
studynotesunisa.co.za… · Web view RSk2601 Study bank. Enterprise risk management (ERM) is characterised by a. Narrow focus of hazard risks. Comprehensive, inclusive and proactive


RSk2601 Study bank

Enterprise risk management (ERM) is characterised by a

1. Narrow focus of hazard risks
2. Comprehensive, inclusive and proactive approach to risk management
3. Functional approach to risk management responsibilities
4. Lack of consistency in terms of level of detail and reporting formats

The purpose of an ERM policy is to

1. Assist an organisation integrating risk management into its management processes
2. Communicate externally that risk management is being practiced
3. Satisfy internal and external audit requirements
4. Set out how the risks will be managed and controlled

A risk management policy sets out how the risks, which have been identified by the risk assessment procedure, will be managed and controlled. The risk management policy assigns responsibility for performing key tasks, establishes accountability with the appropriate managers, defines boundaries and limits and formalises reporting structures. The policy should address specific responsibilities of the board, internal audit, external audit, the risk committee, the corporate governance committee, the central risk function, employees and third party contractors in implementing risk management. A policy statement defines a general commitment, direction or intention. A policy on risk management expresses an organisation’s commitment to risk management and clarifies its general direction or intention.

What do boards fundamentally seek from an ERM system?

1. The avoidance of unpleasant surprises and losses
2. Integration of risk management, audit and governance
3. Robust procedures
4. Competent risk management teams

Pg 9 textbook

Which of the following are benefits of ERM?

a. Build confidence with stakeholders and the investment community
b. Align risk appetite and strategy
c. Link risk with audit requirements
d. Seize opportunities

Choose the correct combination:

1. A, c
2. B, c
3. A, b, d
4. All of the above

The benefits of ERM include the following:

♦ Increase in the likelihood of a business realising its objectives

♦ Build confidence in stakeholders and the investment community

♦ Comply with relevant legal and regulatory requirements

♦ Align risk appetite and strategy

♦ Improve organisational resilience

♦ Enhance corporate governance

♦ Embed the risk process through the organisation

♦ Minimise operational surprises and losses

♦ Optimise allocation of resources

♦ Identify and manage cross enterprise risks

♦ Link growth, risk and return

♦ Rationalise capital

♦ Seize opportunities

♦ Improve organisational learning

Which of the following is typical to the traditional approach to risk management?

1. Risk management carried out in silos and extensive use of insurance
2. A comprehensive approach to managing risks
3. Integrating efforts of operations and risk managers
4. Viewing risk management as part of everyone’s daily routine

Traditionally, risk management has been segmented and carried out in “silos”. However, with the dynamic environment and the evolving nature of risk, businesses encounter new types of risk while pursuing new business objectives. There is therefore a need for an integrated framework for a holistic approach to risk management.

King III applies to

a. Banks
b. Insurance institutions
c. Public sector agencies
d. All listed companies on the JSE

Choose the correct combination:

1. A, b
2. A, b, d
3. A, b, c
4. All of the above

King III applies to all listed companies on the JSE, banks, financial and insurance institutions and some public sector agencies.

The King III Report on Corporate Governance introduced which of the following new concepts?

a. Shareholder approval of remuneration policies
b. Alternative dispute resolution (ADR)
c. Directors’ performance evaluation
d. Business rescue

Choose the correct combination:

1. A, c
2. A, b, c
3. B, c, d
4. All of the above

The risk management policy forms part of the ERM

1. Scenario
2. Taxonomy
3. Framework
4. Structure

ERM is composed of seven elements namely: corporate governance, internal control, implementation, risk management framework, risk management policy, risk management process and sources of risk.

Which one of the following is a recognised context stage (first stage) tool to obtain information on the business?

1. GAP analysis
2. Database analysis
3. Investment analysis
4. PEST analysis

Mechanisms

- Finance analysis tools
- Risk management process diagnostic
- SWOT analysis
- PEST analysis

Gap analysis can be used to draw out the main risks to an activity or project and is commonly carried out by calling upon department heads to complete a questionnaire.

During the context stage of a risk study, the ERM team for House and Home elects to examine House and Home’s financial ratios to understand the business’ financial health before moving onto the risk identification stage. This will enable them to

1. Provide a quick and relatively simple way to examine the financial position and performance of House and Home
2. Assess whether House and Home’s records are regularly updated
3. Open the dialogue with the finance department and the internal auditors in House and Home
4. Satisfy recommended ERM practices for this stage of the risk process in House and Home

Financial ratios: Financial analysis tools that are used to examine various aspects of financial position and performance and that are widely used for planning, control and evaluation purposes.

A risk checklist is a useful tool for a business to determine

1. Its strengths and weaknesses in the micro environment
2. The internal environmental factors which may influence its performance
3. The main risks linked to a certain project of the business
4. The external environmental factors which may influence its performance

A risk checklist, as described by the PRAM Guide (Simon et al. 1997), is an in-house list of risks “that were identified on previous projects”. Projects in the context of enterprise risk are either capital investment projects or business activities. Risk checklists are often developed from managers’ past experience. Checklists permit managers to capture lessons learnt and assess whether similar risks are relevant to the business activities of today.

The Delphi technique is primarily used in the ________ stage of the risk management process

1. Evaluation
2. Analysis
3. Identification
4. Monitoring and review

Risk identification can be conducted in a number of ways and is a facilitated process typically adopting one or a combination of the following: questionnaires (including the Delphi technique), interviews or interactive workshops using brainstorming, scenario analysis, systems dynamics or the nominal group method. Risk and opportunity identification is commonly a group-oriented approach that draws on the combined knowledge and experience of the individuals selected to participate.

Using a risk identification facilitator from outside the business will

1. Assist with timetabling
2. Avoid creating tension in the team when one is selected as the facilitator and others are not
3. Avoid problems of bias, lack of independence, hidden agendas, single direction approaches or pursuit of personal goals
4. Avoid the facilitation process or approach being constrained by previous approaches

Facilitation is distinguishable from meeting chairmanship in that the facilitator is not normally a business employee or a member of the project team, contributes nothing more than facilitating skills and has no vote and certainly no casting vote in decision making. There are distinct advantages in not selecting a facilitator from a business function (or the business as a whole) as it avoids problems of bias, lack of independence, hidden agendas and distortion of focus to permit pursuit of personal or departmental goals. To accomplish the aims of facilitation it is common for the facilitator to adopt one of the seven techniques described below, commencing with brainstorming.

Scenario analysis can be used

1. To record ideas in a scenario for clarification and evaluation
2. For technological forecasting by experts scenarios
3. To identify risks by using case scenarios (best to worse scenarios) to consider possible future developments
4. In an interview to view a situation from a different perspective

Scenario analysis can be used to identify risks by considering possible future developments and exploring their ramifications for an activity or project. Sets of scenarios reflecting, for example, “best case” (optimistic), “expected case” (most likely) and “worst case” (pessimistic) may be used to analyse a risk, including both the probability of occurrence and potential consequences. It can be used to look back over a fixed period and examine, for instance, major shifts in technology, transportation and property development with a view to considering future change.


Which of the following is a typical output of the Risk Evaluation stage?

1. Industry betas
2. Human Resources Plan
3. Risk Register
4. Profit and loss account

Outputs: Risk register, Modelling results, Decision trees, Quantitative results, Scenario modelling, Sensitivity analysis

A list generated during the risk identification stage to categorise each risk into a type or area in the business, is known as a risk

1. Index
2. Taxonomy
3. Prompt list
4. Check list

A risk prompt list, as described by the first edition of the PRAM Guide (Simon et al. 1997), is a list which “categorises risks into types or areas”.

The number of years required to recover an initial investment is called

1. Net Present Value (NPV)
2. Internal Rate of Return (IRR)
3. Payback Period (PP)
4. Average Rate of Return (ARR)

Payback period (PP): The number of years required to recover an initial investment. It considers the timing of cash flows and therefore the time value of money, thus the payback period should be as short as possible.

Decision analysis is a useful technique to

1. Structure uncertain events and values of outcomes
2. Examine how sensitive the project outcomes are to changes in the business
3. Focus on the consequences of combinations of events which are not likely to happen
4. Analyse financial models where variables may be uncertain

Decision analysis is used to structure decisions, uncertain/chance events and values of outcomes.

Risk transfer is used to

1. Accept the risk in the business
2. Transfer the risk to a third party
3. Reduce the likelihood of a risk occurring
4. Eliminate a risk when a negative outcome is anticipated

Risk reassignment is the strategy used to transfer risk to another entity, business or organisation. Businesses can use contracts and financial agreements to transfer risk to a third party. Risk transfer does not reduce the severity of the risk but does increase the impact of the risk. The most common method of risk transfer is insurance.

The main reason for controlling risks is to establish whether

1. Risk meetings are happening regularly
2. Risk response actions are effectively implemented
3. A risk database is being maintained
4. Meaningful information is used for decision making

The controlling process is based on the information gathered in the monitoring process to form decision-making. It means the business must understand who needs what information for what purpose and when. To give a manager control, the control activities must adhere to the following seven specifications:

Control is a principle of economy.

Controls must be meaningful.

Controls have to be appropriate to the character and nature of the phenomenon measured.

Measurements have to be congruent with the events measured.

Controls have to be timely.

Controls need to be simple.

Controls must be operational.

The risk of the exposure of an enterprise to adverse events that erode profitability and, in extreme situations, bring about business collapse is __________ risk

1. Financial
2. Economic
3. Strategic
4. Market

Financial risk is the exposure of an enterprise to adverse events that erode profitability and in extreme situations, bring about business collapse.

The uncertainty linked to the recovery of outstanding amounts due is known as _________ risk

1. Exposure
2. Default
3. Credit
4. Recovery

Recovery risk: The risk related to uncertainty over the likely recovery of outstanding amounts due.

Which one of the following is a benefit of operational risk management?

1. Maximising day-to-day profits
2. Improving financial planning and management
3. Providing a more robust ERM system and correlation of different classes of risks
4. Enabling a better understanding of compliance with legal requirements

Operational risk management affords a business benefits by:

• improving the ability to achieve its business objectives;

• providing management the opportunity to focus on revenue generating activities rather than fire-fighting one crisis after another;

• minimising day-to-day losses;

• providing a more robust enterprise risk management system;

• contributing to the establishment of a system which enables the correlation of different classes of risk to be understood and, where appropriate, modelled.

Information technology tools include

1. E-commerce
2. Broadband
3. E-mails
4. Intranets

Information technology

IT is the collection, storage, processing and communication of information by electronic means. There are various types of IT tools, which include the following:

- Software applications
- Management information systems
- Intranets
- Telematics
- Information assets

Options, futures and swaps are financial products called

1. Foreign currencies
2. Investment options
3. Derivatives
4. Credits

Derivatives are financial products derived from some other existing product. Examples include options, futures and swaps. Derivatives are available to cover many types of exposure including interest rates; foreign currency exchange rates; commodities, such as energy (oil or gas), bullion (e.g. gold and silver), base metals (copper and nickel) and agriculture (e.g. sugar); and equities. Derivatives can be either “exchange traded” or “over the counter”.

Global warming is becoming a common concern all over the world. Which of the following initiatives has been implemented by the South African Government to reduce the effects of global warming?

1. Allowance for greenhouse gas emissions
2. Environmental sustainability
3. Emission trading protocols
4. Carbon tax

Response to global warming


In response to increasing concerns about climate change, several policies and frameworks were put in place in an effort to reduce the effects of global warming. These initiatives include the following:

• Earth Summit – the United Nations Framework Convention on Climate Change, 1992

• The Kyoto Protocol, 2004

• Pollution control targets imposed on countries by the Kyoto Protocol.

• Sufficiency of emission cuts whereby countries commit themselves to cut emissions.

• The US Climate Pact, 2005

• The Copenhagen Accord, 2009

• The European Union taking a leading role to govern global action on climate change

• The Cancun Agreements, 2010

• Domestic government response to climate change whereby governments promulgate legislation on the cutting of carbon emissions

• Levies such as the “carbon tax” levied on the selling price of new vehicles in South Africa

• Emissions trading whereby countries are allowed to buy and sell their agreed allowances of greenhouse gas emissions

Which one of the following factors is important for the development of a sound economic risk management system?

1. An understanding of financial systems and internal controls
2. An understanding of the impact of changes in exchange rates on the demand curve
3. An understanding of the drivers of environmental sustainability
4. An understanding of changes in interest rates

The development of a sound system of economic risk management will depend on a number of issues such as:

• an understanding of the drivers and consequences of inflation;

• an understanding of the impact of changes in exchange rates on the demand curve;

• tracking planned government spending;

• an understanding of government fiscal and monetary policies;

• the taxation regime.

Inflation is defined as

1. A sustained general rise in prices
2. A lack of familiarity with the history of changes in the exchange rate of different currencies
3. The inability in the short term to obtain cash in a desired currency
4. Fluctuations in exchange rates which affect cash flows from overseas investments

Inflation is defined as a sustained general rise in prices. Creeping inflation describes a situation where prices rise a few percent on average each year. Hyperinflation describes a situation where inflation levels are very high. Inflation is believed to cause unemployment and lower economic growth.

Which of the following is a risk control measure in a health and safety management system?

1. Paying employees’ salaries on time
2. Having an IT back-up facility at a distant location
3. Emergency procedures such as recovery plans following a fire
4. A disclaimer delivered with the products, marketed by a company

Legal risk refers to the

1. Risk arising from non-compliance with laws
2. Number of competitors moving into and out of the market the business is operating in
3. Uncertainty that stems from the exercise of power by government
4. Exposure to a potential loss arising from diminishing sales due to changes in market conditions outside the control of the business

Legal risk is the risk arising from violations of or non-compliance with laws, rules, regulations, prescribed policies and ethical standards. This risk also arises when laws or rules governing certain products or activities of an organisation’s customers are unclear or untested. Non-compliance can expose the organisation to fines, financial penalties, payment of damages and the voiding of contracts. It could also lead to a diminished reputation, reduced franchise value, limited business opportunities, restricted developments and an inability to enforce contracts.

