RSK2601 Complete Questions Answers
A risk management policy sets out how the risks, which have been identified by the risk assessment
procedure, will be managed and controlled. The risk management policy assigns responsibility for
performing key tasks, establishes accountability with the appropriate managers, defines boundaries
and limits and formalises reporting structures. The policy should address specific responsibilities of
the board, internal audit, external audit, the risk committee, the corporate governance committee,
the central risk function, employees and third party contractors in implementing risk management. A
policy statement defines a general commitment, direction or intention. A policy on risk management
expresses an organisation’s commitment to risk management and clarifies its general direction or
intention.
Pg 9 textbook
1. A, c
2. B, c
3. A, b, d
4. All of the above
♦ Rationalise capital
♦ Seize opportunities
Traditionally, risk management has been segmented and carried out in “silos”. However, with the
dynamic environment and the evolving nature of risk, businesses encounter new types of risk while
pursuing new business objectives. There is therefore a need for an integrated framework for a
holistic approach to risk management.
King III applies to
a. Banks
b. Insurance institutions
c. Public sector agencies
d. All listed companies on the JSE
1. A, b
2. A, b, d
3. A, b, c
4. All of the above
King III applies to all listed companies on the JSE, banks, financial and insurance institutions and
some public sector agencies.
The King III Report on Corporate Governance introduced which of the following new concepts?
1. A, c
2. A, b, c
3. B, c, d
4. All of the above
1. Scenario
2. Taxonomy
3. Framework
4. Structure
1. GAP analysis
2. Database analysis
3. Investment analysis
4. PEST analysis
Mechanisms
Gap analysis can be used to draw out the main risks to an activity or project and is commonly carried
out by calling upon department heads to complete a questionnaire.
During the context stage of a risk study, the ERM team for House and Home elects to examine House
and Home’s financial ratios to understand the business’ financial health before moving onto the risk
identification stage. This will enable them to
1. Provide a quick and relatively simple way to examine the financial position and performance
of House and Home
2. Assess whether House and Home’s records are regularly updated
3. Open the dialogue with the finance department and the internal auditors in House and
Home
4. Satisfy recommended ERM practices for this stage of the risk process in House and Home
Financial ratios: Financial analysis tools that are used to examine various aspects of financial position
and performance and that are widely used for planning, control and evaluation purposes.
A risk checklist, as described by the PRAM Guide (Simon et al. 1997), is an in-house list of risks “that
were identified on previous projects”. Projects in the context of enterprise risk are either capital
investment projects or business activities. Risk checklists are often developed from managers’ past
experience. Checklists permit managers to capture lessons learnt and assess whether similar risks
are relevant to the business activities of today.
The Delphi technique is primarily used in the ________ stage of the risk management process
1. Evaluation
2. Analysis
3. Identification
4. Monitoring and review
Risk identification can be conducted in a number of ways and is a facilitated process typically
adopting one or a combination of the following: questionnaires (including the Delphi technique),
interviews or interactive workshops using brainstorming, scenario analysis, systems dynamics or the
nominal group method. Risk and opportunity identification is commonly a group-oriented approach
that draws on the combined knowledge and experience of the individuals selected to participate.
Facilitation is distinguishable from meeting chairmanship in that the facilitator is not normally a
business employee or a member of the project team, contributes nothing more than facilitating skills
and has no vote and certainly no casting vote in decision making. There are distinct advantages in
not selecting a facilitator from a business function (or the business as a whole) as it avoids problems
of bias, lack of independence, hidden agendas and distortion of focus to permit pursuit of personal
or departmental goals. To accomplish the aims of facilitation it is common for the facilitator to adopt
one of the seven techniques described below, commencing with brainstorming.
Scenario analysis can be used to identify risks by considering possible future developments and
exploring their ramifications for an activity or project. Sets of scenarios reflecting, for example, “best
case” (optimistic), “expected case” (most likely) and “worst case” (pessimistic) may be used to
analyse a risk, including both the probability of occurrence and potential consequences. It can be
used to look back over a fixed period and examine, for instance, major shifts in technology,
transportation and property development with a view to considering future change.
1. Industry betas
2. Human Resources Plan
3. Risk Register
4. Profit and loss account
Outputs: Risk register, Modelling results, Decision trees, Quantitative results, Scenario modelling,
Sensitivity analysis
A list generated during the risk identification stage to categorise each risk into a type or area in the
business, is known as a risk
1. Index
2. Taxonomy
3. Prompt list
4. Check list
A risk prompt list, as described by the first edition of the PRAM Guide (Simon et al. 1997), is a list
which “categorises risks into types or areas”.
Payback period (PP): The number of years required to recover an initial investment. It considers the
timing of cash flows and therefore the time value of money, thus the payback period should be as
short as possible.
Decision analysis is a useful technique to
Decision analysis is used to structure decisions, uncertain/chance events and values of outcomes
Risk reassignment is the strategy used to transfer risk to another entity, business or organisation.
Businesses can use contracts and financial agreements to transfer risk to a third party. Risk transfer
does not reduce the severity of the risk but does increase the impact of the risk. The most common
method of risk transfer is insurance.
The controlling process is based on the information gathered in the monitoring process to form
decision-making. It means the business must understand who needs what information for what
purpose and when. To give a manager control, the control activities must adhere to the following
seven specifications:
Controls have to be appropriate to the character and nature of the phenomenon measured.
The risk of the exposure of an enterprise to adverse events that erode profitability and in extreme
situations, bring about business collapse is __________ risk
1. Financial
2. Economic
3. Strategic
4. Market
Financial risk is the exposure of an enterprise to adverse events that erode profitability and in
extreme situations, bring about business collapse.
The uncertainty linked to the recovery of outstanding amounts due is known as _________ risk
1. Exposure
2. Default
3. Credit
4. Recovery
Recovery risk: The risk related to uncertainty over the likely recovery of outstanding amounts due.
• providing management the opportunity to focus on revenue generating activities rather than fire-
fighting one crisis after another;
• contributing to the establishment of a system which enables the correlation of different classes of
risk to be understood and, where appropriate, modelled.
Information technology tools include
1. E-commerce
2. Broadband
3. E-mails
4. Intranets
Information technology
- Software applications
- Management information systems
- Intranets
- Telematics
- Information assets
1. Foreign currencies
2. Investment options
3. Derivatives
4. Credits
Derivatives are financial products derived from some other existing product. Examples include
options, futures and swaps. Derivatives are available to cover many types of exposure including
interest rates; foreign currency exchange rates; commodities, such as energy (oil or gas), bullion (e.g.
gold and silver), base metals (copper and nickel) and agriculture (e.g. sugar); and equities.
Derivatives can be either “exchange traded” or “over the counter”.
Global warming is becoming a common concern all over the world. Which of the following initiatives
has been implemented by the South African Government to reduce the effects of global warming?
In response to increasing concerns about climate change, several policies and frameworks were put
in place in an effort to reduce the effects of global warming. These initiatives include the following:
• Earth Summit – the United Nations Framework Convention on Climate Change, 1992
• The European Union taking a leading role to govern global action on climate change
• Levies such as the “carbon tax” levied on the selling price of new vehicles in South Africa
• Emissions trading whereby countries are allowed to buy and sell their agreed allowances of
greenhouse gas emissions
Which one of the following factors is important for the development of a sound economic risk
management system?
The development of a sound system of economic risk management will depend on a number of
issues such as:
Inflation is defined as a sustained general rise in prices. Creeping inflation describes a situation
where prices rise a few percent on average each year. Hyperinflation describes a situation
where inflation levels are very high. Inflation is believed to cause unemployment and lower
economic growth.
Which of the following is a risk control measure in a health and safety management system?
Legal risk is the risk arising from violations of or non-compliance with laws, rules, regulations,
prescribed policies and ethical standards. This risk also arises when laws or rules governing certain
products or activities of an organisation’s customers are unclear or untested. Non-compliance can
expose the organisation to fines, financial penalties, payment of damages and the voiding of
contracts. It could also lead to a diminished reputation, reduced franchise value, limited business
opportunities, restricted developments and an inability to enforce contracts.
As a consequence of the diversity of risk, risk management requires a _________ approach
1. Narrow
2. Modern
3. Broader
4. Traditional
As businesses strive for the creation of value for their shareholders they should understand what
risks to take and those to avoid. As businesses grow, they are continuously exposed to greater, more
complex and diverse (of various kinds or forms) and dynamic risks. Therefore, the range of risks that
organisations need to manage has greatly increased. Because of the diversity of risk exposures, risk
management requires a broader approach.
Risk management controls risk as far as possible to enable a business to maximise its
1. Opportunities
2. Profits
3. Strengths
4. Wealth
A risk management _______ sets out how the risks which have been identified by the risk
assessment procedure will be managed and controlled.
1. Framework
2. Policy
3. Process
4. Structure
A risk management policy sets out how the risks, which have been identified by the risk assessment
procedure, will be managed and controlled. The risk management policy assigns responsibility for
performing key tasks, establishes accountability with the appropriate managers, defines boundaries
and limits and formalises reporting structures.
ERM is a structured and systematic process that is interwoven with existing management
responsibilities. It provides a framework based on analysing risks and opportunities, with an ultimate
objective of creating value for the shareholders. ERM entails the alignment of an organisation’s
strategy, processes, people, technology and knowledge to meet its risk management purpose; and
offers a systematic and integrated way of identifying and responding to all sources of risk. ERM aims
to provide a coherent framework to deal with all risks that result from operating in the ever-
changing economic environment.
The King III Report on Corporate Governance introduced which of the following new concepts?
