Embedding risk management into the three lines model, streamlining combined assurance reporting, the change management process to ensure risk management is a strategic tool that informs decisions, the portfolio view of risk and the alignment between risk management and performance management.

NSA recently won a tender to review the Botswana Government’s ERM Framework against the Commonwealth best practices and the COSO 2017 framework. The specifications of the project included the delivery of practical examples to allow users to effectively implement ERM to enable stakeholders to appreciate the value created from a strategic perspective. Apart from the desktop exercise, the team also facilitated stakeholder engagements with the full spectrum of stakeholders.

More than two hundred stakeholders participated in multiple sessions to share their views on:

  • Expectations
  • The relation between risk and performance
  • The multiple disciplines already practicing some form of risk management (SWOT analysis, Forensic Auditing, External Auditors) and the legacy of duplication
  • The failure of combined assurance to inform decisions and strategic direction
  • The lack of tone at the top regarding risk management
  • The inability of risk management to provide ongoing information
  • Big data, cybersecurity and general controls
  • New and emerging risks that surprise operational management
  • The reactive response of risk management when new risks are identified
  • The incompleteness of the risk universe
  • The inadequate design and use of risk appetite and variation in performance (risk tolerance)
  • Digitalization of entities.


The extensive stakeholder participation forced the team to revisit the ERM framework and to add key and practical applications to address these shortcomings. Risk management can only work if:

  • Management demonstrates tone at the top, which results from an effective change management process
  • The risk assessment and risk recording process is designed to allow for effective breakdown (top-down) of risks and aggregation of risks (bottom-up) when needed
  • Risk appetite and variation in performance are used effectively to inform the Council, SMT and the Audit Committee of exposures
  • Detection controls and other data mining tools are used effectively to inform the key risk indicators
  • Root cause analysis tools and the Pareto principle are used effectively to direct improvement of controls.

The training intervention will allow participants to share in the results of the project. NSA redesigned the ERM Framework to apply to municipalities, and attendees will get access to the framework, practical examples, best practices and toolkits.