As a consequence of the diversity of risk, risk management requires a _________ approach

1. Narrow
2. Modern
3. Broader
4. Traditional

As businesses strive for the creation of value for their shareholders they should understand what risks to take and those to avoid. As businesses grow, they are continuously exposed to greater, more complex and diverse (of various kinds or forms) and dynamic risks. Therefore, the range of risks that organisations need to manage has greatly increased. Because of the diversity of risk exposures, risk management requires a broader approach.

Risk management controls risk as far as possible to enable a business to maximise its

1. Opportunities
2. Profits
3. Strengths
4. Wealth

The effective management of risks and opportunities is increasingly seen as an important competitive differentiator, helping businesses achieve success despite difficult economic times. Businesses continuously explore and develop opportunities to sustain earnings and drive long-term increases in shareholder value. It is acknowledged that in their daily activities, businesses are exposed to various risks and that it is necessary to take certain risks to maximise business opportunities. The Board has the overall responsibility to operate an effective risk and opportunity management system that ensures comprehensive and consistent management of all significant risks and opportunities. The benefits of effective risk and opportunity management include the following:

♦ Improved cost certainty

♦ Higher economic returns

♦ Sustainable shareholder value

♦ Increased stakeholder confidence

♦ Reduction of costly disputes and claims

A risk management _______ sets out how the risks which have been identified by the risk assessment procedure will be managed and controlled.

1. Framework
2. Policy
3. Process
4. Structure

A risk management policy sets out how the risks, which have been identified by the risk assessment procedure, will be managed and controlled. The risk management policy assigns responsibility for performing key tasks, establishes accountability with the appropriate managers, defines boundaries and limits and formalises reporting structures.

Enterprise Risk Management (ERM) may be defined as

1. A system aimed at satisfying stock exchange requirements
2. A reactive system which responds to events as they unfold
3. A ‘tick-box’ process ensuring legislation is complied with
4. A systematic process embedded in a company’s system of internal control to support the fulfilling of the company’s objectives

ERM is a structured and systematic process that is interwoven with existing management responsibilities. It provides a framework based on analysing risks and opportunities, with an ultimate objective of creating value for the shareholders. ERM entails the alignment of an organisation’s strategy, processes, people, technology and knowledge to meet its risk management purpose; and offers a systematic and integrated way of identifying and responding to all sources of risk. ERM aims to provide a coherent framework to deal with all risks that result from operating in the ever-changing economic environment.

The King III Report on Corporate Governance introduced which of the following new concepts?

a. Shareholder approval of remuneration policies
b. Alternative Dispute Resolution (ADR)
c. Directors’ performance evaluation
d. Business rescue

Choose the correct combination:

1. A, c
2. A, b, c
3. B, c, d
4. All of the above

Pg 98 study guide

Corporate governance affects various business areas. Improving the confidence of domestic and international investors is an example of

1. Overall performance
2. Attracting lower-cost capital
3. Meeting social obligations
4. Employing assets efficiently

Effective corporate governance helps enterprises to attract lower-cost capital by improving the confidence of domestic and international investors and by assuring them that the assets are used in the form agreed upon, whether the investment is in the form of debt or equity. This has a positive impact on both debt and equity. For enterprises to succeed in competitive markets, corporate managers must innovate relentlessly and efficiently, and constantly evolve new strategies to meet changing circumstances.

Which one of the following activities in a company needs to be reported under the triple bottom-line principle?

1. Financial performance
2. Technological performance
3. Legal performance
4. Environmental performance

The King II Report moved away from the single bottom-line principle (i.e. profit for shareholders) to a triple bottom-line principle, which takes into account the environmental, economic and social activities of a company. Besides reporting on their financial performance (single bottom line), corporations must also disclose their social and environmental performances (triple bottom line).

According to ________ , non-executive directors should not receive share options

1. The Companies Act (1973)
2. The Companies Act (2008)
3. King II
4. King III

Pg 101 study guide

Company A is interested in acquiring XYZ Limited. Prior to making a decision, the board requests that management conducts a strategic review of XYZ limited and also performs the following

- An analysis of XYZ Limited
- A market analysis
- A product, portfolio and matrix analysis, and
- An analysis of the general environment

Which one of the following process mechanisms is Company A using?

1. PEST analysis
2. SWOT analysis
3. Financial analysis
4. Gap analysis

A SWOT analysis can be considered as bringing together a strategic review of a business and in particular (Friend and Zehle 2004):

• the analysis of the firm (internal elements);

• the market analysis (internal and external elements);

• the product, portfolio and matrix analysis (internal and external elements);

• the analysis of the general environment (external elements).

Pareto analysis is used to

1. Identify those risks that will have a dramatic impact on business projects/activities and objectives
2. Determine the expected return of an asset in relation to its risk or risk profile
3. Structure decisions, uncertain events and values of outcomes
4. Identify the cause of any risk

Pareto analysis

Pareto analysis is used to identify those risks that will have a dramatic impact on business projects/activities and objectives. Such analysis will rank and order the risks according to their impact so that the business can manage the high risks accordingly.

Which stage of the ERM process is concerned with gaining an understanding regarding the background of the business as a whole as well as the specific business activities, processes or projects?

1. Risk analysis
2. Risk evaluation
3. Monitoring and review
4. Establishing the context

Establishing the context is the first stage in the overall seven-stage process of enterprise risk management. Establishing the context is concerned with gaining an understanding of (1) the background to the business as a whole, in general terms, and (2) the specific business activity, process or project, forming the subject of the risk management study. It provides a basic foundation for everything that follows.


Which of the following is a regulatory framework which a business must comply with and embed in its business operations?

1. PEST analysis
2. Process mapping
3. Compliance system
4. Financial analysis tools

The compliance system

The regulatory framework in which a business operates must be embedded in the business operations. The business must also comply with the regulatory framework.

A resolution strategy is used

1. By a business to evaluate the effect of uncertainty on planned activity
2. To assess how sensitive the project outcomes are to changes in the business
3. By a business to respond to a particular recurring risk
4. To illustrate the decision options used to arrive at a risk response category

The resolution strategy is a technique used by a business to respond to a particular recurring risk.

Which one of the following risk response strategies uses insurance as one of the methods to respond to risk?

1. Risk retention
2. Risk transfer
3. Risk reduction
4. Risk removal

Risk reassignment is the strategy used to transfer risk to another entity, business or organisation. Businesses can use contracts and financial agreements to transfer risk to a third party. Risk transfer does not reduce the severity of the risk but does increase the impact of the risk. The most common method of risk transfer is insurance.

Which stage in the ERM process must be on-going in order to increase the success of the implementation of the entire process?

1. Risk treatment
2. Risk analysis
3. Communication and consultation
4. Monitoring and review


Monitoring and review is an on-going process of implementing and examining the success or otherwise of the planned responses. It entails evaluating the perceived benefit of the response, its attendant costs and the likelihood of new risks being triggered by the response. If a decision is taken to implement the response, it has to be clarified who will do so and when.

Risk appetite can be defined as

1. The strategy used to transfer a risk to another entity, business or organisation.
2. A reduction of risks by distribution.
3. The amount of risk a business is prepared to tolerate at any point in time
4. The elimination of a risk when a negative outcome or high-risk exposure is anticipated

Risk appetite can also be referred to as risk attitude, tolerance, preference or capacity. The definition for risk appetite is the amount of risk a business is prepared to tolerate (be exposed to) at any point in time. A business risk appetite can vary according to its objectives, culture, environment, perceived financial exposure to certain risks and risk attitudes (risk neutral, seeking and averse).

Scenario analysis can be used

1. For technological forecasting by expert scenarios
2. In an interview to view a situation from a different perspective
3. To identify risks by using case scenarios (best to worst scenarios) to consider possible future developments
4. To record ideas in a scenario for clarification and evaluation

Scenario analysis can be used to identify risks by considering possible future developments and exploring their ramifications for an activity or project. Sets of scenarios reflecting, for example, “best case” (optimistic), “expected case” (most likely) and “worst case” (pessimistic) may be used to analyse a risk, including both the probability of occurrence and potential consequences. It can be used to look back over a fixed period and examine, for instance, major shifts in technology, transportation and property development with a view to considering future change.

The ultimate responsibility for project risk management must rest with the project

1. Coordinator
2. Team
3. Director
4. Manager

Successful PRM cannot be driven from the bottom up but must be championed from the top. Ultimate responsibility for PRM must rest with the project director, who must be instrumental in setting the right culture.


Which one of the following methods is used by a business to evaluate the effect of uncertainty on a planned activity in a range of situations and makes use of random numbers to sample from a probability distribution?

1. Latin hypercube sampling
2. Monte Carlo simulation
3. Scenario analysis
4. Capital Asset Pricing Model (CAPM)

The Monte Carlo simulation is a method used by a business to evaluate the effect of uncertainty on a planned activity in a range of situations and uses random numbers to sample from a probability distribution. A business can use this method to evaluate duration, demand or throughput and costs.

Potential loss exposure arising from diminishing sales or margins as a result of changes in market conditions, outside of the control of the business, is known as _________ risk

1. Economic
2. Financial
3. Market
4. Strategic

Market risk can be defined as “the exposure to a potential loss arising from diminishing sales or margins due to changes in market conditions, outside of the control of the business”.

Mr Nyoka is a risk manager at Gold Mining Ltd. He is approached by the board of directors to comment on the health and safety system of the business. Which one of the following questions will be the most important one to be asked by Mr Nyoka to determine if Gold Mining Ltd is implementing health and safety measures correctly?

1. Is Gold Mining Ltd implementing a health and safety system which reflects the national legislation on common practice in the mining industry?

2. Is Gold Mining Ltd creating a sound health and safety indicator system?
3. Is Gold Mining Ltd creating measurable targets for occupational accidents and hazards in the working environment?
4. Is Gold Mining Ltd identifying common health and safety risks?

Risk management best practice is implemented through the development of a risk management system, policy and procedures to provide safe systems of work, defining targets, measuring performance and revisiting procedures in the light of experience. The following are the main risk mitigation factors:


• Establishing a greater awareness of the legal liabilities of the organisation.

• Gaining an awareness of existing guidance such as BS 8800 which provides guidelines for an effective occupational health system, the International Labour Organisation’s 2001 Guidelines on Occupational Safety and Health Management Systems (ILO-OSH), which were the result of extended international consultations held over 2000–2001, and the OHSAS 18000 Series of International Standards for Occupational Health and Safety Management Systems.

• Implementation of a health and safety management system – companies that have an occupational safety and health management system (OSH-MS) set up according to the ILO-OSH have both better safety and productivity records.

• Involvement of the workforce in both planning and running the organisation’s OSH-MS creates improved ownership and participation.

• A functioning, recording, notification and indicator system provides a better picture of the problems and the follow-up that is necessary.

• Measurable targets for reducing occupational accidents and work-related diseases by targeting their causal factors.

• Workplace mapping techniques are an effective tool to identify health and safety problems in the workplace and define the measures necessary to resolve them.

• Development of a public relations response management plan and crisis management plan.

The default by a small number of large customers may lead to ________ as a result of credit risk

1. Tax evasion
2. Bribery
3. Insolvency
4. Profits

Credit risk is the financial loss suffered due to the default of a borrower or counterparty under a contract. Default by a small number of large customers may lead to insolvency.

Failing to execute a well-thought-out strategy is an example of ________ risk

1. Country
2. Political
3. Operational
4. Financial


According to Chapman (2011), adopting the wrong business strategy, failing to execute a well-thought-out strategy and not modifying a successful strategy over time, are examples of operational risk.

_______ is the buying of goods on the internet

1. E-mail
2. E-trade
3. E-commerce
4. E-tailor

Electronic commerce or e-commerce is the buying and selling of goods on the internet. It is doing business electronically.

Ethical risk refers to

1. The breach of environmental legislation
2. Moral rules and regulations governing the business world
3. The care a person should take before entering into an agreement with another party
4. Exposure to events, which may result in criminal prosecution

Ethical risk refers to exposure to events, which may result in criminal prosecution, civil law suits or erosion of reputation. Examples of ethical risk include bribery, false accounting, child labour, tax evasion, money laundering and invasion of privacy.

A ________ policy is a government policy which makes decisions regarding the taxation, borrowing and spending of a country

1. Fiscal
2. Monetary
3. Economic
4. Trade

Macro-economic policy is influenced by government policy through fiscal policy, monetary policy and competing theories. Fiscal policy aims to influence government revenue (taxation) and/or expenditure. Macro-economic policy is thus used by governments to influence the level of aggregate demand and supply in the economy.


Which of the following factors can be avoided when implementing a health and safety risk management system?

a. Compensation payments
b. Civil claims
c. Decrease in insurance premiums
d. Adverse media attention

Choose the correct combination:

1. A, b
2. A, c, d
3. A, b, d
4. All of the above

A health and safety risk management system helps to avoid:

• health and safety incidents or an increase in the number of incidents and/or their impact;

• non-compliance convictions, criminal prosecutions or enforcement notices;

• civil claims;

• adverse media attention and damage to reputation;

• increase in insurance premiums;

• compensation payments;

• the need to investigate the cause(s) of an accident;

• the need to prepare accident reports, attending hearings or inquest courts;

• the need to arrange for the injured employee’s work to be continued by another employee;

• the need to make staff rehabilitation and return to work arrangements (recognising that returning staff may need to work at a reduced capacity, at least initially);

• loss of productivity, business, early completion bonuses or future orders;

• the need to engage solicitors and barristers to represent the organisation;

• loss of board, management and supervisor time in responding to incidents.

