RSK2601 Complete Questions Answers


RSK2601 Study bank

Enterprise risk management (ERM) is characterised by a

1. Narrow focus of hazard risks
2. Comprehensive, inclusive and proactive approach to risk management
3. Functional approach to risk management responsibilities
4. Lack of consistency in terms of level of detail and reporting formats

The purpose of an ERM policy is to

1. Assist an organisation integrating risk management into its management processes
2. Communicate externally that risk management is being practiced
3. Satisfy internal and external audit requirements
4. Set out how the risks will be managed and controlled

A risk management policy sets out how the risks, which have been identified by the risk assessment
procedure, will be managed and controlled. The risk management policy assigns responsibility for
performing key tasks, establishes accountability with the appropriate managers, defines boundaries
and limits and formalises reporting structures. The policy should address specific responsibilities of
the board, internal audit, external audit, the risk committee, the corporate governance committee,
the central risk function, employees and third party contractors in implementing risk management. A
policy statement defines a general commitment, direction or intention. A policy on risk management
expresses an organisation’s commitment to risk management and clarifies its general direction or
intention.

What do boards fundamentally seek from an ERM system?

1. The avoidance of unpleasant surprises and losses
2. Integration of risk management, audit and governance
3. Robust procedures
4. Competent risk management teams

Pg 9 textbook

Which of the following are benefits of ERM?

a. Build confidence with stakeholders and the investment community
b. Align risk appetite and strategy
c. Link risk with audit requirements
d. Seize opportunities

Choose the correct combination:

1. A, c
2. B, c
3. A, b, d
4. All of the above

The benefits of ERM include the following:

♦ Increase in the likelihood of a business realising its objectives

♦ Build confidence in stakeholders and the investment community

♦ Comply with relevant legal and regulatory requirements

♦ Align risk appetite and strategy

♦ Improve organisational resilience

♦ Enhance corporate governance

♦ Embed the risk process through the organisation

♦ Minimise operational surprises and losses

♦ Optimise allocation of resources

♦ Identify and manage cross enterprise risks

♦ Link growth, risk and return

♦ Rationalise capital

♦ Seize opportunities

♦ Improve organisational learning

Which of the following is typical of the traditional approach to risk management?

1. Risk management carried out in silos and extensive use of insurance
2. A comprehensive approach to managing risks
3. Integrating efforts of operations and risk managers
4. Viewing risk management as part of everyone’s daily routine

Traditionally, risk management has been segmented and carried out in “silos”. However, with the
dynamic environment and the evolving nature of risk, businesses encounter new types of risk while
pursuing new business objectives. There is therefore a need for an integrated framework for a
holistic approach to risk management.

King III applies to

a. Banks
b. Insurance institutions
c. Public sector agencies
d. All listed companies on the JSE

Choose the correct combination:

1. A, b
2. A, b, d
3. A, b, c
4. All of the above

King III applies to all listed companies on the JSE, banks, financial and insurance institutions and
some public sector agencies.

The King III Report on Corporate Governance introduced which of the following new concepts?

a. Shareholder approval of remuneration policies
b. Alternative dispute resolution (ADR)
c. Directors’ performance evaluation
d. Business rescue

Choose the correct combination:

1. A, c
2. A, b, c
3. B, c, d
4. All of the above

The risk management policy forms part of the ERM

1. Scenario
2. Taxonomy
3. Framework
4. Structure

ERM is composed of seven elements namely: corporate governance, internal control,
implementation, risk management framework, risk management policy, risk management process
and sources of risk.

Which one of the following is a recognised context stage (first stage) tool to obtain information on
the business?

1. GAP analysis
2. Database analysis
3. Investment analysis
4. PEST analysis

Mechanisms

- Finance analysis tools
- Risk management process diagnostic
- SWOT analysis
- PEST analysis

Gap analysis can be used to draw out the main risks to an activity or project and is commonly carried
out by calling upon department heads to complete a questionnaire.

During the context stage of a risk study, the ERM team for House and Home elects to examine House
and Home’s financial ratios to understand the business’ financial health before moving onto the risk
identification stage. This will enable them to

1. Provide a quick and relatively simple way to examine the financial position and performance
of House and Home
2. Assess whether House and Home’s records are regularly updated
3. Open the dialogue with the finance department and the internal auditors in House and
Home
4. Satisfy recommended ERM practices for this stage of the risk process in House and Home

Financial ratios: Financial analysis tools that are used to examine various aspects of financial position
and performance and that are widely used for planning, control and evaluation purposes.

A risk checklist is a useful tool for a business to determine

1. Its strengths and weaknesses in the micro environment
2. The internal environmental factors which may influence its performance
3. The main risks linked to a certain project of the business
4. The external environmental factors which may influence its performance

A risk checklist, as described by the PRAM Guide (Simon et al. 1997), is an in-house list of risks “that
were identified on previous projects”. Projects in the context of enterprise risk are either capital
investment projects or business activities. Risk checklists are often developed from managers’ past
experience. Checklists permit managers to capture lessons learnt and assess whether similar risks
are relevant to the business activities of today.

The Delphi technique is primarily used in the ________ stage of the risk management process

1. Evaluation
2. Analysis
3. Identification
4. Monitoring and review

Risk identification can be conducted in a number of ways and is a facilitated process typically
adopting one or a combination of the following: questionnaires (including the Delphi technique),
interviews or interactive workshops using brainstorming, scenario analysis, systems dynamics or the
nominal group method. Risk and opportunity identification is commonly a group-oriented approach
that draws on the combined knowledge and experience of the individuals selected to participate.

Using a risk identification facilitator from outside the business will

1. Assist with timetabling
2. Avoid creating tension in the team when one is selected as the facilitator and others are not
3. Avoid problems of bias, lack of independence, hidden agendas, single direction approaches
or pursuit of personal goals
4. Avoid the facilitation process or approach being constrained by previous approaches

Facilitation is distinguishable from meeting chairmanship in that the facilitator is not normally a
business employee or a member of the project team, contributes nothing more than facilitating skills
and has no vote and certainly no casting vote in decision making. There are distinct advantages in
not selecting a facilitator from a business function (or the business as a whole) as it avoids problems
of bias, lack of independence, hidden agendas and distortion of focus to permit pursuit of personal
or departmental goals. To accomplish the aims of facilitation it is common for the facilitator to adopt
one of the seven techniques described below, commencing with brainstorming.

Scenario analysis can be used

1. To record ideas in a scenario for clarification and evaluation
2. For technological forecasting by expert scenarios
3. To identify risks by using case scenarios (best to worst scenarios) to consider possible future
developments
4. In an interview to view a situation from a different perspective

Scenario analysis can be used to identify risks by considering possible future developments and
exploring their ramifications for an activity or project. Sets of scenarios reflecting, for example, “best
case” (optimistic), “expected case” (most likely) and “worst case” (pessimistic) may be used to
analyse a risk, including both the probability of occurrence and potential consequences. It can be
used to look back over a fixed period and examine, for instance, major shifts in technology,
transportation and property development with a view to considering future change.

Which of the following is a typical output of the Risk Evaluation stage?

1. Industry betas
2. Human Resources Plan
3. Risk Register
4. Profit and loss account

Outputs: Risk register, Modelling results, Decision trees, Quantitative results, Scenario modelling,
Sensitivity analysis

A list generated during the risk identification stage to categorise each risk into a type or area in the
business, is known as a risk

1. Index
2. Taxonomy
3. Prompt list
4. Check list

A risk prompt list, as described by the first edition of the PRAM Guide (Simon et al. 1997), is a list
which “categorises risks into types or areas”.

The number of years required to recover an initial investment is called

1. Net Present Value (NPV)
2. Internal Rate of Return (IRR)
3. Payback Period (PP)
4. Average Rate of Return (ARR)

Payback period (PP): The number of years required to recover an initial investment. It considers the
timing of cash flows and therefore the time value of money, thus the payback period should be as
short as possible.

Decision analysis is a useful technique to

1. Structure uncertain events and values of outcomes
2. Examine how sensitive the project outcomes are to changes in the business
3. Focus on the consequences of combinations of events which are not likely to happen
4. Analyse financial models where variables may be uncertain

Decision analysis is used to structure decisions, uncertain/chance events and values of outcomes.

Risk transfer is used to

1. Accept the risk in the business
2. Transfer the risk to a third party
3. Reduce the likelihood of a risk occurring
4. Eliminate a risk when a negative outcome is anticipated

Risk reassignment is the strategy used to transfer risk to another entity, business or organisation.
Businesses can use contracts and financial agreements to transfer risk to a third party. Risk transfer
does not reduce the severity of the risk but does increase the impact of the risk. The most common
method of risk transfer is insurance.

The main reason for controlling risks is to establish whether

1. Risk meetings are happening regularly
2. Risk response actions are effectively implemented
3. A risk database is being maintained
4. Meaningful information is used for decision making

The controlling process is based on the information gathered in the monitoring process to form
decision-making. It means the business must understand who needs what information for what
purpose and when. To give a manager control, the control activities must adhere to the following
seven specifications:

• Control is a principle of economy.

• Controls must be meaningful.

• Controls have to be appropriate to the character and nature of the phenomenon measured.

• Measurements have to be congruent with the events measured.

• Controls have to be timely.

• Controls need to be simple.

• Controls must be operational.

The risk of the exposure of an enterprise to adverse events that erode profitability and, in extreme
situations, bring about business collapse is __________ risk

1. Financial
2. Economic
3. Strategic
4. Market

Financial risk is the exposure of an enterprise to adverse events that erode profitability and in
extreme situations, bring about business collapse.

The uncertainty linked to the recovery of outstanding amounts due is known as _________ risk

1. Exposure
2. Default
3. Credit
4. Recovery

Recovery risk: The risk related to uncertainty over the likely recovery of outstanding amounts due.

Which one of the following is a benefit of operational risk management?

1. Maximising day-to-day profits
2. Improving financial planning and management
3. Providing a more robust ERM system and correlation of different classes of risks
4. Enabling a better understanding of compliance with legal requirements

Operational risk management affords a business benefits by:

• improving the ability to achieve its business objectives;

• providing management the opportunity to focus on revenue generating activities rather than fire-
fighting one crisis after another;

• minimising day-to-day losses;

• providing a more robust enterprise risk management system;

• contributing to the establishment of a system which enables the correlation of different classes of
risk to be understood and, where appropriate, modelled.

Information technology tools include

1. E-commerce
2. Broadband
3. E-mails
4. Intranets

Information technology

IT is the collection, storage, processing and communication of information by electronic means.

There are various types of IT tools, which include the following:

- Software applications
- Management information systems
- Intranets
- Telematics
- Information assets

Options, futures and swaps are financial products called

1. Foreign currencies
2. Investment options
3. Derivatives
4. Credits

Derivatives are financial products derived from some other existing product. Examples include
options, futures and swaps. Derivatives are available to cover many types of exposure including
interest rates; foreign currency exchange rates; commodities, such as energy (oil or gas), bullion (e.g.
gold and silver), base metals (copper and nickel) and agriculture (e.g. sugar); and equities.
Derivatives can be either “exchange traded” or “over the counter”.

Global warming is becoming a common concern all over the world. Which of the following initiatives
has been implemented by the South African Government to reduce the effects of global warming?

1. Allowance for greenhouse gas emissions
2. Environmental sustainability
3. Emission trading protocols
4. Carbon tax

Response to global warming

In response to increasing concerns about climate change, several policies and frameworks were put
in place in an effort to reduce the effects of global warming. These initiatives include the following:

• Earth Summit – the United Nations Framework Convention on Climate Change, 1992

• The Kyoto Protocol, 2004

• Pollution control targets imposed on countries by the Kyoto Protocol.

• Sufficiency of emission cuts whereby countries commit themselves to cut emissions.

• The US Climate Pact, 2005

• The Copenhagen Accord, 2009

• The European Union taking a leading role to govern global action on climate change

• The Cancun Agreements, 2010

• Domestic government response to climate change whereby governments promulgate legislation
on the cutting of carbon emissions

• Levies such as the “carbon tax” levied on the selling price of new vehicles in South Africa

• Emissions trading whereby countries are allowed to buy and sell their agreed allowances of
greenhouse gas emissions

Which one of the following factors is important for the development of a sound economic risk
management system?

1. An understanding of financial systems and internal controls
2. An understanding of the impact of changes in exchange rates on the demand curve
3. An understanding of the drivers of environmental sustainability
4. An understanding of changes in interest rates

The development of a sound system of economic risk management will depend on a number of
issues such as:

• an understanding of the drivers and consequences of inflation;

• an understanding of the impact of changes in exchange rates on the demand curve;

• tracking planned government spending;

• an understanding of government fiscal and monetary policies;

• the taxation regime.


Inflation is defined as

1. A sustained general rise in prices
2. A lack of familiarity with the history of changes in the exchange rate of different currencies
3. The inability in the short term to obtain cash in a desired currency
4. Fluctuations in exchange rates which affect cash flows from overseas investments

Inflation is defined as a sustained general rise in prices. Creeping inflation describes a situation
where prices rise a few percent on average each year. Hyperinflation describes a situation
where inflation levels are very high. Inflation is believed to cause unemployment and lower
economic growth.

Which of the following is a risk control measure in a health and safety management system?

1. Paying employees’ salaries on time
2. Having an IT back-up facility at a distant location
3. Emergency procedures such as recovery plans following a fire
4. A disclaimer delivered with the products, marketed by a company

Legal risk refers to the

1. Risk arising from non-compliance with laws
2. Number of competitors moving into and out of the market the business is operating in
3. Uncertainty that stems from the exercise of power by government
4. Exposure to a potential loss arising from diminishing sales due to changes in market
conditions outside the control of the business

Legal risk is the risk arising from violations of or non-compliance with laws, rules, regulations,
prescribed policies and ethical standards. This risk also arises when laws or rules governing certain
products or activities of an organisation’s customers are unclear or untested. Non-compliance can
expose the organisation to fines, financial penalties, payment of damages and the voiding of
contracts. It could also lead to a diminished reputation, reduced franchise value, limited business
opportunities, restricted developments and an inability to enforce contracts.