1. A, c
2. A, b, c
3. B, c, d
4. All of the above
Pg 98 study guide
Corporate governance affects various business areas. Improving the confidence of domestic and
international investors is an example of
1. Overall performance
2. Attracting lower-cost capital
3. Meeting social obligations
4. Employing assets efficiently
Effective corporate governance helps enterprises to attract lower-cost capital by improving the
confidence of domestic and international investors and by assuring them that the assets are used in
the form agreed upon, whether the investment is in the form of debt or equity. This has a positive
impact on both debt and equity. For enterprises to succeed in competitive markets, corporate
managers must innovate relentlessly and efficiently, and constantly evolve new strategies to meet
changing circumstances.
Which one of the following activities in a company needs to be reported under the triple bottom-line
principle?
1. Financial performance
2. Technological performance
3. Legal performance
4. Environmental performance
The King II Report moved away from the single bottom-line principle (i.e. profit for shareholders) to a
triple bottom-line principle, which takes into account the environmental, economic and social
activities of a company. Besides reporting on their financial performance (single bottom line),
corporations must also disclose their social and environmental performances (triple bottom line).
Company A is interested in acquiring XYZ Limited. Prior to making a decision, the board requests that
management conducts a strategic review of XYZ Limited and also performs the following
1. PEST analysis
2. SWOT analysis
3. Financial analysis
4. Gap analysis
• the product, portfolio and matrix analysis (internal and external elements);
1. Identify those risks that will have a dramatic impact on business projects/activities and
objectives
2. Determine the expected return of an asset in relation to its risk or risk profile
3. Structure decisions, uncertain events and values of outcomes
4. Identify the cause of any risk
Pareto analysis
Pareto analysis is used to identify those risks that will have a dramatic impact on business
projects/activities and objectives. Such analysis will rank and order the risks according to their
impact so that the business can manage the high risks accordingly.
Which stage of the ERM process is concerned with gaining an understanding regarding the
background of the business as a whole as well as the specific business activities, processes or
projects?
1. Risk analysis
2. Risk evaluation
3. Monitoring and review
4. Establishing the context
Establishing the context is the first stage in the overall seven-stage process of enterprise risk
management. Establishing the context is concerned with gaining an understanding of (1) the
background to the business as a whole, in general terms, and (2) the specific business activity,
process or project, forming the subject of the risk management study. It provides a basic foundation
for everything that follows.
Which of the following is a regulatory framework which a business must comply with and embed in
its business operations?
1. PEST analysis
2. Process mapping
3. Compliance system
4. Financial analysis tools
The regulatory framework in which a business operates must be embedded in the business
operations. The business must also comply with the regulatory framework.
The resolution strategy is a technique used by a business to respond to a particular recurring risk.
Which one of the following risk response strategies uses insurance as one of the methods to respond
to risk?
1. Risk retention
2. Risk transfer
3. Risk reduction
4. Risk removal
Risk reassignment is the strategy used to transfer risk to another entity, business or organisation.
Businesses can use contracts and financial agreements to transfer risk to a third party. Risk transfer
does not reduce the severity of the risk but does increase the impact of the risk. The most common
method of risk transfer is insurance.
Which stage in the ERM process must be on-going in order to increase the success of the
implementation of the entire process?
1. Risk treatment
2. Risk analysis
3. Communication and consultation
4. Monitoring and review
Monitoring and review is an on-going process of implementing and examining the success or
otherwise of the planned responses. It entails evaluating the perceived benefit of the response, its
attendant costs and the likelihood of new risks being triggered by the response. If a decision is taken
to implement the response, it has to be clarified who will do so and when.
Risk appetite can also be referred to as risk attitude, tolerance, preference or capacity. The definition
for risk appetite is the amount of risk a business is prepared to tolerate (be exposed to) at any point
in time. A business risk appetite can vary according to its objectives, culture, environment, perceived
financial exposure to certain risks and risk attitudes (risk neutral, seeking and averse).
Scenario analysis can be used to identify risks by considering possible future developments and
exploring their ramifications for an activity or project. Sets of scenarios reflecting, for example, “best
case” (optimistic), “expected case” (most likely) and “worst case” (pessimistic) may be used to
analyse a risk, including both the probability of occurrence and potential consequences. It can be
used to look back over a fixed period and examine, for instance, major shifts in technology,
transportation and property development with a view to considering future change.
The ultimate responsibility for project risk management must rest with the project
1. Coordinator
2. Team
3. Director
4. Manager
Successful PRM cannot be driven from the bottom up but must be championed from the top.
Ultimate responsibility for PRM must rest with the project director, who must be instrumental in
setting the right culture.
Which one of the following methods is used by a business to evaluate the effect of uncertainty on a
planned activity in a range of situations and makes use of random numbers to sample from a
probability distribution?
The Monte Carlo simulation is a method used by a business to evaluate the effect of uncertainty on a
planned activity in a range of situations and uses random numbers to sample from a probability
distribution. A business can use this method to evaluate duration, demand or throughput and costs.
Potential loss exposure arising from diminishing sales or margins as a result of changes in market
conditions, outside of the control of the business, is known as _________ risk
1. Economic
2. Financial
3. Market
4. Strategic
Market risk can be defined as “the exposure to a potential loss arising from diminishing sales or
margins due to changes in market conditions, outside of the control of the business”.
Mr Nyoka is a risk manager at Gold Mining Ltd. He is approached by the board of directors to
comment on the health and safety system of the business. Which one of the following questions will
be the most important one to be asked by Mr Nyoka to determine if Gold Mining Ltd is
implementing health and safety measures correctly?
1. Is Gold Mining Ltd implementing a health and safety system which reflects the national
legislation on common practice in the mining industry?
2. Is Gold Mining Ltd creating a sound health and safety indicator system?
3. Is Gold Mining Ltd creating measurable targets for occupational accidents and hazards in the
working environment?
4. Is Gold Mining Ltd identifying common health and safety risks?
Risk management best practice is implemented through the development of a risk management
system, policy and procedures to provide safe systems of work, defining targets, measuring
performance and revisiting procedures in the light of experience. The following are the main
• Gaining an awareness of existing guidance such as BS 8800 which provides guidelines for an
effective occupational health system, the International Labour Organisation’s 2001 Guidelines on
Occupational Safety and Health Management Systems (ILO-OSH), which were the result of extended
international consultations held over 2000–2001, and the OHSAS
18000 Series of International Standards for Occupational Health and Safety Management
Systems.
• Involvement of the workforce in both planning and running the organisation’s OSH-MS creates
improved ownership and participation.
• A functioning, recording, notification and indicator system provides a better picture of the
problems and the follow-up that is necessary.
• Measurable targets for reducing occupational accidents and work-related diseases by targeting
their causal factors.
• Workplace mapping techniques are an effective tool to identify health and safety problems in the
workplace and define the measures necessary to resolve them.
• Development of a public relations response management plan and crisis management plan.
The default by a small number of large customers may lead to ________ as a result of credit risk
1. Tax evasion
2. Bribery
3. Insolvency
4. Profits
Credit risk is the financial loss suffered due to the default of a borrower or counterparty under a
contract. Default by a small number of large customers may lead to insolvency.
1. Country
2. Political
3. Operational
4. Financial
According to Chapman (2011), adopting the wrong business strategy, failing to execute a well-
thought-out strategy and not modifying a successful strategy over time, are examples of operational
risk.
1. E-mail
2. E-trade
3. E-commerce
4. E-tailor
Electronic commerce or e-commerce is the buying and selling of goods on the internet. It is doing
business electronically.
Ethical risk refers to exposure to events, which may result in criminal prosecution, civil law suits or
erosion of reputation. Examples of ethical risk include bribery, false accounting, child labour, tax
evasion, money laundering and invasion of privacy.
A ________ policy is a government policy which makes decisions regarding the taxation, borrowing
and spending of a country
1. Fiscal
2. Monetary
3. Economic
4. Trade
Macro-economic policy is influenced by government policy through fiscal policy, monetary policy
and competing theories. Fiscal policy aims to influence government revenue (taxation)
and/or expenditure. Macro-economic policy is thus used by governments to influence the level of
aggregate demand and supply in the economy.
Which of the following factors can be avoided when implementing a health and safety risk
management system?
a. Compensation payments
b. Civil claims
c. Decrease in insurance premiums
d. Adverse media attention
1. A, b
2. A, c, d
3. A, b, d
4. All of the above
• health and safety incidents or an increase in the number of incidents and/or their impact;
• civil claims;
• compensation payments;
• the need to arrange for the injured employee’s work to be continued by another employee;
• the need to make staff rehabilitation and return to work arrangements (recognising that
• increased productivity;
• greater production reliability and reduction in the chance of losing sales to a competitor;
• improvement in staff morale, together with staff retention and recruitment rates;
• improved shareholder satisfaction from meeting increasingly higher health and safety standards.
ABC Limited has been subject to an internal audit. The internal audit report indicated the staff in the
debtors department is not properly trained with regards to completing individual debtor
reconciliations. As a result of this, the reconciliations have incorrect reconciling items. The fact that
the staff are not properly trained is an example of a (an)
1. Risk
2. Risk source
3. Opportunity
4. Internal control
A risk source has the intrinsic potential to give rise to risk. A risk source is where a risk originates. It is
where the risk comes from.
The policy should address specific responsibilities of the board, internal audit, external audit, the risk
committee, the corporate governance committee, the central risk function, employees and third
party contractors in implementing risk management.
1. B, c
2. A, d
3. B, c, d
4. All of the above
With reference to the concept of risk of opportunity, which of the statements are correct?
What are the key obstacles in an organisation to make risk management integral with the overall
business strategy?
