Sheet 1: Universe Regulatory

	
	
	
	
	

		

 
		
		


		


	
	

		


		


	
	

		


		


	
	

		


		


	
	

		


		


	
	

		


		


	
	

		


		


		


		


	
	

		


		


		


		


	
	

		


		


		


		


	
	

		
 - The acts listed below are those acts identified in the South African legislative universe that can be administered in the Council. 
		


		


		


	
	

		
 - The list is by no means in order of importance but is rather in alphabetical order.
		


		


		


	
	

		


		


		


		


	
	

		
#.
		
ELRC Regulatory Universe                                                                               
		
	

		


		
Act Name
		
Category
		
Affected Programme / Business Unit/ Structures
	
	

		
1
		
Administrative Adjudication of Road Traffic Offences Act (AARTO)
		
Secondary
		
SCM
	
	

		
2
		
Basic Conditions of Employment Act (BCEA)
		
Secondary
		
HR
	
	

		
3
		
Compensation for Occupational Injuries and Diseases Act (COIDA)
		
Secondary
		
HR, Finance
	
	

		
4
		
Constitution of Republic of South Africa
		
Secondary
		
All Programmes / Structures
	
	

		
5
		
Employment Equity Act (EEA)
		
Secondary
		
HR
	
	

		
6
		
Employment of Educators Act
		
Core
		
DMS, CBS
	
	

		
7
		
Further Education and Training Colleges Act
		
Core
		
CBS
	
	

		
8
		
Income Tax Act
		
Secondary
		
Finance
	
	

		
9
		
Labour Relations Act (LRA)
		
Core
		
All Programmes / Structures
	
	

		
10
		
National Education Policy Act
		
Secondary
		
CBS
	
	

		
11
		
Occupational, Health and Safety Act (OHSA)
		
Secondary
		
SHE Committee
	
	

		
12
		
Pension Funds Act
		
Secondary
		
HR
	
	

		
13
		
Prevention and Combating of Corrupt Activities Act (PRECCA)
		
Topical
		
All Programmes / Structures
	
	

		
14
		
Prevention of Organised Crime Act (POCA)
		
Topical
		
All Programmes / Structures
	
	

		
15
		
Promotion of Access to Information Act (PAIA)
		
Topical
		
All Programmes / Structures
	
	

		
16
		
Protection of Personal Information Act (PPIA)
		
Secondary
		
All Programmes / Structures
	
	

		
17
		
Public Holidays Act
		
Topical
		
HR
	
	

		
18
		
Skills Development Levies Act
		
Secondary
		
HR
	
	

		
19
		
South African Council of Educators Act
		
Secondary
		
CBS
	
	

		
20
		
South African Qualifications Authority Act
		
Secondary
		
HR
	
	

		
21
		
South African Schools Act
		
Secondary
		
CBS
	
	

		
22
		
Unemployment Insurance Fund
		
Secondary
		
HR
	
	

		
23
		
Children's Bill of Rights of 2007
		
Core
		
DMS, CBS
	
	

		
24
		
Sexual Offences Act 32 of 2007
		
Core
		
DMS, CBS
	
	

		
25
		
Child Care Act 74 of 1983 amended 01 April 2010
		
Core
		
DMS, CBS
	
	

		
26
		
Criminal Procedures Act of 2008
		
Topical
		
DMS, CBS
	
	

		
27
		
Children's Act 38 of 2005
		
Core
		
DMS
	
	

		
28
		


		


		


	



Sheet 2: Universe Policies

	
	
	
	
	
	
	
	

		
ELRC Business Compliance Universe
		
Inherent Risk Level
		
	

		
#
		
Business Unit
		
 #
		
Business Policies and SOPs
		
Compliance Related Risks
		
Likelihood
		
Impact
		
Indicator
	
	

		
1. 
		