As a consequence of the diversity of risk, risk management requires a _________ approach

1. Narrow
2. Modern
3. Broader
4. Traditional

As businesses strive for the creation of value for their shareholders they should understand what
risks to take and those to avoid. As businesses grow, they are continuously exposed to greater, more
complex and diverse (of various kinds or forms) and dynamic risks. Therefore, the range of risks that
organisations need to manage has greatly increased. Because of the diversity of risk exposures, risk
management requires a broader approach.

Risk management controls risk as far as possible to enable a business to maximise its

1. Opportunities
2. Profits
3. Strengths
4. Wealth

The effective management of risks and opportunities is increasingly seen as an important
competitive differentiator, helping businesses achieve success despite difficult economic times.
Businesses continuously explore and develop opportunities to sustain earnings and drive long-term
increases in shareholder value. It is acknowledged that in their daily activities, businesses are
exposed to various risks and that it is necessary to take certain risks to maximise business
opportunities. The Board has the overall responsibility to operate an effective risk and opportunity
management system that ensures comprehensive and consistent management of all significant risks
and opportunities. The benefits of effective risk and opportunity management include the following:

♦ Improved cost certainty

♦ Higher economic returns

♦ Sustainable shareholder value

♦ Increased stakeholder confidence

♦ Reduction of costly disputes and claims

A risk management _______ sets out how the risks which have been identified by the risk
assessment procedure will be managed and controlled.

1. Framework
2. Policy
3. Process
4. Structure

A risk management policy sets out how the risks, which have been identified by the risk assessment
procedure, will be managed and controlled. The risk management policy assigns responsibility for
performing key tasks, establishes accountability with the appropriate managers, defines boundaries
and limits and formalises reporting structures.

Enterprise Risk Management (ERM) may be defined as

1. A system aimed at satisfying stock exchange requirements
2. A reactive system which responds to events as they unfold
3. A ‘tick-box’ process ensuring legislation is complied with
4. A systematic process embedded in a company’s system of internal control to support the
fulfilling of the company’s objectives

ERM is a structured and systematic process that is interwoven with existing management
responsibilities. It provides a framework based on analysing risks and opportunities, with an ultimate
objective of creating value for the shareholders. ERM entails the alignment of an organisation’s
strategy, processes, people, technology and knowledge to meet its risk management purpose; and
offers a systematic and integrated way of identifying and responding to all sources of risk. ERM aims
to provide a coherent framework to deal with all risks that result from operating in the ever-
changing economic environment.

The King III Report on Corporate Governance introduced which of the following new concepts?

a. Shareholder approval of remuneration policies
b. Alternative Dispute Resolution (ADR)
c. Directors’ performance evaluation
d. Business rescue

Choose the correct combination:

1. A, c
2. A, b, c
3. B, c, d
4. All of the above

Pg 98 study guide

Corporate governance affects various business areas. Improving the confidence of domestic and
international investors is an example of

1. Overall performance
2. Attracting lower-cost capital
3. Meeting social obligations
4. Employing assets efficiently

Effective corporate governance helps enterprises to attract lower-cost capital by improving the
confidence of domestic and international investors and by assuring them that the assets are used in
the form agreed upon, whether the investment is in the form of debt or equity. This has a positive
impact on both debt and equity. For enterprises to succeed in competitive markets, corporate
managers must innovate relentlessly and efficiently, and constantly evolve new strategies to meet
changing circumstances.

Which one of the following activities in a company needs to be reported under the triple bottom-line
principle?

1. Financial performance
2. Technological performance
3. Legal performance
4. Environmental performance

The King II Report moved away from the single bottom-line principle (i.e. profit for shareholders) to a
triple bottom-line principle, which takes into account the environmental, economic and social
activities of a company. Besides reporting on their financial performance (single bottom line),
corporations must also disclose their social and environmental performances (triple bottom line).

According to ________ , non-executive directors should not receive share options

1. The Companies Act (1973)
2. The Companies Act (2008)
3. King II
4. King III

Pg 101 study guide

Company A is interested in acquiring XYZ Limited. Prior to making a decision, the board requests that
management conducts a strategic review of XYZ Limited and also performs the following:

- An analysis of XYZ Limited
- A market analysis
- A product, portfolio and matrix analysis, and
- An analysis of the general environment

Which one of the following process mechanisms is Company A using?

1. PEST analysis
2. SWOT analysis
3. Financial analysis
4. Gap analysis

A SWOT analysis can be considered as bringing together a strategic review of a business
and in particular (Friend and Zehle 2004):

• the analysis of the firm (internal elements);

• the market analysis (internal and external elements);

• the product, portfolio and matrix analysis (internal and external elements);

• the analysis of the general environment (external elements).

Pareto analysis is used to

1. Identify those risks that will have a dramatic impact on business projects/activities and
objectives
2. Determine the expected return of an asset in relation to its risk or risk profile
3. Structure decisions, uncertain events and values of outcomes
4. Identify the cause of any risk

Pareto analysis

Pareto analysis is used to identify those risks that will have a dramatic impact on business
projects/activities and objectives. Such analysis will rank and order the risks according to their
impact so that the business can manage the high risks accordingly.

Which stage of the ERM process is concerned with gaining an understanding regarding the
background of the business as a whole as well as the specific business activities, processes or
projects?

1. Risk analysis
2. Risk evaluation
3. Monitoring and review
4. Establishing the context

Establishing the context is the first stage in the overall seven-stage process of enterprise risk
management. Establishing the context is concerned with gaining an understanding of (1) the
background to the business as a whole, in general terms, and (2) the specific business activity,
process or project, forming the subject of the risk management study. It provides a basic foundation
for everything that follows.

Which of the following is a regulatory framework which a business must comply with and embed in
its business operations?

1. PEST analysis
2. Process mapping
3. Compliance system
4. Financial analysis tools

The compliance system

The regulatory framework in which a business operates must be embedded in the business
operations. The business must also comply with the regulatory framework.

A resolution strategy is used

1. By a business to evaluate the effect of uncertainty on planned activity
2. To assess how sensitive the project outcomes are to changes in the business
3. By a business to respond to a particular recurring risk
4. To illustrate the decision options used to arrive at a risk response category

The resolution strategy is a technique used by a business to respond to a particular recurring risk.

Which one of the following risk response strategies uses insurance as one of the methods to respond
to risk?

1. Risk retention
2. Risk transfer
3. Risk reduction
4. Risk removal

Risk reassignment is the strategy used to transfer risk to another entity, business or organisation.
Businesses can use contracts and financial agreements to transfer risk to a third party. Risk transfer
does not reduce the severity of the risk but does increase the impact of the risk. The most common
method of risk transfer is insurance.

Which stage in the ERM process must be on-going in order to increase the success of the
implementation of the entire process?

1. Risk treatment
2. Risk analysis
3. Communication and consultation
4. Monitoring and review

Monitoring and review is an on-going process of implementing and examining the success or
otherwise of the planned responses. It entails evaluating the perceived benefit of the response, its
attendant costs and the likelihood of new risks being triggered by the response. If a decision is taken
to implement the response, it has to be clarified who will do so and when.

Risk appetite can be defined as

1. The strategy used to transfer a risk to another entity, business or organisation.
2. A reduction of risks by distribution.
3. The amount of risk a business is prepared to tolerate at any point in time
4. The elimination of a risk when a negative outcome or high-risk exposure is anticipated

Risk appetite can also be referred to as risk attitude, tolerance, preference or capacity. The definition
for risk appetite is the amount of risk a business is prepared to tolerate (be exposed to) at any point
in time. A business's risk appetite can vary according to its objectives, culture, environment, perceived
financial exposure to certain risks and risk attitudes (risk neutral, seeking and averse).

Scenario analysis can be used

1. For technological forecasting by expert scenarios
2. In an interview to view a situation from a different perspective
3. To identify risks by using case scenarios (best to worst scenarios) to consider possible future
developments
4. To record ideas in a scenario for clarification and evaluation

Scenario analysis can be used to identify risks by considering possible future developments and
exploring their ramifications for an activity or project. Sets of scenarios reflecting, for example, “best
case” (optimistic), “expected case” (most likely) and “worst case” (pessimistic) may be used to
analyse a risk, including both the probability of occurrence and potential consequences. It can be
used to look back over a fixed period and examine, for instance, major shifts in technology,
transportation and property development with a view to considering future change.

The ultimate responsibility for project risk management must rest with the project

1. Coordinator
2. Team
3. Director
4. Manager

Successful PRM cannot be driven from the bottom up but must be championed from the top.
Ultimate responsibility for PRM must rest with the project director, who must be instrumental in
setting the right culture.

Which one of the following methods is used by a business to evaluate the effect of uncertainty on a
planned activity in a range of situations and makes use of random numbers to sample from a
probability distribution?

1. Latin hypercube sampling
2. Monte Carlo simulation
3. Scenario analysis
4. Capital Asset Pricing Model (CAPM)

The Monte Carlo simulation is a method used by a business to evaluate the effect of uncertainty on a
planned activity in a range of situations and uses random numbers to sample from a probability
distribution. A business can use this method to evaluate duration, demand or throughput and costs.

Potential loss exposure arising from diminishing sales or margins as a result of changes in market
conditions, outside of the control of the business, is known as _________ risk

1. Economic
2. Financial
3. Market
4. Strategic

Market risk can be defined as “the exposure to a potential loss arising from diminishing sales or
margins due to changes in market conditions, outside of the control of the business”.

Mr Nyoka is a risk manager at Gold Mining Ltd. He is approached by the board of directors to
comment on the health and safety system of the business. Which one of the following questions will
be the most important one to be asked by Mr Nyoka to determine if Gold Mining Ltd is
implementing health and safety measures correctly?

1. Is Gold Mining Ltd implementing a health and safety system which reflects the national
legislation on common practice in the mining industry?
2. Is Gold Mining Ltd creating a sound health and safety indicator system?
3. Is Gold Mining Ltd creating measurable targets for occupational accidents and hazards in the
working environment?
4. Is Gold Mining Ltd identifying common health and safety risks?

Risk management best practice is implemented through the development of a risk management
system, policy and procedures to provide safe systems of work, defining targets, measuring
performance and revisiting procedures in the light of experience. The following are the main
risk mitigation factors:

• Establishing a greater awareness of the legal liabilities of the organisation.

• Gaining an awareness of existing guidance such as BS 8800 which provides guidelines for an
effective occupational health system, the International Labour Organisation’s 2001 Guidelines on
Occupational Safety and Health Management Systems (ILO-OSH), which were the result of extended
international consultations held over 2000–2001, and the OHSAS 18000 Series of International
Standards for Occupational Health and Safety Management Systems.

• Implementation of a health and safety management system – companies that have an
occupational safety and health management system (OSH-MS) set up according to the ILO-OSH
have both better safety and productivity records.

• Involvement of the workforce in both planning and running the organisation’s OSH-MS creates
improved ownership and participation.

• A functioning, recording, notification and indicator system provides a better picture of the
problems and the follow-up that is necessary.

• Measurable targets for reducing occupational accidents and work-related diseases by targeting
their causal factors.

• Workplace mapping techniques are an effective tool to identify health and safety problems in the
workplace and define the measures necessary to resolve them.

• Development of a public relations response management plan and crisis management plan.

The default by a small number of large customers may lead to ________ as a result of credit risk

1. Tax evasion
2. Bribery
3. Insolvency
4. Profits

Credit risk is the financial loss suffered due to the default of a borrower or counterparty under a
contract. Default by a small number of large customers may lead to insolvency.

Failing to execute a well-thought-out strategy is an example of ________ risk

1. Country
2. Political
3. Operational
4. Financial

According to Chapman (2011), adopting the wrong business strategy, failing to execute a well-
thought-out strategy and not modifying a successful strategy over time, are examples of operational
risk.

_______ is the buying of goods on the internet

1. E-mail
2. E-trade
3. E-commerce
4. E-tailor

Electronic commerce or e-commerce is the buying and selling of goods on the internet. It is doing
business electronically.

Ethical risk refers to

1. The breach of environmental legislation
2. Moral rules and regulations governing the business world
3. The care a person should take before entering into an agreement with another party
4. Exposure to events, which may result in criminal prosecution

Ethical risk refers to exposure to events, which may result in criminal prosecution, civil law suits or
erosion of reputation. Examples of ethical risk include bribery, false accounting, child labour, tax
evasion, money laundering and invasion of privacy.

A ________ policy is a government policy which makes decisions regarding the taxation, borrowing
and spending of a country

1. Fiscal
2. Monetary
3. Economic
4. Trade

Macro-economic policy is influenced by government policy through fiscal policy, monetary policy
and competing theories. Fiscal policy aims to influence government revenue (taxation)
and/or expenditure. Macro-economic policy is thus used by governments to influence the level of
aggregate demand and supply in the economy.

Which of the following factors can be avoided when implementing a health and safety risk
management system?

a. Compensation payments
b. Civil claims
c. Decrease in insurance premiums
d. Adverse media attention

Choose the correct combination:

1. A, b
2. A, c, d
3. A, b, d
4. All of the above

A health and safety risk management system helps to avoid:

• health and safety incidents or an increase in the number of incidents and/or their impact;

• non-compliance convictions, criminal prosecutions or enforcement notices;

• civil claims;

• adverse media attention and damage to reputation;

• increase in insurance premiums;

• compensation payments;

• the need to investigate the cause(s) of an accident;

• the need to prepare accident reports, attending hearings or inquest courts;

• the need to arrange for the injured employee’s work to be continued by another employee;

• the need to make staff rehabilitation and return to work arrangements (recognising that
returning staff may need to work at a reduced capacity, at least initially);

• loss of productivity, business, early completion bonuses or future orders;

• the need to engage solicitors and barristers to represent the organisation;

• loss of board, management and supervisor time in responding to incidents.

