About the Author(s)

Christopher E. Whittle
School of Public Management, Governance and Public Policy, College of Business and Economics, University of Johannesburg, Johannesburg, South Africa

Danielle Nel-Sanders
School of Public Management, Governance and Public Policy, College of Business and Economics, University of Johannesburg, Johannesburg, South Africa


Whittle, C.E. & Nel-Sanders, D., 2022, ‘The regulatory framework for enterprise risk management in South African local government’, Africa’s Public Service Delivery and Performance Review 10(1), a610. https://doi.org/10.4102/apsdpr.v10i1.610

Original Research

The regulatory framework for enterprise risk management in South African local government

Christopher E. Whittle, Danielle Nel-Sanders

Received: 21 Oct. 2021; Accepted: 20 May 2022; Published: 23 Sept. 2022

Copyright: © 2022. The Author(s). Licensee: AOSIS.
This is an Open Access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


Background: Enterprise risk management (ERM) entails the processes and procedures applied to mitigate uncertainties that could impact the achievement of objectives. New public management introduced business practices such as ERM to the public sector, which was adopted by the South African government across all three spheres of government including municipalities. Local government is obliged to implement ERM because of legislative requirements, National Treasury prescripts and the adoption of the King IV Code of Corporate Governance.

Aim: To discuss ERM within the public sector and provide the contextualisation of ERM. It sets out the ERM structure, roles and responsibilities required by legislation and good corporate governance. Recommendations to improve ERM are provided.

Setting: Within the South African local government.

Methods: This study adopted a qualitative research approach and applied a research method based on desktop analysis of literature and secondary data sources using unobtrusive research techniques.

Results: Reference is only made to risk in relation to financial management in municipal legislation. National Treasury has guided ERM through the Public Sector Risk Management Framework. The King IV Code provides guidance to local government councils regarding risk governance.

Conclusion: The current legislative framework does not provide adequate guidance for effective ERM. Focus is placed on controls and compliance, which undermines ERM’s potential contribution to value creation. ERM within local government has little predictive value and has limited contribution in ensuring objectives are achieved.

Keywords: enterprise risk management; new public management; risk; corporate governance; local government; South Africa.


The application of enterprise risk management (ERM), which can be defined as within organisations, private and public, has become a common practice. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM:

[A]s a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO 2004:2)

Enterprise risk management emerged as a concept and as a management function within corporations in the mid-1990s (Dickinson 2001:360). It was adopted in the public sector because of the New Public Management (NPM) movement in which business practices were absorbed into the public sector. Enterprise risk management is a relatively new discipline within the public sector and in many cases is still immature in its implementation. Consequently, there is a general lack of literature addressing ERM practice at the local government level and guidance for its effective implementation is limited. This article aims to identify the legislative and corporate governance frameworks that regulate ERM within South African municipalities.

This research followed a qualitative approach in which literature and secondary data were analysed through unobtrusive research techniques. The non-reactive techniques applied, which include conceptual, content and historical or comparative analysis (Auriacombe 2016:6–10), were used to gather information through public documents, scholarly literature, legislation, government policies and reports.

This article aims to discuss the origins of ERM within the public sector and provides the contextualisation of ERM within the South African government. It sets out the structure, roles and responsibilities required by legislation and the good corporate governance requirements for ERM in local government. Recommendations for further consideration to improve ERM are provided.

The rise of enterprise risk management in the public sector

The NPM movement emerged in the late 1970s and 1980s. According to Kisner and Vigoda-Gadot (2017:534), NPM evolved to become an approach in public administration that employs knowledge and experiences acquired in business management and other disciplines to improve efficiency, effectiveness and general performance of public services in modern bureaucracies.

The NPM had modernisation as its primary agenda and incorporated practices from the private sector in the pursuit of public sector efficiency. In doing so, NPM drew heavily upon private sector performance criteria and practices (Lapsley 2009:1). The NPM-proposed reforms shifted the emphasis from traditional public administration to public management with an entrepreneurial focus (Larbi 1999:iv).

