CPUT’s Virtual Open Day is now open! Click here to visit >>>


Enterprise Risk Management

Enterprise Risk Management (ERM) Services   

Enterprise Risk Management (ERM) Services is an independent combined assurance, second-line of defence function within the portfolio Office of the Vice Chancellor and Principal. CPUT defines enterprise risk management (ERM) as a process, effected by Council, management and other personnel, applied in strategy setting and across the university, designed to identify potential and actual events that may affect the university, and manage risks to be within its risk appetite and tolerance limits, to provide reasonable assurance regarding the achievement of CPUT’s strategic, tactical, and operational goals (COSO, ERM, 2004; 2017).

Council has delegated its responsibility for the design and implementation of an integrated system of risk management and internal control to executive management but retains ultimate accountability to university stakeholders on the same, per King IV Report and Code for Good Governance for South Africa (King IV, 2016). The ERM Services function follows and supports good governance guidance and practices from the Committee on Sponsoring Organisations of the Treadway Commission (COSO)’s ERM Integrated Framework (2004, 2017), the International Organisation for Standardisation (ISO 31 000: 2018) Risk Management Standards, the Institute of Risk Management South Africa (IRMSA)’s Integrated Risk Management Guideline, the International Professional Practices Framework (IPPF) for audit practice, the Association of Certified Fraud Examiners (ACFE)’s Fraud Risk Governance and Management Standards and Professional Practices, the Ethics Institute of South Africa (EISA)’s Ethics Risk Governance and Management Guidance, the Compliance Institute of Southern Africa (CISA)’s Compliance Framework and Compliance Risk Management Standards and Practices, and the Information Systems Audit and Control Association (ISACA)’s IT risk management and assurance standards and practices.

ERM Contact Details

Enterprise Risk Manager: Rueben Chibvongodze

Email: chibvongodzer@cput.ac.za  and enterpriserisk@cput.ac.za

The Enterprise Risk Manager reports administratively (operationally) to the Executive Director in the Office of the Vice Chancellor and Principal, and functionally to the Audit and Risk Oversight Committee (AROC) of Council, in alignment with leading risk governance and risk management practices.

CPUT Risk Governance and Risk Management Reporting Structures

The ERM function, in addition to AROC, also reports to, and / or presents reports as appropriate, to the following risk governance structures and / or Council Committees:


  1. The Institutional Combined Assurance Forum (ICAF)which is an institutional risk management structure, with executive sponsorship and oversight from the Executive Director: Office of the Vice Chancellor, has a specific mandate to facilitate and collaborate on the effective and efficient implementation of the Council approved Combined Assurance Framework.
  2. The committees listed above have specific risk-related mandates per their terms of reference, although all management and Council structures, including Senate, collectively and respectively manage and govern risk.

Purpose of ERM at CPUT

The purpose of ERM at CPUT is to facilitate the embedment of an integrated risk management process as directed by Council, senior management, and other personnel, as initiated in objective and strategy setting and across the university, designed to identify and respond to potential and actual positive (upside / opportunities) and negative (downside / pure risks) to provide reasonable assurance that university strategic, tactical, and operational objectives will be achieved on time, economically, effectively, and efficiently within Council approved risk appetite and tolerance limits.

The university aims to continuously align itself with the highest corporate (institutional) governance standards. The investment in ERM thus enables the university to safeguard its assets, ensure effective and efficient operations, enhance the integrity of data, improving internal financial controls, and enhance the quality of financial reporting, effectively manage pure risks and opportunities, ensure effective fraud risk governance and management, and enable compliance with laws and regulations.

Vision of ERM Services

The CPUT ERM Vision is to be a leading ERM function in Africa with world class capabilities, to integrate risk management across the University to support the CPUT Vision, Mission and Values and increase the likelihood of achieving strategic, tactical and operational goals.  CPUT will accomplish this vision by:

  • Embedding risk management, integrity and ethics within the culture;
  • Proactively identifying future uncertainties and planning for them;
  • Training of employees to think about risks as part of their decision-making process.

Mission of ERM Services

The Mission of CPUT ERM services is to foster a continuous improvement risk aware culture across the University and to integrate risk management into strategic and financial planning processes and decision making within the confines of senior management and Council approved risk appetite and tolerance limits.

Risk Governance and Risk Management Documents



Institutional Risk Management Policy

To specify Council’s strategic direction on the university’s risk governance and management approach.

ERM Framework and Methodology

Provides a point-by-point procedural, strategic, tactical, and operational steps and mechanisms pertaining to the implementation approach of ERM as approved by executive management and Council.

Combined Assurance Framework

Specifies assurance roles for first, second, third, and fourth lines of defence to direct a collaborative integrated risk management approach, as approved and directed by executive management and Council.

ERM Strategy

Provides all strategic ERM initiatives and long-term intentions that executive management and Council have ratified for implementation on a phased year by year basis.

ERM Implementation(s) Plan

A 12 monthly ERM project plan that is replicated across the university and collaboratively implemented by senior, middle, and operational management on behalf of executive management and Council, from an integrated combined assurance perspective.

The CPUT ERM Process and Communication Protocol [A Schematic View]


The ERM function also reports on a quarterly basis to the Governance and Ethics Committee (GEC), through the Ethics Risk Management report, and the Information Technology Governance Committee (ITGC) through the ITGC ERM report, with attendance also at the quarterly Finance Committee (FinCom), and the Investments subcommittee of FinCom (Adapted from COSO ERM, 2017; ISO 31000: 2018; CPUT ERM Framework and Methodology, 2024).

A schematic view of the CPUT ERM reporting and communication structure:

The management of risk at the university is everyone’s responsibility. The development of formal risk management structures help ensure that employees across CPUT understand their responsibilities and are accountable with regard to risk management at every level.

CPUT Combined Assurance Framework: A Schematic View of the Lines of Defence Mechanism

Source: Adapted from the IIA Inc, 2020; CPUT Combined Assurance Framework (2021); CPUT ERM Framework and Methodology (2021, 2024);