There are a number of additional benefits such as:

• increased productivity;

• greater production reliability and reduction in the chance of losing sales to a competitor;

• improvement in staff morale, together with staff retention and recruitment rates;

• reduced staff absenteeism;


• meeting increasingly stringent lending criteria;

• improved success rate in bidding for contracts;

• improved shareholder satisfaction from meeting increasingly higher health and safety standards.

ABC Limited has been subject to an internal audit. The internal audit report indicated the staff in the
debtors department is not properly trained with regards to completing individual debtor
reconciliations. As a result of this, the reconciliations have incorrect reconciling items. The fact that
the staff are not properly trained is an example of a (an)

1. Risk
2. Risk source
3. Opportunity
4. Internal control

A risk source has the intrinsic potential to give rise to risk. A risk source is where a risk originates. It is
where the risk comes from.

The purpose of an enterprise risk management (ERM) policy is to

1. Assist an organisation in integrating risk management into its management processes
2. Communicate externally that risk management is being practiced
3. Address specific responsibilities of the board and risk committee
4. Systematically apply management processes and practices

The policy should address specific responsibilities of the board, internal audit, external audit, the risk
committee, the corporate governance committee, the central risk function, employees and third
party contractors in implementing risk management.

The main objective of ERM is to ensure that businesses

a. Eliminate existing risks altogether
b. Understand that risk is inescapable in a business activity
c. Understand that taking risk and managing it is the essence of business growth
d. Do not take risks at all

Choose the correct combination

1. B, c
2. A, d
3. B, c, d
4. All of the above

Indicate the correct statement

1. Risk is the deviation of the expected from the actual result
2. Risk implies the presence of uncertainty
3. Uncertainty arises from a person’s perfect state of knowledge about the future events
4. The probability of an event refers to its short-term frequency of occurrence

With reference to the concept of risk of opportunity, which of the statements are correct?

1. As businesses continuously explore and develop opportunities to sustain earnings it is not
necessary to take certain risks to maximise business opportunities
2. Traditional risk management aims to provide a coherent framework to deal with all risks and
opportunities that result from operating in the ever-changing economic environment
3. The effective management of risks and opportunities assists a business to achieve success
despite difficult economic times
4. Risk averse refers to the tendency to engage in behaviours that have the potential to be
harmful or dangerous

What are the key obstacles in an organisation to make risk management integral with the overall
business strategy?

a. Competition with other priorities
b. Fear of creating a risk-averse and bureaucratic culture
c. Directors consider risk management a task for line management and not the board
d. The board does not understand or appreciate the principles and benefits of ERM

Choose the correct combination

1. A, c
2. A, b, c
3. B, c, d
4. All of the above

There are a number of challenges to the implementation of PRM that occur time and time
again. These include, but are not restricted to:

• lack of clearly defined and disseminated risk management objectives;

• lack of senior executive and project director commitment and support for PRM;

• lack of a risk maturity model to guide the goals for risk management;

• lack of a change process to introduce the discipline (in situations where some form of PRM has not
previously been embarked upon);

• no common risk language (terms and definitions);

• lack of articulation of the sponsor’s risk appetite (i.e. risks the project will and will not take);

• no definition of risk management roles and responsibilities;

• lack of risk management awareness training to build core competencies;

• no integration of risk management with other project disciplines;

• reticence of project personnel to spend time on risk management;

• risk owners not automatically taking responsibility for the risks assigned to them;

• no clear demonstration of how risk management adds value and contributes to project
performance;

• overcomplicated implementation through confusing policies, strategies, frameworks, plans, and
verbose and mutually incompatible procedures;

• lack of alignment between the overall business strategy, the project business model and the
risk management objectives for projects.

Which one of the following is not an example of risk taking behaviour?

1. Themba loves driving his Maserati at high speed, he enjoys the thrill that comes with driving
fast
2. The oil prices have been falling significantly over the past few months, as a result Mr Davies,
an investor, decided to avoid buying a stake in the oil company
3. Siyaqhuba General Dealers is in the retail business, the finance manager decides to take out
a loan from ABSA bank to open a new branch in Soweto with the hope of growing the
business
4. In their quest to win a larger market share, Samsung has decided to invest more funds
towards technological advancement

Which one of the following statements relates to the concept of corporate governance?

1. Controls the internal and external actions of managers, employees and outside business
stakeholders
2. Universal and prescriptive in nature and applicable to only a few companies
3. Assists enterprises to attract higher-cost capital
4. Enhances the dominating of business decisions and objectives by one individual

For an enterprise to achieve and aspire to be a good corporate citizen, it has to empower the board
of directors to

a. Report annually on social, transformation, safety, ethics, health and environmental
management policies and practices
b. Have a silo approach to risk management
c. Report on their HIV/Aids strategic plans and policies
d. Disclose the company’s formal procurement policies

Choose the correct combination:

1. A, c
2. B, c, d
3. A, c, d
4. All of the above

ABC Limited is a company listed on the JSE. A majority of the audit committee members that have
been appointed are independent non-executive directors. The chairman of the board and the chief
executive officer are also members of the audit committee. There are six members in total. Three
meetings were held by the audit committee during the year. The audit committee also recommends
to the board which external audit provider they feel should be appointed to conduct the annual
audit. Based on the scenario above, which of the following statements are insufficiencies in the audit
committee’s structure based on King III?

a. A majority of the audit committee members appointed are independent non-executive
directors
b. The chairman of the board and the chief executive officer are both members of the audit
committee
c. There are six members in total
d. The audit committee recommends to the board which external audit provider they feel
should be appointed to conduct the annual audit

Choose the correct combination:

1. A, b
2. B, c, d
3. A, c, d
4. All of the above

Which of the following is an activity taken into account by the triple bottom-line principle?

1. Political performance
2. Legal performance
3. Technological performance
4. Environment performance

Which of the following are the benefits of corporate governance?

a. Improves confidence of domestic and international investors and therefore attracting capital
at lower cost
b. Corporate governance ensures efficient use of company resources
c. Good corporate governance is essential to ensure adherence to legislation as well as
corporate social responsibility
d. Effective corporate governance may improve overall performance.

Choose the correct combination:

1. A, d
2. B, c, d
3. A, c, d
4. All of the above

The ERM process has several stages, the first stage is establishing context, which is concerned with
the understanding of the

a. Specific business activity, process or project forming the subject of risk management
b. Macro and micro environment in which the business operates
c. Background of the business as a whole in general terms
d. Identified risk events (upside and downside)

Choose the correct combination:

1. B, c
2. B, c, d
3. A, b, c
4. All of the above

Which one of the following statements is correct with regards to process mechanisms in Stage 1 of
the ERM process?

1. Financial ratios are used to look at the financial position and performance of a business
2. The risk management process diagnostic can be regulated or constrained by the culture of
business risk
3. The financial performance of a business must be reviewed by looking at the PEST analysis
4. The SWOT analysis can be used to look at the external environment influences on business
performance and market growth or decline

Scenario analysis is used to analyse the

1. Events and trends that will determine an organisation’s future
2. Profitability of a business
3. Strengths and weaknesses of a business
4. Micro environment over which a business has control

Risk identification is a crucial step in the ERM process. Indicate which of the following statements are
correct in relation to risk identification?

a. A risk checklist is used to list all the risks that were identified on previous projects within the
business
b. A structured method of risk identification must be implemented so that consistent risk
management can take place
c. Business risk is static and a discrete phase in the process
d. It is important to be able to identify the risks in the business and understand how they fit
into the overall business context

Choose the correct combination:

1. A, c
2. B, c, d
3. A, b, d
4. All of the above

Which stage in the ERM process requires a business to design a specific action plan and produce
strategic responses to address the risks and opportunities identified in the business to secure
business objectives?

1. Risk analysis
2. Risk treatment
3. Communication and consultation
4. Monitoring and review

The risk treatment stage will assist the business to design a specific action plan and produce strategic
responses to address the risks and opportunities identified in the business to secure business
objectives. This stage is vital in the risk management process because the risk strategy responses and
action plan must be prepared and implemented effectively into the business.

In the monitoring and review stage, control activities must adhere to which of the following?

a. Measurements have to be congruent with the events measured
b. Controls have to be a principle of economy
c. Controls must be operational
d. Controls have to be timely

Choose the correct combination:

1. A, b
2. A, b, c
3. A, b, d
4. All of the above

The controlling process is based on the information gathered in the monitoring process to form
decision-making. It means the business must understand who needs what information for what
purpose and when. To give a manager control, the control activities must adhere to the following
seven specifications:

• Control is a principle of economy.

• Controls must be meaningful.

• Controls have to be appropriate to the character and nature of the phenomenon measured.

• Measurements have to be congruent with the events measured.

• Controls have to be timely.

• Controls need to be simple.

• Controls must be operational.

The _______ is the number of years required to recover an initial investment

1. Payback Period (PP)
2. Average Rate of Return (ARR)
3. Internal Rate of Return (IRR)
4. Net Present Value

The risk analysis stage provides information on the likelihood of risks and opportunities occurring
and the impact of them to aid in the decision making process. Which of the following activities need
to be conducted?

a. Capital asset pricing model (CAPM) analysis
b. Clarifying the business objectives
c. Causal analysis
d. Decision analysis and influence diagrams

Choose the correct combination:

1. A, c
2. A, c, d
3. A, b, d
4. All of the above

Pg 33-34 sg

The _________ is an average annual return expressed as a percentage of initial cost of the project

1. Internal rate of return
2. Average rate of return
3. Payback period
4. Net present value

In relation to CAPM analysis, market risk is measured by its beta. A share with a beta of 1.5 tends to
move up or down by the same percentage point as the equity market

Indicate if the above statement is true or false:

1. True
2. False

An investor holding shares in a holding is exposed to equity market risk. There is a tendency for the
value of the share to move with general stock market movements. In the CAPM, market risk is
measured by its beta. A stock with a beta of 1.0 tends to move broadly in line with the equity
market; a share with a beta of 1.5 tends to move up or down by 1.5% for each percentage point
movement in the market. In the past the Lloyds TSB Group has had a beta of just under 1.5% and
Cadbury Schweppes had a beta of just over 0.5%. Some companies have a beta over 1.5. If the
market goes up these shares can be expected to outperform others; in a bear market they can be
expected to fall by more than average. Other shares have betas of 0.5 or less, and these defensive
companies are likely to do relatively well in a bear market while being left behind when the share
prices surge ahead.

Which one of the following statements is incorrect with regards to credit risk?

1. Credit risk is the financial loss suffered due to the default of a borrower or counterparty
under a contract
2. Counterparty risk relates to the certainty surrounding the payment of future amounts
3. Default risk is the probability of the event of default
4. Recovery risk relates to the uncertainty over the likely recovery

_______ risk is considered to be embraced within operational risk

1. Liquidity
2. Currency
3. Funding
4. Reputational

The sources of risk considered to be embraced within operational risk include business risk, crime
risk, disaster risk, information technology risk, legal risk, regulatory risk, reputational risk, systems
risk and outsourcing. Refer to par 16.1 of the prescribed book for more details

Employees working in Company A have access to the Company’s Code of Conduct, which is not
available to external parties. The Code of Conduct is posted on the Company’s

1. Information assets
2. Intranet
3. Management information system
4. E-commerce

Intranets are computer networks based on the same technical standards as the internet but
designed for use within a single organisation. Intranets are cheaper and simpler to install than
proprietary networks, and companies are increasingly using them to circulate internal information
such as phone directories, job openings, training, marketing and publicity material.

Company XYZ is in the process of implementing Project A. They need to identify the legislation that
the project needs to adhere to. This identification of legislation relates to the stage of the PRM
process

1. Establish the context
2. Risk identification
3. Monitoring and review
4. Risk analysis

If an individual other than an employee gains unauthorised access to a company computer by
way of a public telecommunications system, that individual is guilty of

1. Using an unauthorised public telecommunications system
2. Unauthorised access with the intent to commit offences
3. Software malpractice
4. Internet misuse

A breach of ethics can lead to

1. Favourable media coverage
2. Increased share prices
3. Fines
4. Increased profitability

Ethics is inextricably linked with reputation, and a breach of ethics commonly leads to one or more
of the following: reduced share price, reduced profitability, unfavourable media coverage, fines,
additional administration and, in some extreme cases, imprisonment.

A health and safety management system comprises

1. Management arrangements and risk mitigation
2. Management arrangements, risk control systems and workplace precautions
3. Risk mitigation, risk identification and risk control systems
4. Risk evaluation and workplace precautions

Which one of the following examples is seen as a social risk to a business?

1. The technological changes in a market
2. Inflation and increasing house prices
3. The shrinking percentage of the working population that is of working age
4. Loss of reputation because of a persecution or a dispute with a customer

The ________ policy is a mechanism which the reserve bank uses to manipulate the supply of money,
the supply of credit, interest rates and exchange rates

1. Monetary
2. Trade policy
3. Fiscal
4. Balance of payments

The shooting of striking mine workers by the South African Police Service in August 2012 in the
Marikana area is an example of __________ risk

1. Micro political
2. Macro political
3. Health and safety
4. Environmental

Which of the following is a risk control measure in a health and safety management system?

1. Erecting a security wall around a property
2. Having a back-up facility at a distant location
3. Emergency procedures such as recovery plans following a fire
4. Disclaimer delivered with the products marketed by a company

Enterprise risk management (ERM) is designed to improve

1. Capital
2. Business profit
3. Economic activity
4. Business performance

Which of the following are the benefits of effective risk and opportunity management?

a. Improved cost certainty
b. Higher economic returns
c. Sustainable shareholder value
d. Aligning risk appetite and strategy

Choose the correct combination:

1. A, c
2. A, b, c
3. B, c, d
4. All of the above

The benefits of effective risk and opportunity management include the following:

♦ Improved cost certainty

♦ Higher economic returns

♦ Sustainable shareholder value

♦ Increased stakeholder confidence

♦ Reduction of costly disputes and claims


Which element in the ERM structure provides the foundation and arrangement for embedding risk
management throughout the organisation at all levels?

1. Internal control
2. Risk management process
3. Corporate governance
4. Risk management framework

Which stage in the risk management framework requires a periodic review with stakeholders on
whether the risk management policy, plan or process requires amendment as a result of changes in
the organisation’s context?