The introduction of risk management in the public sector as part of these reforms was heavily influenced by private sector disasters such as the collapse of Barings Bank and corporate failures such as WorldCom and Enron. The adoption of risk management was considered to offer public service managers the ability to balance the need to be entrepreneurial, while still focusing on avoiding unnecessary failures. According to Lapsley (2009:15), the adoption of risk management was driven primarily by the fear of failure and ‘… seen as a defensive response by public service managers to avoid the blame culture associated with the public sector, especially the performance management regime’.

In the South African context, no single trigger for public finance management (PFM) reforms as part of the NPM can be identified; however, the primary identified driver of PFM reforms was political change (Pretorius & Pretorius 2008:4).

As a result of the numerous criticisms levelled at NPM, many Anglo-Saxon countries (including South Africa) introduced post-NPM reforms at the end of the 1990s. These new paradigms, which have been identified by scholars in Public Administration, include good (or sound) governance, the Neo-Weberian state, Public Value Management, New Public Governance (NPG) and Digital-Era Governance, to name the most prominent ones (De Vries & Nemec 2013:4). Despite the perceived failure of NPM, researchers such as Nemec and De Vries (2012:1–3) state that literature on NPM indicates that many NPM-developed tools and instruments are still to be found all over the world and, while in some cases the principles of NPM may have been interpreted and implemented differently, the underlying principles remain relevant.

Increased international demand for good governance has resulted in the discipline of ERM rising to further prominence. The Singapore Code of Corporate Governance, for example, introduced the concept of risk governance as a key principle 2 to the Code as it recognised ‘…that good risk management goes hand-in-hand with good corporate governance’ (PWC n.d.). The need for management of risk is no less a requirement for the public sector, and the International Federation of Accountants (IFAC) indicates that ‘governing bodies of public sector entities need to ensure that effective systems of risk management are established as part of the framework of control’ (IFAC 2001:17). This is further illustrated by the Government Finance Function of HM Treasury (2019:6), which states that as a principle ‘risk management shall be an essential part of governance and leadership, and fundamental to how the organisation is directed, managed and controlled at all levels’.

The linkage between governance and risk management in local government is confirmed by the Auditor-General in the ‘Consolidated general report on the local government audit outcomes MFMA 2019-20 report’ when he reported that the municipal governance structures assisted the Overstrand municipality to adequately respond to key risk areas and proactively address identified deficiencies (Auditor-General South Africa 2021:49). This report further identified the risk that the deteriorating financial health of municipalities, because of difficulties relating to poor revenue collection, debt write-offs and credit downgrades, would pose a threat to municipalities achieving their planned service delivery targets (Auditor-General South Africa 2021:127). To address the poor financial position of municipalities in general, the Auditor-General states that all ‘municipalities should ultimately strive to attain levels where control environments and robust risk-assessment processes are institutionalised’ (Auditor-General South Africa 2021:155). This, however, is not the state of local government in South Africa, where municipal finance is in a state of near collapse.

Defining risk

The word ‘risk’ is common and widely used in everyday vocabulary, covering such divergent matters as personal circumstances (health, investments and adventurous activities), societal matters (economic conditions and military food security) and organisational matters (corporate governance, strategy and business continuity). Haimes (2009:1647) identifies the complexity of defining risk, with the Society for Risk Analysis identifying 13 definitions of risk in 1981. This is confirmed by Ngwenya (2017:4), who contends that because risk is contextual, no single definition meets all the possible meanings of risk.