There are a number of additional benefits such as:

• increased productivity;

• greater production reliability and reduction in the chance of losing sales to a competitor;

• improvement in staff morale, together with staff retention and recruitment rates;

• reduced staff absenteeism;

• meeting increasingly stringent lending criteria;


• improved success rate in bidding for contracts;

• improved shareholder satisfaction from meeting increasingly higher health and safety standards.

ABC Limited has been subject to an internal audit. The internal audit report indicated the staff in the debtors department is not properly trained with regards to completing individual debtor reconciliations. As a result of this, the reconciliations have incorrect reconciling items. The fact that the staff are not properly trained is an example of a (an)

1. Risk
2. Risk source
3. Opportunity
4. Internal control

A risk source has the intrinsic potential to give rise to risk. A risk source is where a risk originates. It is where the risk comes from.

The purpose of an enterprise risk management (ERM) policy is to

1. Assist an organisation in integrating risk management into its management processes
2. Communicate externally that risk management is being practiced
3. Address specific responsibilities of the board and risk committee
4. Systematically apply management processes and practices

The policy should address specific responsibilities of the board, internal audit, external audit, the risk committee, the corporate governance committee, the central risk function, employees and third party contractors in implementing risk management.

The main objective of ERM is to ensure that businesses

a. Eliminate existing risks altogether
b. Understand that risk is inescapable in a business activity
c. Understand that taking risk and managing it is the essence of business growth
d. Do not take risks at all


Choose the correct combination

1. B, c
2. A, d
3. B, c, d
4. All of the above

Indicate the correct statement

1. Risk is the deviation of the expected from the actual result
2. Risk implies the presence of uncertainty
3. Uncertainty arises from a person’s perfect state of knowledge about the future events
4. The probability of an event refers to its short-term frequency of occurrence

With reference to the concept of risk of opportunity, which of the statements are correct?

1. As businesses continuously explore and develop opportunities to sustain earnings it is not necessary to take certain risks to maximise business opportunities

2. Traditional risk management aims to provide a coherent framework to deal with all risks and opportunities that result from operating in the ever-changing economic environment

3. The effective management of risks and opportunities assists a business to achieve success despite difficult economic times

4. Risk averse refers to the tendency to engage in behaviours that have the potential to be harmful or dangerous

What are the key obstacles in an organisation to make risk management integral with the overall business strategy?

a. Competition with other priorities
b. Fear of creating a risk-averse and bureaucratic culture
c. Directors consider risk management a task for line management and not the board
d. The board does not understand or appreciate the principles and benefits of ERM

Choose the correct combination

1. A, c
2. A, b, c
3. B, c, d
4. All of the above

There are a number of challenges to the implementation of PRM that occur time and time again. These include, but are not restricted to:

• lack of clearly defined and disseminated risk management objectives;


• lack of senior executive and project director commitment and support for PRM;

• lack of a risk maturity model to guide the goals for risk management;

• lack of a change process to introduce the discipline (in situations where some form of PRM has not previously been embarked upon);

• no common risk language (terms and definitions);

• lack of articulation of the sponsor’s risk appetite (i.e. risks the project will and will not take);

• no definition of risk management roles and responsibilities;

• lack of risk management awareness training to build core competencies;

• no integration of risk management with other project disciplines;

• reticence of project personnel to spend time on risk management;

• risk owners not automatically taking responsibility for the risks assigned to them;

• no clear demonstration of how risk management adds value and contributes to project performance;

• overcomplicated implementation through confusing policies, strategies, frameworks, plans, and verbose and mutually incompatible procedures;

• lack of alignment between the overall business strategy, the project business model and the risk management objectives for projects.

Which one of the following is not an example of risk taking behaviour?

1. Themba loves driving his Maserati at high speed, he enjoys the thrill that comes with driving fast

2. The oil prices have been falling significantly over the past few months, as a result Mr Davies, an investor, decided to avoid buying a stake in the oil company

3. Siyaqhuba General Dealers is in the retail business, the finance manager decides to take out a loan from ABSA bank to open a new branch in Soweto with the hope of growing the business

4. In their quest to win a larger market share, Samsung has decided to invest more funds towards technological advancement

Which one of the following statements relates to the concept of corporate governance?

1. Controls the internal and external actions of managers, employees and outside business stakeholders

2. Universal and prescriptive in nature and applicable to only a few companies
3. Assists enterprises to attract higher-cost capital


4. Enhances the dominating of business decisions and objectives by one individual

For an enterprise to achieve and aspire to be a good corporate citizen, it has to empower the board of directors to

a. Report annually on social, transformation, safety, ethics, health and environmental management policies and practices

b. Have a silo approach to risk management
c. Report on their HIV/Aids strategic plans and policies
d. Disclose the company’s formal procurement policies

Choose the correct combination:

1. A, c
2. B, c, d
3. A, c, d
4. All of the above

ABC Limited is a company listed on the JSE. A majority of the audit committee members that have been appointed are independent non-executive directors. The chairman of the board and the chief executive officer are also members of the audit committee. There are six members in total. Three meetings were held by the audit committee during the year. The audit committee also recommends to the board which external audit provider they feel should be appointed to conduct the annual audit. Based on the scenario above, which of the following statements are insufficiencies in the audit committee’s structure based on King III?

a. A majority of the audit committee members appointed are independent non-executive directors

b. The chairman of the board and the chief executive officer are both members of the audit committee

c. There are six members in total
d. The audit committee recommends to the board which external audit provider they feel should be appointed to conduct the annual audit

Choose the correct combination:

1. A, b
2. B, c, d
3. A, c, d
4. All of the above

Which of the following is an activity taken into account by the triple bottom-line principle?

1. Political performance
2. Legal performance
3. Technological performance


4. Environment performance

Which of the following are the benefits of corporate governance?

a. Improves confidence of domestic and international investors and therefore attracting capital at lower cost

b. Corporate governance ensures efficient use of company resources
c. Good corporate governance is essential to ensure adherence to legislation as well as corporate social responsibility
d. Effective corporate governance may improve overall performance.

Choose the correct combination:

1. A, d
2. B, c, d
3. A, c, d
4. All of the above

The ERM process has several stages, the first stage is establishing context, which is concerned with the understanding of the

a. Specific business activity, process or project forming the subject of risk management
b. Macro and micro environment in which the business operates
c. Background of the business as a whole in general terms
d. Identified risk events (upside and downside)

Choose the correct combination:

1. B, c
2. B, c, d
3. A, b, c
4. All of the above

Which one of the following statements is correct with regards to process mechanisms in Stage 1 of the ERM process?

1. Financial ratios are used to look at the financial position and performance of a business
2. The risk management process diagnostic can be regulated or constrained by the culture of business risk
3. The financial performance of a business must be reviewed by looking at the PEST analysis
4. The SWOT analysis can be used to look at the external environment influences on business performance and market growth or decline


Scenario analysis is used to analyse the

1. Events and trends that will determine an organisation's future
2. Profitability of a business
3. Strengths and weaknesses of a business
4. Micro environment over which a business has control

Risk identification is a crucial step in the ERM process. Indicate which of the following statements are correct in relation to risk identification?

a. A risk checklist is used to list all the risks that were identified on previous projects within the business

b. A structured method of risk identification must be implemented so that consistent risk management can take place

c. Business risk is static and a discrete phase in the process
d. It is important to be able to identify the risks in the business and understand how they fit into the overall business context

Choose the correct combination:

1. A, c
2. B, c, d
3. A, b, d
4. All of the above

Which stage in the ERM process requires a business to design a specific action plan and produce strategic responses to address the risks and opportunities identified in the business to secure business objectives?

1. Risk analysis
2. Risk treatment
3. Communication and consultation
4. Monitoring and review

The risk treatment stage will assist the business to design a specific action plan and produce strategic responses to address the risks and opportunities identified in the business to secure business objectives. This stage is vital in the risk management process because the risk strategy responses and action plan must be prepared and implemented effectively into the business.


In the monitoring and review stage, control activities must adhere to which of the following?

a. Measurements have to be congruent with the events measured
b. Controls have to be a principle of economy
c. Controls must be operational
d. Controls have to be timely

Choose the correct combination:

1. A, b
2. A, b, c
3. A, b, d
4. All of the above

The controlling process is based on the information gathered in the monitoring process to form decision-making. It means the business must understand who needs what information for what purpose and when. To give a manager control, the control activities must adhere to the following seven specifications:

Control is a principle of economy.

Controls must be meaningful.

Controls have to be appropriate to the character and nature of the phenomenon measured.

Measurements have to be congruent with the events measured.

Controls have to be timely.

Controls need to be simple.

Controls must be operational.

The _______ is the number of years required to recover an initial investment

1. Payback Period (PP)
2. Average Rate of Return (ARR)
3. Internal Rate of Return (IRR)
4. Net Present Value

The risk analysis stage provides information on the likelihood of risks and opportunities occurring and their impact, to aid in the decision-making process. Which of the following activities need to be conducted?

a. Capital asset pricing model (CAPM) analysis
b. Clarifying the business objectives
c. Causal analysis
d. Decision analysis and influence diagrams


Choose the correct combination:

1. A, c
2. A, c, d
3. A, b, d
4. All of the above

Pg 33-34 sg

The _________ is an average annual return expressed as a percentage of initial cost of the project

1. Internal rate of return
2. Average rate of return
3. Payback period
4. Net present value

In relation to CAPM analysis, market risk is measured by its beta. A share with a beta of 1.5 tends to move up or down by the same percentage point as the equity market

Indicate if the above statement is true or false:

1. True
2. False

An investor holding shares in a holding is exposed to equity market risk. There is a tendency for the value of the share to move with general stock market movements. In the CAPM, market risk is measured by its beta. A stock with a beta of 1.0 tends to move broadly in line with the equity market; a share with a beta of 1.5 tends to move up or down by 1.5% for each percentage point movement in the market. In the past the Lloyds TSB Group has had a beta of just under 1.5% and Cadbury Schweppes had a beta of just over 0.5%. Some companies have a beta over 1.5. If the market goes up these shares can be expected to outperform others; in a bear market they can be expected to fall by more than average. Other shares have betas of 0.5 or less, and these defensive companies are likely to do relatively well in a bear market while being left behind when the share prices surge ahead.

Which one of the following statements is incorrect with regards to credit risk?

1. Credit risk is the financial loss suffered due to the default of a borrower or counterparty under a contract

2. Counterparty risk relates to the certainty surrounding the payment of future amounts
3. Default risk is the probability of the event of default
4. Recovery risk relates to the uncertainty over the likely recovery


_______ risk is considered to be embraced within operational risk

1. Liquidity
2. Currency
3. Funding
4. Reputational

The sources of risk considered to be embraced within operational risk include business risk, crime risk, disaster risk, information technology risk, legal risk, regulatory risk, reputational risk, systems risk and outsourcing. Refer to par 16.1 of the prescribed book for more details.

Employees working in Company A have access to the Company’s Code of Conduct, which is not available to external parties. The Code of Conduct is posted on the Company’s

1. Information assets
2. Intranet
3. Management information system
4. E-commerce

Intranets are computer networks based on the same technical standards as the internet but designed for use within a single organisation. Intranets are cheaper and simpler to install than proprietary networks, and companies are increasingly using them to circulate internal information such as phone directories, job openings, training, marketing and publicity material.

Company XYZ is in the process of implementing Project A. They need to identify the legislation that the project needs to adhere to. This identification of legislation relates to the stage of the PRM process

1. Establish the context
2. Risk identification
3. Monitoring and review
4. Risk analysis

If an individual other than an employee gains unauthorised access to a company computer by way of a public telecommunications system, that individual is guilty of

1. Using an unauthorised public telecommunications system
2. Unauthorised access with the intent to commit offences
3. Software malpractice
4. Internet misuse


A breach of ethics can lead to

1. Favourable media coverage
2. Increased share prices
3. Fines
4. Increased profitability

Ethics is inextricably linked with reputation, and a breach of ethics commonly leads to one or more of the following: reduced share price, reduced profitability, unfavourable media coverage, fines, additional administration and, in some extreme cases, imprisonment.

A health and safety management system comprises

1. Management arrangements and risk mitigation
2. Management arrangements, risk control systems and workplace precautions
3. Risk mitigation, risk identification and risk control systems
4. Risk evaluation and workplace precautions

Which one of the following examples is seen as a social risk to a business?

1. The technological changes in a market
2. Inflation and increasing house prices
3. The shrinking percentage of the working population that is of working age
4. Loss of reputation because of a persecution or a dispute with a customer

The ________ policy is a mechanism which the reserve bank uses to manipulate the supply of money, the supply of credit, interest rates and exchange rates

1. Monetary
2. Trade policy
3. Fiscal
4. Balance of payments

The shooting of striking mine workers by the South African Police Service in August 2012 in the Marikana area is an example of __________ risk

1. Micro political
2. Macro political


3. Health and safety
4. Environmental

Which of the following is a risk control measure in a health and safety management system?

1. Erecting a security wall around a property
2. Having a back-up facility at a distant location
3. Emergency procedures such as recovery plans following a fire
4. Disclaimer delivered with the products marketed by a company

Enterprise risk management (ERM) is designed to improve

1. Capital
2. Business profit
3. Economic activity
4. Business performance

Which of the following are the benefits of effective risk and opportunity management?

a. Improved cost certainty
b. Higher economic returns
c. Sustainable shareholder value
d. Aligning risk appetite and strategy

Choose the correct combination:

1. A, c
2. A, b, c
3. B, c, d
4. All of the above

The benefits of effective risk and opportunity management include the following:

♦ Improved cost certainty

♦ Higher economic returns

♦ Sustainable shareholder value

♦ Increased stakeholder confidence

♦ Reduction of costly disputes and claims


Which element in the ERM structure provides the foundation and arrangement for embedding risk management throughout the organisation at all levels?