1. Mandate and commitment
2. Implement framework
3. Monitor framework
4. Improve framework

The risk management policy should specifically state its

a. Objectives
b. Limitations on disclosure
c. Where it applies within the organisation
d. Frequency of review

Choose the correct combination:

1. A, c
2. A, b, c
3. B, c, d
4. All of the above

In simple terms a policy should address why risk management will be undertaken, who within and
outside the organisation will undertake it, how it will be undertaken by reference to the framework
and process and internal functions, and what those who are responsible will be required to
undertake. Specifically, the policy should state its purpose, objectives, scope (where it applies within
the organisation), related and supporting policies, its degree of confidentiality (any limitations on
disclosure), the frequency of its review and the date it was last updated.

According to the King III

a. a financial director must be appointed to the board for listed companies as from 2009
b. non-executive directors could receive share options based on prior approval
c. a minimum of three executive directors should be appointed to the board
d. the memorandum of incorporation of the company should allow the board to remove any
director from the board

Choose the correct combination

1. a, d
2. a, b, c
3. b, c, d
4. All of the above

Pg 100

The purpose of corporate governance is to

1. Maximise the wealth of its shareholders
2. Assist an organisation in integrating risk management into its management processes so that
it becomes a routine activity
3. Ensure board oversight of business operations and prudent management that can deliver
the long-term success of the company
4. Provide reasonable assurance regarding the achievement of objectives in reliable financial
reporting

The purpose of corporate governance is to ensure board oversight of business operations and
facilitate effective, entrepreneurial and prudent management that can deliver the long-term success
of the company.

Effective corporate governance

1. Promotes the inefficient use of resources
2. Delays overall performance
3. Ensures adherence to legislation
4. Attracts higher cost of capital

According to King III an independent non-executive director

a. Is not a member of the immediate family of an individual who is employed by the company
in an executive capacity
b. Is not a representative of a shareholder who has the ability to significantly influence
management
c. Is not a professional advisor to the company other than in a director capacity
d. Does not receive remuneration contingent upon the performance of the company

Choose the correct combination:


1. A, d
2. A, b, c
3. B, c, d
4. All of the above

In terms of the King III code of governance principles

1. Internal audit should be integrated with the risk management process
2. Risk management is separable from the company’s strategic business process
3. Risk management should be performed on an ongoing basis
4. Compliance should not form part of the risk management process

________ is used to examine the business environment to identify changes and potential risks and
prepare for them

1. PEST
2. SWOT
3. Ratios
4. SMART

________ can be used to identify the main risks linked to a certain activity or project of the business

1. Gap analysis
2. PEST analysis
3. Risk taxonomy
4. SWOT analysis

The purpose of risk analysis is to

1. Prevent problems by determining the root cause
2. Provide a judgement of the likelihood of the risks and opportunities occurring and their
impact, should they materialise
3. Assist an organisation in integrating risk management into its management processes so that
it becomes a routine activity
4. Identify the risks to the business which would produce or remove the likelihood of the
business reaching its objectives and opportunities

The risk analysis stage will provide information on the likelihood of risks and opportunities occurring
and the impact of them to aid in the decision making process. The risk analysis process will assess all
the risks identified in the risk register. Ample time should be allowed for conducting the risk analysis
stage.

______ is used to prepare for the possible worst case to best case situation

1. Brainstorming
2. Delphi technique
3. Scenario analysis
4. Structured interviews

Lucy did not insure some of her risks because there are control measures already in place to absorb
these risks. What is the risk response strategy that Lucy has undertaken?

1. Risk removal
2. Risk transfer
3. Risk retention
4. Risk reduction

Risk retention is also referred to as acceptance, absorption or tolerance. A business can be in the
position to only be able to accept the risk as the alternative methods, for example risk removal,
reduction and transfer are not available; or it can be more economical to the business to accept the
risk. In the risk retention strategy the options available, timing and the ability to absorb the risk must
be considered.

The process inputs in the risk analysis stage consist of

1. Risk identification, risk recordings and risk checklists
2. Probability trees, utility theory, the Markov chain method and investment appraisals
3. A risk register, risk checklist, risk prompt list and gap analysis
4. Risk identification, risk recording, profit and loss account statements, balance sheet and
industry beta analysis

The process inputs in the risk analysis process will consist of risk study parameters, which include
risk identification, risk recording, profit and loss account assessment, balance sheet assessment and
industry betas. The process outputs will be the risk register including the assessment, which shows
the probability and impact of each risk and opportunity.

Which of the following are techniques that a facilitator can adopt in an interactive workshop?

a. Risk questionnaire
b. Financial analysis tools
c. Brainstorming process
d. Scenario analysis

Choose the correct combination:

1. C, d
2. A, b, c
3. A, b, d
4. All of the above

Risk tolerance of an organisation can be expressed in terms of

1. Risk averse, risk neutral and risk seeking attitudes
2. Capital, earning variances, liquidity and balance sheet activities and guidelines for
investment
3. Risk information, high impacts and high probabilities, balance sheet activities and capital
4. Income statements, balance sheet activities, cash flow statements and budget statements

_______ is a technique to employ when evaluating the profitability of an investment proposal for a
particular project

1. Simulation
2. Percentiles
3. Sensitivity analysis
4. Monte Carlo simulation

Sensitivity analysis: A technique employed to evaluate the profitability of an investment proposal for
a particular project. The assessment can indicate how sensitive projected outcomes are to proposed
changes.

The monitoring and review stage

1. Occurs infrequently
2. Is implemented prior to the annual risk report
3. Is implemented to satisfy audit requirements
4. Is a continuous process

A ________ is a statement of how the organisation will accomplish its business objectives

1. Business process map
2. Risk management plan
3. Business plan
4. Marketing plan

The business plan should show how the business would achieve its objectives by looking at all the
factors that might have an impact on the business.

Key Risk Indicators (KRIs)

1. Are statistical information on the business risk reporting processes
2. Are useful views of underlying risk profiles at various levels to assist in decision making
3. Are used to measure a business’s health and performance
4. Assist with business planning and decision making

Which of the following is a typical output of the Risk Analysis stage?

1. Industry betas
2. Human resource plan
3. Profit and loss account
4. Risk register

A company requires all managers at various business units to make use of a standard template when
identifying risks and reporting these risks to the Head Office. This process activity is an example of

1. Executing action plans
2. External communication
3. Internal communication
4. Controlling information

A company will stay solvent by ensuring that all

1. Current assets exceed current liabilities
2. Assets are converted into money without loss of value
3. Cash obligations can be met by a combination of investment liquidity, funding source and
contingent liabilities
4. Current assets are converted into cash in order to pay the current and long-term liabilities of
the organisation

All companies will only stay solvent by ensuring that all cash obligations (salaries, rents, tax, etc.) can
be met by a combination of investment liquidity, funding sources and contingent liabilities (liabilities
that can be terminated quickly).

Information technology risks include

1. Lack of observance of rules set by a regulatory body
2. Unauthorized access or disclosure of data and data corruption
3. Floods, fires and other natural disasters and terrorist activities
4. The loss arising from legal action against an organisation for inadequate practices

Transcor is a transport company which delivers goods across all nine provinces in South Africa.
Transcor has an agreement with Avis Truck Rental to provide them with rental trucks in the event of
their trucks being damaged or vandalised during protest actions. This is called a (an)

1. Business continuity plan
2. Leasing of property plan
3. Lease agreement contract
4. Outsourcing service delivery contract

Brain received a feeding scheme tender by means of bribery. This tender has resulted in his
business growing and he made a huge profit. Brain’s way of getting business is

1. Ethical
2. Honest
3. Unethical
4. Intelligent

Health and safety management in an organisation helps to avoid

a. The use of child labour
b. Compensation payments due to workplace accidents
c. Decreasing insurance premiums
d. Adverse media attention which could damage an organisation’s reputation

Choose the correct combination

1. B, d
2. A, c, d
3. A, b, d
4. All of the above

The macro marketing environment consists of which of the following factors?

1. Environmental, society, competitive, health and safety factors
2. Competitive, political, demographical and technological factors
3. Cultural, wealth, market, industry, sustainability, legal and regulatory factors
4. Operational, market, economic, competitive and environment factors

Pg 469 textbook

A country’s inability to meet its financial obligations determines its _______ risk

1. Political
2. Country
3. Liquidity
4. Economic

Which of the following examples are specific areas of concern for an organisation relating to
operational risk?

a. Insourcing where firms take on the operational risks of their third parties
b. Highly automated and integrating technology that has the potential to transform risks from
minor manual processing errors to major systematic failures
c. The growth of e-commerce that brings with it some new and potentially significant
operational risks for both consumers and firms
d. Firms that outsource their activities may suffer some loss of control over them, which could
affect the quality and availability of their products.

Choose the correct combination

1. A,b
2. A, c, d
3. A, b, d
4. All of the above

Pg269 tb

Project risk management refers to the

1. Risk exposure of losses resulting from people, processes, systems and external events
2. Management of risk exposures in projects in the pursuit of achieving predefined goals
3. Protection and enhancement of share value to satisfy the other internal controls
4. Management of investments in technology to achieve business objectives and optimise
investment benefits

Which of the following factors could result in or predict corporate failure?

a. Low profit margin
b. Instability in earnings
c. Sharp increase in the price of stock or bond price
d. A lack in management quality

Choose the correct combination:

1. A, b
2. A, c, d
3. A, b, d
4. All of the above

Quantitative factors in predicting corporate failure

• Low cash flow to total liabilities

• High debt-to-equity ratio and high debt to total assets

• Low return on investment

• Low profit margin

• Low retained earnings to total assets

• Low working capital to total assets and low working capital to sales

• Low fixed assets to non-current liabilities

• Inadequate interest/coverage ratio

• Instability in earnings

• Small-size company measured in sales and/or total assets

• Sharp decline in price of stock, bond price and earnings

• A significant increase in beta (beta is the variability in the price of the company’s stock relative to a
market index)

• Market price per share is significantly less than book value per share

• A significant rise in the company’s weighted-average cost of capital

• High fixed cost to total cost structure (high operating leverage)

• Failure to maintain capital assets. An example is a decline in the ratio of repairs to fixed assets

Qualitative factors in predicting failure

• New company

• Declining industry

• Inability to obtain adequate financing, and when obtained there are significant loan restrictions

• A lack in management quality

• Moving into new areas in which management lack expertise

• Failure of the company to keep up to date, especially in a technologically oriented business

• High business risk (e.g. positive correlation in the product line; susceptibility to strikes)

• Inadequate insurance coverage

• Fraudulent actions (e.g. misstating inventories to stave off impending bankruptcy)

• Cyclicality in business operations

• Inability to adjust production to meet consumption needs

• Susceptibility of the business to stringent governmental regulation (e.g. companies in the real
estate industry)

• Susceptibility to energy shortages

• Susceptibility to unreliable suppliers

Currency risk is concerned with

1. Inability in the short-term to obtain cash in a desired currency
2. Not having a cash surplus to respond to sudden or unexpected liquidity problems
3. Fluctuations in exchange rates which affect cash flows from overseas investments
4. A lack of familiarity with the history of changes in the exchange rate of different currencies

Which of the following are the sources of risks considered to be embraced within financial risk?

a. System risk
b. Operational risk
c. Interest risk
d. Funding risk

Choose the correct combination:

1. A,b
2. A, c, d
3. A, b, d
4. All of the above

The term financial risk embraces a variety of sources of risk, which include:

♦ liquidity risk;

♦ credit risk;

♦ interest rate risk;

♦ currency risk;

♦ funding risk;

♦ foreign investment risk;

♦ derivatives risk;

♦ systems risk, and

♦ outsourcing risk

Which one of the following is a benefit of effective risk and opportunity management?

1. Improved profit certainty
2. Increased shareholder value
3. Lower economic returns
4. Increased stakeholder confidence

The benefits of effective risk and opportunity management include the following:

♦ Improved cost certainty

♦ Higher economic returns

♦ Sustainable shareholder value

♦ Increased stakeholder confidence

♦ Reduction of costly disputes and claims

The board’s role should be to steer the corporation towards corporate governance policies that
support _______ sustainable growth in ________ value

1. Short-term, shareholder
2. Long-term, shareholder
3. Short-term, stakeholder
4. Long-term, stakeholder

The board’s role is to steer the corporation towards corporate governance policies that support
long-term sustainable growth in shareholder value

The purpose of a risk management framework is to

1. Communicate externally that risk management is being practiced
2. Systematically apply management processes and practices
3. Address specific responsibilities of the board and risk committee
4. Assist an organisation integrating risk management into its management processes

The risk management framework is a basic conceptual structure used to address the risks faced by
an organisation. The purpose of the risk management framework is to assist an organisation in
integrating risk management into its management process so that it becomes a routine activity. The
framework is composed of the following five steps:

• Mandate and commitment

• Design framework

• Implement framework

• Monitor framework

• Improve framework.

Which of the following elements form part of the enterprise risk management (ERM) structure?

a. Internal control
b. External control
c. Corporate governance
d. Sources of risk

Choose the correct combination:

1. A,b
2. B, c, d
3. A, c, d
4. All of the above

Risk taking refers to

1. A business’s ability to create value for its shareholders
2. The analysing of risks and opportunities
3. The ability to identify and respond to all sources of risk in an ever-changing economic
environment
4. Behaviours that have the potential to be harmful but at the same time may bring about
positive outcomes

The King II report moved away from ______ bottom-line principle to a _______ bottom-line principle

1. Single, triple
2. Double, triple
3. Single, double
4. Double, single

pg 16

Effective corporate governance

1. Promotes the inefficient use of resources
2. Attracts higher cost of capital
3. Ensures adherence to legislation
4. Retards overall performance

In terms of the King III Code of governance, internal audit must follow a ______ based approach

1. Governance
2. Cash
3. Risk
4. Compliance

Investors are willing to pay a premium for good governance because

1. Corporate governance is in the spotlight and decreases regulatory risks of an enterprise
2. It is a silo-based approach to managing increasingly interdependent risks
3. Of the diversity of risk exposure no one wants to be left behind
4. It is a way of reducing risk by coping better with adverse events or avoiding it altogether

Investors are willing to pay a premium for good governance for three reasons.

