Study Guide - IT Risk Management 600 - Compressed


Learner Guide

Faculty of Information Technology
IT Risk Management 600
Year 1 Semester 1
INTERACTIVE ICONS USED IN THIS LEARNER GUIDE

• Learning Outcomes
• Study
• Read
• Writing Activity
• Research
• Glossary
• Key Point
• Think Point
• Problem(s)
• Case Study
• Bright Idea
• Review Questions
• Web Resource
• Multimedia Resource

FACULTY OF INFORMATION TECHNOLOGY

QUALIFICATION TITLE:
BACHELOR OF SCIENCE IN INFORMATION TECHNOLOGY

LEARNER GUIDE
MODULE: IT RISK MANAGEMENT 600

TOPIC 1: INTRODUCTION TO ENTERPRISE RISK MANAGEMENT


TOPIC 2: CORPORATE GOVERNANCE
TOPIC 3: ENTERPRISE RISK MANAGEMENT-ESTABLISHING THE CONTEXT
TOPIC 4: THE ENTERPRISE RISK MANAGEMENT PROCESS
TOPIC 5: OPERATIONAL RISK MANAGEMENT
TOPIC 6: TECHNOLOGICAL RISK MANAGEMENT
TOPIC 7: PROJECT RISK MANAGEMENT
TOPIC 8: BUSINESS ETHICS MANAGEMENT
TOPIC 9: ENTERPRISE RISK MANAGEMENT: EXTERNAL FACTORS
TOPICS BSc-IT

1 INTRODUCTION TO ENTERPRISE RISK MANAGEMENT

1.1 Introduction Lecture 1

1.2 What is enterprise risk management?

1.3 Approach to risk management

1.4 Benefits of enterprise risk management

1.5 Business growth through risk taking Lecture 2

1.6 Risk and opportunity

1.7 The role of the board


1.8 ERM Structure Lecture 3

Review questions

2 CORPORATE GOVERNANCE

2.1 Introduction Lecture 4

2.2 Definition of corporate governance

2.3 The impact of corporate governance on business

2.4 The history of corporate governance in South Africa Lecture 5

2.5 The relevance of the King III Report to risk Management

Review questions

3 ENTERPRISE RISK MANAGEMENT-ESTABLISHING THE CONTEXT

3.1 Establishing the context: Stage 1 Lecture 6

3.2 Proposal Preparation

3.3 Proposal writing

3.4 Process Mechanisms Lecture 7

3.5 Risk study process activities

Review questions

4 THE ENTERPRISE RISK MANAGEMENT PROCESS


4.1 Risk Identification: Stage 2 Lecture 8

4.2 Risk analysis: Stage 3

4.3 Risk Evaluation : Stage 4 Lecture 9

4.4 Risk Treatment: Stage 5

4.5 Monitoring and review: Stage 6 Lecture 10

4.6 Communication and Consultation: Stage 7

Review question

5 OPERATIONAL RISK MANAGEMENT

5.1 Introduction Lecture 11

5.2 Definition and scope of operational risks

5.3 Benefits and implementation of operational risks Lecture 12

5.4 Implementation of financial risk management

5.5 Strategy

5.6 People

5.7 Processes and systems Lecture 13

5.8 External events

5.9 Outsourcing

5.10 Measurement Lecture 14

Review questions

6. TECHNOLOGICAL RISK MANAGEMENT

6.1 Introduction Lecture 15

6.2 Scope of technology risk

6.3 Benefits of technology risk management

6.4 Implementation of technology risk management


6.5 Primary technology types Lecture 16

6.6 Responding to technology risk

Review question

7 PROJECT RISK MANAGEMENT

7.1 Introduction Lecture 17

7.2 Defining of project risk and project risk management

7.3 Sources of project risk Lecture 18

7.4 Benefits of project risk

7.5 Implementation of project risk management Lecture 19

7.6 PRM Processes

7.7 Project director’s role

7.8 Project team and the challenges they face Lecture 20

7.9 Techniques used to support PRM

Review questions

8 BUSINESS ETHICS MANAGEMENT

8.1 Introduction Lecture 21-22

8.2 Definition of business ethics risk

8.3 Benefits of ethics risk management Lecture 23

8.4 Factors that affect business ethics

8.5 Implementation of ethical risk management

Review questions

9 ENTERPRISE RISK MANAGEMENT: EXTERNAL FACTORS

9.1 Economic risk Lecture 24

9.2 Environmental risk

9.3 Legal risks


9.4 Political Risks

9.5 Market risk Lecture 25

9.6 Social risk

Review questions
UNIT ONE | ENTERPRISE RISK MANAGEMENT IN CONTEXT

AIM

At the end of this topic, you should be able to demonstrate, discuss and interpret
risk, risk management and ERM in an overall context and be able to assess corporate
governance in a risk-related context.

Learning Outcomes

After studying this topic you should be able to:

1. Define ERM and discuss its relevance to businesses.

2. Analyze and assess corporate governance in a risk-related context, and

3. Compile an ERM implementation strategy for an enterprise.


LEARNING MATERIAL

Unit 1 deals with Chapter 1 of the prescribed book.

1.1 INTRODUCTION

Risk management is an increasingly important business driver and stakeholders have
become much more concerned about risk. Risk may be a driver of strategic
decisions, it may be a cause of uncertainty in the business or it may simply be
embedded in the activities of the business. An enterprise-wide approach to risk
management enables a business to consider the potential impact of all types of risks
on all processes, activities, stakeholders, products and services. Implementing a
comprehensive approach will result in a business benefiting from what is often
referred to as the ‘upside of risk’.

The global financial crisis in 2008 demonstrated the importance of adequate risk
management. Since then, new risk management standards have been published,
which draw together all developments to provide a structured approach to
implementing ERM.

Many companies perceive a rise in the number and severity of the risks they face.
Some industries confront unfamiliar risks stemming from deregulation. Others worry
about increasing dependence on business-to-business information systems and
just-in-time supply/inventory systems. And everyone is concerned about emerging risks
of e-business – from online security to customer privacy. (Economist Intelligence Unit
2001)

1.2 WHAT IS ENTERPRISE RISK MANAGEMENT?

Enterprise risk management (ERM) can be viewed as a natural evolution of the
process of risk management. The Committee of Sponsoring Organizations of
the Treadway Commission (COSO) defines enterprise risk management as:
“. . . a process, effected by an entity’s board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risk to be
within its risk appetite, to provide reasonable assurance regarding
the achievement of entity objectives.”

ERM is a structured and systematic process that is interwoven with existing
management responsibilities. It provides a framework based on analysing risks
and opportunities, with an ultimate objective of creating value for the
shareholders. ERM entails the alignment of an organisation’s strategy,
processes, people, technology and knowledge to meet its risk management
purpose; and offers a systematic and integrated way of identifying and
responding to all sources of risk. ERM aims to provide a coherent framework
to deal with all risks that result from operating in the ever-changing economic
environment.

1.3 APPROACH TO RISK MANAGEMENT

Traditionally, risk management has been segmented and carried out in “silos”. However,
with the dynamic environment and the evolving nature of risk, businesses encounter
new types of risk while pursuing new business objectives. There is therefore a need for
an integrated framework for a holistic approach to risk management. Businesses have
increasingly become exposed to a whole range of risks including operational, strategic,
financial, market, compliance and regulatory risks. It is clear that an effective risk
management function, based on a broad and integrated framework, is necessary to
ensure that all risks are covered. ERM is therefore a response to the sense of inadequacy
in using a silo-based approach to manage
increasingly interdependent risks (Chapman, 2011). With ERM, risks can be managed
in a coordinated and integrated way across an entire business.

Enterprise Risk Management (ERM) is a response to the sense of inadequacy in using
a silo-based approach to manage increasingly interdependent risks. The discipline of
ERM, sometimes referred to as strategic business risk management, is seen as a
more robust method of managing risk and opportunity and an answer to these
business pressures. ERM is designed to improve business performance. It is a
relatively new approach, whereby risks are managed in a coordinated and integrated
way across an entire business. The approach is less to do with any bold breakthrough
in thinking, but more to do with the maturing, continuing growth and evolution of
the profession of risk management and its application in a structured and disciplined
way (McCarthy and Flynn 2004).

STUDY

Study the section on “Approach to risk management” par. 1.2 in Chapter 1 of the
prescribed book.

1.4 BENEFITS OF ENTERPRISE RISK MANAGEMENT

For all types of organizations, there is a need to understand the risks being taken
when seeking to achieve objectives and attain the desired level of reward.
Organizations need to understand the overall level of risk embedded within their
processes and activities. It is important for organizations to recognize and prioritise
significant risks and identify the weakest critical controls. When setting out to
improve risk management performance, the expected benefits of the risk
management initiative should be established in advance. The outputs from
successful risk management include compliance, assurance and enhanced decision-
making. Such outputs will provide benefits by way of improvements in the efficiency
of operations, effectiveness of tactics (change projects) and the efficacy of the
strategy of the business. The benefits of ERM include the following:

Enterprise risk management provides enhanced capability to:

• Align risk appetite and strategy: Risk appetite is the degree of risk, on a
broad-based level, that a business is willing to accept in pursuit of its objectives.
Management considers the business’s risk appetite first in evaluating strategic
alternatives, then in setting boundaries for downside risk.
• Minimise operational surprises and losses: Businesses have enhanced
capability to identify potential risk events, assess risks and establish
responses, thereby reducing the occurrence of unpleasant surprises and
associated costs or losses.
• Enhance risk response decisions: ERM provides the rigour to identify and
select among alternative risk responses – risk removal, reduction, transfer or
acceptance.
• Resources: A clear understanding of the risks facing a business can
enhance the effective direction and use of management time and the
business’s resources to manage risk.
• Identify and manage cross-enterprise risks: Every business faces a myriad of
risks affecting different parts of the organisation. The benefits of enterprise
risk management are only optimised when an enterprise-wide approach is
adopted, integrating the disparate approaches to risk management within a
company. Integration has to be effected in three ways: centralised risk
reporting, the integration of risk transfer strategies and the integration of
risk management into the business processes of a business. Rather than
being purely a defensive mechanism, it can be used as a tool to maximise
opportunities.
• Link growth, risk and return: Businesses accept risk as part of wealth
creation and preservation and they expect return commensurate with risk.
ERM provides an enhanced ability to identify and assess risks and establish
acceptable levels of risk relative to potential growth and achievement of
objectives.
• Rationalise capital: More robust information on risk exposure allows
management to more effectively assess overall capital needs and improve
capital allocation.
• Seize opportunities: The very process of identifying risks can stimulate
thinking and generate opportunities as well as threats. Responses need to be
developed to seize these opportunities in the same way that responses are
required to address identified threats to a business.

STUDY

Study the section on “Benefits of Enterprise Risk Management” in Chapter 1 of the
prescribed book.

1.5 BUSINESS GROWTH THROUGH RISK TAKING

Risk-taking refers to the tendency to engage in behaviors that have the potential to
be harmful or dangerous, yet at the same time provide the opportunity for some
kind of outcome that can be perceived as positive. Driving fast or engaging in
substance use would be examples of risk-taking behaviour. They may bring about
positive feelings in the moment. However, they can also put you at risk for injury,
such as an accident. Likewise, taking and managing risk is the essence of business
survival and growth.
The reality is you cannot grow a business without taking risks, and you cannot take
risks without being prepared.
Growth strategies are a real test of leadership and organization. They seek to transform
mindset and culture. They take courage and commitment. They also quickly add cost
and complexity. Failure can be serious to careers and business survival. Given the stakes
and the obvious challenges, it is surprising that success is often undermined by
incomplete or perhaps wishful thinking, loss of control or even loss of nerve.

The entire management team must incorporate the risk dimension fully into any
evaluation or discussion of performance and plans.

Organisations which are more risk conscious have for a long time known that actively
managing risk and opportunity provides them with a decisive competitive advantage.
Taking and managing risk is the essence of business survival and growth.

1.6 RISK AND OPPORTUNITY

The effective management of risks and opportunities is increasingly seen as an
important competitive differentiator, helping businesses achieve success despite
difficult economic times. Businesses continuously explore and develop opportunities
to sustain earnings and drive long-term increases in shareholder value. It is
acknowledged that in their daily activities, businesses are exposed to various risks
and that it is necessary to take certain risks to maximize business opportunities. The
Board has the overall responsibility to operate an effective risk and opportunity
management system that ensures comprehensive and consistent management of all
significant risks and opportunities. The benefits of effective risk and opportunity
management include the following:

• Improved cost certainty
• Higher economic returns
• Sustainable shareholder value
• Increased stakeholder confidence
• Reduction of costly disputes and claims
• Link growth, risk and return
• Rationalize capital
• Seize opportunities
• Improve organizational learning

IT can play several roles in the risk-opportunity relationship (figure 1):


In a typical enterprise on a typical day, IT activities, organized in IT processes, are
deployed. Events occur on a non-stop basis: important technology choices must be
made, repairs for operational incidents must be applied, software problems need to
be addressed and applications must be built. Each of these events carries risk
and opportunity.

• Value enabler
  New business initiatives almost always depend on some involvement of IT:
  - Enabling successful IT projects that support the new initiatives and, thus,
    the creation of value
  - Applying new technology or using new technology in innovative ways to
    enable new business initiatives and the creation of value

• Value inhibitor
  The reverse side of the previous statements applies as well:
  - IT-enabled business projects or investments often fail to deliver the
    expected results, so value is not delivered.
  - The enterprise may fail to identify or capture opportunities for new
    business initiatives arising from new technology.

• Value destruction
  Some IT events, especially in IT operations, can cause mild to serious
  operational disruption to the enterprise.

Source: http://www.isaca.org/Journal/Past-Issues/2009/Volume-6/Pages/Identify-Govern-andManage-ITRisk-Part-3-andnbsp-andnbsp-Techniques-and-Uses-for-Risk-IT-and-Its-S.aspx

1.7 THE ROLE OF THE BOARD

The board of directors plays an essential role in ensuring that an effective ERM
program is in place. The board’s role is to steer the corporation towards corporate
governance policies that support long-term sustainable growth in shareholder
value. The board should:

• Eliminate policies that promote excessive risk-taking for the sake of short-
term increases in stock price performance;
• Establish compensation plans that align goals to long-term value creation,
taking into consideration incentive risks;
• Ensure that appropriate risk management systems are in place to avoid
excessive risk taking, and
• Be comprised of primarily independent, diverse members, which is helpful to
assess a business’ risk profile.

The task for boards of course is to ensure the effectiveness of their risk
model. With this in mind, here are some action items for the strategic risk
management agenda for boards and CEOs to consider:
• Appoint a C-level risk leader empowered not only with the responsibility, but
with the authority to act on all risk management matters.
• Ensure that this leader is independent and can work objectively with the
company’s external advisers (external audit, legal etc.) and the governing
decision maker and oversight function (the CEO and board).
• Be satisfied as to the adequacy of the depth of current risk analysis actions,
from an identification, assessment and mitigation standpoint.
• Be confident that the risk management information board members receive
is accurate, timely, clear and relevant.

Figure 1.1 The role of the board and the integration of risk management. (Adapted
from Garratt (2003)) Reproduced with permission from The Fish Rots from the Head, B.
Garratt, Profile Books Ltd.
As illustrated in Figure 1.1 above, risk and opportunity impinge on the four main
functions of boards: policy formulation, strategic thinking, supervisory management
and accountability. Policy formulation involves setting the culture for the organisation,
which should include risk management; strategic thinking entails selecting markets to
pursue and committing resources to those markets on the strength of the risk profile
prepared; supervisory management requires businesses to put in place oversight
management and governance processes, including formal risk management
processes. Accountability relates to ensuring that risk mitigation actions have clear
owners who are charged with implementing pre-agreed actions to address the risks
identified, reporting changes in risk profiles and engaging in ongoing risk management.

1.8 ERM STRUCTURE

ERM is composed of seven elements, namely: corporate governance, internal control,
implementation, risk management framework, risk management policy, risk
management process and sources of risk.

1.8.1 Corporate governance (board oversight)

Corporate governance is the framework of rules and practices by which a
board of directors ensures accountability, fairness and transparency in a
company's relationship with all its stakeholders (financiers, customers,
management, employees, government and the community).

The corporate governance framework consists of:

• Explicit and implicit contracts between the company and the
stakeholders for distribution of responsibilities, rights, and rewards;
• Procedures for reconciling the sometimes conflicting interests of
stakeholders in accordance with their duties, privileges, and roles, and
• Procedures for proper supervision, control and information flows to
serve as a system of checks and balances.

1.8.2 Internal control (sound system of internal control)

The report of the Committee of Sponsoring Organizations of the Treadway
Commission (COSO), Internal Control – Integrated Framework (1992), defines
internal control as “a process, effected by an entity’s board of directors,
management and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations”

The aim is to accomplish this through the identification and assessment of
risks facing the business and responding to them by either removing them,
reducing them or, where it is economic to do so, transferring them to a
third party.

1.8.3 Implementation

Implementation of risk management can be resourced internally or
externally. The parameters of any planned actions have to be mapped,
communicated and agreed so that the time factor, resources, costs, inputs
and deliverables are understood.

1.8.4 Risk Management Framework

The risk management framework is a basic conceptual structure used to
address the risks faced by an organisation. The purpose of the risk
management framework is to assist an organisation in integrating risk
management into its management process so that it becomes a routine
activity. The framework is composed of the following five steps:

• Mandate and commitment
• Design framework
• Implement framework
• Monitor framework
• Improve framework

1.8.5 Risk Management Policy

A risk management policy sets out how the risks, which have been identified
by the risk assessment procedure, will be managed and controlled. The risk
management policy assigns responsibility for performing key tasks,
establishes accountability with the appropriate managers, defines boundaries
and limits and formalises reporting structures. The policy should address
specific responsibilities of the board, internal audit, external audit, the risk
committee, the corporate governance committee, the central risk function,
employees and third party contractors in implementing risk management. A
policy statement defines a general commitment, direction or intention. A
policy on risk management expresses an organisation’s commitment to risk
management and clarifies its general direction or intention.

1.8.6 Risk Management Process

According to International Risk Standard, ISO 31000 (2009), a risk
management process is one that systematically applies management policies,
procedures, and practices to a set of activities intended to establish the
context, communicate and consult with stakeholders, and identify, analyse,
evaluate, treat, monitor, and review risk.

1.8.7 Sources of risk

A risk source has the intrinsic potential to give rise to risk. A risk source is
where a risk originates. It is where the risk comes from.

STUDY

Study the section on “Structure” and the diagram showing
the ERM structure, par. 1.9 and Figure 1.2 in Chapter 1 of
the prescribed book.

REVIEW QUESTION

1. Distinguish between risk and uncertainty. Explain the relationship between risk and
opportunity for an organization like South African Airways (SAA).

2. Discuss the role of the board of directors regarding risk management.

3. What is ERM?

4. Draw a fully labelled diagram showing the ERM structure.

5. Define and explain the terms risk, risk management, risk diversity and risk taking.

1. Which of the following is true?


A. Risk is a deviation of the actual from the expected results
B. Risk implies the presence of uncertainty
C. Uncertainty arises from a person’s imperfect knowledge about future
events
D. All events have a probability of between 0 and 10

2. Which of the following is an example of a hazard?


A. Fire in a warehouse
B. Oil drums stored in a warehouse
C. Earthquakes and storms
D. Explosions

3. Corporate governance is defined in its broadest sense as


A. A formal system of accountability of the board of directors
to stakeholders
B. A formal system of accountability of the board of directors
to shareholders
C. An informal and formal relation between the corporate sector and
its stakeholders
D. An information system of accountability of the board of directors to its
stakeholders

4. Identify the option that best describes the diversification into many
unrelated areas

A. Risk management
B. Good management
C. Uncertainty reduction
D. Sustainability

5. What is Risk Evaluation?

A. looks at the combined effect of the identified risks and opportunities
B. evaluating every risk that has already taken place in a project
C. taking cognisance of every risk that happened to the competitor
D. allowing risks to happen and taking proper precautions afterward

6. What is Risk Analysis?

A. identification of the probability and impact of the identified risks
B. looks at the combined effect of the identified risks and opportunities
C. evaluating every risk that has already taken place in a project
D. taking cognisance of every risk that happened to the competitor

7. How is Database Management useful to risk management?

A. as a breakdown structure for business risk used to identify all
the resources of risk within projects and activities in the business
B. it is used when a business needs to establish the concerns and risks
that arise in a business project/activity through the various stages
C. used to capture all the information of each risk identified in the
business and is an effective way to monitor all the risks and actions
used in the management of all the identified risks
D. All of the above

8. What is money laundering all about?

A. Improper sales marketing
B. Bribery of government contracting officers
C. Misuse of money for personal interest
D. Inadequate financial accounting

UNIT TWO | CORPORATE GOVERNANCE

AIM
At the end of this unit, you should have a clear understanding of corporate
governance in an enterprise-wide risk-related context.

KEY POINTS

• Corporate governance
• King III Report
• The Companies Act, 2008 (Act No 71 of 2008)
• Basel III regulation accord
• Financial crisis

Learning Outcomes

After studying this topic, you should be able to:

• Define corporate governance.
• Outline the reasons for implementing corporate governance.
• Explain why corporate governance is important in terms of its impact on the
business areas of enterprises.
• Discuss the history of corporate governance in South Africa.
• Discuss in detail the relevance of the King III Report to risk management, and
• Discuss the implications of the King III Code of Governance Principles for South Africa.

LEARNING MATERIAL

Unit 2 deals with Chapter 2 of the prescribed book.

2.1 INTRODUCTION

Although corporate governance is usually unique to each company, it has a few
universal elements. Corporate governance controls the internal and external actions
of managers, employees and outside business stakeholders. This framework also
outlines the duties, privileges and roles of board members or directors to ensure
such individuals do not take advantage of the company’s resources. Companies may
also include information on the role of shareholders in the organization and their
responsibilities for voting on corporate issues.

Corporate governance usually outlines the goals and objectives of each business
contract. The rate of return, length of the contract, individuals who can approve
contracts and other obligations are usually included in the corporate governance
framework. Corporate governance also creates a system of checks and balances to
govern internal business departments. Such a system ensures that no one (individual
or department) dominates business decisions or operates outside the company’s
mission and values.

2.2 DEFINITION OF CORPORATE GOVERNANCE

Corporate governance refers to the relationships among the management of an
organisation, its board, its shareholders and other relevant stakeholders. It also
refers to the specific responsibilities of boards of directors and management to
maintain established relationships.

READ

Read the section on “Definition of Corporate Governance” in par.
2.17 in Chapter 2 of the prescribed book.

2.3 THE IMPACT OF CORPORATE GOVERNANCE ON BUSINESS

Corporate governance affects various business areas of an enterprise as discussed
below:

2.3.1 Employing assets efficiently

Effective corporate governance promotes the efficient use of resources within a firm
and the economy at large. When an efficient corporate governance system is in place,
debt, equity and capital flow to enterprises that are capable of investing these
resources efficiently in order to produce goods and services that are most in demand
and have the highest rate of return. In this regard, effective governance helps to grow
and protect scarce resources and to ensure that societal needs are met. Effective
governance should make it possible to replace managers who do not put scarce
resources to efficient use or who are incompetent in what they do.

2.3.2 Attracting lower-cost capital

Effective corporate governance helps enterprises to attract lower-cost capital by
improving the confidence of domestic and international investors and by assuring them
that the assets are used in the form agreed upon, whether the investment is in the form
of debt or equity. This has a positive impact on both debt and equity. For enterprises to
succeed in competitive markets, corporate managers must innovate relentlessly and
efficiently, and constantly evolve new strategies to meet changing circumstances.

2.3.3 Meeting social obligations: complying with laws and regulations

To succeed in the long term, enterprises must comply with the laws, regulations and
expectations of the societies in which they operate. Most corporations take their
corporate citizenship seriously. They contribute to civil societies' needs while some are
opportunistic and have no regard for social or environmental issues. Good corporate
governance is essential to ensure adherence to legislation as well as corporate social
responsibility principles.

2.3.4 Overall performance

If corporate governance is effective, it gives managers a holistic view of the organisation
and holds managers and the board accountable for the management of corporate assets.
Such accountability contributes to the efficient use of resources, attraction of lower-cost
capital and an increase in the responsiveness of the enterprise to society, and will
therefore lead to the improvement of corporate performance. Effective corporate
governance may not guarantee improved corporate performance at the individual firm
level, but it should increase the likelihood of managers focusing on improving the
performance of enterprises and of their being replaced when they fail to do so.

2.4 THE HISTORY OF CORPORATE GOVERNANCE IN SOUTH AFRICA

In the last few decades, the term "corporate governance" has become a buzzword
throughout the world, and is certainly not new to South Africa. The history of
corporate governance in South Africa can be found in three bodies of knowledge,
namely the Companies Act, 1973 (Act No 61 of 1973), the King I Report on Corporate
Governance of 1994, the King II Report on Corporate Governance of 2002 and the
King Code of Governance in South Africa 2009 (King III). We need to look at the
history of corporate governance in South Africa to understand the relevance of the
King II Report.

2.4.1 The Companies Act, 1973

The Companies Act, 1973 encompassed the following aspects of corporate
governance:

• It made provision for the roles, responsibility, accountability, qualification and
disqualification of directors.
• It made provision for the liability of directors and shareholders if a company acts
unlawfully or in bad faith.
• It specified that the enterprise might not supply the directors, the holding
company or subsidiaries with loans.
• It placed limitations on the allocation of share capital to directors.
• It stipulated that directors' shareholding in an enterprise must be declared.
• It placed limitations on the buying and selling of shares by directors within
certain periods.

* Please note that the Companies Act of 1973 has been replaced by the
Companies Act of 2008. Please refer to Appendix 1 for an explanation of the
new Companies Act of 2008.

2.4.2 The King Report on Corporate Governance of 1994 (King I Report)

With increasing recognition of the importance of corporate governance worldwide in the
early 1990s, the Institute of Directors (IoD) in Southern Africa appointed Mervyn King, SC to
head the committee on corporate governance. The wider definition of corporate
governance was institutionalised by the findings of the committee, together with the
aim and purpose of the King I Report, to promote the highest standard of corporate
governance in South Africa. The King I Report was unique compared with its
counterparts in other countries, with guidelines on financial reporting and its emphasis
on good social, ethical and environmental practices. It advocated an integrated
approach that took all stakeholders (not only the shareholders) into consideration, for
the greater good of society.

2.4.3 The King Report on Corporate Governance of 2002 (King II Report)

After legislative developments, locally and internationally, the 1994 King Report was
revised and replaced by the second King Report on Corporate Governance for South
Africa, 2002. The King II Report moved away from the single bottom-line principle (i.e.
profit for shareholders) to a triple bottom-line principle, which takes into account the
environmental, economic and social activities of a company. Besides reporting on their
financial performance (single bottom line), corporations must also disclose their social
and environmental performances (triple bottom line). This method places greater
emphasis on the non-financial indicators. Companies have to report on the nature and
extent of commitment to social, transformation, ethical, safety, health and
environmental management policies and practices. In a company, this is referred to as
the "triple bottom line".

2.4.4 The King Code of Governance in South Africa, 2009 (King III)

King III became necessary because of the anticipated new Companies Act of 2008 that
came into effect on 1 May 2011, and changing trends in international governance. The
review also came at a time when business ethics and corporate governance are
increasingly under the spotlight in view of recent corporate failures and the global
economic meltdown. As with King I and II, the King Committee endeavored to be at the
forefront of governance internationally, and this has again been achieved by focusing
on the importance of reporting annually on how a company has positively affected the
economic life of the community in which it operated during the year under review. In
addition, emphasis has been placed on the requirement to report on how the company
intends to enhance those positive aspects and eradicate or ameliorate any possible
negative impacts on the economic life of the community in which it will operate in the
year ahead.

King III recommends that companies generate sustainability reports according to the
Global Reporting Initiative’s Sustainability Reporting Guidelines. As of June 2010,
companies listed on the Johannesburg Securities Exchange (JSE) are expected to comply
with King III.

2.5 THE RELEVANCE OF THE KING III REPORT TO RISK MANAGEMENT

2.5.1 Consequences

Placing corporate governance in the spotlight means an automatic increase in the legal,
regulatory and reputational risks of an enterprise. Hence, certain legal mechanisms
such as the Companies Act 2008 and the JSE's listing requirements are used to enforce
the King III Report and the Code of Corporate Practices and Conduct. King III applies to
all listed companies on the JSE, banks, financial and insurance institutions and some
public sector agencies.

The consequences of corporate governance in the King III Report relate strongly to how
effectively companies enforced the King I Report in 1994. Companies with good
corporate governance will attract more foreign investments to finance their growth and
will therefore be more competitive in the corporate environment. Good corporate
governance contributes to shareholders' wealth and is a key factor in the investor
decision-making process. Investors are willing to pay a premium for good governance
for three reasons.

• They believe that the company will perform better over time, which
will mean higher share prices.
• It is a way of reducing risk by either avoiding it altogether or by coping
better with adverse events.
• The focus on corporate governance is a trend, but the reality is that
no one wants to be left behind.

2.5.2 Code of governance principles

Corporate governance principles and practices are dynamic and evolving. A code of
governance, which deals with the principles, should be studied with the report in which
recommendations of the best practices for each principle are provided. All entities should
apply the principles in the code and consider the best practice recommendations in the
report. All entities, by way of explanation, should make a positive statement about how the
principles have been applied or have not been applied. Such level of disclosure will allow
stakeholders to comment on and challenge the board on the quality of its governance.
Application will differ for each entity and is likely to change, as the aspiring nature of the
code should drive entities to improve on governance practices constantly. It is important to
understand that the “apply or explain” approach requires more consideration and
explanation of what has actually been done to implement the principles and best practice
recommendations of governance.

Each principle is of equal importance and together they form a holistic approach to
governance. Consequently, substantial application of a code of governance principles
and a report recommending best practices does not achieve compliance. The following
governance of risk principles are addressed in King III:

• Risk management is inseparable from the company’s strategic business and
business processes.
• Management should be responsible for the risk management
process.
• Management is accountable to the board for designing, implementing and
monitoring the process of risk management and integrating it into the day-to-day
activities of the company.
• All staff should practise risk management.
• The board should be responsible for the process of risk management.
• The board should approve the company’s chosen risk philosophy.
• The board should adopt a documented risk management plan.
• The board may delegate the responsibility of risk management to a dedicated
risk committee.
• Risk assessment should be performed on an ongoing basis.
• The board should approve key risk indicators for each risk, as well as tolerance
levels.
• Risk identification should be directed in the context of the company’s purpose.
• The board should ensure that key risks are quantified and are responded to
appropriately.
• Internal audit should provide independent assurance on the risk management
process.
• The board should report on the effectiveness of risk management.
• The board should ensure that the company’s reputational risk is protected.
• The board should determine the extent to which risks relating to sustainability
are addressed and reported on.
• The board should ensure that information technology (IT) is aligned with
business objectives and sustainability.
• The board should consider the risk of the unknown as part of the qualitative and
quantitative risk assessment process.
• Compliance should form part of the risk management process.

STUDY
Study the section on “King III at a glance”, Corporate
Governance and the new Companies Act of 2008
explained in Appendix 1 at the end of the Study Guide.

2.5.3 The future of corporate governance

The effectiveness of corporate governance is a decisive factor in the very survival or
demise of enterprises. For South African enterprises to be globally competitive, they
must be kept abreast of developments in the rest of the world and take corporate
governance and the King report to heart. Good governance equals good business.
Good corporate governance is largely the responsibility of corporate citizens. For an
enterprise to achieve and aspire to be a good corporate citizen, it has to empower the
board of directors to:

• disclose all practices and understand the importance of a relationship between
the board and the community;
• report annually on social, transformation, safety, ethics, health and
environmental management policies and practices;
• report on their HIV/Aids strategic plans and policies;
• disclose its formal procurement policies;
• develop and implement a clearly stated code of ethics, and
• implement the above by complying with the principles of reliability, relevance,
clarity, comparability, timeliness and verifiability.

Risk management is applied by defining a company's risk tolerance, related strategies
and policies as well as reviewing their effectiveness on an ongoing basis so that the
objectives are clearly defined. Reviewing processes are important for identifying
opportunity areas where effective management can be turned into competitive
advantages. Risk management goes far beyond simply controlling financial risks. The
reputation and future survival of an enterprise are also at stake - that is why enterprises
have to ensure that corporate governance pertaining to risk management is
transparent and disclosed to all stakeholders.

REVIEW QUESTIONS

1. Define corporate governance and discuss its impact on
businesses.
2. Discuss, giving examples, why the implementation of corporate
governance has become a requirement for businesses in South
Africa and globally.
3. Briefly discuss the history of corporate governance in
South Africa.
4. Discuss the principles of good corporate governance as identified
by the King III Report.

1. A driver training is an example of
A. Avoidance
B. Elimination
C. Transfer
D. Reduction

2. What entails the macro environment when strategizing?


A. Political, Economical, Technological and Social forces ONLY
B. Technological, Ecological, Governmental and Political forces ONLY
C. Cultural, Legal, Economical, Technological and Ecological forces ONLY
D. Political, Governmental, Legal and Ecological forces ONLY

3. Which one is not part of the PEST analysis?


A. Political factors
B. Economic factors
C. Weather factors
D. Social factors

4. Identify the correct statement:


A. Strategic decisions affect the long-term well-being of the organisation
B. Strategic decisions affect the short-term well-being of the personnel
C. Strategic decisions affect the long-term well-being of the personnel
D. Strategic decisions affect the short-term well-being of the organisation

5. Generic risks require far more attention than product-specific risks.


A. Always
B. In some cases
C. Not really
D. Apparently not

6. Questions that should be asked to assess the overall project risk include:
A. Have top managers formally committed to support the project?
B. Are end-users committed to the project and proposed system
being built?
C. Are requirements fully understood by development team and
customers?
D. A,B,C

7. Which of the following is NOT part of the micro environment?


A. Competitors
B. Customers
C. Technology
D. Publics

8. In a company’s environment, the company’s customers are part of which of the
following?
A. Internal environment
B. Micro environment
C. Macro environment
D. external environment
9. Cultural values would be part of which of the following factor in
microenvironment?
A. Economic
B. Natural
C. Social
D. Ecological

10. Growth, retrenchment and stability are examples of __________________?


A. Corporate risks
B. Business risks
C. Functional risks
D. both a and c
UNIT THREE | ENTERPRISE RISK MANAGEMENT ESTABLISHING THE CONTEXT

AIM

At the end of this unit, you will be able to identify and discuss Stage 1 of the ERM
process. Establishing the context will assist you in gaining an understanding of the
background to the business and business activities, processes or projects.

Learning Outcomes

After studying this topic you should be able to:

• Identify and explain the business process for establishing the context;

• Discuss the four process mechanisms for establishing the business context, and;

• Identify and discuss the process activities.


LEARNING MATERIAL

Unit 3 deals with Chapter 8 of the prescribed book. This section will
discuss Stage 1 of the ERM process.

3.1 ESTABLISHING THE CONTEXT: Stage 1

Stage 1 of the ERM process is establishing the context. It will form the foundation for
all the other stages in the ERM process. Establishing the context will deal with the
business as a whole as well as the business activities, processes and projects. This
stage is used to acquire accurate data and information about the whole business.
Refer to par. 8.1 to 8.3 of the prescribed book.

3.2 PROPOSAL PREPARATION

3.2.1 Planning
Prior to embarking on the written proposal it is prudent to plan the preparation of the
proposal as if it were a project in its own right. This entails obtaining answers to basic
questions such as who, what, when and how:
• who is going to write the proposal – will it be a single individual, will marketing
be involved in providing information on previous experience, is support required
for the preparation of diagrams/charts/organograms, is background research
required, are CVs required to be updated?
• what will the subject matter be, or was the information gathered during the
interview with the client so complete and precise there is no need for follow-up
questions?
• when does the proposal have to be submitted – how many copies of the proposal
are required, is the proposal to be bound or is it to be sent electronically by
e-mail; if by e-mail, should the proposal exclude photographs to cut the file size
down?
• how is the proposal to be prepared – what software is required and how will it
be accessed – and if the proposal is to be restricted to a limited number of
pages, what subjects will receive a more comprehensive treatment?

3.3 PROPOSAL WRITING

3.3.1 Task management


This technique treats the proposal as if it were a project in its own right to guide the
tasks to be carried out, the resources required to complete the activities, the sequence
in which the activities will be carried out and the outputs of each task.

3.3.2 Copying text


Consultancies have experience of writing proposals and commonly have a store of
previously completed proposal documents. As writing proposals can be very time-
consuming combined with the fact that proposals normally have several similar
elements, it is common practice for some material to be copied and pasted from
previous proposals. However, there is a danger in this practice, as the reused text may
have been evaluated as poor by previous recipients, be time-elapsed or contain
erroneous information. If the text is poorly edited, reference to other clients, projects
or locations may be left in, giving the impression the proposal was produced in haste,
was not considered important or the author’s organisation is incapable of producing
carefully crafted documents.

3.3.3 Master copy


For large proposals and particularly where there are a number of contributors it may be
appropriate to maintain a hard copy in a hardback folder subdivided with numbered
dividers. This way contributors can see how their element fits within the whole
document to avoid repetition and the use of inconsistent language or terms. Browsing
can highlight terminology, readability, presentation and sequencing issues. Regular
reviews will provide a good indication of progress. Independent assessment will identify
errors and omissions.

3.3.4 Peer review


Ensure the proposal is reviewed by peers. The proposal should be read by colleagues
experienced in preparing proposals with the view to them offering constructive criticism
regarding how it could be improved. If you have concerns about any aspect of the proposal,
draw these to the attention of the reviewer to ensure that they focus on it and address
your concerns. Adequate time should be allowed for the review. The reviewer should be
primed in advance that the document is coming, its likely length and complexity and the
timeframe within which they will have to operate. Ensure that the final proposal is proof-
read and a check is carried out that the language is clear and lucid.

The ERM process can be regulated or be constrained by the culture of business risk
management, resources and plan. It is very important for a business to take note of the
factors that can have an impact on the risk management process.

STUDY

Study the section on the “Process Controls (Constraints)” par.
8.6 in Chapter 8 of the prescribed book.

3.4 PROCESS MECHANISMS

Certain process mechanisms are used in the first stage to obtain information on the
business. They are financial analysis tools, risk management process diagnostic,
SWOT analysis and PEST analysis.

3.4.1 Financial analysis tools (ratios)

Financial ratios are used to look at the financial position and performance of a business.
These ratios are used for planning, evaluation and control purposes, to determine the
financial standing of a business and to aid in the risk analysis process.

3.4.2 Risk management process diagnostic

Some difficulties can be experienced when risk management processes need to be
implemented in a business. A risk management process must be implemented through
the support of the whole business and over an extended period. Risk management
processes that have already been put in place must constantly be reviewed to establish
the effectiveness of the processes in the business.

3.4.3 SWOT analysis

The overall performance of a business must be reviewed by looking at the business’s
“strengths, weaknesses, opportunities and threats”, also known as the SWOT analysis.

3.4.4 PEST analysis

The growth of the business is also an aspect to analyse when looking at the business in
its full context. The PEST analysis, which stands for “political, economic, social and
technology factors”, can be used to look at the market, in which the business operates.

3.5 RISK STUDY PROCESS ACTIVITIES

Certain activities need to be undertaken to construct a high-level process map of the
business activities or risk breakdown structure to aid in the other stages of the risk
management process. These activities are discussed below.

3.5.1 Clarifying and recording the business objectives

The business objectives will be the criteria against which the business strategy’s success
will be measured.

3.5.2 Understanding the business plan

The business plan should show how the business would achieve its objectives by looking
at all the factors that might have an impact on the business.

3.5.3 Examining the industry in which the business operates

It is important to understand that a business can have a very active competitive market
in which it operates. A business must know its industry and the risks associated with
that specific industry.

3.5.4 Establishing the business processes

A process map is used as a communication tool to assist businesses in better
understanding the processes by which they operate. Refer to the business process
definition in par. 8.8.4 of the prescribed book.

3.5.5 Evaluate the projected financial statements

It is important to understand the financial statements of the business because the
statements will show the financial position of the business as well as the future
position. It will indicate what resources need to be put in place to have a sound
financial position and growth in the business.

3.5.6 Resources available

A business must use its resources to the most competitive advantage in the market. If
resources are used effectively, the business can achieve a greater return on its capital
employed.

3.5.7 Change management

A business must understand that change is unavoidable and that the business must
appropriately change processes to achieve the best possible solution.

3.5.8 Marketing plan of the business

One of the dissolving factors in a business is its competitors. A competitor analysis
needs to be conducted to determine the business’ competitive advantage in the
industry/market. It is necessary for a business to be able to react to its competitor at a
faster rate due to the wide variety of information flows and technology used in
marketing techniques.

3.5.9 The compliance system

The regulatory framework in which a business operates must be embedded in the
business operations. The business must also comply with the regulatory framework.

STUDY
Study the section on “Process Activities” par. 8.8 in
Chapter 8 of the prescribed book.

REVIEW QUESTION

1. Discuss the SWOT and PEST analysis.
2. List the three questions that need to be asked
to understand the risks the business is facing
within an industry.
3. List the elements of a competitor analysis.

1. Risk projection attempts to rate each risk in two ways


A. Likelihood and size
B. Likelihood and probability
C. Likelihood and impact
D. Likelihood and impact

2. Three major categories of risks are


A. Business risks, personnel risks, budget risks
B. Project risks, technical risks, business risks
C. Planning risks, technical, personnel risks
D. Management risks, technical risks, design risks

3. A risk item checklist would contain known and predictable risks from which
of these categories?
A. Product size
B. Development environment
C. Staff size
D. all of them

4. Which of the following is a benefit of enterprise risk management?


A. Increased value of intangible assets
B. Increased organisational effectiveness
C. Improved capital allocation
D. Simplicity
5. In assessing risk it is important to consider the following
A. Top risks currently faced by the enterprise
B. The risks attached to intangible assets crucial to value
creation
C. The root causes of the identified risk
D. An oversight structure

6. Risk Management includes all of the following processes except:


A. Risk Identification
B. Risk Avoidance
C. Risk Response Planning
D. Risk Management Planning

7. An example of risk mitigation is:


A. Using proven technology in the development of a product to
lessen the probability that the product will not work
B. Purchasing insurance
C. Accepting a lower profit if costs overrun
D. a and b

8. Risk mitigation involves all but which of the following:


A. Developing system standards (policies, procedures, responsibility
standards)
B. Obtaining insurance against loss
C. Performing contingent planning
D. Developing planning alternatives

9. Mitigating risk could involve


A. identifying risks, obtaining insurance and developing alternatives
B. developing standards, buying insurance, and planning for
contingencies and alternatives
C. re-scoping the project and reassessing requirements
D. C and D

10. What is risk retention?


A. looks at the combined effect of the identified risks and opportunities
B. its risk acceptance, absorption or tolerance
C. the action of responding to an identified risk
D. is the process of determining which risks may affect as well
as establishing characteristics
UNIT FOUR | THE ENTERPRISE RISK MANAGEMENT PROCESS

AIM

At the end of this unit, you will be able to explain stages two to seven of the ERM
process. A clear understanding will be gained on the interrelationships between the
different stages in the implementation of the ERM process.

KEY CONCEPTS

Capital asset pricing model (CAPM) analysis
Communication
Gap analysis
Net present value
Probability
Risk appetite
Risk register
Risk retention
Scenario analysis

LEARNING OUTCOMES

After studying this topic, you should be able to:

• Identify and describe the ERM process for all six stages;
• Outline and discuss the process mechanisms in the ERM process for all
six stages;
• Outline and explain the ERM process activities for all six stages;
• Explain the concepts of risk identification, risk analysis, risk evaluation,
review and monitor, communications and consultation, risk appetite,
risk response strategies, internal and external communication, and
• Distinguish between key risk indicators and key performance indicators.


LEARNING MATERIAL

Unit 4 deals with Chapters 9 - 14 of the prescribed book. Each section will discuss the
remaining six stages (Stages 2 to 7) in the ERM process.
4.1 RISK IDENTIFICATION: Stage 2

Risk identification is a crucial step in the ERM process. As discussed in Study Unit 3, it is
important for a business to understand the business activities and context. In the
second stage, it is important to be able to identify the risks in the business and
understand how they fit into the overall business context.

Through risk identification, the business will be able to identify the key risks and risk
events associated with the business. The business will constantly change and grow, as
will the risks associated with it. The business will need to identify risks
on a constant basis and identify the opportunities that may arise in order to enhance its
objectives as well as risks that may reduce the likelihood of the business achieving its
objectives. Risk can also be based on two main outcomes, namely the upside and
downside of risk. Refer to par. 9.1 to 9.3 in the prescribed book.

The process inputs will deal with assumptions, business analysis, uncertain events,
lessons learnt and issues regarding the risk identification process. The process output
will be the risk register. A risk register is a tool that can be used by a business to compile
a list of all the risks identified in the business and categorise the risk according to the
impact, probability, risk owner and counter measures.

Refer to par. 9.6 in the prescribed book regarding all the factors that can have an
impact or constraint on the risk identification process.

4.1.1 Process Mechanisms for Stage 2: Risk Identification


Certain process mechanisms are used in the second stage to identify risks in the
business. The following section will briefly explain some of these mechanisms to give
you an indication of how the risk identification process could be approached:

• Risk checklist
A risk checklist is used to list all the risks that were identified on previous
projects within the business.

• Risk prompt list
A risk prompt list can be seen as a list that categorises each risk into a type or area.
Through this list, the business will be able to identify the main categories of risks
experienced within the business.

• Gap analysis
A Gap analysis can be used to identify the main risks linked to a certain activity or
project of the business. The method will assist the business to establish where the gap
is in the risk associated within the activity/project so that pro-active or reactive risk
measures can be established.

• Risk taxonomy
A Risk taxonomy can be explained as a structured checklist to break down the risks and
opportunities into manageable components, which then can be aggregated for exposure
measurement, reporting and management. This method is used in the risk taxonomy of
software development. Refer to Table 9.1 in chapter 9 of the prescribed book.

• PEST analysis
The business can also use the PEST analysis method in the identification stage to
identify the risk exposure of the business to its external environment. The business can
conduct this analysis in a workshop or brainstorming session.

• SWOT analysis

A SWOT analysis is a very easy and understandable method for a business to identify
the risks and opportunities in the business.

• Database

A risk database can be used to capture all the information of each risk identified in the
business and is an effective way to monitor all the risks and actions used in the
management of all the identified risks.

• Business risk breakdown structure

A breakdown structure for business risk is used to identify all the sources of risk within
projects and activities in the business.

• Risk questionnaire

A risk questionnaire is used when a business needs to establish the concerns and risks
that arise in a business project/activity through the various stages. The completion of
the questionnaire will show how the business employees respond to risk.

• Risk register

A risk register is used to capture information on a constant basis and to simplify
communication regarding the risks in a business project/activity. Refer to Table 9.2 in
chapter 9 of the prescribed book.

STUDY

Study the section on “Process Mechanisms (Enablers)” par. 9.7
in Chapter 9 of the prescribed book.

4.1.2 Process activities for Stage 2: Risk Identification

In the risk identification process, the activities required are the tasks that are necessary
to capture risk, uncertainty, and record the risks in a log, list or risk register. The
following activities need to be conducted:

• Clarifying the business objectives

The objectives of the business must be clear and understandable so that the risk
identification process will be able to identify the threats or opportunities that may arise
from the business objectives.

• Reviewing the business analysis

The business activities (as described in Study Unit 3) which have been identified in Stage
1: Establishing the context of the risk management process must be reviewed and
examined for sources of risk and opportunities.

• Need for risk and opportunity identification

It is essential for a business to understand the need to identify risks. A structured
method of risk identification must be implemented so that consistent risk management
can take place.

• Risk and opportunity identification
For the risk and opportunity identification process to be effective, all the
stakeholders must support it.

• Facilitation

It is important to have techniques that can be used to best identify the risks and
opportunities to suit every circumstance. Facilitation needs to be conducted through
interactive workshops to inform the business on how to identify the risks. Thus, the
responsibilities for a facilitator in an interactive workshop are as depicted in Figure 4
below.

• Gaining a Consensus on the Risks, the Opportunities and their Interdependencies

To have a consensus on the risks and opportunities is essential so that the business can
assign risks to risk owners and managers in the risk management process.

• Risk Register

A risk register will be drafted after all the process activities have been conducted. The
risk register can be used as a proactive tool in the risk identification process.

4.2 RISK ANALYSIS: Stage 3

The risk analysis stage will provide information on the likelihood of risks and
opportunities occurring and the impact of them to aid in the decision making process.
The risk analysis process will assess all the risks identified in the risk register. Ample
time should be allowed for conducting the risk analysis stage. Refer to par. 10.1 to 10.3
of the prescribed book.

READ

Read the sections on “Process Inputs” and “Process Outputs” par.
10.4 - 10.5 in the prescribed book.

The process inputs in the risk analysis process will consist of risk study parameters,
which include risk identification, risk recording, profit and loss account assessment,
balance sheet assessment and industry betas. The process outputs will be the risk
register including the assessment, which shows the probability and impact of each risk
and opportunity.

4.2.1 Process Mechanisms for Stage 3: Risk Analysis

Probability is the main process mechanism used in the risk analysis process.
Probability is shown on a scale of 0 to 1. If there is no chance of an event occurring, the
probability will be 0, and if there is a chance of the event occurring, the probability will
be 1. Refer to Table 1 for an example of probability.

It is important for a business to understand probability. For example, a business can
apply to be considered for a contract appointment to render a service to another
organisation. The particular business is one of four businesses who tendered for the
contract. Thus, each business has a probability of 25% of success in obtaining the
contract. A business will need to decide which probability distribution method and
probability impact matrix to use in the risk analysis stage. Refer to the example under
Par. 10.7.1.

4.2.2 Process activities for Stage 3: Risk Analysis

In the risk analysis process the activities that need to take place are the tasks that are
necessary to capture the likelihood of the risk occurring and the impact so that it can be
recorded in the risk register. The following activities need to be conducted:

• Causal analysis

The causes of any risk must be identified. It is important for the business to learn from
past events to implement risk management measures for future events. Refer to Figure
10.4 in the prescribed book for the main causes of event diagram, which identify the
relationships, and categories of risks.

• Decision analysis and influence diagrams

Decision analysis is used to structure decisions, uncertain/chance events and values of
outcomes. The influence diagram can be used to assist in the development and
understanding of the risks and the actions to be taken in the decision making process.
Such analysis will provide a framework for the decisions, events, managing of problems,
reducing large volumes of data and sensitivity analysis in the business. Refer to Figures
10.5 and 10.6 in the prescribed book.
• Pareto analysis

Pareto analysis is used to identify those risks that will have a dramatic impact on
business projects/activities and objectives. Such analysis will rank and order the risks
according to their impact so that the business can manage the high risks accordingly.

• Capital asset pricing model (CAPM) analysis

The CAPM model is used to determine the expected return of an asset in relation to its
risk or risk profile. The higher the risk, the higher the return will be for an investment.
Market risk is measured by its beta in the CAPM model. Refer to the section “Required
Rates of Return” in par. 10.8.4 of the prescribed book.

• Define risk evaluation categories and values

It is important to conduct qualitative and quantitative assessments in the risk analysis
process. Qualitative assessments explain the impact of the risks, whereas quantitative
assessment will consist of numeric assessments, which can involve financial and timing
risks. It is best to manage the most severe risks that the business has identified.

4.3 RISK EVALUATION: Stage 4

The risk evaluation stage will evaluate the results obtained in the risk analysis stage.
Stage 4 will focus on both the risk exposure and opportunity that may arise from a
business activity. All the information gathered in the risk analysis process is integrated
into the risk evaluation process. The risk evaluation stage will evaluate the financial
impact (loss or gain) of a risk in a business in numerical terms. Refer to par. 11.1 to 11.3
in the prescribed book.

READ

Read the sections on “Process Inputs” and “Process Outputs” par. 11.4 - 11.5 in the
prescribed book.

The process input in the risk evaluation process will consist of the risk register. The risk
register will now illustrate all the risks and risk categories in the business as well as
important information such as who the relative risk owner/manager is. The risk register
will have more background information, which can be used in the risk evaluation stage.
The process outputs will consist of the following:
• Sensitivity analysis.
• Quantitative schedule and cost risk analysis results.
• Decision tree.
• Scenario modelling.
• Investment model results.
• Revised risk register.

Refer to par. 11.6 in the prescribed book regarding all the factors that can have an
impact or constraint on the risk evaluation process.

4.3.1 Process Mechanisms for Stage 4: Risk Evaluation

This section will briefly explain the process mechanism used in the risk evaluation
process.

• Probability trees

A probability tree is a method used by a business to ensure that all possible outcomes of a
risk event have been taken into account. A probability distribution is a list of possible
outcomes with associated probabilities. Thus, a probability tree will illustrate all possible
probability distributions for a certain risk event. A probability tree can be used to illustrate
both a dependent event and an independent event. The probability of any
event (E) is a number between 0 and 1. Thus, 0 ≤ P(E) ≤ 1 and is the sum of the
probabilities of any set of mutually exclusive (only one event can occur at a time) and
non-mutually exclusive (the events cover all possible outcomes) events which equals 1.
Read par. 11.7.1 to get an understanding on how a probability tree can be used to
calculate the probabilities that may arise from an independent and a dependent event.

In some cases, a decision can have more than one possible outcome. In such an event,
the expected monetary value (EMV) is calculated by weighting each outcome, for
example successes/profits and failures/losses, by the probability assigned to it. The
theory requires that the probabilities and outcomes be determined.
The EMV will be used to select the decision alternative with the highest monetary
value. Read par. 11.7.2 and understand the examples given to illustrate how the EMV is
calculated.

• Utility theory and functions

The utility theory is used when an alternative decision does not necessarily reflect relative
attractiveness to a decision maker. In the EMV method, the decision alternative that
yielded the largest monetary value was chosen, but such a decision might not be the most
preferred decision for the business. The utility theory was adapted in an attempt to explain
why people make decisions differently than suggested by the EMV criterion. It can be
considered that business decision makers can each have a different attitude
towards certain outcomes. The utility theory will thus measure personal attitudes
towards risk by decision makers. The utility function illustrates how the same monetary
payoff/outcome might have different levels of utility for decision makers. Decision
makers can be classified under the following attitudes towards risks (Refer to Table 2):

Table 2: Risk attitudes

READ
Read par. 11.7.3 in the prescribed book and refer to Figure 11.5 on
p.205 for an illustration on the utility function.

• Decision trees

A decision tree is used to illustrate decision problems graphically. A decision tree
consists of different decision nodes, with interconnected branches, which represent the
different alternatives for a particular decision. Figure 5 depicts the typical layout of a
decision tree.

Figure 1: Decision tree illustrated graphically


The decision tree is used to determine the decision with the largest EMV.

READ

Read par. 11.7.4 in the prescribed book to understand the construction and rolling
back of a decision tree.
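
The EMV calculation and the rolling back of a decision tree described above, as an added example that is not taken from this guide or the prescribed book. The outage scenario, the node labels, the probabilities and the amounts (in R'000, negative for a loss) are all constructed for illustration.

```python
"""Roll back a decision tree to find the alternative with the largest EMV."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass
class Outcome:
    """Leaf node: a net monetary payoff (negative values are losses)."""
    label: str
    value: float


@dataclass
class Chance:
    """Chance node: (probability, child) branches whose probabilities sum to 1."""
    label: str
    branches: List[Tuple[float, "Node"]]


@dataclass
class Decision:
    """Decision node: the decision maker picks exactly one of the options."""
    label: str
    options: List["Node"]


Node = Union[Outcome, Chance, Decision]


def rollback(node: Node) -> Tuple[float, List[str]]:
    """Return (EMV, chosen alternatives) for the subtree rooted at node."""
    if isinstance(node, Outcome):
        return node.value, []
    if isinstance(node, Chance):
        probs = [p for p, _ in node.branches]
        if any(p < 0 or p > 1 for p in probs) or abs(sum(probs) - 1.0) > 1e-9:
            raise ValueError(f"probabilities at '{node.label}' must be in [0, 1] and sum to 1")
        emv, plan = 0.0, []
        for p, child in node.branches:
            child_emv, child_plan = rollback(child)
            emv += p * child_emv          # weight each outcome by its probability
            plan += child_plan
        return emv, plan
    # Decision node: keep the option with the largest EMV.
    results = [(rollback(option), option) for option in node.options]
    (best_emv, best_plan), best_option = max(results, key=lambda r: r[0][0])
    return best_emv, [f"{node.label}: {best_option.label}"] + best_plan


def option_emvs(decision: Decision) -> Dict[str, float]:
    """EMV of every alternative at a decision node, for side-by-side comparison."""
    return {option.label: rollback(option)[0] for option in decision.options}


def build_tree() -> Decision:
    """Constructed example: how to treat the risk of a data centre outage (10% a year)."""
    recovery = Decision("Recovery after outage", [
        Outcome("Emergency vendor recovery", -1500.0),
        Chance("Restore in-house", [
            (0.5, Outcome("restore succeeds quickly", -1000.0)),
            (0.5, Outcome("restore drags on", -2600.0)),
        ]),
    ])
    return Decision("Outage treatment", [
        Chance("Build a secondary site", [          # 400 up front, small loss if outage
            (0.1, Outcome("outage, site takes over", -450.0)),
            (0.9, Outcome("no outage", -400.0)),
        ]),
        Chance("Contract cloud failover", [         # 150 up front, failover may not work
            (0.1, Chance("outage", [
                (0.8, Outcome("failover works", -250.0)),
                (0.2, Outcome("failover fails", -2150.0)),
            ])),
            (0.9, Outcome("no outage", -150.0)),
        ]),
        Chance("Accept the risk", [                 # nothing up front, decide after the event
            (0.1, recovery),
            (0.9, Outcome("no outage", 0.0)),
        ]),
    ])


if __name__ == "__main__":
    tree = build_tree()
    for label, emv in option_emvs(tree).items():
        print(f"{label:26s} EMV = {emv:8.1f}")
    best_emv, plan = rollback(tree)
    print("Largest EMV:", best_emv, "->", plan)
```

In this constructed case the largest EMV belongs to accepting the risk, which is the situation the utility theory section addresses: a risk-averse decision maker may still prefer one of the other alternatives.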

• Markov chain

The Markov chain method is used to combine the ideas of probability with those of
matrix algebra. It assumes that the probabilities remain fixed over time but the system
being used is able to change from one position to another. These fixed variables will be
used as transition possibilities.

• Investment appraisal

The investment appraisal method is used when a business needs to decide which
project to embark on. Such projects are usually high capital investment projects and it
is thus required by the business to decide which project will be feasible, affordable and
successful. The business must consider the risks as well as the benefits of each project.
Four techniques can be used by the business to decide which project to embark on.
Please refer to these techniques in Table 3 below.

Table 3: Investment appraisal techniques

Technique                     Description

1. Average rate of return     The ARR is an average annual return expressed as a
                              percentage of initial cost of the project.

2. Payback period (PP)        The number of years required to recover an initial
                              investment. It considers the timing of cash flows and
                              therefore the time value

3. Net present value (NPV)    The difference between the initial investment amount and
                              the present value of a project’s expected future cash
                              flows, discounted at the appropriate cost of capital. The
                              NPV is a direct measure of the value a project creates for a

4. Internal rate of return    The discount rate that makes NPV equal to 0 or the discount
   (IRR)                      rate that makes the present value of an investment’s costs
                              equal to the present value of the investment’s benefits. The
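
The four techniques in Table 3 applied to two projects, as an added example that is not taken from this guide or the prescribed book. The projects, their cash flows (R'000), the 10% cost of capital, the even spread of cash within a year used for the payback period, and the reading of "average annual return" as average annual profit after recovering the initial cost are all assumptions made for illustration.

```python
"""ARR, payback period, NPV and IRR for a list of yearly cash flows.

cash_flows[0] is the initial investment (negative); cash_flows[t] is the
net cash inflow at the end of year t.
"""
from typing import Dict, List, Optional


def npv(rate: float, cash_flows: List[float]) -> float:
    """Present value of all cash flows, discounted at `rate`, net of the investment."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: List[float], low: float = -0.99, high: float = 10.0,
        tol: float = 1e-10) -> float:
    """Discount rate at which NPV equals 0, found by bisection on [low, high]."""
    f_low, f_high = npv(low, cash_flows), npv(high, cash_flows)
    if f_low * f_high > 0:
        raise ValueError("NPV does not change sign on the search interval")
    while high - low > tol:
        mid = (low + high) / 2
        f_mid = npv(mid, cash_flows)
        if f_low * f_mid <= 0:
            high = mid                    # root lies in the lower half
        else:
            low, f_low = mid, f_mid       # root lies in the upper half
    return (low + high) / 2


def payback_period(cash_flows: List[float]) -> Optional[float]:
    """Years needed to recover the initial investment, or None if never recovered."""
    outstanding = -cash_flows[0]
    for year, inflow in enumerate(cash_flows[1:], start=1):
        if inflow >= outstanding:
            # Assumption: cash arrives evenly during the year, so interpolate.
            return (year - 1) + (outstanding / inflow if inflow else 0.0)
        outstanding -= inflow
    return None


def average_rate_of_return(cash_flows: List[float]) -> float:
    """Average annual profit as a fraction of the initial cost of the project."""
    initial = -cash_flows[0]
    years = len(cash_flows) - 1
    average_profit = (sum(cash_flows[1:]) - initial) / years
    return average_profit / initial


def appraise(projects: Dict[str, List[float]], cost_of_capital: float) -> Dict[str, Dict]:
    """Apply all four techniques to every project."""
    return {
        name: {
            "arr": average_rate_of_return(flows),
            "payback": payback_period(flows),
            "npv": npv(cost_of_capital, flows),
            "irr": irr(flows),
        }
        for name, flows in projects.items()
    }


# Constructed projects: same initial cost, different timing of the inflows.
PROJECTS = {
    "A": [-1000.0, 400.0, 400.0, 400.0, 400.0],   # steady inflows
    "B": [-1000.0, 100.0, 300.0, 500.0, 900.0],   # inflows arrive late
}

if __name__ == "__main__":
    for name, r in appraise(PROJECTS, cost_of_capital=0.10).items():
        print(f"Project {name}: ARR {r['arr']:.1%}  payback {r['payback']:.2f} y  "
              f"NPV {r['npv']:.1f}  IRR {r['irr']:.2%}")
```

The two projects rank differently depending on the technique: A recovers its cost sooner and has the higher IRR, while B has the higher ARR and the higher NPV at a 10% cost of capital.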

4.3.2 Process activities for Stage 4: Risk Evaluation

In the risk evaluation process, the following activities can be conducted:

• Basic concepts of probability

Refer to par. 11.8.1 of the prescribed book to understand the basic principles of
probability, which can be used by a business to measure expected outcomes for
mutually exclusive and non-mutually exclusive events.

• Sensitivity analysis

The sensitivity analysis method can be used by a business to assess how sensitive the
project outcomes are to changes in the business. The method uses one variable and
examines the effect of that specific variable on the project.

• Scenario analysis

Scenario analysis is a useful decision making method to focus on the consequences of
the combinations of events that would have been ignored by the business because it
was regarded as an event that has never happened or is very unlikely to happen. The
business can draw up different views (optimistic and pessimistic scenarios) of an event
to get a feel of the “upside” potential and “downside” risk, which can be associated
with a project.

• Simulation
Simulation is a method used to analyse financial or time models, where the variables may
be uncertain, for example costs, duration, opportunities or risks. Simulation can only be
used when a business has statistical software or commercially available spreadsheets.

• Monte Carlo simulation

The Monte Carlo simulation is a method used by a business to evaluate the effect of
uncertainty on a planned activity in a range of situations and uses random numbers to
sample from a probability distribution. A business can use this method to evaluate
duration, demand or throughput and costs. Refer to par. 11.8.5 of the prescribed book
to understand how Monte Carlo simulation, percentiles and correlations work, as well
as the benefits of the Monte Carlo simulation method.

• Latin hypercube sampling

This sampling method is used to re-create the probability distributions specified by
distribution functions accurately and is a more modern technology method than the
Monte Carlo simulation method.
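
Monte Carlo simulation and Latin hypercube sampling run on the same cost model, as an added example that is not taken from this guide or the prescribed book. The three cost items, their three-point estimates (R'000), the choice of a triangular distribution and the assumption that the items are independent are all constructed for illustration.

```python
"""Total project cost under uncertainty: plain Monte Carlo vs Latin hypercube."""
import random
import statistics
from math import sqrt
from typing import Callable, Dict, List

# Constructed three-point estimates per cost item: (low, most likely, high).
COST_ITEMS = {
    "hardware": (200.0, 250.0, 300.0),
    "software licences": (80.0, 100.0, 140.0),
    "migration labour": (120.0, 150.0, 240.0),
}
# Mean of a triangular distribution is (low + mode + high) / 3.
ANALYTIC_MEAN = sum((lo + mode + hi) / 3 for lo, mode, hi in COST_ITEMS.values())


def triangular_ppf(u: float, low: float, mode: float, high: float) -> float:
    """Inverse CDF: map a uniform number u in [0, 1] to a triangular sample."""
    cut = (mode - low) / (high - low)
    if u < cut:
        return low + sqrt(u * (high - low) * (mode - low))
    return high - sqrt((1 - u) * (high - low) * (high - mode))


def monte_carlo_uniforms(n: int, rng: random.Random) -> List[float]:
    """Plain Monte Carlo: n independent random numbers."""
    return [rng.random() for _ in range(n)]


def latin_hypercube_uniforms(n: int, rng: random.Random) -> List[float]:
    """Latin hypercube: exactly one draw from each of n equal strata, shuffled."""
    u = [(i + rng.random()) / n for i in range(n)]
    rng.shuffle(u)      # random pairing keeps the cost items independent
    return u


def simulate_total_cost(n: int, sampler: Callable, seed: int) -> List[float]:
    """Return n simulated totals; each item is sampled with `sampler`."""
    rng = random.Random(seed)
    totals = [0.0] * n
    for low, mode, high in COST_ITEMS.values():
        for i, u in enumerate(sampler(n, rng)):
            totals[i] += triangular_ppf(u, low, mode, high)
    return totals


def percentile(values: List[float], q: float) -> float:
    """q-th percentile (0 to 100) with linear interpolation."""
    ordered = sorted(values)
    pos = (len(ordered) - 1) * q / 100
    lo = int(pos)
    hi = min(lo + 1, len(ordered) - 1)
    return ordered[lo] + (ordered[hi] - ordered[lo]) * (pos - lo)


def summarise(totals: List[float]) -> Dict[str, float]:
    """Mean and the P10 / P50 / P90 percentiles of the simulated totals."""
    return {"mean": statistics.fmean(totals), "p10": percentile(totals, 10),
            "p50": percentile(totals, 50), "p90": percentile(totals, 90)}


def spread_of_mean(sampler: Callable, n: int, runs: int) -> float:
    """Standard deviation of the estimated mean over `runs` different seeds."""
    means = [statistics.fmean(simulate_total_cost(n, sampler, seed)) for seed in range(runs)]
    return statistics.pstdev(means)


if __name__ == "__main__":
    print(f"analytic mean = {ANALYTIC_MEAN:.2f}")
    for name, sampler in (("Monte Carlo", monte_carlo_uniforms),
                          ("Latin hypercube", latin_hypercube_uniforms)):
        s = summarise(simulate_total_cost(1000, sampler, seed=1))
        print(f"{name:16s} mean {s['mean']:.2f}  P10 {s['p10']:.1f}  "
              f"P50 {s['p50']:.1f}  P90 {s['p90']:.1f}  "
              f"spread of mean {spread_of_mean(sampler, 1000, 20):.3f}")
```

Because every stratum of each input distribution is sampled exactly once, the Latin hypercube estimate of the mean varies far less from run to run than the plain Monte Carlo estimate at the same sample size.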

• Probability distributions defined from expert opinion

Some risk analysis models involve subjective estimates and thus further information
needs to be gathered by the business to get a better understanding of the analysis.

4.4 RISK TREATMENT: Stage 5

The risk treatment stage will assist the business to design a specific action plan and
produce strategic responses to address the risks and opportunities identified in the
business to secure business objectives. This stage is vital in the risk management
process because the risk strategy responses and action plan must be prepared and
implemented effectively into the business. Refer to par. 12.1 to 12.3 in the prescribed
book.

The process inputs in the risk treatment process will be the risk register, industry betas
and a description of the business risk appetite, and details of existing insurance policies.
The process outputs will be the risk response (i.e. remove, reduce or transfer) actions.

Refer to par. 12.6 in the prescribed book regarding all the factors that can have an
impact or constraint on the risk treatment process.

4.4.1 Process Mechanisms for Stage 5: Risk Treatment


This section will briefly explain the process mechanisms used in the risk treatment
process.

• Resolution strategy

The resolution strategy is a technique used by a business to respond to a particular
recurring risk.

• Risk response flow chart

A risk response flow chart is used to illustrate the decision options used to arrive at a
risk response category. The chart will assist decision makers in a business to determine
whether it is more appropriate to transfer a risk than to remove it. Refer to par. 12.7 in
Chapter 12 of the prescribed book.

4.4.2 Process activities for Stage 5: Risk Treatment

The process activities in the risk treatment stage assist in transforming the prioritized
list of risks in the business into a concrete plan of action for risk resolution. It is
important to understand the activities that need to be implemented to design an
effective risk action plan.

prescribed book.

4.4.3 Risk appetite

Risk appetite can also be referred to as risk attitude, tolerance, preference or capacity.
The definition for risk appetite is the amount of risk a business is prepared to tolerate
(be exposed to) at any point in time. A business risk appetite can vary according to its
objectives, culture, environment, perceived financial exposure to certain risks and risk
attitudes (risk neutral, seeking and averse). It is very important for a business to
determine its risk appetite/tolerance and inform its senior managers about the
business risk culture in which it operates. Senior managers must assist the board in
implementing decisions on projects within business risk tolerance levels.

4.4.4 Risk response strategies

The following risk response strategies can be used by a business in the risk
treatment stage:

• Risk reduction
Risk reduction can also be referred to as treatment or mitigation. Risk reduction can be
seen as risk diversification (reduction of risks by distribution) for example, where a
business invests in multiple stocks to reduce risk and the impact of the risk. Two
approaches to reduce risk can be followed, namely:

o reducing the likelihood of a risk occurring; and
o limiting the loss should the risk materialize.

Methods used by a business to reduce the likelihood of occurrence or impact of risk are
protection, controls, maintenance and risk spreading.

• Risk removal

Risk removal can also be referred to as avoidance, elimination, exclusion and
termination. Risk removal is used to eliminate a risk when a negative outcome/impact
or high-risk exposure is anticipated. For example, doing business with a country that has
political uncertainty may be too risky to make the opportunity worthwhile (a potential
for loss has been eliminated). When a business wants to remove risk, factors such as
opportunity, business objectives and costs involved must be considered. All three of
these concepts must be taken into regard. Examples are when a business decides not to
introduce a new product, ends the production of an existing product or ceases
operations that have been carried out in the past.

• Risk reassignment or transfer

Risk reassignment is the strategy used to transfer risk to another entity, business or
organisation. Businesses can use contracts and financial agreements to transfer risk to a
third party. Risk transfer does not reduce the severity of the risk but does increase the
impact of the risk. The most common method of risk transfer is insurance. For example,
the financial consequences of the loss are transferred to the insurance company. When a
business transfers risk the business must consider the objectives of the parties, ability
to manage the risk, risk context and cost effectiveness of the transfer.

• Risk retention

Risk retention is also referred to as acceptance, absorption or tolerance. A business can
be in the position to only be able to accept the risk as the alternative methods, for
example risk removal, reduction and transfer are not available; or it can be more
economical to the business to accept the risk. In the risk retention strategy the options
available, timing and the ability to absorb the risk must be considered.
4.5 MONITORING AND REVIEW: Stage 6

The risk monitoring and review stage is a key stage in the ERM process. It may become
necessary for a business to review all the previous stages in the risk management
process because new information became available or circumstances changed in the
business. The monitoring and review stage must be carried out in order to increase the
success of the implementation of the entire ERM process. Refer to par.
13.1 to 13.3 of the prescribed book.

The process input in the risk monitoring and review stages will be the risk register,
where the business can go back to and review all the risks in the register. The process
outputs will be regular updates of the risk register and reports on the effectiveness of
the risk response actions.

Refer to par. 13.6 of the prescribed book regarding all the factors that can have an
impact or constraint on the risk monitoring and review process.

4.5.1 Process Mechanisms for Stage 6: Monitoring and Review

Two primary mechanisms can be used in this stage, namely meeting agendas and
pro formas (refer to par. 13.7 in the prescribed book).

4.5.2 Process activities for Stage 6: Monitoring and Review

In the risk monitoring and review process the activities that need to take place are the
tasks that are necessary to ensure that this stage is managed proactively which
executes responses, monitors effectiveness and then intervenes to implement
corrective action. The following activities need to be conducted:

• Executing

All the actions planned in the risk treatment stage to respond to risks and opportunities
must be effectively executed by the business.

• Monitoring

When executing action plans, it is vital to monitor progress to differentiate the
movement in risk exposure. Monitoring is the collection of information on the risk for
later use. The monitoring process must identify the successes achieved in the planned
responses to the risks and opportunities and be able to identify the changes in the
business environment, which might lead to new emerging risks. Thus, the monitoring
and review processes implemented by the business can improve business knowledge
on the lessons learned to improve the future ERM process.

• Controlling
The controlling process is based on the information gathered in the monitoring process
to form decision-making. It means the business must understand who needs what
information for what purpose and when. To give a manager control, the control
activities must adhere to the following seven specifications:

o Control is a principle of economy.
o Controls must be meaningful.
o Controls have to be appropriate to the character and nature of the
  phenomenon measured.
o Measurements have to be congruent with the events measured.
o Controls have to be timely.
o Controls need to be simple.
o Controls must be operational.

4.6 COMMUNICATION AND CONSULTATION: Stage 7

The risk communication and consultation stage will be used across all the other ERM
process stages. It is essential for a business to understand how effectively the process
outputs of each stage are communicated and understood by decision makers. Refer to
par. 14.1 to 14.3 of the prescribed book.

The process inputs in the risk communication and consultation process will consist of
the risk register, risk responses, response progress, early warning indicators and Key
Performance Indicators (KPI’s). The process outputs will be the risk reports, press
releases, internal e-mails, company internet site, internal newsletters and posters.
Refer to par. 14.6 of the prescribed book regarding all the factors that can have an
impact or constraint on the risk communication and consultation process.

4.6.1 Process Mechanisms for Stage 7: Communication and Consultation

Three primary mechanisms can be used in this stage. They are as follows:

• Generic communication and consultation plan
• Templates for posters and newsletters
• Project database

4.6.2 Process activities for Stage 7: Communication and Consultation
In the risk communication and consultation process, the activities that need to
take place are the tasks that are necessary to ensure that the overall risk
management process is effective. Refer to par. 14.8 of the prescribed book.

4.6.3 Internal communication


A business must ensure that it effectively implements an internal communication and
reporting process/system to increase accountability and ownership of risk and
opportunity management. Refer to par. 14.9 of the prescribed book to understand the
different communication processes to implement.

4.6.4 External communication


A business must also ensure that it effectively implements an external communication
and reporting process/system so that it will be able to deliver open and honest
information on the risks faced in the business and how the business responds to such
risks. Refer to par. 14.10 of the prescribed book to understand the different processes
to implement.

STUDY

Study the sections on “Internal Communication” and “External Communication” in
Chapter 14 of the prescribed book.

4.6.5 Key risk indicators vs key performance indicators

A business must clearly distinguish between key risk indicators (KRI) and key
performance indicators (KPI).

• KRI’s

KRI’s refer to captured information that provides useful views of underlying risk profiles
at various levels to assist decision makers within a business. The following can be seen
as the four types of KRI’s:

o Inherent or exposure risk indicators.
o Control risk indicators.
o Composite indicators.
o Model risk factors.

• KPI’s
KPI’s refer to high level snapshots of the health and performance of a business based on
specific predefined measures, for example statistical information on the business. The
following can be seen as seven types of KPI’s:

o Statutory KPI’s, such as GAAP or legal regulatory requirements.
o Profitability per business unit/product/customer.
o Exception reporting.
o Employee performance, such as assets under management or profit per customer.
o Competitiveness, such as market share.
o Cost management, such as return on assets (ROA) on IT or new delivering channel
  monitoring.
o Credit management, such as time to settlement or credit exposure.

REVIEW QUESTION

1. Discuss the importance of risk identification in the ERM process.
2. Facilitation is an important process to use in the risk identification
stage. Discuss the responsibilities of a facilitator.
3. Discuss probability as a process mechanism for the risk analysis stage.
4. Draw a graph, which illustrates the utility function within the risk
evaluation stage.
5. Define investment appraisal as a concept in the risk evaluation stage.
6. Discuss risk appetite as a risk treatment strategy in a business.
7. Outline the seven specifications required by a manager to implement a control
process in the monitoring and review stage.
8. Discuss internal and external communication within the ERM process.
9. Distinguish between key risk indicators and key performance indicators.

1. Risk tables are sorted by


A. Probability and cost
B. Probability and impact
C. Probability and size
D. Probability and exposure
2. An effective risk management plan will need to address which of the following
issues?
A. Risk avoidance
B. Risk monitoring
C. Contingency planning
D. all of the above
3. Hazard analysis focuses on the identification and assessment of potential
hazards that can cause
A. Project termination
B. Schedule slippage
C. External problems
D. Entire system to fail

4. Which of the following is not a component of a risk management
structure/framework
A. Risk management process
B. Community governance
C. Corporate governance
D. Internal control

5. The impact of corporate governance on business areas of the enterprise include
the following
A. Employing assets efficiently
B. Meeting economic obligations
C. Improving overall performance
D. Attracting lower cost-capital

6. A SWOT analysis is an example of


A. position analysis
B. risk analysis
C. strategic analysis
D. shareholder value analysis

7. Which of the following is not a limitation of SWOT analysis:


A. Organisational strength may not lead to competitive advantage
B. SWOT gives a one shot view of a moving target
C. SWOT focus on the external environment is too broad and integrative
D. SWOT overemphasises a single dimension of strategy

8. Which of the following is correct:


A. risk is a deviation of the actual from the expected results
B. Risk implies the presence of uncertainty
C. Uncertainty arises from a person’s lack of knowledge about future
events
D. all events have a probability between 0 and 10

9. A risk flow-chart
A. is a strategy used to transfer risk to another entity, business or
organisation
B. is avoidance, elimination, exclusion and termination of a risk
due to negative outcomes
C. is risk mitigation, thus reduction by distribution
D. is used to illustrate the decision options used to arrive at a risk
response category

10. In ERM, simulation talks about


A. potential worst case loss at a specific confidence level over a
certain period of time.
B. potential worst case loss over indefinite period of time.
C. money in risk management.
D. is a method used to analyse financial or time models, where the
variables may be uncertain

UNIT FIVE | OPERATIONAL RISK MANAGEMENT

AIM

At the end of this unit, you will be able to point out the elements, attributes and
features of operational risk and describe an appropriate response strategy in view of
ERM.

LEARNING OUTCOMES

After studying this topic, you should be able to:

• Define and explain the importance of operational risk;
• Outline and discuss the benefits of operational risk;
• Discuss the factors influencing a sound operational risk management system;
• Outline and discuss the elements of operational risk, and
• Discuss the measurement and mitigation of operational risk.

LEARNING MATERIAL

Unit 5 is based on Chapter 16 of the prescribed book.


5.1 INTRODUCTION

This chapter examines one of the internal processes, called operational risk.
Operational risk is the exposure of an enterprise to losses resulting from people,
processes, systems and external events. Operational risk is present in all organisations
and can affect a firm’s solvency, the fair treatment of its clients and the incidence of
financial crime.

5.2 DEFINITION AND SCOPE OF OPERATIONAL RISK

Peccia (2001) defines operational risk as “the potential for loss due to failures of people,
processes, technology and external dependencies”. The sources of risk considered to be
embraced within operational risk include business risk, crime risk, disaster risk,
information technology risk, legal risk, regulatory risk, reputational risk, systems risk
and outsourcing. Refer to par 16.1 of the prescribed book for more details.

5.3 BENEFITS AND IMPLEMENTATION OF OPERATIONAL RISK

Operational risk management affords a business various benefits. The development of a
sound system of operational risk depends on a number of issues.
Operational risk management affords a business benefits by:

• Improving the ability to achieve its business objectives.
• Providing management the opportunity to focus on revenue generating activities rather
  than firefighting one crisis after another.
• Minimising day-to-day losses.
• Providing a more robust enterprise risk management system.
• Contributing to the establishment of a system, which enables the correlation of different
  classes of risk to be understood and, where appropriate, modelled.

5.4 IMPLEMENTATION OF FINANCIAL RISK MANAGEMENT


The development of a sound system of operational risk management will depend on a
number of issues such as:

• The risk management system not overly constraining risk taking, slowing down decision
  making processes or limiting the volume of business undertaken.
• The implementers of the risk management framework being separate individuals to the
  managers of the individual business units.
• Risks being managed at an appropriate level in the organisation.
• The development of a culture which rewards the disclosure of risks when they exist,
  rather than encouraging managers to hide them.

5.5 STRATEGY

The business strategy is the overall approach to achieving business objectives.
According to Chapman (2011), adopting the wrong business strategy, failing to execute
a well-thought-out strategy and not modifying a successful strategy over time, are
examples of operational risk.
5.4.1 Definition of strategy risk
A business’s strategy is a business’s overall approach to achieving its objectives.
Objectives are the results required within a particular timeframe, and results are the
measure of performance.

Strategy is a description of what the business will do and the rationale behind it. For
example, Virgin Mail Order’s early strategy for music record sales was to compete in the
market place by
means of mail order (as its company name suggests), undercutting record sale prices
offered by the existing well-established high street retailers. Adopting the wrong
business strategy, failing to execute a well thought-out strategy or not modifying a
successful strategy over time to reflect changes in the business environment are forms
of operational risk. Strategic risk, then, may be defined as the risk associated with initial
strategy selection, execution or modification over time, resulting in a lack of
achievement of overall objectives.

5.6 PEOPLE

There is always a human factor to consider in undertaking any business activity. The
knowledge, experience, capability and reliability of the persons involved in all of the
business processes are critical risk factors. People risk continues to be the major
contributing factor in many dramatic failures and, despite the difficulties of measuring this
kind of risk, it needs to be targeted in any programme aimed at improving risk
management. People risk may therefore be defined as a combination of the detrimental
impact of employee behaviour and employer behaviour. The following serve as
examples of people risk:

• Absenteeism rates
• Labour turnover
• Accident rates
• Productivity
• Quality of finished goods customer satisfaction

READ

Read the sections on “People” and “Figure 16.3: Taxonomy of People Risk” in
Chapter 16 of the prescribed book.

5.7 PROCESSES AND SYSTEMS

According to Chapman (2011), processes and systems risk is the failure of processes or
systems due to their poor design, complexity or non-performance resulting in
operational losses. Consequently, a business may experience problems such as inability
to meet orders, poor quality control and fraud and information security failure.
READ

Read “Figure 16.5: Taxonomy of Processes and Systems Risk” in chapter 16 of the
prescribed book.

5.8 EXTERNAL EVENTS

External events are events that occur outside the business which may require a
response in the form of change management or the establishment of contingency
events to cope with, e.g. natural catastrophes.

5.9 OUTSOURCING

Modern organizations, in order to reduce operational costs and become more
competitive, have designed and implemented several key strategies. One is that of
outsourcing. Outsourcing produces multiple benefits, the most important being the
following: reduced costs, a reorganized staff structure, an increased level of working
capital, improved quality of products and services and a reduced level of business
risk. It also eliminates some conflicts with the workers, while decreasing some wasteful
activities.

5.10 MEASUREMENT

It is necessary to measure the impact of those issues likely to have the greatest
detrimental effect on the operation of the business. Measurement enables businesses
to set aside monies to cope with adverse events and to know the extent of insurance
required.

REVIEW QUESTION

1. Define operational risk.
2. With the aid of examples, identify the operational risks faced by South African
Airways (SAA).
3. What are the benefits to SAA of implementing operational risk management?
4. What measures can SAA put in place to mitigate operational risks?
5. Briefly discuss people as one of the main underlying risk factors comprising
operational risk management.

1. Which factors affect the probable consequences likely if a risk does occur?
A. Risk cost
B. Risk timing
C. Risk scope
D. Risk resources

2. A risk referent level is a risk component value (performance, cost, support,
and schedule) or combination of values that cause a project to be terminated.
A. Risk shifting
B. Risk avoidance
C. Exactly as illustrated
D. False

3. The reason for refining risks is to break them into smaller units having different
consequences.
A. Guaranteed
B. Generally
C. Correct
D. Wrong

4. Risk monitoring involves watching the risk indicators defined for the project and
not determining the effectiveness of the risk mitigation steps themselves.
A. Absolutely
B. Accurate
C. True
D. Falsified
5. The word tactic is most likely to be associated with:
A. Business Risk
B. Corporate Risk
C. Operational Risk
D. Functional Risk

6. ABSA suffers loss due to adverse market movement of a security. The security was
however held beyond the defeasance period. What is the type of the risk that the
bank has suffered?
A. Market Risk
B. Operational Risk*
C. Market Liquidation Risk
D. Credit Risk

7. Sanjeev was just named Risk Manager of ABC Company. He has decided to create a
risk management program which considers all of the risks faced by ABC—pure,
speculative, operational, and strategic—in a single risk management program. Such a
program is called a
A. financial risk management program.
B. enterprise risk management program.
C. fundamental risk management program.
D. consequential risk management program.
UNIT SIX | TECHNOLOGICAL RISK MANAGEMENT

AIM

At the end of this unit, you will be able to describe technology risk management,
identify the primary types of technology of interest to organizations, sources of risk
and possible responses.

KEY CONCEPTS

• Technology risk
• Communications technology
• Information technology (IT) governance
• Broadband
• Electronic (E)-commerce
• Control technology.

LEARNING OUTCOMES

After studying this topic, you should be able to:

• Define technology risk.
• Discuss the scope and benefits of technology risk.
• Discuss the types of technology and the risks associated with each IT tool; and
• Discuss how businesses respond to technology risk.

LEARNING MATERIAL

Unit 6 is based on Chapter 17 of the prescribed book.

6.1 INTRODUCTION

Chapter 18 of the prescribed book examines the internal processes, called technological
risk. The majority of today’s technologies are information, communication and controls.
These technologies can raise productivity, lower costs and drive growth of
organisations. Changes in technology can therefore be both an opportunity and a
threat in terms of market share and market development. Although there is a wide
range of technologies, the common ones considered important to business and
discussed in this chapter are information, communication and control. The chapter
deals with the definition of technology risk management, the primary types of
technologies essential to business, sources of risk and possible responses.

6.2 SCOPE OF TECHNOLOGY RISK

A sample of the sources of risk that are considered to be embraced within the term
“technology risk” is recorded below. The potential list is considerable. Any examination of
the sources of risk needs to be tailored to the specific activities of a business.

• Lack of investment in technology and the resultant erosion of ability to compete.
• Inadequate technology governance and in particular IT governance.
• Inadequate management of outsourcing.
• Lack of alignment of IT to the business objectives.
• Inadequate protection against viruses, hacking and loss of confidentiality of
information.
• Inadequate flexibility of production to be able to economically produce small
production runs.

6.3 BENEFITS OF TECHNOLOGY RISK MANAGEMENT

The benefits of implementing and embedding technology risk management in an
organisation are discussed in the prescribed book. Technology risk management affords
a business benefits as it:

• Improves the quality of information for decision making. Business leaders who
succeed will take advantage of a new way of doing business based on the
increasing velocity of information and building advanced processes and
products faster than the competition.
• Sets out the risks to investment in technology and promotes a proactive approach to
managing technology projects.
• Maps the threats to existing business practices from emerging business-to-
customer relationships. Gates claims “Today US businesses are ahead of
businesses in other countries in the adoption of digital technologies. The many
reasons include an openness to risk taking, individual empowerment and labour
mobility” (Gates 1999).
• Draws attention to exposure to the loss of market share arising from a competitor’s
improvement in product design.
• Forces a continuous review of developments in technology within manufacturing processes
(technology advances can improve productivity).
• Provides insights into the disbenefits of not aligning technology to strategy and business
operations.

To get the full benefit of technology, business leaders will streamline and
modernise their process and their organisation. The goal is to make business
reflex nearly instantaneous and to make strategic thought an ongoing, iterative
process, not something done every 12 to 18 months, separate from the daily
flow of the business (Gates 1999).

READ

Read the section on the “Benefits of Technology Risk Management” par. 17.3 in the prescribed
book.

6.4 IMPLEMENTATION OF TECHNOLOGY RISK MANAGEMENT

The development and effective implementation of a sound system of technology risk
management will depend on attention being paid to a number of issues, including but
not limited to those listed below. A key aspect of technology risk management is not
being outwitted by the competition and, as a minimum, keeping pace with their
developments, the ideal goal being to set the pace.

• Managing investment in technology to secure the business objectives and
optimise investment benefits.
• Ensuring the right information reaches the right people at the right time through
a combination of management information systems, intranets and e-mail.
• Understanding the risks of outsourcing and managing them.
• Monitoring competitors to avoid being “outmanoeuvred” by the introduction of
new technologies that shift industrial boundaries.
• Embracing new developments in e-commerce.
• Implementing information security.

6.5 PRIMARY TECHNOLOGY TYPES

As pointed out in the introduction, risk management can be quite helpful to identify
opportunities for the improvement of processes. Labour intensive and complicated
processes have the potential for more errors compared to streamlined and simplified
processes.
6.5.1 Information Technology

IT is the collection, storage, processing and communication of information by electronic
means. There are various types of IT tools, which include the following:

• Software applications
• Management information systems
• Intranets
• Telematics
• Information assets

6.5.2 Communications Technology

Communications technology includes the following:

• Conference calls.
• E-commerce using the internet
• Broadband
• E-mail
• Network systems

6.5.3 Control Technology

Control technology consists of computer-based production control systems, which
include the following:

• Computer-aided design (CAD)
• Computer-aided manufacture (CAM)
• Flexible manufacturing systems (FMSs)
• Mechatronics
• Computer-integrated manufacture.
• Manufacturing resource planning (MRP)
• Operational research (OR)

6.6 PRIMARY TECHNOLOGY TYPES


READ

Read the section on “Primary Technology Types” par. 17.5 in Chapter 17 of the prescribed book.

6.6.1 Information technology


Information technology is the collection, storage, processing and
communication of information by electronic means. Examples of
information technology “tools” include:

• Software applications include spreadsheets, databases, word processing,
graphics packages, drawing packages, desktop publishing, presentation
packages and expert systems. Spreadsheets save considerable time, make
repeated calculations simple, aid accuracy, allow managers to set up
mathematical models, investigate the effects of different strategies such as
asking “what-if?” questions and provide many tools for analysis. For
example, they provide graph and chart facilities together with compound
interest, depreciation, optimisation and goal seek functions. Databases are a
set of files organised to provide easy access to their content. Expert systems
cover a particular area of expertise and draw conclusions from computer
stored knowledge obtained from specialists with domain knowledge. Their
purpose is to capture the expertise of key people and
make their knowledge available to users of the programme.
• Management information systems (MIS) are systems designed by
organisations to collect and report information on projects and
programmes which allow managers to plan, monitor and evaluate their
performance.
• Intranets are computer networks based on the same technical standards
as the internet but designed for use with a single organisation. Intranets
are cheaper and simpler to install than proprietary networks, and
companies are increasingly using them to circulate internal information
such as phone directories, job openings together with training, marketing
and publicity material.
• Telematics is the term given to the technology that enables remote access
to vehicle data over a wireless network.
• Information assets, increasingly the lifeblood of any business, cover
subjects like customer contacts, manufacturing process innovation, product
design and IT development.

6.6.2 Software applications


This risk type deals with failures in IT applications. Applications are typically proprietary
off-the-shelf software packages, customised proprietary software, bespoke software
commissioned from a vendor or software developed in-house. Certain applications, such as
those which are “job specific” and used for accounting, marketing, project management
and human resources will be the domain of the departments of the same name whereas
there will be other packages such as word processing and spreadsheets which will be used
right across the business. The impact of any one application failing to perform as expected
can range from a minor irritation to a major downtime during which employees are idle or
they are unable to tackle priority tasks. The degree of impact will also be dependent on
whether the application is department specific or is used company-wide and whether the
application is “loaded” on a server or whether it is “loaded” on individual PCs. Customised
bespoke software developed in-house can be the most problematical. For example,
applications that are not easily maintained and changed over time (to reflect changing
needs) may form a constraint to introducing further change. Applications that are poorly
documented or not well structured may be difficult to fault-rectify with confidence. In
addition significant defects can be introduced unwittingly by software developers when
only minor changes are made, as they were not the original authors and do not appreciate
the structure of the application. These types of risk require software engineering
capabilities particularly for maintenance, enhancement, integration, testing and release
management and subsequent change management, system administration, monitoring and
problem management.

6.6.3 Management information systems


Management information systems for projects include scope definition, work
breakdown structures, organisational breakdown structures, programming, budgeting,
change control, value management, earned value analysis, risk management and
contingency planning. The risk associated with these systems relates to the lack of
implementation or their poor execution in terms of the accuracy of the data they
contain, the completeness, currency (whether they are kept up to date), revision
control or lack of the creation of a baseline from which to measure progress.

6.6.4 Intranets
Intranets are touching everyone’s lives from the US Marine Corps (who have adopted a
situation awareness application) to physicians in southern Virginia and North Carolina
(who can access patients’ records remotely over the web) to school children in Reading
(England) who can access the school intranet remotely. Intranets can offer considerable
time-savings to a business if they contain information which is readily accessible by a
significant percentage of the employee population. The downside risk is that should an
intranet be unavailable for any length of time, that same employee group would be
unable to perform some or many of their routine tasks.
6.7 RESPONDING TO TECHNOLOGY RISK

A number of initiatives have been put forward to mitigate technology risk. These
include IT governance, investment and projects.

REVIEW QUESTIONS

1. Define technology risk and discuss the possible sources for this kind of risk.
2. With examples, discuss the various types of IT tools used by SAA in its endeavor
to manage technological risk.
3. Discuss the risks associated with the use of e-mails in an organisation.
4. With the use of examples, discuss how an organisation like SAA responds to technology
risk.

1. Risk Management objectives may be classified into four main categories namely
A. strategic objectives
B. operational objectives
C. compliance objectives
D. reporting objectives

2. Identify the correct option
A. 1,2&4
B. 1,2&3
C. 1,3&4
D. 2,3&4

3. Which of the following tasks are important in establishing a basis from which to
launch an ERM strategy:
A. Evaluating the adequacy of specific measures, policies and
procedures
B. targeting risk and processes
C. evaluating risk management performance
D. the development of common language and framework

4. In a business environment focusing on risk management, what is a threat?
A. an unfavourable condition that may not be accepted by the
organisation leadership
B. an unfavourable situation that can hinder the ideas towards
developing a good strategy
C. an unfavourable condition in the external environment that
may hinder an organisation's effort to achieve its goals
D. all of the above

5. 8% Government of South African security is quoted at SAR 120/-. The current
yield on the security will be
A. 12%
B. 9.6%
C. 6.7%*
D. 8%
6. A company declares SAR 2/- dividend on the equity share of face value of SAR
5/-. The share is quoted in the market at SAR 80/- the dividend yield will be----
A. 20%
B. 4%
C. 40%
D. 2.5%

7. An increase in cash reserve ratio will cause yield curve to
A. Shift downward *
B. Remain unchanged
C. Become steeper
D. Become flatter

8. When interest rates go up, prices of fixed interest bonds –
A. Go up
B. Go down*
C. Remain unchanged

9. VaR is not enough to assess market risk of a portfolio. Stress testing is desirable
because
A. It helps in calibrating VaR module
B. It helps as an additional risk measure
C. It helps in assessing risk due to abnormal movement of market
parameters*
D. It is used as VaR measure is not accurate enough

10. Large Government borrowing can cause yield curve to shift upward.
A. False
B. True *
C. Difficult to say
D. Remains same
UNIT SEVEN | PROJECT RISK MANAGEMENT

AIM

At the end of this unit, you will be able to discuss project risk management and the
challenges encountered in embedding risk management within a project.

LEARNING OUTCOMES

After studying this topic, you should be able to:

• Distinguish between project risk and PRM;
• Identify the sources and discuss the benefits of PRM to a business;
• Discuss the challenges associated with the implementation of PRM;
• Discuss the project risk management process;
• Discuss the roles of the project director; and
• Discuss the challenges faced by a project team.

LEARNING MATERIAL

Unit 7 is based on Chapter 18 of the prescribed book.


7.1 INTRODUCTION

Unit 7 examines the internal processes, namely Project Risk Management (PRM) since
technology improvements are introduced as projects. A project is defined as a unique
activity with defined objectives, undertaken in pursuit of achievement of beneficial
change, typically constrained by limited resources. Any project has definite start and
finish dates. Unless a project is appropriately managed, it has the potential to damage
the organization’s reputation, erode stakeholder relationships, diminish the share price
and critically undermine financial performance. Chapter 18 explores some of the
challenges encountered in integrating risk management with a project.

7.2 DEFINITION OF PROJECT RISK AND PROJECT RISK MANAGEMENT

Project risk management is an important aspect of project management. According to
the Project Management Institute's PMBOK, risk management is one of the ten
knowledge areas in which a project manager must be competent. Project risk is defined
by PMI as 'an uncertain event or condition that, if it occurs, has a positive or negative
effect on a project’s objectives'.
Good Project Risk Management depends on supporting organisational factors, clear
roles and responsibilities, and technical analysis skills.
Project risk management, in its entirety, includes the following process
groups [1]:

• Risk Management Planning – decide how to approach, plan and execute
the risk management activities for a project
• Risk Identification – determine which risks might affect the project and
their characteristics
• Qualitative Risk Analysis – prioritize risks for subsequent analysis and
action by assessing their probability of occurrence and impact
• Quantitative Risk Analysis – numerically analyze the effect on the
overall project objectives
• Risk Response Planning – develop options and actions to enhance
opportunities and reduce threats to project objectives
• Risk Monitoring and Control – track identified risks, identify new risks,
execute response plans and evaluate effectiveness

7.3 SOURCES OF PROJECT RISK

The term “project risk” embraces the sources of project risk. The sources of project risk
are considerable and emanate from the external business environment, the industry
within which an organisation sits, the sponsor’s organisation and the project itself.

Sources of project risk include the following:

• Funding
• Design complexities
• New technology or new application
• Regulatory
• Offsite shipments/receiver sites
• Resource limitations
• Numerous project assumptions

7.4 BENEFITS OF PRM

PRM has the “potential” to afford a business a series of benefits. Such benefits are
discussed in the prescribed book.
Benefits of Risk Management for a Project

Project contingency can make or break a project. Having too much contingency is
uncompetitive; having too little contingency increases the chance of failure. Risk
assessment—or allowing for uncertainty within estimates—helps set contingency
levels, with a preferred level of risk, and gives the confidence level of outcome targets.

Contingency is often set at the task level, and it is common to add some contingency to
every estimate. The amount of contingency added may even be a fixed amount—10
percent, for example. However, it is much better to set contingency at the project
level. In other words, use the ranges on the task estimates to understand what
contingency should be set for the project as a whole. Setting contingency at the project
level reflects the reality that some tasks may be delayed whereas others may be
completed on time or be finished early. The amount of management reserve can be set
by the same principle—allowing drawdown against risks that were identified at the
start of the project.
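
The argument for project-level contingency can be worked through numerically. The following is an added example, not taken from this guide or the prescribed book: a Monte Carlo run over constructed three-point task estimates that compares project-level contingency with per-task padding and with a flat 10 percent. The task figures, the triangular distribution and the independence of tasks are assumptions made for the illustration.

```python
import bisect
import math
import random

# Constructed three-point cost estimates per task: (low, most likely, high),
# in arbitrary cost units. These figures are illustrative, not from the guide.
TASKS = {
    "Requirements": (8, 10, 15),
    "Design": (18, 20, 30),
    "Build": (45, 50, 80),
    "Integration": (12, 15, 28),
    "Testing": (18, 20, 35),
    "Deployment": (4, 5, 9),
}


def percentile(sorted_values, p):
    """Nearest-rank percentile of an ascending list, for 0 < p <= 1."""
    rank = max(1, math.ceil(p * len(sorted_values)))
    return sorted_values[rank - 1]


def simulate(tasks, runs, seed):
    """Sample every task cost from a triangular distribution, `runs` times.

    Assumption: task costs are independent of each other. Returns the sorted
    samples per task and the sorted project totals.
    """
    rng = random.Random(seed)  # fixed seed keeps the report reproducible
    per_task = {name: [] for name in tasks}
    totals = []
    for _ in range(runs):
        total = 0.0
        for name, (low, likely, high) in tasks.items():
            cost = rng.triangular(low, high, likely)
            per_task[name].append(cost)
            total += cost
        totals.append(total)
    for samples in per_task.values():
        samples.sort()
    totals.sort()
    return per_task, totals


def contingency_report(tasks, confidence=0.80, flat_rate=0.10,
                       runs=20000, seed=600):
    """Compare three ways of setting contingency on top of the base estimate."""
    per_task, totals = simulate(tasks, runs, seed)
    base = sum(likely for _, likely, _ in tasks.values())

    # Project level: the budget the simulated total stays within at the
    # chosen confidence level. Overruns and underruns offset each other.
    project_target = percentile(totals, confidence)

    # Task level: every task padded to the same confidence, then added up.
    task_level_target = sum(
        percentile(samples, confidence) for samples in per_task.values()
    )

    # Flat rule: a fixed percentage on every estimate, and the confidence
    # level that budget actually buys according to the simulation.
    flat_budget = base * (1 + flat_rate)
    flat_confidence = bisect.bisect_right(totals, flat_budget) / len(totals)

    return {
        "base": base,
        "project_target": project_target,
        "project_contingency": project_target - base,
        "task_level_target": task_level_target,
        "task_level_contingency": task_level_target - base,
        "flat_budget": flat_budget,
        "flat_contingency": flat_budget - base,
        "flat_confidence": flat_confidence,
    }


if __name__ == "__main__":
    report = contingency_report(TASKS)
    for key, value in report.items():
        print(f"{key:24s} {value:8.2f}")
```

If task costs move together (for example, through a shared supplier), the project-level figure rises toward the task-level sum; the gap between the two comes from the independence assumption.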

In addition to setting the right level of contingency, risk assessment also benefits the
project team by giving it a forum for expressing concerns and for challenging or
defending assumptions. Removing the restriction of having to work with deterministic
(single-point) estimates allows team members to give open and honest opinions of what
is likely to happen. A risk assessment workshop is an important—but often ignored—
occasion for the project team to come together. It can lead to discussion and
clarification of the scope of project tasks, and missing work is often identified. As a
result of the workshop, the project team reaches an improved awareness and
understanding of the status of the whole project. Although the cost and schedule
disciplines for a project are often separate, it is important for these groups to confer
with each other. A risk assessment workshop can bring these disciplines together.

7.5 IMPLEMENTATION OF PRM

Risk management can be quite helpful to identify opportunities for the improvement of
processes. Labour intensive and complicated processes have the potential for more
errors compared to streamlined and simplified processes. Common challenges in
implementing PRM include the following:

• Lack of clearly defined and disseminated risk management objectives
• Lack of senior executive and project director commitment and support
• Lack of risk maturity model
• Lack of a change process to introduce the discipline
• No common risk language (terms and definitions)
• Lack of articulation of the project sponsor’s risk appetite
• No definition of roles and responsibilities
• Lack of risk management awareness training to build core competencies
• Lack of integration of risk management with other project disciplines
• Reticence of project personnel to spend time on risk management
• Risk owners not automatically taking responsibility for assigned risks
• No clear demonstration of how risk management adds value and contributes to
project performance
• Overcomplicated implementation from an unclear risk policy, strategy,
framework, plan and procedure
• Lack of alignment between the business strategy, business model and the risk
management objectives
• Lack of the integration of risk management activities into the day-to-day
activities of project managers

STUDY

Study the section on “Embedding Project Risk Management” of the prescribed book.

7.6 PRM PROCESS

The PRM process should provide a methodical, efficient and effective way of managing
risks to delivery of a project. The process includes establishing the context, risk
identification, analysis, evaluation, treatment, monitoring and review; and
communication and consultation.

7.6.1 Establish the context

The establishment of context involves both external and internal dimensions.

The external dimension relates to political, legal, regulatory, market,
technological and economic settings. It is important to establish the legislation
that the project will adhere to, such as health and safety legislation and
sustainability goals, and to obtain the necessary approvals.

The internal dimension relates to the organisation’s strategic objectives, its
structure, policies, processes, stakeholders, culture, reputation, capabilities
(including capital and people) and concurrent projects.
Once a project has been approved and commenced, progress should be checked
against the project’s business case to check whether the project is still viable
and planned benefits are still realisable.

7.6.2 Risk identification

Risk identification is the process of determining which risks may affect the project as
well as establishing their characteristics.

7.6.3 Risk analysis

Risk analysis involves the identification of the probability and impact of the identified
risks and opportunities. Analysis can be qualitative or quantitative depending on the
requirements of the risk process and the information available. Qualitative assessments
use labels such as high, medium or low, whereas quantitative measurements provide
percentage likelihoods (e.g. 50%) and an impact in terms of time and cost.

7.6.4 Risk evaluation

Risk evaluation typically looks at the combined net effect of the identified risks and
opportunities.

7.6.5 Risk treatment

Risk treatment is the action of responding to an identified risk.

7.6.6 Risk monitoring and review

Monitoring and review is an on-going process of implementing and examining the
success or otherwise of the planned responses. It entails evaluating the perceived
benefit of the response, its attendant costs and the likelihood of new risks being
triggered by the response. If a decision is taken to implement the response, it has to be
clarified who will do so and when.

7.6.7 Communication and consultation

Communication and consultation take place at commencement and throughout the risk
management process. The activities of the communication and consultation process are
the tasks undertaken in striving to ensure that the risk management process is
effective. Refer to par. 18.6.7 in the prescribed book for the details of the activities
involved.

STUDY

Study the section on the “Project Risk Management Process” in the prescribed book.

7.7 PROJECT DIRECTOR’S ROLE

The director has overall responsibility for the delivery of the project in terms of
satisfying the stated objectives. Refer to Par. 18.8 in the prescribed book for details
of the project director’s role.

7.8 PROJECT TEAM AND THE CHALLENGES THEY FACE


The composition of the project team and the way it performs will have a fundamental
impact on the realisation of the project’s objectives. Team performance is a major
source of potential risk. A number of issues can undermine the effectiveness of teams,
which include the following:

• Lack of team structure
• Lack of definition of roles
• Lack of responsibility assignment matrix
• Poor leadership
• Poor team communication

7.9 TECHNIQUES USED TO SUPPORT PRM


Details of the above are discussed in par. 18.9.1 in the prescribed book.

STUDY
Study the section on “Techniques used to
Support Project Risk Management”, par. 18.12 in
Chapter 18 of the prescribed book.
REVIEW QUESTION

1. Distinguish between project risk and project risk management.
2. You are appointed as the project manager for Group Five Construction (Pty) Ltd, a
company that has been awarded a tender to build Reconstruction and
Development Programme (RDP) houses in Gauteng. You have organised a meeting
to plan risk management.

(i) Who could be the possible attendees to this meeting? (At least four).
(ii) Identify the sources of risk associated with this project and discuss the benefits
and five common challenges encountered in the implementation of PRM.
(iii) Briefly discuss the application of the project management process to this
particular low-income housing construction project.

1. Software risks always involve two characteristics
A. Firefighting and crisis management
B. Known and unknown risks
C. Uncertainty and loss
D. Staffing and budget

2. Software risk impact assessment should focus on consequences affecting
A. Planning, resources, cost, schedule
B. Marketability, cost, personnel
C. Business, technology, process
D. Performance, support, cost, schedule

3. A focused differentiation risk analysis aims at securing competitive advantage
A. By providing niche members with a top-of-the-line product at a premium price
B. By catering to buyers looking for an upscale product at an attractively low price
C. With a product offering carefully designed to appeal to the unique preferences
and needs of a narrow, well-defined group of buyers
D. Hollowing out a firm's own capabilities and losing touch with activities and
expertise that contribute fundamentally to the firm's competitiveness and
market success

4. The risks of a focused strategy based on either low-cost or differentiation
include
A. The chance that competitors outside the niche will find effective ways to
match the focuser's capabilities in serving the target niche
B. The potential for the preferences and needs of niche members to shift over time
towards many of the same product attributes and capabilities desired by buyers in
the mainstream portion of the market
C. The potential for the segment to become so attractive that it is soon inundated
with competitors, intensifying rivalry and splintering sales, profits and growth
prospects
D. All of these
5. One of the big dangers in crafting a risk assessment is that managers, torn
between the pros and cons of the various generic strategies, will opt for
A. A low-cost provider strategy because it is usually the safest, least
risky competitive strategy
B. A "stuck-in-the-middle" strategy
C. A broad differentiation strategy because it is frequently the most
profitable competitive strategy
D. It is generally wise to use a company's resource strengths to attack rivals in
those competitive areas where they are strong

6. The competitive attraction of entering into strategic alliances and collaborative
partnerships is
A. In allowing companies to bundle competencies and resources that are more
valuable in a joint effort than when kept separate
B. Speeding new products to market more quickly
C. Enabling greater vertical integration
D. To create a core cost-efficient operation out of the combined companies

7. Product life-cycle entails
A. introduction, acceleration, deceleration, maturity and decline
B. introduction, maturity, acceleration, decline and deceleration
C. introduction, decline, deceleration, maturity and acceleration
D. any of the above

8. The 40-20-40 rule suggests that the least amount of development effort be
spent on
A. estimation and planning
B. analysis and design
C. coding
D. testing

9. The purpose of earned value analysis is to
A. determine how to compensate developers based on their productivity
B. provide a quantitative means of assessing software project progress
C. provide a qualitative means of assessing software project progress
D. set the price point for a software product based on development effort

10. The best indicator of progress on a software project is the completion
A. of a defined engineering activity task
B. of a successful budget review meeting on time
C. of successful review of a defined software work product
D. successful acceptance of project prototype by the customer
UNIT EIGHT | BUSINESS ETHICS MANAGEMENT


AIM

At the end of this unit, you will be able to identify and discuss the key aspects of
business ethics to aid in the broader risk management context.

LEARNING OUTCOMES

After studying this topic, you should be able to:

• Define business ethics management and explain its importance to businesses;

• Outline sources of ethical risk;

• Discuss the benefits of ethical risk management;

• Discuss the reasons for unethical behavior, and

• Identify and discuss the components of a business ethics programme.


LEARNING MATERIAL

Unit 8 is based on Chapter 19 of the prescribed book.

8.1 INTRODUCTION

Ethics is inextricably linked with reputation, and a breach of ethics commonly leads to
one or more of the following: reduced share price, reduced profitability, unfavorable
media coverage, fines, additional administration and, in some extreme cases,
imprisonment. As with other aspects of risk management, the management of risks
associated with ethical conduct will determine its performance, position and prolonged
existence. This study unit therefore explores the key aspects of business ethics to aid
all-inclusive risk management.

8.2 DEFINITION OF BUSINESS ETHICS RISK

Chapman (2011) defines ethics as the branch of business that addresses questions about
morality. Morality is a sense of behavioural conduct that differentiates intentions, decisions
and actions between those that are good and evil, and right and wrong. Business ethics
therefore refers to moral rules and regulations governing the business world. Ethical risk
refers to exposure to events that may result in criminal prosecution, civil lawsuits or
erosion of reputation. Examples of ethical risk include bribery, false accounting, child
labour, tax evasion, money laundering and invasion of privacy.

STUDY

Study the sections on “Definition of Business Ethics Risk” and “Scope
of Business Ethics Risk” par. 19.1 – 19.2 in Chapter 19 of the prescribed
book.

8.3 BENEFITS OF ETHICS RISK MANAGEMENT

The benefits of ethics risk management are discussed in the prescribed book.

READ

Read the section on the “Benefits of Ethics Risk Management” par. 19.3 in the
prescribed book.

8.4 FACTORS THAT AFFECT BUSINESS ETHICS

Examples of ethical codes that govern businesses include honesty, objectivity, integrity,
carefulness, openness, respect for intellectual property and confidentiality. Refer to
par. 19.6 “Factors that Affect Business Ethics” in Chapter 19 of the prescribed book.
Examples of unethical practices by companies that were prosecuted or suffered
reputational damage because of the behaviour of employees and who attracted
negative media attention include the following:

• Bribery in the private sector
• Money laundering
• Improper sales and marketing
• Inadequate financial accounting
• Bribery of government contracting officers
• Inadequate internal controls
• Failure to follow quality standards and procedures
• Environmental irresponsibility
• Employee claims of sexual harassment
• Black listing of international, national or local organisations
• Insider trading
• Exploitation of third world countries
• Health and safety irresponsibility
• Invasion of privacy

8.5 IMPLEMENTATION OF ETHICAL RISK MANAGEMENT

One approach in addressing risk exposure from a breach of ethics is to devise and
implement an ethics system across the organisation as a means of preventive action. A
business ethics programme aims to achieve specific expected outcomes, such as
increasing awareness of ethics issues, improving decision making and reducing
misconduct. The areas of focus for an ethics manual are based on four primary
orientations, as follows:

• A compliance-based approach
• A protecting senior management approach
• A satisfying external stakeholders approach
• A values-based approach

The four primary orientations are not mutually exclusive. However, the degree of
application of these areas of focus is based on four orientation levels, namely
compliance, risk management, reputation enhancement and benefit. For an
organisation to be truly responsible, it must fully embrace all four levels of identity.

A business ethics system can be composed of seven sequential components as shown in
Figure 19.3 in the prescribed book on page 369. The components are as follows:

• Vision
• Context
• Establish
• Implement

REVIEW QUESTION

1. Identify and discuss the sources of ethical risk in an academic institution like
Unisa.
2. Define business ethics management and discuss the benefits of implementing
ethics risk management in an organisation.
3. List and discuss the reasons for the emergence of unethical behaviour in an
organisation.

1. Risk information sheets (RIS) are never an acceptable
substitute for a full risk mitigation, monitoring, and
management (RMMM) plan.
A. True but not exactly
B. True to the core
C. False to the core
D. False but comparable

2. 'Reputation' in the context of an organization's
resources can provide competitive advantage because:
A. It is difficult to copy
B. It is based on word-of-mouth
C. It is a threshold resource
D. It is explicit

3. Which one of the following is not a good choice that a company must make
to complement and supplement its choice of one of the risk competitive
strategies?
A. Whether to enter into strategic alliances or collaborative partnerships
B. Whether and when to employ offensive and defensive moves
C. Whether to employ a market share leadership strategy
D. Attacking a market leader is always unwise

4. Strategic alliances
A. Are the cheapest means of developing new technologies and getting new
products to market quickly
B. Are collaborative arrangements where two or more companies join
forces to achieve mutually beneficial strategic outcomes
C. Are a proven means of reducing the costs of performing value chain
activities
D. Attacking a market leader is always unwise

5. Which of the following is not a typical reason that many alliances
prove unstable or break apart?
A. Diverging objectives and priorities
B. An inability to work well together
C. The emergence of more attractive technological paths that are better
pursued alone or with other partners
D. Disagreement over how to divide the profits gained from joint
collaboration

UNIT NINE | EXTERNAL INFLUENCES – MACRO FACTORS

AIM

At the end of this unit, you will be able to discuss the six external influences (macro
factors) that may have a national and international impact on a business.

LEARNING OUTCOMES

After studying this topic, you should be able to:

• Define economic, environmental, legal, political, market and social risk;
• Discuss the benefits of economic, environmental, legal, political, market and social
risk;
• Discuss the implementation of economic, environmental, legal, political, market
and social risk;
• Explain the scope of economic, environmental, legal, political, market and social
risk; and
• Discuss the factors that affect economic, environmental, legal, political, market and
social risk.

LEARNING MATERIAL

Unit 9 deals with Chapters 21 to 26 of the prescribed book and will discuss the
six external influences (macro factors) in ERM.

9.1 ECONOMIC RISK

The first of the six macro-factors that affect the business-operating environment is
economic risk. Chapman (2011) defines economic risk as the influence of national
macroeconomics on the performance of individual business. Government policy affects
national macroeconomics through the manipulation of aggregate demand and
consumer spending. However, businesses have no control over national influence on
aggregate demand. Refer to par. 21.1 in the prescribed book for the complete definition
of economic risk.

9.1.1 The scope of economic risk

The sources of risk embraced under economic risk include the following:

• Fall in demand
• Government policies
• Movement in house prices
• Exchange rates
• Inflation

9.1.2 Benefits of implementing economic risk management


Benefits derived from economic risk management include:

• Improvement of knowledge of where the government is planning public spending;
• Providing an understanding of the impact of inflation and interest on demand;
• Providing an understanding of how the short-term behaviour of the gross domestic
product (GDP) impacts employment, prices and standard of living; and
• Promoting rigorous market research before entering new markets in both the
domestic and international markets.

The development of a sound system of economic risk management depends
on a number of factors, namely:

• An understanding of the drivers and consequences of inflation;
• An understanding of the impact of changes in foreign exchange
rates on the demand curve;
• Tracking planned government spending;
• An understanding of government fiscal and monetary policies; and
• An understanding of the taxation regime.

STUDY

Study the sections on “Benefits of Economic Risk Management” and
“Implementation of Economic Risk Management”: par. 21.3 - 21.4 in
Chapter 21 of the prescribed book.

9.1.3 Factors affecting economic risk

• Micro-economics

Micro-economics is driven by households, whose members have need for goods and
services. Consumers have resources (incomes, assets, time and energy) with which to
satisfy their wants. However, the limitation of these resources forces consumers to
make choices. Given a set of prices, each household will make choices that in aggregate
affect those prices.

• Macro-economics

Macro-economics studies the total amount of deployment of each of the major factors
of production, the total volume of output produced and income earned in the whole
economy; the average level of prices in all product markets; and the growth of the
economy’s total output. The three most important concepts are output, income and
expenditure. They are the main indicators of a nation’s economic performance. The
most important empirical measure of these variables is called the gross domestic
product (GDP). GDP is the value of total output actually produced in the whole
economy over some period.

• Government policy

Macro-economic policy is influenced by government policy through fiscal policy,
monetary policy and competing theories. Fiscal policy aims to influence government
revenue (taxation) and/or expenditure. Macro-economic policy is thus used by
governments to influence the level of aggregate demand and supply in the economy.
Monetary policy is the attempt by government or the central bank (the SA Reserve Bank
in South Africa) to manipulate the money supply, the supply of credit, interest rates and
other monetary variables to achieve the fulfilment of policy goals.

• Aggregate demand

Aggregate demand denotes the spending on goods and services produced in an
economy. It is made up of four elements, namely: consumer spending (C), investment
expenditure (I), government spending (G) and net expenditure on exports and imports
(X-M). The elements are used to construct aggregate demand curves in order to
determine the GDP. Dramatic changes in the aggregate demand may arise from
changes in the underlying constituents of aggregate demand. The underlying
constituents are as follows:

− Determinants of consumer spending
− Determinants of investment expenditure
− Determinants of government spending
− Determinants of net expenditure on exports and imports

• Aggregate supply

Aggregate supply (AS) is the total output of the economy at a given price level at a
given point in time. The AS curve is affected by several factors, namely:

− An increase in the capital stock due to a reduction in interest rates;
− An improvement in the expectations of business executives;
− Continuing technological change;
− Increased investment in education;
− A reduction in unemployment benefits, and
− Schemes to improve the geographical mobility of workers.

• Inflation

Inflation is defined as a sustained general rise in prices. Creeping inflation describes a
situation where prices rise a few percent on average each year. Hyperinflation describes
a situation where inflation levels are very high. Inflation is believed to cause
unemployment and lower economic growth.

• Interest rate risk

Changes in interest rates affect business and consumer behaviour in a number of ways,
namely changes in the exchange rate, discretionary expenditure, savings and borrowing.

• House prices

House sales are often treated as an economic barometer. Such expenditures are both
large and variable and they exert a major impact on the economy. Interest rates are a
large part of total mortgage payments. Small changes in interest rates cause a relatively
large change in annual mortgage payments. Changes in interest rates can have a large
effect on the demand for new housing.

• International trade and protection

In order to understand the risks and opportunities associated with the production of
goods for export, businesses need to understand the mechanisms of international trade
and protectionism imposed by governments.

• Methods of protection

− Tariff – tax placed on imported commodities
− Import quota – limits the quantity of commodities that may be
shipped into the country
− Domestic policies that reduce the demand for
imported commodities
− Trade policy – a government may choose to impose or tighten currency controls.

• Currency risk

Currency risk is the risk that the expected cash flows from overseas investments are
adversely affected by fluctuations in exchange rates. There are two types of foreign
exchange risk, namely accounting or translation exposure and economic exposure.
There are various ways in which hedging can be done, namely netting, leading and
lagging, forward market hedge, fuel market hedge, currency futures, currency hedging
and money market risk.

9.2 ENVIRONMENTAL RISK

Environmental risk is the actual or potential threat of adverse effects on living
organisms and environment by effluents, emissions, wastes, resource depletion, etc.,
arising out of a business’ activities.

9.2.1 Scope of environmental risk

Environmental risk for businesses is considered to include, but is not limited to:

• pollution of land, water, air;
• increased regulation and higher operational costs;
• prosecution arising from the lack of observance of rules set by a regulatory body;
• reputational risk from adverse publicity as a result of pollution events, resulting in a
reduced customer base;
• destruction of facilities or loss of manufacturing as a result of severe weather conditions,
and
• loss of oil production, resulting in higher energy costs.

“Where a business is engaged in overseas transactions involving large sums, an adverse
movement in exchange rates can be catastrophic and so it will usually adopt some form
of “hedging” to minimise the risk.” (Chapman)

9.2.2 Benefits of implementing environmental risk management

READ

Read par. 22.3 in the prescribed book on the “Benefits of Environmental Risk
Management”.

Implementation: The development of a sound system of risk management depends on
several issues, namely

• the risk management system not overly constraining risk taking, slowing down decision-
making processes or limiting the volume of business undertaken;
• the implementers of the risk management framework being distinct from the managers of
the individual business units;
• that risks are managed at an appropriate level in the organisation, and
• the development of a culture, which rewards the disclosure of risks when they exist, rather
than encouraging managers to hide them.

9.2.3 Energy Sources


Businesses today face five known energy problems, namely the cost, quality, reliability
and longevity of supplies and the control of emissions. Traditional sources of supply are
being depleted across the world. Renewable energy sources have to be developed to
ensure that future generations have adequate supplies of energy. Such renewable
sources include wind power, solar power, hydroelectric power, tidal power,
geothermal energy and biomass.

9.2.4 Pollution

Businesses risk prosecution for pollution and breaching environmental legislation.
Prosecutions for air, water and land pollution are myriad.

9.2.5 Global warming

Global warming is the rise in the average temperature of the earth's atmosphere and
oceans, which may have severe consequences for life on earth. Scientists believe that
global warming is primarily caused by increasing concentrations of greenhouse gases
produced by human activities such as the burning of fossil fuels and deforestation. The
greenhouse effect is the “natural” process by which the atmosphere traps some of the
sun’s energy.

9.2.6 Response to global warming

In response to increasing concerns about climate change, several policies and
frameworks were put in place in an effort to reduce the effects of global
warming. These initiatives include the following:
• Earth Summit – the United Nations Framework Convention on Climate
Change, 1992
• The Kyoto Protocol, 2004
• Pollution control targets imposed on countries by the Kyoto Protocol.
• Sufficiency of emission cuts whereby countries commit themselves to
cut emissions.
• The US Climate Pact, 2005
• The Copenhagen Accord, 2009
• The European Union taking a leading role to govern global action on
climate change
• The Cancun Agreements, 2010
• Domestic government response to climate change whereby governments
promulgate legislation on the cutting of carbon emissions
• Levies such as the “carbon tax” levied on the selling price of new
vehicles in South Africa
• Emissions trading whereby countries are allowed to buy and sell their
agreed allowances of greenhouse gas emissions

9.2.7 Environmental sustainability

Environmental sustainability is the maintenance of the factors and practices that
contribute to the quality of the environment on a long-term basis. Sustainability is now
a buzzword in business. Companies are expected to go “green” among the local
community, customers, potential customers and stakeholders in the business. A lack of
attention to environmental and sustainability issues will pose a risk to potential growth.
Refer to par. 22.11 in the prescribed book for further details on environmental
sustainability.

9.3 LEGAL RISK

According to Young (2006), legal risk is the risk arising from violations of or non-
compliance with laws, rules, regulations, prescribed policies and ethical standards.
This risk also arises when laws or rules governing certain products or activities of an
organisation’s customers are unclear or untested. Noncompliance can expose the
organisation to fines, financial penalties, payment of damages and the voiding of
contracts. It could also lead to a diminished reputation, reduced franchise value,
limited business opportunities, restricted developments and an inability to enforce
contracts.

9.3.1 Scope of legal risk

The sources of risk that fall within legal risk are considerable, and may include, but are
not limited to, the following:

• Breach of environmental legislation
• Inaccurate listing information in terms of misstatements, material omissions or misleading
opinions
• Breach of copyright
• Loss of business because of senior management time being lost through a protracted legal
dispute
• Prosecution for breach of the law
• Legal dispute with overseas trading partners (differences between local law and English
law)
• Loss of reputation because of a prosecution or a dispute with a customer, partner or
supplier
• Lost legal disputes through poor record keeping

9.3.2 Benefits and implementation of legal risk

STUDY

Study the sections on “Benefits of Legal Risk Management” and
“Implementation of Legal Risk Management” par. 23.3 to 23.4 in
Chapter 23 of the prescribed book.

9.3.3 Business law

The sources of legal risk emanate from business activities based on the basic
features of the legal system. The primary categories of law are public and
private law.


• Public law deals with the relationship between the state and its citizens. The three
key areas included are constitutional law, administrative law and criminal law.
• Private law is primarily concerned with the rights and duties of individuals towards each
other.


Another major distinction is drawn between civil and criminal law.

9.3.4 Companies

Legal risk also arises in the formation of companies. There are rules and
regulations that companies have to abide by, for instance, regarding the
company name, memorandum of association, articles of association,
financing the company, the issue of shares and debentures, the official listing
of securities, the remedy of rescission, protection of minority interests and
duties of directors.

9.3.5 Intellectual property

According to Chapman (2012), intellectual property refers to a product or process that
is marketable and profitable because of its uniqueness. Patent law usually protects such
uniqueness. Patent law gives protection to technological inventions, whilst the law of
copyright protects rights in literary, musical and artistic works. The law of trademarks
and service marks protects the use of a particular mark if it is used in trade. The law
relating to registered designs protects articles that are mass-produced, but
distinguished from others by a registered design, which appears upon them.

• Patents: The issues covered under patents include application, items that can be patented,
exclusions, registration, and infringement.
• Copyright: The issues covered under copyright include ownership, duration and
infringement.
• Designs: A design right looks at the colouring, shape, texture and/or material associated
with a product.

9.3.6 Employment law

Businesses must comply with employment law in their hiring of staff based on the
principles of the law of contract. Failure to do so can lead to prosecution. Contracts of
employment must be legal. Other aspects addressed in the employment contract
include terms of remuneration, holiday pay, sick leave and pay, time for antenatal care,
maternity leave and dismissal procedures. Businesses are at risk if employment law is
not understood and adhered to. Refer to par. 23.8 in the prescribed book.

9.3.7 Contracts

The essential ingredients of a valid contract include legality, agreement,
consideration, intention, capacity, genuineness of consent and formalities.

Types of contracts
There are two broad categories of contracts, namely speciality contracts
and simple contracts.

9.3.8 Criminal liability in business

Criminal law affects the supplier of goods and services with regard to:

• Misleading descriptions of goods and services;
• Misleading price indications about goods and services;
• Safety of consumer goods, and

9.3.9 Computer misuse

There are rules and regulations that protect businesses from computer misuse.
Computer misuse is now a global dilemma with problems such as “hacking” and virus
infection. Common computer misuses include:

• Unauthorized access to computer material
• Unauthorized access by means of the internet to commit or facilitate
further offences
• Unauthorized modification of computer material

9.4 POLITICAL RISK

Political risk can be defined as “the uncertainty that stems, in whole or in part, from the
exercise of power by government actors and the actions of non-government groups”.
This type of risk can be seen in domestic as well as international markets but is also
associated with overseas exposure and developing countries. The political environment
of overseas countries will always have an impact on the threats and opportunities of a
business wanting to expand business overseas. Refer to par. 24.1 for the complete
definition of political risk.

9.4.1 Scope of Political Risk

Political risks can be divided into two categories.

• Macro political risks

Macro political risks can affect all businesses in a country and may include potential
threats of adverse economic magnitude, such as terrorism, labour disputes, economic
recession, high inflation, civil war, escalating crime or high taxation.

• Micro political risks

Micro political risks only affect specific businesses or industries and may include new
regulations, taxations, tariffs and quotas on a specific business/industry or politically
motivated violence against a specific industry.

STUDY

Study the section on “Micropolitical and Macropolitical Risks” in
the prescribed book.

9.4.2 Benefits and implementation of Political Risk Management

Implementing a sound system of political risk management strategies in a business will
give rise to certain benefits as described in the prescribed book.

STUDY

Study the sections on “Benefits of Political Risk Management”
and “Implementation of Political Risk Management” in the
prescribed book.

9.4.3 Political risk factors a business may be faced with

Businesses that conduct their business overseas may have to take note of certain
factors when identifying the different political risks the business may face. The factors
for consideration are as follows:

• Contract risk events
• SA Government fiscal policy
• Pressure groups
• Terrorism and blackmail

READ

Read the sections for “Contracts”, “UK Government Fiscal Policy”,
“Pressure Groups” and “Terrorism and Blackmail”.
Students will be required to know and be able to list the factors.

9.4.4 Mitigation strategies for political risks

The following response strategies can be used to minimize political risk in the business:

• Undertaking proper planning and exercising due diligence.
• Investing in projects or entering into contracts where the host
government implemented certain policies that encourage
private sector involvement.
• Consider projects that are being supported by host governments.
• Obtaining insurance against political risks
• To be protected from interest rate fluctuations a business can enter
into a hedge contract.
• Establish a good relationship with the workforce to create a risk
friendly environment.
• Incorporating strong arbitration language into contracts to address
labor disputes.
• Enhancing on-site security to be protected against terrorist attacks.
• Being attuned to what is happening in the host country.

The following tools can also be used by a business to mitigate political risks:

• Assessing political risk factors
• Putting political risk factors in order of priority
• Improving relative bargaining power

9.5 MARKET RISK

Market risk can be defined as “the exposure to a potential loss arising from diminishing
sales or margins due to changes in market conditions, outside of the control of the
business” (Chapman, 2012). A business needs to gain insight into the market structure
(size, barriers of entry, product diversification and number of competitors) in which the
business operates. Market risk policies should take into account business activities,
objectives, the regulatory environment, competitiveness and staff and technology
capabilities. Proactive market risk management is vital for a business to adapt to
changing markets. Refer to par. 24.2 in the prescribed book.

9.5.1 Scope of Market Risk

The sources of market risk and opportunity can be seen in Figure 9 below.

The marketing environment of a business can form part of the macro industry and task
environment. The business must also concentrate on the levels of uncertainty in the
marketing environment to be able to monitor, analyse and understand the different
influences affecting the industry.

STUDY

Study the section on the “Scope of Market Risk” in the prescribed book.

9.5.2 Benefits and implementation of Market Risk Management

Implementing a sound system of market risk management strategies in a
business will give rise to definite benefits.

STUDY

Study the sections on “Benefits of Market Risk Management” and
“Implementation of Market Risk Management” par. 25.3 to 25.4 in
Chapter 25 of the prescribed book.

9.5.3 Market structure


A market structure can be seen as the characteristics of a market that can determine
business behavior. The following five characteristics have been identified:

• Number of firms - The number of firms in the market and their relative sizes
• Barriers to entry - The ease or difficulty with which new entrants might enter the market
• Product homogeneity, diversity and branding - The extent to which goods are similar
• Knowledge - The extent to which all businesses in the market share the same knowledge
• Interrelationships within markets - The extent to which the actions of one business will
affect another business (Bargaining power of suppliers and buyers)

9.5.4 Product life cycle stage

It is important for a business to understand a product’s life cycle stages. A product life
cycle grows in an S-shaped manner and will then decline, with the product being replaced
by a new product. A product life cycle passes through five different stages. Refer to Figure
10 below.

9.5.5 Alternative strategic directions

The alternative strategic directions for a business can be seen as the following: to grow
the business, do nothing or withdraw. Thus, a business plan can be developed to
expand a business in four possible directions.

• Market penetration: Sell more of the same to the same market.
• Product development: Sell new products to existing customers.
• Market development: Seek out new markets for existing products.
• Diversification: Sell new products to new groups of customers.

READ

Read the sections in par. 25.7 and Figure 25.4 in the prescribed book.
Students must be able to discuss the alternative strategic directions.

9.5.7 Competition

An oligopolistic market can be characterised by price stability, non-price competition
(product, price, promotion and place), branding and certain market strategies.

9.5.8 Price elasticity/sensitivity

Price elasticity can be seen as the sensitivity of demand to changes in price. It is
measured by dividing change in demand by the percentage change in price. If demand
is not sensitive to price, the business will increase prices to increase revenue,
because the increase in prices leads to a smaller decrease in quantity demanded.

9.5.9 Market risk measurement: Value at risk

Value at risk can be defined as the calculation of the worst possible loss that might be
expected at a given confidence level over a given time period under normal market
conditions. In calculating value at risk, the following methods can be used as discussed
by Chapman:

• Historical Simulations Method
• Variance-Covariance or Analytical Method
• Monte Carlo Method

READ

Read par. 25.12 in the prescribed book. Students
must be able to understand the concept value at risk.
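
The three calculation methods named above, worked through on one small data set as an added example (it is not taken from the prescribed book or from this guide). The returns, the portfolio value, the function names and the normal-distribution assumption used for the variance-covariance and Monte Carlo methods are all assumptions made for illustration.

```python
import math
import random
import statistics
from statistics import NormalDist

# Constructed sample data: 20 daily returns (as fractions) of a hypothetical
# portfolio. None of these figures come from the prescribed book.
RETURNS = [
    0.012, -0.008, 0.005, -0.021, 0.009, 0.003, -0.015, 0.007, -0.002, 0.011,
    -0.034, 0.006, 0.001, -0.010, 0.014, -0.004, 0.008, -0.027, 0.002, 0.010,
]
PORTFOLIO_VALUE = 1_000_000  # constructed portfolio value, in currency units


def _check(returns, confidence):
    """Reject inputs for which a value-at-risk figure is meaningless."""
    if len(returns) < 2:
        raise ValueError("need at least two observed returns")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")


def historical_var(returns, value, confidence):
    """Historical simulation: read the loss straight off the observed returns.

    Losses are sorted from smallest to largest and the loss at the
    `confidence` quantile is returned, so only (1 - confidence) of the
    observed periods lost more than this amount.
    """
    _check(returns, confidence)
    losses = sorted(-r * value for r in returns)
    # round() guards against float noise such as 0.95 * 20 = 18.999999...
    rank = max(math.ceil(round(confidence * len(losses), 9)), 1)
    return max(losses[rank - 1], 0.0)


def parametric_var(returns, value, confidence):
    """Variance-covariance (analytical) method for a single position.

    Assumes returns are normally distributed, so the loss quantile is
    z * sigma - mu, scaled by the portfolio value.
    """
    _check(returns, confidence)
    mu = statistics.mean(returns)
    sigma = statistics.stdev(returns)
    z = NormalDist().inv_cdf(confidence)
    return max((z * sigma - mu) * value, 0.0)


def monte_carlo_var(returns, value, confidence, trials=50_000, seed=1):
    """Monte Carlo method: simulate many returns, then take the loss quantile.

    The simulated returns are drawn from a normal distribution fitted to the
    sample (an assumption); the seed keeps the run reproducible.
    """
    _check(returns, confidence)
    mu = statistics.mean(returns)
    sigma = statistics.stdev(returns)
    rng = random.Random(seed)
    simulated = [rng.gauss(mu, sigma) for _ in range(trials)]
    return historical_var(simulated, value, confidence)


if __name__ == "__main__":
    for name, method in (
        ("Historical simulation", historical_var),
        ("Variance-covariance", parametric_var),
        ("Monte Carlo", monte_carlo_var),
    ):
        figure = method(RETURNS, PORTFOLIO_VALUE, 0.95)
        print(f"{name:<22} 95% one-day VaR: {figure:,.0f}")
```

On this sample the historical figure (27 000) exceeds the variance-covariance figure (about 24 000) because the observed losses have a fatter tail than the fitted normal curve, which is why the choice of method matters when the result is reported.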

9.5.10 Risk response planning

A business must clearly set out how market risk will be evaluated throughout the
business. Clear responsibilities, roles and authority levels must be distinguished within
each management strategy for market risk. Broad strategies must be implemented in
the advertising, research and development, product development and diversification
sections within the business. Risk mitigation techniques for market risk will involve risk
identification, measurement and reporting. It is also very important for a business to
take out an insurance policy. Refer to par. 25.13 in the prescribed book. Students must
be able to explain the risk response strategies for market risk.

9.6 SOCIAL RISK

Social risk can be defined as “the society’s impact on business, and not vice versa”
(Chapman, 2012). Social risks are seen as social aspects that have an impact on a
business’ performance over which the business has no ability to control and minimal
opportunity to influence. It is important for a business to understand the
characteristics, lifestyle choices and social attitudes of its workforce. Workforces are
assumed to take on the behaviours, habits and social cultures within which they work,
function and live. Refer to par. 26.1 in the prescribed book.

9.6.1 Scope of Social Risk

There are seven identified sources of risks when dealing with social risk.

STUDY

Study the section on the “Scope of Social Risk” par. 26.2 in Chapter 26 of the
prescribed book.

9.6.2 Benefits and implementation of Social Risk Management

Implementing a sound system of social risk management strategies in a business will
give rise to certain benefits.

STUDY

Study the sections on “Benefits of Social Risk Management” and
“Implementation of Social Risk Management” in the prescribed book.

9.6.3 Factors that may influence social risk within a business

o Education,
o Population movements: demographic changes,
o Social-cultural patterns and trends,
o Crime,
o Lifestyles and social attitudes;
  − Home improvements
  − Motherhood, marriage and family formation
  − Health
  − Less healthy diets
  − Smoking and drinking
  − Long working hours
  − Stress levels
  − Recreation and tourism

REVIEW QUESTION

1. With the aid of examples, discuss the factors that determine the successful implementation of
a sound system of economic risk management.

2. “Climate change is widely recognized as one of the key environmental challenges facing the
world today”. Discuss this statement with reference to environmental risk management.

3. Discuss why employment is an important determinant of legal risk.


4. Distinguish between macro political and micro political risks.
5. List the eight different sources of market risk and opportunity.
6. Discuss the benefits of market risk management.
7. Discuss the trends in the implementation of social risk management.

1. A strategic alliance
A. Is a collaborative arrangement where companies join forces to defeat
mutual competitive rivals
B. Involves two or more companies joining forces to pursue vertical integration
C. Is a formal agreement between two or more companies in which there is
strategically relevant collaboration of some sort, joint contribution of
resources, shared risk, shared control and mutual dependence
D. Aggressively retaliate against rivals pursuing offensive strategies and
prevent against price wars

2. Entering into strategic alliances and collaborative partnerships can
be competitively valuable because
A. Working closely with outsiders is essential in developing new technologies
and new products in virtually every industry
B. Cooperative arrangements with other companies are very helpful in racing
against rivals to build a strong global presence and/or racing to seize opportunities
on the frontiers of advancing technology
C. They represent highly effective ways to achieve low-cost leadership and
capture first-mover advantages
D. Aggressively retaliate against rivals pursuing offensive strategies and
prevent against price wars

3. Gap analysis is
A. an analysis that reduces gap between different risk approaches
B. an analysis used in banking to determine loan worthiness
C. an analysis that compares two systems, the present and the proposed, to find if
it's necessary to continue with the proposed one
D. all of the above

4. The task activity network is a useful mechanism for
A. computing the overall effort estimate
B. detecting intertask dependencies
C. determining the critical path
D. specifying the task set to the customer

BIBLIOGRAPHY

1. AIRMIC, Alarm, IRM. 2010. A structured approach to ERM (ERM) and the
requirements of ISO 31000. Available at:
http://theirm.org/documents/SARM_FINAL.pdf. (Accessed: 2013/03/02).

2. Chapman, R.J. 2011. Simple Tools and Techniques for Enterprise
Risk Management. 2nd edition. John Wiley & Sons.

3. Committee of Sponsoring Organizations of the Treadway Commission
(COSO), Internal Control – Integrated Framework (1992).

4. Gitman, L.J. 2010. Principles of Managerial Finance: Global and South
African Perspectives. Cape Town, Pearson.

5. http://www.businessdictionary.com/definition/environmentalsustainability.html#ixzz2Ps8HpOK8

6. ISO (2009). ISO 31000: 2009 Risk Management – Principles and Guidelines,
International Organization for Standardization, Geneva.

7. Peccia, T. (2001). Designing an Operational Risk Framework from a
Bottom-up Perspective. In C. Alexander (ed.), Mastering Risk Volume 2:
Applications. Financial Times, Prentice Hall, Harlow.

8. The Companies Act, 1973

9. The King Report on Corporate Governance of 2002 (King II Report)

10. The King Code of Governance in South Africa, 2009 (King III)

11. Valsamakis, A.C.; Vivian, R.W. and du Toit G.S. 2010. Risk
Management. Fourth Edition, Sandton, Heinemann Publishers (Pty) Ltd.

12. Young, J. 2006. Operational Risk Management: The practical application of a
qualitative approach. Fourth edition, Van Schaik Publishers Pretoria.