1. Internal control
2. Risk management process
3. Corporate governance
4. Risk management framework

Which stage in the risk management framework requires a periodic review with stakeholders on whether the risk management policy, plan or process requires amendment as a result of changes in the organisation’s context?

1. Mandate and commitment
2. Implement framework
3. Monitor framework
4. Improve framework

The risk management policy should specifically state its

a. Objectives
b. Limitations on disclosure
c. Where it applies within the organisation
d. Frequency of review

Choose the correct combination:

1. A, c
2. A, b, c
3. B, c, d
4. All of the above

In simple terms a policy should address why risk management will be undertaken, who within and outside the organisation will undertake it, how it will be undertaken by reference to the framework and process and internal functions, and what those who are responsible will be required to undertake. Specifically, the policy should state its purpose, objectives, scope (where it applies within the organisation), related and supporting policies, its degree of confidentiality (any limitations on disclosure), the frequency of its review and the date it was last updated.

According to the King III

a. a financial director must be appointed to the board for listed companies as from 2009
b. non-executive directors could receive share options based on prior approval
c. a minimum of three executive directors should be appointed to the board


d. the memorandum of incorporation of the company should allow the board to remove any director from the board

Choose the correct combination

1. a, d
2. a, b, c
3. b, c, d
4. All of the above

Pg 100

The purpose of corporate governance is to

1. Maximise the wealth of its shareholders
2. Assist an organisation in integrating risk management into its management processes so that it becomes a routine activity
3. Ensure board oversight of business operations and prudent management that can deliver the long-term success of the company
4. Provide reasonable assurance regarding the achievement of objectives in reliable financial reporting

The purpose of corporate governance is to ensure board oversight of business operations and facilitate effective, entrepreneurial and prudent management that can deliver the long-term success of the company.

Effective corporate governance

1. Promotes the inefficient use of resources
2. Delays overall performance
3. Ensures adherence to legislation
4. Attracts higher cost of capital

According to King III an independent non-executive director

a. Is not a member of the immediate family of an individual who is employed by the company in an executive capacity

b. Is not a representative of a shareholder who has the ability to significantly influence management

c. Is not a professional advisor to the company other than in a director capacity

d. Does not receive remuneration contingent upon the performance of the company

Choose the correct combination:

1. A, d
2. A, b, c
3. B, c, d
4. All of the above

In terms of the King III code of governance principles

1. Internal audit should be integrated with the risk management process
2. Risk management is separable from the company’s strategic business process
3. Risk management should be performed on an ongoing basis
4. Compliance should not form part of the risk management process

________ is used to examine the business environment to identify changes and potential risks and prepare for them

1. PEST
2. SWOT
3. Ratios
4. SMART

________ can be used to identify the main risks linked to a certain activity or project of the business

1. Gap analysis
2. PEST analysis
3. Risk taxonomy
4. SWOT analysis

The purpose of risk analysis is to

1. Prevent problems by determining the root cause
2. Provide a judgement of the likelihood of the risks and opportunities occurring and their impact, should they materialise
3. Assist an organisation in integrating risk management into its management processes so that it becomes a routine activity
4. Identify the risks to the business which would produce or remove the likelihood of the business reaching its objectives and opportunities

The risk analysis stage will provide information on the likelihood of risks and opportunities occurring and the impact of them to aid in the decision making process. The risk analysis process will assess all the risks identified in the risk register. Ample time should be allowed for conducting the risk analysis stage.

______ is used to prepare for the possible worst case to best case situation

1. Brainstorming
2. Delphi technique
3. Scenario analysis
4. Structured interviews

Lucy did not insure some of her risks because there are control measures already in place to absorb these risks. What is the risk response strategy that Lucy has undertaken?

1. Risk removal
2. Risk transfer
3. Risk retention
4. Risk reduction

Risk retention is also referred to as acceptance, absorption or tolerance. A business can be in the position to only be able to accept the risk as the alternative methods, for example risk removal, reduction and transfer are not available; or it can be more economical to the business to accept the risk. In the risk retention strategy the options available, timing and the ability to absorb the risk must be considered.

The process inputs in the risk analysis stage consist of

1. Risk identification, risk recordings and risk checklists
2. Probability trees, utility theory, the Markov chain method and investment appraisals
3. A risk register, risk checklist, risk prompt list and gap analysis
4. Risk identification, risk recording, profit and loss account statements, balance sheet and industry beta analysis

The process inputs in the risk analysis process will consist of risk study parameters, which include risk identification, risk recording, profit and loss account assessment, balance sheet assessment and industry betas. The process outputs will be the risk register including the assessment, which shows the probability and impact of each risk and opportunity.

Which of the following are techniques that a facilitator can adopt in an interactive workshop?

a. Risk questionnaire
b. Financial analysis tools
c. Brainstorming process
d. Scenario analysis

Choose the correct combination:

1. C, d
2. A, b, c
3. A, b, d
4. All of the above

Risk tolerance of an organisation can be expressed in terms of

1. Risk averse, risk neutral and risk seeking attitudes
2. Capital, earning variances, liquidity and balance sheet activities and guidelines for investment
3. Risk information, high impacts and high probabilities, balance sheet activities and capital
4. Income statements, balance sheet activities, cash flow statements and budget statements

_______ is a technique to employ when evaluating the profitability of an investment proposal for a particular project

1. Simulation
2. Percentiles
3. Sensitivity analysis
4. Monte Carlo simulation

Sensitivity analysis: A technique employed to evaluate the profitability of an investment proposal for a particular project. The assessment can indicate how sensitive projected outcomes are to proposed changes.

The monitoring and review stage

1. Occurs infrequently
2. Is implemented prior to the annual risk report
3. Is implemented to satisfy audit requirements
4. Is a continuous process

A ________ is a statement of how the organisation will accomplish its business objectives

1. Business process map
2. Risk management plan
3. Business plan
4. Marketing plan

The business plan should show how the business would achieve its objectives by looking at all the factors that might have an impact on the business.

Key Risk Indicators (KRIs)

1. Are statistical information on the business risk reporting processes
2. Are useful views of underlying risk profiles at various levels to assist in decision making
3. Are used to measure a business’s health and performance
4. Assist with business planning and decision making

Which of the following is a typical output of the Risk Analysis stage?

1. Industry betas
2. Human resource plan
3. Profit and loss account
4. Risk register

A company requires all managers at various business units to make use of a standard template when identifying risks and reporting these risks to the Head Office. This process activity is an example of

1. Executing action plans
2. External communication
3. Internal communication
4. Controlling information

43

A company will stay solvent by ensuring that all

1. Current assets exceed current liabilities
2. Assets are converted into money without loss of value
3. Cash obligations can be met by a combination of investment liquidity, funding source and contingent liabilities
4. Current assets are converted into cash in order to pay the current and long-term liabilities of the organisation

All companies will only stay solvent by ensuring that all cash obligations (salaries, rents, tax, etc.) can be met by a combination of investment liquidity, funding sources and contingent liabilities (liabilities that can be terminated quickly).

Information technology risks include

1. Lack of observance of rules set by a regulatory body
2. Unauthorized access or disclosure of data and data corruption
3. Floods, fires and other natural disasters and terrorist activities
4. The loss arising from legal action against an organisation for inadequate practices

Transcor is a transport company which delivers goods across all nine provinces in South Africa. Transcor has an agreement with Avis Trunk Rental to provide them with rental trucks in the event of their trucks being damaged or vandalised during protest actions. This is called a (an)

1. Business continuity plan
2. Leasing of property plan
3. Lease agreement contract
4. Outsourcing service delivery contract

Brain received a feeding scheme tender by means of bribery. This tender has resulted in his business growing and he made a huge profit. Brain’s way of getting business is

1. Ethical
2. Honest
3. Unethical
4. Intelligent

Health and safety management in an organisation helps to avoid

a. The use of child labour
b. Compensation payments due to workplace accidents
c. Decreasing insurance premiums
d. Adverse media attention which could damage an organisation’s reputation

Choose the correct combination

1. B, d
2. A, c, d
3. A, b, d
4. All of the above

The macro marketing environment consists of which of the following factors?

1. Environmental, society, competitive, health and safety factors
2. Competitive, political, demographical and technological factors
3. Cultural, wealth, market, industry, sustainability, legal and regulatory factors
4. Operational, market, economic, competitive and environment factors

Pg 469 textbook

A country’s inability to meet its financial obligations determines its _______ risk

1. Political
2. Country
3. Liquidity
4. Economic

Which of the following examples are specific areas of concern for an organisation relating to operational risk?

a. Insourcing where firms take on the operational risks of their third parties
b. Highly automated and integrating technology that has the potential to transform risks from minor manual processing errors to major systematic failures
c. The growth of e-commerce that brings with it some new and potentially significant operational risks for both consumers and firms
d. Firms that outsource their activities may suffer some loss of control over them, which could affect the quality and availability of their products.

Choose the correct combination

1. A, b
2. A, c, d
3. A, b, d
4. All of the above

Pg269 tb

Project risk management refers to the

1. Risk exposure of losses resulting from people, processes, systems and external events
2. Management of risk exposures in projects in the pursuit of achieving predefined goals
3. Protection and enhancement of share value to satisfy the other internal controls
4. Management of investments in technology to achieve business objectives and optimise investment benefits

Which of the following factors could result in or predict corporate failure?

a. Low profit margin
b. Instability in earnings
c. Sharp increase in the price of stock or bond price
d. A lack in management quality

Choose the correct combination:

1. A, b
2. A, c, d
3. A, b, d
4. All of the above

Quantitative factors in predicting corporate failure

• Low cash flow to total liabilities

• High debt-to-equity ratio and high debt to total assets

• Low return on investment

• Low profit margin

• Low retained earnings to total assets

• Low working capital to total assets and low working capital to sales

• Low fixed assets to non-current liabilities

• Inadequate interest/coverage ratio

• Instability in earnings

• Small-size company measured in sales and/or total assets

• Sharp decline in price of stock, bond price and earnings

• A significant increase in beta (beta is the variability in the price of the company’s stock relative to a market index)

• Market price per share is significantly less than book value per share

• A significant rise in the company’s weighted-average cost of capital

• High fixed cost to total cost structure (high operating leverage)

• Failure to maintain capital assets. An example is a decline in the ratio of repairs to fixed assets

Qualitative factors in predicting failure

• New company

• Declining industry

• Inability to obtain adequate financing, and when obtained there are significant loan restrictions

• A lack in management quality

• Moving into new areas in which management lack expertise

• Failure of the company to keep up to date, especially in a technologically oriented business

• High business risk (e.g. positive correlation in the product line; susceptibility to strikes)

• Inadequate insurance coverage

• Fraudulent actions (e.g. misstating inventories to stave off impending bankruptcy)

• Cyclicality in business operations

• Inability to adjust production to meet consumption needs

• Susceptibility of the business to stringent governmental regulation (e.g. companies in the real estate industry)

• Susceptibility to energy shortages

• Susceptibility to unreliable suppliers

Currency risk is concerned with

1. Inability in the short-term to obtain cash in a desired currency
2. Not having a cash surplus to respond to sudden or unexpected liquidity problems
3. Fluctuations in exchange rates which affect cash flows from overseas investments
4. A lack of familiarity with the history of changes in the exchange rate of different currencies

Which of the following are the sources of risks considered to be embraced within financial risk?

a. System risk
b. Operational risk
c. Interest risk
d. Funding risk

Choose the correct combination:

1. A, b
2. A, c, d
3. A, b, d
4. All of the above

The term financial risk embraces a variety of sources of risk, which include:

♦ liquidity risk;

♦ credit risk;

♦ interest rate risk;

♦ currency risk;

♦ funding risk;

♦ foreign investment risk;

♦ derivatives risk;

♦ systems risk, and

♦ outsourcing risk

Which one of the following is a benefit of effective risk and opportunity management?

1. Improved profit certainty
2. Increased shareholder value
3. Lower economic returns
4. Increased stakeholder confidence

The benefits of effective risk and opportunity management include the following:

♦ Improved cost certainty

♦ Higher economic returns

♦ Sustainable shareholder value

♦ Increased stakeholder confidence

♦ Reduction of costly disputes and claims

The board’s role should be to steer the corporation towards corporate governance policies that support _______ sustainable growth in ________ value

1. Short-term, shareholder
2. Long-term, shareholder
3. Short-term, stakeholder
4. Long-term, stakeholder

The board’s role is to steer the corporation towards corporate governance policies that support long-term sustainable growth in shareholder value

The purpose of a risk management framework is to

1. Communicate externally that risk management is being practiced
2. Systematically apply management processes and practices
3. Address specific responsibilities of the board and risk committee
4. Assist an organisation integrating risk management into its management processes

The risk management framework is a basic conceptual structure used to address the risks faced by an organisation. The purpose of the risk management framework is to assist an organisation in integrating risk management into its management process so that it becomes a routine activity. The framework is composed of the following five steps:

• Mandate and commitment

• Design framework

• Implement framework

• Monitor framework

• Improve framework.

Which of the following elements form part of the enterprise risk management (ERM) structure?

a. Internal control
b. External control
c. Corporate governance
d. Sources of risk

Choose the correct combination:

1. A, b
2. B, c, d
3. A, c, d
4. All of the above

Risk taking refers to

1. A business’s ability to create value for its shareholders
2. The analysing of risks and opportunities
3. The ability to identify and respond to all sources of risk in an ever-changing economic environment
4. Behaviours that have the potential to be harmful but at the same time may bring about positive outcomes

The King II report moved away from ______ bottom-line principle to a _______ bottom-line principle

1. Single, triple
2. Double, triple
3. Single, double
4. Double, single

pg 16

Effective corporate governance

1. Promotes the inefficient use of resources
2. Attracts higher cost of capital
3. Ensures adherence to legislation
4. Retards overall performance

In terms of the King III Code of governance, internal audit must follow a ______ based approach

1. Governance
2. Cash
3. Risk
4. Compliance

Investors are willing to pay a premium for good governance because

1. Corporate governance is in the spotlight and decreases regulatory risks of an enterprise
2. It is a silo-based approach to managing increasingly interdependent risks
3. Of the diversity of risk exposure no one wants to be left behind
4. It is a way of reducing risk by coping better with adverse events or avoiding it altogether

Investors are willing to pay a premium for good governance for three reasons.

