System Overview
System Name: NAPSA Enterprise Risk Management System
Acronym: NAPSA ERM
Organization: National Pension Scheme Authority (NAPSA)
Country: Zambia
Version: 1.0.0
Environment: production
Technical Team: Ontech Solutions Limited
Support Email: info@ontech.co.zm

Purpose

To provide NAPSA with a unified risk management framework that ensures regulatory compliance, protects organizational assets, and enables data-driven decision-making through real-time risk intelligence.

Overview

A comprehensive enterprise risk management platform designed to help NAPSA identify, assess, monitor, and mitigate operational, financial, and strategic risks across the organization.

ISO 31000:2018 Compliance Status

Overall Status: 100% Compliant
Principles Met: 8/8 (all 8 principles)
Framework Elements: 5/5 (complete framework)
Process Steps: 7/7 (all implemented)

Certification Ready: The system is ready for immediate ISO 31000:2018 certification audit.

System Modules
Risk Management

Comprehensive risk register, assessment, and tracking

  • Risk Register with 79 ISO 31000 risk categories
  • Risk Matrix (5x5 likelihood/impact)
  • Risk Assessments and RCSA
  • Automated risk scoring and heat maps
  • Risk treatment planning and monitoring
  • Overdue risk tracking with automated notifications
Risk Case Management

Comprehensive investigation and case tracking system

  • 7-stage lifecycle (Open → Investigation → Review → Approval → Resolution → Closure + Escalation)
  • Cultural and human factors assessment (ISO 31000 Principle 7)
  • Multi-stakeholder collaboration with @mentions
  • Evidence and document management
  • Automated case aging notifications
  • Auto-escalation for overdue cases (>30 days)
Key Risk Indicators (KRI)

Real-time risk indicator monitoring and alerting

  • KRI dashboard with red/amber/green status
  • Threshold-based alerts
  • Trend analysis and forecasting
  • Automated data collection from ERP systems
  • Performance tracking and reporting
Incident Tracking

Incident reporting, investigation, and root cause analysis

  • Incident registration and categorization
  • Root cause analysis framework
  • Impact assessment (financial, operational, reputational)
  • Corrective action tracking
  • Incident trends and analytics
Compliance Management

Regulatory compliance monitoring and reporting

  • Compliance framework mapping
  • Regulatory requirement tracking
  • Compliance assessments and audits
  • Remediation planning
  • Exception reporting
  • Compliance dashboard
Controls Management

Internal controls design and effectiveness monitoring

  • Control library and catalog
  • Control effectiveness testing
  • Control automation workflows
  • Gap analysis
  • Control ownership assignment
Learning & Development

Risk awareness training and certification

  • Course catalog with modules
  • Quiz and examination system
  • Certificate generation with NAPSA logo
  • Mandatory training monitoring
  • Progress tracking and reporting
Analytics & Reporting

Business intelligence and data visualization

  • Executive dashboards
  • Customizable reports (PDF/Excel/CSV)
  • Risk heat maps and trend analysis
  • KRI performance metrics
  • Compliance scorecards
Technical Architecture
Backend
Framework: FastAPI (Python)
Database: PostgreSQL
ORM: SQLAlchemy
Auth: JWT with 2FA support
Scheduling: APScheduler (CaseScheduler, RiskScheduler)
Frontend
Framework: Flask (Lite Frontend)
UI Library: Bootstrap 5 + Font Awesome
Templating: Jinja2
Communication: REST API
Integrations
ERP: Oracle ERP Integration
ICT Systems: ICT Asset & Ticket Management
Project Mgmt: External PM System (Port 32000)
Notifications: Email + SMS (Gateway 388)
Automation
Scheduled Jobs
RiskScheduler
Schedule: Daily at 08:00 AM
  • Check overdue risks
  • Send due date reminders (7/3/1 days)
  • Auto-escalate risks overdue >30 days
CaseScheduler
Schedule: Daily at 09:00 AM and 09:15 AM
  • Check overdue cases
  • Send due date reminders
  • Auto-escalate cases overdue >30 days
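The two daily jobs above follow the same pattern: remind ahead of the due date, flag overdue items, and escalate anything more than 30 days past due. The following is an added example of that decision logic, written for this page and not taken from the NAPSA ERM code base. It assumes the 7/3/1-day reminder offsets stated for RiskScheduler (the page gives no offsets for CaseScheduler, so applying the same ones to cases is an assumption), and `Item`, `classify` and `daily_run` are constructed names.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# RiskScheduler sends reminders 7/3/1 days before the due date; the page does
# not give CaseScheduler's offsets, so reusing them for cases is an assumption.
REMINDER_DAYS = (7, 3, 1)
ESCALATION_DAYS = 30  # both schedulers auto-escalate items overdue >30 days
RUN_DATE = date(2024, 6, 30)  # constructed date for the sample run below


@dataclass
class Item:
    """A risk or case as the daily job sees it (constructed, not the project's model)."""
    ref: str
    due: date
    closed: bool = False


def classify(item: Item, today: date) -> Optional[str]:
    """Action for one item: remind_Nd, overdue, escalate, or None when nothing is due."""
    if item.closed:
        return None
    days_left = (item.due - today).days
    if days_left in REMINDER_DAYS:
        return f"remind_{days_left}d"
    if days_left >= 0:
        return None  # not yet due and not on a reminder day
    # Past due: escalate only once strictly more than 30 days overdue.
    return "escalate" if -days_left > ESCALATION_DAYS else "overdue"


def daily_run(items: List[Item], today: date) -> Dict[str, str]:
    """One pass over the register, as the 08:00 job would do, keyed by ref."""
    actions = {}
    for item in items:
        action = classify(item, today)
        if action:
            actions[item.ref] = action
    return actions


# Constructed sample register for a run dated RUN_DATE (2024-06-30).
SAMPLE = [
    Item("RISK-001", date(2024, 7, 7)),   # 7 days out  -> remind_7d
    Item("RISK-002", date(2024, 7, 1)),   # 1 day out   -> remind_1d
    Item("RISK-003", date(2024, 6, 10)),  # 20 days overdue -> overdue
    Item("RISK-004", date(2024, 5, 1)),   # 60 days overdue -> escalate
    Item("RISK-005", date(2024, 5, 1), closed=True),  # closed: ignored
    Item("RISK-006", date(2024, 7, 20)),  # nothing due today
]
```

Running `daily_run(SAMPLE, RUN_DATE)` yields one action per open item that needs attention; an item exactly 30 days overdue is still reported as overdue, not escalated.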
Notifications
  • 17 automated notification triggers
  • Channels: Email, SMS
  • Mapping patterns: 4 types
Security
Authentication & Authorization
  • Authentication: JWT tokens with configurable expiry
  • Authorization: Role-based access control (RBAC)
User Roles (8)
Superadmin, Admin, Risk Manager, Risk Officer, Compliance Officer, Department Head, Auditor, User
Data Protection
  • Encrypted password storage
  • Audit trails for all actions
  • Confidential case handling
  • Role-based data visibility
System Statistics

Users: 102
Risks: 92
Key Risk Indicators: 0
Controls: 191
Incidents: 35
Risk Cases: 20
Risk Treatments: 83
Policies: 0
Compliance Requirements: 0

Support Information

Technical Team: Ontech Solutions Limited
Contact Email: info@ontech.co.zm
Phone: +260 979 669 350 / +260 972 718 518 / +260 953 015 270

Comprehensive user guides and API documentation available

Detailed Documentation

Access comprehensive technical documentation, implementation guides, and compliance reports.

Compliance & Standards
  • ISO 31000:2018 Compliance Summary: complete ISO 31000:2018 compliance status and certification readiness
  • Case Management ISO 31000 Alignment: detailed analysis of case management alignment with ISO 31000 principles
  • Cultural Assessment Implementation: ISO 31000 Principle 7, human and cultural factors implementation
Case Management
  • Case Management Roles and Workflow: complete case management lifecycle, roles, and permissions
Automation & Notifications
  • Case Aging Notifications: automated case aging notifications and escalation system
  • Notification System Alignment: complete notification system and trigger points documentation
Learning & Security
  • Learning Module Complete Summary: learning and training module implementation details
  • User Management Complete Summary: user management, RBAC, and access control implementation