The BarnOwl risk management module facilitates a structured and systematic approach to risk management that provides an effective way to prioritise and manage risk and opportunity across the organisation in pursuit of business objectives and strategy. BarnOwl provides a unified view of risk and gives management and staff at every level the ability to identify, assess, manage, monitor and report on risks. BarnOwl provides an early warning system, drives ownership for risk mitigation, and delivers risk intelligence reporting that aids business growth and sustainability. BarnOwl risk management supports and embeds best-practice frameworks such as COSO, ISO 31000 and the National Treasury Framework.

The BarnOwl Risk Management module facilitates:

  • Step by step enablement of ERM in your organisation

  • Best practice methodology within your organisation

  • An up to date picture of your risk universe

  • Continuous monitoring of your risk universe

  • Improved quality and consistency of your information

  • Extremely powerful and flexible reporting at the click of a button including graphical drill-down reporting, trend reporting, combined assurance reporting etc.

  • Accountability and ownership of risk throughout your organisation

  • A culture of risk and control within your organisation

  • The co-ordinated achievement of your strategic vision (objectives)

Risk Management Clickable Diagram



Custom Reporting

  • Flexible report writer, heat maps, trends, scorecards, bowtie etc.
  • Consolidated reporting with drill down into business units / functions and processes
  • Combined Assurance reporting
  • Advanced analytics and business intelligence



Monitoring & Review

  • Capturing and analysis of incidents, loss events, lessons learnt etc.
  • Automated risk reassessment notifications as a result of changing controls, KRIs, incidents and child-risks.
  • Monitoring and reviewing that the risk control and treatment measures are effective in both design (adequacy) and operation (effectiveness)



Establishing the Context

  • External and Internal context setting
  • Identification of objectives at the various levels of the organisation (strategic, business and functional) including interdependencies



Risk Identification

  • Identify processes, risks, controls and optionally contributing factors, key indicators and consequences associated with objectives at every level of the organisation including interdependencies
  • Maintain a centralised library in support of a common risk taxonomy driving consistency across the organisation



Risk Assessment & Analysis

  • Inherent rating of risks qualitatively and quantitatively
  • Identification and rating of controls (adequacy and effectiveness)
  • Residual rating of risks qualitatively and quantitatively mapped against risk appetite and tolerance
  • Automation of risk and control self-assessments
  • Automation of checklists and surveys



Risk Treatment & Execution

  • Control effectiveness in both design (adequacy) and operation (effectiveness)
  • Action plans with due dates and responsible owners
  • Automated reminders, notifications and escalation emails and online completion of action plans with full audit trails
BarnOwl caters for standard frameworks (COSO, ISO 31000, National Treasury). A standard framework helps establish a consistent risk management culture, regardless of employee turnover.
Configurable risk parameters.

Setup your categories and sub-categories for objectives, risks, contributing factors, controls, key indicators, incidents etc.

Define your inherent and residual impact and likelihood value lists and colours for either a rainbow or matrix model; the appetite / tolerance values by unit; objective significance and certainty value lists and colours; control adequacy, effectiveness and combined assurance value lists and colours etc.
Enables you to configure BarnOwl according to your risk methodology.
Qualitative and quantitative risk rating.

You can define an impact value matrix to link your risk impact value list to financial values by unit.
Compare the financial value of the risk impact to the risk appetite / tolerance by unit or aggregated.
Configurable risk rating methodology.

Setup formulas for your inherent and residual risk rating. The residual rating can be calculated either from the entered residual impact and likelihood or automatically based on a control factor.
Simplifies the setup and maintenance of your BarnOwl data.
Import your objectives, risks, contributing factors, controls, action plans, combined assurance, incidents, key indicators, impact value matrix, etc. from Excel. Facilitates a managed and optimised non-silo based approach to risk management. Provides an early-warning system of the knock-on effects of inter-related risks across the organisation.
In addition to the comprehensive user and/or group permissions you can restrict access to specific fields on action plans, risks and incidents. Allows you to restrict field level access to specific users.
Central searchable library of the risk entities: objectives, risks, contributing factors, controls, key indicators, incidents and action plans. A library of all risk related information is built up as you go, driving a common risk taxonomy across your organisation and helps to prevent duplicates.
Maintain templates for standard structures of objectives, risks, contributing factors, controls, votes and workshops and apply them to the relevant units or processes. Allows you to publish a standard set of risk information to multiple business units at the click of a button. Simplifies risk maintenance and drives standardisation across the organisation.
Link parent and child risks across strategic, business and process levels of the organisation. Enables a top-down and bottom-up approach to risk management and ensures that strategic and business risks are linked and supported by the underlying process / child risks.
A re-assessment flag is raised for objectives (when a child objective or linked risk rating changes), and risks (when a child risk, linked contributing factor or control rating changes). An early warning for dynamic reassessment.
Setup risk assessment projects to schedule a risk management process (identify, analyse, treat, assess and monitor) for selected units and processes with assessment and review workflow. Ensures a regular assessment of your risks in a managed process.
Setup online or offline workshops to conduct an in-person risk management process (identify, analyse, treat, assess and monitor) in a workshop format.

