
The name of the institution should be recorded in the XXX below

XXX
The Example below should be replaced with Draft, Final etc

Example Risk Register


The date of the workshop should be recorded in the row below

As at: Day Month 201_


Note: The information recorded in the maroon lettering above will automatically be recorded on each page of the risk register. In addition, the name of the file and the date will also be recorded on each page.
To be able to print the entire risk register, the sheets need to be grouped together. This is done by clicking on the cover sheet and holding in the shift button and clicking on the How to use sheet simultaneously. The workbook will now reflect that it has been grouped. You can then print the risk register. It is however important to note that no value should be entered when in the grouped status. On completion of the printing, ungroup the sheets and then close the risk register.

280875893.xls

Page 1 of 18

08/24/2015


1 Risk register
2 Workshop logistics
3 Categories
4 Inherent versus residual risk graph
5 Heatmaps


Risk register: column guidance

No.: This column is the risk number.
Strategic objective: This column should be completed to ensure that the identified risk is linked to the approved strategic plan of the institution.
Risk description at Strategic Objective level: This column is to record the identified risk threatening the achievement of the institution's strategic plan.
Risk category: This column should be referenced to the approved risk categories utilised by the institution.
Primary Cause (Risk at Operational level): This column is to record what is causing the risk at operational level: "What is causing the risk?"
Secondary Cause (Risk at Business unit level): This column is to further break down the causes of the risk to identify the root causes: "What is causing the risk?"
Effect (Impact): "What happens if the risk materializes?"
Exposure in Rand value: This column is to record the Qualitative and / or Quantitative Cost should the risk materialize.
Impact: The drop down menu should be utilised to record the impact the risk would have on the achievement of the institution's strategic objectives. The adjacent column records the numeric value of the impact and is automatic.
Likelihood: The drop down menu should be utilised to record the likelihood of the risk occurring within a given timeframe in the absence of controls. The adjacent column records the numeric value of the likelihood and is automatic.
Inherent risk: The first column is the inherent risk category of each identified risk and is automatically calculated. The second column is the inherent risk value of each identified risk and is automatically calculated.
Existing controls: This column should be utilised to capture all high level controls implemented by the institution to mitigate the identified risk. It should reflect actual controls in place at a given date.
Perceived control effectiveness: The drop down menu should be utilised to record the perceived control effectiveness of each identified risk as ranked by the workshop participants. The adjacent column records the numeric value of the perceived control effectiveness.
Residual risk: The first column is the residual risk category of each identified risk and is automatically calculated. The second column is the residual risk value of each identified risk and is automatically calculated.
Residual Exposure in Rand value: This column is to record the Qualitative and / or Quantitative Cost should the risk materialize after considering existing controls.
Materiality Levels / Tolerance: This column is to record the Materiality level / Tolerance level for this category of risk as a percentage of the relevant financial statement line item.
Tolerance level exceeded: This column is to record the Rand value with which the Residual Exposure exceeds the Materiality Levels / Tolerance level.
Risk owner: The employee that will be responsible for reporting on the movement of the identified risk going forwards will be reflected in this column.
Actions to improve management of the risk: This column should be utilised to develop any additional actions that need to be implemented to improve the control effectiveness. Care should be taken to ensure that the actions are realistic and not a wish list.
Action owner: For every action an action owner needs to be identified.
Time scale: For every action a time scale needs to be provided. Care should be taken to ensure that time scales are realistic and factor into consideration any external influences. For example, to develop, approve and implement could have a number of time scales.

Risk register: example entries

Risk 1
Strategic objective: To ensure a sustainable provision of services.
Risk description at Strategic Objective level: Sustainability of institution compromised.
Risk category: Financial Risk
Primary Cause (Risk at Operational level): Diminishing external revenue streams.
Secondary Cause (Risk at Business unit level):
1. High distribution losses etc. due to lack of asset maintenance (Volume)
2. Lack of turnaround strategy (procedures) to address decreasing revenue.
3. Recession.
Effect (Impact):
1. The institution cannot fund its capital budget / operations.
2. The institution is increasingly grant dependent.
Exposure in Rand value: R14,000,000,000.00 and reputational damage
Impact: Critical
Likelihood: Common
Inherent risk: Maximum (25)
Existing controls:
1. Revenue enhancement project.
2. Ad hoc repairs of infrastructure.
3. Exploring alternative revenue streams.
Perceived control effectiveness: Weak (0.80)
Residual risk: Maximum (20)
Residual Exposure in Rand value: R14,000,000,000.00 and reputational damage
Materiality Levels / Tolerance: R 5,000,000,000.00
Tolerance level exceeded: R 9,000,000,000.00
Risk owner: Chief Financial Officer
Actions to improve management of the risk:
a) To minimize expenditure in the budget to the available budgeted revenue.
b) To prioritize revenue collection.
c) Explore establishing unit to leverage on private growth.
Action owner: 1) Chief Financial Officer
Time scale:
a) End August 2010
b) End December 2010
c) End January 2011

Risk 2
Strategic objective: To provide democratic and accountable government for all communities.
Risk description at Strategic Objective level: Weak governance processes and accountability.
Risk category: Compliance Risk
Primary Cause (Risk at Operational level): Non-accountability and complacency of officials
Secondary Cause (Risk at Business unit level):
1. Inadequate discipline e.g. disciplinary proceedings not consistently implemented.
2. Governance tone set by senior management not supporting / enabling disciplined working environment.
3. Small team in labour department to deal with large number of disciplinary hearings. (Inadequate capacity).
Effect (Impact):
1. Reputation damage;
2. Low morale and productivity.
Exposure in Rand value: R5,000,000.00 and loss of investor confidence
Impact: Major
Likelihood: Likely
Inherent risk: High (16)
Existing controls:
1. Revised disciplinary policy and proceedings implemented.
2. Additional capacity appointed in labour unit to deal with disciplinary hearings.
Perceived control effectiveness: Good (0.40)
Residual risk: Medium (6.4)
Residual Exposure in Rand value: R 1,000,000.00
Materiality Levels / Tolerance: R 3,000,000.00
Tolerance level exceeded: Below tolerance level
Risk owner: Accounting Officer
Actions to improve management of the risk:
a) Explore decentralising disciplinary process.
b) Strengthen performance management system to act on incidences of poor performance.
c) Training for supervisors to improve disciplinary processes.
Action owner:
a) Head: Labour Relations
b) Head: Human Resources
c) Head: Human Resources
Time scale:
a) End September 2010
b) End December 2010
c) End February 2011

Risk 3
Strategic objective: To ensure a sustainable provision of services.
Risk description at Strategic Objective level: Inability to provide services to the community.
Risk category: Service delivery
Primary Cause (Risk at Operational level): Lack of skills and expertise within the institution's environment.
Secondary Cause (Risk at Business unit level):
1. Large number of vacancies due to political interference, admin challenges with interviews, union challenges, competing with private sector for same skills, upcoming retirement.
2. High turnover of staff.
3. Vacancies open for extended periods. Losing more people than what institution can train.
4. Increasingly dependent on consultants for core management functions e.g. addressing audit queries, etc.
5. Inadequate staff retention and / or development strategy.
Effect (Impact):
1. Institution has received disclaimer / qualified audit opinions for the last four years
2. Fraud and corruption internally and externally.
3. Official arrears.
4. Deteriorating cash flow.
5. Low staff morale.
6. Reputational damage of institution
Exposure in Rand value: R 8,000,000,000.00
Impact: Major
Likelihood: Likely
Inherent risk: High (16)
Existing controls:
Budget linked to approved establishment
Annual Workplace Skills Plan linked to individual training needs
Implemented performance management system linked to individual development plans
Approved job descriptions
Enlarging intern programme.
Placement of temporary staff.
Perceived control effectiveness: Good (0.40)
Residual risk: Medium (6.4)
Residual Exposure in Rand value: R 3,000,000,000.00
Materiality Levels / Tolerance: R 3,000,000,000.00
Tolerance level exceeded: R 0.00
Risk owner: Human Resources Manager
Actions to improve management of the risk: None identified by workshop participants
Action owner: Not applicable
Time scale: Not applicable

Risk 4
Strategic objective: To encourage involvement of communities in matters of government.
Risk description at Strategic Objective level: Inadequate public participation by communities
Risk category: Political environment
Primary Cause (Risk at Operational level): Inadequate communication with all stakeholders (e.g. communities).
Secondary Cause (Risk at Business unit level):
1. Communities are not kept up to speed with regards to progress made to address service delivery backlogs.
2. Corporate communication strategy not in place.
3. Politicians distort the information provided by the administration
5. Internal and external communication officers not effective caused by resourcing of the unit e.g. staffing and budgets
Effect (Impact):
1. Stakeholder dissatisfaction.
2. Increased risk public protests and unrest.
Exposure in Rand value: R5,000,000.00
Impact: Major
Likelihood: Unlikely
Inherent risk: Low
Existing controls:
Project steering committees
Imbizo's and awareness campaigns
Ward committees
Planned consultations with stakeholders
Official project launches
Perceived control effectiveness: Good (0.40)
Residual risk: Low (3.2)
Residual Exposure in Rand value: R 1,000,000,000.00
Materiality Levels / Tolerance: R 2,000,000,000.00
Tolerance level exceeded: Below tolerance level
Risk owner: Manager: Communications and Institutional Social Development
Actions to improve management of the risk: None identified by workshop participants
Action owner: Not applicable
Time scale: Not applicable

Risk 5
Strategic objective: Stimulate shared economic growth, job creation and social development
Risk description at Strategic Objective level: Inability to participate in the shared economic growth and create jobs and social development.
Risk category: Economic environment
Primary Cause (Risk at Operational level): Institution unable to meet significantly increased demand requirements of its stakeholders.
Secondary Cause (Risk at Business unit level):
1. Institution does not have funding for bulk infrastructure to cater for growth.
2. Institution re-active not proactive approach to growth.
4. High turnover of staff.
5. High vacancy rate.
Effect (Impact):
1. Sewerage operating above capacity (in rainy season spillage in rivers and dams in rural areas a health hazard).
2. Backlogs growing faster than what Institution can provide services.
3. Aged infrastructure unable to support area densification.
4. Institution not making use / benefiting from positive growth trends.
Exposure in Rand value: R25,000,000,00.00
Impact: Major
Likelihood: Common
Inherent risk: Maximum (20)
Existing controls:
Provision for free basic services
Implemented Local Economic Development Strategy
Public Works Programme
Liaison with other institutions
Perceived control effectiveness: Weak (0.80)
Residual risk: Maximum (16)
Residual Exposure in Rand value: R 18,000,000,000.00
Materiality Levels / Tolerance: R 10,000,000,000.00
Tolerance level exceeded: R 8,000,000,000.00
Risk owner: Local Economic Development Department
Actions to improve management of the risk: None identified by workshop participants
Action owner: Not applicable
Time scale: Not applicable

Page 6 of 18

08/24/2015

Attendees:
The names of the attendees need to be reflected in the rows below
Position
Contact number

Venue:
The venue of the risk assessment workshop needs to be recorded in the rows provided

Rating factors used in Risk Analysis

Each risk is evaluated in terms of potential loss, likelihood of occurrence and the effectiveness of controls in place to manage the risks according to the criteria set out below

Potential Loss / Impact

Severity ranking (factor): Assessment
Critical (5): Negative outcomes or missed opportunities that are of critical importance to the achievement of objectives
Major (4): Negative outcomes or missed opportunities that are likely to have a relatively substantial impact on the ability to meet objectives
Moderate (3): Negative outcomes or missed opportunities that are likely to have a relatively moderate impact on the ability to meet objectives
Minor (2): Negative outcomes or missed opportunities that are likely to have a relatively low impact on the ability to meet objectives
Insignificant: Negative outcomes or missed opportunities that are likely to have a relatively negligible impact on the ability to meet objectives

Likelihood

Likelihood category (factor): Category definition
Common (5): The risk is already occurring, or is likely to occur more than once within the next 12 months
Likely: The risk could easily occur, and is likely to occur at least once within the next 12 months
Moderate: There is an above average chance that the risk will occur at least once in the next three years
Unlikely: The risk occurs infrequently and is unlikely to occur within the next three years
Rare: The risk is conceivable but is only likely to occur in extreme circumstances

Perceived control effectiveness

Effectiveness category (factor): Category definition
Very good (20%): Risk exposure is effectively controlled and managed
Good (40%): Majority of risk exposure is effectively controlled and managed
Satisfactory (65%): There is room for some improvement
Weak (80%): Some of the risk exposure appears to be controlled, but there are major deficiencies
Unsatisfactory (90%): Control measures are ineffective

Inherent risk exposure

Inherent risk exposure: Factor
Maximum: 20
High: 15 < 20
Medium: 10 < 15
Low: 5 < 10
Minimum: < 5

Residual risk exposure

Residual risk exposure: Factor
Maximum: 10
High: 7.5 < 10
Medium: 5 < 7.5
Low: 2.5 < 5
Minimum: < 2.5
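The rating tables above can be used to recompute the register's "automatic" columns and catch rows whose recorded values have gone stale. This is an added example, not part of the template: the formulas (inherent = impact x likelihood, residual = inherent x control factor) are inferred from the example register rows, and the factor values marked as assumed in the comments, the inclusive lower bounds, and all function names are assumptions.

```python
"""Recompute a risk register's 'automatic' columns and flag rows that disagree."""

# Factors from the rating tables. Values marked "assumed" are not printed on the page.
IMPACT = {"Critical": 5, "Major": 4, "Moderate": 3, "Minor": 2,
          "Insignificant": 1}                     # Insignificant = 1 assumed
LIKELIHOOD = {"Common": 5, "Likely": 4, "Moderate": 3,
              "Unlikely": 2, "Rare": 1}           # all but Common = 5 assumed
CONTROL = {"Very good": 0.20, "Good": 0.40, "Satisfactory": 0.65,
           "Weak": 0.80, "Unsatisfactory": 0.90}

# (lower bound, band); lower bounds are treated as inclusive (assumption).
INHERENT_BANDS = [(20, "Maximum"), (15, "High"), (10, "Medium"), (5, "Low")]
RESIDUAL_BANDS = [(10, "Maximum"), (7.5, "High"), (5, "Medium"), (2.5, "Low")]


def band(value, bands):
    """Return the first band whose lower bound the value reaches."""
    for lower, name in bands:
        if value >= lower:
            return name
    return "Minimum"


def score(impact, likelihood, control):
    """Inherent = impact x likelihood; residual = inherent x control factor."""
    inherent = IMPACT[impact] * LIKELIHOOD[likelihood]
    residual = round(inherent * CONTROL[control], 2)
    return {"inherent": inherent, "inherent_band": band(inherent, INHERENT_BANDS),
            "residual": residual, "residual_band": band(residual, RESIDUAL_BANDS)}


def tolerance_exceeded(residual_exposure, tolerance):
    """Rand amount at or above tolerance, or None when below the tolerance level."""
    gap = residual_exposure - tolerance
    return gap if gap >= 0 else None


def audit(rows):
    """Return risk numbers whose recorded residual value or band is stale."""
    stale = []
    for no, impact, likelihood, control, rec_value, rec_band in rows:
        s = score(impact, likelihood, control)
        if (s["residual"], s["residual_band"]) != (rec_value, rec_band):
            stale.append(no)
    return stale


# Rows 1-5 use the ratings recorded in the example register.
# Row 6 is constructed: its recorded residual was not updated after re-rating.
REGISTER = [
    (1, "Critical", "Common", "Weak", 20, "Maximum"),
    (2, "Major", "Likely", "Good", 6.4, "Medium"),
    (3, "Major", "Likely", "Good", 6.4, "Medium"),
    (4, "Major", "Unlikely", "Good", 3.2, "Low"),
    (5, "Major", "Common", "Weak", 16, "Maximum"),
    (6, "Critical", "Likely", "Weak", 6.4, "Medium"),
]

if __name__ == "__main__":
    print("Stale rows:", audit(REGISTER))
```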


Risk categories
As the risk environment is so varied and complex, it is useful to group potential events into risk categories. Aggregating events horizontally across an institution and vertically within operational units allows the development of an understanding of the interrelationship between events and provides enhanced information as a basis for risk assessment.
The main categories to group individual risk exposures are provided below. When using this template the institution should replace the Risk categories in this worksheet with the Risk categories approved by the institution:

Risk type: Internal

Risk category: Human Resources
Description: Risks that relate to human resources of an institution. These risks can have an effect on an institution's human capital with regard to:
  Integrity and honesty;
  Recruitment;
  Skills and competence;
  Employee wellness;
  Employee relations;
  Retention; and
  Occupational health and safety.

Risk category: Knowledge and information management
Description: Risks relating to an institution's management of knowledge and information. In identifying the risks consider the following aspects related to knowledge management:
  Availability of information;
  Stability of the information;
  Integrity of information data;
  Relevance of the information;
  Retention; and
  Safeguarding.

Risk category: Litigation
Description: Risks that the institution might suffer losses due to litigation and lawsuits against it. Losses from litigation can possibly emanate from:
  Claims by employees, the public, service providers and other third party
  Failure by an institution to exercise certain rights that are to its advantage

Risk category: Loss \ theft of assets
Description: Risks that an institution might suffer losses due to either theft or loss of an asset of the institution.

Risk category: Material resources (procurement risk)
Description: Risks relating to an institution's material resources. Possible aspects to consider include:
  Availability of material;
  Costs and means of acquiring \ procuring resources; and
  The wastage of material resources

Risk category: Service delivery
Description: Every institution exists to provide value for its stakeholders. The risk will arise if the appropriate quality of service is not delivered to the citizens.

Risk category: Information Technology
Description: The risks relating specifically to the institution's IT objectives, infrastructure requirement, etc. Possible considerations could include the following when identifying applicable risks:
  Security concerns;
  Technology availability (uptime);
  Applicability of IT infrastructure;
  Integration / interface of the systems;
  Effectiveness of technology; and
  Obsolescence of technology.

Risk category: Third party performance
Description: Risks related to an institution's dependence on the performance of a third party. Risk in this regard could be that there is the likelihood that a service provider might not perform according to the service level agreement entered into with an institution. Non performance could include:
  Outright failure to perform;
  Not rendering the required service in time;
  Not rendering the correct service; and
  Inadequate / poor quality of performance.

Risk category: Health & Safety
Description: Risks from occupational health and safety issues e.g. injury on duty; outbreak of disease within the institution.

Risk category: Disaster recovery / business continuity
Description: Risks related to an institution's preparedness or absence thereto to disasters that could impact the normal functioning of the institution e.g. natural disasters, act of terrorism etc. This would lead to the disruption of processes and service delivery and could include the possible disruption of operations at the onset of a crisis to the resumption of critical activities. Factors to consider include:
  Disaster management procedures; and
  Contingency planning.

Risk category: Compliance \ Regulatory
Description: Risks related to the compliance requirements that an institution has to meet. Aspects to consider in this regard are:
  Failure to monitor or enforce compliance
  Monitoring and enforcement mechanisms;
  Consequences of non compliance; and
  Fines and penalties paid.

Risk category: Fraud and corruption
Description: These risks relate to illegal or improper acts by employees resulting in a loss of the institution's assets or resources.

Risk category: Financial
Description: Risks encompassing the entire scope of general financial management. Potential factors to consider include:
  Cash flow adequacy and management thereof;
  Financial losses;
  Wasteful expenditure;
  Budget allocations;
  Financial statement integrity;
  Revenue collection; and
  Increasing operational expenditure.

Risk category: Cultural
Description: Risks relating to an institution's overall culture and control environment. The various factors related to organisational culture include:
  Communication channels and the effectiveness;
  Cultural integration;
  Entrenchment of ethics and values;
  Goal alignment; and
  Management style.

Risk category: Reputation
Description: Factors that could result in the tarnishing of an institution's reputation, public perception and image.

Risk type: External

Risk category: Economic Environment
Description: Risks related to the institution's economic environment. Factors to consider include:
  Inflation;
  Foreign exchange fluctuations; and
  Interest rates.

Risk category: Political environment
Description: Risks emanating from political factors and decisions that have an impact on the institution's mandate and operations. Possible factors to consider include:
  Political unrest;
  Political interference;
  Local, Provincial and National elections; and
  Changes in office bearers.

Risk category: Social environment
Description: Risks related to the institution's social environment. Possible factors to consider include:
  Unemployment; and
  Migration of workers.

Risk category: Natural environment
Description: Risks relating to the institution's natural environment and its impact on normal operations. Consider factors such as:
  Depletion of natural resources;
  Environmental degradation;
  Spillage; and
  Pollution.

Risk category: Technological environment
Description: Risks emanating from the effects of advancements and changes in technology.

Risk category: Legislative environment
Description: Risks related to the institution's legislative environment e.g. changes in legislation, conflicting legislation.

Inherent risk vs Residual risk exposure

[Graph: Inherent risk and Residual risk plotted per risk number; axis labels: Impact, Likelihood]

Note: Risk numbers refer to risks on risk register

Explanation: Risks shown on the left hand side are higher inherent risks. The greater the gap between the inherent and residual risk, the more effective the controls mitigating the risks are. Management should concentrate on controlling high inherent risks, especially those with a low control effectiveness.

Note: The risk graph is automatically generated. Care should however be taken to ensure that the information recorded in the risk register has been reflected in the risk graph. Should any additional rows be inserted or deleted, care should be taken to ensure that the source data of the graph reflects the actual rows needed to generate the graph. This is done by right clicking on the graph and selecting source data. Once the source data screen comes up, select series. You need to ensure that the values and category (X) axis labels reflect the correct rows for both inherent and residual risk. To change from inherent risk to residual risk, click on residual risk and the residual risk information will be reflected.


How to use this worksheet


1) You type in the attendees / positions and venue
2) You type in risk name, description and background
3) Select the Impact (E), Likelihood (G) ratings
4) Sort by the small column next to Inherent risk rating
5) You type in current controls, actions, owners, timelines
6) You select a Control effectiveness (L)
7) You sort by the small column next to Residual risk.
8) Check bar graph
11) Print all sheets except for the "How to use" to have a complete report of the workshop