• They believe that the company will perform better over time, which will mean higher share prices.

• It is a way of reducing risk by either avoiding it altogether or by coping better with adverse events.

• The focus on corporate governance is a trend, but the reality is that no one wants to be left behind.

A GAP analysis

1. Is used to list all the risks that were identified on previous projects within the business
2. Is a list that categorises each risk into a type of area
3. Can be used to identify the main risks linked to a certain activity or project of the business
4. Is a structured checklist to break down the risks and opportunities into manageable components

A Gap analysis can be used to identify the main risks linked to a certain activity or project of the business. The method will assist the business to establish where the gap is in the risk associated within the activity/project so that pro-active or reactive risk measures can be established

The purpose of the Companies Act (71 of 2008) is to

a. Encourage the efficient and responsible management of companies
b. Promote the development of the South African economy by encouraging transparency
c. Promote the development of companies within all sectors of the economy
d. Balance the rights and obligations of shareholders within a company

Choose the correct combination

1. A, b
2. A, b, c
3. B, c, d
4. All of the above

The New Companies Act

Governance in companies in South Africa is also a legal requirement as per the Companies Act, 71 of 2008. The Act came into effect in May 2011. Relevant components of the act will be discussed below.

Purpose of the act is to:

• promote compliance with the Bill of Rights as provided for in the Constitution, in the application of company law

• promote the development of the South African economy by:

∙ encouraging entrepreneurship and enterprise efficiency

∙ creating flexibility and simplicity in the formation and maintenance of companies

∙ encouraging transparency and high standards of corporate governance as appropriate, given the significant role of enterprises within the social and economic life of the nation

• promote innovation and investment in the South African markets

• reaffirm the concept of the company as a means of achieving economic and social benefits

• continue to provide for the creation and use of companies, in a manner that enhances the economic welfare of South Africa as a partner within the global economy

• promote the development of companies within all sectors of the economy, and encourage active participation in economic organisation, management and productivity

• create optimum conditions for the aggregation of capital for productive purposes, and for the investment of that capital in enterprises and the spreading of economic risk

• provide for the formation, operation and accountability of non-profit companies in a manner designed to promote, support and enhance the capacity of such companies to perform their functions

• balance the rights and obligations of shareholders and directors within companies

• encourage the efficient and responsible management of companies

• provide for the efficient rescue and recovery of financially distressed companies, in a manner that balances the rights and interests of all relevant stakeholders

• provide a predictable and effective environment for the efficient regulation of companies.

The _______ is a method used by a business to evaluate the effect of uncertainty on a planned activity in a range of situations and uses random numbers to sample from a probability distribution

1. Scenario analysis
2. Monte Carlo Simulation
3. Simulation
4. Latin hypercube sampling

Monte Carlo simulation: A method used by a business to evaluate the effect of uncertainty on a planned activity in a range of situations, using random numbers to sample from a probability distribution.

A risk response flow chart is used

1. To illustrate the decision options used to arrive at a risk response category
2. As a technique by a business to reduce risk and the impact thereof
3. As a technique by a business to respond to a particular recurring risk
4. To reduce the likelihood of an occurrence through risk spreading

Which one of the following risk response strategies eliminates a risk when a negative outcome or high risk exposure is anticipated?

1. Risk removal
2. Risk reduction
3. Risk retention
4. Risk transfer

Risk removal: A strategy adopted to eliminate a risk altogether when a negative outcome is anticipated.

A _______ analysis needs to be conducted to determine the business’ competitive advantage in the industry/market

1. Business
2. Competitor
3. SWOT
4. PEST

A ________ is used as a communication tool to establish the business process in the first stage of the ERM process

1. Process diagnostic analysis
2. Business objective scenario
3. Process map
4. Financial ratio

A PEST analysis is a useful tool for a business to determine

1. Its strengths and weaknesses in the micro environment
2. The internal environmental factors which may influence the business’ performance
3. The external environmental factors which may influence the business’ performance
4. The main risk linked to a certain project of the business

The average annual return expressed as a percentage of the initial cost of a project is called the ______

1. Net Present Value (NPV)
2. Internal Rate of Return (IRR)
3. Payback Period (PP)
4. Average Rate of Return (ARR)

The ARR is an average annual return expressed as a percentage of initial cost of the project.

Local Cleaning’s total assets, total current liabilities, and inventory for each of the past 4 years are as follows

The firm’s current ratio for the year ended 2013 is

1. 1 79
2. 1 24
3. 0 56
4. 3 26

current ratio = current assets / current liabilities

Local Cleaning’s total assets, total current liabilities, and inventory for each of the past 4 years are as follows

The firm’s quick ratio for the year ended 2014 is

1. 2 42
2. 1 14
3. 1 79
4. 1 55

quick ratio = (current assets - inventory) / current liabilities

Which of the following are typical Key Performance Indicators (KPI’s) used in a business?

a. Employee performance
b. Model risk factors
c. Credit management
d. Control risk indicators

Choose the correct combination:

1. A, b, d
2. B, c
3. A, c
4. All of the above

_______ communication is used to deliver open and honest information on the risks that the business faces and how it responds

1. Business
2. Risk
3. Internal
4. External

A business must also ensure that it effectively implements an external communication and reporting process/system so that it will be able to deliver open and honest information on the risks faced in the business and how the business responds to such risks.

Which of the following are inputs for the risk treatment process?

a. Risk register
b. Industry betas
c. Description of the business risk appetite
d. Risk response actions

Choose the correct combination:

1. A, d
2. A, b, d
3. A, b, c
4. All of the above

The process inputs in the risk treatment process will be the risk register, industry betas and a description of the business risk appetite, and details of existing insurance policies.

Graham Capital is in the process of obtaining a loan from XWX Bank. Which of the following factors must Graham Capital take into consideration?

a. Interest rate at commencement of the loan
b. Interest rate at the end term of the loan
c. Duration of payment
d. Nature of the interest rate

Choose the correct combination:

a. A, c, d
b. A, b, c
c. A, b
d. All of the above

When a company borrows money, it needs to know the basis of interest rate determination, the interest rate at commencement of the borrowing, the nature of interest rate (fixed or variable), and the duration of payment. The rate of interest paid depends on the following:

♦ Amount

♦ Term

♦ Forecasts

♦ Inflation

♦ Risk

♦ Opportunity cost

♦ Market

_______ analysis is used to determine past events to serve as reference for the implementation of risk management measures for future events

1. Probability
2. Causal
3. Expected monetary value (EMV)
4. Capital asset pricing model (CAPM)

Causal analysis

The causes of any risk must be identified. It is important for the business to learn from past events to implement risk management measures for future events.

Which one of the following statements about risk identification is correct?

1. The business will not be able to identify the key risks and risk events associated with the business, these risks constantly change

2. The business will be able to identify the key risks associated with the business, these risks constantly stay the same

3. The business will be able to identify the key risks and risk events associated with the business, these risks constantly change

Through risk identification, the business will be able to identify the key risks and risk events associated with the business. The business will constantly change and grow as well as the risks associated with the business. The business will need to identify risks on a constant basis and identify the opportunities that may arise in order to enhance its objectives as well as risks that may reduce the likelihood of the business achieving its objectives. Risk can also be based on two main outcomes namely the upside and downside of risk

Cell C takes out a fire insurance policy to insure its buildings and office equipment against fire and allied perils. What form of risk response strategy is Cell C using in the instance?

1. Risk retention
2. Risk removal
3. Risk transfer
4. Risk reduction

The determination of the probability and impact of the identified risks and opportunities is referred to as risk

1. Identification
2. Evaluation
3. Analysis
4. Review

The risk that a counterparty to a contract will not live up to its contractual obligations is known as _______ risk

1. Liquidity
2. Counterparty
3. Credit
4. Default

Counterparty risk is the risk to each party of a contract that the counterparty will not live up to its contractual obligations.

Which one of the following factors influences the aggregate supply curve?

1. Increase investment in education
2. Consumer spending
3. Government spending
4. Exports and imports

The exposure to a potential loss arising from diminishing sales or margins as a result of changes in market conditions, outside of the control of the business, is known as _____ risk

1. Interest rate
2. Environmental
3. Market
4. Social

Which one of the following statements is correct?

1. A higher quick ratio indicates a better liquid position
2. The current ratio indicated a better liquid position
3. The current ratio excludes inventory
4. Current ratio is the relationship between non-current assets and non-current liabilities

252 textbook

In implementing operational risk management in a business, external events which can occur outside of the business must be taken into consideration. These events may require a business to have response strategies in the form of

1. Change and knowledge management
2. Change management and business contingency plans
3. Project and knowledge management
4. Project management and business contingency plans

Which of the following risks are seen as internal micro influences to a business?

1. Project, market and legal risks
2. Economic, political and environmental risks
3. Ethical, project and technological risks
4. Social, ethical, health and safety risks

Credit insurance

1. Eliminates uncertainty over the likely recovery of outstanding amounts due
2. Relates to an uncertainty surrounding the payment of future amounts
3. Prevents a customer from defaulting on a payment
4. Mitigates action for credit risk to protect a business against bad debt

Credit insurance is the mitigation action for credit risk.

What is insider trading?

1. Buying or selling company shares from within the stock exchange
2. Buying or selling company shares when privileged corporate information has not yet been made public.
3. Buying or selling company shares from within business premises
4. Buying or selling shares in a company when news reports show that the share price has fallen

The risk mitigation techniques for market risk will involve risk

1. Monitoring and review
2. Indicators, register and mapping
3. Identification, measurement and reporting
4. Analysis and modelling

Risk mitigation techniques for market risk will involve risk identification, measurement and reporting. It is also very important for a business to take out an insurance policy.

Information technology tools include

1. Network systems
2. Operation research
3. Telematics
4. Broadband

• Software applications

• Management information systems

• Intranets

• Telematics

• Information assets

_____ gives an individual exclusive right to reproduce the individual’s own written work

1. Designs
2. Copyright
3. Trademark
4. Patents

The Copyright, Designs and Patents Act 1988 generally gives the owner of copyright the exclusive right to reproduce the copyrighted work, to prepare derivative works, to distribute copies of the copyrighted work, to perform the copyrighted work publicly, or to display the copyrighted work publicly.

Political risk refers to the uncertainty that stems from

1. The exercise of power by opposition parties and the actions of isolated groups
2. The exercise of power by government actors and the actions of non-government groups
3. The exercise of power by imprisoned opponents to the government and the actions of disaffected groups
4. Small new opposition parties that have yet to obtain widespread effective support

Political risk can be defined as “the uncertainty that stems, in whole or in part, from the exercise of power by government actors and the actions of non-government groups”. This type of risk can be seen in domestic as well as international markets but is also associated with overseas exposure and developing countries. The political environment of overseas countries will always have an impact on the threats and opportunities of a business wanting to expand business overseas.

Question 1

The purpose of a risk management framework is to …

1 assist an organisation in integrating risk management into its management processes.

2 communicate externally that risk management is being practiced.

3 satisfy internal and external audit requirements.

4 show that the organisation is following contemporary practices.

The purpose of a risk management framework is to assist an organisation in integrating risk management into its management processes.

Question 2

The risk management policy of an organisation should address specific responsibilities of the …

1 board, the corporate governance committee and the risk committee.

2 stock exchange committee, the marketing committee and the board.

3 risk committee, the board and the remuneration committee.

4 remuneration and marketing committee.

The risk management policy of an organisation should address specific responsibilities of the board, the corporate governance committee and the risk committee.

Question 3

King II applied to ...

A banks.

B financial institutions.

C investment institutions.

D all listed companies on the JSE.

Choose the correct combination:

1 a,b

2 a,b,d

3 a,b,c

4 all of the above

King II applied to banks, financial and investment institutions, public companies and all listed companies on the JSE. In contrast King III applies to all entities regardless of the manner and form of incorporation or establishment and whether in the public, private or non-profit sectors.

Question 4

The King III Report on Corporate Governance was implemented in reaction to new trends in ...

1 environmental practices.

2 international governance.

3 ethical practices.

4 economical and social responsibilities.

The King III Report on Corporate Governance was implemented in reaction to new trends in international governance

Question 5

A business must aspire to be a good corporate citizen by empowering the board of directors to ...

A implement a code of ethics.

B report on the HIV/Aids strategic plan and policy.

C to report on social, health and transformational policies and practices.

D understand the importance of a relationship between the board and the community.

Choose the correct combination:

1 a,c

2 a,b,c

3 b,c,d

4 all of the above

A business must aspire to be a good corporate citizen by empowering the board of directors to implement a code of ethics, report on the HIV/Aids strategic plan and policy, to report on social, health and transformational policies and practices and understand the importance of a relationship between the board and the community

Question 6

Which one of the following is not a recognised context stage (first stage) tool to obtain information on the business?

1 SWOT analysis

2 PEST analysis

3 Financial analysis

4 Sensitivity analysis

The tools (process mechanisms) used in the context stage to obtain information on the business are financial analysis tools, SWOT analysis, PEST analysis and risk management process diagnostic. The sensitivity analysis is used in the risk evaluation stage.

Question 7

A PEST analysis is a useful tool for a business to determine …

1 its strengths and weaknesses in the micro environment.