1. A, c
2. A, b, c
3. B, c, d
4. All of the above
There are a number of challenges to the implementation of PRM that occur time and time
• lack of senior executive and project director commitment and support for PRM;
• lack of a risk maturity model to guide the goals for risk management;
• lack of a change process to introduce the discipline (in situations where some form of PRM has not
previously been embarked upon);
• lack of articulation of the sponsor’s risk appetite (i.e. risks the project will and will not take);
• risk owners not automatically taking responsibility for the risks assigned to them;
• no clear demonstration of how risk management adds value and contributes to project
performance;
• lack of alignment between the overall business strategy, the project business model and the
1. Themba loves driving his Maserati at high speed, he enjoys the thrill that comes with driving
fast
2. The oil prices have been falling significantly over the past few months, as a result Mr Davies,
an investor, decided to avoid buying a stake in the oil company
3. Siyaqhuba General Dealers is in the retail business, the finance manager decides to take out
a loan from ABSA bank to open a new branch in Soweto with the hope of growing the
business
4. In their quest to win a larger market share, Samsung has decided to invest more funds
towards technological advancement
Which one of the following statements relates to the concept of corporate governance?
1. Controls the internal and external actions of managers, employees and outside business
stakeholders
2. Universal and prescriptive in nature and applicable to only a few companies
3. Assists enterprises to attract higher-cost capital
4. Enhances the dominating of business decisions and objectives by one individual
For an enterprise to achieve and aspire to be a good corporate citizen, it has to empower the board
of directors to
1. A, c
2. B, c, d
3. A, c, d
4. All of the above
ABC Limited is a company listed on the JSE. A majority of the audit committee members that have
been appointed are independent non-executive directors. The chairman of the board and the chief
executive officer are also members of the audit committee. There are six members in total. Three
meetings were held by the audit committee during the year. The audit committee also recommends
to the board which external audit provider they feel should be appointed to conduct the annual
audit. Based on the scenario above, which of the following statements are insufficiencies in the audit
committee’s structure based on King III?
1. A, b
2. B, c, d
3. A, c, d
4. All of the above
Which of the following is an activity taken into account by the triple bottom-line principle?
1. Political performance
2. Legal performance
3. Technological performance
4. Environment performance
a. Improves confidence of domestic and international investors and therefore attracting capital
at lower cost
b. Corporate government ensures efficient use of company resources
c. Good corporate governance is essential to ensure adherence to legislation as well as
corporate social responsibility
d. Effective corporate governance may improve overall performance.
1. A, d
2. B, c, d
3. A, c, d
4. All of the above
The ERM process has several stages, the first stage is establishing context, which is concerned with
the understanding of the
a. Specific business activity, process or project forming the subject of risk management
b. Macro and micro environment in which the business operates
c. Background of the business as a whole in general terms
d. Identified risk events (upside and downside)
1. B, c
2. B, c, d
3. A, b, c
4. All of the above
Which one of the following statements is correct with regards to process mechanisms in Stage 1 of
the ERM process?
1. Financial ratios are used to look at the financial position and performance of a business
2. The risk management process diagnostic can be regulated or constrained by the culture of
business risk
3. The financial performance of a business must be reviewed by looking at the PEST analysis
4. The SWOT analysis can be used to look at the external environment influences on business
performance and market growth or decline
Scenario analysis is used to analyse the
Risk identification is a crucial step in the ERM process. Indicate which of the following statements are
correct in relation to risk identification?
a. A risk checklist is used to list all the risks that were identified on previous projects within the
business
b. A structured method of risk identification must be implemented so that consistent risk
management can take place
c. Business risk is static and a discrete phase in the process
d. It is important to be able to identify the risks in the business and understand how they fit
into the overall business context
1. A, c
2. B, c, d
3. A, b, d
4. All of the above
Which stage in the ERM process requires a business to design a specific action plan and produce
strategic responses to address the risks and opportunities identified in the business to secure
business objectives?
1. Risk analysis
2. Risk treatment
3. Communication and consultation
4. Monitoring and review
The risk treatment stage will assist the business to design a specific action plan and produce strategic
responses to address the risks and opportunities identified in the business to secure business
objectives. This stage is vital in the risk management process because the risk strategy responses and
action plan must be prepared and implemented effectively into the business.
In the monitoring and review stage, control activities must adhere to which of the following?
1. A, b
2. A, b, c
3. A, b, d
4. All of the above
The controlling process is based on the information gathered in the monitoring process to form
decision-making. It means the business must understand who needs what information for what
purpose and when. To give a manager control, the control activities must adhere to the following
seven specifications:
Controls have to be appropriate to the character and nature of the phenomenon measured.
The risk analysis stage provides information on the likelihood of risks and opportunities occurring
and the impact of them to aid in the decision-making process. Which of the following activities need
to be conducted?
1. A, c
2. A, c, d
3. A, b, d
4. All of the above
Pg 33-34 sg
The _________ is an average annual return expressed as a percentage of initial cost of the project
In relation to CAPM analysis, market risk is measured by its beta. A share with a beta of 1.5 tends to
move up or down by the same percentage point as the equity market
1. True
2. False
An investor holding shares in a holding is exposed to equity market risk. There is a tendency for the
value of the share to move with general stock market movements. In the CAPM, market risk is
measured by its beta. A stock with a beta of 1.0 tends to move broadly in line with the equity
market; a share with a beta of 1.5 tends to move up or down by 1.5% for each percentage point
movement in the market. In the past the Lloyds TSB Group has had a beta of just under 1.5% and
Cadbury Schweppes had a beta of just over 0.5%. Some companies have a beta over 1.5. If the
market goes up these shares can be expected to outperform others; in a bear market they can be
expected to fall by more than average. Other shares have betas of 0.5 or less, and these defensive
companies are likely to do relatively well in a bear market while being left behind when the share
prices surge ahead.
Which one of the following statements is incorrect with regards to credit risk?
1. Credit risk is the financial loss suffered due to the default of a borrower or counterparty
under a contract
2. Counterparty risk relates to the certainty surrounding the payment of future amounts
3. Default risk is the probability of the event of default
4. Recovery risk relates to the uncertainty over the likely recovery
_______ risk is considered to be embraced within operational risk
1. Liquidity
2. Currency
3. Funding
4. Reputational
The sources of risk considered to be embraced within operational risk include business risk, crime
risk, disaster risk, information technology risk, legal risk, regulatory risk, reputational risk, systems
risk and outsourcing. Refer to par 16.1 of the prescribed book for more details
Employees working in Company A have access to the Company’s Code of Conduct, which is not
available to external parties. The Code of Conduct is posted on the Company’s
1. Information assets
2. Intranet
3. Management information system
4. E-commerce
Intranets are computer networks based on the same technical standards as the internet but
designed for use within a single organisation. Intranets are cheaper and simpler to install than
proprietary networks, and companies are increasingly using them to circulate internal information
such as phone directories, job openings, training, marketing and publicity material.
Company XYZ is in the process of implementing Project A. They need to identify the legislation that
the project needs to adhere to. This identification of legislation relates to the stage of the PRM
process
If an individual other than an employee gains unauthorised access to a company computer by
way of a public telecommunications system, that individual is guilty of
Ethics is inextricably linked with reputation, and a breach of ethics commonly leads to one or more
of the following: reduced share price, reduced profitability, unfavourable media coverage, fines,
additional administration and, in some extreme cases, imprisonment.
The ________ policy is a mechanism which the reserve bank uses to manipulate the supply of money,
the supply of credit, interest rates and exchange rates
1. Monetary
2. Trade policy
3. Fiscal
4. Balance of payments
The shooting of striking mine workers by the South African Police Service in August 2012 in the
Marikana area is an example of __________ risk
1. Micro political
2. Macro political
3. Health and safety
4. Environmental
Which of the following is a risk control measure in a health and safety management system?
1. Capital
2. Business profit
3. Economic activity
4. Business performance
Which of the following are the benefits of effective risk and opportunity management?
1. A, c
2. A, b, c
3. B, c, d
4. All of the above
The benefits of effective risk and opportunity management include the following:
1. Internal control
2. Risk management process
3. Corporate governance
4. Risk management framework
Which stage in the risk management framework requires a periodic review with stakeholders on
whether the risk management policy, plan or process requires amendment as a result of changes in
the organisation’s context?
a. Objectives
b. Limitations on disclosure
c. Where it applies within the organisation
d. Frequency of review
1. A, c
2. A, b, c
3. B, c, d
4. All of the above
In simple terms a policy should address why risk management will be undertaken, who within and
outside the organisation will undertake it, how it will be undertaken by reference to the framework
and process and internal functions, and what those who are responsible will be required to
undertake. Specifically, the policy should state its purpose, objectives, scope (where it applies within
the organisation), related and supporting policies, its degree of confidentiality (any limitations on
disclosure), the frequency of its review and the date it was last updated.
a. a financial director must be appointed to the board for listed companies as from 2009
b. non-executive directors could receive share options based on prior approval
c. a minimum of three executive directors should be appointed to the board
d. the memorandum of incorporation of the company should allow the board to remove any
director from the board
1. a, d
2. a, b, c
3. b, c, d
4. All of the above
Pg 100
The purpose of corporate governance is to ensure board oversight of business operations and
facilitate effective, entrepreneurial and prudent management that can deliver the long-term success
of the company.
a. Is not a member of the immediate family of an individual who is employed by the company
in an executive capacity
b. Is not a representative of a shareholder who has the ability to significantly influence
management
c. Is not a professional advisor to the company other than in a director capacity
d. Does not receive remuneration contingent upon the performance of the company
________ is used to examine the business environment to identify changes and potential risks and
prepare for them
1. PEST
2. SWOT
3. Ratios
4. SMART
________ can be used to identify the main risks linked to a certain activity or project of the business
1. Gap analysis
2. PEST analysis
3. Risk taxonomy
4. SWOT analysis
The risk analysis stage will provide information on the likelihood of risks and opportunities occurring
and the impact of them to aid in the decision making process. The risk analysis process will assess all
the risks identified in the risk register. Ample time should be allowed for conducting the risk analysis
stage.