Optional interactive key pads can be used for real time voting.
Enables group participation in the identification and assessment of your risks.
Easily rate risks taking into account all the related information such as the linked objectives, contributing factors, control ratings, key risk indicators, risk incidents, child risk ratings and action plan progress. The visibility of all the factors that affect the risk rating helps you to rate risks accurately.
Use voting to send out risk & control self-assessments (RCSAs) on a regular basis to hundreds of risk and control owners at the click of a button. Involves the entire organisation in risk management and ensures that risk & control registers are kept up to date on an ongoing basis.
Action plans allow you to create and monitor tasks linked to the relevant entities with owners (RACI); due dates and extension requests; progress notes; status; audit trails; email notifications, reminders and escalation. Drives ownership and accountability for all risk related tasks. Enables monitoring and reporting of all action plans by owner by due date.
Incident management allows you to setup and maintain all types of incidents such as H&S, tip offs, gifts, burglaries, robberies, forensic incidents, findings, contracts etc. Incidents can be logged against risks or directly against a unit. Monitor all relevant incidents to assist the risk management process.
Configure any type of key indicator (key performance indicator (KPI), key risk indicator (KRI), key control indicator (KCI)) with their frequency and thresholds. Assign owners to update their key indicators online. Track performance against key indicators to assist the risk management process.
Integration to 3rd party data analytics tools (e.g. Arbutus) to update the relevant key risk and control indicators. Provides continuous risk monitoring and an early warning system from operational systems that highlights process and control weaknesses, or fraud, waste, and abuse.
Maintain and distribute surveys, checklists and questionnaires. Collect and analyse the results. Canvas as many people in the organisation as required to obtain their input for the risk management process.
Extensive reporting capability including:

  • Dashboards with drill down and export to Word
  • Customisable registers with export to Excel, Word and/or PDF
  • Hundreds of standard reports including heat maps, trends, qualitative and quantitative risk appetite, combined assurance etc.
  • Excel report builder combining the various linked entities (units, processes, objectives, risks, contributing factors, controls, action plans and incidents)
  • Word report builder to develop custom Word reports
  • A script runner to execute custom scripts for export to Excel
  • A data warehouse for data analysis and reporting with tools such as Excel, Power BI, SQL Server Reporting Services (SSRS), etc.
Reporting at the click of a button transforms risk data into valuable business insights and enables informed decision making.
Preferred risk management solution endorsed by the Office of the Accountant General. Supports and embeds the National Treasury risk management framework.



  • What is Risk Management?

    Risk management involves identifying strategic and business objectives to determine which risks you should take and / or avoid in order to achieve these objectives and deciding the best strategy to optimise and / or mitigate these risks. When considering an organisation’s risks, managers need to understand the organisation’s strengths, weaknesses, and management system to identify vulnerabilities and minimise the associated costs. Failure to understand and mitigate risks can result in significant losses.

    The process involves establishing context, identifying stakeholder objectives, risk evaluation, and planning responses. The response plan focuses on reducing or eliminating high-ranking risks. Implementing risk reduction methods, preventative programs, and contingency plans reduces the chances of a negative outcome.

    Even moderate risks can affect a business’s processes and performance. Companies can save time, money, and physical resources by identifying high-risk areas and developing risk-management strategies. By identifying these, companies can minimise their losses and stay competitive. Even in times of crisis, businesses that use risk management processes are less likely to shut down or suffer severe financial losses. As a result, they can improve their operational efficiency and increase their customers’ satisfaction. Furthermore, they are more likely to keep their employees happy.

    According to ISO 31000, Risk management refers to a “coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives.”

    COSO’s 2017 update titled “Enterprise Risk Management—Integrating with Strategy and Performance” highlights the importance of considering risk in both the strategy-setting process and driving performance.

    Legislation such as PFMA and the MFMA together with corporate governance codes such as King IV expect an institution to implement a risk management plan. The King IV code on corporate governance (copyright Institute of Directors Southern Africa) applies to all entities, regardless of their nature, size or form of incorporation. The Code is implemented on an “apply and explain” basis.