• They believe that the company will perform better over time, which will mean higher share prices.

• It is a way of reducing risk by either avoiding it altogether or by coping better with adverse events.

• The focus on corporate governance is a trend, but the reality is that no one wants to be left
behind.

A GAP analysis

1. Is used to list all the risks that were identified on previous projects within the business
2. Is a list that categorises each risk into a type or area
3. Can be used to identify the main risks linked to a certain activity or project of the business
4. Is a structured checklist to break down the risks and opportunities into manageable
components

A Gap analysis can be used to identify the main risks linked to a certain activity or project of the
business. The method will assist the business to establish where the gap is in the risk associated
with the activity/project so that pro-active or reactive risk measures can be established.

The purpose of the Companies Act (71 of 2008) is to

a. Encourage the efficient and responsible management of companies
b. Promote the development of the South African economy by encouraging transparency
c. Promote the development of companies within all sectors of the economy
d. Balance the rights and obligations of shareholders within a company

Choose the correct combination

1. A,b
2. A, b, c
3. B, c, d
4. All of the above

The New Companies Act

Governance in companies in South Africa is also a legal requirement as per the Companies Act, 71 of
2008. The Act came into effect in May 2011. Relevant components of the act will be discussed
below.

Purpose of the act is to:

• promote compliance with the Bill of Rights as provided for in the Constitution, in the application of
company law

• promote the development of the South African economy by:

∙ encouraging entrepreneurship and enterprise efficiency

∙ creating flexibility and simplicity in the formation and maintenance of companies

∙ encouraging transparency and high standards of corporate governance as appropriate, given the
significant role of enterprises within the social and economic life of the nation

• promote innovation and investment in the South African markets

• reaffirm the concept of the company as a means of achieving economic and social benefits

• continue to provide for the creation and use of companies, in a manner that enhances the
economic welfare of South Africa as a partner within the global economy

• promote the development of companies within all sectors of the economy, and encourage active
participation in economic organisation, management and productivity

• create optimum conditions for the aggregation of capital for productive purposes, and for the
investment of that capital in enterprises and the spreading of economic risk

• provide for the formation, operation and accountability of non-profit companies in a manner
designed to promote, support and enhance the capacity of such companies to perform their
functions

• balance the rights and obligations of shareholders and directors within companies

• encourage the efficient and responsible management of companies

• provide for the efficient rescue and recovery of financially distressed companies, in a manner that
balances the rights and interests of all relevant stakeholders

• provide a predictable and effective environment for the efficient regulation of companies.

The _______ is a method used by a business to evaluate the effect of uncertainty on a planned
activity in a range of situations and uses random numbers to sample from a probability distribution

1. Scenario analysis
2. Monte Carlo Simulation
3. Simulation
4. Latin hypercube sampling

Monte Carlo simulation: A method used by a business to evaluate the effect of uncertainty on a
planned activity in a range of situations, using random numbers to sample from a probability
distribution.

A risk response flow chart is used

1. To illustrate the decision options used to arrive at a risk response category
2. As a technique by a business to reduce risk and the impact thereof
3. As a technique by a business to respond to a particular recurring risk
4. To reduce the likelihood of an occurrence through risk spreading

Which one of the following risk response strategies eliminates a risk when negative outcome or high
risk exposure is anticipated?

1. Risk removal
2. Risk reduction
3. Risk retention
4. Risk transfer

Risk removal: A strategy adopted to eliminate a risk altogether when a negative outcome is
anticipated.

A _______ analysis needs to be conducted to determine the business’ competitive advantage in the
industry/market

1. Business
2. Competitor
3. SWOT
4. PEST

A ________ is used as a communication tool to establish the business process in the first stage of the
ERM process

1. Process diagnostic analysis
2. Business objective scenario
3. Process map
4. Financial ratio

A PEST analysis is a useful tool for a business to determine

1. Its strengths and weaknesses in the micro environment
2. The internal environmental factors which may influence the business’ performance
3. The external environmental factors which may influence the business’ performance
4. The main risk linked to a certain project of the business

The average annual return expressed as a percentage of the initial cost of a project is called the
______

1. Net Present Value (NPV)
2. Internal Rate of Return (IRR)
3. Payback Period (PP)
4. Average Rate of Return (ARR)

The ARR is an average annual return expressed as a percentage of initial cost of the project.

Local Cleaning’s total assets, total current liabilities, and inventory for each of the past 4 years are as
follows

The firm’s current ratio for the year ended 2013 is

1. 1.79
2. 1.24
3. 0.56
4. 3.26

current ratio = current assets / current liabilities

Local Cleaning’s total assets, total current liabilities, and inventory for each of the past 4 years are as
follows

The firm’s quick ratio for the year ended 2014 is

1. 2.42
2. 1.14
3. 1.79
4. 1.55

quick ratio = (current assets - inventory) / current liabilities

Which of the following are typical Key Performance Indicators (KPI’s) used in a business?

a. Employee performance
b. Model risk factors
c. Credit management
d. Control risk indicators

Choose the correct combination:

1. A, b, d
2. B, c
3. A, c
4. All of the above

_______ communication is used to deliver open and honest information on the risks that the
business faces and how it responds

1. Business
2. Risk
3. Internal
4. External

A business must also ensure that it effectively implements an external communication and reporting
process/system so that it will be able to deliver open and honest information on the risks faced in
the business and how the business responds to such risks.

Which of the following are inputs for the risk treatment process?

a. Risk register
b. Industry betas
c. Description of the business risk appetite
d. Risk response actions

Choose the correct combination:

1. A, d
2. A, b, d
3. A, b, c
4. All of the above

The process inputs in the risk treatment process will be the risk register, industry betas and a
description of the business risk appetite, and details of existing insurance policies.

Graham Capital is in the process of obtaining a loan from XWX Bank. Which of the following factors
must Graham Capital take into consideration?

a. Interest rate at commencement of the loan
b. Interest rate at the end term of the loan
c. Duration of payment
d. Nature of the interest rate

Choose the correct combination:

a. A, c, d
b. A, b, c
c. A, b
d. All of the above

When a company borrows money, it needs to know the basis of interest rate determination, the
interest rate at commencement of the borrowing, the nature of interest rate (fixed or variable), and
the duration of payment. The rate of interest paid depends on the following:

♦ Amount

♦ Term

♦ Forecasts

♦ Inflation

♦ Risk

♦ Opportunity cost

♦ Market

_______ analysis is used to determine past events to serve as reference for the implementation of
risk management measures for future events

1. Probability
2. Causal
3. Expected monetary value (EMV)
4. Capital asset pricing model (CAPM)

Causal analysis

The causes of any risk must be identified. It is important for the business to learn from past events to
implement risk management measures for future events.

Which one of the following statements about risk identification is correct?

1. The business will not be able to identify the key risks and risk events associated with the
business, these risks constantly change
2. The business will be able to identify the key risks associated with the business, these risks
constantly stay the same
3. The business will be able to identify the key risks and risk events associated with the
business, these risks constantly change

Through risk identification, the business will be able to identify the key risks and risk events
associated with the business. The business will constantly change and grow as well as the risks
associated with the business. The business will need to identify risks on a constant basis and identify
the opportunities that may arise in order to enhance its objectives as well as risks that may reduce
the likelihood of the business achieving its objectives. Risk can also be based on two main outcomes
namely the upside and downside of risk

Cell C takes out a fire insurance policy to insure its buildings and office equipment against fire and
allied perils. What form of risk response strategy is Cell C using in the instance?

1. Risk retention
2. Risk removal
3. Risk transfer
4. Risk reduction

The determination of the probability and impact of the identified risks and opportunities is referred
to as risk

1. Identification
2. Evaluation
3. Analysis
4. Review

The risk that a counterparty to a contract will not live up to its contractual obligations is known as
_______ risk

1. Liquidity
2. Counterparty
3. Credit
4. Default

Counterparty risk is the risk to each party of a contract that the counterparty will not live up to its
contractual obligations.

Which one of the following factors influences the aggregate supply curve?

1. Increase investment in education
2. Consumer spending
3. Government spending
4. Exports and imports

The exposure to a potential loss arising from diminishing sales or margins as a result of changes in
market conditions, outside of the control of the business, is known as _____ risk

1. Interest rate
2. Environmental
3. Market
4. Social

Which one of the following statements is correct?

1. A higher quick ratio indicates a better liquid position
2. The current ratio indicated a better liquid position
3. The current ratio excludes inventory
4. Current ratio is the relationship between non-current assets and non-current liabilities

252 textbook

In implementing operational risk management in a business, external events which can occur outside
of the business must be taken in consideration. These events may require a business to have
response strategies in the form of

1. Change and knowledge management
2. Change management and business contingency plans
3. Project and knowledge management
4. Project management and business contingency plans

Which of the following risks are seen as internal micro influences to a business?

1. Project, market and legal risks
2. Economic, political and environmental risks
3. Ethical, project and technological risks
4. Social, ethical, health and safety risks

Credit insurance

1. Eliminates uncertainty over the likely recovery of outstanding amounts due
2. Relates to an uncertainty surrounding the payment of future amounts
3. Prevents a customer from defaulting on a payment
4. Mitigates action for credit risk to protect a business against bad debt

Credit insurance is the mitigation action for credit risk.

What is insider trading?

1. Buying or selling company shares from within the stock exchange
2. Buying or selling company shares when privileged corporate information has not yet been
made public.
3. Buying or selling company shares from within business premises
4. Buying or selling shares in a company when news reports show that the share price has
fallen

The risk mitigation techniques for market risk will involve risk

1. Monitoring and review
2. Indicators, register and mapping
3. Identification, measurement and reporting
4. Analysis and modelling

Risk mitigation techniques for market risk will involve risk identification, measurement and
reporting. It is also very important for a business to take out an insurance policy.

Information technology tools include

1. Network systems
2. Operation research
3. Telematics
4. Broadband

• Software applications

• Management information systems

• Intranets

• Telematics

• Information assets

_____ gives an individual exclusive right to reproduce the individual’s own written work

1. Designs
2. Copyright
3. Trademark
4. Patents

The Copyright, Designs and Patents Act 1988 generally gives the owner of copyright the exclusive
right to reproduce the copyrighted work, to prepare derivative works, to distribute copies of the
copyrighted work, to perform the copyrighted work publicly, or to display the copyrighted work
publicly.

Political risk refers to the uncertainty that stems from

1. The exercise of power by opposition parties and the actions of isolated groups
2. The exercise of power by government actors and the actions of non-government groups
3. The exercise of power by imprisoned opponents to the government and the actions of
disaffected groups
4. Small new opposition parties that have yet to obtain widespread effective support

Political risk can be defined as “the uncertainty that stems, in whole or in part, from the exercise of
power by government actors and the actions of non-government groups”. This type of risk can be
seen in domestic as well as international markets but is also associated with overseas exposure and
developing countries. The political environment of overseas countries will always have an impact on
the threats and opportunities of a business wanting to expand business overseas.

Question 1

The purpose of a risk management framework is to …

1 assist an organisation in integrating risk management into its management processes.

2 communicate externally that risk management is being practiced.

3 satisfy internal and external audit requirements.

4 show that the organisation is following contemporary practices.

The purpose of a risk management framework is to assist an organisation in integrating risk
management into its management processes.

Question 2

The risk management policy of an organisation should address specific responsibilities of the …

1 board, the corporate governance committee and the risk committee.

2 stock exchange committee, the marketing committee and the board.

3 risk committee, the board and the remuneration committee.

4 remuneration and marketing committee.

The risk management policy of an organisation should address specific responsibilities of the board,
the corporate governance committee and the risk committee.

Question 3

King II applied to ...

A banks.

B financial institutions.

C investment institutions.

D all listed companies on the JSE.

Choose the correct combination:

1 a,b
2 a,b,d

3 a,b,c

4 all of the above

King II applied to banks, financial and investment institutions, public companies and all listed
companies on the JSE. In contrast King III applies to all entities regardless of the manner and form of
incorporation or establishment and whether in the public, private or non-profit sectors.

Question 4

The King III Report on Corporate Governance was implemented in reaction to new trends in ...

1 environmental practices.

2 international governance.

3 ethical practices.

4 economical and social responsibilities.

The King III Report on Corporate Governance was implemented in reaction to new trends in
international governance

Question 5

A business must aspire to be a good corporate citizen by empowering the board of directors to ...

A implement a code of ethics.

B report on the HIV/Aids strategic plan and policy.

C to report on social, health and transformational policies and practices.

D understand the importance of a relationship between the board and the community.

Choose the correct combination:

1 a,c

2 a,b,c

3 b,c,d

4 all of the above

A business must aspire to be a good corporate citizen by empowering the board of directors to
implement a code of ethics, report on the HIV/Aids strategic plan and policy, to report on social,
health and transformational policies and practices and understand the importance of a relationship
between the board and the community.

Question 6

Which one of the following is not a recognised context stage (first stage) tool to obtain information
on the business?

1 SWOT analysis

2 PEST analysis

3 Financial analysis

4 Sensitivity analysis

The tools (process mechanisms) used in the context stage to obtain information on the business are
financial analysis tools, SWOT analysis, PEST analysis and risk management process diagnostic. The
sensitivity analysis is used in the risk evaluation stage.

Question 7

A PEST analysis is a useful tool for a business to determine …

1 its strengths and weaknesses in the micro environment.

2 the external environmental factors which may influence the business’s performance.

3 the main risks linked to a certain project of the business.

4 the internal environmental factors which may influence the business’s performance.

A PEST analysis is a useful tool for a business to determine the external environmental factors which
may influence the business’s performance.

Question 8

Using a risk identification facilitator from outside the business will …

1 assist with timetabling.

2 avoid creating tension in the team when one is selected as the facilitator and others are not.

3 avoid the facilitation process or approach being constrained by previous approaches.

