Our Business
Managing risks as threats
and opportunities
Introduction
Managing risks as threats and opportunities
STRATEGIC RISK PROFILE HEATMAP
The risk heatmap reflects the risk priority for individual risks as at 31 March 2025.
- Risk number refers to risk number of list of risks
- Colour of the risk reflects the current level of control
- Red – Poor
- Orange – Below par
- Yellow – Reasonable
- Blue – Well controlled
- Green – Excellent
- An arrow pointing up indicates an expected increase in the residual risk and a down pointing arrow indicates an expected decrease in the residual risk, with a level arrow indicating that no change is expected, in the short to medium term.
Strategy Level Risks – March 2025
| No. | Risk description | Short term | FY24 | FY23 | FY22 | FY21 |
|---|---|---|---|---|---|---|
| 1 | Inadequate donor recruitment and retention strategies lead to periodic shortages of Group O RBC and Apheresis Platelets |  |
 |
 |
 |
|
| 2 | Suboptimal stakeholder management leads to loss of stakeholder confidence | |
 |
 |
 |
|
| 3 | Inability to remain financially sustainable | |
|
|
|
|
| 4 | Inability to attract and retain a fit-for-purpose workforce | |
|
|
|
|
| 5 | Inadequate data and information life-cycle management | |
 |
- | - | |
| 6 | Possible cybercrime attack (new top risk) | - | - | - | - | |
| 7 | National and International political/socioeconomic instability leading to disruption in business operations | |
 |
- | - | |
| 8 | Impact of weak internal controls on compliance and financial assurance leading to adverse audit outcomes | |
|
|
- | |
| 9 | Non-compliance with regulatory requirements |  |
|
|
|
|
| 10 | Inadequate internal/external infrastructure leading to disruption in business operations | |
 |
- | - | |
| 11 | Possible failure of information technology systems | |
 |
|
|
Cybersecurity posture
SANBS has not experienced material cybersecurity breaches; however, increased phishing activity demonstrates persistent threat exposure.
As SANBS grows its digital footprint and adopts cloud services, the organisation’s cyber‑attack surface expands, requiring stronger controls and contractual safeguards with suppliers.
Controls and investments
Technical controls
SANBS employs a layered defence that includes advanced firewalls, endpoint protection, continuous vulnerability scanning, strong encryption and regular independent security audits.
People and awareness
Ongoing employee awareness programmes and phishing simulations reinforce vigilance and reduce the likelihood of successful social‑engineering attacks.
Third‑party and contractual safeguards
SANBS requires robust third‑party security management and includes clear contractual clauses covering data protection and privacy, incident response, audit and compliance rights, indemnification and liability, and third‑party risk management.
SANBS will maintain an increased investment in prevention, detection and response capabilities, align cloud deployments with strict security and privacy requirements, and sustain regular reviews and independent assurance to protect systems, data and service continuity.
SANBS combines technical controls, people programmes and contractual oversight to mitigate cyber threats while supporting secure digital transformation.