Executive Services
		
1
		
Fraud Prevention Plan
		
Financial 
		
Low 
		
Critical
		
Medium (8)
	
	

		
2
		
Performance Information policy
		
Business
		
Medium
		
Critical
		
Medium (12)
	
	

		
3
		
ELRC Constitution
		
Legal; financial; reputational; business 
		
Low
		
Catastrophic
		
Medium (10)
	
	

		
4
		
Policy on Delegations and Scheduling of Authorisation Levels
		
Financial and business
		
Minimum
		
Critical
		
Low (4)
	
	

		
5
		
Risk Management Framework
		
Legal; financial; reputational; business 
		
Medium
		
Major
		
Medium (9)
	
	

		
6
		
Risk Management policy
		
Legal; financial; reputational; business 
		
Medium
		
Major
		
Medium (9)
	
	

		
7
		
Telephone policy
		
Financial
		
Minimum
		
Significant
		
Low (2)
	
	

		
8
		
Consequence Management policy
		


		


		


		


	
	

		
9
		
Corporate Business Continuity Plan
		


		


		


		


	
	

		
10
		
King IV
		
Business
		
Low
		
Critical
		
Medium (8)
	
	

		
2
		
Dispute Management Services
		
11
		
DRS Practice Manual
		
Legal; financial; reputational; business 
		
Medium
		
Critical
		
Medium (12)
	
	

		
12
		
Fee Policy for Panellists
		
Financial; reputational; business 
		
Low
		
Major
		
Low (6)
	
	

		
3.
		
Collective Bargaining Services
		
13
		
Committee Work Procedures
		
Legal; financial; reputational; business 
		
Medium
		
Critical
		
Medium (12)
	
	

		
4.
		
Human Resource
		
14
		
Human Resource policy
		
Legal; financial; reputational; business 
		
Low
		
Major
		
Low (6)
	
	

		
15
		
Occupational Health and Safety Policy
		
Legal; financial; reputational; business 
		
Medium
		
Critical
		
Medium (12)
	
	

		
16
		
Disciplinary policy and procedures
		
Legal; financial; reputational; business 
		
Low
		
Critical
		
Medium (8)
	
	

		
17
		
Recruitment and Selection policy
		
Legal; financial; reputational; business 
		
Low
		
Critical
		
Medium (8)
	
	

		
18
		
Performance Management System policy
		
Legal; financial; reputational; business 
		
Medium
		
Critical
		
Medium (12)
	
	

		
19
		
Leave Management policy
		
Financial; business 
		
Medium
		
Significant
		
Low (6)
	
	

		
20
		
Training and Development policy
		
Financial; business 
		
Medium
		
Critical
		
Medium (12)
	
	

		
21
		
Conditions of Services
		
Legal; financial; reputational; business 
		
Medium
		
Critical
		
Medium (12)
	
	

		
22
		
Payroll SOP
		
Financial, business
		
Low
		
Critical
		
Medium (8)
	
	

		
23
		
ELRC Code of Conduct and Ethics
		
Legal; financial; reputational; business 
		
Medium
		
Critical
		
Medium (12)
	
	

		
5.
		
Information Communication Technology
		
24
		
Information Technology Hardware and Software Policy
		
Financial; business 
		
Medium
		
Major
		
Medium (9)
	
	

		
25
		
Disaster Recover Plan policy
		
Financial; business 
		
High
		
Critical
		
High (16)
	
	

		
26
		
Business Continuity Plan policy
		
Financial; business 
		
High
		
Critical
		
High (16)
	
	

		
27
		
Incident Management and Procedure Manual
		
Financial; business 
		
Medium
		
Critical
		
Medium (12)
	
	

		
28
		
Patch Management policy
		
Financial; business 
		
Minimum
		
Major
		
Low (3)
	
	

		
29
		
IT Change Management policy
		
Financial; business 
		
Minimum
		
Major
		
Low (3)
	
	

		
30
		
User Access System policy
		
Financial; business 
		
Minimum
		
Major
		
Low (3)
	
	

		
31
		
ICT Systems Security
		
Financial; business 
		
Minimum
		
Major
		
Low (3)
	
	

		
32
		
IT Internet and Email policy and SOP
		
Financial; business 
		
Minimum
		
Major
		
Low (3)
	
	

		
33
		
IT Equipment Usage policy
		
Financial; business 
		
Low
		
Major
		
Low (6)
	
	

		
34
		
IT Governance Framework
		
Financial; business 
		
Medium
		
Critical
		
Medium (12)
	
	

		
35
		
ITIL
		
Financial; business
		
Medium
		
Critical
		
Medium (12)
	
	

		
36
		
COBIT
		
Financial; business, reputational
		
Medium
		
Critical
		
Medium (12)
	
	

		
6.
		