Risk is herein seen in the context of enterprise-wide risk management (ERM) and is defined by the International Organization for Standardization (ISO) in Standard 31000:2018 as being ‘the effect of uncertainty on objectives’. This definition is closely aligned with that provided by the King IV Report on Governance for South Africa (IODSA 2016), namely, that risk:

[I]s about the uncertainty of events; including the likelihood of such events occurring and their effect, both positive and negative, on the achievement of the organisation’s objectives. Risk includes uncertain events with a potentially positive effect on the organisation (i.e. opportunities) not being captured or not materialising. (p. 16)

Constitutional governance obligations

South Africa is a constitutional democracy with a three-tier system of government and an independent judiciary. The national, provincial and local levels of government are defined in the Constitution of the Republic of South Africa 1996 (hereinafter referred to as the Constitution) as spheres of government. Chapter 3 of the Constitution describes the three spheres as being ‘distinctive, interdependent and interrelated’ and enjoins them to ‘cooperate in mutual trust and good faith’. Local government, as an integral component of the democratic state, is a sphere of government in its own right; it is not a function of national or provincial government and has legislative and executive authority in its own sphere of influence (The White Paper of Local Government 1998:75). The South African local government is divided into local, district and metropolitan municipalities, comprising eight metropolitan municipalities (category A), 226 local municipalities (category B) and 44 district municipalities (category C) (SA Government online).

The purpose of local government is to provide democratic and accountable government to local communities and to ensure the provision of services to communities in a sustainable manner. In addition, the aim of local government is to promote social and economic development, a safe and healthy environment and to encourage the involvement of communities and community organisations in the matters of local government (Sections 152, 153 and 154 of the Constitution). The Constitution (section 152) recognises that not all municipalities have the same capabilities or resources and provides a caveat to the objectives, namely, that a municipality must achieve these objectives within its financial and administrative capacity. In section 195, the Constitution provides, inter alia, guidance on good governance in the public sector and expects that the efficient, economic and effective use of resources should be practised. The requirements for good governance and effective administration of the public sector in general and municipalities as required in the Constitution are encapsulated in enabling legislation that regulates the municipalities. This legislative framework for local government also addresses the requirements for risk management to ensure that the objectives of local government, as stated in the Constitution, are achieved.

Legislative framework dealing with enterprise risk management

The preamble of the Municipal Finance Management Act 56 of 2003 (MFMA 2003) states its purpose, namely,

[T]o secure sound and sustainable management of the financial affairs of municipalities and other institutions in the local sphere of government; to establish treasury norms and standards for the local sphere of government, and to provide for matters connected therewith. (p. 1)

The only reference to risk in legislation governing local government is found in section 62 of the MFMA, which requires the Accounting Officer (AO) to take reasonable steps to ensure that the resources of the municipality are used effectively, efficiently and economically. In order to do so, the AO must ensure that full and proper records of the financial affairs of the municipality are kept and that the municipality has and maintains effective, efficient and transparent systems of financial and risk management and internal control (MFMA 2003:73). The MFMA further prescribes in section 165 that an internal audit unit should be established, which must:

  • prepare a risk-based audit plan and an internal audit program for each financial year;
  • advise the accounting officer and report to the audit committee on the implementation of the internal audit plan and matters relating to internal audit; internal controls; accounting procedures and practices; risk and risk management. (MFMA 2003:153)

Section 166 of the MFMA requires the municipality to establish an audit committee which should be an independent advisory body that must advise the municipal council, political office-bearers, the AO and the management of the municipality on matters related to, inter alia, risk management (MFMA 2003:154). The Minister of Finance is empowered by section 20 of the MFMA to prescribe uniform norms for the effective implementation of the MFMA. This has resulted in the publication of the revised Local Government Risk Management Framework by the South African National Treasury (hereinafter referred to as Treasury) in January 2018.

Enterprise risk management oversight and roles in local government

The roles related to ERM within local government are divided between the exercise of oversight to ensure its effectiveness and that of implementation and its day-to-day operation.