4 avoid problems of bias, lack of independence, hidden agendas, single direction approaches or
pursuit of personal goals.

Using a risk identification facilitator from outside the business will avoid problems of bias, lack of
independence, hidden agendas, single direction approaches or pursuit of personal goals.

Question 9

It was discovered that one in four software development projects exceeds its budget. The probability
of a single project exceeding its budget is …

1 0 to 4.

2 25%.

3 1.

4 infrequent.

The probability of a single project exceeding its budget is 25%. Calculation: 1 ÷ 4 = 0.25

Question 10

A list generated during the risk identification stage which categorises each risk into a type or area is
known as a risk ...

1 checklist.

2 prompt list.

3 taxonomy.

4 index.

A list generated during the risk identification stage which categorises each risk into a type or area is
known as a risk prompt list.

Question 11

The difference between the initial investment amount and the present value of a project’s expected
future cash flows, discounted at the appropriate cost of capital is the …

1 Net Present Value.

2 Internal Rate of Return.

3 Payback Period.

4 Average Rate of Return.

The difference between the initial investment amount and the present value of a project’s expected
future cash flows, discounted at the appropriate cost of capital, is the Net Present Value (NPV). The
Internal Rate of Return (IRR) is the discount rate that makes NPV equal to 0 or the discount rate that
makes the present value of investment costs equal to the present value of investment benefits. The
Payback Period (PP) is the number of years required to recover an initial investment. The Average
Rate of Return (ARR) is an average annual return expressed as a percentage of the initial cost of the
project

Question 12

Risk appetite …

A can also be referred to as risk attitude, tolerance, preference or capacity.

B is the amount of risk a business is prepared to tolerate.

C has no impact on the risk strategy responses and action plan.

D varies according to the objectives, culture and environment of businesses.

Choose the correct combination:

1 a,b

2 b,c

3 a,b,d

4 all of the above

Risk appetite can also be referred to as risk attitude, tolerance, preference or capacity. Risk appetite
is defined as the amount of risk a business is prepared to tolerate at any point in time. A business
risk appetite can vary according to the objectives, culture and environment of a business. A business
risk appetite can have an impact on the risk strategy responses and action plan.

Question 13

The main reason for monitoring risks is to establish whether ...

1 risk meetings are happening regularly.

2 a risk database is being maintained.

3 risk response actions are effectively implemented.

4 key risk documents are on display in key locations.

The main reason for monitoring risks is to establish whether risk response actions are effectively
implemented.

Question 14

Key Performance Indicators (KPIs) …

1 are useful to directors to assess whether their annual bonuses will be awarded.

2 assist with business planning.

3 are used to measure a business’s health.

4 help understand the market as a whole.

Key Performance Indicators (KPIs) are used to measure a business’s health. Key Risk Indicators (KRIs)
refer to captured information that provides a useful view of underlying risk profiles at various levels
to assist decision makers within a business.

Question 15

Mr. Lucky has been appointed as the risk manager for A-Z clothing Ltd. Mr. Lucky must implement a
risk management process for the business. Which of the following risk management stages should
Mr. Lucky implement?

a Establish the context, monitor and review.

b Risk identification, risk analysis and risk evaluation.

c Design and improve the process.

d Risk treatment, communication and consultation.

Choose the correct combination:

1 a,d

2 a,b,d

3 a,b,c

4 all of the above

The stages in the risk management process include establishing the context, monitor and review, risk
identification, risk analysis, risk evaluation, risk treatment, communication and consultation. The
design and improve process is an ongoing process which takes place at commencement and
throughout the risk management process.

Question 1

The uncertainty linked to the recovery of outstanding amounts due is known as:

1 Exposure risk

2 Default risk

3 Credit risk

4 Recovery risk

The uncertainty linked to the recovery of outstanding amounts due is known as recovery risk.

Question 2

Which one of the following is not a benefit of operational risk management?

1 Maximising day-to-day profits.

2 Minimising day-to-day losses.

3 Improving ability to achieve business objectives.

4 Providing a more robust enterprise risk management system.

The following are benefits of operational risk management:

- Minimising day-to-day losses.
- Improving ability to achieve business objectives.
- Providing a more robust enterprise risk management system.
- Contributing to the establishment of a system which enables the correlation of different
classes of risk to be understood and, where appropriate, modelled.
- Providing management the opportunity to focus on revenue generating activities rather than
fire-fighting one crisis after another

Question 3

Which of the following are examples of unethical business practices?

A Insider trading.

B Money laundering.

C Invasion of privacy.

D Inadequate internal controls.

Choose the correct combination:

1 a,b

2 a,b,c

3 a,b,d

4 all of the above

Insider trading, money laundering, invasion of privacy and inadequate internal controls are examples
of unethical business practices.

Examples of unethical practices by companies that were prosecuted or suffered reputational
damage because of the behaviour of employees and who attracted negative media attention include
the following:

- Bribery in the private sector
- Money laundering
- Improper sales and marketing
- Inadequate financial accounting
- Bribery of government contracting officers
- Inadequate internal controls
- Failure to follow quality standards and procedures
- Environmental irresponsibility
- Employee claims of sexual harassment
- Black listing of international, national or local organisations
- Insider trading
- Exploitation of third world countries
- Health and safety irresponsibility
- Invasion of privacy

Question 4

A-Z Mining takes health and safety extremely seriously. In order to improve human reliability in the
workplace, A-Z Mining may introduce …

A human reliability analysis.

B training.

C reward schemes

D workplace precautions

Choose the correct combination:

1 b,c

2 a,b,c

3 a,b,d

4 all of the above

In order to improve human reliability in the workplace, A-Z Mining may introduce human reliability
analysis, training and reward schemes.

Question 5

… risk deals with basic macro-economic theory together with fiscal and monetary policies.

1 Economic

2 Country

3 Financial

4 Political

Economic risk deals with basic macro-economic theory and fiscal and monetary policies. Country risk
is a collection of risks associated with investing in a foreign country. Financial risk is the exposure of
an enterprise to adverse events that erode profitability and in extreme situations, bring about
business collapse. Political risk is the uncertainty that stems, in whole or in part, from the exercise of
power by government actors and the actions of non-government groups.

Question 6

Market risk refers to the …

1 movement in the company share price over time.

2 number of competitors moving into and out of the market the business is operating in.

3 exposure to losses arising from the change to the cost of raw materials.

4 exposure to a potential loss arising from diminishing sales due to changes in market conditions
outside the control of the business.

Market risk refers to the potential loss exposure arising from diminishing sales due to changes in
market conditions outside the control of the business.

Question 7

The sources of risk embraced under economic risk include the following:

a Fall in demand

b Government policies

c Exchange Rates

d Fall in Supply

Choose the correct combination:

1 a,c

2 b,c,d

3 a,b,c

4 all of the above


The sources of risk embraced under economic risk include fall in demand (a shift in the aggregate
demand curve), government policies (including interest rates and trade protectionism), exchange
rates, movement in house prices and inflation.

Question 8

Which one of the following methods is used to calculate Value-at-risk?

1 Monte Carlo.

2 Pest Analysis.

3 Economic value added.

4 Economic simulations.

The Monte Carlo method is used to calculate Value-at-risk.

Question 9

In implementing operational risk management in a business, external events which can occur outside
of the business must be taken into consideration. These events may require a business to have
response strategies in the form of:

1 Change and knowledge management.

2 Project and knowledge management.

3 Change management and business contingency plans.

4 Project management and business contingency plans.

In implementing operational risk management in a business, external events which can occur outside
of the business must be taken into consideration. These events may require a business to have
response strategies in the form of change management and business contingency plans.

Question 10

Control technology can be defined as …

1 the collection, storage and processing of information by electronic means.

2 specific computer-based production control systems.

3 network systems in which computers are linked to one another over a network.

4 IT governance to manage the risks and constraints of IT.


Control technology can be defined as specific computer-based production control systems.

Question 1

Nedbank Group has a strong risk culture and follows worldclass enterprisewide risk management,
which aligns strategy, policies, people, processes, technology and business intelligence in order to
evaluate, manage and optimise the opportunities, threats and uncertainties the group may face in its
ongoing efforts to maximise sustainable shareholder value.

BACKGROUND TO RISK AND BALANCE SHEET MANAGEMENT IN NEDBANK

Enterprisewide Risk Management (ERM) integrates risk, finance and balance sheet management
across the group’s risk universe, including business units and operating divisions, geographical
locations and legal entities. Against this backdrop, all risks – including those associated with
sustainability – are managed according to a ‘three lines of defence’ governance model. It is Nedbank
Group’s view that a strong risk governance process is the foundation for successful risk management
and balance sheet management, which is why this model represents the core of the business’s
Enterprisewide Risk Management Framework (ERMF). The ERMF places emphasis on accountability,
responsibility, independence, reporting, communications and transparency, and comprises 17 key
risk categories that are managed, monitored, measured and reported on by the first, second and
third line-of-defence functions across the group.

1.1 In the extract, Nedbank Group’s risk and balance sheet management statement is referring to
the King Code of Governance Principles 2009 (King III). Discuss the principles listed in the risk and
balance sheet management statement of Nedbank Group? (7)

Any seven of the following principles could have been identified from the risk and balance sheet
management statements of Nedbank Group:

Principle: Definition and explanation based on King Code of Governance Principles for SA 2009

- Communications:
o Effective communication with stakeholders is essential for building and maintaining
their trust and confidence. Communication to stakeholders should be in clear and
understandable language.
- Independence:
o Independence is the absence of undue influence and bias which can be affected by
the intensity of the relationship between the director and the company.
- Responsibility:
o The state or position of having control or authority and being accountable for one's
actions and decisions.
- Reporting:
o Integrated reporting and disclosure. The company needs a holistic and integrated
representation of the company’s performance in terms of both its finance and its
sustainability.
- Sustainability:
o Sustainability of a company means conducting operations in a manner that meets
existing needs without compromising the ability of future generations to meet their
needs. It means having regard to the impact that the business operations have on
economic life of the community in which it operates. Sustainability includes
environmental, social and governance issues.
- Transparency:
o Easy to understand or recognise; obvious; candid; open; frank.
- Accountability:
o Being responsible and able to justify and explain decisions and actions.
- Responsible leadership:
o The board should provide effective leadership based on an ethical foundation. The
board should ensure that all deliberations, decisions and actions are based on the
four values underpinning good governance and ensure that each director adheres to
the duties of a director.
- Risk based internal audit:
o Internal audit should be risk-based and every year the internal auditors should
furnish an assessment to the board generally on the system of internal controls and
to the audit committee specifically on the effectiveness of internal financial controls.
- Compliance:
o Companies must comply with all applicable laws. The board should delegate to
management the implementation of an effective compliance framework and
processes. Compliance risk should form an integral part of the company's risk
management processes. Compliance should be an ethical imperative.

1.2 Identify any six (6) additional governance of risk principles addressed in the King III report not
specifically listed by Nedbank Group. (6)

Any six of the following additional governance of risk principles addressed in the King III report can be
discussed:

- Management should be responsible for the risk management process. Management is
accountable to the board for designing, implementing and monitoring the process of risk
management and integrating it into the day-to-day activities of the company.
- All staff should practise risk management.
- The board should be responsible for the process of risk management.
- The board should approve the company’s chosen risk philosophy.
- The board should adopt a documented risk management plan.
- The board may delegate the responsibility of risk management to a dedicated risk
committee.
- Risk assessment should be performed on an on-going basis.
- The board should approve key risk indicators for each risk, as well as tolerance levels.
- Risk identification should be directed in the context of the company’s purpose.
- The board should ensure that key risks are quantified and are responded to appropriately.
- Internal audit should provide independent assurance on the risk management process.
- The board should report on the effectiveness of risk management.
- The board should ensure that the company’s reputational risk is protected.
- The board should determine the extent to which risks relating to sustainability are addressed
and reported on.
- The board should ensure that information technology (IT) is aligned with business objectives
and sustainability.
- The board should consider the risk of the unknown as part of the qualitative and
quantitative risk assessment process.
- Compliance should form part of the risk management process.

Question 2

Mr. Khumalo has just been appointed as the new CEO of Local Coal Mining Ltd. He approaches you
as the risk manager to gain a better understanding of the implementation of risk management in the
company.

Briefly describe the difference between an enterprise risk management framework, policy and
process to Mr. Khumalo to give him a better understanding of the implementation of risk
management in Local Coal Mining Ltd.

The risk management framework is a basic conceptual structure used to address the risks faced by
an organisation. The purpose of the risk management framework is to assist an organisation in
integrating risk management into its management process so that it becomes a routine activity. The
framework is composed of the following five steps:

- Mandate and commitment: Risk management must come from the top down in an
organisation (the organisation's management).
- Design framework: Understanding the organisation and its context, establishing the risk
management policy, determining accountability for risk management, embedding risk
management in all of the organisation’s practices/processes etc.
- Implement framework: Timing of implementation of the framework should be planned and
training sessions are required.
- Monitor framework: Periodically review with internal and external stakeholders whether the
risk management framework, policy, plan and process require amendments.
- Improve framework: Based on the results of the monitor process, decisions should be made
on whether the risk management framework step should be amended.

Risk management policy

A risk management policy sets out how the risks, which have been identified by the risk assessment
procedure, will be managed and controlled. The risk management policy assigns responsibility for
performing key tasks, establishes accountability with the appropriate managers, defines boundaries
and limits and formalises reporting structures. The policy should address specific responsibilities of
the board, internal audit, external audit, the risk committee, the corporate governance committee,
the central risk function, employees and third party contractors in implementing risk management.

A policy statement defines a general commitment, direction or intention. A policy on risk
management expresses an organisation’s commitment to risk management and clarifies its general
direction or intention. The policy should state its purpose, objectives, scope, related and supporting
policies, and its degree of confidentiality, frequency of review and date of last update.

Risk management process

According to the International Risk Standard, ISO 31000 (2009), a risk management process is one
that systematically applies management policies, procedures, and practices to a set of activities
intended to establish the context, communicate and consult with stakeholders, and identify, analyse,
evaluate, treat, monitor, and review risk.