Media and Research
		
37
		
Communications policy
		
Business
		
Low
		
Major
		
Low (6)
	
	

		
38
		
PAIA manual
		
Legal; financial; reputational; business 
		
Minimum
		
Major
		
Low (3)
	
	

		
39
		
Records Management policy
		
Legal; financial; reputational; business 
		
Medium
		
Critical
		
Medium (12)
	
	

		
7.
		
Supply Chain Management
		
40
		
SCM policy
		
Legal; financial; reputational; business 
		
High
		
Critical
		
High (16)
	
	

		
41
		
Inventory Management SOP
		
Financial; business 
		
Low
		
Significant
		
Low (4)
	
	

		
42
		
Contract Management SOP
		
Legal; financial; reputational; business 
		
High
		
Critical
		
High (16)
	
	

		
43
		
SCM SOP
		
Legal; financial; reputational; business 
		
High
		
Critical
		
High (16)
	
	

		
44
		
Asset Management policy
		
Financial; business 
		
Low
		
Critical
		
Medium (8)
	
	

		
45
		
Asset Disposal SOP
		
Financial; business 
		
Low
		
Critical
		
Medium (8)
	
	

		
46
		
Policy on Unauthorised, Irregular, Fruitless and Wasteful Expenditure
		
Legal; financial; reputational; business 
		
Medium
		
Critical
		
Medium (12)
	
	

		
8.
		
Finance 
		
47
		
Finance Administration policy
		
Financial, business, reputational
		
High
		
Critical
		
High (16)
	
	

		
48
		
Petty Cash policy
		
Financial, business
		
Low
		
Significant
		
Low (4)
	
	

		
49
		
Materiality Framework
		
Financial
		
Low
		
Major
		
Low (6)
	
	

		
50
		
Travel and Subsistence Allowance Policy
		
Financial, business
		
Low
		
Critical
		
Medium (8)
	
	

		
51
		
Panellist Claims SOP
		
Financial, business
		
Low
		
Critical
		
Medium (8)
	
	

		
52
		
Revenue and Receivables SOP
		
Financial, business
		
Low
		
Critical
		
Medium (8)
	
	

		
53
		
Trade and Payables, and Expenses SOP
		
Financial, business
		
Low
		
Critical
		
Medium (8)
	
	

		
54
		
International Financial Reporting Standards (IFRS)
		
Business
		
Minimum
		
Critical
		
Low (4)
	
	

		
9.
		
Internal Audit
		
55
		
Internal Audit Charter
		
Business
		
Low
		
Critical
		
Medium (8)
	
	

		
56
		
Action Plan Management Policy
		
Business
		
Low
		
Critical
		
Medium (8)
	
	

		
57
		
Institute of Internal Auditors (IIA), International Profesional Practices Framework (Code of Ethics, Standards and the Defination of Internal Auditing).
		
Business
		
Low
		
Critical
		
Medium (8)
	
	

		
58
		
Combined Assurance Policy Framework
		
Business
		
Low
		
Critical
		
Medium (8)
	
	

		
59
		
Compliance Management policy
		
Legal; financial; reputational; business 
		
Medium
		
Critical
		
Medium (12)
	
	

		


		


		


		


		


		


		


		


	
	

		
Compliance Related Risks
		


		


		


		


		


		


		


	
	

		
□ Legal impact: Regulatory or legal action brought against the organization or its employees that could result in fines, penalties or imprisonment.
		


		


		


		


		


		


		


	
	

		
□ Financial impact: Negative impacts with regard to the organization’s bottom line, and material loss. 
		


		


		


		


		


		


		


	
	

		
□ Reputational impact: Damage to the organization’s reputation or brand—for example, bad press or social media discussion, loss of customer trust, 
		


		


		


		


		


		


		


	
	

		
   or decreased employee morale.
		


		


		


		


		


		


		


	
	

		
□ Business impact: Adverse events that could significantly disrupt the organization’s ability to operate.
		


