University of Pretoria Logo
English |  Afrikaans |    
Risk Management and Internal Audit


UP recognises the importance of risk management as integral to good corporate governance. UP is therefore required to systematically manage and regularly update its risk profile at a strategic, macro-operational and operational level. The aim of risk management is to ensure that significant, actual and potential risks facing our organisation, are identified, assessed, evaluated and managed in an effective way.

Risks are identified by following a structured approach strongly focusing on organisational objectives at the various levels of the organisation. Management and employees are continuously encouraged to identify significant risks facing the organisation and communicate these risks through the appropriate structures provided.

Central to the risk management process at UP is the Strategic Risk Management Committee (hereafter referred to as the Committee). In the University context this Committee is responsible for the assessment and evaluation of significant risks and it ensures that there are appropriate forums and focus on feedback with regard to management of risks through an appropriate system of control. 

The pool of previously identified and potential new significant risks facing the University is presented to the Committee annually.  Following a process of elimination as per criteria, the Committee identifies a reduced list of possible strategic risks. These risks are then assessed in terms of impact and likelihood in order to determine inherent risk exposure. (The number of risks might be adjusted during the assessment phase due to overlapping that could result in a reduction in the number of risks included in the final Risk Register.)

After the risk rating has been concluded and accountability at Executive level established, each significant risk is distributed to the responsible member of the Executive. This member, in conjunction with his management team is tasked by the Committee to identify relevant measures currently implemented to manage the identified risks. The control measure information is incorporated into existing information and each significant risk with its mitigating measures is presented to the Committee for evaluation. The control appropriateness of the measures are evaluated and the perceived residual risk exposure determined.

For all Critical and high risks the Risk Management Policy of the University requires that the risk owner prepares a Risk Treatment Plan to indicate additional measures/controls to be implemented to manage the risk to more acceptable levels. These Risk Treatment Plans are approved by the Executive and presented to the Audit and Risk Management Committee of Council.

The above risk information is combined into a formal Risk Register to provide comprehensive information on the most significant risks and control measure information. To promote accountability and ownership for the management of these risks, a hard and soft copy of this document is distributed to all members of the Executive and relevant senior management. 

The above document fulfils a multipurpose role in that it not only forms the core of current risk management activities but the information gathered also plays a significant role in the risk-based approach followed by the internal auditors when compiling the internal audit plan.

A similar methodology to the one used for the management of strategic risks is implemented at the Faculties/Directorate level.  The macro-operational and operational level risk registers will be updated and presented to the Committee annually.