    Principle 4 of the King IV code states that the governing body should appreciate that the organisation’s core purpose, its risk and opportunities, strategy, business model, performance and sustainable development are all inseparable elements of the value creation process.

    Principle 11 of the King IV code states that the governing body should govern risk in a way that supports the organisation in setting and achieving its strategic objectives.

    Effective risk management not only paints a clear picture of the risks facing the business, as well as the strategies to be followed in the event of risks materialising, but also facilitates the identification of opportunities, ensuring that the corporate strategy remains relevant and up to date.

  • What can Risk management software do?

    Comprehensive and robust risk management software helps you to minimise the impact of unforeseen events and improve the efficiency of your business. A user-friendly interface and intuitive design facilitate the capturing of up to date information and aid productivity with the automation of consolidated reporting and data analysis. The BarnOwl risk management module facilitates a structured and systematic approach to risk management by effectively prioritising and managing risk and opportunity across the organisation in pursuit of business objectives and strategy. BarnOwl risk management software:

    • Facilitates and embeds integrated risk management in your organisation linking and monitoring the knock-on effect of related risks, contributing factors (causes), key risk indicators, incidents, controls, etc.,

    • Provides a unified view of risk and gives management and staff at every level the ability to identify, assess, manage, monitor, and report on risks,

    • Enables a simplified and streamlined approach to risk management with consistent risk taxonomy and centralised risk library,

    • Supports the automation of risk and control self-assessment voting, surveys and checklists,

    • Drives ownership for risk mitigation by enabling the ‘live’ updating and monitoring of action plans,

    • Provides an early-warning system enabling management to determine more quickly and accurately where to focus their attention and resources to improve processes and take proactive and preventative action timeously. BarnOwl risk management provides continuous risk monitoring together with Arbutus data analytics. Arbutus is a powerful data analytics solution developed explicitly for auditors, business analysts, and fraud investigators,

    • Delivers risk intelligence reporting, providing valuable business insight and assisting with business decision-making,

    • Limits Director / Accounting officer exposure through a formalised approach to risk management.

  • Pros and Cons


    Allows businesses to:

    • Identify and classify strategic, business and operational risks

    • Facilitate a common risk taxonomy across divisions and various assurance providers

    • Keep all risk related data in a centralised database protected by role-based permissions

    • Improve accuracy and relevancy

    • Integrate risk across silos

    • Improve visibility of key risks in an ever changing risk landscape

    • Automate risk reporting. One version of the truth and save 1000s of man hours by not having to try and consolidate 100s of spreadsheets

    • Embed corporate governance culture. Action plans drive ownership and accountability

    • Improve communication to all stakeholders (shareholders, employees, customers, suppliers, community etc.)

    • Improve business decision making with up to date insightful dashboards


    Some of the barriers to using risk software include:

    • Users like working in silos with their own data in spreadsheets

    • Excel is easy to use and provides flexibility for users to capture data in almost any format they wish. No need to conform to a standard methodology, data validation, drop down boxes etc.

    • Users generally don’t like being monitored via audit trails, action plans etc.

    • Embedding a common risk taxonomy across divisions and assurance providers requires change management and compromise

    • Reports / dashboards generated by the software do not always meet business requirements; however, business often does not know what they want either

    • Learning new software requires time and effort

    • Cost of software and ongoing support

Recommended Reading


BarnOwl Info Sharing Insight: Influencing Business Strategy – Alignment Between Performance Management and Risk Management with Deon van der Westhuizen


BarnOwl Info Sharing Insight: The Evolving Role of the CRO to Power Business Performance with Mark Victor & Christopher Palm


BarnOwl Risk Management Datasheet

Arbutus Integration Datasheet

BarnOwl Intelligence Datasheet




GRCReady is the official provider of risk management content for the BarnOwl GRC software solution. GRCReady provides extensive risk libraries and risk maturity checklists/surveys which are integrated with BarnOwl.

GRCReady, based in Australia, offers a comprehensive and holistic library of products and associated services including templates, policies, procedures, guidelines, checklists etc. to help owners and directors of SMEs, startups and corporates to satisfy their corporate governance, risk management and regulatory compliance needs.

By integrating GRCReady's rich content libraries into BarnOwl's GRC software, we are able to offer our clients a state of the art, turnkey GRC solution.

GRCReady provides, arguably, the most comprehensive risk and governance maturity assessment framework with detailed steps and artefacts. BarnOwl's survey and action plan portal provides a simple and effective way to monitor and report on your current state of risk maturity and suggest and drive remedial action plans to take you to your desired state of risk and governance maturity.

Integrating GRCReady's risk libraries with the BarnOwl GRC software means that you don't have to start from scratch. In addition, ongoing updates and insights keep you informed and up-to-date on best practices.