2 the external environmental factors which may influence the business’s performance.

3 the main risks linked to a certain project of the business.

4 the internal environmental factors which may influence the business’s performance.

A PEST analysis is a useful tool for a business to determine the external environmental factors which may influence the business’s performance.

Question 8

Using a risk identification facilitator from outside the business will …

1 assist with timetabling.

2 avoid creating tension in the team when one is selected as the facilitator and others are not.

3 avoid the facilitation process or approach being constrained by previous approaches.

4 avoid problems of bias, lack of independence, hidden agendas, single direction approaches or pursuit of personal goals.

Using a risk identification facilitator from outside the business will avoid problems of bias, lack of independence, hidden agendas, single direction approaches or pursuit of personal goals.

Question 9

It was discovered that one in four software development projects exceeds its budget. The probability of a single project exceeding its budget is …

1 0 to 4.

2 25%.

3 1.

4 infrequent.

The probability of a single project exceeding its budget is 25%. Calculation: 1 ÷ 4 = 0.25

Question 10

A list generated during the risk identification stage which categorises each risk into a type or area is known as a risk ...

1 checklist.

2 prompt list.

3 taxonomy.

4 index.

A list generated during the risk identification stage which categorises each risk into a type or area is known as a risk prompt list.

Question 11

The difference between the initial investment amount and the present value of a project’s expected future cash flows, discounted at the appropriate cost of capital is the …

1 Net Present Value.

2 Internal Rate of Return.

3 Payback Period.

4 Average Rate of Return.

The difference between the initial investment amount and the present value of a project’s expected future cash flows, discounted at the appropriate cost of capital, is the Net Present Value (NPV). The Internal Rate of Return (IRR) is the discount rate that makes NPV equal to 0 or the discount rate that makes the present value of investment costs equal to the present value of investment benefits. The Payback Period (PP) is the number of years required to recover an initial investment. The Average Rate of Return (ARR) is an average annual return expressed as a percentage of the initial cost of the project

Question 12

Risk appetite …

A can also be referred to as risk attitude, tolerance, preference or capacity.

B is the amount of risk a business is prepared to tolerate.

C has no impact on the risk strategy responses and action plan.

D varies according to the objectives, culture and environment of businesses.

Choose the correct combination:

1 a,b

2 b,c

3 a,b,d

4 all of the above

Risk appetite can also be referred to as risk attitude, tolerance, preference or capacity. Risk appetite is defined as the amount of risk a business is prepared to tolerate at any point in time. A business risk appetite can vary according to the objectives, culture and environment of a business. A business risk appetite can have an impact on the risk strategy responses and action plan.

Question 13

The main reason for monitoring risks is to establish whether ...

1 risk meetings are happening regularly.

2 a risk database is being maintained.

3 risk response actions are effectively implemented.

4 key risk documents are on display in key locations.

The main reason for monitoring risks is to establish whether risk response actions are effectively implemented.

Question 14

Key Performance Indicators (KPIs) …

1 are useful to directors to assess whether their annual bonuses will be awarded.

2 assist with business planning.

3 are used to measure a business’s health.

4 help understand the market as a whole.

Key Performance Indicators (KPIs) are used to measure a business’s health. Key Risk Indicators (KRIs) refer to captured information that provides a useful view of underlying risk profiles at various levels to assist decision makers within a business.

Question 15

Mr. Lucky has been appointed as the risk manager for A-Z clothing Ltd. Mr. Lucky must implement a risk management process for the business. Which of the following risk management stages should Mr. Lucky implement?

a Establish the context, monitor and review.

b Risk identification, risk analysis and risk evaluation.

c Design and improve the process.

d Risk treatment, communication and consultation.

Choose the correct combination:

1 a,d

2 a,b,d

3 a,b,c

4 all of the above

The stages in the risk management process include establishing the context, monitor and review, risk identification, risk analysis, risk evaluation, risk treatment, communication and consultation. The design and improve process is an ongoing process which takes place at commencement and throughout the risk management process.

Question 1

The uncertainty linked to the recovery of outstanding amounts due is known as:

1 Exposure risk

2 Default risk

3 Credit risk

4 Recovery risk

The uncertainty linked to the recovery of outstanding amounts due is known as recovery risk.

Question 2

Which one of the following is not a benefit of operational risk management?

1 Maximising day-to-day profits.

2 Minimising day-to-day losses.

3 Improving ability to achieve business objectives.

4 Providing a more robust enterprise risk management system.

The following are benefits of operational risk management:

- Minimising day-to-day losses.
- Improving ability to achieve business objectives.
- Providing a more robust enterprise risk management system.
- Contributing to the establishment of a system which enables the correlation of different classes of risk to be understood and, where appropriate, modelled.
- Providing management the opportunity to focus on revenue generating activities rather than fire-fighting one crisis after another.

Question 3

Which of the following are examples of unethical business practices?

A Insider trading.

B Money laundering.

C Invasion of privacy.

D Inadequate internal controls.

Choose the correct combination:

1 a,b

2 a,b,c

3 a,b,d

4 all of the above

Insider trading, money laundering, invasion of privacy and inadequate internal controls are examples of unethical business practices

Examples of unethical practices by companies that were prosecuted or suffered reputational damage because of the behaviour of employees and who attracted negative media attention include the following:

- Bribery in the private sector
- Money laundering
- Improper sales and marketing
- Inadequate financial accounting
- Bribery of government contracting officers
- Inadequate internal controls
- Failure to follow quality standards and procedures
- Environmental irresponsibility
- Employee claims of sexual harassment
- Black listing of international, national or local organisations
- Insider trading
- Exploitation of third world countries
- Health and safety irresponsibility
- Invasion of privacy

Question 4

A-Z Mining takes health and safety extremely seriously. In order to improve human reliability in the workplace, A-Z Mining may introduce …

A human reliability analysis.

B training.

C reward schemes

D workplace precautions

Choose the correct combination:

1 b,c

2 a,b,c

3 a,b,d

4 all of the above

In order to improve human reliability in the workplace, A-Z Mining may introduce human reliability analysis, training and reward schemes.

Question 5

… risk deals with basic macro-economic theory together with fiscal and monetary policies.

1 Economic

2 Country

3 Financial

4 Political

Economic risk deals with basic macro-economic theory and fiscal and monetary policies. Country risk is a collection of risks associated with investing in a foreign country. Financial risk is the exposure of an enterprise to adverse events that erode profitability and in extreme situations, bring about business collapse. Political risk is the uncertainty that stems, in whole or in part, from the exercise of power by government actors and the actions of non-government groups

Question 6

Market risk refers to the …

1 movement in the company share price over time.

2 number of competitors moving into and out of the market the business is operating in.

3 exposure to losses arising from the change to the cost of raw materials.

4 exposure to a potential loss arising from diminishing sales due to changes in market conditions outside the control of the business.

Market risk refers to the potential loss exposure arising from diminishing sales due to changes in market conditions outside the control of the business.

Question 7

The sources of risk embraced under economic risk include the following:

a Fall in demand

b Government policies

c Exchange Rates

d Fall in Supply

Choose the correct combination:

1 a,c

2 b,c,d

3 a,b,c

4 all of the above

The sources of risk embraced under economic risk include fall in demand (a shift in the aggregate demand curve), government policies (including interest rates and trade protectionism), exchange rates, movement in house prices and inflation.

Question 8

Which one of the following methods is used to calculate Value-at-risk?

1 Monte Carlo.

2 Pest Analysis.

3 Economic value added.

4 Economic simulations.

The Monte Carlo method is used to calculate Value-at-risk.

Question 9

In implementing operational risk management in a business, external events which can occur outside of the business must be taken into consideration. These events may require a business to have response strategies in the form of:

1 Change and knowledge management.

2 Project and knowledge management.

3 Change management and business contingency plans.

4 Project management and business contingency plans.

In implementing operational risk management in a business, external events which can occur outside of the business must be taken into consideration. These events may require a business to have response strategies in the form of change management and business contingency plans.

Question 10

Control technology can be defined as …

1 the collection, storage and processing of information by electronic means.

2 specific computer-based production control systems.

3 network systems in which computers are linked to one another over a network.

4 IT governance to manage the risks and constraints of IT.

Control technology can be defined as specific computer-based production control systems.

Question 1

Nedbank Group has a strong risk culture and follows worldclass enterprisewide risk management, which aligns strategy, policies, people, processes, technology and business intelligence in order to evaluate, manage and optimise the opportunities, threats and uncertainties the group may face in its ongoing efforts to maximise sustainable shareholder value.

BACKGROUND TO RISK AND BALANCE SHEET MANAGEMENT IN NEDBANK

Enterprisewide Risk Management (ERM) integrates risk, finance and balance sheet management across the group’s risk universe, including business units and operating divisions, geographical locations and legal entities. Against this backdrop, all risks – including those associated with sustainability – are managed according to a ‘three lines of defence’ governance model. It is Nedbank Group’s view that a strong risk governance process is the foundation for successful risk management and balance sheet management, which is why this model represents the core of the business’s Enterprisewide Risk Management Framework (ERMF). The ERMF places emphasis on accountability, responsibility, independence, reporting, communications and transparency, and comprises 17 key risk categories that are managed, monitored, measured and reported on by the first, second and third line-of-defence functions across the group.

1.1 In the extract, Nedbank Group’s risk and balance sheet management statement is referring to the King Code of Governance Principles 2009 (King III). Discuss the principles listed in the risk and balance sheet management statement of Nedbank Group? (7)

Any seven of the following principles could have been identified from the risk and balance sheet management statements of Nedbank Group:

Principle: Definition and explanation based on King Code of Governance Principles for SA 2009

- Communications:
  o Effective communication with stakeholders is essential for building and maintaining their trust and confidence. Communication to stakeholders should be in clear and understandable language.
- Independence:
  o Independence is the absence of undue influence and bias which can be affected by the intensity of the relationship between the director and the company.
- Responsibility:
  o The state or position of having control or authority and being accountable for one's actions and decisions.
- Reporting:
  o Integrated reporting and disclosure. The company needs a holistic and integrated representation of the company’s performance in terms of both its finance and its sustainability.
- Sustainability:
  o Sustainability of a company means conducting operations in a manner that meets existing needs without compromising the ability of future generations to meet their needs. It means having regard to the impact that the business operations have on the economic life of the community in which it operates. Sustainability includes environmental, social and governance issues.

- Transparency:
  o Easy to understand or recognise; obvious; candid; open; frank.
- Accountability:
  o Being responsible and able to justify and explain decisions and actions.
- Responsible leadership:
  o The board should provide effective leadership based on an ethical foundation. The board should ensure that all deliberations, decisions and actions are based on the four values underpinning good governance and ensure that each director adheres to the duties of a director.
- Risk based internal audit:
  o Internal audit should be risk-based and every year the internal auditors should furnish an assessment to the board generally on the system of internal controls and to the audit committee specifically on the effectiveness of internal financial controls.
- Compliance:
  o Companies must comply with all applicable laws. The board should delegate to management the implementation of an effective compliance framework and processes. Compliance risk should form an integral part of the company's risk management processes. Compliance should be an ethical imperative.

1.2 Identify any six (6) additional governance of risk principles addressed in the King III report not specifically listed by Nedbank Group. (6)

Any six of the following additional governance of risk principles addressed in the King III report can be discussed:

- Management should be responsible for the risk management process. Management is accountable to the board for designing, implementing and monitoring the process of risk management and integrating it into the day-to-day activities of the company.

- All staff should practise risk management.
- The board should be responsible for the process of risk management.
- The board should approve the company’s chosen risk philosophy.
- The board should adopt a documented risk management plan.
- The board may delegate the responsibility of risk management to a dedicated risk committee.
- Risk assessment should be performed on an on-going basis.
- The board should approve key risk indicators for each risk, as well as tolerance levels.
- Risk identification should be directed in the context of the company’s purpose.
- The board should ensure that key risks are quantified and are responded to appropriately.
- Internal audit should provide independent assurance on the risk management process.
- The board should report on the effectiveness of risk management.
- The board should ensure that the company’s reputational risk is protected.
- The board should determine the extent to which risks relating to sustainability are addressed and reported on.
- The board should ensure that information technology (IT) is aligned with business objectives and sustainability.
- The board should consider the risk of the unknown as part of the qualitative and quantitative risk assessment process.

- Compliance should form part of the risk management process.

Question 2

Mr. Khumalo has just been appointed as the new CEO of Local Coal Mining Ltd. He approaches you as the risk manager to gain a better understanding of the implementation of risk management in the company.

Briefly describe the difference between an enterprise risk management framework, policy and process to Mr. Khumalo to give him a better understanding of the implementation of risk management in Local Coal Mining Ltd.

The risk management framework is a basic conceptual structure used to address the risks faced by an organisation. The purpose of the risk management framework is to assist an organisation in integrating risk management into its management process so that it becomes a routine activity. The framework is composed of the following five steps:

- Mandate and commitment: Risk management must come from the top down in an organisation (the organisation's management).

- Design framework: Understanding the organisation and its context, establishing the risk management policy, determining accountability for risk management, embedding risk management in all of the organisation’s practices/processes etc.

- Implement framework: Timing of implementation of the framework should be planned and training sessions are required.

- Monitor framework: Periodically review with internal and external stakeholders whether the risk management framework, policy, plan and process require amendments.

- Improve framework: Based on the results of the monitor process, decisions should be made on whether the risk management framework step should be amended.

Risk management policy

A risk management policy sets out how the risks, which have been identified by the risk assessment procedure, will be managed and controlled. The risk management policy assigns responsibility for performing key tasks, establishes accountability with the appropriate managers, defines boundaries and limits and formalises reporting structures. The policy should address specific responsibilities of the board, internal audit, external audit, the risk committee, the corporate governance committee, the central risk function, employees and third party contractors in implementing risk management.