______ is used to prepare for the possible worst case to best case situation
1. Brainstorming
2. Delphi technique
3. Scenario analysis
4. Structured interviews
Lucy did not insure some of her risks because there are control measures already in place to absorb
these risks. What is the risk response strategy that Lucy has undertaken?
1. Risk removal
2. Risk transfer
3. Risk retention
4. Risk reduction
Risk retention is also referred to as acceptance, absorption or tolerance. A business can be in the
position to only be able to accept the risk as the alternative methods, for example risk removal,
reduction and transfer are not available; or it can be more economical to the business to accept the
risk. In the risk retention strategy the options available, timing and the ability to absorb the risk must
be considered.
The process inputs in the risk analysis process will consist of risk study parameters, which include
risk identification, risk recording, profit and loss account assessment, balance sheet assessment and
industry betas. The process outputs will be the risk register including the assessment, which shows
the probability and impact of each risk and opportunity.
Which of the following are techniques that a facilitator can adopt in an interactive workshop?
a. Risk questionnaire
b. Financial analysis tools
c. Brainstorming process
d. Scenario analysis
1. C, d
2. A, b, c
3. A, b, d
4. All of the above
_______ is a technique to employ when evaluating the profitability of an investment proposal for a
particular project
1. Simulation
2. Percentiles
3. Sensitivity analysis
4. Monte Carlo simulation
Sensitivity analysis: A technique employed to evaluate the profitability of an investment proposal for
a particular project. The assessment can indicate how sensitive projected outcomes are to proposed
changes.
1. Occurs infrequently
2. Is implemented prior to the annual risk report
3. Is implemented to satisfy audit requirements
4. Is a continuous process
A ________ is a statement of how the organisation will accomplish its business objectives
1. Industry betas
2. Human resource plan
3. Profit and loss account
4. Risk register
A company requires all managers at various business units to make use of a standard template when
identifying risks and reporting these risks to the Head Office. This process activity is an example of
All companies will only stay solvent by ensuring that all cash obligations (salaries, rents, tax, etc.) can
be met by a combination of investment liquidity, funding sources and contingent liabilities (liabilities
that can be terminated quickly).
Information technology risks include
Transcor is a transport company which delivers goods across all nine provinces in South Africa.
Transcor has an agreement with Avis Truck Rental to provide them with rental trucks in the event of
their trucks being damaged or vandalised during protest actions. This is called a (an)
Brain received a feeding scheme tender through the means of bribery. This tender has resulted in his
business growing and he made a huge profit. Brain’s way of getting business is
1. Ethical
2. Honest
3. Unethical
4. Intelligent
1. B, d
2. A, c, d
3. A, b, d
4. All of the above
The macro marketing environment consists of which of the following factors?
Pg 469 textbook
A country’s inability to meet its financial obligations determines its _______ risk
1. Political
2. Country
3. Liquidity
4. Economic
Which of the following examples are specific areas of concern for an organisation relating to
operational risk?
a. Insourcing where firms take on the operational risks of their third parties
b. Highly automated and integrating technology that has the potential to transform risks from
minor manual processing errors to major systematic failures
c. The growth of e-commerce that brings with it some new and potentially significant
operational risks for both consumers and firms
d. Firms that outsource their activities may suffer some loss of control over them, which could
affect the quality and availability of their products.
1. A,b
2. A, c, d
3. A, b, d
4. All of the above
Pg269 tb
1. Risk exposure of losses resulting from people, processes, systems and external events
2. Management of risk exposures in projects in the pursuit of achieving predefined goals
3. Protection and enhancement of share value to satisfy the other internal controls
4. Management of investments in technology to achieve business objectives and optimise
investment benefits
1. A, b
2. A, c, d
3. A, b, d
4. All of the above
• Low working capital to total assets and low working capital to sales
• Instability in earnings
• A significant increase in beta (beta is the variability in the price of the company’s stock relative to a
market index)
• Market price per share is significantly less than book value per share
• Failure to maintain capital assets. An example is a decline in the ratio of repairs to fixed assets
• New company
• Declining industry
• Inability to obtain adequate financing, and when obtained there are significant loan restrictions
• High business risk (e.g. positive correlation in the product line; susceptibility to strikes)
• Susceptibility of the business to stringent governmental regulation (e.g. companies in the real
estate industry)
Which of the following are the sources of risks considered to be embraced within financial risk?
a. System risk
b. Operational risk
c. Interest risk
d. Funding risk
1. A,b
2. A, c, d
3. A, b, d,
4. All of the above
The term financial risk embraces a variety of sources of risk, which include:
♦ liquidity risk;
♦ credit risk;
♦ currency risk;
♦ funding risk;
♦ derivatives risk;
♦ outsourcing risk
Which one of the following is a benefit of effective risk and opportunity management?
The benefits of effective risk and opportunity management include the following:
The board’s role should be to steer the corporation towards corporate governance policies that
support _______ sustainable growth in ________ value
1. Short-term, shareholder
2. Long-term, shareholder
3. Short-term, stakeholder
4. Long-term, stakeholder
The board’s role is to steer the corporation towards corporate governance policies that support
long-term sustainable growth in shareholder value
The purpose of a risk management framework is to
The risk management framework is a basic conceptual structure used to address the risks faced by
an organisation. The purpose of the risk management framework is to assist an organisation in
integrating risk management into its management process so that it becomes a routine activity. The
framework is composed of the following five steps:
• Design framework
• Implement framework
• Monitor framework
• Improve framework.
Which of the following elements form part of the enterprise risk management (ERM) structure?
a. Internal control
b. External control
c. Corporate governance
d. Sources of risk
1. A,b
2. B, c, d
3. A, c, d
4. All of the above
The King II report moved away from ______ bottom-line principle to a _______ bottom-line principle
1. Single, triple
2. Double, triple
3. Single, double
4. Double, single
pg 16
In terms of the King III Code of governance, internal audit must follow a ______ based approach
1. Governance
2. Cash
3. Risk
4. Compliance
Investors are willing to pay a premium for good governance for three reasons.
• They believe that the company will perform better over time, which will mean higher share prices.
• It is a way of reducing risk by either avoiding it altogether or by coping better with adverse events.
• The focus on corporate governance is a trend, but the reality is that no one wants to be left
behind.
A GAP analysis
1. Is used to list all the risks that were identified on previous projects within the business
2. Is a list that categorises each risk into a type or area
3. Can be used to identify the main risks linked to a certain activity or project of the business
4. Is a structured checklist to break down the risks and opportunities into manageable
components
A Gap analysis can be used to identify the main risks linked to a certain activity or project of the
business. The method will assist the business to establish where the gap is in the risk associated
within the activity/project so that pro-active or reactive risk measures can be established
1. A, b
2. A, b, c
3. B, c, d
4. All of the above
Governance in companies in South Africa is also a legal requirement as per the Companies Act, 71 of
2008. The Act came into effect in May 2011. Relevant components of the act will be discussed
below.
• promote compliance with the Bill of Rights as provided for in the Constitution, in the application of
company law
• encourage transparency and high standards of corporate governance as appropriate, given the
significant role of enterprises within the social and economic life of the nation
• reaffirm the concept of the company as a means of achieving economic and social benefits
• continue to provide for the creation and use of companies, in a manner that enhances the
economic welfare of South Africa as a partner within the global economy
• promote the development of companies within all sectors of the economy, and encourage active
participation in economic organisation, management and productivity
• create optimum conditions for the aggregation of capital for productive purposes, and for the
investment of that capital in enterprises and the spreading of economic risk
• provide for the formation, operation and accountability of non-profit companies in a manner
designed to promote, support and enhance the capacity of such companies to perform their
functions
• balance the rights and obligations of shareholders and directors within companies
• provide for the efficient rescue and recovery of financially distressed companies, in a manner that
balances the rights and interests of all relevant stakeholders
• provide a predictable and effective environment for the efficient regulation of companies.
The _______ is a method used by a business to evaluate the effect of uncertainty on a planned
activity in a range of situations and uses random numbers to sample from a probability distribution
1. Scenario analysis
2. Monte Carlo Simulation
3. Simulation
4. Latin hypercube sampling
Monte Carlo simulation: A method used by a business to evaluate the effect of uncertainty on a
planned activity in a range of situations, using random numbers to sample from a probability
distribution.
Which one of the following risk response strategies eliminates a risk when a negative outcome or high
risk exposure is anticipated?
1. Risk removal
2. Risk reduction
3. Risk retention
4. Risk transfer
Risk removal: A strategy adopted to eliminate a risk altogether when a negative outcome is
anticipated.
A _______ analysis needs to be conducted to determine the business’ competitive advantage in the
industry/market
1. Business
2. Competitor
3. SWOT
4. PEST
A ________ is used as a communication tool to establish the business process in the first stage of the
ERM process
The average annual return expressed as a percentage of the initial cost of a project is called the
______
The ARR is an average annual return expressed as a percentage of initial cost of the project.
Local Cleaning’s total assets, total current liabilities, and inventory for each of the past 4 years are as
follows
1. 1 79
2. 1 24
3. 0 56
4. 3 26
1. 2 42
2. 1 14
3. 1 79
4. 1 55
Which of the following are typical Key Performance Indicators (KPI’s) used in a business?
a. Employee performance
b. Model risk factors
c. Credit management
d. Control risk indicators
1. A, b, d
2. B, c
3. A, c
4. All of the above
_______ communication is used to deliver open and honest information on the risks that the
business faces and how it responds
1. Business
2. Risk
3. Internal
4. External
A business must also ensure that it effectively implements an external communication and reporting
process/system so that it will be able to deliver open and honest information on the risks faced in
the business and how the business responds to such risks.