		


		


		


		


		


		


	



Sheet 3: Risk Model

	
	
	
	
	

		
Risk Model (How do we measure risk) - ELRC RM Framework
		


		


		


		


		


	
	

		
Each risk is evaluated in terms of potential loss, likelihood of occurrence and the effectiveness of controls in place to manage the risks according to the criteria set down below
		


		


		


		


		


	
	

		


		


		


		


		


		


	
	

		
Risk = Threat Likelihood x Magnitude of Impact
		


		


		


		


		


	
	

		


		


		


		


		


		


	
	

		
Threat Likelihood
		


		


		


		


		


	
	

		


		


		


		


		


		


	
	

		
Probability Factor
		
Rating
		
Measure Criteria
		
Qualification Criteria
		


		


	
	

		
Almost Certain
		
5
		
Certain to occur almost every time
		
Almost certain to occur in the current circumstances
		


		


	
	

		
High
		
4
		
Will occur frequently, 1 out of 10 times
		
More than an even chance of occurring
		


		


	
	

		
Medium
		
3
		
Will occur sometimes, 1 out of 100 times
		
Could occur fairly often
		


		


	
	

		
Low
		
2
		
Will seldom occur, 1 out of 1000 times
		
Small likelihood but could happen
		


		


	
	

		
Minimum
		
1
		
Will almost never occur, 1 out of 10 000 times
		
Not expected to happen – event would be a surprise
		


		


	
	

		


		


		


		


		


		


	
	

		
Potential Loss / Impact
		


		


		


		


		


	
	

		
Magnitude impact is the potential loss to the business should the risk materialized, rated as follows:
		


		


		


		


		


	
	

		


		


		


		


		


		


	
	

		
Severity Ranking
		
Rating
		
Continuity of Service Delivery
		
Safety & Environment
		
Technical Complexity
		
Financial
	
	

		
Catastrophic
		
5
		
Risk event will result in widespread and lengthy reduction in continuity of service delivery to customers of greater than 48 hours 
		
Major environmental damage. Serious injury (permanent disability) or death of personnel or members of the public. Major negative media coverage
		
Use of unproven technology for critical system / project components. High level of technical interdependencies between system components 
		
Leads to termination of the project 
	
	

		
Critical
		
4
		
Reduction in service delivery or disruption for a period ranging between 24 & 48 hours over a significant area 
		
Significant injury of personnel or public. Significant environmental damage. Significant negative media coverage 
		
Use of new technology not previously utilised by the organisation for critical systems / project components
		
Cost increase > 20% 
	
	

		
Major
		
3
		
Reduction in service delivery or disruption for a period between 8 & 47 hours over a regional area 
		
Lower level environmental, safety or health impacts. Negative media coverage 
		
Use of unproven or emerging technology for critical systems / project components 
		
Cost increase > 10% 
	
	

		
Significant
		
2
		
Brief local inconvenience (work around possible). Loss of an asset with minor impact on operations 
		
Little environmental, safety or health impacts. Limited negative media coverage 
		
Use of unproven or emerging technology for systems / project components 
		
Cost increase < 10% 
	
	

		
Negligible
		
1
		
No impact on business or core systems 
		
No environmental, safety or health impacts and/or negative media coverage 
		
Use of unproven or emerging technology for non-critical systems / project components 
		
Minimal or no impact on cost 
	
	

		


		


		


		


		


		


	
	

		
Effectiveness of Operating Controls
		


		


		


		


		


	
	

		


		


		


		


		


		


	
	

		
Control Strength
		
Control Rating
		
Description
		
Control Weight
		


		


	
	

		
No control
		
5
		
Controls/ management activities not existing and/or major deficiencies and don’t operate as intended.
		
1%
		


		


	
	

		
Weak
		
4
		
Limited controls and/or management activities are in place.
		
25%
		


		


	
	

		
Satisfactory
		
3
		
Controls and/or management activities are in place with significant opportunities for improvement.
		
50%
		


		


	
	

		
Strong
		
2
		
Controls and/or management activities are properly designed and operating with limited opportunity of improvement.
		
75%
		


		


	
	

		
Very strong
		
1
		
Controls and/or management activities are properly designed and operating as intended.
		
90%