The audit committee

Risk oversight in local government has been vested in an audit committee, which usually is referred to as an audit and risk committee, as it has also been tasked to exercise oversight of ERM from a governance perspective. In local government, an audit committee must be established in terms of Section 166 of the Municipal Finance Management Act. The audit committee is responsible for ‘providing the Accounting Authority/Officer with independent counsel, advice and direction in respect of risk management’ (National Treasury n.d. [c]:7). Where no separate risk management committee (RMC) has been established, the audit committee should assume the same responsibilities that had been ascribed to the RMC.

The audit committee is the only committee recognised in local government legislation as being responsible for the oversight of risk management. In terms of the revised Treasury Internal Audit Framework, risk management is an essential part of effective corporate governance and while it is a management responsibility, management expects the audit committee to oversee and provide advice on the organisation’s risk management (National Treasury n.d. [c]:7–8). The audit committee is required to review:

  • Whether management has a comprehensive risk management framework.
  • Whether a sound and effective approach has been followed in developing strategic risk management plans.
  • The impact of the organisation’s risk management framework on the control environment.
  • The organisation’s fraud prevention plan, to be satisfied that the organisation has appropriate processes and systems in place to capture, monitor and effectively investigate fraudulent activities (National Treasury n.d. [c]:13–14).

The audit committee is the only committee recognised in the MFMA as being responsible for the oversight of risk management. National Treasury (2009:13) identifies the audit committee as playing a distinct and integral role in the risk management process because it independently assesses and oversees the entire risk management function, coupled with counsel and guidance to improve the system. In line with principle 15 of King IV (IODSA 2016:68), the effective function of the role of the audit committee in risk management should enhance the internal controls of the institution not only to assist with sound financial management but also to assist the institution in achieving its public mandate.

The role of the accounting officer

The responsibility for implementing an effective risk management system lies with the AO, who is also responsible for creating an enabling environment for the management of risks and ensuring that the necessary risk management framework and process is implemented to achieve the municipality’s objectives. According to Treasury, the high-level risk management responsibilities of the AO include, inter alia, the following:

  • Setting the tone at the top by supporting ERM and allocating resources for its functioning.
  • Establishing the necessary structures and reporting lines to support ERM.
  • Approving the risk management strategy, risk management policy, risk management implementation plan and fraud risk management policy.
  • Approving the municipality’s risk appetite and risk tolerance.
  • Influencing a ‘risk aware’ culture and approving a code of conduct.
  • Holding management accountable for integrating risk management principles into their day-to-day activities.
  • Ensuring that a conducive control environment exists to ensure that identified risks are proactively managed.
  • Leveraging the audit committee, internal audit, RMC and other appropriate structures for assurance on the effectiveness of risk management and acting upon their recommendations.
  • Providing appropriate leadership and guidance on various aspects of risk management (National Treasury n.d. [a]:6–7).

Although there are many role-players in the typical risk management process, the MFMA holds the AO responsible and accountable for risk management. Some of the responsibilities attached to this accountability arrangement may be delegated to other officials, for example, senior managers, line managers or technical specialists. Section 24 of the Public Sector Risk Management Framework makes provision for the AO to appoint an RMC to assist them to discharge their responsibilities for risk management. According to the Guide for an RMC issued by the National Treasury, such a committee is defined as ‘an oversight committee responsible to the Accounting Authority/Officer for the monitoring of risk management (i.e. to assist in designing, implementing and coordinating the institution’s risk management initiatives)’ (National Treasury n.d. [b]:2). It is therefore clear that the RMC is seen as a management committee and not on the same level as the audit committee, that is, it is not a board-level committee.

Risk management committee

The role of the RMC in local government is not that of a board-level committee, but a committee established to advise the AO on risk-related matters. The risk management committee has several high-level responsibilities, including:

  • The review of the risk management policy and strategy.
  • Review the risk appetite and tolerance and recommend for approval by the AO.
  • Review the institution’s risk identification and assessment methodologies to obtain reasonable assurance of the completeness and accuracy of the risk register.
  • Develop goals, objectives, and key performance indicators to measure the effectiveness of the risk management activity.
  • Provide proper and timely reports to the AO on the state of risk management, together with aspects requiring improvement accompanied by the Committee’s recommendations to address such issues (National Treasury n.d. [b]:7–8).