Which of the following are inputs for the risk treatment process?
a. Risk register
b. Industry betas
c. Description of the business risk appetite
d. Risk response actions
1. A, d
2. A, b, d
3. A, b, c
4. All of the above
The process inputs in the risk treatment process will be the risk register, industry betas and a
description of the business risk appetite, and details of existing insurance policies.
Graham Capital is in the process of obtaining a loan from XWX Bank. Which of the following factors
must Graham Capital take into consideration?
a. A, c, d
b. A, b, c
c. A, b
d. All of the above
When a company borrows money, it needs to know the basis of interest rate determination, the
interest rate at commencement of the borrowing, the nature of interest rate (fixed or variable), and
the duration of payment. The rate of interest paid depends on the following:
♦ Amount
♦ Term
♦ Forecasts
♦ Inflation
♦ Risk
♦ Opportunity cost
♦ Market
_______ analysis is used to determine past events to serve as reference for the implementation of
risk management measures for future events
1. Probability
2. Causal
3. Expected monetary value (EMV)
4. Capital asset pricing model (CAPM)
Causal analysis
The causes of any risk must be identified. It is important for the business to learn from past events to
implement risk management measures for future events.
1. The business will not be able to identify the key risks and risk events associated with the
business, these risks constantly change
2. The business will be able to identify the key risks associated with the business, these risks
constantly stay the same
3. The business will be able to identify the key risks and risk events associated with the
business, these risks constantly change
Through risk identification, the business will be able to identify the key risks and risk events
associated with the business. The business will constantly change and grow as well as the risks
associated with the business. The business will need to identify risks on a constant basis and identify
the opportunities that may arise in order to enhance its objectives as well as risks that may reduce
the likelihood of the business achieving its objectives. Risk can also be based on two main outcomes
namely the upside and downside of risk
Cell C takes out a fire insurance policy to insure its buildings and office equipment against fire and
allied perils. What form of risk response strategy is Cell C using in this instance?
1. Risk retention
2. Risk removal
3. Risk transfer
4. Risk reduction
The determination of the probability and impact of the identified risks and opportunities is referred
to as risk
1. Identification
2. Evaluation
3. Analysis
4. Review
The risk that a counterparty to a contract will not live up to its contractual obligations is known as
_______ risk
1. Liquidity
2. Counterparty
3. Credit
4. Default
Counterparty risk is the risk to each party of a contract that the counterparty will not live up to its
contractual obligations.
Which one of the following factors influences the aggregate supply curve?
The exposure to a potential loss arising from diminishing sales or margins as a result of changes in
market conditions, outside of the control of the business, is known as _____ risk
1. Interest rate
2. Environmental
3. Market
4. Social
252 textbook
In implementing operational risk management in a business, external events which can occur outside
of the business must be taken into consideration. These events may require a business to have
response strategies in the form of
Which of the following risks are seen as internal micro influences to a business?
Credit insurance
The risk mitigation techniques for market risk will involve risk
1. Network systems
2. Operation research
3. Telematics
4. Broadband
• Software applications
• Intranets
• Telematics
• Information assets
_____ gives an individual exclusive right to reproduce the individual’s own written work
1. Designs
2. Copyright
3. Trademark
4. Patents
The Copyright, Designs and Patents Act 1988 generally gives the owner of copyright the exclusive
right to reproduce the copyrighted work, to prepare derivative works, to distribute copies of the
copyrighted work, to perform the copyrighted work publicly, or to display the copyrighted work
publicly.
1. The exercise of power by opposition parties and the actions of isolated groups
2. The exercise of power by government actors and the actions of non-government groups
3. The exercise of power by imprisoned opponents to the government and the actions of
disaffected groups
4. Small new opposition parties that have yet to obtain widespread effective support
Political risk can be defined as “the uncertainty that stems, in whole or in part, from the exercise of
power by government actors and the actions of non-government groups”. This type of risk can be
seen in domestic as well as international markets but is also associated with overseas exposure and
developing countries. The political environment of overseas countries will always have an impact on
the threats and opportunities of a business wanting to expand business overseas.
Question 1
Question 2
The risk management policy of an organisation should address specific responsibilities of the …
The risk management policy of an organisation should address specific responsibilities of the board,
the corporate governance committee and the risk committee.
Question 3
A banks.
B financial institutions.
C investment institutions.
1 a,b
2 a,b,d
3 a,b,c
King II applied to banks, financial and investment institutions, public companies and all listed
companies on the JSE. In contrast King III applies to all entities regardless of the manner and form of
incorporation or establishment and whether in the public, private or non-profit sectors.
Question 4
The King III Report on Corporate Governance was implemented in reaction to new trends in ...
1 environmental practices.
2 international governance.
3 ethical practices.
The King III Report on Corporate Governance was implemented in reaction to new trends in
international governance
Question 5
A business must aspire to be a good corporate citizen by empowering the board of directors to ...
D understand the importance of a relationship between the board and the community.
1 a,c
2 a,b,c
3 b,c,d
A business must aspire to be a good corporate citizen by empowering the board of directors to
implement a code of ethics, report on the HIV/Aids strategic plan and policy, to report on social,
health and transformational policies and practices and understand the importance of a relationship
between the board and the community
Question 6
Which one of the following is not a recognised context stage (first stage) tool to obtain information
on the business?
1 SWOT analysis
2 PEST analysis
3 Financial analysis
4 Sensitivity analysis
The tools (process mechanisms) used in the context stage to obtain information on the business are
financial analysis tools, SWOT analysis, PEST analysis and risk management process diagnostic. The
sensitivity analysis is used in the risk evaluation stage.
Question 7
2 the external environmental factors which may influence the business’s performance.
4 the internal environmental factors which may influence the business’s performance.
A PEST analysis is a useful tool for a business to determine the external environmental factors which
may influence the business’s performance.
Question 8
2 avoid creating tension in the team when one is selected as the facilitator and others are not.
4 avoid problems of bias, lack of independence, hidden agendas, single direction approaches or
pursuit of personal goals.
Using a risk identification facilitator from outside the business will avoid problems of bias, lack of
independence, hidden agendas, single direction approaches or pursuit of personal goals.
Question 9
It was discovered that one in four software development projects exceeds its budget. The probability
of a single project exceeding its budget is …
1 0 to 4.
2 25%.
3 1.
4 infrequent.
The probability of a single project exceeding its budget is 25%. Calculation: 1 ÷ 4 = 0.25
Question 10
A list generated during the risk identification stage which categorises each risk into a type or area is
known as a risk ...
1 checklist.
2 prompt list.
3 taxonomy.
4 index.
A list generated during the risk identification stage which categorises each risk into a type or area is
known as a risk prompt list.
Question 11
The difference between the initial investment amount and the present value of a project’s expected
future cash flows, discounted at the appropriate cost of capital is the …
3 Payback Period.
The difference between the initial investment amount and the present value of a project’s expected
future cash flows, discounted at the appropriate cost of capital, is the Net Present Value (NPV). The
Internal Rate of Return (IRR) is the discount rate that makes NPV equal to 0 or the discount rate that
makes the present value of investment costs equal to the present value of investment benefits. The
Payback Period (PP) is the number of years required to recover an initial investment. The Average
Rate of Return (ARR) is an average annual return expressed as a percentage of the initial cost of the
project
Question 12
Risk appetite …
1 a,b
2 b,c
3 a,b,d
Risk appetite can also be referred to as risk attitude, tolerance, preference or capacity. Risk appetite
is defined as the amount of risk a business is prepared to tolerate at any point in time. A business
risk appetite can vary according to the objectives, culture and environment of a business. A business
risk appetite can have an impact on the risk strategy responses and action plan.
Question 13
The main reason for monitoring risks is to establish whether risk response actions are effectively
implemented.
Question 14
Key Performance Indicators (KPIs) are used to measure a business’s health. Key Risk Indicators (KRIs)
refer to captured information that provides a useful view of underlying risk profiles at various levels
to assist decision makers within a business.
Question 15
Mr. Lucky has been appointed as the risk manager for A-Z clothing Ltd. Mr. Lucky must implement a
risk management process for the business. Which of the following risk management stages should
Mr. Lucky implement?
1 a,d
2 a,b,d
3 a,b,c
The stages in the risk management process include establishing the context, monitor and review, risk
identification, risk analysis, risk evaluation, risk treatment, communication and consultation. The
design and improve process is an ongoing process which takes place at commencement and
throughout the risk management process.
Question 1
The uncertainty linked to the recovery of outstanding amounts due is known as:
1 Exposure risk
2 Default risk
3 Credit risk
4 Recovery risk
The uncertainty linked to the recovery of outstanding amounts due is known as recovery risk.
Question 2
Question 3
A Insider trading.
B Money laundering.
C Invasion of privacy.
1 a,b
2 a,b,c
3 a,b,d
Insider trading, money laundering, invasion of privacy and inadequate internal controls are examples
of unethical business practices
Examples of unethical practices by companies that were prosecuted or suffered reputational
damage because of the behaviour of employees and who attracted negative media attention include
the following:
Question 4
A-Z Mining takes health and safety extremely seriously. In order to improve human reliability in the
workplace, A-Z Mining may introduce …
B training.
C reward schemes
D workplace precautions
1 b,c
2 a,b,c
3 a,b,d
In order to improve human reliability in the workplace, A-Z Mining may introduce human reliability
analysis, training and reward schemes.
Question 5
… risk deals with basic macro-economic theory together with fiscal and monetary policies.
