
The name of the institution should be recorded in the XXX below

XXX
The Example below should be replaced with Draft, Final etc

Example Risk Register


The date of the workshop should be recorded in the row below

As at: Day Month 201_

Note: The information recorded in the maroon lettering above will automatically be recorded on each page of the risk register.
In addition, the name of the file and the date will also be recorded on each page.
To be able to print the entire risk register, the sheets need to be grouped together.
This is done by clicking on the cover sheet, holding in the shift button and clicking on the How to use sheet simultaneously.
The workbook will now reflect that it has been grouped. You can then print the risk register.
It is, however, important to note that no value should be entered while the sheets are grouped. On completion of the printing, ungroup the sheets and then close the risk register.

427650816.xls Page 1 of 18 07/11/2019



1 Risk register

2 Workshop logistics

3 Categories

4 Inherent versus residual risk graph

5 Heatmaps



Risk register columns

Risk number: This column is the risk number.
Strategic objective: This column should be completed to ensure that the identified risk is linked to the approved strategic plan of the institution.
Risk description at Strategic level: This column is to record the identified risk threatening the achievement of the institution's strategic plan.
Risk category: This column should be referenced to the approved risk categories utilised by the institution.
Primary Cause (Risk at Operational level): This column is to record what is causing the risk at operational level: "What is causing the risk?"
Secondary Cause (Risk at Business unit level): This column is to further break down the causes of the risk to identify the root causes: "What is causing the risk?"
Effect (Impact): "What happens if the risk materializes?"
Exposure in Rand value: This column is to record the Qualitative and / or Quantitative Cost should the risk materialize.
Impact: The drop down menu should be utilised to record the impact the risk would have on the achievement of the institution's strategic objectives.
Impact (numeric): This column records the numeric value of the impact and is automatic.
Likelihood: The drop down menu should be utilised to record the likelihood of the risk occurring within a given timeframe in the absence of controls.
Likelihood (numeric): This column records the numeric value of the likelihood and is automatic.
Inherent risk: This is the inherent risk category of each identified risk and is automatically calculated.
Inherent risk (value): This column is the inherent risk value of each identified risk and is automatically calculated.
Existing controls: This column should be utilised to capture all high level controls implemented by the institution to mitigate the identified risk. It should reflect actual controls in place at a given date.
Perceived control effectiveness: The drop down menu should be utilised to record the perceived control effectiveness of each identified risk as ranked by the workshop participants.
Perceived control effectiveness (numeric): This column records the numeric value of the perceived control effectiveness.
Residual risk: This is the residual risk category of each identified risk and is automatically calculated.
Residual risk (value): This column is the residual risk value of each identified risk and is automatically calculated.
Residual Exposure in Rand value: This column is to record the Qualitative and / or Quantitative Cost should the risk materialize after considering existing controls.

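Risk 1
Strategic objective: To ensure a sustainable provision of services.
Risk description at Strategic level: Sustainability of institution compromised.
Risk category: Financial Risk
Primary Cause (Risk at Operational level): Diminishing external revenue streams.
Secondary Cause (Risk at Business unit level):
1. High distribution losses etc. due to lack of asset maintenance (Volume)
2. Lack of turnaround strategy (procedures) to address decreasing revenue.
3. Recession.
Effect (Impact):
1. The institution cannot fund its capital budget/ operations.
2. The institution is increasingly grant dependent.
Exposure in Rand value: R14,000,000,000.00 and reputational damage
Impact: Critical (5)
Likelihood: Common (5)
Inherent risk: Maximum (25)
Existing controls:
1. Revenue enhancement project.
2. Ad hoc repairs of infrastructure.
3. Exploring alternative revenue streams.
Perceived control effectiveness: Weak (0.80)
Residual risk: Maximum (20)
Residual Exposure in Rand value: R14,000,000,000.00 and reputational damage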

Risk 2
Strategic objective: To provide democratic and accountable government for all communities.
Risk description at Strategic level: Weak governance processes and accountability.
Risk category: Compliance Risk
Primary Cause (Risk at Operational level): Non-accountability and complacency of officials
Secondary Cause (Risk at Business unit level):
1. Inadequate discipline e.g. Disciplinary proceedings not consistently implemented.
2. Governance tone set by senior management not supporting/ enabling disciplined working environment.
3. Small team in labour department to deal with large number of disciplinary hearings. (Inadequate capacity).
Effect (Impact):
1. Reputation damage; and
2. Low morale and productivity.
Exposure in Rand value: R5,000,000.00 loss of investor confidence
Impact: Major (4)
Likelihood: Likely (4)
Inherent risk: High (16)
Existing controls:
1. Revised disciplinary policy and proceedings implemented.
2. Additional capacity appointed in labour unit to deal with disciplinary hearings.
Perceived control effectiveness: Good (0.40)
Residual risk: Medium (6.4)
Residual Exposure in Rand value: R 1,000,000.00

Risk 3
Strategic objective: To ensure a sustainable provision of services.
Risk description at Strategic level: Inability to provide services to the community.
Risk category: Service delivery
Primary Cause (Risk at Operational level): Lack of skills and expertise within the institution's environment.
Secondary Cause (Risk at Business unit level):
1. Large number of vacancies due to political interference, admin challenges with interviews, union challenges, competing with private sector for same skills, upcoming retirement.
2. High turnover of staff.
3. Vacancies open for extended periods. Losing more people than what institution can train.
4. Increasingly dependent on consultants for core management functions e.g. addressing audit queries, etc.
5. Inadequate staff retention and/ or development strategy.
Effect (Impact):
1. Institution has received disclaimer/ qualified audit opinions for the last four years
2. Fraud and corruption internally and externally.
3. Official arrears.
4. Deteriorating cash flow.
5. Low staff morale.
6. Reputational damage of institution
Exposure in Rand value: R 8,000,000,000.00
Impact: Major (4)
Likelihood: Likely (4)
Inherent risk: High (16)
Existing controls:
• Budget linked to approved establishment
• Annual Workplace Skills Plan linked to individual training needs
• Implemented performance management system linked to individual development plans
• Approved job descriptions
• Enlarging intern programme.
• Placement of temporary staff.
Perceived control effectiveness: Good (0.40)
Residual risk: Medium (6.4)
Residual Exposure in Rand value: R 3,000,000,000.00

Risk 4
Strategic objective: To encourage involvement of communities in matters of government.
Risk description at Strategic level: Inadequate public participation by communities
Risk category: Political environment
Primary Cause (Risk at Operational level): Inadequate communication with all stakeholders (e.g. communities).
Secondary Cause (Risk at Business unit level):
1. Communities are not kept up to speed with regards to progress made to address service delivery backlogs.
2. Corporate communication strategy not in place.
3. Politicians distort the information provided by the administration
5. Internal and external communication officers not effective caused by resourcing of the unit e.g. staffing and budgets
Effect (Impact):
1. Stakeholder dissatisfaction.
2. Increased risk public protests and unrest.
Exposure in Rand value: R5,000,000.00
Impact: Major (4)
Likelihood: Unlikely (2)
Inherent risk: Low (8)
Existing controls:
• Project steering committees
• Imbizo's and awareness campaigns
• Ward committees
• Planned consultations with stakeholders
• Official project launches
Perceived control effectiveness: Good (0.40)
Residual risk: Low (3.2)
Residual Exposure in Rand value: R 1,000,000,000.00




Risk 5
Strategic objective: Stimulate shared economic growth, job creation and social development
Risk description at Strategic level: Inability to participate in the shared economic growth and create jobs and social development.
Risk category: Economic environment
Primary Cause (Risk at Operational level): Institution unable to meet significantly increased demand requirements of its stakeholders.
Secondary Cause (Risk at Business unit level):
1. Institution does not have funding for bulk infrastructure to cater for growth.
2. Institution re-active not pro-active approach to growth.
4. High turnover of staff.
5. High vacancy rate.
Effect (Impact):
1. Sewerage operating above capacity (in rainy season spillage in rivers and dams in rural areas a health hazard).
2. Backlogs growing faster than what Institution can provide services.
3. Aged infrastructure unable to support area densification.
4. Institution not making use/ benefiting from positive growth trends.
Exposure in Rand value: R25,000,000,00.00
Impact: Major (4)
Likelihood: Common (5)
Inherent risk: Maximum (20)
Existing controls:
• Provision for free basic services
• Implemented Local Economic Development Strategy
• Public Works Programme
• Liaison with other institutions
Perceived control effectiveness: Weak (0.80)
Residual risk: Maximum (16)
Residual Exposure in Rand value: R 18,000,000,000.00



Risk register columns (continued)

Materiality Levels / Tolerance: This column is to record the Materiality level/ Tolerance level for this category of risk as a percentage of the relevant financial statement line item.
Tolerance level exceeded: This column is to record the Rand value with which the Residual Exposure exceeds the Materiality Levels/ Tolerance level.
Risk owner: The employee that will be responsible for reporting on the movement of the identified risk going forwards will be reflected in this column.
Actions to improve management of the risk: This column should be utilised to develop any additional actions that need to be implemented to improve the control effectiveness. Care should be taken to ensure that the actions are realistic and not a wish list.
Action owner: For every action an action owner needs to be identified.
Time scale: For every action a time scale needs to be provided. Care should be taken to ensure that time scales are realistic and factor into consideration any external influences. For example, to develop, approve and implement could have a number of time scales.

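Risk 1
Materiality Levels / Tolerance: R 5,000,000,000.00
Tolerance level exceeded: R 9,000,000,000.00
Risk owner: Chief Financial Officer
Actions to improve management of the risk:
a) To minimize expenditure in the budget to the available budgeted revenue.
b) To prioritize revenue collection.
c) Explore establishing unit to leverage on private growth.
Action owner:
1) Chief Financial Officer
Time scale:
a) End August 2010
b) End December 2010
c) End January 2011

Risk 2
Materiality Levels / Tolerance: R 3,000,000.00
Tolerance level exceeded: Below tolerance level
Risk owner: Accounting Officer
Actions to improve management of the risk:
a) Explore decentralising disciplinary process.
b) Strengthen performance management system to act on incidences of poor performance.
c) Training for supervisors to improve disciplinary processes.
Action owner:
a) Head: Labour Relations
b) Head: Human Resources
c) Head: Human Resources
Time scale:
a) End September 2010
b) End December 2010
c) End February 2011

Risk 3
Materiality Levels / Tolerance: R 3,000,000,000.00
Tolerance level exceeded: R 0.00
Risk owner: Human Resources Manager
Actions to improve management of the risk: None identified by workshop participants
Action owner: Not applicable
Time scale: Not applicable

Risk 4
Materiality Levels / Tolerance: R 2,000,000,000.00
Tolerance level exceeded: Below tolerance level
Risk owner: Manager: Communications and Institutional Social Development
Actions to improve management of the risk: None identified by workshop participants
Action owner: Not applicable
Time scale: Not applicable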




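Risk 5
Materiality Levels / Tolerance: R 10,000,000,000.00
Tolerance level exceeded: R 8,000,000,000.00
Risk owner: Local Economic Development Department
Actions to improve management of the risk: None identified by workshop participants
Action owner: Not applicable
Time scale: Not applicable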




Workshop logistics

Attendees (columns: Attendees, Position, Contact number): The names of the attendees need to be reflected in the rows below.

Venue: The venue of the risk assessment workshop needs to be recorded in the rows provided.




Rating factors used in Risk Analysis


Each risk is evaluated in terms of potential loss, likelihood of occurrence and the effectiveness of controls in place to manage the risks, according to the criteria set out below.

Potential Loss / Impact
(Severity, Ranking: Assessment)
Critical, 5: Negative outcomes or missed opportunities that are of critical importance to the achievement of objectives
Major, 4: Negative outcomes or missed opportunities that are likely to have a relatively substantial impact on the ability to meet objectives
Moderate, 3: Negative outcomes or missed opportunities that are likely to have a relatively moderate impact on the ability to meet objectives
Minor, 2: Negative outcomes or missed opportunities that are likely to have a relatively low impact on the ability to meet objectives
Insignificant: Negative outcomes or missed opportunities that are likely to have a relatively negligible impact on the ability to meet objectives

Likelihood
(Likelihood category, Factor: Category definition)
Common, 5: The risk is already occurring, or is likely to occur more than once within the next 12 months
Likely, 4: The risk could easily occur, and is likely to occur at least once within the next 12 months
Moderate, 3: There is an above average chance that the risk will occur at least once in the next three years
Unlikely, 2: The risk occurs infrequently and is unlikely to occur within the next three years
Rare, 1: The risk is conceivable but is only likely to occur in extreme circumstances

Perceived control effectiveness
(Effectiveness category, Factor: Category definition)
Very good, 20%: Risk exposure is effectively controlled and managed
Good, 40%: Majority of risk exposure is effectively controlled and managed
Satisfactory, 65%: There is room for some improvement
Weak, 80%: Some of the risk exposure appears to be controlled, but there are major deficiencies
Unsatisfactory, 90%: Control measures are ineffective
Inherent risk exposure
Inherent risk exposure    Factor
Maximum                   ≥ 20
High                      ≥ 15 < 20     20
Medium                    ≥ 10 < 15     15
Low                       ≥ 5 < 10      10
Minimum                   < 5           5

Residual risk exposure
Residual risk exposure    Factor
Maximum                   ≥ 10
High                      ≥ 7.5 < 10    10
Medium                    ≥ 5 < 7.5     7.5
Low                       ≥ 2.5 < 5     5
Minimum                   < 2.5         2.5



Risk categories

As the risk environment is so varied and complex, it is useful to group potential events into risk categories. Aggregating events horizontally across an institution and vertically within operational units allows the development of an understanding of the interrelationship between events, providing enhanced information as a basis for risk assessment.

The main categories to group individual risk exposures are provided below. When using this template the institution should replace the Risk categories in this worksheet with the Risk categories approved by the institution:
Risk type: Internal

Human Resources
Risks that relate to human resources of an institution. These risks can have an effect on an institution's human capital with regard to:
• Integrity and honesty;
• Recruitment;
• Skills and competence;
• Employee wellness;
• Employee relations;
• Retention; and
• Occupational health and safety.

Knowledge and information management
Risks relating to an institution's management of knowledge and information. In identifying the risks consider the following aspects related to knowledge management:
• Availability of information;
• Stability of the information;
• Integrity of information data;
• Relevance of the information;
• Retention; and
• Safeguarding.

Litigation
Risks that the institution might suffer losses due to litigation and lawsuits against it. Losses from litigation can possibly emanate from:
• Claims by employees, the public, service providers and other third party
• Failure by an institution to exercise certain rights that are to its advantage

Loss \ theft of assets
Risks that an institution might suffer losses due to either theft or loss of an asset of the institution.

Material resources (procurement risk)
Risks relating to an institution's material resources. Possible aspects to consider include:
• Availability of material;
• Costs and means of acquiring \ procuring resources; and
• The wastage of material resources

Service delivery
Every institution exists to provide value for its stakeholders. The risk will arise if the appropriate quality of service is not delivered to the citizens.

Information Technology
The risks relating specifically to the institution's IT objectives, infrastructure requirement, etc. Possible considerations could include the following when identifying applicable risks:
• Security concerns;
• Technology availability (uptime);
• Applicability of IT infrastructure;
• Integration / interface of the systems;
• Effectiveness of technology; and
• Obsolescence of technology.

Third party performance
Risks related to an institution's dependence on the performance of a third party. Risk in this regard could be that there is the likelihood that a service provider might not perform according to the service level agreement entered into with an institution. Non performance could include:
• Outright failure to perform;
• Not rendering the required service in time;
• Not rendering the correct service; and
• Inadequate / poor quality of performance.

Health & Safety
Risks from occupational health and safety issues e.g. injury on duty; outbreak of disease within the institution.

Disaster recovery / business continuity
Risks related to an institution's preparedness, or absence thereof, for disasters that could impact the normal functioning of the institution e.g. natural disasters, act of terrorism etc. This would lead to the disruption of processes and service delivery and could include the possible disruption of operations at the onset of a crisis to the resumption of critical activities. Factors to consider include:
• Disaster management procedures; and
• Contingency planning.

Compliance \ Regulatory
Risks related to the compliance requirements that an institution has to meet. Aspects to consider in this regard are:
• Failure to monitor or enforce compliance
• Monitoring and enforcement mechanisms;
• Consequences of non compliance; and
• Fines and penalties paid.

Fraud and corruption
These risks relate to illegal or improper acts by employees resulting in a loss of the institution's assets or resources.

Financial
Risks encompassing the entire scope of general financial management. Potential factors to consider include:
• Cash flow adequacy and management thereof;
• Financial losses;
• Wasteful expenditure;
• Budget allocations;
• Financial statement integrity;
• Revenue collection; and
• Increasing operational expenditure.

Cultural
Risks relating to an institution's overall culture and control environment. The various factors related to organisational culture include:
• Communication channels and the effectiveness;
• Cultural integration;
• Entrenchment of ethics and values;
• Goal alignment; and
• Management style.

Reputation
Factors that could result in the tarnishing of an institution's reputation, public perception and image.

Risk type: External

Economic Environment
Risks related to the institution's economic environment. Factors to consider include:
• Inflation;
• Foreign exchange fluctuations; and
• Interest rates.

Political environment
Risks emanating from political factors and decisions that have an impact on the institution's mandate and operations. Possible factors to consider include:
• Political unrest;
• Political interference;
• Local, Provincial and National elections; and
• Changes in office bearers.

Social environment
Risks related to the institution's social environment. Possible factors to consider include:
• Unemployment; and
• Migration of workers.

Natural environment
Risks relating to the institution's natural environment and its impact on normal operations. Consider factors such as:
• Depletion of natural resources;
• Environmental degradation;
• Spillage; and
• Pollution.

Technological environment
Risks emanating from the effects of advancements and changes in technology.

Legislative environment
Risks related to the institution's legislative environment e.g. changes in legislation, conflicting legislation.

[Graph: Inherent risk vs Residual risk exposure. Series: Inherent risk, Residual risk. Axis labels: Impact, Likelihood.]

Note: Risk numbers refer to risks on risk register

Explanation: Risks shown on the left hand side are higher inherent risks. The greater the gap between the inherent and residual risk
the more effective the controls mitigating the risks are. Management should concentrate on controlling high inherent risks,
especially those with a low control effectiveness.

Note
The risk graph is automatically generated. Care should however be taken to ensure that the information recorded in the risk register has been reflected in the risk graph. Should any additional rows be inserted or deleted, care should be taken to ensure that the source data of the graph reflects the actual rows needed to generate the graph. This is done by right clicking on the graph and selecting source data. Once the source data screen comes up, select series. You need to ensure that the values and category (X) axis labels reflect the correct rows for both inherent and residual risk. To change from inherent risk to residual risk, click on residual risk and the residual risk information will be reflected.



How to use this worksheet

1) You type in the attendees / positions and venue


2) You type in risk name, description and background
3) Select the Impact (E), Likelihood (G) ratings
4) Sort by the small column next to Inherent risk rating
5) You type in current controls, actions, owners, timelines
6) You select a Control effectiveness (L)
7) You sort by the small column next to Residual risk.
8) Check bar graph
11) Print all sheets except for the "How to use" to have a complete report of the workshop