A policy statement defines a general commitment, direction or intention. A policy on risk management expresses an organisation’s commitment to risk management and clarifies its general direction or intention. The policy should state its purpose, objectives, scope, related and supporting policies, and its degree of confidentiality, frequency of review and date of last update.

Risk management process

According to the International Risk Standard, ISO 31000 (2009), a risk management process is one that systematically applies management policies, procedures, and practices to a set of activities intended to establish the context, communicate and consult with stakeholders, and identify, analyse, evaluate, treat, monitor, and review risk.

According to Chapman the process can be broken down into 7 stages: context, identification, analysis, evaluation, treatment, monitoring/review and communication and consultation. All the processes are repeated through the organisation up to the implementation of the risk response actions.

Question 3

3.1 Identify and describe four (4) risk response strategies which can be used by a business in the enterprise risk management treatment stage. (8)

The following risk response strategies can be used by a business in the risk treatment stage:

Risk reduction

Risk reduction can also be referred to as treatment or mitigation. Risk reduction can be seen as risk diversification (reduction of risks by distribution), for example, where a business invests in multiple stocks to reduce risk and the impact of the risk. Two approaches to reduce risk can be followed, namely:

- Reducing the likelihood of a risk occurring, and;
- Limiting the loss should the risk materialise.

Methods used by a business to reduce the likelihood of occurrence or impact of risk are protection, controls, maintenance and risk spreading.

Risk removal

Risk removal can also be referred to as avoidance, elimination, exclusion and termination. Risk removal is used to eliminate a risk when a negative outcome/impact or high-risk exposure is anticipated. For example, doing business with a politically uncertain country may be too risky to make the opportunity worthwhile (a potential for loss has been eliminated). When a business wants to remove risk, factors such as opportunity, business objectives and costs involved must be considered. All three of these concepts must be taken into account. For example, a business may decide not to introduce a new product, or may terminate the production of an existing product and cease operations that have been carried out in the past.

Risk reassignment or transfer

Risk reassignment is the strategy used to transfer risk to another entity, business or organisation. Businesses can use contracts and financial agreements to transfer risk to a third party. Transferring a risk does not reduce its likely severity; it just moves it to another party. In some cases risk transfer can increase the impact of the risk, as the party to whom the risk is transferred is unaware that it is required to absorb it. The most common method of risk transfer is insurance. For example, the financial consequences of the loss are transferred to the insurance company. When a business transfers risk the business must consider the objectives of the parties, ability to manage the risk, risk context and cost effectiveness of the transfer.

Risk retention

Risk retention is also referred to as acceptance, absorption or tolerance. A business may be forced into a position to accept the risk because alternative methods, for example risk removal, reduction and transfer, are not available; or it may be more economical to the business to accept the risk. When following a risk retention strategy the options available, timing and the ability to absorb the risk must be considered.

3.2 Distinguish between key risk indicators (KRI) and key performance indicators (KPI) and give two examples of each of the types of KRIs and KPIs.

A business must clearly distinguish between key risk indicators (KRI) and key performance indicators (KPI).

Key Risk Indicators (KRI)

KRIs refer to captured information that provides useful views of underlying risk profiles at various levels to assist decision makers within a business. The following are seen as KRI types:

- Inherent or exposure risk indicators
- Control risk indicators
- Composite indicators
- Model risk factors

Key Performance Indicators

KPIs refer to high level snapshots of the health and performance of a business based on specific predefined measures, for example, statistical information on the business. The following are seen as KPI types:

Any two types can be mentioned:

- Statutory KPIs, such as GAAP or legal regulatory requirements.
- Profitability per business unit/product/customer.
- Exception reporting.
- Employee performance, such as assets under management or profit per customer.
- Competitiveness, such as market share.
- Cost management, such as return on assets (ROA) on IT or new delivering channel monitoring.
- Credit management, such as time to settlement or credit exposure.

Question 4

Identify and describe eight (8) common challenges faced by businesses in implementing project risk management.

Any of the following common challenges in implementing PRM can be mentioned:

- Lack of clearly defined and disseminated risk management objectives.
- Lack of senior executive and project director commitment and support.
- Lack of a risk maturity model.
- Lack of a change process to introduce the discipline.
- No common risk language (terms and definitions).
- Lack of articulation of the project sponsor’s risk appetite.
- No definition of roles and responsibilities.
- Lack of risk management awareness training to build core competencies.
- Lack of integration of risk management with other project disciplines.
- Resistance of project personnel to spend time on risk management.
- Risk owners not automatically taking responsibility for assigned risks.
- No clear demonstration of how risk management adds value and contributes to project performance.
- Overcomplicated implementation from an unclear risk policy, strategy, framework, plan and procedure.
- Lack of alignment between the business strategy, business model and risk management objectives.
- Lack of the integration of risk management activities into the day-to-day activities of project managers.

Argue the value of good corporate governance to business enterprises. (Hint refer to the four business areas corporate governance might impact on) (10)

1.1 Identify and describe four (4) process activities for risk evaluation which can be used by a business in the ERM evaluation stage. (8)

Basic Concepts of Probability

Chance and the assessment of risk play a major part in a large number of business activities.

Hence, probability has found a wide range of business applications such as in investment appraisals which require an assessment of risk and a measure of expected outcomes. Many of the process activities examined here require an understanding of the concepts of probability.

Probability represents a new set of conceptual tools. Rather than looking at the world as consisting of deterministic situations, where everything is known with certainty, we can now consider a range of outcomes to every situation. More than this, by treating the world as stochastic, it is possible to assess the chance of particular outcomes happening in a given situation. Hence, it is important to consider the range of outcomes possible from a situation, so that recognition is given to even the remote (unlikely) outcomes.

• Sensitivity analysis

The sensitivity analysis method can be used by a business to assess how sensitive the project outcomes are to changes in the business. The method uses one variable and examines the effect of that specific variable on the project.

• Scenario analysis

Scenario analysis is a useful decision making method to focus on the consequences of the combinations of events that would have been ignored by the business because it was regarded as an event that has never happened or is very unlikely to happen. The business can draw up different views (optimistic and pessimistic scenarios) of an event to get a feel of the “upside” potential and “downside” risk, which can be associated with a project.

• Simulation

Simulation is a method used to analyse financial or time models, where the variables may be uncertain, for example costs, duration, opportunities or risks. Simulation can only be used when a business has statistical software or commercially available spreadsheets.

• Monte Carlo simulation

The Monte Carlo simulation is a method used by a business to evaluate the effect of uncertainty on a planned activity in a range of situations and uses random numbers to sample from a probability distribution. A business can use this method to evaluate duration, demand or throughput and costs. Refer to par. 11.8.5 of the prescribed book to understand how Monte Carlo simulation, percentiles and correlations work, as well as the benefits of the Monte Carlo simulation method.

• Latin hypercube sampling

This sampling method is used to re-create the probability distributions specified by distribution functions accurately and is a more modern technology method than the Monte Carlo simulation method.

• Probability distributions defined from expert opinion

Some risk analysis models involve subjective estimates and thus further information needs to be gathered by the business to get a better understanding of the analysis.

1.3 Distinguish between Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs). In your answer refer to the different types of KRIs and KPIs. (6)

A business must clearly distinguish between key risk indicators (KRI) and key performance indicators (KPI).

• KRI’s

KRI’s refer to captured information that provides useful views of underlying risk profiles at various levels to assist decision makers within a business. The following can be seen as the four types of KRI’s:

Inherent or exposure risk indicators.

Control risk indicators.

Composite indicators.

Model risk factors.

• KPI’s

KPI’s refer to high level snapshots of the health and performance of a business based on specific predefined measures for example statistical information on the business. The following can be seen as seven types of KPI’s:

Statutory KPI’s, such as GAAP or legal regulatory requirements.

Profitability per business unit/product/customer.

Exception reporting.

Employee performance, such as assets under management or profit per customer.

Competitiveness, such as market share.

Cost management, such as return on assets (ROA) on IT or new delivering channel monitoring.

Credit management, such as time to settlement or credit exposure.

Define the following terms (4)

- Default risk
- Exposure risk
- Recovery risk
- Counterparty risk

- Default risk is the probability of the event of default.
- Exposure risk relates to the uncertainty surrounding the payment of future amounts.
- Recovery risk relates to the uncertainty over the likely recovery.
- Counterparty risk is the risk to each party of a contract that the counterparty will not live up to its contractual obligations.

Mr Mathews has just been appointed as a new Board member of Sasol Ltd. He approaches you as the risk and compliance manager to gain a better understanding of the implementation of corporate governance within the company.

Compile a report addressed to Mr Mathews in which you explain the corporate governance process as well as the board’s responsibility for risk governance. (12)

Governance of risk

• The board’s responsibility for risk governance

- The board should be responsible for the governance of risk
- The board should determine the levels of risk tolerance
- The risk committee or audit committee should assist the board in carrying out its risk responsibilities

• The board should delegate to management the responsibility to design, implement and monitor the risk management plan

• Risk assessment

- The board should ensure that risk assessments are performed on a continual basis
- The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks

• The board should ensure that management considers and implements appropriate risk responses

• The board should ensure continual risk monitoring by management

• The board should receive assurance regarding the effectiveness of the risk management process

• The board should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders

Briefly identify and explain four process activities which need to take place in the risk identification stage. Activity and explanation. (8)

• Risk checklist

A risk checklist is used to list all the risks that were identified on previous projects within the business.

• Risk prompt list

A risk prompt list can be seen as a list that categorises each risk into a type or area. Through this list, the business will be able to identify the main categories of risks experienced within the business.

• Gap analysis

A Gap analysis can be used to identify the main risks linked to a certain activity or project of the business. The method will assist the business to establish where the gap is in the risk associated within the activity/project so that pro-active or reactive risk measures can be established.

• Risk taxonomy

Risk taxonomy can be explained as a structured checklist to break down the risks and opportunities into manageable components, which then can be aggregated for exposure measurement, reporting and management. This method is used in the risk taxonomy of software development. Refer to Table 9.1 in chapter 9 of the prescribed book.

• PEST analysis

The business can also use the PEST analysis method in the identification stage to identify the risk exposure of the business to its external environment. The business can conduct this analysis in a workshop or brainstorming session.

• SWOT analysis

A SWOT analysis is a very easy and understandable method for a business to identify the risks and opportunities in the business.

• Database

A risk database can be used to capture all the information of each risk identified in the business and is an effective way to monitor all the risks and actions used in the management of all the identified risks.

• Business risk breakdown structure

A breakdown structure for business risk is used to identify all the sources of risk within projects and activities in the business.

• Risk questionnaire

A risk questionnaire is used when a business needs to establish the concerns and risks that arise in a business project/activity through the various stages. The completion of the questionnaire will show how the business employees respond to risk.

• Risk register

A risk register is used to capture information on a constant basis and to simplify communication regarding the risks in a business project/activity. Refer to Table 9.2 in chapter 9 of the prescribed book.

Distinguish between internal and external communication (Enterprise risk management process) (2)

A business should establish internal communication and reporting mechanisms in order to support and encourage accountability and ownership of risk and opportunity management.

A business should establish external communication and reporting mechanisms in order to deliver open and honest information on the risks that the business faces and how it is responding.

Briefly explain the concept “political risk”. Use examples to highlight your answer (4)

Political risk can be defined as “the uncertainty that stems, in whole or in part, from the exercise of power by government actors and the actions of non-government groups”. This type of risk can be seen in domestic as well as international markets but is also associated with overseas exposure and developing countries.

For example, political decisions by governmental leaders about taxes, currency valuation, trade tariffs or barriers, investment, wage levels, labour laws, environmental regulations and development priorities, can affect the business conditions and profitability. Similarly, non-economic factors can affect a business. For example, political disruptions such as terrorism, riots, coups, civil wars, international wars, and even political elections that may change the ruling government, can dramatically affect businesses’ ability to operate.

List four mitigation strategies to minimise political risks in an organisation (4)

Mitigation strategies for political risks

• The following response strategies can be used to minimise political risk in the business:

Undertaking proper planning and exercising due diligence.

Investing in projects or entering into contracts where the host government implemented certain policies that encourage private sector involvement.

Consider projects that are being supported by host governments.

Obtaining insurance against political risks

To be protected from interest rate fluctuations a business can enter into a hedge contract.

Establish a good relationship with the workforce to create a risk friendly environment.

Incorporating strong arbitration language into contracts to address labour disputes.

Enhancing on-site security to be protected against terrorist attacks.

Being attuned to what is happening in the host country.

• The following tools can also be used by a business to mitigate political risks:

Assessing political risk factors

Putting political risk factors in order of priority

Improving relative bargaining power

Mr Samuel has just been appointed as the new CEO of A-Z Supermarket. He approaches you as the risk manager to gain a better understanding of the implementation of enterprise risk management (ERM) within the company. Compile a report addressed to Mr Samuel in which you highlight the merits of ERM (10 marks)

Benefit two: standardized risk reporting

ERM supports better structure, reporting, and analysis of risks. Standardized reports that track enterprise risks can improve the focus of directors and executives by providing data that enables better risk mitigation decisions. The variety of data (status of key risk indicators, mitigation strategies, new and emerging risks, etc.) helps leadership understand the most important risk areas.

These reports can also help leaders develop a better understanding of risk appetite, risk thresholds, and risk tolerances.

One of the major values of ERM risk reporting is improved timeliness, conciseness, and flexibility of the risk data. This provides the data needed for improved decision making capabilities within the executive and director levels, and in other layers of management. ERM helps management recognize and unlock synergies by aggregating and sharing all corporate risk data and factors, and evaluating them in a consolidated format.

Benefit three: improved focus and perspective on risk

ERM develops leading indicators to help detect a potential risk event and provide an early warning. Key metrics and measurements of risk further improve the value of reporting and analysis and provide the ability to track potential changes in risk vulnerabilities or likelihood, potentially alerting organizations to changes in their risk profile.

