Senior Manager: Enterprise Risk Management


POSITION OVERVIEW:
The role will be responsible for the risk management operations of the entire organisation, covering the
identification, assessment, and control of risk activities, and managing potential risks that could impact NSFAS's
operations, financial stability, and reputation on a sustainable basis. This includes analysing the various
types of risks, such as financial, operational, strategic, and compliance risks, and developing strategies
to mitigate or transfer these risks. The role will also be required to develop and implement an Enterprise
Risk Management framework, tools, practices, and policies to assess, analyse, manage, and report
NSFAS's enterprise risks according to an enterprise risk management framework. The Senior Manager
will lead or provide key inputs into the enterprise risk or other committees that oversee the risk
management process and ensure alignment with NSFAS strategies and objectives, applicable laws (e.g.,
PFMA) and good governance principles.

RESPONSIBILITIES:

Enterprise Risk Strategy and Framework Development and Deployment

  • Drive the development and management of the Enterprise Risk Management framework that
    integrates risk management with the strategic objectives of the organisation, including the
    frameworks for, and the conduct of, periodic assessments for specific risk categories such as Fraud
    and Information Technology Security.
  • Design and maintain the Risk Management Policy and Risk Appetite Statement in line with ISO
    31000, King IV, and the Public Sector Risk Management Framework, and ensure that
    appropriate risk management policies and procedures are in place and updated as required to
    identify, assess, prioritize, mitigate, monitor, and report on organisational strategic and business
    unit operational risks.
  • Participate in the annual improvement of the organization's enterprise risk management strategy,
    framework, policies, and standards.
  • Maintain, enhance, and effectively communicate the Enterprise Risk Management framework.
  • Drive the development and execution of the organisation’s ERM strategy and embed risk
    management into all business units and processes of the organisation, in line with the risk
    appetite statements and company policy.
  • Continuously improve the existing framework to ensure consideration of emerging risks and
    threats.
  • Ensure that appropriate governance forums and structures exist to provide operational risk
    oversight and that these structures are documented.
  • Provide expert input into committees on operational risk-related matters to ensure informed
    decision-making.
  • Manage the development and execution of the risk assessment standard across the
    organisation.
  • Undertake research on best practices on enterprise risk implementation through interaction with various risk management committees / bodies / structures and other stakeholders.
  • Support the enterprise risk unit management to identify and recommend the drafting of relevant
    policies applicable to the NSFAS environment
  • Support the development of business processes and systems that are aligned with the NSFAS
    environment policies

Embed Enterprise Risk Management Framework Within the Organisation

  • Drive a risk culture in the business through challenging discussions and communication.
  • Assist in the design, implementation, and management of organisation-wide risk management
    processes, including an analysis of the financial, legal, reputational, and regulatory risks that
    impact the organisation and respective business units.
  • Develop and implement strategic and operational risk registers. Create and deploy guidelines,
    procedures, and training to management and employees relating to the creation, use, and
    maintenance of Risk Registers to assess, identify, prioritize, and manage risks in their respective
    business units.
  • Conduct organization-wide risk assessments to identify current and emerging risks by collecting
    and analyzing Risk Registers, creating risk management, monitoring, and reporting systems, and
    identifying potential areas of operational risk within the organization’s processes and systems,
    and implementing the frequency and monitoring mechanism.
  • Facilitate strategic and operational risk assessment across departments and projects and
    identify potential areas of operational risk within the organisation’s processes and systems.
    Including the estimation and prioritization of risks so that it is clear which risks are most
    important and most urgent.
  • Ensure emerging risk, risk events, and risk incidents are continuously monitored and addressed.
  • Ensure that risk issues identified are monitored, reported, and escalated to the relevant person.
  • Review the risk appetite statement and ensure that there is alignment with all the risk
    management functions.
  • Assist risk owners with the determination of appropriate measures and mitigation plans for their risks.
  • Drive the implementation of risk mitigation strategies and control processes in all business units
    to minimize the impact of operational risks on the organisation’s operations
  • Build risk models based on a well-reasoned assessment.
  • Ensure that the risk management actions planned by management are implemented and
    monitored as to their effectiveness, and that corrective action is taken where responses do not match
    expectations.
  • Monitor and track findings associated with the risk and self-control assessment process.
  • Oversee the process of maintaining and updating the risk and control matrix in connection with
    the risk and control self-assessment process.
  • Constantly monitor and update the enterprise-wide risk registers and applicable risk tools.
  • Use external data to benchmark against trends or actual control environments.
  • Oversee and drive the project management and documentation requirements for all key risk
    projects.
  • Oversee and drive the third-party risk management strategy across the organisation.
  • Contribute to the development of a GRC tool for the organisation.
  • Work closely and collaborate with the Combined Assurance team, as well as providing regular
    updates and feedback on the combined assurance activities with applicable and accurate risk
    data to ensure the Combined Assurance Team can fulfill their duties on Combined Assurance.
    Including the facilitation of the flow of risk information from the business into various governance
    bodies, including Internal Audit.
  • Advise executive and senior management on pending regulatory changes, trends, and best
    practices, and review the potential impact of these changes on the achievement of strategic and
    operational objectives as well as processes and strategies with regard to risk.
  • Develop and track risk-based internal systems audit schedule, such as open issues and action
    plans
  • Lead the identification, communication, monitoring, measurement, and management of company-wide risks. Examples include Business risk, Fraud risk, and Security risks, all managed and
    maintained in the Business Continuity Plan.
  • Develop and implement strategies to identify, assess, and manage digital and cybersecurity risks
    across the organisation.
  • Collaborate with IT and cybersecurity teams to ensure alignment of digital risk mitigation
    measures with enterprise-wide risk strategies.
  • Monitor evolving technological risks, including those relating to data privacy, cyber threats, cloud
    services, and third-party IT vendors.
  • Ensure integration of digital risk into the broader Enterprise Risk Management Framework.
  • Report digital risk trends and exposures to executive leadership and relevant governance
    committees.