Chief risk officer

According to National Treasury, the primary responsibility of the chief risk officer (CRO) is to assist the institution to embed risk management and leverage its benefits to enhance performance. In this regard, the CRO is accountable to the AO (National Treasury 2020). The CRO should centralise risk management across the municipality, bringing an understanding of the relationships between risks within separate departments that may never have emerged before. In addition, CROs should enable management and the council to make decisions based on a better appreciation of the relationship between risk and reward. Chief risk officers are most effective when they provide a council with a clear understanding of where enterprise risks lie, assist with the development of a risk policy for distributing and offsetting those risks, and communicate the risk in order that managers understand and mitigate it (Economic Intelligence Unit 2005:4–6).

The role of internal audit

Internal auditing should be an independent, objective assurance and consulting activity. Its core role regarding ERM is to provide objective assurance to the municipal council and management on the effectiveness of risk management practice (IIA 2009:3). The Internal Audit (IA) function is responsible for assuring the AO and the audit committee on the adequacy and effectiveness of risk management. Responsibilities of IA in risk management include:

  • Reviewing the risk management policy, strategy, fraud prevention plan, risk reporting lines and the values that have been developed for the institution.
  • Reviewing the appropriateness of risk tolerance levels for the municipality given its risk profile.
  • Assuring the design and functioning of the control environment, information and communication systems and monitoring systems.
  • Providing assurance over the institution’s risk identification and assessment processes and the effectiveness of internal controls to mitigate identified risks.
  • Utilising the results of the risk assessment to develop long term and current year internal audit plans (National Treasury n.d. [d]:7–8).

In addition to the legislated requirements for good governance and risk management within South African local government, other important guidelines and frameworks that address corporate governance and effective ERM exist, which need to be considered.

Corporate governance and risk management frameworks

Although not legislated, the importance of corporate governance codes and risk management frameworks cannot be underestimated. In South Africa, as is the case internationally (the UK Corporate Governance Code 2018 and ISO 37000 as examples), there has been a move away from a rule-driven approach to governance to one that is based on principle. In these codes, as is the case in the fourth report on Corporate Governance released by the Institute of Directors of South Africa in 2016 (King IV), good governance is about leadership and applying sound principles, not mindless compliance with requirements.

King IV code of good corporate governance

King IV refers to corporate governance as ‘the exercise of ethical and effective leadership by the governing body towards the achievement of the following governance outcomes:

  • Ethical culture
  • Good performance
  • Effective control
  • Legitimacy’ (IODSA 2016:11).

King IV, unlike earlier codes (King codes I–III which applied only to business entities), is also applicable to the public sector. This is particularly demonstrated by it using the term ‘governing body’ instead of ‘board’ when referring to the structure that has primary accountability for the governance and performance of an organisation. King IV indicates that the definition of a governing body includes ‘… among others, the board of directors of a company, the board of a retirement fund, the accounting authority of a state-owned entity and a municipal council’ (IODSA 2016:12).

King IV can be summarised as follows: an ethical governing body will provide leadership to the organisation and, through the application of recommended practices to implement good corporate governance principles, the desired outcomes will be attained. King IV identifies 17 principles, of which 16 are universally applicable to all organisations including local government. In addition to the principles of good governance, King IV includes several supplements which provide high-level guidance and direction on how the code should be interpreted and applied within specific sectors and organisational types. Local government is addressed in part 6.2 – Supplement for municipalities. According to King IV (2016):

[G]ood governance is essential to ensure the success of the municipality itself, and to protect and advance the interests of those whom it serves. Good corporate governance assists by enhancing the functioning of leadership structures, and by providing the arrangements which enable the council to govern the municipality in such a way that it is able to meet its objectives. (p. 79)

Table 1 provides a summary of the governance requirements imposed by King IV on a municipal council.

