RISK AND OPPORTUNITY MANAGEMENT

Value creation through enterprise-wide risk management

Enterprise risk management (ERM) at SAICA integrates strategy and risk with the intention of creating value through improved performance. It places a greater focus on the creation and preservation of value as the key driver of risk management, whilst emphasising the importance of other features such as stakeholder inclusivity and human and cultural factors.

Integrating ERM into business activities and organisational culture

The journey to mature the risk management process at SAICA continued as management prioritised the embedding of the risk culture across the organisation through:
  • Enterprise-wide risk management (ERM) workshops for all staff to ensure that ERM principles are understood and consistently applied throughout SAICA
  • Ensuring that risks and opportunities are considered in decision-making
  • Continued implementation and enhancement of the combined assurance model and Risk-Control Self-Assessment (RCSA) tool, and
  • Investment in resources, including the implementation of the Enterprise Risk and Compliance Management System


SAICA continuously tracked the trends and events that could potentially have an impact on the achievement of SAICA’s strategic objectives. This information was used to identify potential risks and to update existing risk profiles (where applicable). The outcomes of these assessments were integrated with SAICA’s risk appetite and results of any assurance activities to identify additional mitigating actions if necessary (refer to emerging risks). The SAICA ERM maturity has been independently assessed at foundation level 3; that is, enterprise risk management processes are clearly outlined whilst there is room for improvement in the process. Furthermore, SAICA’s ERM processes are adequate to provide reasonable assurance that performance objectives will be achieved because, once the controls are taken into consideration, risks that could have a significant impact on the achievement of objectives are unlikely to do so.

Risk governance

Risk management and opportunity identification form part of every discussion throughout the business, from one-on-one performance management / feedback sessions, divisional meetings, management and executive committee meetings to Board sub-committee meetings.

Significant risks are reported on and approved at every Audit and Risk Committee meeting and reported at every Board meeting. Internal audit and other appointed assurance providers are contracted to provide independent assurance to assist management and the Board in ensuring that the control environment improves and objectives are achieved.

There is clear accountability and ownership of risk through SAICA’s governance structures depicted below.

BOARD OF DIRECTORS

The SAICA Board sets the tone for risk management and assumes ultimate accountability, but delegates oversight of risk management to the Board Audit and Risk Committee and the day-to-day risk management activities to management. They ensure that assurance services and functions enable an effective control environment and support the integrity of information for internal decision-making and of the organisation’s external reports.

EXECUTIVE MANAGEMENT

Management is charged with the responsibility for taking appropriate risks within the risk appetite framework approved by the Board to create value. The Board receives quarterly reports on the status of existing as well as emerging risks and opportunities.

ENTERPRISE-WIDE RISK MANAGEMENT FUNCTION

Establishes the policies and procedures for managing risk, as well as promoting a culture of risk awareness and control. The SAICA ERM policy and frameworks adopted by the Board govern ERM in the organisation and clearly define the roles and responsibilities of the Board, Board sub-committees, and various lines of assurance providers, promoting a sound risk culture. Risk is integrated with performance management and aligned to strategic objectives and performance goals.

RISK OWNERS

Risk owners are the staff who are directly accountable for ensuring that risks are managed effectively by implementing actions required to treat the risks.

INTERNAL AUDIT

Internal audit and other appointed assurance providers are contracted to provide independent assurance to assist management and the Board in ensuring that the control environment improves and objectives are achieved.

EXTERNAL AUDIT

External auditors provide an additional line of defence. Their role is to provide reasonable independent assurance on the integrity of financial statements, as well as the effectiveness of internal controls in mitigating risks.

Our risk appetite guides our decision-making

The Risk Appetite and Tolerance framework provides guidance on developing and implementing risk appetite, risk tolerance levels and the risk-bearing capacity (which collectively form the risk thresholds of the SAICA Group), linked to and derived from the organisation’s strategic pillars and short-, medium- and long-term objectives. The realisation of SAICA’s strategy depends on the ability to take calculated risks in a manner that creates sustainable value for the SAICA Group. The framework provides guidelines for tracking and monitoring key risk indicators (KRIs), which provide an early warning signal of increasing risk exposures, enabling management to intervene in a timely manner through appropriate risk-mitigating responses.