1 Economic
2 Country
3 Financial
4 Political
Economic risk deals with basic macro-economic theory and fiscal and monetary policies. Country risk
is a collection of risks associated with investing in a foreign country. Financial risk is the exposure of
an enterprise to adverse events that erode profitability and in extreme situations, bring about
business collapse. Political risk is the uncertainty that stems, in whole or in part, from the exercise of
power by government actors and the actions of non-government groups
Question 6
2 number of competitors moving into and out of the market the business is operating in.
3 exposure to losses arising from the change to the cost of raw materials.
4 exposure to a potential loss arising from diminishing sales due to changes in market conditions
outside the control of the business.
Market risk refers to the potential loss exposure arising from diminishing sales due to changes in
market conditions outside the control of the business.
Question 7
The sources of risk embraced under economic risk include the following:
a Fall in demand
b Government policies
c Exchange Rates
d Fall in Supply
1 a,c
2 b,c,d
3 a,b,c
Question 8
1 Monte Carlo.
2 Pest Analysis.
4 Economic simulations.
Question 9
In implementing operational risk management in a business, external events which can occur outside
of the business must be taken into consideration. These events may require a business to have
response strategies in the form of:
In implementing operational risk management in a business, external events which can occur outside
of the business must be taken into consideration. These events may require a business to have
response strategies in the form of change management and business contingency plans.
Question 10
3 network systems in which computers are linked to one another over a network.
Question 1
Nedbank Group has a strong risk culture and follows worldclass enterprisewide risk management,
which aligns strategy, policies, people, processes, technology and business intelligence in order to
evaluate, manage and optimise the opportunities, threats and uncertainties the group may face in its
ongoing efforts to maximise sustainable shareholder value.
Enterprisewide Risk Management (ERM) integrates risk, finance and balance sheet management
across the group’s risk universe, including business units and operating divisions, geographical
locations and legal entities. Against this backdrop, all risks – including those associated with
sustainability – are managed according to a ‘three lines of defence’ governance model. It is Nedbank
Group’s view that a strong risk governance process is the foundation for successful risk management
and balance sheet management, which is why this model represents the core of the business’s
Enterprisewide Risk Management Framework (ERMF). The ERMF places emphasis on accountability,
responsibility, independence, reporting, communications and transparency, and comprises 17 key
risk categories that are managed, monitored, measured and reported on by the first, second and
third line-of-defence functions across the group.
1.1 In the extract, Nedbank Group’s risk and balance sheet management statement is referring to
the King Code of Governance Principles 2009 (King III). Discuss the principles listed in the risk and
balance sheet management statement of Nedbank Group? (7)
Any seven of the following principles could have been identified from the risk and balance sheet
management statements of Nedbank Group:
Principle: Definition and explanation based on King Code of Governance Principles for SA 2009
- Communications:
o Effective communication with stakeholders is essential for building and maintaining
their trust and confidence. Communication to stakeholders should be in clear and
understandable language.
- Independence:
o Independence is the absence of undue influence and bias which can be affected by
the intensity of the relationship between the director and the company.
- Responsibility:
o The state or position of having control or authority and being accountable for one's
actions and decisions.
- Reporting:
o Integrated reporting and disclosure. The company needs a holistic and integrated
representation of the company’s performance in terms of both its finance and its
sustainability.
- Sustainability:
o Sustainability of a company means conducting operations in a manner that meets
existing needs without compromising the ability of future generations to meet their
needs. It means having regard to the impact that the business operations have on
the economic life of the community in which it operates. Sustainability includes
environmental, social and governance issues.
- Transparency:
o Easy to understand or recognise; obvious; candid; open; frank.
- Accountability:
o Being responsible and able to justify and explain decisions and actions.
- Responsible leadership:
o The board should provide effective leadership based on an ethical foundation. The
board should ensure that all deliberations, decisions and actions are based on the
four values underpinning good governance and ensure that each director adheres to
the duties of a director.
- Risk-based internal audit:
o Internal audit should be risk-based and every year the internal auditors should
furnish an assessment to the board generally on the system of internal controls and
to the audit committee specifically on the effectiveness of internal financial controls.
- Compliance:
o Companies must comply with all applicable laws. The board should delegate to
management the implementation of an effective compliance framework and
processes. Compliance risk should form an integral part of the company's risk
management processes. Compliance should be an ethical imperative.
1.2 Identify any six (6) additional governance of risk principles addressed in the King III report not
specifically listed by Nedbank Group. (6)
Any six of the following additional governance of risk principles addressed in the King III report can be
discussed:
Question 2
Mr. Khumalo has just been appointed as the new CEO of Local Coal Mining Ltd. He approaches you
as the risk manager to gain a better understanding of the implementation of risk management in the
company.
Briefly describe the difference between an enterprise risk management framework, policy and
process to Mr. Khumalo to give him a better understanding of the implementation of risk
management in Local Coal Mining Ltd.
The risk management framework is a basic conceptual structure used to address the risks faced by
an organisation. The purpose of the risk management framework is to assist an organisation in
integrating risk management into its management process so that it becomes a routine activity. The
framework is composed of the following five steps:
- Mandate and commitment: Risk management must come from the top down in an
organisation (the organisation's management).
- Design framework: Understanding the organisation and its context, establishing the risk
management policy, determining accountability for risk management, embedding risk
management in all of the organisation’s practices/processes etc.
- Implement framework: Timing of implementation of framework should be planned and
training sessions are required.
- Monitor framework: Periodically review with internal and external stakeholders whether the
risk management framework, policy, plan and process require amendments.
- Improve framework: Based on the results of the monitor process, decisions should be made
on whether the risk management framework step should be amended.
A risk management policy sets out how the risks, which have been identified by the risk assessment
procedure, will be managed and controlled. The risk management policy assigns responsibility for
performing key tasks, establishes accountability with the appropriate managers, defines boundaries
and limits and formalises reporting structures. The policy should address specific responsibilities of
the board, internal audit, external audit, the risk committee, the corporate governance committee,
the central risk function, employees and third party contractors in implementing risk management.
According to the International Risk Standard, ISO 31000 (2009), a risk management process is one
that systematically applies management policies, procedures, and practices to a set of activities
intended to establish the context, communicate and consult with stakeholders, and identify, analyse,
evaluate, treat, monitor, and review risk.
According to Chapman the process can be broken down into 7 stages: context, identification,
analysis, evaluation, treatment, monitoring/review and communication and consultation. All the
processes are repeated through the organisation up to the implementation of the risk response
actions.
Question 3
3.1 Identify and describe four (4) risk response strategies which can be used by a business in the
enterprise risk management treatment stage. (8)
The following risk response strategies can be used by a business in the risk treatment stage:
Risk reduction
Risk reduction can also be referred to as treatment or mitigation. Risk reduction can be seen as risk
diversification (reduction of risks by distribution) for example, where a business invests in multiple
stocks to reduce risk and the impact of the risk. Two approaches to reduce risk can be followed
namely:
Methods used to reduce the likelihood of occurrence or impact of risk by a business are protection,
controls, maintenance and risk spreading.
Risk removal
Risk removal can also be referred to as avoidance, elimination, exclusion and termination. Risk
removal is used to eliminate a risk when a negative outcome/impact or high-risk exposure is
anticipated. For example, doing business with a politically uncertain country may be too risky to make
the opportunity worthwhile (a potential for loss has been eliminated). When a business wants to
remove risk, factors such as opportunity, business objectives and costs involved must be considered.
All three of these concepts must be taken into account. Examples are when a business decides not to
introduce a new product, or terminates the production of an existing product and ceases
operations that have been carried out in the past.
Risk reassignment is the strategy used to transfer risk to another entity, business or organisation.
Businesses can use contracts and financial agreements to transfer risk to a third party. Transferring a
risk does not reduce its likely severity; it just moves it to another party. In some cases risk transfer
can increase the impact of the risk, as the party to whom the risk is transferred is unaware that it is
required to absorb it. The most common method of risk transfer is insurance. For example, the
financial consequences of the loss are transferred to the insurance company. When a business
transfers risk the business must consider the objectives of the parties, ability to manage the risk, risk
context and cost effectiveness of the transfer.
Risk retention
Risk retention is also referred to as acceptance, absorption or tolerance. A business may be forced into
a position to accept the risk as alternative methods, for example risk removal, reduction and
transfer, are not available; or it may be more economical to the business to accept the risk. When
following a risk retention strategy the options available, timing and the ability to absorb the risk
must be considered.
3.2 Distinguish between key risk indicators (KRI) and key performance indicators (KPI) and give two
examples of each of the types of KRIs and KPIs.
A business must clearly distinguish between key risk indicators (KRI) and key performance indicators
(KPI).
KRIs refer to captured information that provides useful views of underlying risk profiles at various
levels to assist decision makers within a business. The following are seen as KRI types:
KPIs refer to high level snapshots of the health and performance of a business based on specific
predefined measures, for example statistical information on the business. The following are seen as
KPI types:
Identify and describe eight (8) common challenges faced by businesses in implementing project risk
management.
Argue the value of good corporate governance to business enterprises. (Hint: refer to the four
business areas corporate governance might impact on) (10)
1.1 Identify and describe four (4) process activities for risk evaluation which can be used by a
business in the ERM evaluation stage. (8)
Chance and the assessment of risk play a major part in a large number of business activities.
Hence, probability has found a wide range of business applications such as in investment appraisals
which require an assessment of risk and a measure of expected outcomes. Many of the process
activities examined here require an understanding of the concepts of probability.
Probability represents a new set of conceptual tools. Rather than looking at the world as consisting
of deterministic situations, where everything is known with certainty, we can now consider a range
of outcomes to every situation. More than this, by treating the world as stochastic, it is possible to
assess the chance of particular outcomes happening in a given situation. Hence, it is important to
consider the range of outcomes possible from a situation, so that recognition is given to even the
remote (unlikely) outcomes.