TABLE 1: Municipal good governance requirements.

The good governance principles in King IV that are explicitly applicable to the area of risk management include the following:

  • Principle 4: ‘The council should appreciate that the municipality’s core purpose, its risks and opportunities, strategy, business model, performance and sustainable development are all inseparable elements of the value creation process’ (King IV 2016:81).
  • Principle 8: ‘The council should ensure that its arrangements for delegation within its structures promote independent judgement and assist with balance of power and the effective discharge of its duties’ (King IV 2016:84).
  • Principle 11: ‘The council should govern risk in a way that supports the municipality in setting and achieving its strategic objectives’ (King IV 2016:85).
  • Principle 15: ‘The council should ensure that assurance services and functions enable an effective control environment and that these support the integrity of information for internal decision-making and of the municipality’s external reports’ (King IV 2016:86).

In the supplement for local government, King IV acknowledges that these recommended practices are subject to section 59 of the Municipal Systems Act which requires the council to ‘develop a system of delegation that will maximise administrative and operational efficiency and provide for adequate checks and balances’ (King IV 2016:84). Furthermore, it also recognises that, in terms of section 79 of the Municipal Structures Act, the council may set up committees such as Municipal Public Accounts Committees to assist with oversight of the municipality’s performance.

As municipalities have no authority to appoint an auditor (the Auditor-General serves as the external auditor of all local authorities), the audit committee’s duties with regard to the appointment and independence of the auditor in terms of the code do not apply. The MFMA prescribes the structure and functions of the municipal audit committee and therefore these requirements prevail over the recommended practices in the Code. Where allowed by the legislation, however, King IV’s recommended practices with respect to the execution of the duties of the audit committee should be considered to supplement the minimum standard set by law (King IV 2016:84).

International Organization for Standardization 31000:2018

The South African Bureau of Standards (SABS) operates under the requirements of the Standards Act, 2008 (No. 8 of 2008) as the national standardisation institution in South Africa. The SABS has adopted the ISO standard for risk management (ISO 31000:2018) as the South African National Standard (SANS), reissued as SANS 31000:2019. The ISO has issued several risk management-related standards that guide risk management. ISO 73:2009, for example, provides the basic vocabulary to develop a common understanding of risk management concepts and terms and has a generic application across all organisation types and forms (ISO(a)). Borghesi and Gaudenzi (2013:37) indicate that this standard provides a common risk language and lexicon to foster the ‘sharing of information and establishment of metrics and communicating results. The latter can only be successful because of a common language’. The ISO 31000:2018 standard addresses the following:

  • Key terms such as risk, risk management, stakeholder, risk source, event, consequence, likelihood and control are defined.
  • Principles such as stating that the primary purpose of ERM is to create and protect value are established. Eight further principles that should be considered when developing an organisation’s ERM framework are provided.
  • A framework by which ERM can be integrated into the organisation and its structures is introduced.
  • The risk management process, including the elements of risk identification, analysis, evaluation, treatment, monitoring and review as well as communication and consultation is addressed (Veltsos 2018).

The principle-based approach applied by ISO 31000:2018 is well aligned with the principles identified by King IV by which an organisation should be governed. The extent to which the principles, framework and risk management process have been effectively implemented in a municipality will determine its risk maturity.

Local Government Risk Management Framework

The Local Government Risk Management Framework (LGRMF) also incorporates the requirements of King III and IV insofar as the management of risk is concerned. The LGRMF further states that it is ‘principle’ rather than ‘prescript’ based and ‘… adopts the approach of elucidating the principles, standards, models and practices proven to support and sustain effective risk management’ (National Treasury 2018:22).

