The NLC’s Enterprise Risk Management is governed by the Enterprise Risk Management Framework and Policy. The Board reviewed the Enterprise Risk Management Framework and policy and the Board has adopted four lines of defence for managing the risk. This model defines the roles, responsibilities and accountabilities for managing and reporting and escalating the risk. The model incorporates management, oversight and assurance of risk management, essentially providing four independent reviews on risk in the organisation. The implementation of this model ensures that risk management is embedded in the culture of the organisation and provides assurance to the board, by senior management that risk is managed effectively.

The governance structures and processes are aligned with enterprise risk management (ERM) principles. The Board and their Audit and Risk Committee provide oversight of the risk management activities. The Commissioner utilises the executive management committee to manage the components of risk.


First line of defence	Business unit management and process owners	Manage day-to-day risk origination and management in accordance with risk policy and strategy. Understand the environment and identity the risk, Risk profile, response and control per prioritised risk event Analyse and determine improvement focus Improvement of action plans
Second line of defence	Independent risk management and compliance functions	Provide oversight and challenge to the first line of defence Propose risk policy and strategy Champion implementation of risk policy on strategy Provide assurance to the board
Third line of defence	Independent assurance providers – Internal audit	Provide assurance over effective functioning of the first and second lines of defence functions including independent assessment of the adequacy and effectiveness of the ERM framework
Fourth line of defence	Independent assurance providers – external audit: AGSA and other external assurance providers	Additional line of assurance, provide assurance over effective functioning of the first and second lines of defence functions including independent assessment of the adequacy and effectiveness of the ERM framework. Auditor-General of South Africa reports mainly to the Minister of Trade and Industry and Parliament.

In addition, National Lotteries Commission (NLC) and National Lottery Operator (Ithuba) are jointly monitoring implementation of proposed/future controls for cross-cutting risks between the two organisations.

Combined assurance

Regular communication between the internal and external audit as well as the other lines of defence serves to optimise the areas of reliance and enhance value delivery to all parties. Combined assurance will continue to evolve and further enhance alignment between the key role players from an ERM perspective.

Risk tolerance and risk appetite

The organisation understand and proactively manage the risk within set risk and appetite levels, to optimise service delivery and business returns. The Board has defined its risk appetite and tolerance levels as follows:

Risk appetite
Appetite level	Description
UNACCEPTABLE	The organisation is not willing to accept risks in most circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents(s) of regulatory non-compliance, and potential risk of injury to staff.
MODERATELY ACCEPTABLE	The organisation is willing to accept some risks in certain circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents(s) of regulatory non-compliance, and potential risk of injury to staff.
ACCEPTABLE	The organisation accepts opportunities and risks that have an inherent high risk that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents(s) of regulatory non-compliance, and potential risk of injury to staff.
Risk tolerance
#	Risk impact	Risk appetite
1	Impaired organisational performance (inefficiency)
2	Litigation
3	Reputational harm
4	Financial and resource wastage/losses
5	Loss/reduction of funding available to communities
6	Non-compliance with legislation
7	Impaired personal security

Managing top risks

In ERM, cognisant must be taken of the advances in technology that are revolutionising businesses and societies, and transforming products, services and business models, which is the effect of the Fourth Industrial Revolution. During the period under review, the Board reviewed the NLC’s strategic risk profile. The following were assessed during the review:

Impact of strategy changes, business environment and emerging issues on risk profile.
Input from executives on significant changes to risks of the organisation.
Inputs from Distributing Agency members and Stakeholders (including suppliers and staff).
Inputs from members of the Board as well as the Audit and Risk Committee through survey and questionnaire.

Residual Risk Acceptability

In order to assist in determining risk acceptability, the following thresholds will be used as guidelines:

Threshold interpretation	Suggested action	Escalation requirements (if any)	Suggested timing
RED – Unacceptable High risk	Management should take immediate action to reduce risk exposure to unacceptable level.	BOARD AUDIT AND RISK COMMITTEE	Immediate action required
YELLOW – Cautionary Medium Risk	Management should constantly monitor the risk exposure and related control adequacy.	BOARD AUDIT AND RISK COMMITTEE	Medium term action – within three months
GREEN – Acceptable Low risk	Management should monitor risks and may consider reducing the cost of control.	AUDIT AND RISK COMMITTEE	Monitor 1 – no immediate action required

The table below depicts the strategic risk profile of the NLC following the review. No emerging risks were identified and one risk relating to Misalignment of Grant processes was retired to operational risk register.