Risk awareness training

  • Develop risk awareness guidelines and training materials and deliver periodic training to
    employees, including the building and maintenance of tools and techniques in enterprise risk
    management for use and reference by business unit management and staff.
  • Facilitate training and coach employees on Risk Management topics and initiatives.
  • Establish and maintain a risk management philosophy and culture through Enterprise Risk
    Management awareness activities, understanding the risk maturity model, establishing risk
    appetite and tolerance levels, and participation in ERM activities.

Business Continuity

  • Oversee the development and testing of the Business Continuity Plans and ensure alignment
    with the organisation’s risk profile
  • Integrate disaster recovery and crisis response into the RM strategy

Annual Risk Assessment & Reporting

  • Manage the annual risk assessment process for the organisation as a whole as well as for all
    Business Units and disseminate results organization-wide.
  • Prepare, submit, and present an organisation-wide risk management report to senior
    management and prepare the same for submission to the audit & risk committee and board.

Enterprise Risk Management Maturity Assessment & Evaluation

  • Identify and deploy resources to conduct an organisation-wide enterprise risk management
    maturity assessment, and report the maturity status to the Board, Senior Management, and Business Units.
  • Monitor industry trends and regulatory developments to ensure the organization’s operational
    risk management practices are in line with industry best practices and regulatory requirements.

Reporting

  • Compile monthly assurance risk reports, and reports for the various meetings ERM runs and
    chairs.
  • Support enterprise risk reporting requirements for Executive Management and the Audit and
    Risk Committee of the Board
  • Manage Risk Management Committee meetings (logistics, agenda, packs, minutes).
  • Assist business leaders with risk-driven communications (i.e., strategy slides).
  • Provide input into the Annual Integrated Report
  • Report on unit strategic and operational gaps, interventions, and status of ERM
  • Report on the operational plan implementation progress
  • Report on risk matters, considering the outcome of internal & external audit, & risk
    assessments.

Performance Management & Ethics

  • Ensure that your performance contracting and review process complies with policy and timeframes.

Stakeholder Engagement & Relationships

  • Participate in the liaison with all stakeholders on risk matters
  • Participate in the resolution of stakeholder queries and complaints in line with policies and
    procedures
  • Serve as a key liaison between the organisation and oversight bodies (e.g., AGSA, National
    Treasury) on risk matters

Project Facilitation & Management

  • Support the compilation of risk strategy documents on key and high-risk projects in the
    organisation managed by the Project Unit.

Risk, Compliance Monitoring & Evaluation

  • Participate in ensuring that internal and external audits of ERM are carried out and that audit
    findings/recommendations are implemented.
  • Drive and provide guidance and input to management to ensure identified key controls have
    established risk mitigation procedures designed by management;
  • Support the compilation, evaluation, and analysis of organisational reports in line with the ERM
    framework

Information & Knowledge Management

  • Collaborate with stakeholders to build systems that enable the management of data obtained
    from different sources
  • Collaborate with stakeholders to use their experience, education and understanding to obtain
    knowledge from this information

DESIRED SKILLS AND EXPERIENCE

Minimum requirements:

  • NQF Level 7 in Enterprise Risk Management, or related fields in Enterprise Risk Management
  • Enterprise Risk Management Certified Professional (ERMCP) or equivalent
  • Member of IRMSA (Institute of Risk Management South Africa)
  • Computer literacy – Intermediate MS Package Suite
  • Driver’s License
  • 10 years’ experience, of which 5 should be at a supervisory / managerial position in the public
    service or private sector.
  • Thorough understanding of compliance with ISO 31000, COSO, and the National Treasury
    Framework
  • In-depth knowledge of Risk Management process design, development, implementation, and
    maintenance
  • In-depth knowledge of Business Continuity Management
  • Knowledge of business operational processes and risk management, incl.:
    o Cybersecurity governance and compliance
    o Digital transformation risk assessment
    o Data privacy and protection (POPIA)
    o IT general controls and system integrity risk
    o Knowledge of cybersecurity frameworks (e.g. NIST)
    o Knowledge of Risk-Based auditing
    o Knowledge of PFMA

Preferred

  • Post Graduate NQF Level 8 in Risk Management or related fields
  • Computer literacy – Advanced MS Package Suite
  • 10 Years’ experience in a similar role in the public or private sector
  • Advanced project and policy management
  • Risk and compliance knowledge and experience
  • Digital risk management knowledge and experience

Skills & Competencies

  • Planning and organizing
  • Strategic thinking and Problem-solving
  • Analytical thinking
  • Exceptional written, verbal, and presentation communication
  • Financial acumen
  • Business process
  • Research
  • Detail-oriented
  • Innovative
  • Critical thinking
  • Attention to detail
  • People management, coaching, and stakeholder engagement.
  • Ethical conduct, resilience, and adaptability
  • Ability to influence and drive change

PLEASE NOTE
Closing date: 04 August 2025

Interested applicants must complete and submit an Employment Application Form available on the
NSFAS website. The form must be supported by a detailed Curriculum Vitae which includes amongst
other things the vacancy name/position title you are responding to, copies of academic qualifications,
Identity Document, and names of three contactable referees. The response must be addressed to
the following email address: jobs@nsfas.org.za
The NSFAS does not consider late applications. The NSFAS talent acquisition team only corresponds
with Shortlisted Candidates. Should you not hear from the NSFAS talent acquisition team within 2
months from the closing date, please consider your application unsuccessful. Appointments will be
made in line with the NSFAS Employment Equity goals and targets.

We wish you all the best with your applications