Season Rhythm is BarnOwl's preferred partner in Botswana assisting with BarnOwl implementations, support services and client relationship management.

Season Rhythm is an established and distinguished player in the ICT sector in Botswana, specialising in a range of cutting-edge solutions. Season Rhythm leverages BarnOwl to provide tailored GRC&A services to businesses in Botswana facilitating:

  • Governance: Enabling organisations to establish and uphold effective governance structures, ensuring transparency and accountability in decision making processes.
  • Risk Management: Equipping businesses with tools to identify, assess and mitigate risks, safeguarding against potential threats and ensuring continuity in a business environment.
  • Compliance: Ensuring adherence to regulatory frameworks and industry standards, protecting businesses from non-compliance penalties and fostering trust among stakeholders.
  • Audit: Streamlining the audit process with comprehensive tools for planning, execution and reporting, driving efficiency and accuracy in internal audit and compliance assessments.


BarnOwl works closely with NSA in the field of GRC and assurance.

NSA is an education and risk & assurance advisory services provider, consisting of a team of professional consultants and facilitators who have been hand-picked on experience and expertise. NSA services include:

  • Strategic intervention: 30 expert consultants facilitating strategic planning, combined assurance, effective governance and risk management assignments.
  • Continuous professional development: CPD training for internal auditors, external auditors, accountants, risk managers, government officials, and psychologists.
  • Online learning: accredited training for the local government sector, including the Municipal Financial Management Program and Supply Chain Management.
  • Online skills development: skills in demand for 2030, including cybersecurity, Protection of Personal Information, Artificial Intelligence, Robotics and programming.

BarnOwl and NSA work closely with our clients to align and enable best practice GRC and assurance framework & methodologies within BarnOwl. NSA regularly presents online information sharing sessions together with BarnOwl.


Nico Technologies is BarnOwl's preferred partner in Malawi assisting with BarnOwl implementations, support services and client relationship management.

Nico Technologies Limited is an established IT products and services provider in Malawi, specialising in managed IT services, IT infrastructure services, IT project management, digital solutions, digital transformation and IT advisory.

Nico Technologies uses BarnOwl extensively within their own organisation to automate and manage their own risk and compliance functions.


Morgan Solus is BarnOwl's preferred business continuity specialist consulting firm with its 'BCM toolkit' software. BarnOwl GRC together with the BCM toolkit, provides a comprehensive risk management and BCM software solution.

Morgan Solus is a specialist consultancy firm focusing on risk, resilience and continuity. Morgan Solus's core services are centred on resilience, crisis management, business continuity (BCM), IT services continuity and disaster recovery (DRP) and training.

The BCM toolkit ensures a consistent approach to implementing BCM and IT disaster recovery and cuts down implementation timelines by 60% whilst driving up successful outcomes.

BarnOwl's extensive GRC and assurance functionality coupled with Morgan Solus's BCM toolkit provide the ultimate risk management and BCM software solution.


Arbutus Analytics is BarnOwl's preferred data analytics software. BarnOwl GRC integrated with Arbutus Analytics, provides the ultimate in continuous risk monitoring.

Arbutus Analyzer is a powerful data access and analysis solution specifically developed for auditors, business analysts, and fraud investigators. Its robust performance and user-friendly features offer you the ability to access and analyse data quickly and simply.

BarnOwl GRC, integrated with the real-time metrics from Arbutus, provides a strategic early warning system driving preventative and predictive capability, facilitating effective business decision making and business improvement. with local sub-sahara African distributor


BarnOwl works closely with Pax Resilience in the field of GRC and sustainability.

Pax Resilience offers solutions in risk, resilience and cyber security. Pax Resilience strives to create peace of mind by assisting you to build the resilience in your organisation so essential to survive and thrive in the volatile, uncertain, complex and ambiguous world we live in.

Pax Resilience regularly presents online information sharing sessions together with BarnOwl.


Paige Law is the official provider of compliance content for the BarnOwl GRC software solution. Paige Law provides an extensive library of South African acts including provisions [CRMPs] and checklists which are integrated with BarnOwl.

Paige Law specialises in compliance, Commercial Law, Legal process consultancy, managed legal services and POPIA/ GDPR.


Registered Address

75 Malibongwe Drive
Linden Ext
South Africa

Postal Address

PO BOX 3009


+27 (0) 11 540 9100




If you need assistance with your BarnOwl software, there are three channels available to you:


You will be emailed a ticket number from our issue tracking system and your request will be managed in
this ticket until it is completed.


You can view all your existing tickets or create new ones.


+27 (0) 11 540 9112
to speak to a support consultant