• Sensitivity analysis
The sensitivity analysis method can be used by a business to assess how sensitive the project
outcomes are to changes in the business. The method uses one variable and examines the effect of
that specific variable on the project.
• Scenario analysis
Scenario analysis is a useful decision making method to focus on the consequences of the
combinations of events that would have been ignored by the business because it was regarded as an
event that has never happened or is very unlikely to happen. The business can draw up different
views (optimistic and pessimistic scenarios) of an event to get a feel of the “upside” potential and
“downside” risk, which can be associated with a project.
• Simulation
Simulation is a method used to analyse financial or time models, where the variables may be
uncertain, for example costs, duration, opportunities or risks. Simulation can only be used when a
business has statistical software or commercially available spreadsheets.
The Monte Carlo simulation is a method used by a business to evaluate the effect of uncertainty on a
planned activity in a range of situations and uses random numbers to sample from a probability
distribution. A business can use this method to evaluate duration, demand or throughput and costs.
Refer to par. 11.8.5 of the prescribed book to understand how Monte Carlo simulation, percentiles
and correlations work, as well as the benefits of the Monte Carlo simulation method.
This sampling method is used to re-create the probability distributions specified by distribution
functions accurately and is a more modern technology method than the Monte Carlo simulation
method.
Some risk analysis models involve subjective estimates and thus further information needs to be
gathered by the business to get a better understanding of the analysis.
1.3 Distinguish between Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs). In your
answer refer to the different types of KRIs and KPIs. (6)
A business must clearly distinguish between key risk indicators (KRI) and key performance indicators
(KPI).
• KRIs
KRIs refer to captured information that provides useful views of underlying risk profiles at various
levels to assist decision makers within a business. The following can be seen as the four types of
KRIs:
Composite indicators.
Model risk factors.
• KPIs
KPIs refer to high level snapshots of the health and performance of a business based on specific
predefined measures, for example statistical information on the business. The following can be seen
as seven types of KPIs:
Exception reporting.
Cost management, such as return on assets (ROA) on IT or new delivering channel monitoring.
- Default risk
- Exposure risk
- Recovery risk
- Counterparty risk
Mr Mathews has just been appointed as a new Board member of Sasol Ltd. He approaches you as
the risk and compliance manager to gain a better understanding of the implementation of
corporate governance within the company.
Compile a report addressed to Mr Mathews in which you explain the corporate governance process
as well as the board’s responsibility for risk governance. (12)
Governance of risk
∙ The risk committee or audit committee should assist the board in carrying out its risk
responsibilities
• The board should delegate to management the responsibility to design, implement and monitor
the risk management plan
• Risk assessment
∙ The board should ensure that risk assessments are performed on a continual basis
∙ The board should ensure that frameworks and methodologies are implemented to increase the
probability of anticipating unpredictable risks
• The board should ensure that management considers and implements appropriate risk responses
• The board should receive assurance regarding the effectiveness of the risk management process
• The board should ensure that there are processes in place enabling complete, timely, relevant,
accurate and accessible risk disclosure to stakeholders
Briefly identify and explain four process activities which need to take place in the risk identification
stage. Activity and explanation. (8)
• Risk checklist
A risk checklist is used to list all the risks that were identified on previous projects within the
business.
A risk prompt list can be seen as a list that categorises each risk into a type or area. Through this list,
the business will be able to identify the main categories of risks experienced within the business.
• Gap analysis
A Gap analysis can be used to identify the main risks linked to a certain activity or project of the
business. The method will assist the business to establish where the gap is in the risk associated
with the activity/project so that pro-active or reactive risk measures can be established.
• Risk taxonomy
Risk taxonomy can be explained as a structured checklist to break down the risks and opportunities
into manageable components, which then can be aggregated for exposure measurement, reporting
and management. This method is used in the risk taxonomy of software development. Refer to Table
9.1 in chapter 9 of the prescribed book.
• PEST analysis
The business can also use the PEST analysis method in the identification stage to identify the risk
exposure of the business to its external environment. The business can conduct this analysis in a
workshop or brainstorming session.
• SWOT analysis
A SWOT analysis is a very easy and understandable method for a business to identify the risks and
opportunities in the business.
• Database
A risk database can be used to capture all the information of each risk identified in the business and
is an effective way to monitor all the risks and actions used in the management of all the identified
risks.
A breakdown structure for business risk is used to identify all the sources of risk within projects and
activities in the business.
• Risk questionnaire
A risk questionnaire is used when a business needs to establish the concerns and risks that arise in a
business project/activity through the various stages. The completion of the questionnaire will show
how the business employees respond to risk.
• Risk register
A risk register is used to capture information on a constant basis and to simplify communication
regarding the risks in a business project/activity. Refer to Table 9.2 in chapter 9 of the prescribed
book.
Distinguish between internal and external communication (Enterprise risk management process) (2)
A business should establish internal communication and reporting mechanisms in order to support
and encourage accountability and ownership of risk and opportunity management.
A business should establish external communication and reporting mechanisms in order to deliver
open and honest information on the risks that the business faces and how it is responding.
Briefly explain the concept “political risk”. Use examples to highlight your answer (4)
Political risk can be defined as “the uncertainty that stems, in whole or in part, from the exercise of
power by government actors and the actions of non-government groups”. This type of risk can be
seen in domestic as well as international markets but is also associated with overseas exposure and
developing countries.
For example, political decisions by governmental leaders about taxes, currency valuation, trade
tariffs or barriers, investment, wage levels, labour laws, environmental regulations and
development priorities, can affect the business conditions and profitability. Similarly, non-economic
factors can affect a business. For example, political disruptions such as terrorism, riots, coups, civil
wars, international wars, and even political elections that may change the ruling government, can
dramatically affect businesses’ ability to operate.
• The following response strategies can be used to minimise political risk in the business:
Investing in projects or entering into contracts where the host government implemented certain
policies that encourage private sector involvement.
To be protected from interest rate fluctuations a business can enter into a hedge contract.
Establish a good relationship with the workforce to create a risk friendly environment.
• The following tools can also be used by a business to mitigate political risks:
Mr Samuel has just been appointed as the new CEO of A-Z Supermarket. He approaches you as the
risk manager to gain a better understanding of the implementation of enterprise risk management
(ERM) within the company. Compile a report addressed to Mr Samuel in which you highlight the
merits of ERM (10 marks)
ERM supports better structure, reporting, and analysis of risks. Standardized reports that track
enterprise risks can improve the focus of directors and executives by providing data that enables
better risk mitigation decisions. The variety of data (status of key risk indicators, mitigation
strategies, new and emerging risks, etc.) helps leadership understand the most important risk areas.
These reports can also help leaders develop a better understanding of risk appetite, risk thresholds,
and risk tolerances.
One of the major values of ERM risk reporting is improved timeliness, conciseness, and flexibility of
the risk data. This provides the data needed for improved decision making capabilities within the
executive and director levels, and in other layers of management. ERM helps management recognize
and unlock synergies by aggregating and sharing all corporate risk data and factors, and evaluating
them in a consolidated format.
ERM develops leading indicators to help detect a potential risk event and provide an early warning.
Key metrics and measurements of risk further improve the value of reporting and analysis and
provide the ability to track potential changes in risk vulnerabilities or likelihood, potentially alerting
organizations to changes in their risk profile.
ERM also permits a more complete viewpoint on risk. Traditional risk practices focus on mitigation,
acceptance, or avoidance. However, effective ERM processes give management a framework to
evaluate risk as an opportunity to increase competitive positions and exploit certain market and
operational conditions.
In organizations without ERM, many individuals may be involved with managing and reporting risk
across operational units. While developing an ERM program does not replace the need for
day-to-day risk management, it can improve the framework and tools used to perform the critical risk
management functions in a consistent manner. Eliminating redundant processes improves efficiency
by allocating the right amount of resources to mitigating the risk.
Bond rating agencies, financial statement auditors, and regulatory examiners have begun to inquire
about, test, and use monitoring and reporting data from ERM programs. Since ERM data involves
identifying and monitoring controls and mitigation efforts across the organization, this information
can help reduce the effort and cost of such audits and reviews.
Explain the difference between risk removal and risk transfer. Use examples to elucidate your
answer (4 marks)
Risk removal can also be referred to as avoidance, elimination, exclusion and termination. Risk
removal is used to eliminate a risk when a negative outcome/impact or high-risk exposure is
anticipated. For example, doing business with a country that has political uncertainty may be too
risky to make the opportunity worthwhile (a potential for loss has been eliminated). When a
business wants to remove risk, factors such as opportunity, business objectives and costs involved
must be considered. All three of these concepts must be taken into account. Examples are when a
business decides not to introduce a new product, or ends the production of an existing product and
ceases operations that have been carried out in the past.
Risk reassignment is the strategy used to transfer risk to another entity, business or organisation.
Businesses can use contracts and financial agreements to transfer risk to a third party. Risk transfer
does not reduce the severity of the risk but does increase the impact of the risk. The most common
method of risk transfer is insurance. For example, the financial consequences of the loss are
transferred to the insurance company. When a business transfers risk the business must consider
the objectives of the parties, ability to manage the risk, risk context and cost effectiveness of the
transfer.
When it comes to the perception of risk, groups and individuals might perceive risk differently.
Indicate how the Utility Theory explains this phenomenon. (6 marks)
Utility theory assumes that every decision maker uses a utility function that translates each of the
possible payoffs in a decision problem into a non-monetary measure known as utility. The utility of a
payoff represents the desirability (total worth or value) of the outcome of a decision alternative to
the decision maker.