ERM also permits a more complete viewpoint on risk. Traditional risk practices focus on mitigation, acceptance, or avoidance. However, effective ERM processes give management a framework to evaluate risk as an opportunity to increase competitive positions and exploit certain market and operational conditions.

Benefit four: efficient use of resources

In organizations without ERM, many individuals may be involved with managing and reporting risk across operational units. While developing an ERM program does not replace the need for day to day risk management, it can improve the framework and tools used to perform the critical risk management functions in a consistent manner. Eliminating redundant processes improves efficiency by allocating the right amount of resources to mitigating the risk.

Benefit five: effective coordination of regulatory and compliance matters

Bond rating agencies, financial statement auditors, and regulatory examiners, have begun to inquire about, test, and use monitoring and reporting data from ERM programs. Since ERM data involves identifying and monitoring controls and mitigation efforts across the organization, this information can help reduce the effort and cost of such audits and reviews.

Explain the difference between risk removal and risk transfer. Use examples to elucidate your answer (4 marks)

Risk removal can also be referred to as avoidance, elimination, exclusion and termination. Risk removal is used to eliminate a risk when a negative outcome/impact or high-risk exposure is anticipated. For example, doing business with a country that has political uncertainty may be too risky to make the opportunity worthwhile (a potential for loss has been eliminated). When a business wants to remove risk, factors such as opportunity, business objectives and costs involved must be considered. All three of these concepts must be taken into account. For example, a business may decide not to introduce a new product, or may end the production of an existing product and cease operations that have been carried out in the past.

Risk reassignment is the strategy used to transfer risk to another entity, business or organisation. Businesses can use contracts and financial agreements to transfer risk to a third party. Risk transfer does not reduce the severity of the risk but does increase the impact of the risk. The most common method of risk transfer is insurance. For example, the financial consequences of the loss are transferred to the insurance company. When a business transfers risk, the business must consider the objectives of the parties, ability to manage the risk, risk context and cost effectiveness of the transfer.

When it comes to the perception of risk, groups and individuals might perceive risk differently. Indicate how the Utility Theory explains this phenomenon. (6 marks)

Utility theory assumes that every decision maker uses a utility function that translates each of the possible payoffs in a decision problem into a non-monetary measure known as utility. The utility of a payoff represents the desirability (total worth or value) of the outcome of a decision alternative to the decision maker.

Different decision makers have different attitudes and preferences towards risk and return.

Those who are “risk neutral” tend to make decisions using the maximum EMV decision rule.

However, some decision makers are risk avoiders or “risk averse”, and others look for risk or are “risk seekers”. The utility functions typically associated with these three types of decision makers are shown in Figure 11.5. For convenience the utilities are represented on a scale from 0 to 1, where 0 represents the least value and 1 represents the most. Figure 11.5 illustrates how the same monetary payoff might produce different levels of utility for three different decision makers. The “risk neutral” decision maker who follows the EMV decision rule has a constant marginal utility for increased payoffs. That is, every additional pound in payoff results in the same amount of increase in utility. A “risk averse” decision maker assigns the largest relative utility to any payoff but has a diminishing marginal utility for increased payoffs in that every additional pound in payoff results in smaller increases in utility. The “risk seeking” decision maker assigns the smallest utility to any payoff but has an increasing marginal utility for increased payoffs. That is, every additional pound in payoff results in larger increases in utility.

Identify the three primary technology types important to a business and give one example of each (6 marks)

Information technology

IT is the collection, storage, processing and communication of information by electronic means. There are various types of IT tools, which include the following:

• Software applications

• Management information systems

• Intranets

• Telematics

• Information assets

Communications technology

Communications technology includes the following:

• Conference calls.

• E-commerce using the internet

• Broadband

• E-mail

• Network systems

Control technology

Control technology consists of computer-based production control systems, which include the following:

• Computer-aided design (CAD)

• Computer-aided manufacture (CAM)

• Flexible manufacturing systems (FMSs)

• Mechatronics

• Computer-integrated manufacture.

• Manufacturing resource planning (MRP)

• Operational research (OR)

Explain the concept of market risk of a business. (4 marks)

Market risk can be defined as “the exposure to a potential loss arising from diminishing sales or margins due to changes in market conditions, outside of the control of the business”. (Chapman, 2012) A business needs to gain insight into the market structure (size, barriers of entry, product diversification and number of competitors) in which the business operates. Market risk policies should take into account business activities, objectives, the regulatory environment, competitiveness and staff and technology capabilities. Proactive market risk management is vital for a business to adapt to changing markets.

Mrs Jacobs has just been appointed as the new CEO of CALL4U Ltd. She approaches you as the risk manager to gain a better understanding of the implementation of enterprise risk management (ERM) within the company. Compile a report addressed to Mrs Jacobs in which you explain the elements of an ERM structure. (14 marks)

ERM is composed of seven elements namely: corporate governance, internal control, implementation, risk management framework, risk management policy, risk management process and sources of risk.

1.10.1 Corporate governance (board oversight)

Corporate governance is the framework of rules and practices by which a board of directors ensures accountability, fairness and transparency in a company's relationship with all its stakeholders (financiers, customers, management, employees, government and the community).

The corporate governance framework consists of:

• Explicit and implicit contracts between the company and the stakeholders for distribution of responsibilities, rights, and rewards;

• Procedures for reconciling the sometimes conflicting interests of stakeholders in accordance with their duties, privileges, and roles, and

• Procedures for proper supervision, control and information flows to serve as a system of checks and balances.

1.10.2 Internal control (sound system of internal control)

The report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control – Integrated Framework (1992), defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations”

The aim is to accomplish this through the identification and assessment of risks facing the business and responding to them by either removing them, reducing them or, where it is economic to do so, transferring them to a third party.

1.10.3 Implementation

Implementation of risk management can be resourced internally or externally. The parameters of any planned actions have to be mapped, communicated and agreed so that the time factor, resources, costs, inputs and deliverables are understood.

1.10.4 Risk management framework

The risk management framework is a basic conceptual structure used to address the risks faced by an organisation. The purpose of the risk management framework is to assist an organisation in integrating risk management into its management process so that it becomes a routine activity. The framework is composed of the following five steps:

• Mandate and commitment

• Design framework

• Implement framework

• Monitor framework

• Improve framework.

1.10.5 Risk management policy

A risk management policy sets out how the risks, which have been identified by the risk assessment procedure, will be managed and controlled. The risk management policy assigns responsibility for performing key tasks, establishes accountability with the appropriate managers, defines boundaries and limits and formalises reporting structures. The policy should address specific responsibilities of the board, internal audit, external audit, the risk committee, the corporate governance committee, the central risk function, employees and third party contractors in implementing risk management. A policy statement defines a general commitment, direction or intention. A policy on risk management expresses an organisation’s commitment to risk management and clarifies its general direction or intention.

1.10.6 Risk management process

According to International Risk Standard, ISO 31000 (2009), a risk management process is one that systematically applies management policies, procedures, and practices to a set of activities intended to establish the context, communicate and consult with stakeholders, and identify, analyse, evaluate, treat, monitor, and review risk.

1.10.7 Sources of risk

A risk source has the intrinsic potential to give rise to risk. A risk source is where a risk originates. It is where the risk comes from.

Briefly explain the following six process activities which need to take place in the risk evaluation stage. (6 marks)

• Sensitivity analysis

The sensitivity analysis method can be used by a business to assess how sensitive the project outcomes are to changes in the business. The method uses one variable and examines the effect of that specific variable on the project.

• Scenario analysis

Scenario analysis is a useful decision making method to focus on the consequences of the combinations of events that would have been ignored by the business because it was regarded as an event that has never happened or is very unlikely to happen. The business can draw up different views (optimistic and pessimistic scenarios) of an event to get a feel of the “upside” potential and “downside” risk, which can be associated with a project.

• Simulation

Simulation is a method used to analyse financial or time models, where the variables may be uncertain, for example costs, duration, opportunities or risks. Simulation can only be used when a business has statistical software or commercially available spreadsheets.

• Monte Carlo simulation

The Monte Carlo simulation is a method used by a business to evaluate the effect of uncertainty on a planned activity in a range of situations and uses random numbers to sample from a probability distribution. A business can use this method to evaluate duration, demand or throughput and costs. Refer to par. 11.8.5 of the prescribed book to understand how Monte Carlo simulation, percentiles and correlations work, as well as the benefits of the Monte Carlo simulation method.

• Latin hypercube sampling

This sampling method is used to re-create the probability distributions specified by distribution functions accurately and is a more modern technology method than the Monte Carlo simulation method.

• Probability distributions defined from expert opinion

Some risk analysis models involve subjective estimates and thus further information needs to be gathered by the business to get a better understanding of the analysis.

Distinguish between key risk indicators and key performance indicators. Use examples to elucidate your answer. (4 marks)

• KRI’s

KRI’s refer to captured information that provides useful views of underlying risk profiles at various levels to assist decision makers within a business. The following can be seen as the four types of KRI’s:

Inherent or exposure risk indicators.

Control risk indicators.

Composite indicators.

Model risk factors.

• KPI’s

KPI’s refer to high level snapshots of the health and performance of a business based on specific predefined measures for example statistical information on the business. The following can be seen as seven types of KPI’s:

Statutory KPI’s, such as GAAP or legal regulatory requirements.

Profitability per business unit/product/customer.

Exception reporting.

Employee performance, such as assets under management or profit per customer.

Competitiveness, such as market share.

Cost management, such as return on assets (ROA) on IT or new delivering channel monitoring.

Credit management, such as time to settlement or credit exposure.

Identify four sources of risk embraced within economic risk (2 marks)

The sources of risk embraced under economic risk include fall in demand (a shift in the aggregate demand curve), government policies (including interest rates and trade protectionism), exchange rates, movement in house prices and inflation.

Argue the importance of implementing economic risk management (4 marks)

Benefits derived from economic risk management include:

• Improvement of knowledge of where the government is planning public spending;

• Providing an understanding of the impact of inflation and interest on demand;

• Providing an understanding of how the short-term behaviour of the gross domestic product (GDP) impacts employment, prices and standard of living, and;

• Promoting rigorous market research before entering new markets in both the domestic and international markets.

Ms Maria Trevor has just been appointed as the new CEO of Local Supermarket Ltd. She approaches you as the risk manager to gain a better understanding of the implementation of risk management in the company.

Briefly describe risk management and the seven stages in the risk management process to Ms Maria Trevor to give her a better understanding of the implementation of risk management in Local Supermarket Ltd (10 marks)

Identify and describe four process activities for risk analysis which can be used by a business in the ERM analysis stage (8 marks)

• Causal analysis

The causes of any risk must be identified. It is important for the business to learn from past events to implement risk management measures for future events.

• Decision analysis and influence diagrams

Decision analysis is used to structure decisions, uncertain/chance events and values of outcomes. The influence diagram can be used to assist in the development and understanding of the risks and the actions to be taken in the decision making process. Such analysis will provide a framework for the decisions, events, managing of problems, reducing large volumes of data and sensitivity analysis in the business.

• Pareto analysis

Pareto analysis is used to identify those risks that will have a dramatic impact on business projects/activities and objectives. Such analysis will rank and order the risks according to their impact so that the business can manage the high risks accordingly.

• Capital asset pricing model (CAPM) analysis

The CAPM model is used to determine the expected return of an asset in relation to its risk or risk profile. The higher the risk, the higher the return will be for an investment. Market risk is measured by its beta in the CAPM model.

• Define risk evaluation categories and values

It is important to conduct qualitative and quantitative assessments in the risk analysis process. Qualitative assessments explain the impact of the risks, whereas quantitative assessment will consist of numeric assessments, which can involve financial and timing risks. It is best to manage the most severe risks that the business has identified.

Identify and distinguish between the three main attitudes towards risk (6 marks)

Risk neutral – The attitude towards risk that requires no change in the risk/reward balance return for an increase in risk. Risk-neutral decision makers tend to use the EMV method with the highest monetary value.

Risk averse – The attitude towards risk that requires an increase in the return for an increase in the risk.

Risk seeking – The attitude towards risk whereby a decreased return would be accepted for an increase in risk.

Define and explain the importance of operational risk (6 marks)

Operational risk is “the potential for loss due to failures of people, processes, technology and external dependencies”. The sources of risk considered to be embraced within operational risk include business risk, crime risk, disaster risk, information technology risk, legal risk, regulatory risk, reputational risk, systems risk and outsourcing.


Operational risk in terms of the Basel Accords has been subdivided into seven separate categories. We examine each of these categories and briefly explain what types of risks they cover.

Internal Fraud. By and large this covers fraud by bank staff such as the stealing of assets, theft of client information, covering up errors, intentional mismarking of positions, bribery etc.

External Fraud. This occurs where non-bank staff are involved, such as in computer hacking, third-party theft and forgery.

Employment Practices and Workplace Safety. This covers inequitable staff policies, workers' compensation claims and employee health and safety issues.

Clients, Products and Business Practice. This is a very wide field and generally covers market manipulation, antitrust issues, improper trading activities, bank product defects, fiduciary breaches and account churning. The sub-prime mortgage debacle is a clear example of a product defect. The huge LIBOR rate rigging scandal which has dominated the news these past few years falls into this category as well.

Damage to Physical Assets. This covers things like natural disasters, terrorism and vandalism – anything that results in actual damage or destruction of the bank’s physical assets. These actions may be deliberate or purely accidental.

Business Disruption and Systems Failures. This covers power failures and computer software and hardware failures. A hurricane or a flood that results in banking services being disrupted also falls into this category.

Execution, Delivery and Process Management. This covers things like data capture errors, accounting errors, failure to meet legal reporting requirements and negligent loss of client assets.