The expressed purpose of the LGRMF is to support municipalities to improve and sustain their performance by enhancing their systems of risk management to protect against adverse outcomes and optimise opportunities (National Treasury 2018:21). The MFMA requires municipalities to, inter alia, implement and maintain effective, efficient and transparent systems of risk management and internal control. Treasury clarifies this requirement by stating that:

[…] municipalities should through the risk management process achieve, among other things, the following outcomes needed to underpin and enhance performance:

  • More sustainable and reliable delivery of services;
  • Informed decisions underpinned by appropriate rigour and analysis;
  • Innovation;
  • Reduction of waste (i.e. wasted resources, such as time and money);
  • Prevention of fraud and corruption, unauthorised, fruitless and irregular expenditure;
  • Better value for money through more efficient and effective use of resources; and
  • Better outputs and outcomes through the improved project and program management. (National Treasury 2018:22–23)

Chapter 3 of the LGRMF deals with risk maturity and provides a simplistic model of risk maturity based on a rating scale with three levels, which results in the municipality’s risk maturity being classified as fragmented, compliant or risk intelligent (National Treasury 2018:47). The categories for risk maturity assessment identified in the LGRMF are risk culture, risk strategy and appetite, risk governance, risk resources and infrastructure, risk monitoring and reporting, risk identification, risk assessment and risk management (National Treasury 2018:49–58). According to National Treasury (2018):

[T]he extent to which risk management will be implemented in a municipality is directly aligned with its culture, capacity and capability to do so, and therefore aligned with its risk management maturity. (p. 44)

The LGRMF identifies the components of risk maturity as set out in Table 2.

TABLE 2: Components of risk maturity.

Assessing the maturity of a municipality’s risk management is of paramount importance as it determines whether the underlying key criteria that could impact the ability to achieve constitutional obligations have been mitigated. The risk maturity assessment, in its current form, is not comprehensive and would require further consideration to provide the level of insight and guidance to local government to improve ERM practices.


No direct reference to ERM is evident in South African municipal legislation; there is only reference to ‘risk’, which is raised in terms of financial management in the MFMA. However, there are several National Treasury requirements and corporate governance prescripts for ERM within local government in South Africa. The National Treasury’s Public Sector Risk Management Framework has been followed up by the LGRMF, which provides significantly improved guidance to local government on the implementation and management of risk. The LGRMF, in conjunction with the King IV requirements for good governance, addresses the requirements for ERM in local government in South Africa. The component of the LGRMF which deals with risk maturity, however, requires substantial further development and refinement to enable municipalities to identify shortcomings in ERM practice and implement improvements.


Competing interests

The authors declare that they have no financial or personal relationships that may have inappropriately influenced them in writing this article.

Authors’ contributions

The work is based on doctoral research by C.E.W., under the supervision of D.N.-S.

Ethical considerations

Ethical clearance to conduct the study was obtained from the University of Johannesburg School of Public Management, Governance and Public Policy Research Ethics Committee (reference number: 2019SPMG09).

Funding information

This research was funded by the supervisory linked bursary of the National Research Foundation.

Data availability

Data sharing is not applicable to this article as no new data were created or analysed in this study.


The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of any affiliated agency of the authors.


Auditor-General South Africa, 2021, Consolidated general report on the local government audit outcomes MFMA 2019-20, Auditor-General South Africa, Pretoria.

Auriacombe, C., 2016, ‘Towards the construction of unobtrusive research techniques: Critical considerations when conducting a literature analysis’, African Journal of Public Affairs 9(4), 1–19.

Borghesi, A. & Gaudenzi, B., 2013, Risk management. How to assess, transfer and communicate critical risks, Springer, Milan.

Committee of Sponsoring Organizations (COSO), 2004, Enterprise risk management – Integrated framework, Committee of Sponsoring Organizations of the Treadway Commission.

De Vries, M. & Nemec, J., 2013, ‘Public sector reform: An overview of recent literature and research on NPM and alternative paths’, International Journal of Public Sector Management 26(1), 4–16.

