Enterprise Risk Management

Overview of Enterprise Risk Management at CPUT

The University defines Enterprise Risk Management (ERM) as both a discipline and a process effected by Council, Management and other personnel, applied in strategy setting and across the institution, designed to identify actual and potential events (negative, downside, pure risks and upside risks or opportunities) that may affect the institution, and to manage risks to be within its risk appetite and tolerance, to provide reasonable assurance that institutional objectives will be achieved economically, efficiently and effectively.


The CPUT ERM Vision is to establish a world-class enterprise risk function that integrates risk management across the university to support the CPUT Vision, Mission and Values and increase the likelihood of achieving strategic, tactical, and operational goals. CPUT will accomplish this vision by:

  • Embedding enterprise risk management within the culture;
  • Proactively identifying future uncertainties and planning for them; and
  • Training (capacitating) employees to think about risks as part of their decision-making process.


The Mission of CPUT ERM Services is to foster a globally renowned, continuously improving, risk-aware culture and process across the University and to integrate risk management into strategic and financial planning processes and decision making within the confines of Management and Council-approved risk appetite and tolerance limits.

ERM Reporting lines

The Enterprise Risk Manager reports administratively (operationally) to the Executive Director in the Office of the Vice Chancellor, and functionally to the Audit and Risk Oversight Committee (AROC) of Council, in terms of the University’s AROC Charter’s terms of reference. This reporting approach aligns with the King IV Report and Code for Good Governance, South Africa (2016).

Value of ERM

The ERM Function exists to facilitate and recommend the implementation of assessment methodologies designed to determine actual and potential risks that may affect the achievement of objectives relating to the University as a total, integrated institution. The fundamental intention of ERM is to integrate risk into strategic, tactical, and operational decision-making processes, including financial and project management initiatives. Every employee is therefore a risk manager, responsible for identifying, measuring, monitoring, responding to, and reporting on key, critical risks, including opportunities to augment institutional risk intelligence capabilities. ERM is a “second line of defence” function and collaborates with Management, Internal and External Audit, Compliance, Quality Management, Institutional Planning, Safety, Health and Environment, and other assurance providers to transversally implement the University’s Council-approved Combined Assurance Framework.

ERM Governance Structures

  1. Council.
  2. Audit and Risk Oversight Committee (AROC).
  3. Information Technology Governance Committee (ITGC).
  4. Finance Committee.
  5. Investments SubCommittee of the Finance Committee.
  6. Quality and Risk Management Committee (QARM).
  7. The Risk Champions Forum (RCF).

ERM Documentation and related Resources

  1. Risk Management Policy.
  2. ERM Framework and Methodology.
  3. ERM Strategy and Implementation Plans.

Leading ERM Practices

The University follows and supports leading risk practices and maintains memberships with the following Professional Institutes and Associations:

  1. The Global Association of Risk Professionals (GARP).
  2. The Institute of Internal Auditors (The IIA Global) and its affiliate, the Institute of Internal Auditors South Africa (IIASA).
  3. Institute of Risk Management South Africa (IRMSA).

Contact details

Mr Rueben Chibvongodze, CIA, CRMA
Enterprise Risk Manager
Primary email: Chibvongodzer@cput.ac.za | Alternative email: enterpriserisk@cput.ac.za