According to Chapman the process can be broken down into 7 stages: context, identification,
analysis, evaluation, treatment, monitoring/review and communication and consultation. All the
processes are repeated through the organisation up to the implementation of the risk response
actions.

Question 3

3.1 Identify and describe four (4) risk response strategies which can be used by a business in the
enterprise risk management treatment stage. (8)

The following risk response strategies can be used by a business in the risk treatment stage:

Risk reduction

Risk reduction can also be referred to as treatment or mitigation. Risk reduction can be seen as risk
diversification (reduction of risks by distribution), for example, where a business invests in multiple
stocks to reduce risk and the impact of the risk. Two approaches to reduce risk can be followed,
namely:

- Reducing the likelihood of a risk occurring, and;
- Limiting the loss should the risk materialise.

Methods used by a business to reduce the likelihood of occurrence or impact of risk are protection,
controls, maintenance and risk spreading.

Risk removal

Risk removal can also be referred to as avoidance, elimination, exclusion and termination. Risk
removal is used to eliminate a risk when a negative outcome/impact or high-risk exposure is
anticipated. For example, doing business with a politically uncertain country may be too risky to make
the opportunity worthwhile (a potential for loss has been eliminated). When a business wants to
remove risk, factors such as opportunity, business objectives and costs involved must be considered.
All three of these concepts must be taken into account. For example, a business may decide not to
introduce a new product, or may terminate the production of an existing product and cease
operations that have been carried out in the past.

Risk reassignment or transfer

Risk reassignment is the strategy used to transfer risk to another entity, business or organisation.
Businesses can use contracts and financial agreements to transfer risk to a third party. Transferring a
risk does not reduce its likely severity; it just moves it to another party. In some cases risk transfer
can increase the impact of the risk, as the party to whom the risk is transferred is unaware that it is
required to absorb it. The most common method of risk transfer is insurance. For example, the
financial consequences of the loss are transferred to the insurance company. When a business
transfers risk the business must consider the objectives of the parties, ability to manage the risk, risk
context and cost effectiveness of the transfer.

Risk retention

Risk retention is also referred to as acceptance, absorption or tolerance. A business may be forced into
a position to accept the risk when alternative methods, for example risk removal, reduction and
transfer, are not available; or it may be more economical to the business to accept the risk. When
following a risk retention strategy the options available, timing and the ability to absorb the risk
must be considered.

3.2 Distinguish between key risk indicators (KRI) and key performance indicators (KPI) and give two
examples of each of the types of KRIs and KPIs.

A business must clearly distinguish between key risk indicators (KRI) and key performance indicators
(KPI).

Key Risk Indicators (KRI)

KRI’s refer to captured information that provides useful views of underlying risk profiles at various
levels to assist decision makers within a business. The following are seen as KRI types:

- Inherent or exposure risk indicators
- Control risk indicators
- Composite indicators
- Model risk factors

Key Performance Indicators

KPI’s refer to high level snapshots of the health and performance of a business based on specific
predefined measures, for example, statistical information on the business. The following are seen as
KPI types:

Any two types can be mentioned:

- Statutory KPI’s, such as GAAP or legal regulatory requirements.
- Profitability per business unit/product/customer.
- Exception reporting.
- Employee performance, such as assets under management or profit per customer.
- Competitiveness, such as market share.
- Cost management, such as return on assets (ROA) on IT or new delivering channel
monitoring.
- Credit management, such as time to settlement or credit exposure.

Question 4

Identify and describe eight (8) common challenges faced by businesses in implementing project risk
management.

Any of the following common challenges in implementing PRM can be mentioned:

- Lack of clearly defined and disseminated risk management objectives.
- Lack of senior executive and project director commitment and support.
- Lack of a risk maturity model.
- Lack of a change process to introduce the discipline.
- No common risk language (terms and definitions).
- Lack of articulation of the project sponsor’s risk appetite.
- No definition of roles and responsibilities.
- Lack of risk management awareness training to build core competencies.
- Lack of integration of risk management with other project disciplines.
- Resistance of project personnel to spend time on risk management.
- Risk owners not automatically taking responsibility for assigned risks.
- No clear demonstration of how risk management adds value and contributes to project
performance.
- Overcomplicated implementation from an unclear risk policy, strategy, framework, plan and
procedure.
- Lack of alignment between the business strategy, business model and risk management
objectives.
- Lack of the integration of risk management activities into the day-to-day activities of project
managers.

Argue the value of good corporate governance to business enterprises. (Hint: refer to the four
business areas corporate governance might impact on) (10)

1.1 Identify and describe four (4) process activities for risk evaluation which can be used by a
business in the ERM evaluation stage. (8)

Basic Concepts of Probability

Chance and the assessment of risk play a major part in a large number of business activities.

Hence, probability has found a wide range of business applications such as in investment appraisals
which require an assessment of risk and a measure of expected outcomes. Many of the process
activities examined here require an understanding of the concepts of probability.

Probability represents a new set of conceptual tools. Rather than looking at the world as consisting
of deterministic situations, where everything is known with certainty, we can now consider a range
of outcomes to every situation. More than this, by treating the world as stochastic, it is possible to
assess the chance of particular outcomes happening in a given situation. Hence, it is important to
consider the range of outcomes possible from a situation, so that recognition is given to even the
remote (unlikely) outcomes.

• Sensitivity analysis

The sensitivity analysis method can be used by a business to assess how sensitive the project
outcomes are to changes in the business. The method uses one variable and examines the effect of
that specific variable on the project.

• Scenario analysis

Scenario analysis is a useful decision making method to focus on the consequences of the
combinations of events that would have been ignored by the business because it was regarded as an
event that has never happened or is very unlikely to happen. The business can draw up different
views (optimistic and pessimistic scenarios) of an event to get a feel of the “upside” potential and
“downside” risk, which can be associated with a project.

• Simulation

Simulation is a method used to analyse financial or time models, where the variables may be
uncertain, for example costs, duration, opportunities or risks. Simulation can only be used when a
business has statistical software or commercially available spreadsheets.

• Monte Carlo simulation

The Monte Carlo simulation is a method used by a business to evaluate the effect of uncertainty on a
planned activity in a range of situations and uses random numbers to sample from a probability
distribution. A business can use this method to evaluate duration, demand or throughput and costs.
Refer to par. 11.8.5 of the prescribed book to understand how Monte Carlo simulation, percentiles
and correlations work, as well as the benefits of the Monte Carlo simulation method.

• Latin hypercube sampling

This sampling method is used to re-create the probability distributions specified by distribution
functions accurately and is a more modern technology method than the Monte Carlo simulation
method.

• Probability distributions defined from expert opinion

Some risk analysis models involve subjective estimates and thus further information needs to be
gathered by the business to get a better understanding of the analysis.

1.3 Distinguish between Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs). In your
answer refer to the different types of KRIs and KPIs. (6)

A business must clearly distinguish between key risk indicators (KRI) and key performance indicators
(KPI).

• KRI’s

KRI’s refer to captured information that provides useful views of underlying risk profiles at various
levels to assist decision makers within a business. The following can be seen as the four types of
KRI’s:

- Inherent or exposure risk indicators.
- Control risk indicators.
- Composite indicators.
- Model risk factors.

• KPI’s

KPI’s refer to high level snapshots of the health and performance of a business based on specific
predefined measures for example statistical information on the business. The following can be seen
as seven types of KPI’s:

- Statutory KPI’s, such as GAAP or legal regulatory requirements.
- Profitability per business unit/product/customer.
- Exception reporting.
- Employee performance, such as assets under management or profit per customer.
- Competitiveness, such as market share.
- Cost management, such as return on assets (ROA) on IT or new delivering channel monitoring.
- Credit management, such as time to settlement or credit exposure.

Define the following terms (4)

- Default risk
- Exposure risk
- Recovery risk
- Counterparty risk

- Default risk is the probability of the event of default.
- Exposure risk relates to the uncertainty surrounding the payment of future amounts.
- Recovery risk relates to the uncertainty over the likely recovery.
- Counterparty risk is the risk to each party of a contract that the counterparty will not live up
to its contractual obligations.

Mr Mathews has just been appointed as a new Board member of Sasol Ltd. He approaches you as
the risk and compliance manager to gain a better understanding of the implementation of
corporate governance within the company.

Compile a report addressed to Mr Mathews in which you explain the corporate governance process
as well as the board’s responsibility for risk governance. (12)

Governance of risk

• The board’s responsibility for risk governance


∙ The board should be responsible for the governance of risk

∙ The board should determine the levels of risk tolerance

∙ The risk committee or audit committee should assist the board in carrying out its risk
responsibilities

• The board should delegate to management the responsibility to design, implement and monitor
the risk management plan

• Risk assessment

∙ The board should ensure that risk assessments are performed on a continual basis

∙ The board should ensure that frameworks and methodologies are implemented to increase the
probability of anticipating unpredictable risks

• The board should ensure that management considers and implements appropriate risk responses

• The board should ensure continual risk monitoring by management

• The board should receive assurance regarding the effectiveness of the risk management process

• The board should ensure that there are processes in place enabling complete, timely, relevant,
accurate and accessible risk disclosure to stakeholders

Briefly identify and explain four process activities which need to take place in the risk identification
stage. Activity and explanation. (8)

• Risk checklist

A risk checklist is used to list all the risks that were identified on previous projects within the
business.

• Risk prompt list

A risk prompt list can be seen as a list that categorises each risk into a type or area. Through this list,
the business will be able to identify the main categories of risks experienced within the business.

• Gap analysis

A Gap analysis can be used to identify the main risks linked to a certain activity or project of the
business. The method will assist the business to establish where the gap is in the risk associated
within the activity/project so that pro-active or reactive risk measures can be established.

• Risk taxonomy

Risk taxonomy can be explained as a structured checklist to break down the risks and opportunities
into manageable components, which then can be aggregated for exposure measurement, reporting
and management. This method is used in the risk taxonomy of software development. Refer to Table
9.1 in chapter 9 of the prescribed book.

• PEST analysis

The business can also use the PEST analysis method in the identification stage to identify the risk
exposure of the business to its external environment. The business can conduct this analysis in a
workshop or brainstorming session.

• SWOT analysis

A SWOT analysis is a very easy and understandable method for a business to identify the risks and
opportunities in the business.

• Database

A risk database can be used to capture all the information of each risk identified in the business and
is an effective way to monitor all the risks and actions used in the management of all the identified
risks.

• Business risk breakdown structure

A breakdown structure for business risk is used to identify all the sources of risk within projects and
activities in the business.

• Risk questionnaire

A risk questionnaire is used when a business needs to establish the concerns and risks that arise in a
business project/activity through the various stages. The completion of the questionnaire will show
how the business employees respond to risk.

• Risk register

A risk register is used to capture information on a constant basis and to simplify communication
regarding the risks in a business project/activity. Refer to Table 9.2 in chapter 9 of the prescribed
book.

Distinguish between internal and external communication (Enterprise risk management process) (2)

A business should establish internal communication and reporting mechanisms in order to support
and encourage accountability and ownership of risk and opportunity management.

A business should establish external communication and reporting mechanisms in order to deliver
open and honest information on the risks that the business faces and how it is responding.

Briefly explain the concept “political risk”. Use examples to highlight your answer (4)

Political risk can be defined as “the uncertainty that stems, in whole or in part, from the exercise of
power by government actors and the actions of non-government groups”. This type of risk can be
seen in domestic as well as international markets but is also associated with overseas exposure and
developing countries.

For example, political decisions by governmental leaders about taxes, currency valuation, trade
tariffs or barriers, investment, wage levels, labour laws, environmental regulations and
development priorities, can affect the business conditions and profitability. Similarly, non-economic
factors can affect a business. For example, political disruptions such as terrorism, riots, coups, civil
wars, international wars, and even political elections that may change the ruling government, can
dramatically affect businesses’ ability to operate.

List four mitigation strategies to minimise political risks in an organisation (4)

Mitigation strategies for political risks

• The following response strategies can be used to minimise political risk in the business:

- Undertaking proper planning and exercising due diligence.
- Investing in projects or entering into contracts where the host government implemented certain
policies that encourage private sector involvement.
- Consider projects that are being supported by host governments.
- Obtaining insurance against political risks.
- To be protected from interest rate fluctuations a business can enter into a hedge contract.
- Establish a good relationship with the workforce to create a risk friendly environment.
- Incorporating strong arbitration language into contracts to address labour disputes.
- Enhancing on-site security to be protected against terrorist attacks.
- Being attuned to what is happening in the host country.

• The following tools can also be used by a business to mitigate political risks:

- Assessing political risk factors
- Putting political risk factors in order of priority
- Improving relative bargaining power

Mr Samuel has just been appointed as the new CEO of A-Z Supermarket. He approaches you as the
risk manager to gain a better understanding of the implementation of enterprise risk management
(ERM) within the company. Compile a report addressed to Mr Samuel in which you highlight the
merits of ERM (10 marks)

Benefit two: standardized risk reporting

ERM supports better structure, reporting, and analysis of risks. Standardized reports that track
enterprise risks can improve the focus of directors and executives by providing data that enables
better risk mitigation decisions. The variety of data (status of key risk indicators, mitigation
strategies, new and emerging risks, etc.) helps leadership understand the most important risk areas.
These reports can also help leaders develop a better understanding of risk appetite, risk thresholds,
and risk tolerances.

One of the major values of ERM risk reporting is improved timeliness, conciseness, and flexibility of
the risk data. This provides the data needed for improved decision making capabilities within the
executive and director levels, and in other layers of management. ERM helps management recognize
and unlock synergies by aggregating and sharing all corporate risk data and factors, and evaluating
them in a consolidated format.

Benefit three: improved focus and perspective on risk

ERM develops leading indicators to help detect a potential risk event and provide an early warning.
Key metrics and measurements of risk further improve the value of reporting and analysis and
provide the ability to track potential changes in risk vulnerabilities or likelihood, potentially alerting
organizations to changes in their risk profile.

