Enterprise risk management (ERM) is how organisations systematically identify, assess, treat, and monitor the risks that could prevent them from achieving their objectives. In the African context — with its unique combination of political risk, currency volatility, infrastructure constraints, and rapidly evolving regulation — ERM is not just best practice; it is an operational necessity. This guide explains how to build an ERM framework that works in practice for South African and broader African organisations. Organisations ready to implement ERM with technology can explore GRC software designed for South Africa.

Why ERM Is Not Optional in Africa

African organisations face a risk environment that differs significantly from developed markets:

  • Regulatory complexity: Multiple overlapping frameworks — King IV, FICA, POPIA, sector regulators, JSE requirements — create a dense compliance landscape
  • Political and sovereign risk: Policy changes, expropriation risk, and political instability affect planning horizons
  • Infrastructure dependency: Load shedding, logistics disruptions, and telecommunications reliability create operational risks that have few direct equivalents in Europe or North America
  • Currency volatility: Rand depreciation and cross-border currency risk affect financial planning and performance
  • Governance expectations: King IV, the JSE Listings Requirements, and international investors all expect mature risk governance

Organisations that manage these risks systematically outperform those that don't — not because they avoid all risk, but because they make better-informed decisions about which risks to accept and which to mitigate.

COSO ERM: The Five Components

The COSO ERM framework (updated 2017) is one of the most widely adopted globally and aligns well with South African governance expectations. It organises ERM across five interconnected components:

Component | Focus | Key Activities
Governance & Culture | Sets the tone for risk management | Board risk oversight, risk culture, risk appetite setting
Strategy & Objective-Setting | Links risk to strategy | Risk tolerance aligned to strategy, scenario analysis
Performance | Identifies and manages risk to objectives | Risk identification, assessment, prioritisation, response
Review & Revision | Ensures ERM remains current | Ongoing monitoring, periodic review, improvement cycles
Information, Communication & Reporting | Enables informed decision-making | Risk registers, dashboards, board reporting, disclosures

ISO 31000 vs COSO ERM

ISO 31000 is a process standard — it defines how risk management should be conducted. COSO ERM is a management framework — it defines how risk integrates with strategy and performance. Both are complementary: ISO 31000 guides the day-to-day risk process; COSO ERM shapes how ERM connects to organisational decision-making at the executive and board level.

Building Your ERM Framework: 6 Steps

Step 1: Establish Risk Governance

Define who is responsible for risk at every level — the board's risk committee, the Chief Risk Officer (or equivalent), business unit risk owners, and control function oversight. Document this in a Risk Management Policy approved by the board. Without clear accountability, ERM degenerates into a documentation exercise.

Step 2: Define Risk Appetite

Risk appetite is the amount of risk the organisation is willing to accept in pursuit of its objectives. It must be set by the board, expressed in measurable terms (not vague statements), and cascaded into risk tolerances at the business unit level. A risk appetite statement that says "we have low appetite for compliance risk" is meaningless without specifying what "low" means in measurable terms.

Step 3: Establish a Risk Taxonomy

A risk taxonomy is the organisation's standardised classification of risk types. Common top-level categories include: Strategic, Operational, Financial, Compliance/Regulatory, Reputational, and Technology risk. Consistent taxonomy ensures comparability across business units and enables portfolio-level risk analysis.

Step 4: Build Your Risk Register

The risk register is the operational core of ERM. It captures risk descriptions, inherent ratings, control effectiveness, residual ratings, risk owners, and treatment plans. Critically, it must be a living document — reviewed regularly and updated when the risk environment changes, not produced once a year for board consumption.

Step 5: Implement Controls and Monitoring

Each risk with a residual rating above the risk appetite threshold must have an active treatment plan. Controls must be documented, tested for effectiveness, and linked directly to the risks they mitigate. Monitoring calendars ensure controls are tested at appropriate intervals.

Step 6: Report to Governance Bodies

ERM only adds value if risk information reaches decision-makers. Board-level reporting should focus on the risk profile, changes in top risks, appetite breaches, and emerging risks. Management reporting should drive accountability for risk treatment actions. The frequency and format of reports should match the governance structure.
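The six steps above can be exercised end to end in a small risk register. The following Python example is added here for illustration and is not code from this page or from any GRC product. The 1-5 likelihood and impact scale, the model in which each tested control removes a fixed share of the remaining exposure, the per-category appetite thresholds, the 90-day control-testing interval and the four sample risks are all constructed assumptions. It states the appetite in measurable terms (Step 2), uses the taxonomy from Step 3, scores inherent and residual ratings for each register entry (Step 4), checks that every appetite breach has a treatment plan and that controls have been tested within the monitoring interval (Step 5), and produces the board-level view of top risks, breaches and gaps (Step 6).

```python
# Added example: a minimal risk register for Steps 2 to 6. The scoring scale,
# control model, appetite thresholds and sample risks are constructed assumptions.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Category(Enum):
    """Step 3: top-level risk taxonomy (the categories named in the text)."""
    STRATEGIC = "Strategic"
    OPERATIONAL = "Operational"
    FINANCIAL = "Financial"
    COMPLIANCE = "Compliance/Regulatory"
    REPUTATIONAL = "Reputational"
    TECHNOLOGY = "Technology"


# Step 2: appetite stated as a measurable ceiling on residual score per category.
# Assumed scale: likelihood 1-5 x impact 1-5, so scores range from 1 to 25.
APPETITE = {
    Category.STRATEGIC: 12, Category.OPERATIONAL: 10, Category.FINANCIAL: 10,
    Category.COMPLIANCE: 4, Category.REPUTATIONAL: 6, Category.TECHNOLOGY: 8,
}
CONTROL_TEST_INTERVAL_DAYS = 90  # assumed monitoring calendar (Step 5)
REPORT_DATE = date(2025, 10, 1)  # assumed "as at" date for the sample report


@dataclass
class Control:
    name: str
    effectiveness: float  # 0.0 (no effect) to 1.0 (fully effective), set by testing
    last_tested: date

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be in [0, 1]")


@dataclass
class Risk:
    risk_id: str
    description: str
    category: Category
    owner: str
    likelihood: int  # 1-5
    impact: int      # 1-5
    controls: list[Control] = field(default_factory=list)
    treatment_plan: str | None = None

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in range(1, 6):
                raise ValueError(f"{self.risk_id}: {name} must be 1-5")

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Assumed model: each control independently removes a share of the
        # remaining exposure; two 50% controls leave 25% of the inherent score.
        remaining = 1.0
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return round(self.inherent() * remaining, 1)

    def breaches_appetite(self) -> bool:
        return self.residual() > APPETITE[self.category]


def stale_controls(register: list[Risk], today: date) -> list[tuple[str, str]]:
    """Controls whose last test is older than the monitoring interval."""
    return [(r.risk_id, c.name) for r in register for c in r.controls
            if (today - c.last_tested).days > CONTROL_TEST_INTERVAL_DAYS]


def board_report(register: list[Risk], today: date) -> dict:
    """Step 6: what the board needs to see, not the whole register."""
    ranked = sorted(register, key=lambda r: r.residual(), reverse=True)
    breaches = [r for r in ranked if r.breaches_appetite()]
    return {
        "top_risks": [(r.risk_id, r.residual()) for r in ranked],
        "appetite_breaches": [r.risk_id for r in breaches],
        # Step 5: every residual rating above appetite must carry a treatment plan.
        "untreated_breaches": [r.risk_id for r in breaches if not r.treatment_plan],
        "stale_controls": stale_controls(register, today),
    }


# Constructed sample register; identifiers, owners, ratings and dates are illustrative.
SAMPLE_REGISTER = [
    Risk("R-001", "Ransomware takes core systems offline", Category.TECHNOLOGY, "CIO",
         likelihood=4, impact=5,
         controls=[Control("Offline backups", 0.5, date(2025, 9, 20)),
                   Control("EDR on all endpoints", 0.4, date(2025, 3, 15))]),
    Risk("R-002", "POPIA breach notification deadline missed", Category.COMPLIANCE,
         "Information Officer", likelihood=3, impact=4,
         controls=[Control("Incident response playbook", 0.3, date(2025, 8, 1))],
         treatment_plan="Breach-notification tabletop exercise, Q4"),
    Risk("R-003", "Load shedding halts production", Category.OPERATIONAL, "COO",
         likelihood=5, impact=4,
         controls=[Control("Generator and fuel contract", 0.6, date(2025, 5, 1))]),
    Risk("R-004", "Rand depreciation on USD supplier contracts", Category.FINANCIAL,
         "CFO", likelihood=4, impact=3),
]

if __name__ == "__main__":
    for key, value in board_report(SAMPLE_REGISTER, REPORT_DATE).items():
        print(f"{key}: {value}")
```

Running the block prints the report for the sample register: R-004 and R-002 sit above appetite, R-004 has no treatment plan, and two controls are overdue for testing. Separating inherent from residual scoring is what makes the register show what the controls are actually buying: an untested or ineffective control must not lower the residual score, which is why effectiveness is an input from control testing rather than a consequence of the control's existence.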

ERM Maturity Levels

Most organisations progress through recognisable ERM maturity stages:

Level | Description | Typical Characteristics
1 — Initial | Ad hoc risk management | Risks managed reactively, no consistent process, no risk register
2 — Developing | Risk register exists but limited use | Annual risk assessments, limited board engagement, risk in silos
3 — Defined | Formal ERM process in place | Consistent methodology, risk appetite defined, quarterly reporting
4 — Managed | ERM integrated into business processes | Risk-informed decisions, control effectiveness measured, real-time monitoring
5 — Optimising | ERM drives competitive advantage | Predictive risk analytics, continuous improvement, strategic risk-taking

Most South African organisations operate at Level 2–3. The gap between Level 3 and Level 4 is typically closed through technology — replacing spreadsheets and email with integrated GRC platforms.

The Cost of Poor ERM in Africa

The consequences of inadequate ERM are not hypothetical in the African context:

  • State capture and SOE failures: Eskom, SAA, and Transnet's governance failures illustrate the systemic cost of weak risk oversight
  • Greylisting: South Africa's 2023 FATF greylisting directly reflected inadequate systemic risk management of financial crime
  • JSE delistings and restatements: Multiple listed companies have faced regulatory action after ERM failures
  • Operational collapses: Infrastructure-dependent businesses without risk-aware contingency planning have suffered disproportionately during energy and logistics disruptions

How Technology Enables ERM at Scale

Manual ERM — spreadsheets, email, and disconnected documents — creates four structural problems:

  • Version control failures: Multiple risk register versions circulate simultaneously
  • Accountability gaps: Risk owners don't receive automatic reminders; treatment actions are not tracked
  • Reporting delays: Consolidating risk data from multiple sources takes weeks
  • Audit trail absence: No record of when risks were reviewed, by whom, and what decisions were made

A purpose-built ERM platform resolves all four — providing a single risk register, automated workflows, real-time dashboards, and complete audit trails. For organisations implementing King IV and COSO ERM simultaneously, platform support is often the difference between a functional programme and one that exists only on paper.

Key Takeaways

  • African organisations face unique risk factors — political risk, currency volatility, load shedding — that make ERM especially critical
  • COSO ERM's five components provide a robust framework that aligns with King IV and JSE requirements
  • Building ERM requires six steps: governance, risk appetite, taxonomy, risk register, controls/monitoring, and reporting
  • Most South African organisations are at ERM maturity Level 2–3; technology is the primary lever to progress to Level 4
  • Manual ERM processes create version control, accountability, reporting, and audit trail failures
  • Effective ERM produces measurable business value — better decisions, fewer surprises, stronger governance

Frequently Asked Questions

What is the difference between ERM and risk management?

Traditional risk management operates in departmental silos — IT manages IT risk, finance manages financial risk. ERM takes a holistic, organisation-wide view that connects risk to strategy, integrates information across business units, and ensures the board has a complete picture of risk exposure.

Which ERM framework is best for South African organisations?

Most South African organisations align with COSO ERM for the overall framework, ISO 31000 for the risk process, and King IV for governance and oversight. These are complementary, not competing — use King IV to define board accountability, COSO ERM to connect risk to strategy, and ISO 31000 to guide the day-to-day risk management process.

How long does it take to implement ERM?

A basic ERM framework — governance structure, risk appetite, initial risk register, and board reporting — can be established in 3–6 months. Reaching ERM maturity Level 3 (defined, consistent process) typically takes 12–18 months. Technology accelerates implementation significantly by providing pre-built frameworks, workflows, and reporting.

Does King IV require ERM?

Yes. King IV (Principle 11) requires the governing body to govern risk in a way that supports the organisation in setting and achieving its strategic objectives, which means overseeing risk management across the organisation and ensuring it is integrated into strategy and operations. King IV applies on an "apply and explain" basis, so material non-application of its risk governance principles must be explained publicly, and such explanations are closely scrutinised by investors and regulators.

References
1. COSO. Enterprise Risk Management — Integrating with Strategy and Performance, 2017.
2. ISO 31000:2018. Risk Management — Guidelines. International Organization for Standardization.
3. Institute of Directors South Africa. King IV Report on Corporate Governance for South Africa, 2016.
4. World Bank. Africa's Pulse: Economic Overview. 2025.
5. JSE Limited. Listings Requirements. Updated 2024.
6. South African Reserve Bank. Financial Stability Review. 2025.