Dickinson, G., 2001, ‘Enterprise risk management: Its origins and conceptual foundation’, The Geneva Papers on Risk and Insurance 26(3), 360–366.

Economic Intelligence Unit, 2005, The evolving role of the CRO, pp. 1–11, viewed from http://graphics.eiu.com/files/ad_pdfs/EIU_CRO_WP2.pdf.

Haimes, Y.Y., 2009, ‘On the complex definition of risk: A systems-based approach’, Risk Analysis 29(12), 1647–1654.

HM Treasury, 2019, The orange book: Management of risk – Principles and concepts, viewed from https://www.gov.uk/government/publications/orange-book.

International Federation of Accountants (IFAC), 2001, Governance in the public sector: A governing body perspective, International Public Sector Study, Study 13, International Federation of Accountants, New York, NY.

Institute of Directors in South Africa (IODSA), 2016, King IV report on corporate governance for South Africa, IODSA, Johannesburg.

Institute of Internal Auditors (IIA), 2009, IIA Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management, viewed n.d., from https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in%20Enterprise%20Risk%20Management.pdf.

International Organization for Standardization (ISO), 31000, 2018, Risk management – Guidelines, International Organization for Standardization, Geneva.

International Organization for Standardization (ISO), ISO guide 73:2009, viewed n.d., from https://www.iso.org/obp/ui/#iso:std:iso:Guide:73:en.

Kisner, M. & Vigoda-Gadot, E., 2017, ‘The provenance of public management and its future: Is public management here to stay?’, International Journal of Public Sector Management 30(6–7), 532–546.

Larbi, G.A., 1999, The new public management approach and crisis states, United Nations Research Institute For Social Development (UNRISD) Discussion Paper No. 112, Geneva.

Lapsley, I., 2009, ‘New public management: The cruellest invention of the human spirit?’, Abacus 45(1), 1–22.

National Treasury, n.d.a, Public sector risk management framework: Guidelines for an accounting authority/officer.

National Treasury, n.d.b, Public sector risk management framework: Guidelines for the risk management committee.

National Treasury, n.d.c, Public sector risk management framework: Guidelines for the audit committee.

National Treasury, n.d.d, Public sector risk management framework: Guideline for internal audit.

National Treasury, 2009, Internal audit framework, 2nd edn., Republic of South Africa.

National Treasury, 2018, Revised local government risk management framework, viewed 30 December 2019, from https://ag.treasury.gov.za/org/rms/lgrmf/Shared%20Documents/Framework/20180131%20Framework.pdf.

National Treasury, 2020, Guidelines for the chief risk officer, viewed 05 January 2020, from https://oag.treasury.gov.za/RMF/Pages/s303ChiefRiskOfficer.aspx.

Nemec, J. & De Vries, M.S., 2012, Global trends in public sector reform, Bruylant, Brussels.

Ngwenya, M., 2017, ‘Assessment of enterprise risk management maturity levels of the insurance industry in Botswana’, Unpublished doctoral thesis, University of South Africa, Pretoria.

Pretorius, C. & Pretorius, N., 2008, A review of public financial management reform literature, DFID, London.

PWC, n.d., What is combined assurance? viewed 27 April 2021, from https://www.pwc.co.za/en/issues/combined-assurance.html.

Republic of South Africa, 1996, Constitution of the Republic of South Africa, 1996, viewed n.d., from https://www.gov.za/documents/constitution-republic-south-africa-1996.

Republic of South Africa, 1998, Local government: White paper on local government, Government Printers, Pretoria.

Republic of South Africa, 2003, Local government: Municipal finance management act no. 56 of 2003, Government Printers, Pretoria.

Veltsos, C., 2018, 10 takeaways from the ISO 31000:2018 risk management guidelines, viewed 06 January 2020, from https://securityintelligence.com/10-takeaways-from-the-iso-310002018-risk-management-guidelines/.