ERM also permits a more complete viewpoint on risk. Traditional risk practices focus on mitigation,
acceptance, or avoidance. However, effective ERM processes give management a framework to
evaluate risk as an opportunity to increase competitive positions and exploit certain market and
operational conditions.

Benefit four: efficient use of resources

In organizations without ERM, many individuals may be involved with managing and reporting risk
across operational units. While developing an ERM program does not replace the need for
day-to-day risk management, it can improve the framework and tools used to perform the critical risk
management functions in a consistent manner. Eliminating redundant processes improves efficiency
by allocating the right amount of resources to mitigating the risk.

Benefit five: effective coordination of regulatory and compliance matters

Bond rating agencies, financial statement auditors, and regulatory examiners have begun to inquire
about, test, and use monitoring and reporting data from ERM programs. Since ERM data involves
identifying and monitoring controls and mitigation efforts across the organization, this information
can help reduce the effort and cost of such audits and reviews.

Explain the difference between risk removal and risk transfer. Use examples to elucidate your
answer (4 marks)

Risk removal can also be referred to as avoidance, elimination, exclusion and termination. Risk
removal is used to eliminate a risk when a negative outcome/impact or high-risk exposure is
anticipated. For example, doing business with a country that has political uncertainty may be too
risky to make the opportunity worthwhile (a potential for loss has been eliminated). When a
business wants to remove risk, factors such as opportunity, business objectives and costs involved
must be considered. All three of these concepts must be taken into account. For example, a
business may decide not to introduce a new product, or may end the production of an existing
product and cease operations that have been carried out in the past.

Risk reassignment is the strategy used to transfer risk to another entity, business or organisation.
Businesses can use contracts and financial agreements to transfer risk to a third party. Risk transfer
does not reduce the severity of the risk but does increase the impact of the risk. The most common
method of risk transfer is insurance. For example, the financial consequences of the loss are
transferred to the insurance company. When a business transfers risk, the business must consider
the objectives of the parties, ability to manage the risk, risk context and cost effectiveness of the
transfer.

When it comes to the perception of risk, groups and individuals might perceive risk differently.
Indicate how the Utility Theory explains this phenomenon. (6 marks)

Utility theory assumes that every decision maker uses a utility function that translates each of the
possible payoffs in a decision problem into a non-monetary measure known as utility. The utility of a
payoff represents the desirability (total worth or value) of the outcome of a decision alternative to
the decision maker.

Different decision makers have different attitudes and preferences towards risk and return.

Those who are “risk neutral” tend to make decisions using the maximum EMV decision rule.

However, some decision makers are risk avoiders or “risk averse”, and others look for risk or are
“risk seekers”. The utility functions typically associated with these three types of decision makers are
shown in Figure 11.5. For convenience the utilities are represented on a scale from 0 to 1, where 0
represents the least value and 1 represents the most. Figure 11.5 illustrates how the
same monetary payoff might produce different levels of utility for three different decision makers.
The “risk neutral” decision maker who follows the EMV decision rule has a constant marginal utility
for increased payoffs. That is, every additional pound in payoff results in the same amount of
increase in utility. A “risk averse” decision maker assigns the largest relative utility to any payoff but
has a diminishing marginal utility for increased payoffs in that every additional pound in payoff
results in smaller increases in utility. The “risk seeking” decision maker assigns the smallest utility to
any payoff but has an increasing marginal utility for increased payoffs. That is, every additional
pound in payoff results in larger increases in utility.

Identify the three primary technology types important to a business and give one example of each (6
marks)

Information technology

IT is the collection, storage, processing and communication of information by electronic means.


There are various types of IT tools, which include the following:

• Software applications
• Management information systems

• Intranets

• Telematics

• Information assets

Communications technology

Communications technology includes the following:

• Conference calls.

• E-commerce using the internet

• Broadband

• E-mail

• Network systems

Control technology

Control technology consists of computer-based production control systems, which include the
following:

• Computer-aided design (CAD)

• Computer-aided manufacture (CAM)

• Flexible manufacturing systems (FMSs)

• Mechatronics

• Computer-integrated manufacture.

• Manufacturing resource planning (MRP)

• Operational research (OR)

Explain the concept of market risk of a business. (4 marks)

Market risk can be defined as “the exposure to a potential loss arising from diminishing sales or
margins due to changes in market conditions, outside of the control of the business”. (Chapman,
2012) A business needs to gain insight into the market structure (size, barriers of entry, product
diversification and number of competitors) in which the business operates. Market risk policies
should take into account business activities, objectives, the regulatory environment, competitiveness
and staff and technology capabilities. Proactive market risk management is vital for a business to
adapt to changing markets.

Mrs Jacobs has just been appointed as the new CEO of CALL4U Ltd. She approaches you as the risk
manager to gain a better understanding of the implementation of enterprise risk management
(ERM) within the company. Compile a report addressed to Mrs Jacobs in which you explain the
elements of an ERM structure. (14 marks)

ERM is composed of seven elements, namely: corporate governance, internal control,
implementation, risk management framework, risk management policy, risk management process
and sources of risk.

1.10.1 Corporate governance (board oversight)

Corporate governance is the framework of rules and practices by which a board of directors ensures
accountability, fairness and transparency in a company's relationship with all its stakeholders
(financiers, customers, management, employees, government and the community).

The corporate governance framework consists of:

• Explicit and implicit contracts between the company and the stakeholders for distribution of
responsibilities, rights, and rewards;

• Procedures for reconciling the sometimes conflicting interests of stakeholders in accordance with
their duties, privileges, and roles, and

• Procedures for proper supervision, control and information flows to serve as a system of checks
and balances.

1.10.2 Internal control (sound system of internal control)

The report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO),
Internal Control – Integrated Framework (1992), defines internal control as “a process, effected by
an entity’s board of directors, management and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations”

The aim is to accomplish this through the identification and assessment of risks facing the business
and responding to them by removing them, reducing them or, where it is economic to do
so, transferring them to a third party.

1.10.3 Implementation

Implementation of risk management can be resourced internally or externally. The parameters of
any planned actions have to be mapped, communicated and agreed so that the time factor,
resources, costs, inputs and deliverables are understood.

1.10.4 Risk management framework


The risk management framework is a basic conceptual structure used to address the risks faced by
an organisation. The purpose of the risk management framework is to assist an organisation in
integrating risk management into its management process so that it becomes a routine activity. The
framework is composed of the following five steps:

• Mandate and commitment

• Design framework

• Implement framework

• Monitor framework

• Improve framework.

1.10.5 Risk management policy

A risk management policy sets out how the risks, which have been identified by the risk assessment
procedure, will be managed and controlled. The risk management policy assigns responsibility for
performing key tasks, establishes accountability with the appropriate managers, defines boundaries
and limits and formalises reporting structures. The policy should address specific responsibilities of
the board, internal audit, external audit, the risk committee, the corporate governance committee,
the central risk function, employees and third party contractors in implementing risk management. A
policy statement defines a general commitment, direction or intention. A policy on risk management
expresses an organisation’s commitment to risk management and clarifies its general direction or
intention.

1.10.6 Risk management process

According to the international risk standard ISO 31000 (2009), a risk management process is one that
systematically applies management policies, procedures, and practices to a set of activities intended
to establish the context, communicate and consult with stakeholders, and identify, analyse,
evaluate, treat, monitor, and review risk.

1.10.7 Sources of risk

A risk source has the intrinsic potential to give rise to risk. A risk source is where a risk originates. It is
where the risk comes from.

Briefly explain the following six process activities which need to take place in the risk evaluation
stage. (6 marks)

• Sensitivity analysis

The sensitivity analysis method can be used by a business to assess how sensitive the project
outcomes are to changes in the business. The method uses one variable and examines the effect of
that specific variable on the project.

• Scenario analysis

Scenario analysis is a useful decision making method to focus on the consequences of the
combinations of events that would have been ignored by the business because they were regarded as
events that have never happened or are very unlikely to happen. The business can draw up different
views (optimistic and pessimistic scenarios) of an event to get a feel of the “upside” potential and
“downside” risk, which can be associated with a project.

• Simulation

Simulation is a method used to analyse financial or time models, where the variables may be
uncertain, for example costs, duration, opportunities or risks. Simulation can only be used when a
business has statistical software or commercially available spreadsheets.

• Monte Carlo simulation

The Monte Carlo simulation is a method used by a business to evaluate the effect of uncertainty on a
planned activity in a range of situations and uses random numbers to sample from a probability
distribution. A business can use this method to evaluate duration, demand or throughput and costs.
Refer to par. 11.8.5 of the prescribed book to understand how Monte Carlo simulation, percentiles
and correlations work, as well as the benefits of the Monte Carlo simulation method.

• Latin hypercube sampling

This sampling method is used to re-create the probability distributions specified by distribution
functions accurately and is a more modern method than the Monte Carlo simulation
method.

• Probability distributions defined from expert opinion

Some risk analysis models involve subjective estimates and thus further information needs to be
gathered by the business to get a better understanding of the analysis.

Distinguish between key risk indicators and key performance indicators. Use examples to elucidate
your answer. (4 marks)

• KRIs

KRIs refer to captured information that provides useful views of underlying risk profiles at various
levels to assist decision makers within a business. The following can be seen as the four types of
KRIs:

◦ Inherent or exposure risk indicators.

◦ Control risk indicators.

◦ Composite indicators.

◦ Model risk factors.

• KPIs

KPIs refer to high-level snapshots of the health and performance of a business based on specific
predefined measures, for example statistical information on the business. The following can be seen
as seven types of KPIs:

◦ Statutory KPIs, such as GAAP 9 or legal regulatory requirements.

◦ Profitability per business unit/product/customer.

◦ Exception reporting.

◦ Employee performance, such as assets under management or profit per customer.

◦ Competitiveness, such as market share.

◦ Cost management, such as return on assets (ROA) on IT or new delivering channel monitoring.

◦ Credit management, such as time to settlement or credit exposure.

Identify four sources of risk embraced within economic risk (2 marks)

The sources of risk embraced under economic risk include fall in demand (a shift in the aggregate
demand curve), government policies (including interest rates and trade protectionism), exchange
rates, movement in house prices and inflation.

Argue the importance of implementing economic risk management (4 marks)

Benefits derived from economic risk management include:

• Improvement of knowledge of where the government is planning public spending;

• Providing an understanding of the impact of inflation and interest on demand;

• Providing an understanding of how the short-term behaviour of the gross domestic product (GDP)
impacts employment, prices and standard of living; and

• Promoting rigorous market research before entering new markets in both the domestic and
international markets.

Ms Maria Trevor has just been appointed as the new CEO of Local Supermarket Ltd. She approaches
you as the risk manager to gain a better understanding of the implementation of risk management in
the company.

Briefly describe risk management and the seven stages in the risk management process to Ms Maria
Trevor to give her a better understanding of the implementation of risk management in Local
Supermarket Ltd (10 marks)

Identify and describe four process activities for risk analysis which can be used by a business in the
ERM analysis stage (8 marks)

• Causal analysis

The causes of any risk must be identified. It is important for the business to learn from past events to
implement risk management measures for future events.

• Decision analysis and influence diagrams

Decision analysis is used to structure decisions, uncertain/chance events and values of outcomes.
The influence diagram can be used to assist in the development and understanding of the risks and
the actions to be taken in the decision making process. Such analysis will provide a framework for
the decisions, events, managing of problems, reducing large volumes of data and sensitivity analysis
in the business.

• Pareto analysis

Pareto analysis is used to identify those risks that will have a dramatic impact on business
projects/activities and objectives. Such analysis will rank and order the risks according to their
impact so that the business can manage the high risks accordingly.

• Capital asset pricing model (CAPM) analysis

The CAPM model is used to determine the expected return of an asset in relation to its risk or risk
profile. The higher the risk, the higher the return will be for an investment. Market risk is measured
by its beta in the CAPM model.

• Define risk evaluation categories and values

It is important to conduct qualitative and quantitative assessments in the risk analysis process.
Qualitative assessments explain the impact of the risks, whereas quantitative assessment will consist
of numeric assessments, which can involve financial and timing risks. It is best to manage the most
severe risks that the business has identified.

Identify and distinguish between the three main attitudes towards risk (6 marks)

Risk neutral – The attitude towards risk that requires no change in the risk/reward balance return for
an increase in risk. Risk-neutral decision makers tend to use the EMV method with the highest monetary value.

Risk averse – The attitude towards risk that requires an increase in the return for an increase in the
risk.

Risk seeking – The attitude towards risk whereby a decreased return would be accepted for an
increase in risk.

Define and explain the importance of operational risk (6 marks)

Operational risk is “the potential for loss due to failures of people, processes, technology and
external dependencies”. The sources of risk considered to be embraced within operational risk
include business risk, crime risk, disaster risk, information technology risk, legal risk, regulatory risk,
reputational risk, systems risk and outsourcing.

Operational risk in terms of the Basel Accords has been subdivided into seven separate categories.
We examine each of these categories and briefly explain what types of risks they cover.

Internal Fraud. By and large this covers fraud by bank staff such as the stealing of assets, theft of
client information, covering up errors, intentional mismarking of positions, bribery etc.

External Fraud. This occurs where non-bank staff are involved, such as in computer hacking, third-party
theft and forgery.

Employment Practices and Workplace Safety. Inequitable staff policies, workers compensation
claims, employee health and safety issues.

Clients, Products and Business Practice. This is a very wide field and generally covers market
manipulation, antitrust issues, improper trading activities, bank product defects, fiduciary breaches,
account churning. The sub-prime mortgage debacle is a clear example of a product defect. The huge
LIBOR rate rigging scandal which has dominated the news these past few years falls into this
category as well.

Damage to Physical Assets. This covers things like natural disasters, terrorism and vandalism –
anything that results in actual damage or destruction of the bank’s physical assets. These actions
may be deliberate or purely accidental.

Business Disruption and Systems Failures. Power failures, computer software and hardware failures.
A hurricane or a flood that results in banking services being disrupted also falls into this category.

Execution, Delivery and Process Management. This covers things like data capture errors, accounting
errors, failure to meet legal reporting requirements and negligent loss of client assets.