Risk No	Strategic risks	Key responses/mitigation	Risk rating inherent	Risk rating residual	Opportunities	Capitals (icons)
1	Conflict of interest	Declaration of interest process and declaration narratives Annual disclosures by board members, employees, DAs, beneficiaries (grant recipients), suppliers and other stakeholders Independent whistleblowing hot-line Adherence to Code of ethics, Corporate values, Human resource ethics and disciplinary processes Proactive communication of organisational impact to stakeholders (spreading good news) Reputation management (perception survey)	Critical (15)	Low (6)	Publishing of relevant polices in line with King IV disclosure requirements Intensify training and awareness of all stakeholders
2	Fraud risk	Fraud prevention plan Segregation of duties Pre- and post-adjudication grand funding site visits Verification grand funding application process Rigorous Supervision and supervisory reviews	Critical (20)	High (10)	Ongoing assessment of effectiveness of hotline Ongoing screening of employees prior to employment Periodic screening of employees Ongoing fraud risk assessment Ongoing investigation of all reported cases of alleged fraud and corruption Analysis of Delinquent Beneficiaries Register and risk profiling of beneficiaries Strengthening of verification process Integrated communications strategy to include fraud issues
3	Illegal lotteries	Civil litigation and recovery from illegal lotteries Ongoing benchmarking with similar jurisdictions to proactively regulate illegal lotteries Criminal prosecution of illegal lottery operators Joint-enforcement with other law enforcement agencies Research to identify different forms of illegal lotteries conducted to ascertain possibility of regulating these illegal lotteries Media monitoring to identify illegal Collaboration with other regulators such as gambling boards.	Critical (25)	High (13)	Policy review to enhance Enforcement Analyse the findings of the research and implement appropriate recommendations Policy review to enhance enforcement Analyse the findings of the research and implement appropriate recommendations
4	Inadequate stakeholder relationships	Identified stakeholder matrix in annual performance plan Communication strategy in place Stakeholder programmes Stakeholder relations and engagement strategy Stakeholders Indaba Stakeholder survey Signed MoU with strategic partners Provincial offices established and fully operational Implementation of marketing and communications strategy Implementation of approved marketing and communications policies and procedures Customer relationship management	High (12)	Low (5)	Ongoing stakeholder engagement Implementation of Public Affairs policies, strategy programmes and procedures Customer focused strategy (to respond to public perception) Communications strategy focused on closing the gap between public expectations and actual available funding Optimise the powers granted to the Board in terms of the Lotteries Act (To manage and communicate with beneficiaries on available benefits/products and limits thereof)
5	Continuity and sustainability	Grant application procedure Protection afforded by the Act (sustainability) Performance management of the license operator Financial sustainability strategy Disaster recovery policy Off-site backup system Business continuity plan	Critical (20)	Low (8)	Full implementation of the financial sustainability strategy Full implementation of the business continuity plan
6	Non-compliance with prescribed timeframes	Open call system approved by the Board Strategy and plan for open call system implementation Board resolution on how to deal with applications without mandatory documents War-room established to deal with the back-log	Critical (16)	High (8)	Implementation of the strategy and plan for the implementation of open call system Continuous follow-ups with the dti on the appointment of full-time DA’s Implement Board resolution on how to deal with non-compliant applications
7	Information management and security management of next generation cyber threats	Minimum information security standards Information classification policy PAIA ‘Disciplinary process for known breaches of information confidentiality Information security planning and monitoring of critical Information security controls information security awareness campaigns and training staying abreast of security technology requirement	Critical (16)	High (11)	Communicate information classification policy to all staff Enforce information classification policy Employees and key stakeholders to formally acknowledge organisational information security standards Use of technology systems to prevent and detect breach of security
8	ICT infrastructure and systems	Approved ICT strategy Daily backups of the server IT governance oversight Disaster recovery plan	Critical (16)	Low (8)	Upgraded Enterprise Architecture System (Integrated platform – align ICT strategy with new legislation and business process review) Business to identify required services for activation in the case of a disaster Identification of a disaster recovery site
9	Non-compliance with regulatory requirements by National Lottery Operator	License monitoring matrix developed and monitored Independent systems audit (Independent Verification System). Weekly, monthly and quarterly reviews conducted	Critical (16)	Low (8)	Continuous engagement and guidance with the new operator Management review on IVS, security and information reliability and report back to BoD

Opportunities

Opportunities emanating from risks are considered and incorporated during the strategic planning process. These include any favourable current or prospective situation within the organisation’s environment, such as trends, change or factors overlooked which could be facilitated to allow the organisation to enhance its competitive edge.

Increased social impact
Enhanced operational efficiency
Technology advancement
Increased monitoring of project efficiency
Technological infrastructure localisation
Repositioning of the organisation
Regulatory improvement
Partnerships with other stakeholders
Fourth Lottery Licence
“Africanisation” of the lottery