Different decision makers have different attitudes and preferences towards risk and return.
Those who are “risk neutral” tend to make decisions using the maximum EMV decision rule.
However, some decision makers are risk avoiders or “risk averse”, and others look for risk or are
“risk seekers”. The utility functions typically associated with these three types of decision makers are
shown in Figure 11.5. For convenience the utilities are represented on a scale from
0 to 1, where 0 represents the least value and 1 represents the most. Figure 11.5 illustrates how the
same monetary payoff might produce different levels of utility for three different decision makers.
The “risk neutral” decision maker who follows the EMV decision rule has a constant marginal utility
for increased payoffs. That is, every additional pound in payoff results in the same amount of
increase in utility. A “risk averse” decision maker assigns the largest relative utility to any payoff but
has a diminishing marginal utility for increased payoffs in that every additional pound in payoff
results in smaller increases in utility. The “risk seeking” decision maker assigns the smallest utility to
any payoff but has an increasing marginal utility for increased payoffs. That is, every additional
pound in payoff results in larger increases in utility.
Identify the three primary technology types important to a business and give one example of each (6
marks)
Information technology
• Software applications
• Management information systems
• Intranets
• Telematics
• Information assets
Communications technology
• Conference calls.
• Broadband
• Network systems
Control technology
Control technology consists of computer-based production control systems, which include the
following:
• Mechatronics
• Computer-integrated manufacture.
Market risk can be defined as “the exposure to a potential loss arising from diminishing sales or
margins due to changes in market conditions, outside of the control of the business”. (Chapman,
2012) A business needs to gain insight into the market structure (size, barriers of entry, product
diversification and number of competitors) in which the business operates. Market risk policies
should take into account business activities, objectives, the regulatory environment, competitiveness
and staff and technology capabilities. Proactive market risk management is vital for a business to
adapt to changing markets.
Mrs Jacobs has just been appointed as the new CEO of CALL4U Ltd. She approaches you as the risk
manager to gain a better understanding of the implementation of enterprise risk management
(ERM) within the company. Compile a report addressed to Mrs Jacobs in which you explain the
elements of an ERM structure. (14 marks)
Corporate governance is the framework of rules and practices by which a board of directors ensures
accountability, fairness and transparency in a company's relationship with all its stakeholders
(financiers, customers, management, employees, government and the community).
• Explicit and implicit contracts between the company and the stakeholders for distribution of
responsibilities, rights, and rewards;
• Procedures for reconciling the sometimes conflicting interests of stakeholders in accordance with
their duties, privileges, and roles, and
• Procedures for proper supervision, control and information flows to serve as a system of checks
and balances.
The report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO),
Internal Control – Integrated Framework (1992), defines internal control as “a process, effected by
an entity’s board of directors, management and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives in the following categories:
The aim is to accomplish this through the identification and assessment of risks facing the business
and responding to them by either removing them, reducing them or, where it is economic to do
so, transferring them to a third party.
1.10.3 Implementation
• Design framework
• Implement framework
• Monitor framework
• Improve framework.
A risk management policy sets out how the risks, which have been identified by the risk assessment
procedure, will be managed and controlled. The risk management policy assigns responsibility for
performing key tasks, establishes accountability with the appropriate managers, defines boundaries
and limits and formalises reporting structures. The policy should address specific responsibilities of
the board, internal audit, external audit, the risk committee, the corporate governance committee,
the central risk function, employees and third party contractors in implementing risk management. A
policy statement defines a general commitment, direction or intention. A policy on risk management
expresses an organisation’s commitment to risk management and clarifies its general direction or
intention.
According to International Risk Standard, ISO 31000 (2009), a risk management process is one that
systematically applies management policies, procedures, and practices to a set of activities intended
to establish the context, communicate and consult with stakeholders, and identify, analyse,
evaluate, treat, monitor, and review risk.
A risk source has the intrinsic potential to give rise to risk. A risk source is where a risk originates. It is
where the risk comes from.
Briefly explain the following six process activities which need to take place in the risk evaluation
stage. (6 marks)
• Sensitivity analysis
The sensitivity analysis method can be used by a business to assess how sensitive the project
outcomes are to changes in the business. The method uses one variable and examines the effect of
that specific variable on the project.
• Scenario analysis
Scenario analysis is a useful decision making method to focus on the consequences of the
combinations of events that would have been ignored by the business because it was regarded as an
event that has never happened or is very unlikely to happen. The business can draw up different
views (optimistic and pessimistic scenarios) of an event to get a feel of the “upside” potential and
“downside” risk, which can be associated with a project.
• Simulation
Simulation is a method used to analyse financial or time models, where the variables may be
uncertain, for example costs, duration, opportunities or risks. Simulation can only be used when a
business has statistical software or commercially available spreadsheets.
The Monte Carlo simulation is a method used by a business to evaluate the effect of uncertainty on a
planned activity in a range of situations and uses random numbers to sample from a probability
distribution. A business can use this method to evaluate duration, demand or throughput and costs.
Refer to par. 11.8.5 of the prescribed book to understand how Monte Carlo simulation, percentiles
and correlations work, as well as the benefits of the Monte Carlo simulation method.
This sampling method is used to re-create the probability distributions specified by distribution
functions accurately and is a more modern technology method than the Monte Carlo simulation
method.
Some risk analysis models involve subjective estimates and thus further information needs to be
gathered by the business to get a better understanding of the analysis.
Distinguish between key risk indicators and key performance indicators. Use examples to elucidate
your answer. (4 marks)
• KRIs
KRIs refer to captured information that provides useful views of underlying risk profiles at various
levels to assist decision makers within a business. The following can be seen as the four types of
KRIs:
Composite indicators.
• KPIs
KPIs refer to high level snapshots of the health and performance of a business based on specific
predefined measures, for example statistical information on the business. The following can be seen
as seven types of KPIs:
Exception reporting.
Cost management, such as return on assets (ROA) on IT or new delivering channel monitoring.
The sources of risk embraced under economic risk include fall in demand (a shift in the aggregate
demand curve), government policies (including interest rates and trade protectionism), exchange
rates, movement in house prices and inflation.
• Providing an understanding of how the short-term behaviour of the gross domestic product (GDP)
impacts employment, prices and standard of living; and
• Promoting rigorous market research before entering new markets in both the domestic and
international markets.
Ms Maria Trevor has just been appointed as the new CEO of Local Supermarket Ltd. She approaches
you as the risk manager to gain a better understanding of the implementation of risk management in
the company.
Briefly describe risk management and the seven stages in the risk management process to Ms Maria
Trevor to give her a better understanding of the implementation of risk management in Local
Supermarket Ltd (10 marks)
Identify and describe four process activities for risk analysis which can be used by a business in the
ERM analysis stage (8 marks)
• Causal analysis
The causes of any risk must be identified. It is important for the business to learn from past events to
implement risk management measures for future events.
Decision analysis is used to structure decisions, uncertain/chance events and values of outcomes.
The influence diagram can be used to assist in the development and understanding of the risks and
the actions to be taken in the decision making process. Such analysis will provide a framework for
the decisions, events, managing of problems, reducing large volumes of data and sensitivity analysis
in the business.
• Pareto analysis
Pareto analysis is used to identify those risks that will have a dramatic impact on business
projects/activities and objectives. Such analysis will rank and order the risks according to their
impact so that the business can manage the high risks accordingly.
The CAPM model is used to determine the expected return of an asset in relation to its risk or risk
profile. The higher the risk, the higher the return will be for an investment. Market risk is measured
by its beta in the CAPM model.
It is important to conduct qualitative and quantitative assessments in the risk analysis process.
Qualitative assessments explain the impact of the risks, whereas quantitative assessment will consist
of numeric assessments, which can involve financial and timing risks. It is best to manage the most
severe risks that the business has identified.
Identify and distinguish between the three main attitudes towards risk (6 marks)
Risk neutral – The attitude towards risk that requires no change in the risk/reward balance return for
an increase in risk. Tend to use the EMV method with the highest monetary value.
Risk averse – The attitude towards risk that requires an increase in the return for an increase in the
risk.
Risk seeking – The attitude towards risk whereby a decreased return would be accepted for an
increase in risk.
Operational risk is “the potential for loss due to failures of people, processes, technology and
external dependencies”. The sources of risk considered to be embraced within operational risk
include business risk, crime risk, disaster risk, information technology risk, legal risk, regulatory risk,
reputational risk, systems risk and outsourcing.
Operational risk in terms of the Basel Accords has been subdivided into seven separate categories.
We examine each of these categories and briefly explain what types of risks they cover.
Internal Fraud. By and large this covers fraud by bank staff such as the stealing of assets, theft of
client information, covering up errors, intentional mismarking of positions, bribery etc.
External Fraud. This occurs where non-bank staff are involved, such as in computer hacking, third-party
theft and forgery.
Employment Practices and Workplace Safety. Inequitable staff policies, workers compensation
claims, employee health and safety issues.
Clients, Products and Business Practice. This is a very wide field and generally covers market
manipulation, antitrust issues, improper trading activities, bank product defects, fiduciary breaches,
account churning. The sub-prime mortgage debacle is a clear example of a product defect. The huge
LIBOR rate rigging scandal which has dominated the news these past few years falls into this
category as well.
Damage to Physical Assets. This covers things like natural disasters, terrorism and vandalism –
anything that results in actual damage or destruction of the bank’s physical assets. These actions
may be deliberate or purely accidental.
Business Disruption and Systems Failures. Power failures, computer software and hardware failures.
A hurricane or a flood that results in banking services being disrupted also falls into this category.
Execution, Delivery and Process Management. This covers things like data capture errors, accounting
errors, failure to meet legal reporting requirements, negligent loss of client assets.