Atmanirbhar QNA


Analysis of Topic-wise coverage of all Case Studies
3 case studies issued by ICAI
Past exam mock test paper (from May 2018 to Nov 2021)
Past exam paper & solution (from May 2018 to July 2021)
Query sheets for all past papers and mock test papers
Case Study Digest

Join India's Largest Mentor Buddy Program. Visit: www.camonk.com
Understanding Topic Wise Coverage Done By ICAI
Particulars CS. No. Topic Covered Cross reference Page no.
MTP March-18 CS-
CS-1 Design Risk Scenario, Bucketing and Likelihood 1
1
ICAI Case
Identify Risk, Scaling, Risk Treatment, Risk MTP March 18 CS-
studies CS-2 20
Maturity Level, Risk Governance Framework 2
(Web hosted)
SWOT Analysis , Forex (SFM Related),Internal MTP March 18 CS-
CS-3 17
Financial Control) 3
CS-1 Design Risk Scenario, Bucketing and Likelihood CS-1 (Webhosted)
Identify Risk, Scaling, Risk Treatment, Risk
March-18 CS-2
Maturity Level, Risk Governance Framework CS-2 (Web Hosted) 35-60
MTP
SWOT Analysis , Forex (SFM Related),Internal
CS-3
Financial Control) CS-3 (Web Hosted)
October 19 MTP
descriptive Q
CS-1 Financial Ratios similar just figures
are different, MCQ
5 are common
CS-2 Bayes Theorem,NPV,GM,Big Data Analytics NA
May 18 Exam Direct Questions on Chapter-5 : VaR and Expected
61-98
Paper Shortfall,Monte carlo Simulation NA
Direct Questions on Chapter-6 :CDS v/s Credit
Insurance, Five Cs of Credit NA
March 19 CS-3 Co
name different,
CS-3 Key Risks and Measure to Mitigate
Descriptive Q same,
Mcq-5 common
CS-1 Portfolio Risks
NA
A. Types of risk faced, steps to mitigate NA
CS-2
August 18 B. Cyber Risk NA
99-115
MTP A. Types of Risk, Quantitative tools NA
B. Credit risk mitigation NA
CS-3
C. Governance (CHp-7) NA
D. Probability NA

Oct 19 MTP CS-1,


CS-1 Report to Board-Type,Impact,Mitigation 5 MCQs are
common , first 2
descriptive are
same

May 20 MTP CS-2


Nov 18 Exam
Case study 116-137
Paper
background is
CS-2 General, Variance, SD, Holistic RMF same, 5MCQs
common and
Descriptive Q is
different

October 19 MTP
CS-3 Risk Grading/Rating, Classify Risk & Report
CS-2
CS-1 Key Risks NA
Stakeholders and impact NA
Impact areas NA
Risk Treatment NA
Risk Maturity NA
CS-2
Techniques to track the process of Rm NA
March 19 Political Risk' NA
DLT NA 138-155
MTP
Quantitative tools for Country Risk Assessment NA

May 18 QP CS-3
Co name different,
CS-3 Key Risks and Measure to Mitigate
Descriptive Q same,
Mcq-5 common

CS-1 Expected Monetary Value NA


CS-2 How much risk to take NA
May 19 Exam
Direct Question on Change Management,SFM 156-182
Paper
CS-3 related Questions, factors affecting credit risks, risk
mitigation steps NA
May 18 QP CS-1
descriptive Q
CS-1 Financial Ratios similar just figures
are different, MCQ
5 are common
CS-2 Risk Grading/Rating, Classify Risk & Report Nov 18 QP CS-3
CS-3 Key Risks NA
October 19
183-201
MTP Nov 18 QP CS-1, 5
MCQs are common
CS-4 Report to Board-Type, Impact,
, first 2 descriptive
are same

Direct Q on CDS,Diff b/w credit insurance and


CS-5
CDS, Estimating Credit Default probability NA
CS-1 Machine Learning,NPV,Profitability Index NA

May 20 MTP CS-3


CS-2 Sample Risk Register ,4th MCQ is
different
Nov 19 Exam
CS-3 Probability NA 202-231
Paper
CS-4 Prevent fraud, Credit risk CS-4 MTP May 20
Direct Q on pure risk, relevance of Operational risk,
CS-5 role and responsibility of CRO,Objective and CS-5 MTP May 20
process of RM
CS-1 Inputs on Issues raised NA

Nov 18 QP CS-2
Case study
background is
CS-2 Analytical Report on lending same, 5MCQs
common and
Descriptive Q is
May 20 MTP different 232-257

Nov 19 QP CS-2 ,
CS-3 Sample Risk Register 4th MCQ is
different
CS-4 Prevent fraud, credit risk CS-4 Nov 19 QP
Direct Q on pure risk, relevance of Operational risk,
CS-5
role and responsibility of CRO CS-5 Nov 19 QP
CS-1
Credit Due Diligence NA
CS-2 Pandemic Situation NA
October-20
CS-3 Country Risk, Grading/Bucketing/Swot NA 258-285
MTP
Audit of IC-Financial Reporting, Car (Diesel or
CS-4
Petrol) NA
CS-5 RMF ,ERM NA

CS-1 Specific Internal Controls


NA
Sensitivity Analysis (IPCC) NA
Risk Actions and Risk Responses as per Risk And
Control Matrix NA
Strategic Risks and Key Drivers for assessing that
risk NA
Reputational Risk and Steps to Assess Reputational
CS-2 Risk NA
Purpose of Risk Management Framework. Steps in
Developing RMF NA
Analyze Country Risk NA
Responsibility of CRO who is leader in
implementing ERM NA
Challenges in implementing ERM NA
November- CS-3
Relationship of ERM and BCP NA 286-319
Exam Paper
VaR NA
Stress Testing NA
RCSA Register NA
CS-4 Altman Z score Practical Question NA
Importance of Risk Management NA
Difference between AI and ML NA
Challenges in implementing AI NA
Areas where AI and ML can be applied NA
KRI and RCSA NA
CS-5 RCSA Owner and methods to implement RCSA NA
Processes to be followed before launching new
products to address operational risk NA
Level of Defence NA
How to strengthen Operational Risk NA
Understanding of Business function that could lead
to arise in risk. NA
Internal risk threat metric & IT system controls.
NA
Practice this type of
Understanding of type of risk questions from
CGM
CS-1
Mitigation strategies for data privacy and
cybersecurity risk NA
Development of ERM is at risk-managed maturity
level. NA
Development of ERM is at risk-managed maturity Use index of
level. ATOM Book
Integration of risks in the strategic planning process NA
Advantages of ERM NA
Types of risks faced in pandemic situations CGM page no 44
CS-2 Components of Credit Risk NA
Differences between Sensitivity Analysis and
Jan 21-Exam Scenario Analysis NA 320-357
Paper Basic understanding of ERM objectives NA
Risk culture NA
Delphi Approach NA
Bow-tie NA
CS-3 Criteria for selection of members to Enterprise Risk
Committee NA
Direct question
Conceptual understanding of ERM and BCP from full batch
notes pg. 110
Issues relating to Outsourcing Risk NA
Question on swap, cross hedge, option contract vs
CS-4
forward contract. NA
Risk Register understanding NA
Question on Ratio calculation & Interpretation NA
Understanding of different risk analysis methods NA
CS-5 Difference between Risk Capacity, Risk Exposure,
Risk Tolerance and Risk Appetite Page no 82
Characteristics of a cyber-resilient organisation NA
1.1 Altman Z score
Descriptive question given in different way. Few
calculation mistakes is done by ICAI while Oct 19 MTP, Page
CS-1 calculating Answer. no. 183
1.2 New Question
Other questions are same
Oct 19 MTP, Page
CS-2 All questions along with MCQ are same
no. 185
April 21- MTP Oct 19 MTP, Page 358-374
CS-3 All questions along with MCQ are same
no. 188
4.1 Direct question page no. 9.25
4.2 Direct question page no. 9.17 Case Study 3; Page
CS-4
4.7 New MCQ Page no. 6.12 no 27
Other questions are same
5.1 Different question
Oct 20 MTP, page
CS-5 5.2 Direct question Page no. 2.3
no. 268
All MCQ's are same
Case Study
CS 1 to 20 Check page no. 375 for detail analysis 375-425
Digest
Strategic Risk & advt of viewing it
Risk vs Uncertainty; soft elements that influence the
CS-1 risk appetite
How to minimize the problems that will arise from
the litigation; information Security
CRSA vs ERM; forward Purchase contract; Forex
Vendor management; cyber resilient org. & reverse
CS-2
stress testing
Tools to hedge forex risk
Risk Identification; IFC; ERM
July 21 Exam CS-3 Calculation of Coefficient of Variation; how
NA 426-467
Paper external environment can affect the company;
foreign exchange exposure.
Risk Mitigation Process; BCP/DRP; VAR
Calculation of working capital
CS-4 Role of Risk Management committee & Audit
committee.
Management of Operational Risk
Type of risk; Management of risk
Risk & Vulnerabilities associated in risk; risk &
CS-5
uncertainty
Compliance of Foreign loans
Nov 21 MTP Most of the questions are repeated, please check page no. 489 for detailed analysis. 468-492
INDEX
Sr. no. / Heading and sub-heading / Pg. no.

1. 3 Case studies (Webhosted by ICAI)
   Case study-1: 1-19
   Case study-2: 20-26
   Case Study-3: 27-34
   Query Sheet: 35-37
2. March 18 Mock Test Paper
   Case studies: 38-51
   Solutions: 52-59
   Query Sheet: 60
3. May 18 Exam Paper (Exam 1)
   Question & Answers Key: 61-96
   Query Sheet: 97-98
4. August 18 Mock Test Paper
   Case studies: 99-107
   Solutions: 108-113
   Query Sheet: 114-115
5. November 2018 Exam Paper (Exam 2)
   Question & Answers Key: 116-135
   Query Sheet: 136-137
6. March 2019 Mock Test Paper
   Case studies: 138-145
   Solutions: 146-153
   Query Sheet: 154-155
7. May 2019 Exam Paper (Exam 3)
   Question & Answers Key: 156-180
   Query Sheet: 181-182
8. October 2019 Mock Test Paper
   Case Studies: 183-191
   Solutions: 192-198
   Query Sheet: 199-201
9. November 2019 Exam Paper (Exam 4)
   Question & Answers Key: 202-227
   Query Sheet: 228-231
10. May 20 Mock Test Paper
   Case Studies: 232-243
   Solutions: 244-253
   Query Sheet: 254-257
11. October 2020 Mock Test Paper
   Case studies: 258-270
   Solutions: 271-279
   Query Sheet: 280-285
12. Nov 2020 Exam Paper (Exam 5)
   Case studies and Solutions: 286-315
   Query Sheet: 316-319
13. Jan 2021 Exam Paper (Exam 6)
   Case studies and Solutions: 320-351
   Query Sheet: 352-357
14. April 2021 Mock Test Paper
   Case studies: 358-368
   Solutions: 368-374
   Query Sheet: NA*
15. Case Study Digest
   Case studies and Solutions: 375-420
   Query Sheet: 421-424
16. July 2021 Exam Paper (Exam 7)
   Case studies and Solutions: 426-460
   Query Sheet: 461-467
17. Nov 2021 Mock Test Paper
   Case studies: 468-479
   Solutions: 480-488
   Query Sheet: 489-492

* NA: Most of the questions are repeated for April 21 MTP. Check understanding topic wise coverage.
CA FINAL
ELECTIVE PAPER 6A: RISK MANAGEMENT
Case Study

ZEO Payment Technology is one of the promising Financial Technology Start Up
Companies in India. ZEO was founded in 2015 and has emerged as one of the largest
players in India’s Domestic Money Transfer (DMT) (Cash to Bank) segment. It is an
award winning Online Transaction platform for DMT, Payments and Travel. ZEO
has won several accolades and awards such as the prestigious National Payments
Excellence Award 2016 organized by the National Payment Council of India for the
largest number of transactions on the IMPS (non-Bank category). ZEO has one of
the largest cash collection network agents in the country to work on cash collection
and banking activities.
RA has founded ZEO and is now aspiring to apply for the Small Payment Bank
License. The application has to be made to a Statutory Authority. As per the
Statutory Authority’s guidelines, payment bank applicants have to submit the top
10 risk scenarios that they would face while operating a Small Payment Bank in
India.
The Board of ZEO would then evaluate the risk scenarios and prepare a formal
report to adopt the risk scenarios with specific risk management actions. Post
discussions at the Board and adoption of the risk scenarios, RA would make the
application to the Statutory Authority for transforming ZEO into a Small Payment
Bank.
Required:
1. Design any 5 risk scenarios in the following format out of risk scenarios given in
Exhibits.
Risk Scenario Title
Scenario description
Impact of scenario
Current measures to manage risks

(4 marks for each scenario)

© The Institute of Chartered Accountants of India 1


Page 1 of 492
2. Prepare a report to the Board of ZEO including:
(i) Bucketing of above identified risks
(ii) Likelihood Scale (10 marks)
3. Multi Choice Questions (MCQs)
(i) Which among the following is the most potent measure to prevent a
cyber-attack on a Small Payment Bank?
(a) Control of physical access to the system
(b) Strong Password
(c) Multi-layer authentication
(d) All of the above
(ii) What is the most important advice that the RBI gave to banks to
prevent bank frauds?
(a) Thorough performance evaluation of bank employees.
(b) Conducting investor awareness programs regularly to inform
and train customers to apprehend fraud.
(c) Proactive fraud control initiatives.
(d) All of the above
(iii) How does RBI ensure the prevention of money laundering activities?
(a) All cash transactions of more than ₹10,00,000 require an
Aadhar number.
(b) Any financial transaction above ₹500000 requires an Aadhar
Number.
(c) Both (a) and (b)
(d) None of the above
(iv) Every unlisted company having a paid up share capital of ₹10 crore
or more is not required to constitute a/an
(a) Audit committee
(b) Nomination and Remuneration Committee
(c) Risk Management Committee
(d) Suitable policy for training and performance evaluation of
directors.
(v) What is the main source of worry to banks regarding their
customers?
(a) Cashback facilities offered by e-wallet companies.

(b) Non-banks are getting access to their customer information
through third party applications.
(c) Deficiencies in sale of third party investment products by
lenders.
(d) Non-adherence to the RBI instructions with regard to mobile
or electronic banking services.
(vi) In Risk Enabled and Risk Managed Organisations, ______ is
a Monitoring tool to track progress of risk management.
(a) Flow Charts with Risk Flags
(b) Risk Event Maps
(c) Risk Scorecards
(d) Value at Risk
(vii) On likelihood scale an event that happens every 10 years or more in
the industry shall be placed at level ______.
(a) 1
(b) 2
(c) 3
(d) 4
(viii) The two oil shocks in 1970s triggered unusually severe economic
consequences. These episodes for many institutions represent ______
stress scenarios.
(a) Normal
(b) Severe
(c) Near Default
(d) Stress to Default
(ix) ABN-Amro Bank, Amsterdam, wants to purchase ₹15 million against
US$ for funding their Vostro account with Canara Bank, New Delhi.
Assuming the inter-bank rate of US$ is ₹51.3625/3700, what
would be the rate Canara Bank would quote to ABN-Amro Bank?
Further, if the deal is struck, the equivalent US$ amount would be:
(a) US$ 2,92,041.86
(b) US$ 2,94,041.86
(c) US$ 2,91,999.22
(d) US$ 2,93,999.22

(x) In which of the following techniques to hedge interest rate risk is the
premium least or nil?
(a) Cap
(b) Floor
(c) Collar
(d) None of these (10 x 2 = 20 marks)

Exhibit 1
Cyber-attack on the website and systems
Recently, the systems of a PSU Bank have been hacked to create fake documents
that may have been used to raise money outside India or help in dealing of
prohibited items. The fake document may be letter of credit (LC) or guarantees.
The bank later realised that their SWIFT (Society for World Wide Interbank
Financial Telecommunication) system has been used to create fake documents.
SWIFT is a financial messaging service which is used by banks to move millions of
dollars and documents in various countries.
Therefore, the person who hacked into the system to create a fake LC may put it
before a foreign bank for finance. However, the Indian Bank, whose system has
been used to create a fake L.C., may face a claim for money when a foreign bank
tries to recover its money released against an LC.
Some measures have been taken to prevent such reoccurrences in future. Firstly,
physical access to the system must be controlled. Secondly, strong password and
multi-layer authentication policy should be there. And, lastly, identity and token
management policies are needed to control who has access to data.
SWIFT customers should have in place a system of detecting any unusual activity
and how the staff shall respond when such an untoward event happens.
(Extract from an article)

Exhibit 2
Bank Fraud
In a leading multinational bank, a banking fraud of ₹400 has taken place. The
fraud has happened because of the mastermind of an employee named Lalit. The
modus operandi of Lalit was to sell investment products to high net worth
individuals (HNIs). He falsely projected to the HNIs that these financial products
are authorised by the bank’s investment product committee.
So, he lured them by convincing them that their investments would be invested in
lucrative schemes giving good returns. Then, he transferred the funds accumulated
from HNIs to some fictitious accounts. Funds amounting to Rs 400 crore belonging
to about 20 customers were transferred to such accounts. He, then, used the
money to invest it into the stock market.
Modus operandi was simple. He lured customers with a fake circular by SEBI promising 2-
3% returns per month. The fake circular also mentioned a custodian that route investor
funds. Lalit also used some blank cheques and he used these to transfer money out of their
accounts directly to the brokerages to be invested in the stock market.
The RBI has issued master circular advising banks to set up internal control system
to combat frauds and to take pro-active fraud control and enforcement measures.
(Source : Extract from a leading financial daily)

Exhibit 3
Use of company channels for illegal business or money laundering activities
In ABC Bank, allegations of money laundering surfaced. The allegation was that foreign
exchange to the value of 557 crore has been sent out of India through 11 fictitious
firms under the shadow of imports.
Further, investigations disclosed that a person along with his partner operated 66
accounts at ABC. Further, bank records showed that ₹505 was deposited by the
accused and remitted abroad through this bank during 2012 to 2016.
He was making illegal fund transfers to Hong Kong on the basis of forged import
documents. He had two companies in Hong Kong PQ and ZY. Funds were actually
remitted to these two firms. The accounts in Hong Kong were in the CEO Bank
from where the funds were transferred to China.
The Government of India has taken some initiatives to curb the practice of money
laundering as illustrated above on the following lines:
The Government has made it mandatory for banks and financial institutions to
check the original identification documents of individuals dealing in cash above the
prescribed threshold, to weed out the use of forged or fake copies.
As per Rule 9 of RBI, every reporting entity shall at the time of commencement of
an account-based relationship, identify its clients, verify their identity and obtain
information on the purpose and intended nature of the business
relationship. Intermediaries like stockbroker, Chit Fund Company, cooperative
bank, housing finance institution and non-banking finance companies are also
classified as reporting entities.
Biometric identification number Aadhaar and other official documents are required
to be obtained by the reporting entities from anyone opening a bank account as
well as for any financial transaction of Rs 50,000 and above.
The same is also required for all cash dealing of more than Rs 10 lakh or its
equivalent in foreign currency, cash transactions where forged or counterfeit
currency notes have been used and all suspicious transactions.
All cross-border wire transfers of more than Rs 5 lakh in foreign currency and
purchase and sale of immovable property valued at Rs 50 lakh or more also fall
under this category, according to the reporting rules.
The Gazette notification said in case the officially valid document furnished does
not contain updated address, a utility bill like electricity, telephone, post-paid
mobile phone, piped gas or water bill which is not more than two months old can be
considered as a proof of address.
Also, property or municipal tax receipt, pension or family pension payment orders
issued to retired employees by Government departments, or letter of allotment of
accommodation from employer can be considered for the same purpose.
(Source : Extract from a leading financial daily)

Exhibit 4
Natural Calamity impacting continuity of business operations
Small businesses are personally affected by a storm, earthquake or extreme
weather. Since ZEO payment technology is a small financial technology company,
it can feel the pinch of a natural disaster, in case it happens.
When a natural calamity takes place, it affects the supply chain of an organisation
severely. When the devastating flood took place in Thailand in 2011, the impact
was felt the world over, affecting almost every industry from electronics to
automobile. It led to a breakdown in the supply of many crucial components. This
prompted many companies to outsource their supply chain to a few low cost
countries. However, the business of a fintech company may also be impacted if the
physical office from which it conducts its business is also being affected by the
natural disaster.
(Source : Extract from a leading Financial Daily)

Exhibit 5
Non-compliance with legal requirements leading to penalties
ZEO is a fintech company. Peer to Peer (P 2 P) lending is currently in vogue in
ZEO as is the case in other companies. P 2 P lending creates a market for lenders
and borrowers to connect immediately.
Further, the use of P 2 P remittance platforms such as Transferwise creates a
market place where outgoing remittances are matched with incoming remittances.
For example, a person in London who wants to remit some money to India would
deposit the amount in platforms’ London office. The platforms’ algorithm would
detect another person in India who would want to transfer some money to London.
Then, the platform matches and “nets” the transaction. So, the money never
actually leaves the jurisdiction of a country.
However, the difficulty is that the Indian rupee is not freely convertible and the Foreign
Exchange Management Act, 1999 i.e. FEMA has provided certain regulations which
curb the free flow of money. Compliance function has to ensure strict compliance
of Banking Regulation Act, RBI Act, FEMA, Prevention of Money Laundering Act
etc.
All peer-to-peer lending (P2P) platforms will be regulated by the Reserve Bank of
India (RBI), according to a government of India notification. The Reserve Bank of
India (RBI) said, through an 18 September, 2017 gazette notification, those peer-
to-peer lenders (P2P)—companies that provide loan facilitation services from their
platform—will be treated as non-banking financial companies (NBFCs).
The Reserve Bank of India's move to allow up to 100% foreign direct investment
(FDI) in regulated financial services companies other than banks or insurance
companies through the automatic route is likely to benefit several fintech startups

as it is expected to ease equity funding norms, increase investor interest, and also
help them expand into more financial services.
(Source : Extract from a leading Financial Daily)

Exhibit 6
Corporate Governance Issues
ZEO Payment Technology is a small unlisted company willing to venture into the
field of Small Payment Bank. ZEO has 6 directors out of which one is independent
director. The paid up share capital of the company is ₹12 crore. However, the
company is yet to draft a suitable policy for training and performance evaluation of
directors.
Some of the provisions of the Companies Act, 2013 relating to Corporate
Governance have been given in the following sentences. Every company having a
paid up share capital of ₹10 crore or more has to constitute an audit committee and
shall have at least two independent directors. Further, it is required to appoint a
Nomination and Remuneration Committee and draft a suitable policy for training
and performance evaluation of directors. Also, a company having a paid share
capital of ₹50 crore or more OR a turnover of ₹200 crore or more has to appoint an
internal auditor to conduct internal audit of the functions and activities of the
company.
The new Companies Act has given powers to Serious Fraud Investigation Office
(SFIO) to carry out arrests, raids and seizure in respect of certain offences of the
act which attract the punishment for fraud. Further, as per the section 212, on the
intimation of special resolution passed by the company, SFIO can investigate into
the affairs of the company or on the receipt of a report of the Registrar or inspector
or in the public interest or on request from any Department of the Central
Government or a State Government.
Moreover, the Companies Act, 2013 does not contain any compulsory provision for
constitution of a Risk Management Committee. However, it requires its Board to
develop and implement a risk management policy and identify risks which may
threaten the existence of the company.

Exhibit 7
3.2 million debit cards compromised; IBS, CFDH Bank, CCC Bank,
No Bank and ITU Bank worst hit
Banks in India will either replace or ask users to change the security codes of as
many as 3.2 million debit cards in what's emerging as one of the biggest ever
breaches of financial data in India, people aware of the matter said. Several victims
have reported unauthorised usage from locations in China.
Of the cards, 2.6 million are said to be on the Visa and Master-Card platform and
600,000 on the RuPay platform. The worst-hit of the card-issuing banks are IBS,
Bank, CFDH Banks, CCC Bank and No Bank.
The breach is said to have originated in malware introduced in systems of Sakura
Payment Services, enabling fraudsters to steal information allowing them to steal
funds.
CFDH Bank said it had already taken action in the matter a few weeks back.
"Besides advising those customers who we know have used a non- CFDH Bank
ATM in the recent past to change (their) ATM PIN, we are advising our customers
to use only CFDH Bank ATMs as we believe security controls at some of the other
bank ATMs may not be at par with HDFC Bank ATMs”.
The newspaper had reported on Wednesday that IBS Bank would reissue 600,000
debit cards following a malware-related security breach and has asked customers
to change their PIN numbers as well.
(Source : Extract from a leading Financial Daily)

Exhibit 8

Legal suits, claims by third parties


PhoneSe is a third party app owned by Blipmart. And, it becomes a part of UPI
through a partnership with No Bank. Blipmart recently integrated UPI payments on
its website and is offering customers cashback on their e-wallet on PhoneSe UPI
payment.
However, banks have expressed worry that non-banks are getting access to their
customer information through third party applications developed for the Unified
Payment Interface (UPI).
Therefore, PQRST Bank has blocked customers from accessing their accounts
using the PhoneSe UPI applications.
The RBI in June 2017 widened the scope of its Banking Ombudsman Scheme
2006 to include deficiencies arising out of sale of third-party investment products
by lenders. Under the amended scheme, a customer would also be able to lodge a

complaint against banks for non-adherence to the RBI instructions with regard to
mobile or electronic banking services.
Following the amendment, the pecuniary jurisdiction of the ombudsman to pass an
award has been doubled from ₹10 lakh to ₹20 lakh. The ombudsman has been
empowered to award compensation not exceeding ₹1 lakh for loss of time,
expenses incurred and also harassment and mental anguish suffered by the
complainant. There is also an option for customers to go in for appeal in respect
of closed complaints, which was not available earlier.
(Source : Extract from a leading Financial Daily)

Exhibit 9

Rumors Spark Run On Indian Bank


Wall Street's worries made their way to India Tuesday as CCC Bank , the country's
largest private-sector bank, saw hundreds of clients withdrawing cash at branches
and ATMs in some parts of the country on rumors that the bank could fail.
Chief Executive K.V. Kumar said the rumors were "baseless and malicious."
Central Bank, in an unprecedented move, issued a statement saying there was
enough liquidity at CCC Bank and the Central Bank had arranged to provide
adequate cash to the bank to meet the demands of customers.
So far, CCC is the only Indian bank that has been directly hit by the recent
disasters on Wall Street. Its U.K. subsidiary has $80 million in exposure to Lehman
Brothers , a substantial portion of which may have to be written down, said Ajit
Saxena, an analyst with Benaam Securities, a Mumbai-based financial services
firm, in a report. The subsidiary has a provision of about $12 million against
investment in these bonds.
"The key worry, of course, remains that if any other global bank or financial
institution files for bankruptcy, CCC may have to take further losses, the extent of
which is not known," the Benaam report says. Total capital base of overseas
subsidiaries stood at $800 million in the first quarter of fiscal year 2009.
CCC Bank, through its U.K. and Canadian subsidiaries, has around $5 billion of
investment book (largely bonds, certificates of deposit and other treasury assets).
Of this, roughly 60% is invested in various U.S. and European banks. "The recent
crisis could lead to high MTM [mark-to-market] losses in the overseas investment
book," Saxena added.
According to Indian media reports, anxious CCC customers rushed to withdraw
their money from ATMs and branches after rumors the bank was in trouble due to
exposure to Wall Street's mess.
CCC, which has consolidated assets of $105 billion, saw net profits of $900 million
in fiscal year 2008 on revenue of $10 billion and $155 million in the first quarter of

this year on revenue of $2.2 billion. But it has seen its stock price hammered from
a 52-week high of $37 (Jan. 14) to $9.60 Tuesday.
As of June 30, it had a capital adequacy ratio of 13.4%, well above the regulatory
requirement of 9%. Kumar added that the U.K. subsidiary had zero exposure to
U.S. subprime credit and zero non-performing loans. If only Wall Street was so
lucky.
(Source: Extract from a leading Financial Magazine)

Exhibit 10

EMAIL
From: Lee Port
To: Mr. Z (CEO of ZBO Payment Bank)
Dated:……………………………………
Subject: Pitch Presentation for financing of proposed small payment bank
under the FDI Scheme of Govt. of India
Hi Z,
This has reference to your last week’s Pitch Presentation at Singapore for making
investment in your proposed Small Payment bank in India. While the idea of this
type of banking is naïve in India but the most catchy feature of the same is to reach
consumers through mobile phones rather than traditional system of bank branches
as it is quite uneconomical affair for the banks to open branch in each and every
village of India. This is a good initiate by Govt. of India as a major step towards
financial inclusion in India where a major part of population is living in villages.
Before we forward your proposal of investing the funds in your start-up to the
Board please confirm the following unique features of the proposed Small Payment
Banks:
• Payment bank will reduce the dependency on Cash and will increase m-
commerce as mobile wallet will be used as payment option.
• Payment Bank will invest 75% of its demand deposits in Government
Securities and Treasury Bills and balance 25% can be held as fixed deposits
with other Scheduled Commercial Banks.
• Payment bank can also provide Forex Cards to the travellers.
• Payment Bank will get a big chunk of deposit comparing to commercial banks
due to reason of providing higher interest rates.
In case there is any deviation in above points please let us know immediately.
Thanks,
Lee Port

ELECTIVE PAPER 6A – RISK MANAGEMENT
SUGGESTED SOLUTION – CASE STUDY 1

1.

Source- Exhibit 1

Risk Scenario Title: Fraud Risk

Scenario description: The system of the Bank can be hacked to create may face a claim for
money when a foreign bank tries to recover its money released against an LC.

Impact of scenario: Huge loss to bank if the number of LC transactions is large.

Current measures to manage risks: Bank should have in place a system of detecting any
unusual activity and how the staff shall respond when such an untoward event happens.

Some measures must be taken to prevent such reoccurrences in future. Firstly, physical
access to the system must be controlled. Secondly, strong password and multi-layer
authentication policy should be there. And, lastly, identity and token management
policies are needed to control who has access to data.

Source- Exhibit 2

Risk Scenario Title: Governance or Reputation Risk

Scenario description: Using name of bank to customers for higher returns and opening
fictitious accounts.

Impact of scenario: Bank may lose its reputation and may face unwarranted litigations.

Current measures to manage risks: Proper internal control system should be set up to
combat frauds and to take pro-active fraud control and enforcement measures.

Source- Exhibit 3

Risk Scenario Title: Reputation Risk

Scenario description: Bank account can be used for illegal transfer of funds and money
laundering activities.

Impact of scenario: Bank may face paucity of funds and its reputation may also take a
beating. It will also be answerable to various stakeholders.

Current measures to manage risks: The bank should check the original identification
documents of individuals dealing in cash above the prescribed threshold, to weed out the
use of forged or fake copies.

Source- Exhibit 4

Risk Scenario Title: Natural Hazardous Risk

Scenario description: Small businesses are generally affected by a storm, earthquake or
extreme weather.

Impact of scenario: The business of a bank may also be impacted when a natural disaster
affects the physical office from which it conducts its business.

Current measures to manage risks: It can insure itself against any natural calamity.

Source- Exhibit 5

Risk Scenario Title: Regulatory or Compliance Risk

Scenario description: In case payment bank is engaged in the business of P2P and their
receipt and payment of money from India to any foreign country and vice-versa takes
place. However, the platform matches and nets the transactions and the money never
actually leaves the jurisdiction of a country.

Since the Indian rupee is not freely convertible, the Foreign Exchange Management Act,
1999 i.e. FEMA has provided certain regulations which curb the free flow of money.

Impact of scenario: Non-compliance of FEMA provisions will attract penalty.

Current measures to manage risks: The risk can be managed to a large extent with the
compliance of RBI notifications.

Source- Exhibit 6

Risk Scenario Title: Regulatory or Governance Risk

Scenario description: The company is yet to draft a suitable policy for training and
performance evaluation of directors and it has not appointed any committees.

Impact of scenario: This may invite penalties from the court and wrath of the investors.

Current measures to manage risks: Constitute an audit committee and have at least two
independent directors. Further, it is required to appoint a Nomination and Remuneration
Committee and draft a suitable policy for training and performance evaluation of
directors.

Even though the Companies Act, 2013 does not contain any compulsory provision for
constitution of a Risk Management Committee, it is in the interest of the bank to
constitute a Risk Management Committee.

Source- Exhibit 7

Risk Scenario Title: Cyber or Technology Risk

Scenario description: Financial data was breached and the security of debit cards was
compromised. Malware introduced into the systems enabled the fraudsters to steal
information and, in turn, to steal funds.

Impact of scenario: Penalties and litigations to be faced by bank.

Current measures to manage risks: Banks may either replace or ask users to change the
security codes.

Reissue of debit cards and asking customers to change their PIN numbers as well.

Source- Exhibit 8

Risk Scenario Title: Fraud or Data Security Risk

Scenario description: Non-banks are getting access to the bank’s customer information
through third party applications developed for the Unified Payment Interface (UPI).

Impact of scenario: Privacy is the issue here. Customers’ details are getting compromised.

Current measures to manage risks: Bank should be very careful while entering into any
agreement with a third party app like PhoneSe. Agreement shall be entered into only after
proper verification and knowledge about their business.

Source- Exhibit 9

Risk Scenario Title: Reputation or Business Continuity Risk

Scenario description: The rumour that bank is the only bank which has been hit directly by
the recent disasters and it could fail.

Impact of scenario: This may lead to people flocking to ATMs and bank branches to
withdraw cash. Also, the bank’s stock price may be hammered.

Current measures to manage risks: Such rumour should be taken care of by proper media and
people management. There should be a prompt response on the part of the Bank to ward off
such rumour with the help of media. Proper people management requires action on the part
of banks to pacify and inform customers so that future reoccurrences of such panic
situations can be avoided.

Source- Exhibit 10

Risk Scenario Title: Finance or Forex and Interest Rate Risk

Scenario description: As banks can issue the Forex Card there may be some variation in the
rates at which same has been acquired and disposed of.

Since the rate of interest offered by the bank on its deposit is higher in comparison to
the traditional banking and the fund shall be deposited in Govt. Securities instead of
Commercial lending, the spread between receipt and payment of interest will be
marginalized. Hence any change in the market interest rate shall lead to erosion in the
spread.

Impact of scenario: Loss on account of Forex exchange rate volatility and squeezing of
Interest Spread Gains.

Current measures to manage risks: Hedging the forex and interest rate using various
techniques such as Forward, Futures and Option contracts.

Note: Students are expected to design any 5 risk scenarios in the prescribed format out of
the above-mentioned 10 scenarios.

2.

To: The Board

From: ABC, Risk Consultant

Date: 29 December 2017

Subject: Risk Management

Introduction

This report covers

(i) Bucketing of above identified risks

(ii) Likelihood Scale

(i) Bucketing of above identified risks

Risk No.   Risk Scenario Title                        Bucketing of identified risks
1          Fraud Risk                                 Severe
2          Governance or Reputation Risk              Major
3          Reputation Risk                            Major
4          Natural Hazardous Risk                     Severe
5          Regulatory or Compliance Risk              Major
6          Regulatory or Governance Risk              Major
7          Cyber or Technology Risk                   Major
8          Fraud or Data Security Risk                Major
9          Reputation or Business Continuity Risk     Moderate
10         Finance or Forex and Interest Rate Risk    Moderate

(ii) Likelihood Scale

Exhibit    Risk Scenario Title                        Likelihood Scale
1          Fraud Risk                                 Unlikely
2          Governance or Reputation Risk              Likely
3          Reputation Risk                            Likely
4          Natural Hazardous Risk                     Unlikely
5          Regulatory or Compliance Risk              Likely
6          Regulatory or Governance Risk              Likely
7          Cyber or Technology Risk                   Very unlikely
8          Fraud or Data Security Risk                Likely
9          Reputation or Business Continuity Risk     Very unlikely
10         Finance or Forex and Interest Rate Risk    Very likely

Conclusion

As a small bank, some of the risks, especially Risk Nos. 5, 6 and 8, need special
attention.

3. (i) (d)

(ii) (c)

(iii) (a)

(iv) (c)

(v) (b)

(vi) (c)

(vii) (b)

(viii) (b)

(ix) (a)

(x) (c)

PAPER – 6A: RISK MANAGEMENT

CASE STUDY 2

ABC Ltd. is a Delhi based company. It was established in 2009 and deals in the manufacturing business of
high-end electronics distributed through retail superstore. The company is currently going through a rapid
growth phase. Its products are receiving good response from the market. The company is experiencing the
challenges of retaining good sales employees and developing an efficient financial system. Ravi Narain is
the CFO of the company.
ABC Ltd. has an outdated computerized accounting system which does not lock out the changes made after
the month end.
ABC is looking to develop a more effective and efficient financial system and considering implementing an
incentive plan for sales employees who are currently paid a flat salary.
ABC Ltd had a turnover of ₹ 800 crores in 2016-17 and was listed on the Indian Stock exchange in 2014. Ajay
and Pawan are the newly appointed directors of Finance and Human Resource divisions respectively.
Ajay is a street smart finance professional and he played a critical role in the areas of budgeting and
forecasting, finance and asset management. He has a team of 25 people including Jatin and Mohit, who
directly report to Ajay.
In spite of a limited salary, Ajay maintains a lavish style of living. Jatin maintains the journal entries
according to Ajay’s directions. One day HSBC bank notified Ravi Narain that Ajay’s personal credit card
balances were being paid off by ABC’s account. Since Ravi Narain was busy with a Board Meeting, he confirmed
that this might be reimbursement of his Travelling Expenses.
Jatin records the internet sales from the company’s retail outlet as well as carries out following functions:
1. Reconciliation of accounts receivable sub-ledger to general ledger
2. Mailing checks to vendors
3. Coding and recording of checks received for deposit
Ravi normally never reviews financial details as he trusts Ajay.
On the Human Resource front, to overcome the problem of retaining the sales employees, the company has
recently hired Pawan as the HR director who is known for developing good HR policies to manage people
effectively and motivate them to perform well.
Pawan advised the management to implement a compensation plan of base salary and bonus instead of fixed
monthly salary. Sales incentive compensation is based on the performance of sales employees. The
performance can be measured by looking at the revenue they generate for the employees. The management
liked the proposal advised by Pawan and the compensation plan is finalized which was as follows.
Base Salary: 35,000/month
Commission: 5% of Sales exceeding 10,00,000/month + 5% extra commission on sales made over and
above 20,00,000/-
Consequently, the present organization structure comes out as follows:

[Figure: organization chart. Board of Directors; Managing Director; four heads reporting to the Managing
Director: Ravi Narayan (Finance Head), HR Head, IT Head, and Sales & Marketing. Finance: Ajay Kothari
(Finance Manager), Jatin (Manager), Mohit (Manager). HR: Pawan Pandey (Director), HR Manager, HR Analysts.
IT: IT Director, IT Manager, IT Analysts. Sales & Marketing: Managers, Support Staff.]

After some time, the Board of Directors started realizing that the company is facing a liquidity crunch.
Also, the introduction of the new compensation plan resulted in unhealthy competition among employees.
Some employees were less willing to provide assistance to struggling co-workers and would prefer to improve
their own productivity. It also promoted an environment of excessive risk-taking by the sales employees in
pursuit of short-term profits.
The company has a system of identification of risk but only at the functional level and not for processes.
Further, these risks are not communicated among the various organization levels.
A. Questions
The Board of Directors approaches you and requests you to submit a report on the following aspects:
(i) Identify the Risks that may be possible and their nature. (5 Marks)
(ii) Scaling of these identified risks based on ICAI Guide on Risk Based Internal Audit. (5 Marks)
(iii) Any three to four approaches to identify and assess the risk. (5 Marks)
(iv) Course of action to be followed to treat these risks. (5 Marks)
(v) Matters on which Risk Governance Framework can define a policy statement. (5 Marks)
(vi) Risk Maturity Level and reasons for the same. (5 Marks)

B. Multiple Choice Questions
1. As per the ………. risk has been defined as resulting from significant conditions, events, circumstances,
actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute
its strategies, or from the setting of inappropriate objectives and strategies.
(a) Basel II
(b) ICAI - SA 315
(c) CIMA
(d) None of these
2. Which of the following is not the classification of risk as stated by Enterprise Risk Management?
(a) Knowledge risk
(b) Operational risk
(c) Financial risk
(d) Residual risk
3. Which of the following is not the benefit of the risk management plan?
(a) Saving valuable resources: time, income, assets, people and property can be saved if fewer claims
occur.
(b) Creating a safe and secure environment for staff, visitors and customers
(c) Reducing legal liability and increasing the stability of your operations
(d) Provide an absolute assurance that risks will be mitigated.
4. In which of the following techniques to assess and evaluate risks, a panel of experts are appointed and
each of them gives his/her opinion in a written and independent manner:
(a) Judgment and intuition
(b) The Delphi approach
(c) Scoring
(d) Quantitative techniques
5. Which of the following is not the risk type that often overlaps or is caused by operational failure?
(a) Regulatory Risk
(b) Financial Risk
(c) Credit Risk
(d) Legal Risk
6. Technique involving acceleration of payments of hard currency and delaying payments of soft currency
payables to hedge forex exposure is called
(a) Netting
(b) Managing Blocked Funds
(c) Leading and Lagging
(d) None of these
7. Which of the following options gives its purchaser a floating rate of interest that is bounded
on both the high side and the low side?
(a) Cap Option
(b) Floor Option
(c) Collar Option
(d) Swaption
8. Which of the following exposure measures the effect of fluctuations in foreign exchange rate on the
value of the firm?
(a) Transaction Exposure
(b) Translation Exposure
(c) Economic Exposure
(d) Industry Exposure
9. More risk in a project can be incorporated by decreasing
(a) Estimated future cash inflows from the project
(b) Initial investment in the project
(c) Required rate of return of the project
(d) Internal rate of return of the project
10. Which of the following actions is called hedging?
(a) Protection of a profit already made from having undertaken a risky position
(b) Making profit by accepting risk
(c) Reducing or eliminating exposure to risk
(d) None of these (10 x 2 = 20 Marks)

ELECTIVE PAPER 6A: RISK MANAGEMENT

SUGGESTED SOLUTION

Case study 2

Note: Please note these solutions are for guidance purpose only.

(A)

To: The Board

From: ABC, Risk Consultant

Date: 6th April 2018

Subject: Risk Management

Our Report on the various issues raised is as follows:

(i) The possible Risks and their nature are as follows:


• Financial risk - These risks are associated with the financial assets, structure and transactions of the
particular industry. In other words, these risks are related specifically to the processes, techniques and
instruments utilised to manage the finances of the enterprise, as well as those processes involved in
sustaining effective financial relationships with customers and third parties.
• Operational Risk - These risks are associated with the on-going, day-to-day operations of the
enterprise. In other words, these are the risks associated with the operations of an organization. It is
the risk of loss resulting from failure of people employed in the organization, internal processes, systems
or external factors acting upon it to the detriment of the organization. It includes Legal Risk and excludes
Strategic and Reputational Risks as they are not quantifiable.
(ii) Scaling of Risk as identified above:
• Measurement of the likelihood of risk
Financial Risk – Likely (score 4)
Operational Risk – Likely (score 4)
• Risk Consequences
Financial Risk – Major
Operational Risk – Major
(iii) Four approaches are suggested to identify and assess the risk as below:
• Analysis of processes – Under this technique, material or significant business processes are
flowcharted. This will facilitate identification of process level operational risks. It is an approach
that helps improve the performance of business activities by analysing current processes and making
decisions on new improvements.
• Brainstorming – Under brainstorming a group of employees put forward their ideas or sensation of
risk. The employees estimate the risk based on their past experience or intuition. It involves a focused
group of managers working together to identify potential risks, concerns, root causes, failure modes,
hazards, opportunities and criteria for decisions and/or options for treatment. Brainstorming should
stimulate and encourage free-flowing conversation amongst a group of knowledgeable and focussed
people with a fair/objective outlook. The group should not be biased or critical. It is one of the best and
most popular ways to identify both risks and key controls and is the basis for most successful risk
workshops.
• Questionnaires & Interviews - Focused on detecting the concerns of staff with respect to the risks or
threats that they perceive in their operating environment. During a Structured interview, interviewees
are asked through a set of prepared questions to encourage the interviewee to present their own
perspective and thus identify risks. Structured interviews are frequently used during consultation with
key stakeholders when designing the risk management framework. Structured interviews are good to
assess risk appetite and tolerance when developing risk appetite statements. A specialist in risk
prepares interviews with various management level members of the company in order to elicit the
concerns.
• Checklists are information aids to reduce the likelihood of failures from potential hazards, risks or
controls that have been developed usually from past experience, either as a result of a previous risk
assessment or as a result of past failures or incidents or history or industry learning. Auditors often
prepare checklists of key controls to aid in their assessment of control effectiveness and the internal
control environment. Checklists are good guiding tools; however, can lead to herd mentality and risk
managers can miss out on fresh risk thinking and the big picture.
Note: Students can also mention any four techniques other than above.

(iv) Suggested course of action to reduce/ manage risk i.e. risk treatment is as follows:
• Strengthening of Internal Controls System
• Setting up limits for the sanction of amounts.
• Setting up operational risk management department.
Note: Students can also mention other course of action based on their work experience.

(v) The Risk Management (Governance) Framework should define a policy statement on the following
matters:-
(i) Determining when to review the Risk Management Framework (RMF) and the frequency for undertaking
the review.
(ii) Deciding who is responsible for the review. The RMF is generally reviewed by the Audit Committee or
a team of Directors. Once in few years the RMF can be reviewed with external facilitation. This would
provide fresh insights and benchmarking information to the Board.
(iii) Selecting the scope and method for a review. The scope and boundary of the RMF review can be clearly
set out along with the most suited method for review.
(iv) Manner of circulation of results.
(vi) The risk maturity level of the company is “Risk Aware”. The reason is that the risks are identified within
functions and not across processes. Also, risks are not communicated across the enterprise. It is basically a
scattered silo based approach to risk management.
B. Answers to Multiple Choice Questions
1. (b)
2. (d)
3. (d)

4. (b)
5. (c)
6. (c)
7. (c)
8. (c)
9. (a)
10. (c)

PAPER – 6A: RISK MANAGEMENT

CASE STUDY 3

Sunshine Ltd. is a software company specializing in software development for its clients. In the last
decade it has earned a good name and fame. For example, a super critical boiler in a thermal power plant
takes 10-12 days to be fine-tuned or synchronized. This means the system is shut for power generation, leading
to a loss of millions of dollars. Sunshine Ltd. came up with a solution that cuts the time taken to synchronize a
boiler from 10-12 days to 3-4 days through the use of software and the services of IT professionals. The main
strength of Sunshine is the IT professionals it employs.
It captures data through sensors on the boilers and uses an algorithm built in-house to check nearly 240
parameters and over 10,000 combinations to tune the boiler.
It also helped a global heating, ventilation and air conditioning firm to bring down the time taken to design an
AC solution in a building or office from 9 days to just 2 hours now.
However, the traditional outsourcing business of Sunshine Ltd. is dying a slow death as clients are cutting their
budgets on such services and shifting their focus to newer areas such as digital and cloud.
Three-fourths of the revenue of Sunshine Ltd. is from traditional services. However, half of its revenue still
comes from fixed price projects, which allow it the flexibility to determine the resources it deploys and use
software tools to deliver services. Now, the aim is to increase that goal by reducing the dependency on people
and relying more on software-led services, which coincides with its goal of IT Modernization.
Sunshine Ltd. derives a major portion of its revenues from customers' discretionary spending, which is linked
to their business outlook. Its major revenues are from the UK, the USA and other European countries.
Some draft legislation has been prepared in the USA to restrict the availability of work visas. Such protectionist
policies threaten the prospect of global mobility of people, which may also affect the work of Sunshine Ltd. as
distributed software development requires free movement of people.
Appreciation of the rupee against any major currency results in the revenue denominated in that currency
appearing lower in reported terms. Also, the exchange rate may differ between when the sale takes place and when
the invoice is collected.
The Internal Financial Control System
The internal Financial Control System of Sunshine Ltd. has been laid down as below:
• Recording and providing reliable financial and operation information.
• Safeguarding assets.
• Ensuring compliance with corporate policies.
• Well defined delegation of power.
• Efficient ERP system.
• Internal audit by one of the big audit firms.
• Periodic audit by specialized third party consultants.
• Audit Committee found internal financial control adequate.

A. Questions
(1) Discuss the SWOT analysis of Sunshine Ltd. (5 Marks)
(2) Briefly explain the political risk to be encountered by Sunshine Ltd. (3 Marks)
(3) Elucidate the types of exposures risks to be encountered by the company. (6 Marks)
(4) How can the company tackle the exposure of difference in exchange rates when sale took place and
when invoice is collected. (12 Marks)
(5) Discuss the efficacy of the Internal Financial Control System of Sunshine Ltd. (4 Marks)
B. Multiple Choice Questions
1. Risk Adjusted Discount Rate Method is based on the concept that………
(a) investors demand higher returns from more risky projects
(b) investors demand lower returns from more risky projects
(c) investors demand higher returns from less risky projects
(d) None of these
2. A project has a cost of capital of 10% and a payback period of 2 years with annual cash inflows
commencing from year end 2 to 4 of Rs. 60 crore. The initial investment outlay at the beginning of year
1 shall be
(a) Rs. 67.80 crore
(b) Rs. 74.58 crore
(c) Rs. 60.00 crore
(d) Rs. 95.07 crore
3. If interest rates are 3.4% and 1.4% per annum in USA and UK respectively and spot exchange rate is $
1.40/£ then 90-days forward rate shall be
(a) Rs. 1.346976
(b) Rs. 1.347976
(c) Rs. 1.406976
(d) Rs. 1.407976
4. Which of the following risk will not affect foreign exchange rate?
(a) Investment Risk
(b) Inflation Risk
(c) Interest Rate Risk
(d) Sovereign Risk
5. The purpose of Financial Swap is to reduce ______.
(a) Interest Rate Risk
(b) Exchange Rate Risk
(c) Credit Risk
(d) Both (a) and (b)
6. In case if principal or interest payment overdue between 61-180 days then as per RBI’s framework for
Revisiting Distressed Assets in Economy they are classified in category ______.
(a) SMA – 0
(b) SMA – 1
(c) SMA – 2
(d) SMA – 3
7. ______________ as a formal discipline for risk and capital management was born out of financial crises.
(a) Substantive procedures
(b) Test of Controls
(c) Corporate Governance
(d) Stress Testing
8. Which of the following is not a type of country risk?
(a) Political Risk
(b) Financial and Economic Risk
(c) Credit Risk
(d) None of the above
9. Which of the following risk actions does the statement below describe:
Reducing the risk likelihood or impact by transferring or, otherwise, sharing a portion of the risk. Common
techniques include purchasing insurance cover, outsourcing activities, engaging in hedging
transactions.
(a) Avoid
(b) Reduce/Manage
(c) Transfer/Share
(d) Accept
10. Speech Recognition, Handwriting Recognition and Intelligent Robots uses ______.
(a) Block Chain Technology
(b) Distributed Ledger Technology
(c) Artificial Intelligence
(d) None of these (10 x 2 = 20 Marks)

Exhibit 1
Domestic ratings agency ICRA said that the appreciation in the rupee is aggravating the troubles of the Indian
IT sector, which is already hit by a change in the market landscape and compressing revenue growth.
It said the industry is already reeling under pressures like uncertain macroeconomic environment, lower deal
sizes in digital technologies, cloud adoption and high competitive intensity.
The agency said despite a 8.1 per cent growth in USD revenue, IT players have registered a growth of only
three per cent in the second quarter of the current fiscal, due to the rupee appreciation of four per cent during
the quarter.
Due to the difficulties on the currency front, the agency said the $160-billion industry will be able to notch a
mid-to-high single digit growth till FY20.

On margins, it said the industry should brace for an impact on margins as price led competition is likely to
intensify and will negatively impact the spreads.
"IT Services players profitability also remains sensitive to rupee depreciation vis-a-vis major currencies such
as USD, GBP and Euro and the same too will have an impact," it said.
Its vice president Gaurav Jain said future growth will be supported by higher spend on digital technologies,
continued cost benefit offered through outsourcing model and market share gains for the Indian IT sector.
"While companies have increased spending on digital technologies and awarding new contracts, the overall
IT budgets have moderated leading to lower incremental spends," he said.
He, however, warned that an increase in the global IT market, which moved up to 67 per cent in 2016 from
60 per cent in 2012, will be limited as Indian IT Services companies, which are in the midst of re-orienting
their business models focusing more on higher-end services such as IT consulting and digital, are lagging
behind the competition.
"We expect large Indian IT companies to grab a higher share of the digital services space over the next three
years," he said.
From a vertical standpoint, manufacturing is outperforming with a 5.8 per cent growth but the largest revenue
contributor of banking and financial services has shown a muted trend over the last few quarters on
macroeconomic conditions including factors like Brexit.
Over the next decade, the agency expects consolidation in the sector due to the margin pressures.
The rating agency, however, said that despite the pressures on growth and profitability, credit profile for the
sector will remain stable.
(Extract from Economic Times)

Exhibit 2
The U.S. government is toughening up the process for renewing a popular foreign work visa.
This week, U.S. Citizenship and Immigration Services advised its officers to "apply the same level of scrutiny"
to extension requests for the H-1B visa, among other sought after visas.
In other words, officers are instructed to review requests for renewal as thoroughly as they would initial visa
applications.
The H-1B is a common visa pathway for high-skilled foreigners to work at companies in the U.S. It's valid for
three years, and can be renewed for another three years. It's a program that's particularly near and dear to
the tech community, with many talented engineers vying for one of the program's 85,000 visas each year.
The directive rescinds the previous guidance, which gave "deference" to previously approved visas "as long
as the key elements were unchanged and there was no evidence of a material error or fraud related to the
prior determination."
"This updated guidance provides clear direction to help advance policies that protect the interests of U.S.
workers," said new USCIS Director L. Francis Cissna, who was sworn in this month. President Donald Trump
announced his intent to nominate Cissna last spring.
In April, Trump directed federal agencies to implement a "Buy American, Hire American" strategy, which
included proposing new rules and guidance for preventing fraud and abuse of work visas. The H-1B program,
in particular, is one that President Trump has eyed for reform, criticizing abusers of the program who use the
visa to replace American workers.
Other visas impacted by the new guidance include L-1, for intracompany transfers, TN for Canadian and
Mexican citizens, and O-1, for those with "extraordinary abilities."
Some say the new policy will be unnecessarily burdensome and is aimed at limiting foreign workers.
Betsy Lawrence, the director of government relations for the American Immigration Lawyers Association, told
CNN Tech that the previous guidance made it efficient to review cases. Even then, USCIS had the authority
to question prior decisions and request additional information in reviewing extensions.
“We are going to much greater scrutiny of these cases, and thus delays, even when the underlying facts have
not changed," Lawrence told CNNMoney.
Immigration attorney Chris Wright of The Wright Law Firm told CNNMoney that it fits a broader pattern: "It
seems clear that USCIS have been instructed to push back wherever they can..." he said, noting that "the
prevailing attitude seems to be, 'How might we be able to deny this petition?'"
(http://money.cnn.com/2017/10/25/technology/business/h1b-visa-renewal-uscis/index.html)

Exhibit 3
Effect on IT sector due to Brexit
The Indian IT sector, faced with multiple challenges, is already bracing itself for a tough ride with US tightening
its visa norms. Brexit only adds to the growing uncertainty in the business environment for the IT companies.
Of the $108-billion of the IT industry’s estimated exports in 2015-16, 17 per cent was to the UK and about
11.4 per cent to other nations within the EU. For large Indian IT companies, over a fourth of their revenues
come from Europe, in particular from the UK.
Currency has always been a wild card for the IT sector. Wild swings in the pound vis-à-vis dollar and the
rupee, will also impact revenues and profits for Indian IT companies. The British pound revenues make for
10-15 per cent of the overall revenues in the case of TCS, Tech Mahindra and Wipro. For Infosys, GBP
revenue makes for 6.7 per cent of the overall revenue.
With pound depreciating sharply over the past year, dollar revenues of Indian IT companies have been under
pressure. The pound has also depreciated over 20 per cent against the rupee. This can reduce cost arbitrage
for companies outsourcing to the UK.
(Extract from Hindu Business Line)

ELECTIVE PAPER 6A: RISK MANAGEMENT

SUGGESTED SOLUTION

Case study 3

Note: Please note these solutions are for guidance purpose only.

A. (1) SWOT Analysis of Sunshine Ltd. is as follows:


Strength
– Specialization in the software development for their clients.
– Providing unique solutions to the clients.
– IT professionals employed with the company.
– Sound Internal Control system.
– A major portion of revenue comes from fixed price projects which allow it the flexibility to determine
the resources it deploys and use software tools to deliver services.
Weakness
– Derives a major portion of its revenues from customers' discretionary spending which is linked to
their business outlook.
– Three-fourths of the revenue is from traditional services.
– Dependence on the people.
Opportunity
– More focus on software led services which coincide with newer areas such as digital and cloud.
Threat
– Restrictive visa policy by USA may affect the work of Sunshine Ltd. and threaten the prospect of
global mobility of people as distributed software development requires free movement of people.
– Appreciation of the rupee against any major currency results in the revenue denominated in that
currency to appear lesser in reported terms.
– Clients cutting their budgets on such services and shifting their focus on newer areas such as
digital and cloud.
(2) The first political risk is toughening of visa policies by present US Government. The new directive rescinds
the previous guidance, which gave "deference" to previously approved visas as long as the key elements
were unchanged and there was no evidence of a material error or fraud related to the prior determination.
This may affect the free movement of IT people from India across USA thereby also affecting the work of
Sunshine Ltd.
Secondly, the exit of Britain from European Union i.e. Brexit only added to the woes of the IT sector. Of the
$108-billion of the IT industry’s estimated exports in 2015-16, 17 per cent was to the UK and about 11.4 per
cent to other nations within the EU. For large Indian IT companies, over a fourth of their revenues come from
Europe, in particular from the UK. This may affect the profitability position of Sunshine because of the
currency fluctuations.

(3) The types of exposure risk encountered by Sunshine Ltd. are discussed below:
Transaction Exposure - It measures the effect of an exchange rate change on outstanding obligations
that existed before exchange rates changed but were settled after the exchange rate changes. Thus, it
deals with cash flows that result from existing contractual obligations. For example, in the case of
Sunshine Ltd. if services are exported to USA for $10,00,000 due in one month and if the dollar
depreciates relative to the rupee, a cash loss occurs. Conversely, if the dollar appreciates relative to the
rupee, a cash gain occurs.
Further, domestic ratings agency ICRA has highlighted that the appreciation in the rupee is aggravating the
troubles of the Indian IT sector, which is already hit by a change in the market landscape and compressing
revenue growth.
Economic Exposure – It refers to the extent to which the economic value of a company can decline
due to changes in exchange rate. ICRA has said that despite an 8.1 per cent growth in USD revenue, IT
players have registered a growth of only three per cent in the second quarter of the current fiscal, due to the
rupee appreciation of four per cent during the quarter.
It also pointed out that IT Services players' profitability also remains sensitive to rupee depreciation vis-a-vis
major currencies such as USD, GBP and Euro and the same too will have an impact.
(4) The company can tackle the exposure arising from the difference in exchange rates between when the sale
took place and when the invoice is collected by hedging currency risks, as explained below:
(i) Internal Techniques: These techniques explicitly do not involve transaction costs and can be used
to completely or partially offset the exposure. The techniques relevant to Sunshine Ltd. can be
further classified as follows:
– Invoicing in Domestic Currency : Should the seller (exporter) i.e. Sunshine Ltd. elect to
invoice in foreign currency, perhaps because the prospective customer prefers it that way or
because sellers tend to follow market leader, then the seller should choose only a major
currency in which there is an active forward market for maturities at least as long as the
payment period. Currencies, which are of limited convertibility, chronically weak, or with only
a limited forward market, should not be considered.
– The seller’s ideal currency is either his own, or one which is stable relative to it. But often the
seller is forced to choose the market leader’s currency. Whatever the chosen currency, it
should certainly be one with a deep forward market.
– Price Variation: Price variation involves increasing selling prices to counter the adverse
effects of exchange rate change. This tactic raises the question as to why the company has
not already raised prices if it is able to do so. In some countries, price increases are the only
legally available tactic of exposure management.
– Asset and Liability Management : This technique can be used to manage cash flow
exposures. In essence, asset and liability management can involve aggressive or defensive
postures. In the aggressive attitude, the firm simply increases exposed cash inflows
denominated in currencies expected to be strong or increases exposed cash outflows
denominated in weak currencies. By contrast, the defensive approach involves matching cash
inflows and outflows according to their currency of denomination, irrespective of whether they
are in strong or weak currencies.
(ii) External Techniques: Under this category, a range of financial products is used, which can
be categorized as follows:
– Money Market Hedging: At its simplest, a money market hedge is an agreement to exchange
a certain amount of one currency for a fixed amount of another currency, at a particular date.
For example, suppose a business owner in India expects to receive 1 Million USD in six
months. This owner could create an agreement now (today) to exchange 1 Million USD for
INR at roughly the current exchange rate. Thus, if the USD dropped in value by the time the
business owner got the payment, he would still be able to exchange the payment for the
original quantity of U.S. dollars specified.
– Derivative Instruments: A variety of derivative instruments such as Forward, Futures,
Options and Swap are available to hedge the exposure of foreign exchange.
(5) The Internal Financial Control System of the Sunshine Ltd. is more or less efficient. The reasons are
given as below:
• Recording and providing reliable financial and operation information.
• Safeguarding assets.
• Ensuring compliance with corporate policies.
• Well defined delegation of power.
• Efficient ERP system.
• Internal audit by one of the big audit firms.
• Periodic audit by specialized third party consultants.
And, finally Audit Committee found internal financial control adequate which shows that Sunshine Ltd. has a
good Internal Financial Control System.
B. Answers to Multiple Choice Questions
1. (a)
2. (a)
3. (c)
4. (a)
5. (d)
6. (c)
7. (d)
8. (c)
9. (c)
10. (c)

Query Sheet for Case studies 1,2 & 3
(Web Hosted By ICAI)
(same as March-18 Mock Test Paper)

CASE STUDY-1

1. Question on Type of Risk, Scenario Description, Impact of Scenario, and Measures to manage
risk:

-List of common measures to manage the risk


Standard Measures to manage Risk

Proper system

Control physical access

Strong password

The appropriate internal control system

Check of original documents

Ensure itself

Comply with RBI regulation

Constitute audit committee and Remu. & nomination

Change the security code frequency

Careful while entering into an agreement

Rumors to be taken care of

Hedge forex and interest rate using forward futures & options contract

Query:
The risk identified by ICAI is different from the one I have identified. Will I get the marks?
There are fewer chances of getting the marks if the risk identified by you is different from that of ICAI.
Ideally, for this type of question, identify 2 or 3 types of risk and write them down in the
answer, e.g., Fraud risk or Data Security risk instead of just writing fraud risk. Generally, this type of
question should be solved last or avoided, since it involves a lot of judgment.

2.
(i) Bucketing of the above risk_2.24

(ii)Likelihood Scale_2.25

Query:
How is the Bucketing and Likelihood Scale decided?
It’s purely based on the understanding of the concept, and in a few places, it is based on the best judgment
of ICAI. Generally, this type of question should be solved last or avoided, since it involves a lot of
judgment.

3. MCQs

(i)- Basic concepts and common sense
(ii)- Basic concepts and common sense
(iii)- Knowledge-based; not from the book
(iv)- Based on the knowledge of corporate law
(v)- Knowledge-based; Common sense; not from the book
(vi)- Direct answer from Page 3.12 of ICAI SM.
(vii)- Direct answer from Page 2.25 of ICAI SM.
(viii)- Direct answer from Page 5.11 of ICAI SM.
(ix)- Simple question based on Bid-Ask concept of FOREX chapter of SFM
(x)- Simple conceptual question based on Interest Rate Risk Management of SFM

CASE STUDY - 2

A.
(i) Possible risk:

a. Financial Risk (1.11 + 1.19)


b. Operational Risk (1.20)

a. How many points should one write if the type of risk is asked?
Ideally, one should write as many risks as the marks allocated. E.g., for five marks, 5
types of risk should be quoted. (Generally, you will find Operational risk in ICAI answers easily)

b. What should one write for the type of risk identified?
One should try to include all the types of content given in the book and try to relate the risk with the
case study. (E.g., for financial risk, which is shown in the answer, ICAI has written all the points, i.e.,
those given on Page no. 1.11 & 1.19)

(ii) Scaling on Risk (Likelihood * Consequence) (1.13)


Knowledge Sharing: Whenever the scaling of risk is asked, it always needs to be done based on
Likelihood and Consequences.

(iii) Approaches on identification and assessment of risk (2.10)

(iv) Suggestion on how to reduce/manage risk, i.e., risk treatment


[Students can also mention other courses of action based on their work experience]

(v) Risk management governance framework (7.6)

(vi) Risk maturity level (8.7)

B. Multiple Choice Questions

1. Direct answer from page no. 1.05 of ICAI SM.
2. Direct answer from page no. 1.11 of ICAI SM.
3. Direct answer from page no. 3.10 of ICAI SM.
4. Direct answer from page no. 2.07 of ICAI SM.
5. Direct answer from page no. 3.10 of ICAI SM.
6. Direct answer from SFM ICAI SM (Forex chapter ).
7. Direct answer from SFM ICAI SM (Interest Rate Risk Management chapter ).
8. Direct answer from SFM ICAI SM (Forex chapter ).
9. Related to the IPCC Content. A bit knowledge-based.
10. Direct answer from SFM ICAI SM (Forex chapter )

CASE STUDY- 3
A.

(1) SWOT analysis was done for one company (2.15)


[Knowledge Sharing: For this type of question, we need to answer based on a case study and try to
include as many points as possible.]

(2) Political Risk _Answer given based on case study_Concept_(5.15)


[How to search for this type of answer?
For this type of question, you need to read the exhibit smartly and cover the problems mentioned.]

(3) Type of exposure risk encountered_SFM_(9.19)

(4) Ways to tackle exposure of difference in exchange rates_SFM_(9.22)


[Do we need to read SFM chapters?
Yes, you need to read the Foreign exchange risk and Interest Rate risk chapters of SFM to answer this
question.]
(5) Efficacy of the internal control system_(Case study based)

B. Multiple Choice Questions:


1. Direct answer from page no. 8.12 of ICAI SM of Intermediate Chapter.
2. Conceptual but simple calculation related to IPCC and SFM.
3. FOREX based simple calculation
4. Conceptual
5. Conceptual – related to Interest Rate Risk Management and FOREX chapters of SFM.
6. Direct answer from page no. 6.18 of ICAI SM.
7. Direct answer from page no. 5.07 of ICAI SM.
8. Indirect answer from page no. 5.15 of ICAI SM. A bit conceptual and common sense.
9. Direct answer from page no. 2.21 of ICAI SM.
10. Direct answer from page no. 9.35 of ICAI SM.

Test Series: March, 2018
MOCK TEST PAPER
FINAL (NEW) COURSE: GROUP – II
PAPER – 6A: RISK MANAGEMENT

Attempt any two out of three case study based questions.


Each Case Study carries 50 Marks.
Time Allowed – 4 Hours Maximum Marks – 100

Question 1
ZEO Payment Technology is one of the promising financial technology start-up companies in India. ZEO was
founded in 2015 and has emerged as one of the largest players in India’s Domestic Money Transfer (DMT)
(Cash to Bank) segment. It is an award winning Online Transaction platform for DMT, Payments and Travel.
ZEO has won several accolades and awards such as the prestigious National Payments Excellence Award
2016 organized by the National Payment Council of India for the largest number of transactions on the IMPS
(non-Bank category). ZEO has one of the largest cash collection network agents in the country to work on
cash collection and banking activities.
RA founded ZEO and is now aspiring to apply for the Small Payment Bank License. The application has
to be made to a Statutory Authority. As per the Statutory Authority’s guidelines, the payment bank applicant
has to submit the top 10 risk scenarios that it would face while operating a Small Payment Bank in India.
The Board of ZEO would then evaluate the risk scenarios and prepare a formal report to adopt the risk
scenarios with specific risk management actions. Post discussions at the Board and adoption of the risk
scenarios, RA would make the application to the Statutory Authority for transforming ZEO into a Small
Payment Bank.
Required:
1. Design risk scenarios in the following format out of the risk scenarios given in Exhibits.

Risk Scenario Title
Scenario description
Impact of scenario
Current measures to manage risks

(4 Marks for each scenario)


2. Prepare a report to the Board of ZEO including:
(i) Bucketing of above identified risks
(ii) Likelihood Scale of above identified risks (10 Marks)
3. Multiple Choice Questions (MCQs)
(i) For ………, it is mandatory to have an Operational Risk Policy approved by the Board.
(a) Banks
(b) Insurance Companies
(c) Listed Companies
(d) Both banks and Listed Companies
(ii) The principles of Risk Appetite include
(a) Risk appetite can be complex
(b) Risk appetite need not to be measurable
(c) Risk appetite is a single, fixed concept
(d) All of the above
(iii) ……… is the process of evaluating and defining the cost and benefits associated with risk
consequences.
(a) Risk Assessment
(b) Risk Measurement
(c) Risk Quantification
(d) Risk Assessment
(iv) Risk Management techniques and options include
(a) Tolerate
(b) Transfer
(c) Terminate
(d) Tackle
(v) Which is the most popular method of estimating volatility?
(a) GARCH Model
(b) EWMA Model
(c) Bayes Theorem
(d) Standard Deviation
(vi) The Key Characteristics, “Risk management and internal control fully embedded into operations”,
comes under which heading of Risk Maturity.
(a) Risk Aware
(b) Risk Defined
(c) Risk Managed
(d) Risk Enabled
(vii) Risks can arise or change due to
(a) Changes in operating environment
(b) New or revamped information systems
(c) New business models, products, or activities
(d) All of the above
(viii) ……. is the risk of loss resulting from inadequate or failed processes, people and systems and from
external events
(a) Enterprise Risk
(b) Operational Risk
(c) Strategic Risk
(d) Governance Risk
(ix) …….. is the credit score which depends upon consumer behaviour.
(a) FICO Score
(b) VANTAGE Score
(c) PLUS Score
(d) ENES Score
(x) Which among the following is the limitation of VaR?
(a) VaR uninformative of tail losses
(b) VaR can create perverse Incentives Structures
(c) VaR is sub-additive
(d) VaR can discourage diversification (10 x 2 = 20 Marks)

Exhibit 1
Cyber-attack on the website and systems
Recently, the systems of a PSU Bank have been hacked to create fake documents that may have been used
to raise money outside India or help in dealing of prohibited items. The fake documents may be letters of credit
(LC) or guarantees. The bank later realised that its SWIFT (Society for Worldwide Interbank Financial
Telecommunication) system had been used to create the fake documents. SWIFT is a financial messaging
service which is used by banks to move millions of dollars and documents in various countries.
Therefore, the person who hacked into the system to create a fake LC may put it before a foreign bank for
finance. However, the Indian Bank, whose system has been used to create a fake LC, may face a claim for
money when a foreign bank tries to recover its money released against an LC.
Some measures have been taken to prevent such recurrences in future. Firstly, physical access to the
system must be controlled. Secondly, a strong password and multi-layer authentication policy should be there.
And, lastly, identity and token management policies are needed to control who has access to data.
SWIFT customers should have in place a system for detecting any unusual activity and a plan for how the staff shall
respond when such an untoward event happens.
(Extract from an article)
Exhibit 2
Bank Fraud
In a leading multinational bank, a banking fraud of Rs. 400 has taken place. The fraud was
masterminded by an employee named Lalit. The modus operandi of Lalit was to sell investment
products to high net worth individuals (HNIs). He falsely projected to the HNIs that these financial products
were authorised by the bank’s investment product committee.
So, he lured them by convincing them that their investments would be invested in lucrative schemes giving
good returns. Then, he transferred the funds accumulated from HNIs to some fictitious accounts. Funds
amounting to Rs. 400 crore belonging to about 20 customers were transferred to such accounts. He, then,
used the money to invest in the stock market.

The modus operandi was simple. He lured customers with a fake circular by SEBI promising 2-3% returns per
month. The fake circular also mentioned a custodian that would route investor funds. Lalit also used some blank
cheques to transfer money out of their accounts directly to the brokerages to be invested in
the stock market.
The RBI has issued master circular advising banks to set up internal control system to combat frauds and to
take pro-active fraud control and enforcement measures.
(Source : Extract from a leading financial daily)
Exhibit 3
Natural Calamity impacting continuity of business operations
Small businesses are personally affected by a storm, earthquake or extreme weather. Since ZEO Payment
Technology is a small financial technology company, it can feel the pinch of a natural disaster, in case it
happens.
When a natural calamity takes place, it affects the supply chain of an organisation severely. When the
devastating flood took place in Thailand in 2011, the impact was felt the world over, affecting almost every
industry from electronics to automobile. It led to a breakdown in the supply of many crucial components. This
prompted many companies to outsource their supply chain to a few low cost countries. However, the business
of a fintech company may also be impacted if the physical office from which it conducts its business is also
affected by the natural disaster.
(Source : Extract from a leading Financial Daily)
Exhibit 4
Corporate Governance Issues
ZEO Payment Technology is a small unlisted company willing to venture into the field of Small Payment Bank.
ZEO has 6 directors out of which one is independent director. The paid up share capital of the company is
Rs. 12 crore. However, the company is yet to draft a suitable policy for training and performance evaluation
of directors.
Some of the provisions of the Companies Act, 2013 relating to Corporate Governance are given in the
following sentences. Every company having a paid up share capital of Rs. 10 crore or more has to constitute
an audit committee and shall have at least two independent directors. Further, it is required to appoint a
Nomination and Remuneration Committee and draft a suitable policy for training and performance evaluation
of directors. Also, a company having a paid up share capital of Rs. 50 crore or more OR a turnover of Rs. 200
crore or more has to appoint an internal auditor to conduct internal audit of the functions and activities of the
company.
The new Companies Act has given powers to Serious Fraud Investigation Office (SFIO) to carry out arrests,
raids and seizure in respect of certain offences of the act which attract the punishment for fraud. Further, as
per the section 212, on the intimation of special resolution passed by the company, SFIO can investigate into
the affairs of the company or on the receipt of a report of the Registrar or inspector or in the public interest
or on request from any Department of the Central Government or a State Government.
Moreover, the Companies Act, 2013 does not contain any compulsory provision for constitution of a Risk
Management Committee. However, it requires its Board to develop and implement a risk management policy
and identify risks which may threaten the existence of the company.
Exhibit 5

EMAIL
From: Lee Port
To: Mr. Z (CEO of ZBO Payment Bank)
Dated:……………………………………
Subject: Pitch Presentation for financing of proposed small payment bank under the FDI Scheme of
Govt. of India
Hi Z,
This has reference to your last week’s Pitch Presentation at Singapore for making investment in your
proposed Small Payment bank in India. While the idea of this type of banking is naïve in India but the most
catchy feature of the same is to reach consumers through mobile phones rather than traditional system of
bank branches as it is quite uneconomical affair for the banks to open branch in each and every village of
India. This is a good initiative by Govt. of India as a major step towards financial inclusion in India where a
major part of population is living in villages.
Before we forward your proposal of investing the funds in your start-up to the Board please confirm the
following unique features of the proposed Small Payment Banks:
• Payment bank will reduce the dependency on Cash and will increase m-commerce as mobile wallet
will be used as payment option.
• Payment Bank will invest 75% of its demand deposits in Government Securities and Treasury Bills
and balance 25% can be held as fixed deposits with other Scheduled Commercial Banks.
• Payment bank can also provide Forex Cards to the travellers.
• Payment Bank will get a big chunk of deposit comparing to commercial banks due to reason of
providing higher interest rates.
In case there is any deviation in above points please let us know immediately.

Thanks,
Lee Port

Question 2
ABC Ltd. is a Delhi based company. It was established in 2009 and deals in the manufacturing business of
high-end electronics distributed through retail superstore. The company is currently going through a rapid
growth phase. Its products are receiving good response from the market. The company is experiencing the
challenges of retaining good sales employees and developing an efficient financial system. Ravi Narain is
the CFO of the company.
ABC Ltd. has an outdated computerized accounting system which does not lock out the changes made after
the month end.
ABC is looking to develop a more effective and efficient financial system and considering implementing an
incentive plan for sales employees who are currently paid a flat salary.
ABC Ltd has a turnover of Rs. 800 crores in 2016-17 and was listed on Indian Stock exchange in 2014. Ajay
and Pawan are the newly appointed directors of Finance and Human Resource divisions respectively.
Ajay is a street smart finance professional and he played a critical role in the areas of budgeting and
forecasting, finance and asset management. He has a team of 25 people including Jatin and Mohit who
directly report to Ajay.
In spite of a limited salary, Ajay maintains a lavish style of living. Jatin maintains the journal entries
according to Ajay’s directions. One day HSBC bank notified Ravi Narain that Ajay’s personal credit card
balances were being paid off by ABC’s account. Since Ravi Narain was busy with a Board Meeting, he confirmed
that this might be reimbursement of his Travelling Expenses.
Jatin records the internet sales from the company’s retail outlet as well as carries out following functions:
1. Reconciliation of accounts receivable sub-ledger to general ledger
2. Mailing checks to vendors
3. Coding and recording of checks received for deposit
Ravi normally never reviews financial details as he trusts Ajay.
On the Human Resource front, to overcome the problem of retaining the sales employees, the company has
recently hired Pawan as the HR director who is known for developing good HR policies to manage people
effectively and motivate them to perform well.
Pawan advised the management to implement a compensation plan of base salary and bonus instead of fixed
monthly salary. Sales incentive compensation is based on the performance of sales employees. The
performance can be measured by looking at the revenue they generate for the employees. The management
liked the proposal advised by Pawan and the compensation plan is finalized which was as follows.
Base Salary: 35,000/month
Commission: 5% of Sales exceeding 10,00,000/month + 5% extra commission on sales made over and
above 20,00,000/-
Consequently, the present organization structure comes out as follows:

Board of Directors
Managing Director
– Finance: Ravi Narayan (Finance Head) → Ajay Kothari (Finance Manager) → Jatin (Manager), Mohit (Manager)
– HR: HR Head → Pawan Pandey (Director) → HR Manager → HR Analysts
– IT: IT Head → IT Director → IT Manager → IT Analysts
– Sales & Marketing: Sales & Marketing → Sales & Marketing Managers → Support Staff

After some time, the Board of Directors started realizing that the company is facing a liquidity crunch.
Also, the introduction of the new compensation plan resulted in unhealthy competition among employees.
Some employees were less willing to provide assistance to struggling co-workers and would prefer to improve
their own productivity. It also promoted an environment of excessive risk-taking by the sales employees for
pursuing short term profits.
The company has a system of identification of risk but only at the functional level and not for processes.
Further these Risks are not communicated among various organization levels.
A. Questions
The Board of Directors approaches you and requests you to submit a report on the following aspects:
(i) Identify the Risks that may be possible and their nature. (5 Marks)
(ii) Scaling of these identified risks based on ICAI Guide on Risk Based Internal Audit. (5 Marks)
(iii) Any three to four approaches to identify and assess the risk. (5 Marks)
(iv) Course of action to be followed to treat these risks. (5 Marks)
(v) Matters on which Risk Governance Framework can define a policy statement. (5 Marks)
(vi) Risk Maturity Level and reasons for the same. (5 Marks)

B. Multiple Choice Questions
1. As per the ………. risk has been defined as resulting from significant conditions, events, circumstances,
actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute
its strategies, or from the setting of inappropriate objectives and strategies.
(a) Basel II
(b) ICAI - SA 315
(c) CIMA
(d) None of these
2. Which of the following is not the classification of risk as stated by Enterprise Risk Management?
(a) Knowledge risk
(b) Operational risk
(c) Financial risk
(d) Residual risk
3. Which of the following is not the benefit of the risk management plan?
(a) Saving Valuable resources: time, income, assets, people and property can be saved if fewer claims
occur.
(b) Creating a safe and secure environment for staff, visitors and customers
(c) Reducing legal liability and increasing the stability of your operations
(d) Provide an absolute assurance that risks will be mitigated.
4. In which of the following techniques to assess and evaluate risks, a panel of experts are appointed and
each of them gives his/her opinion in a written and independent manner:
(a) Judgment and intuition
(b) The Delphi approach
(c) Scoring
(d) Quantitative techniques
5. Which of the following is not the risk type that often overlaps or is caused by operational failure?
(a) Regulatory Risk
(b) Financial Risk
(c) Credit Risk
(d) Legal Risk
6. Technique involving acceleration of payments of hard currency and delaying payments of soft currency
payables to hedge forex exposure is called
(a) Netting
(b) Managing Blocked Funds
(c) Leading and Lagging
(d) None of these
7. Which of the following option gives the effect of it purchases into a floating rate of interest that is bounded
on both high side and the low side?
(a) Cap Option
(b) Floor Option
(c) Collar Option
(d) Swaption
8. Which of the following exposure measures the effect of fluctuations in foreign exchange rate on the
value of the firm?
(a) Transaction Exposure
(b) Translation Exposure
(c) Economic Exposure
(d) Industry Exposure
9. More risk in a project can be incorporated by decreasing
(a) Estimated future cash inflows from the project
(b) Initial investment in the project
(c) Required rate of return of the project
(d) Internal rate of return of the project
10. Which of the following action is called hedging?
(a) Protection of a profit already made from having undertaken a risky position
(b) Making profit by accepting risk
(c) Reducing or eliminating exposure to risk
(d) None of these (10 x 2 = 20 Marks)

Question 3
Sunshine Ltd. is a software company specialized in software development for its clients. In the last
decade it has earned a good name and fame. For example, a super critical boiler in a thermal power plant
takes 10-12 days to be fine-tuned or synchronized. This means the system is shut for power generation, leading to a
loss of millions of dollars. Sunshine Ltd. came up with a solution that cuts the time taken to synchronize a
boiler from 10-12 days to 3-4 days through the use of software and the services of IT professionals. The main
strength of Sunshine is the IT professionals it employs.
It captured data through sensors on the boilers and used an algorithm built in-house to check nearly 240
parameters and over 10,000 combinations to tune the boiler.
It also helped a global heating, ventilation and air conditioning firm to bring down the time taken to design an
AC solution in a building or office from 9 days to just 2 hours.
However, the traditional outsourcing business of Sunshine Ltd. is dying a slow death as clients are cutting their
budgets on such services and shifting their focus to newer areas such as digital and cloud.
Three-fourths of the revenue of Sunshine Ltd. is from traditional services. However, half of its revenue still
comes from fixed price projects, which allow it the flexibility to determine the resources it deploys and use
software tools to deliver services. Now, the aim is to increase that goal by reducing the dependency on people
and relying more on software-led services, which coincides with its goal of IT Modernization.
Sunshine Ltd. derives a major portion of its revenues from customers' discretionary spending, which is linked
to their business outlook. Its major revenues are from the UK, the USA and other European countries.
Some draft legislation in the USA has been made to restrict the availability of work visas. Such protectionist
policies threaten the prospect of global mobility of people, which may also affect the work of Sunshine Ltd., as
distributed software development requires free movement of people.
Appreciation of the rupee against any major currency results in the revenue denominated in that currency
appearing lesser in reported terms. Then, there may be a different exchange rate when the sale took place and when
the invoice is collected.
The Internal Financial Control System
The Internal Financial Control System of Sunshine Ltd. has been laid down as below:
• Recording and providing reliable financial and operation information.
• Safeguarding assets.
• Ensuring compliance with corporate policies.
• Well defined delegation of power.
• Efficient ERP system.
• Internal audit by one of the big audit firms.
• Periodic audit by specialized third party consultants.
• Audit Committee found internal financial control adequate.
A. Questions
(1) Discuss the SWOT analysis of Sunshine Ltd. (5 Marks)
(2) Briefly explain the political risk to be encountered by Sunshine Ltd. (3 Marks)
(3) Elucidate the types of exposures risks to be encountered by the company. (6 Marks)
(4) How can the company tackle the exposure of difference in exchange rates when sale took place and
when invoice is collected. (12 Marks)
(5) Discuss the efficacy of the Internal Financial Control System of Sunshine Ltd. (4 Marks)
B. Multiple Choice Questions
1. Risk Adjusted Discount Rate Method is based on the concept that………
(a) investors demand higher returns from more risky projects
(b) investors demand lower returns from more risky projects
(c) investors demand higher returns from less risky projects
(d) None of these
2. A project has a cost of capital of 10% and a payback period of 2 years with annual cash inflows
commencing from year end 2 to 4 of Rs. 60 crore. The initial investment outlay at the beginning of year
1 shall be
(a) Rs. 67.80 crore
(b) Rs. 74.58 crore
(c) Rs. 60.00 crore
(d) Rs. 95.07 crore
3. If interest rates are 3.4% and 1.4% per annum in USA and UK respectively and spot exchange rate is $
1.40/£ then 90-days forward rate shall be
(a) Rs. 1.346976
(b) Rs. 1.347976
(c) Rs. 1.406976
(d) Rs. 1.407976
4. Which of the following risk will not affect foreign exchange rate?
(a) Investment Risk
(b) Inflation Risk
(c) Interest Rate Risk
(d) Sovereign Risk
5. The purpose of Financial Swap is to reduce ______.
(a) Interest Rate Risk
(b) Exchange Rate Risk
(c) Credit Risk
(d) Both (a) and (b)
6. If principal or interest payment is overdue between 61-180 days, then as per RBI’s framework for
Revisiting Distressed Assets in Economy they are classified in category ______.
(a) SMA – 0
(b) SMA – 1
(c) SMA – 2
(d) SMA – 3
7. ______________ as a formal discipline for risk and capital management was born out of financial crises.
(a) Substantive procedures
(b) Test of Controls
(c) Corporate Governance
(d) Stress Testing
8. Which of the following is not a type of country risk?
(a) Political Risk
(b) Financial and Economic Risk
(c) Credit Risk
(d) None of the above
9. Which of the following risk action describe:
Reducing the risk likelihood or impact by transferring or, otherwise, sharing a portion of the risk. Common
techniques include purchasing insurance cover, outsourcing activities, engaging in hedging
transactions.
(a) Avoid
(b) Reduce/Manage
(c) Transfer/Share
(d) Accept
10. Speech Recognition, Handwriting Recognition and Intelligent Robots uses ______.
(a) Block Chain Technology
(b) Distributed Ledger Technology
(c) Artificial Intelligence
(d) None of these (10 x 2 = 20 Marks)

Exhibit 1
Domestic ratings agency ICRA said that the appreciation in the rupee is aggravating the troubles of the Indian
IT sector, which is already hit by a change in the market landscape and compressing revenue growth.
It said the industry is already reeling under pressures like uncertain macroeconomic environment, lower deal
sizes in digital technologies, cloud adoption and high competitive intensity.
The agency said despite a 8.1 per cent growth in USD revenue, IT players have registered a growth of only
three per cent in the second quarter of the current fiscal, due to the rupee appreciation of four per cent during
the quarter.
Due to the difficulties on the currency front, the agency said the $160-billion industry will be able to notch a
mid-to-high single digit growth till FY20.
On margins, it said the industry should brace for an impact on margins as price led competition is likely to
intensify and will negatively impact the spreads.

"IT Services players profitability also remains sensitive to rupee depreciation vis-a-vis major currencies such
as USD, GBP and Euro and the same too will have an impact," it said.
Its vice president Gaurav Jain said future growth will be supported by higher spend on digital technologies,
continued cost benefit offered through outsourcing model and market share gains for the Indian IT sector.
"While companies have increased spending on digital technologies and awarding new contracts, the overall
IT budgets have moderated leading to lower incremental spends," he said.
He, however, warned that an increase in the global IT market, which moved up to 67 per cent in 2016 from
60 per cent in 2012, will be limited as Indian IT Services companies, which are in the midst of re-orienting
their business models focusing more on higher-end services such as IT consulting and digital, are lagging
behind the competition.
"We expect large Indian IT companies to grab a higher share of the digital services space over the next three
years," he said.
From a vertical standpoint, manufacturing is outperforming with a 5.8 per cent growth but the largest revenue
contributor of banking and financial services has shown a muted trend over the last few quarters on
macroeconomic conditions including factors like Brexit.
Over the next decade, the agency expects consolidation in the sector due to the margin pressures.
The rating agency, however, said that despite the pressures on growth and profitability, credit profile for the
sector will remain stable.
(Extract from Economic Times)

Exhibit 2
The U.S. government is toughening up the process for renewing a popular foreign work visa.
This week, U.S. Citizenship and Immigration Services advised its officers to "apply the same level of scrutiny"
to extension requests for the H-1B visa, among other sought after visas.
In other words, officers are instructed to review requests for renewal as thoroughly as they would initial visa
applications.
The H-1B is a common visa pathway for high-skilled foreigners to work at companies in the U.S. It's valid for
three years, and can be renewed for another three years. It's a program that's particularly near and dear to
the tech community, with many talented engineers vying for one of the program's 85,000 visas each year.
The directive rescinds the previous guidance, which gave "deference" to previously approved visas "as long
as the key elements were unchanged and there was no evidence of a material error or fraud related to the
prior determination."
"This updated guidance provides clear direction to help advance policies that protect the interests of U.S.
workers," said new USCIS Director L. Francis Cissna, who was sworn in this month. President Donald Trump
announced his intent to nominate Cissna last spring.
In April, Trump directed federal agencies to implement a "Buy American, Hire American" strategy, which
included proposing new rules and guidance for preventing fraud and abuse of work visas. The H-1B program,
in particular, is one that President Trump has eyed for reform, criticizing abusers of the program who use the
visa to replace American workers.

Other visas impacted by the new guidance include L-1, for intracompany transfers, TN for Canadian and
Mexican citizens, and O-1, for those with "extraordinary abilities."
Some say the new policy will be unnecessarily burdensome and is aimed at limiting foreign workers.
Betsy Lawrence, the director of government relations for the American Immigration Lawyers Association, told
CNN Tech that the previous guidance made it efficient to review cases. Even then, USCIS had the authority
to question prior decisions and request additional information in reviewing extensions.
"We are going to much greater scrutiny of these cases, and thus delays, even when the underlying facts have
not changed," Lawrence told CNNMoney.
Immigration attorney Chris Wright of The Wright Law Firm told CNNMoney that it fits a broader pattern: "It
seems clear that USCIS have been instructed to push back wherever they can..." he said, noting that "the
prevailing attitude seems to be, 'How might we be able to deny this petition?'"
(http://money.cnn.com/2017/10/25/technology/business/h1b-visa-renewal-uscis/index.html)

Exhibit 3
Effect on IT sector due to Brexit
The Indian IT sector, faced with multiple challenges, is already bracing itself for a tough ride with US tightening
its visa norms. Brexit only adds to the growing uncertainty in the business environment for the IT companies.
Of the $108-billion of the IT industry’s estimated exports in 2015-16, 17 per cent was to the UK and about
11.4 per cent to other nations within the EU. For large Indian IT companies, over a fourth of their revenues
come from Europe, in particular from the UK.
Currency has always been a wild card for the IT sector. Wild swings in the pound vis-à-vis dollar and the
rupee, will also impact revenues and profits for Indian IT companies. The British pound revenues make for
10-15 per cent of the overall revenues in the case of TCS, Tech Mahindra and Wipro. For Infosys, GBP
revenue makes for 6.7 per cent of the overall revenue.
With pound depreciating sharply over the past year, dollar revenues of Indian IT companies have been under
pressure. The pound has also depreciated over 20 per cent against the rupee. This can reduce cost arbitrage
for companies outsourcing to the UK.
(Extract from Hindu Business Line)

Test Series: March, 2018
MOCK TEST PAPER 1
FINAL (NEW) COURSE: GROUP – II
ELECTIVE PAPER 6A: RISK MANAGEMENT

SUGGESTED SOLUTION
Note: Please note these solutions are for guidance purpose only.

Answer to Question No. 1

Source - Exhibit 1

Risk Scenario Title: Fraud Risk
Scenario description: The system of the Bank can be hacked to create may face a claim
for money when a foreign bank tries to recover its money released
against an LC.
Impact of scenario: Huge loss to bank if the number of LC transactions is large.
Current measures to manage risks: Bank should have in place a system of detecting any unusual activity
and how the staff shall respond when such an untoward event
happens.
Some measures must be taken to prevent such reoccurrences in
future. Firstly, physical access to the system must be controlled.
Secondly, strong password and multi-layer authentication policy
should be there. And, lastly, identity and token management policies
are needed to control who has access to data.

Source - Exhibit 2

Risk Scenario Title: Governance or Reputation Risk
Scenario description: Using name of bank to customers for higher returns and opening
fictitious accounts.
Impact of scenario: Bank may lose its reputation and may face unwarranted litigations.
Current measures to manage risks: Proper internal control system should be set up to combat frauds
and to take pro-active fraud control and enforcement measures.

Source - Exhibit 3

Risk Scenario Title: Natural Hazardous Risk
Scenario description: Small businesses are generally affected by a storm, earthquake or
extreme weather.
Impact of scenario: The business of a bank may also be impacted by the natural disaster
by which the physical office from which it conducts its business is
also being affected by the calamity.
Current measures to manage risks: It can insure itself from any natural calamity.

Source - Exhibit 4

Risk Scenario Title: Regulatory or Governance Risk
Scenario description: The company is yet to draft a suitable policy for training and
performance evaluation of directors and it has not appointed any
committees.
Impact of scenario: This may invite penalties from the court and wrath of the investors.
Current measures to manage risks: Constitute an audit committee, which shall have at least two independent
directors. Further, it is required to appoint a Nomination and
Remuneration Committee and draft a suitable policy for training and
performance evaluation of directors.
Even though the Companies Act, 2013 does not contain any
compulsory provision for constitution of a Risk Management
Committee, it is in the interest of the bank to constitute a Risk
Management Committee.

Source- Exhibit 5

Risk Scenario Title: Finance or Forex and Interest Rate Risk
Scenario description: As banks can issue the Forex Card there may be some variation in the rates
at which same has been acquired and disposed of.
Since the rate of interest offered by the bank on its deposit is higher in
comparison to the traditional banking and the fund shall be deposited in
Govt. Securities instead of Commercial lending, the spread between receipt
and payment of interest will be marginalized. Hence any change in the
market interest rate shall lead to erosion in the spread.
Impact of scenario: Loss on account of Forex exchange rate volatility and squeezing of
Interest Spread Gains.
Current measures to manage risks: Hedging the forex and interest rate using various techniques such as
Forward, Futures and Option contracts.

(2)
To: The Board
From: ABC, Risk Consultant
Date: 6th April 2018
Subject: Risk Management
Introduction
This report covers
(i) Bucketing of above identified risks
(ii) Likelihood Scale of above identified risks
(i) Bucketing of above identified risks
Risk No. | Risk Scenario Title | Bucketing of identified risks
1 | Fraud Risk | Severe
2 | Governance or Reputation Risk | Major
3 | Natural Hazardous Risk | Severe
4 | Regulatory or Governance Risk | Major
5 | Finance or Forex and Interest Rate Risk | Moderate

(ii) Likelihood Scale


Exhibit | Risk Scenario Title | Likelihood Scale
1 | Fraud Risk | Unlikely
2 | Governance or Reputation Risk | Likely
3 | Natural Hazardous Risk | Unlikely
4 | Regulatory or Governance Risk | Likely
5 | Finance or Forex and Interest Rate Risk | Very likely

Conclusion
As a small bank, some of the risks, especially Risk Nos. 2 and 4, need special attention.

(3) Answers to Multiple Choice Questions


(i) (a)
(ii) (a)
(iii) (c)
(iv) (d)
(v) (a)
(vi) (d)
(vii) (d)
(viii) (b)
(ix) (c)
(x) (c)

Answer to Question No. 2 (A)

To: The Board

From: ABC, Risk Consultant

Date: 6th April 2018

Subject: Risk Management

Our Report on the various issues raised is as follows:

(i) The possible Risks and their nature are as follows:


• Financial risk - These risks are associated with the financial assets, structure and transactions of the
particular industry. In other words, these risks are related specifically to the processes, techniques and
instruments utilised to manage the finances of the enterprise, as well as those processes involved in
sustaining effective financial relationships with customers and third parties.

• Operational Risk - These risks are associated with the on-going, day-to-day operations of the
enterprise. In other words, these risks are associated with the operations of an organization. It is the risk of
loss resulting from failure of people employed in the organization, internal process, systems or external
factors acting upon it to the detriment of the organization. It includes Legal Risk and excludes strategic
and Reputational Risks as they are not quantifiable.
(ii) Scaling of Risk as identified above:
• Measurement of the likelihood of risk
Financial Risk – Likely (score 4)
Operational Risk – Likely (score 4)
• Risk Consequences
Financial Risk – Major
Operational Risk – Major
(iii) Four approaches are suggested to identify and assess the risk as below:
• Analysis of processes – Under this technique, material or significant business processes are flow
charted. This will facilitate identification of process level operational risks. It is an approach that helps
improve the performance of business activities by analysing current processes and making decisions
on new improvements.
• Brainstorming – Under brainstorming, a group of employees put forward their ideas or sensation of
risk. The employees estimate the risk based on their past experience or intuition. It involves a focused
group of managers working together to identify potential risks, concerns, root causes, failure modes,
hazards, opportunities and criteria for decisions and/or options for treatment. Brainstorming should
stimulate and encourage free-flowing conversation amongst a group of knowledgeable and focussed
people with a fair/objective outlook. The group should not be biased or critical. It is one of the best and
most popular ways to identify both risks and key controls and is the basis for most successful risk
workshops.
• Questionnaires & Interviews - Focused on detecting the concerns of staff with respect to the risks or
threats that they perceive in their operating environment. During a Structured interview, interviewees
are asked through a set of prepared questions to encourage the interviewee to present their own
perspective and thus identify risks. Structured interviews are frequently used during consultation with
key stakeholders when designing the risk management framework. Structured interviews are good to
assess risk appetite and tolerance when developing risk appetite statements. A specialist in risk
prepares interviews with various management level members of the company in order to elicit the
concerns.
• Checklists are information aids to reduce the likelihood of failures from potential hazards, risks or
controls that have been developed usually from past experience, either as a result of a previous risk
assessment or as a result of past failures or incidents or history or industry learning. Auditors often
prepare checklists of key controls to aid in their assessment of control effectiveness and the internal
control environment. Checklists are good guiding tools; however, can lead to herd mentality and risk
managers can miss out on fresh risk thinking and the big picture.
Note: Students can also mention any four techniques other than above.

(iv) Suggested course of action to reduce/ manage risk i.e. risk treatment is as follows:
• Strengthening of Internal Controls System

• Setting up limits for the sanction of amounts.
• Setting up operational risk management department.
Note: Students can also mention other course of action based on their work experience.

(v) The Risk Management (Governance) Framework should define a policy statement on the following
matters:-
(i) Determining when to review the Risk Management Framework (RMF) and the frequency for undertaking
the review.
(ii) Deciding who is responsible for the review. The RMF is generally reviewed by the Audit Committee or
a team of Directors. Once in a few years the RMF can be reviewed with external facilitation. This would
provide fresh insights and benchmarking information to the Board.
(iii) Selecting the scope and method for a review. The scope and boundary of the RMF review can be clearly
set out along with the most suited method for review.
(iv) Manner of circulation of results.
(vi) The risk maturity level of the company is “Risk Aware”. The reason is that the risks are identified within
functions and not across processes. Also, risks are not communicated across the enterprise. It is basically a
scattered silo based approach to risk management.
B. Answers to Multiple Choice Questions
1. (b)
2. (d)
3. (d)
4. (b)
5. (c)
6. (c)
7. (c)
8. (c)
9. (a)
10. (c)

Answer to Question No. 3

A. (1) SWOT Analysis of Sunshine Ltd. is as follows:


Strength
– Specialization in the software development for their clients.
– Providing unique solutions to the clients.
– IT professional employed with the company.
– Sound Internal Control system
– A major portion of revenue comes from fixed price projects which allow it the flexibility to determine
the resources it deploys and use software tools to deliver services.
Weakness
– Derives a major portion of its revenues from customers' discretionary spending which is linked to
their business outlook.
– Three-fourth of the revenue is from traditional services.
– Dependence on the people.
Opportunity
– More focus on software led services which coincide with newer areas such as digital and cloud.
Threat
– Restrictive visa policy by USA may affect the work of Sunshine Ltd. and threaten the prospect of
global mobility of people as distributed software development requires free movement of people.
– Appreciation of the rupee against any major currency results in the revenue denominated in that
currency to appear lesser in reported terms.
– Clients cutting their budgets on such services and shifting their focus on newer areas such as
digital and cloud.
(2) The first political risk is toughening of visa policies by present US Government. The new directive rescinds
the previous guidance, which gave "deference" to previously approved visas as long as the key elements
were unchanged and there was no evidence of a material error or fraud related to the prior determination.
This may affect the free movement of IT people from India across USA thereby also affecting the work of
Sunshine Ltd.
Secondly, the exit of Britain from European Union i.e. Brexit only added to the woes of the IT sector. Of the
$108-billion of the IT industry’s estimated exports in 2015-16, 17 per cent was to the UK and about 11.4 per
cent to other nations within the EU. For large Indian IT companies, over a fourth of their revenues come from
Europe, in particular from the UK. This may affect the profitability position of Sunshine because of the
currency fluctuations.
(3) The types of exposures risks to be encountered by Sunshine Ltd. are discussed as below:
Transaction Exposure - It measures the effect of an exchange rate change on outstanding obligations
that existed before exchange rates changed but were settled after the exchange rate changes. Thus, it
deals with cash flows that result from existing contractual obligations. For example, in the case of
Sunshine Ltd. if services are exported to USA for $10,00,000 due in one month and if the dollar
depreciates relative to the rupee, a cash loss occurs. Conversely, if the dollar appreciates relative to the
rupee, a cash gain occurs.
Further, domestic ratings agency ICRA has highlighted that the appreciation in the rupee is aggravating the
troubles of the Indian IT sector, which is already hit by a change in the market landscape and compressing
revenue growth.
Economic Exposure – It refers to the extent to which the economic value of a company can decline
due to changes in exchange rate. ICRA has said that despite an 8.1 per cent growth in USD revenue, IT
players have registered a growth of only three per cent in the second quarter of the current fiscal, due to the
rupee appreciation of four per cent during the quarter.

It also pointed out that IT Services players' profitability also remains sensitive to rupee depreciation vis-a-vis
major currencies such as USD, GBP and Euro and the same too will have an impact.
(4) The company can tackle the exposure of difference in exchange rates when sale took place and when invoice is
collected through hedging currency risks, the techniques for which are explained as below:
(i) Internal Techniques: These techniques explicitly do not involve transaction costs and can be used
to completely or partially offset the exposure. The techniques relevant to Sunshine Ltd. can be
further classified as follows:
– Invoicing in Domestic Currency : Should the seller (exporter) i.e. Sunshine Ltd. elect to
invoice in foreign currency, perhaps because the prospective customer prefers it that way or
because sellers tend to follow market leader, then the seller should choose only a major
currency in which there is an active forward market for maturities at least as long as the
payment period. Currencies, which are of limited convertibility, chronically weak, or with only
a limited forward market, should not be considered.
– The seller’s ideal currency is either his own, or one which is stable relative to it. But often the
seller is forced to choose the market leader’s currency. Whatever the chosen currency, it
should certainly be one with a deep forward market.
– Price Variation: Price variation involves increasing selling prices to counter the adverse
effects of exchange rate change. This tactic raises the question as to why the company has
not already raised prices if it is able to do so. In some countries, price increases are the only
legally available tactic of exposure management.
– Asset and Liability Management : This technique can be used to manage cash flow
exposures. In essence, asset and liability management can involve aggressive or defensive
postures. In the aggressive attitude, the firm simply increases exposed cash inflows
denominated in currencies expected to be strong or increases exposed cash outflows
denominated in weak currencies. By contrast, the defensive approach involves matching cash
inflows and outflows according to their currency of denomination, irrespective of whether they
are in strong or weak currencies.
(ii) External Techniques: Under this category range of various financial products are used which can
be categorized as follows:
– Money Market Hedging: At its simplest, a money market hedge is an agreement to exchange
a certain amount of one currency for a fixed amount of another currency, at a particular date.
For example, suppose a business owner in India expects to receive 1 Million USD in six
months. This Owner could create an agreement now (today) to exchange 1 Million USD for
INR at roughly the current exchange rate. Thus, if the USD dropped in value by the time the
business owner got the payment, he would still be able to exchange the payment for the
original quantity of U.S. dollars specified.
– Derivative Instruments: A variety of derivative instruments such as Forward, Futures,
Options and Swap are available to hedge the exposure of foreign exchange.
(5) The Internal Financial Control System of the Sunshine Ltd. is more or less efficient. The reasons are
given as below:
• Recording and providing reliable financial and operation information.
• Safeguarding assets.
• Ensuring compliance with corporate policies.
• Well defined delegation of power.

• Efficient ERP system.
• Internal audit by one of the big audit firms.
• Periodic audit by specialized third party consultants.
And, finally Audit Committee found internal financial control adequate which shows that Sunshine Ltd. has a
good Internal Financial Control System.
B. Answers to Multiple Choice Questions
1. (a)
2. (a)
3. (c)
4. (a)
5. (d)
6. (c)
7. (d)
8. (c)
9. (c)
10. (c)

March-18 Mock Test Paper Query Sheet
(same as 3 case studies Web-Hosted by ICAI)

CASE STUDY-1

1. The question looks easy at first, but it is not so. How can we answer the impact and
measures part?

Yes, it is a bit tricky and time taking.

These parts of the answers need to be based on a thoughtful insight into your experience and overall
knowledge and understanding of the subject. Some are related to the SFM (FOREX and Interest
Rate Risk Management) and Audit subjects while some can be found in Chapter-1,7 and 9 of the
RM ICAI SM. Also, page 282 of the Complete Guidance Module by CA Shivam Palan can also be
used to frame the answers.

2. The answers are based on conceptual knowledge related to the matter given on page 2.25 and
9.14 of ICAI SM.

(similar to Descriptive Question of Case study-1 Web hosted by ICAI)

3. Multiple choice questions:


(i) Direct answer from page no. 9.05 of ICAI SM.
(ii) Direct answer from page no. 3.04 of ICAI SM.
(iii) Direct answer from page no. 2.05 of ICAI SM.
(iv) Direct answer from page no. 3.11 of ICAI SM.
(v) Direct answer from old chapter 4 of ICAI SM.
(vi) Direct answer from page no. 8.07 of ICAI SM.
(vii) Direct answer from page no. 2.03 of ICAI SM.
(viii) Direct answer from page no. 9.01 of ICAI SM.
(ix) Direct answer from page no. 6.35+6.36 of ICAI SM.
(x) Question should include the word “not”; Rest the answer is correct. Direct answer from
page no. 5.07 of ICAI SM.

Case Study-2 and 3 are the same as CS-2 and CS-3 Web hosted by ICAI.

SUGGESTED ANSWERS TO QUESTIONS
FINAL EXAMINATION – GROUP II
(UNDER REVISED SCHEME OF EDUCATION AND TRAINING)

MAY, 2018

PAPER 6A : RISK MANAGEMENT

BOARD OF STUDIES
THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA
(Set up by an Act of Parliament)

The Suggested Answers published in this volume do not constitute the basis for evaluation of
the students’ answers in the examination. The answers are prepared by the Faculty of the
Board of Studies with a view to assist the students in their education. While due care is taken
in preparation of the answers, if any errors or omissions are noticed, the same may be brought
to the attention of the Director of Studies. The Council of the Institute is not in any way
responsible for the correctness or otherwise of the answers published herein.

THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or
transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or
otherwise, without prior permission, in writing, from the publisher.

Edition : September, 2018

Website : www.icai.org

Department/Committee : Board of Studies

E-mail : [email protected]

ISBN No. :

Price :

Published by : The Publication Department on behalf of The Institute of
Chartered Accountants of India, ICAI Bhawan, Post Box
No. 7100, Indraprastha Marg, New Delhi- 110 002, India
Typeset and designed at Board of Studies.

Printed by :

DISCLAIMER

These Suggested Answers do not constitute the basis for evaluation of the
student’s answers in the examination. The answers are prepared by the
Faculty of the Board of Studies with a view to assist the students in their
education. While due care is taken in preparation of the answers, if any
error or omission is noticed, the same may be brought to the attention of the
Director of Board of Studies. The Council of the Institute is not in any way
responsible for the correctness or otherwise of the answers published
herein.

Further, in the Elective Papers which are Case Study based, the solutions
have been worked out on the basis of certain assumptions/views derived
from the facts given in the question or language used in the question. It may
be possible to work out the solution to the case studies in a different manner
based on the assumptions made or views taken.

2 FINAL (NEW) EXAMINATION: MAY 2018

PAPER-6A – RISK MANAGEMENT

The Question Paper comprises three case study questions. The candidates are required to answer
any two case study questions out of three.

Answers to Multi Choice Questions should be indicated clearly, by writing the option chosen (i.e. A
or B or C or D) in capital letters along with reasoning for your choice.

In case, any candidate answers extra question(s)/ sub-question(s) over and above the required
number, then only the requisite number of questions first answered in the answer book shall be
valued and subsequent extra question (s) answered shall be ignored.

Wherever necessary, suitable assumption may be made and disclosed by way of a note.

Working notes should form part of the respective answers.

QUESTION NUMBER - I
(1) ABCD Ltd. is a diversified business group. The consolidated Balance Sheet, Statement of
Profit & Loss and Cash Flow Statement of ABCD Ltd. prepared in analytical format are
given below:
Customer Name : ABCD LTD INR (₹) Thousand
31-Mar-16 31-Mar-17
12 months 12 months
Balance Sheet
CORE ASSETS
Land and Buildings 249,572 249,594
Construction in Progress 2,744 7,592
Plant and Machinery 189,892 194,166
Furniture and Fixtures 72,952 71,580
Vehicles 14,339 11,788
Less: Accumulated Depreciation - 307,198 - 320,054
TOTAL FIXED ASSETS 222,301 214,666
Stock 309,806 272,547
Trade Debtors 366,246 308,547
Finance Lease Receivables (Current) 18,728 28,702
Other Debtors 27,988 28,357
Cash and Near Liquid Funds 31,873 31,623


Prepayments 8,787 9,763


Less: Trade Creditors -217,121 -230,476
: Other Creditors -153,728 -126,892
Less: Dues to Related Companies -12,299 -16,923
: Taxation -12,189 -8,617
OPERATING CAPITAL EMPLOYED 590,392 511,297
NON-CORE/NON-CURRENT ASSETS
Long Term Lease Receivable 8,848 10,718
Investments in Subsidiaries/Associates 55,226 55,734
Dues from Related Companies 7,547 4,386
TOTAL NON-CORE/NON CURRENT ASSETS 71,621 70,838
OVERALL CAPITAL EMPLOYED 662,013 582,135
CAPITAL STRUCTURE
Ordinary Share capital 20,000 20,000
Profit and Loss Account 98,278 61,549
Other Reserves 35,080 36,303
Contribution from shareholders 202,248 202,248
Less: Intangibles -12,112 -9,620
TANGIBLE NETWORTH 343,494 310,480
Minorities 53,422 62,929
Provisions/Other Long Term Liabilities 61,790 56,445
TOTAL 115,212 119,374
EXTERNAL FINANCE
Bank O/D and Short Term Loans 203,307 152,281
Overall Capital Employed 662,013 582,135
Contingent Liabilities 101,000 131,977
Capital Commitments 52,500 50,000
PROFIT AND LOSS ACCOUNT
Sales 1,446,791 1,469,762
Less: Cost of Goods Sold -1,117,664 -1,132,857
GROSS PROFIT 329,127 336,905
Less: Distribution and Selling costs 156,049 160,370
Administration Costs -114,623 -106,887


OPERATING PROFIT 58,455 69,648


Share of Profit of Associate Companies 2,030 10,059
Other Income 24,819 13,703
PROFIT BEFORE INTEREST AND TAX 85,304 93,410
Less: Interest Expense -7,619 -4,777
PROFIT BEFORE TAX 77,685 88,633
Less: Taxation Charge -6,500 -6,500
PROFIT AFTER TAX 71,185 82,133
Minorities -11,976 -16,583
PROFIT AVAILABLE FOR APPROPRIATION 59,209 65,550
RECONCILIATION OF RETAINED PROFITS / (LOSSES)
Profit Available for Appropriation 59,209 65,550
Less: Dividends Paid and Proposed -100,000 -101,056
Adjustment / Transfer (to) / from Reserves -705 -1,223
RETAINED PROFIT FOR THE YEAR -41,496 -36,729
Profit and Loss B/Forward 139,774 98,278
TOTAL REVENUE RESERVES 98,278 61,549
CASH FLOW
OPERATING CASH FLOW
Operating Profit 58,455 69,648
Depreciation/Amortization Charges 29,421 32,767
ADJUSTED CASH FLOW FROM OPERATIONS 87,876 102,415
WORKING CAPITAL MOVEMENT
(Increase)/Decrease in Stock -34,692 37,259
(Increase)/Decrease in Debtors 9,421 -7,214
(Increase)/Decrease in Creditors 28,665 -8,723
Other Net Working Cap Movement 0 0
NET CASH FLOW FROM OPERATIONS 91,270 123,737
Less: Taxation Paid -1,660 -10,072
Less: Interest Paid -9,652 -4,688
NET FREE CASH FLOW FROM OPERATIONS 79,958 108,977
Less: Dividend paid -105,361 -58,087


Less: Other Cash Outflow -5,923 -8,378


NET CASH FLOW BEFORE INVESTMENT GROUP AND FINANCE -31,326 42,512
CASH FLOW FROM INVESTMENT AND GROUP
Net Cash from Fixed Assets -21,747 -25,562
Net Cash from Investment 14,746 13,995
Net Intra-Group Funds Flow 0 0
Others 30,059 19,236
NET CASH FLOW BEFORE EQUITY AND FINANCE ACTIVITIES -8,268 50,181
CASH FLOW FROM EQUITY AND FINANCE ACTIVITIES
Increase/(Decrease) in Equity 0 0
Increase/(Decrease) in Short Term Debt 5,766 -51,026
Increase/(Decrease) in Long Term Debt 0 0
Other 873 595
NET CASH FLOW FROM EQUITY AND FINANCE ACTIVITIES 6,639 -50,431
Increase/(decrease) Cash and Near Liquid Funds 1,629 250
TOTAL 8,268 50,181
Additional Information [All amounts in ₹ 000s] :
Turnover comprises: Equipment and Automotive: 28680, Consumer Products: 71400,
Industrial Products: 29800 and Office Equipment: 17100.
Largest inventory item was trading inventory and finished goods, which towards
2017-end, decreased to 19100 (22200 as at 31st March, 2016).
Shareholders had purchased long outstanding government receivables, amounting to 4900
of a group company to improve its cash flows. Unused bank facilities as at
31st March, 2017 were 16800.
Sales growth of year 2017 is almost in line with the previous years. Trading inventory and
finished goods as at 31st March, 2017 was 19100 (22200 as at 31st March, 2016).
Based on the calculation of major financial ratios, prepare a brief analytical report deriving
the financial risk involved. You can use various areas covering performance, profitability,
working capital management, liquidity and cash flows, capital structure, etc.


Your answer should be supported with relevant workings.


[Financial Ratios: 5 marks; Analytical report for each area: 4 marks each, other areas: 5
marks] [Total: 5 + (5 x 4) + 5 = 30 Marks]
Multiple Choice Questions: Briefly explain the reasoning for your choice which is
mandatory. Answer all of the following (2) to (21) - Each MCQ carries one mark.
(1 x 20 = 20 Marks)
(2) While uncertainty means the existence of more than one possibility, risk is a state of
uncertainty where some of the possibilities may involve an undesirable outcome. Which
one of the following statements correctly describes the above statement?
(A) One may have uncertainty without risk but risk without certainty.
(B) One may have uncertainty without risk but risk without uncertainty.
(C) One may have uncertainty without risk but not risk without certainty.
(D) One may have uncertainty without risk but not risk without uncertainty.
(3) In respect of an organization, Reputation risk means
(A) Risk of possible financial loss to the organization.
(B) Risk of a failure which may lead to violation of the regulatory requirements that the
organization is supposed to comply with.
(C) Risk of the organization's reputation in public view which is a key concern in engaged
media and social media.
(D) None of the above.
(4) The Probability is that Event A occurs, given that Event B has occurred. The conditional
probability of Event A, given Event B, is denoted by:
(A) P(A|B)
(B) P(B|A)
(C) P(A)+ P(B)
(D) None of the above.
(5) If the risk manager concludes that a company's strategy is less effective in the market,
then the company is said to face strategic risks. All of the following would be factor for such
strategic risk, EXCEPT
(A) Shifts in customer demand
(B) Increase in interest rates
(C) A global entity entering the market
(D) Technological changes


(6) Which one is an external factor in respect of risks for an insurance company?
(A) Financial position
(B) Machine failure
(C) Staff Morale
(D) Earthquake
(7) If Risk rating is 5, then the risk is called
(A) Severe
(B) High
(C) Moderate
(D) Low
(8) If Corr (X, Y) = -1, then X and Y have
(A) Perfect positive correlation
(B) No correlation
(C) Perfect negative correlation
(D) None of the above.
(9) Which of the following statements is NOT true with respect to Risk Management?
(A) Risk management is as much about identifying opportunities as avoiding or mitigating
losses.
(B) Risk management can be described as 'coordinated activities to direct and control an
organization'
(C) Risk management is an essential business activity for enterprises of all sizes.
(D) Risk management is recognized as an integral component of good management and
governance.
(10) Code of conduct for employees would most likely be contained in which type of Operational
Risk Management Policy?
(A) Departmental Policies
(B) High-Level Policies
(C) Human Resource Policies
(D) Operational Policies
(11) In respect of an enterprise, Knowledge risks are associated with
(A) Management and protection of knowledge and information within the enterprise.
(B) Primary long-term purpose, objectives and direction of the business


(C) On-going day to day operations


(D) None of the above
(12) OECD has developed set of principles for better corporate governance. The principle of
Disclosures and Transparency would NOT include :
(A) Overseeing the process of disclosure and communications
(B) Foreseeable risk factors
(C) The financial and operating results of the company
(D) Company Objectives and non-financial information
(13) RAROC is
(A) Return on capital adjusted for inflation.
(B) Risk-based profitability measurement framework.
(C) Return on gilts
(D) None of the above
(14) In respect of an exposure, Loss Given Default [LGD] refers to
(A) The actual amount of loss
(B) The amount that is exposed to the default risk
(C) The loss likely to be suffered in the event of a default occurring in the exposure.
(D) None of the above
(15) Gini coefficient is
(A) One of the most popular index to gauge the rich-n-poor income-that is to measure
inequality in income distribution.
(B) An index to measure the level of corruption perception.
(C) An index to measure the level of crimes, violence and military expenditure.
(D) None of the above
(16) Enterprise risk governance framework would NOT normally include
(A) Risk Limits
(B) Risk Management Procedures
(C) Risk Appetite Framework
(D) Risk Appetite Statement


(17) Which of the following would NOT be included as a principle in determining the risk appetite
of the company?
(A) Risk appetite is not a single, fixed concept.
(B) Risk appetite can be complex.
(C) Risk appetite needs to be measurable.
(D) Risk appetite is about identifying opportunities.
(18) The risk manager would like to know the risk that refers to ineffective and unethical
management of a company by its executives and managerial levels. The risk is known as :
(A) Staffing Risk
(B) Management Risk
(C) Strategic Risk
(D) Governance Risk
(19) Which one of the following that a company would LEAST likely choose as a common risk
management objective when framing the risk management approach?
(A) Enhance the level of risk maturity
(B) Allocate capital more efficiently
(C) Build safeguards against earnings-related surprises
(D) Achieve a better understanding of risk for competitive advantage
(20) The risk manager, in his approach, chose a method for structuring a group communication
process so that the process is effective in allowing a group of individuals as a whole to
deal with a complex problem. This method is BEST known as:
(A) Scoring
(B) Delphi Technique
(C) Judgement and intuition
(D) Simulation.
(21) As per the Standards on Auditing issued by the ICAI, a risk resulting from significant
conditions, events, circumstances, actions or inactions that could adversely affect an
entity's ability to achieve its objectives and execute its strategies, or from the setting of
inappropriate objectives and strategies is BEST known as :
(A) Significant Risk
(B) Business Risk
(C) Inherent Risk
(D) Control Risk. (1 x 20 = 20 Marks)


Answer

(1) Working Notes:


(a) Profitability Ratios
(i) Gross Profit Ratio = (Gross Profit / Sales) × 100
31.03.2016: (3,29,127 / 14,46,791) × 100 = 22.75%
31.03.2017: (3,36,905 / 14,69,762) × 100 = 22.92%
(ii) Net Profit Ratio = (Net Profit / Sales) × 100
31.03.2016: (85,304 / 14,46,791) × 100 = 5.896%
31.03.2017: (93,410 / 14,69,762) × 100 = 6.355%
(iii) Return on Capital Employed = (Operating Profit / Capital Employed) × 100
31.03.2016: (58,455 / 5,90,392) × 100 = 9.90%
31.03.2017: (69,648 / 5,11,297) × 100 = 13.62%
(b) Performance Ratios
(i) Inventory Turnover Ratio = Cost of Goods Sold / Closing Inventory
31.03.2016: 1,117,664 / 22,200 = 50.34 times
31.03.2017: 1,132,857 / 19,100 = 59.31 times
(ii) Debtor Turnover Ratio = Sales / Closing Debtors
31.03.2016: 14,46,791 / 3,66,246 = 3.95 times
31.03.2017: 14,69,762 / 3,08,547 = 4.76 times
(c) Liquidity Ratios
(i) Current Ratio = Current Assets / Current Liabilities
31.03.2016: 763,428 / 395,337 = 1.93 : 1
31.03.2017: 679,539 / 382,908 = 1.77 : 1
(ii) Liquid Ratio = Liquid Assets / Current Liabilities
31.03.2016: 4,53,622 / 3,95,337 = 1.147 : 1
31.03.2017: 4,06,992 / 3,82,908 = 1.063 : 1
(d) Capital Structure Ratio
Debt Equity Ratio = Debt / Equity
31.03.2016: 61,790 / 343,494 = 0.180
31.03.2017: 56,445 / 310,480 = 0.182
Analytical Report
To: The Management
From: Chief Risk Officer
Date: 12 May 2018
Subject: Analytical Report on Financial Risks Involved
Introduction
This analytical report covers
(i) Performance, Profitability, Working Capital Management, Liquidity and Capital Structure
etc.
(ii) Other areas


(i) Performance, Profitability, Working Capital Management, Liquidity and Capital
Structure etc.
Performance: The performance of the company improved in the year ending
31.03.2017, as the Inventory Turnover and Debtors Turnover Ratios improved.
Profitability: As far as the profitability of the company is concerned, there is no improvement
in the Gross Profit Ratio, which is almost the same. There is, however, some improvement in the Net
Profit Ratio and Return on Capital Employed, due to the following reasons:
• Control on Administration Costs
• Decrease in Short Term Debt leading to a reduction in interest cost.
Working Capital Management: On this front the company is performing well, as it is
reducing the investment in stock or inventory. However, it appears that the company is not
using the available credit facilities from the supplier by paying off the old payables.
Liquidity: From the Current Ratio and Liquid Ratio it appears that the company enjoys a
comfortable liquidity situation.
Capital Structure: The Debt Equity Ratio of the company is very low, indicating that the
company is too conservative in using a cheap source of finance.
(ii) Investment by companies in Government Securities indicates that the company is too risk
averse and has left credit facilities unutilized.
Conclusion: Presently the company is not facing any major risk.
(2) (D) The measure of uncertainty refers only to the probabilities assigned to outcomes,
while the measure of risk requires both probabilities for outcomes and losses
quantified for outcomes.
(3) (C) Any event which affects the name or brand image of the entity is Reputational Risk.
(4) (A) The rule of Conditional Probability is: The probability that Event A occurs, given that
Event B has occurred. The conditional probability of Event A, given Event B, is
denoted by the symbol P (A|B).
(5) (B) Increase in interest rate will come under interest rate risk.
(6) (D) Earthquake is an external factor that cannot be controlled.
(7) (C) As per the risk rating table, risk rating between 4-8 will be called Moderate Risk.
(8) (C) According to the properties of Correlation Coefficient, if Corr(X, Y) = -1, then the
variables seems to have perfect negative correlation. The movement in one variable
results in exact opposite movement in the other variables.
(9) (B) The correct sentence is risk management is defined as “coordinated activities to direct
and control an organization with regard to risk”.


(10) (B) or (C) Code of Conduct for employees would most likely be contained in High Level
Policies of Operational Risk Management Policy. They may also be contained in the
human resource policies.
(11) (A) As per ICAI’s Standard of Internal Audit, Knowledge Risks are associated with the
management and protection of knowledge and information within the enterprise.
(12) (A) The process of disclosure and communications is the responsibility of the Board.
(13) (B) Risk-adjusted return on capital (RAROC) is a risk-based profitability measurement
framework for analysing risk-adjusted financial performance and providing a
consistent view of profitability across businesses.
(14) (C) Loss Given Default refers to the loss likely to be suffered in the event of a default
occurring in an exposure. It takes into account the amount of recoveries likely to be
made post default.
(15) (A) The other two indexes are Corruption Perception Index and Global Peace Index.
(16) (B) Enterprise risk governance framework would not normally include Risk Management
Procedures.
(17) (D) Determination of Risk Appetite starts after identifying opportunities.
(18) (D) Governance relates to in-effective and un-ethical management of a company by its
executives.
(19) (A) Some common risk management objectives chosen by companies to frame their risk
management approach do not include the option “enhance the level of risk maturity”
(20) (B) The Delphi technique is defined as: 'a method for structuring a group communication
process so that the process is effective in allowing a group of individuals as a whole
to deal with a complex problem'.
(21) (B) Other risks are indirectly related to entity’s ability to achieve its objectives and execute
its objectives.
QUESTION NUMBER - II
About the Company
XYZ Limited is a public limited company incorporated in the year 2003. It has the registered
head office in Bhubaneswar, Odisha. The Company has iron ore mines situated in five places
in the State. The main business of the Company is extraction and sale of iron ore to many iron
and steel industries both inside and outside states.
The Company has decided to diversify its business in trading of shares. Also, the Company is
considering the possibility of setting up a Non-Banking Finance Company. For these purposes,
the Company is in the process of doing feasibility studies.


Risk Manager
The Company has approached you, being a senior Risk Manager to look into the proposals. The role
performed by you would include:
• To gather regular risk management related information from external and internal sources.
• Identify the problems and provide possible solutions to the various issues arising in the risk
management.
• To effectively manage specific risk circumstances.
• To monitor the risk of anti-money laundering (AML).
• To monitor the investment portfolio and to analyse the unfavourable movements.
• Advise and make recommendations to the management in the matters of identifying the risks
and quantifying the same.
• Help the management in designing and implementing various risk management strategies and
their related processes in the banking & investment portfolio and to suggest improvements.
• Get updated with the advances happening in the relevant software technology.
• Have a detailed understanding and knowledge of the credit, operational and market risks of the
portfolio and also the software tools used to assess them.
• Understand and reduce the exposures in financial risks by using strategies such as hedging,
credit default swap, insurance etc.
• Proactively analyse the market trends for finding out opportunities in expanding the portfolio.
• Adhere to various laws, procedures relating to the financial operations.
• Gather various information relating to the operations of NBFC in India including credit risk
management and the underlying Guidelines of RBI with respect to capital adequacy norms,
provisioning etc.
Required by the Risk Manager
In order to have a better understanding of the risk factors involved thereon, the Risk Manager
needs a better understanding on the following issues:
(i) The purchase order for a script would be authorised by a manager. The risk manager is
bothered about authorising the order for a wrong script, instead of the intended one by the
manager. Thus, he is interested to learn the controls placed and if any weakness is found
he wants to strengthen the same.
(ii) A machine learning program dynamically responds to change in data / situation by
changing the rules that govern the behavior and the algorithm "learns" from new data inputs
and gets better over time. The risk manager tries to explore the possibility of employing a
new software towards the same.


(iii) Calculation or measuring the loss in the value of the portfolio in a given period of time for
a distribution of historical returns.
(iv) The risk manager is interested to find out as to how the portfolio would fare during the
period of a financial crisis. He is also interested to build the stress testing capabilities and
to explore the ways of using them to meet the broader risk management and business
objectives.
(v) The rules and regulations existing in a foreign country and also the risk factors involved
with reference to the investment climate of that country that are to be considered before
buying shares of a foreign company.
(vi) While applying for a bank loan for the expansion of the portfolio, the parameters of credit
risk that the bank might consider and also the credit scoring model that might be applied
by the bank, while approving such loan to the company. The Company would be offering
some of its immovable properties as collateral to the proposed loan with the bank.
(vii) The certainty equivalence is a guaranteed return that the management would accept rather
than accepting a higher but uncertain return. The risk manager would like to explore the
possibility of "certainty equivalent” technique.
(viii) Effectively employing big data analytics in analysis of various transactions to study the
patterns of investments and also the possibility of using block-chain technology in ensuring
the veracity of the transactions.
You are appointed as a risk management consultant and you are expected to give your valuable
inputs by answering the following.
(a) Multiple Choice Questions:
Answer all of the following – Each MCQ carries one mark (1 x 20 = 20 Marks)
Choose the most appropriate answer from the answer options, and give brief reasoning
for your choice.
(i) The Risk Manager is trying to quantify the level of financial risk in the portfolio using
VaR. Which of the following VaR methods draws a sample from the dataset and
records its VaR ?
(A) Historical Simulation
(B) Delta-Normal Methods
(C) Monte Carlo Simulation
(D) Bootstrap Simulation
(ii) A measure of an investment's excess return, above the risk-free return, per unit of
standard deviation is known as
(A) Beta
(B) Jensen Index


(C) Sharpe Ratio


(D) R Squared
(iii) Which one of the following statements is NOT true with respect to correlation
coefficient properties?
(A) It does not have any units.
(B) Correlation Coefficient value ranges from -1 to +1.
(C) It is a measurement of deviation from the mean for one variable.
(D) It measures the strength of linear relationship between two random variables.
(iv) The Manager is considering to employ VaR to quantify the level of financial risk.
Which one of the following is NOT a limitation of VaR ?
(A) not sub-additive
(B) uninformative of tail losses
(C) can encourage diversification
(D) can create perverse incentives structures
(v) As per BIS capital adequacy rules, banks should operate with a holding period of
(A) one week (or 5 business days)
(B) one week (or 7 days)
(C) two weeks (or 10 business days)
(D) two weeks (or 14 days)
(vi) Real-time risk is defined as the probability of instantaneous or near- instantaneous
loss, and can be due to flash crashes, other market crises, malicious activity by
selected market participants and other events. Which of the following would CHIEFLY
be the cause of such a risk in a financial market?
(A) Deployment of poorly tested algorithm
(B) A malicious activity done by a hacker on a computer belonging to a financial
services company.
(C) Information timing and source risk
(D) Risk of ineffective current market study on financial markets
(vii) While analysing the credit risk, which one of the following internal factors would NOT
be considered by the bank as a credit risk in its transactions?
(A) Ignoring the purpose for which loan was sought by the customer.
(B) Concentration of credit in particular geographical locations or business segments.


(C) Fluctuation in Interest Rates.


(D) Excessive lending to particular industry is subject to cyclical fluctuations.
(viii) The Manager came across "Expropriation Risk", while analysing various risk
scenarios. It refers to :
(A) Unanticipated increase of tax rates applicable for MNCs in the host country
(B) Business of MNCs taken over by host country without or with inadequate
compensation
(C) Prevention of repatriation of earnings of MNCs to their countries
(D) High level of red tapism and corruption in host country
(ix) Risk measures are expected to correctly reflect diversification effects and facilitate
effective decision making. This is achieved in
(A) Stress testing measures
(B) Coherent risk measures
(C) Full revaluation methods
(D) VaR conversion methods
(x) In the context of credit risk for banking business, the trade-off between risk and return
does NOT involve taking the following decision :
(A) Placing of credit cap or limit for each customer
(B) Acceptance or rejection of customer's request
(C) How much compensation should be added while pricing the product.
(D) How much credit risk should be accepted in return of decrease in business.
(xi) According to RBI guidelines issued with respect to CDS, the credit events specified
in the CDS contract may NOT cover
(A) Obligation deceleration
(B) Repudiation/moratorium
(C) Bankruptcy
(D) Failure to pay
(xii) The Manager is looking for a long-term secure technology to help in settlement of
contracts which ensures proper validation. Which of the following would you suggest
him to implement?
(A) Big Data Technology
(B) An ERP with built-in validation rules and Access Control Technologies


(C) Artificial Intelligence


(D) Distributed Ledger Technology
(xiii) The manager has decided to employ stress testing. Recently, it has gained the
attention of the senior management of the company CHIEFLY because of
(A) governance requirements demanded by regulators
(B) measuring and monitoring usage of risk limits
(C) transaction level pricing and decision support
(D) communication of risk exposure across the organisation
(xiv) Co-variance is
(A) the square root of Variance.
(B) the weighted average of possible values.
(C) basically the deviation from the mean.
(D) the relationship between deviations of two variables.
(xv) Which one of the following is NOT a way to calculate the credit risk component as
prescribed by Basel II ?
(A) Credit Risk Mitigation
(B) Control Risk Mitigation
(C) Standardised Approach
(D) Internal Rating based approach
(xvi) The manager likes to place more importance on recent observations and provide
geometrically declining weights on past observations. For this purpose, he WOULD
most likely use
(A) Loss Given Default model
(B) Exponentially Weighted Moving Averages model
(C) Altman Z Score model
(D) Generalized Autoregressive Conditional Heteroskedastic model
(xvii) Credit scoring models are mainly used by the credit rating agency to determine the
credit worthiness of an individual. Which of the following is NOT a credit scoring model?
(A) FAKO credit score
(B) MICRO Score
(C) PLUS Score
(D) FICO Score


(xviii) Which method under a machine learning program would MOST primarily deal with
variables that are quantitative in nature?
(A) Regression methods
(B) Bayesian methods
(C) Analytical methods
(D) Inferential methods
(xix) In the context of credit risk management techniques, conditions imposed by the lender
on the borrower that certain activities will or will not be carried out and which can be
affirmative or negative in nature are called
(A) Letter of Credit
(B) Due Diligence
(C) Well defined credit approval matrix
(D) Covenants
(xx) The banks while considering the proposal for a wholesale credit, the detailed
appraisal would NOT include
(A) Risk identification, risk allocation and risk mitigation
(B) Covenants/conditions to be stipulated
(C) Internal credit rating model
(D) Nature of Security and its enforceability
(b) Descriptive Questions
(i) There is a 30% probability of increase in a particular share price on Monday. If that
share price increased on Monday, there is a 20% probability that it will increase on
Tuesday. If the price did not increase on Monday, there is a 70% probability that it
will increase on Tuesday.
Using Bayes' Theorem, calculate the probability of increase in that share price on
Monday, if the price increased on Tuesday. Give your workings. (4 Marks)
(ii) Briefly explain how big data analytics helps to improve the existing processes in
Anti-Money Laundering operations. (4 Marks)
(iii) Calculate the compounded Geometric Mean rate of return for the previous two-year
period. The stock had a return for the three years as follows:
Year      2016    2017    2018
Return    8%      -5%     15%
(2 Marks)

20 FINAL (NEW) EXAMINATION: MAY 2018

(c) (i) The risk manager would like to have your opinion in deciding between VaR and
Expected Shortfall method as a risk measure. Give your advice explaining the
reasons thereof. (3 Marks)
(ii) What are the advantages of Monte Carlo Simulation? (3 Marks)
(iii) If investment proposal is ₹ 50,00,000/- and risk-free rate is 6% p.a., calculate Net
Present Value under certainty equivalent technique, given the following information:
Year    Expected Cash Flow (in ₹)    Certainty Equivalent Coefficient
1       12,00,000                    0.87
2       14,00,000                    0.84
3       18,00,000                    0.93
4       27,00,000                    0.82
(4 Marks)

(d) (i) The Manager is looking at the viability of Credit Default Swap contracts. He learnt
that it has similarities with credit insurance. Discuss the differences between CDS
and credit insurance. (6 Marks)
(ii) In the present days, banks face a lot of problems in collections from customers
resulting in increase of NPAs. Hence the banks make attempts to mitigate the risks
of lending to unworthy borrowers by reviewing their five C's of Credit. Briefly explain
them. (4 Marks)
Answer
(a) Multiple Choice Questions (MCQs)
(i) (D) The Bootstrap Simulation is an extension of historical simulation. It draws a
sample from the dataset and records its VaR.
(ii) (C) Sharpe Ratio is a measure of an investment’s excess return, above the
risk-free return, per unit of standard deviation.
(iii) (C) Option A, B and D are the properties of correlation coefficient, while C is a
distractor.
(iv) (C) One of the limitations of VaR is that it can discourage diversification.
(v) (C) As per Capital Adequacy Rules, banks should operate with a holding period of
two weeks.
(vi) (A) or (B) In the well cited example of real-time risk in the US market, where millions
of dollars were lost in a matter of just 30 minutes, the chief reason was a poorly-
tested algorithm. Further, as mentioned in the question itself, malicious activity
done by a hacker on a computer belonging to a financial services company
would also be a cause of real-time risk.
(vii) (C) Options A, B and D are internal factors affecting the credit risk of a bank, while
Option C i.e. fluctuation in interest rate is an external factor.
(viii) (B) “Expropriation Risk” refers to business of MNCs taken over by host country
without or with inadequate compensation.
(ix) (B) We want risk measures to correctly reflect diversification effects and should
facilitate effective decision making. The answer to this will be found in the theory
of coherent risk measures.
(x) (D) The trade-off between risk and return in the context of Credit Risk calls for
decision “How much Credit Risk should be accepted in return from increase in
sale or business in case of banking?”
(xi) (A) Obligation acceleration is one of the credit events specified in the CDS and not
“Obligation deceleration”.
(xii) (B) An ERP with built in validation rules and Access Control Technologies, if
implemented, will help in settlement of contracts which ensures proper
validation.
(xiii) (B) Stress testing has gained the attention of the senior management chiefly
because of measuring and monitoring usage of risk limits.
(xiv) (D) Covariance is the relationship between deviations of two variables.
(xv) (B) Option A, C and D are prescribed by Basel II, while Option B is a distractor.
(xvi) (B) The Exponentially Weighted Moving Averages (EWMA) model places more
importance on recent observations and provides geometrically declining weights
on past observations.
(xvii) (B) Options A, C and D are credit scoring models, while option B is a distractor.
(Experian’s National Equivalency Score (ENES) is also called FAKO credit.)
(xviii)(A) Machine Learning Methods can also be categorized on the basis of the nature
of the variables handled. Regression methods primarily deal with variables that
are quantitative in nature.
(xix) (D) In the context of credit risk management techniques, conditions imposed by the
lender on the borrower that certain activities will or will not be carried out and
which can be affirmative or negative in nature are called Covenants.
(xx) (C) For wholesale credits, the detailed appraisal would inter alia cover Options A,
B and D. Option C is a distractor.
(b) Descriptive Questions
(i) Bayes Theorem shows how a conditional probability of the form P (B|A) may be
combined with the initial probability P(A) to obtain the final probability P(A|B):

$$P(A \mid B) = \frac{P(B \mid A) \times P(A)}{P(B)} = \frac{P(B \mid A) \times P(A)}{P(B \mid A) \times P(A) + P(B \mid A') \times P(A')}$$
Accordingly let us assume
Prob. of increasing price on Monday = A
Prob. of increasing price on Tuesday = B
$$P[\text{Increase on Monday if price increased on Tuesday}] = \frac{0.20 \times 0.30}{0.30 \times 0.20 + 0.70 \times 0.70} = \frac{0.06}{0.55} = 0.1091 \text{ or } 10.91\%$$
(ii) The high cost of money laundering cases has prompted banks to seek new ways to
address the severe limitations in current anti-money laundering risk management.
Traditional approaches to anti-money laundering remain dependent on rule-based,
descriptive analytics to process structured data. This system clearly has limitations:
without automated algorithms, detecting information within the wealth of data requires
laborious keyword searches and manual sifting through reports.
Big Data analytics can improve the existing processes in AML operations. Its
approaches allow for the advanced statistical analysis of structured data, and
advanced visualization and statistical text mining of unstructured data. These
approaches can provide a means to quickly draw out hidden links between
transactions and accounts, and uncover suspicious transaction patterns.
Advanced analytics can generate real-time actionable insights, stopping potential
money laundering in its tracks, whilst still allowing fund transfers for crucial economic
and human aid to troubled regions. Big data technologies can identify incidents, help
draw a wider picture, and allow a bank to raise the alarm before it’s too late.

(iii) $$1 + R_G = \sqrt[n]{(1 + R_1) \times (1 + R_2) \times \cdots \times (1 + R_n)}$$
$$R_G = \sqrt{(1 - 0.05)(1 + 0.15)} - 1 = 0.04522 \text{ i.e. } 4.52\%$$
(c) (i) Despite the VaR measure being better known than the expected shortfall, the latter
has more advantages:
• Expected shortfall is sensitive to the entire tail of the distribution, whereas VaR
will not change even if there are large increases in some of the losses beyond
the cut-off percentile at which the VaR is being measured.

• Expected Shortfall is a more stable measure than VaR in showing less sensitivity
to data errors and less day to day movement due to irrelevant changes in the
input data.
• With VaR, negative diversification effects can arise whereas expected shortfall
never displays negative diversification effects.
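The first and third points above, worked through on constructed numbers. This is an added example, not part of the ICAI answer; the loss samples, the two-loan portfolio and the function names are assumptions made for illustration.

```python
import math


def var_es(losses, confidence_pct=95):
    """Historical-simulation VaR and Expected Shortfall.

    losses: one loss per equally likely scenario (positive = money lost).
    VaR is the loss at the cut-off percentile; ES is the average of the
    scenarios that lie beyond that cut-off.
    """
    ordered = sorted(losses)
    n = len(ordered)
    k = math.ceil(n * confidence_pct / 100)   # scenarios at or below the cut-off
    var = ordered[k - 1]
    tail = ordered[k:]
    es = sum(tail) / len(tail) if tail else float(var)
    return var, es


def tail_sensitivity():
    """Same 95 ordinary days, two different sets of 5 worst days (constructed data)."""
    ordinary = list(range(1, 96))                       # losses of 1..95
    base = ordinary + [100, 110, 120, 130, 140]
    stressed = ordinary + [200, 300, 400, 500, 600]     # only the tail gets worse
    return var_es(base), var_es(stressed)


def diversification():
    """Two independent loans, each losing 100 with probability 4% (constructed data).

    The 25 x 25 grid enumerates 625 equally likely joint scenarios; each loan
    defaults in exactly one of its 25 states.
    """
    loan_a, loan_b, portfolio = [], [], []
    for i in range(25):
        for j in range(25):
            loss_a = 100 if i == 0 else 0
            loss_b = 100 if j == 0 else 0
            loan_a.append(loss_a)
            loan_b.append(loss_b)
            portfolio.append(loss_a + loss_b)
    var_a, es_a = var_es(loan_a)
    var_b, es_b = var_es(loan_b)
    var_p, es_p = var_es(portfolio)
    return {
        "var_a": var_a, "var_b": var_b, "var_portfolio": var_p,
        "es_a": es_a, "es_b": es_b, "es_portfolio": es_p,
    }


if __name__ == "__main__":
    base, stressed = tail_sensitivity()
    print("base     VaR95, ES95:", base)
    print("stressed VaR95, ES95:", stressed)   # VaR unchanged, ES moves with the tail
    d = diversification()
    print("VaR95 A + B separately:", d["var_a"] + d["var_b"])
    print("VaR95 of the portfolio:", d["var_portfolio"])   # larger than the sum
    print("ES95  A + B separately:", round(d["es_a"] + d["es_b"], 2))
    print("ES95  of the portfolio:", round(d["es_portfolio"], 2))
```

In the second case each loan alone shows a 95% VaR of zero because its default probability sits below the 5% cut-off, while the combined portfolio shows a positive VaR; Expected Shortfall of the portfolio stays below the sum of the stand-alone figures.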
(ii) The main advantage of the use of Monte Carlo simulation is that we can generate
correlated scenarios based on a statistical distribution, which allows it to model
multiple risk factors.
Moreover, we can specifically focus on the tails of extreme loss scenarios. So, the Monte
Carlo Simulation method can be used both to calculate VaR as well as to complement
it. Also, it can work both for linear and non-linear risks. As an unlimited number of
scenarios is generated, this helps in creating correct distributions.
(iii) Calculation of NPV
Year    Expected Cash Flow (₹)    Certainty Equi.    Certain Cash Flow (₹)    PVF      PV of Cash Flow (₹)
1       12,00,000                 0.87               10,44,000                0.943    9,84,492
2       14,00,000                 0.84               11,76,000                0.890    10,46,640
3       18,00,000                 0.93               16,74,000                0.840    14,06,160
4       27,00,000                 0.82               22,14,000                0.792    17,53,488
                                                                                       51,90,780
0       Cash Outflow                                                                   (50,00,000)
                                                                                       1,90,780
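Alternative Presentation
$$NPV = \sum_{t=0}^{n} \frac{\alpha_t \times NCF_t}{(1 + r_f)^t} - I$$
$$= \frac{12{,}00{,}000 \times 0.87}{(1.06)} + \frac{14{,}00{,}000 \times 0.84}{(1.06)^2} + \frac{18{,}00{,}000 \times 0.93}{(1.06)^3} + \frac{27{,}00{,}000 \times 0.82}{(1.06)^4} - 50{,}00{,}000$$
= 51,90,760 – 50,00,000
= 1,90,760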
(d) (i) CDS contracts have obvious similarities with insurance, because the buyer pays a
premium and, in return, receives a sum of money if an adverse event occurs.
However, there are also many differences, the most important being that an insurance
contract provides an indemnity against the losses actually suffered by the policy
holder on an asset in which it holds an insurable interest. By contrast a CDS provides
an equal payout to all holders, calculated using an agreed, market-wide method. The
holder does not need to own the underlying security and does not even have to suffer
a loss from the default event. The CDS can therefore be used to speculate on debt
objects. The other differences include:
• The seller might in principle not be a regulated entity (though in practice most are
banks);
• The seller is not required to maintain reserves to cover the protection sold (this was
a principal cause of AIG's financial distress in 2008; it had insufficient reserves to
meet the "run" of expected payouts caused by the collapse of the housing bubble);
• Insurance requires the buyer to disclose all known risks, while CDSs do not (the
CDS seller can in many cases still determine potential risk, as the debt instrument
being "insured" is a market commodity available for inspection, but in the case of
certain instruments like CDOs made up of "slices" of debt packages, it can be difficult
to tell exactly what is being insured);
• Insurers manage risk primarily by setting loss reserves based on the Law of large
numbers and actuarial analysis. Dealers in CDSs manage risk primarily by means
of hedging with other CDS deals and in the underlying bond markets;
• CDS contracts are generally subject to mark-to-market accounting, introducing
income statement and balance sheet volatility while insurance contracts are not;
• To cancel the insurance contract the buyer can typically stop paying premiums, while
for CDS the contract needs to be unwound.
(ii) Five C’s of Credit that are reviewed by banks in an attempt to mitigate the risk of
lending to unworthy borrowers:
(a) Capacity – This refers to the borrower’s ability to repay the loan. The lenders /
banks will consider the cash flows generated from the underlying business,
timing of repayment and the probability of successful payment of the loan under
various stressed scenarios.
(b) Capital – It is the promoters’ / borrower’s money invested in the business and is
an indicator of how much of the promoters’ / borrower’s money is at risk if the
business fails. FIs / banks will generally consider the borrower’s debt to equity
ratio to understand how much money the lender is being asked to lend as against
the money invested by the promoters / borrower in the business. A high debt to
equity ratio indicates that the promoters / borrower already have high levels of
debt / loans and could be having a higher financial risk.
(c) Character – It is the obligation that the borrower feels to repay the loan.
Emphasis is given on the past loan repayment track record, credit history, credit
bureau score. This analysis pertains to the softer aspect of the borrower’s intent
to pay rather than emphasis on financials, ratios and cash flows.

(d) Collateral – It is a form of security for the lender in case there is default on the
loan. In case of default, the lender will take possession of the collateral in place
of debt. Collateral can be in the form of tangible assets like land, building, plant,
machinery, cash flows, receivables, project assets etc. and also in the form of
intangible assets like patents, trademarks etc. The loan agreement should be
suitably drafted to include all the relevant details of the collateral. The lender
would ideally want the term of the loan to match the useful life of the collateral.
(e) Conditions – Additionally, apart from the borrower specific criteria, lenders
may also consider external factors which may affect the borrower’s financials, cash
flows and its underlying ability to repay the loan obligations. End use of the loan /
purpose for taking the loan / debt will also be carefully assessed and the
transaction will be suitably structured.
QUESTION NUMBER - III

(1) You have been recently appointed as Chief Risk Officer of a company which is in Steel
Castings business. Name of the Company is ABC Electro Steel Castings Ltd. [in short,
ABC].
You have been told that ABC is fully committed to strengthen its risk management
capability on continuous basis in order to protect and enhance shareholder value. You
have been told that the risk management framework ensures compliance with the
requirements of amended Clause 49 of the Listing Agreement. The framework establishes
risk management processes across all businesses and functions of the Company. These
processes are periodically reviewed to ensure that the Management controls risks through
properly defined framework.
You are also made aware that the Company has already undertaken an extensive Risk
Management effort that includes introducing a Risk Management Manual, compiling a
comprehensive profile of the key risks to the Company, identifying key gaps in managing
those risks and developing preliminary action plans to address those risks. This effort
accomplishes the following goals:
• responds to the Board's need for enhanced risk information and improved mitigation
plan;
• provides the ability to prioritize, manage and monitor the risk in the business; and
• formalizes the explicit requirements for assessing risks on an ongoing basis, including an
effective internal control and management reporting system.
You are also given information that the Company uses raw materials to manufacture the
steel castings. It is faced with the threat of pressure on margins on sales. To counter the
threat, the Company has taken various steps which include backward integration which
comprises coal mines and iron mines, and brownfield expansions, e.g. sinter plant, sponge
iron plant, coke oven plant, power plant from waste heat recovery. It also set up an R & D
to expand its manufacturing capacities with a view to control costs.
You came to know that the Company is ISO-140001-2004 certified and is adhering strictly
to the emission norms applicable for industry.
You are also told that with the thrust given by Government of India on water and water
related projects and with the estimated growth in water requirement, the demand of DI
Pipes is expected to grow substantially and the Company is confident of retaining its
market share.
Labour relations have been excellent throughout the year in spite of a number of unions. It
is the result of such cordial and harmonious relations that not a single man-day has been
lost in the last 8 years. The Company believes that labour relations will continue to remain
excellent.
The Company also has a Credit insurance policy.
Now, you have been asked to give a report to the Company's Management, which should
contain the key risks affecting the Company, and the measures that can be taken to mitigate
such risks. (30 Marks)
Multiple Choice Questions (2) to (6): Briefly explain the reasoning for your choice
which is mandatory
(2) An excess payment made to a vendor, which is accounted correctly, would be categorized
under which of the following risks?
(A) Financial Reporting risk
(B) Legal risk
(C) Reputation risk
(D) Financial risk (2 Marks)
(3) In Information Technology General Controls, under change management, the risk of
incorrect change is NOT mainly due to
(A) Change being wrongly conceived by the user groups
(B) Change control audit trail not maintained
(C) Change is wrongly executed
(D) Change being carried out without approvals (2 Marks)
(4) Annual Report of the Board of Directors must include a statement indicating the
development and implementation of a risk management policy for a company. This is
mandated by
(A) SEBI through 'Issue of Capital and Disclosure Requirements Regulations'
(B) Information Technology (Amendment) Act, 2008

(C) Companies Act, 2013
(D) Prevention of Money Laundering Act, 2002. (2 Marks)
(5) While taking a decision, the category risk profile bucket that would most likely escape
the attention of the Management is
(A) High Impact-Low Probability
(B) Low Impact-Low Probability
(C) High Impact-High Probability
(D) Low Impact-High Probability (2 Marks)
(6) Governance risks mean significant deficiencies that can impact the reputation, existence
and continuity of the organization. Such deficiencies would NOT occur because of
(A) Inappropriate practices adopted by the Board
(B) Inability of the Board to identify trivial risk facts that can impact business continuity
(C) Failure of the Board to direct and control the organization
(D) Collusion of management to override significant internal control mechanism causing
financial losses (2 Marks)
(7) List at least ten tasks in respect of the role of the risk manager. (5 Marks)
(8) Describe the usefulness of 'Artificial Intelligence' (5 Marks)
Answer
(1) Some of the key risks affecting the Company are illustrated below:
(a) Economic Risk: Due to increase in the cost of a number of inputs and raw materials
used by the Company, it is faced with the threat of pressure on margins on sales. To
counter this, the Company has taken various steps including backward integration
which comprises own coal mines and iron mines and brownfield expansions e.g.
sinter plant, setting up sponge iron plant, coke oven plant, power plant from waste
heat recovery, upgrading and expanding manufacturing capacities and increasing
efforts on R&D. In addition, cost control measures are an ongoing process.
To avoid price volatility for critical items, the company can attempt to enter into long
term contracts.
(b) Competitor Risk: The Company is exposed to the risk of competition, as the market
is highly competitive with the elimination of physical barriers and entry of new players.
The Company continues to focus on increasing its market share and taking marketing
initiatives that help customers in taking better-informed decisions.
The quality improvement efforts have established the brand image of the product as
the most preferred brand with the customers. With the thrust given by Government of
India on water and water related projects and with the estimated growth in water
requirement, the demand of DI pipes is expected to grow substantially, and the
company is confident of retaining its market share.
(c) Foreign Exchange Risk: Considering the large export and imports of raw material,
the Company is exposed to the risk of fluctuation in the exchange rates.
The Company has adopted a comprehensive risk management review system
wherein it actively hedges its foreign exchange exposures within defined parameters,
through use of hedging instruments such as forward contracts, options and swaps.
The company periodically reviews and audits its risk management initiatives through
an independent expert.
(d) Industrial Risk: The company is exposed to labour unrest risk, which may lead to
production slowdown ultimately resulting in plant shutdown.
Labour relations have been excellent throughout the year in spite of a number of unions.
It is the result of such cordial and harmonious relations that not a single man-day has
been lost in the last 8 years. The Company believes that labour relations will continue
to remain excellent.
(e) Environment Risk: The company is exposed to the risk of Environment and Pollution
Controls, which is associated with such types of industries.
The Company is committed to the conservation of the environment and has adopted
the latest technology for pollution control. The Company is ISO-140001-2004 certified
and is adhering strictly to the emission norms applicable for the industry.
(f) Payment Risk: The company is exposed to the risk of defaults by the customers in
payments.
Since major water infrastructure projects are government funded or foreign aided,
the risk involved in payment defaults is minimum. Further, evaluation of the credit
worthiness of the customers has minimized the risk of default by other segment
customers. Besides, the risk of export receivables is covered under Credit Insurance.
Alternative Answer
Report to Company’s Management
To: The Management
From: Chief Risk Officer
Date: 12 May 2018
Subject: Key risks affecting the company and its mitigation
Introduction
This report covers
(i) Key risks affecting the company

(ii) Measures to be taken to mitigate such risks

(i) Key risks affecting the company
(a) Strategic Risk: It includes the current and prospective impact on earnings,
capital, reputation or good standing of an organization arising from its poor
business decisions, improper implementation of decisions or lack of response to
industry, economic or technological changes. Failure of strategies will adversely
impact the business objectives and attainment of the goals.
Few major strategies initiated by ABC include:
(i) To reduce the threat of pressure on margin on sales, ABC has taken the
step of backward integration.
(ii) ABC has set up R & D to expand its manufacturing capacities with a view
to control costs.
(iii) The company has taken credit insurance policy.
So, while implementing the above-mentioned strategies, ABC is also facing
the risk of failure of some of its strategies.
(b) Operational Risk: Operational Risk is the risk of loss resulting from inadequate
or failed processes, people and systems and from external events.
As the company is in the manufacturing of steel castings, health and safety of
the workers is a major issue for the management in spite of the fact that labour
relations have been excellent. Further, the introduction of backward integration
also needs continuous monitoring for its smooth functioning.
(c) Financial risk: These risks are associated with the financial assets, structure and
transactions of the particular industry. NASDAQ defines Financial Risks as
the risk that the cash flow of an issuer will not be adequate to meet its financial
obligations.
In generic terms finance risk is the possibility that the investment return on an
investment will be different from the historical or expected return, and also takes
into account the magnitude of the difference. This includes the possibility of
losing some or all of the original investment.
In the present case, ABC is already facing threat of pressure on margin on sales.
Further, with the introduction of backward integration with the likely involvement
of huge costs, it has to devise strategies to ward off such threats.
(d) Audit Risk: Audit risk has traditionally been seen strictly as the risk of incorrect
audit conclusions. Contemporary views however include big-picture audit risks;
specifically, that the internal audit-function is not doing the right things or
working in the best ways.
(e) Political Risk: It includes political factors such as fall or change in the Government
resulting into changes in government policies and regulations, communal
violence or riots, hostilities with the neighboring countries, etc.
In the present case, the thrust given by the Government of India on water and
water related projects hopes to take ABC to huge success in future. However, if
the Government changes and refuses to pursue the policies of the previous
government, it will create unnecessary pressure on ABC.
(f) Technology Risk: Technological factors include unforeseen changes in the
techniques of production or distribution resulting into technological
obsolescence, etc.
In the present question, the machines or the techniques of production employed
by ABC may become obsolete in future with the advent of new technology.
(g) Credit Risk: This risk arises from outright default due to the inability or
unwillingness of the customer or counterparty to meet their commitments. Credit
risk is the probability of loss from a credit transaction. It is also called default
risk.
ABC may face such commitment problems from its customers.
(h) Process Risk: It is the inability of the management to meet its process related
objectives on account of failed activities in a business process. It is a risk of loss
resulting from failure of internal processes, people and systems or from external
events.
The backward integration process of ABC, which includes coal mines and iron
mines as well as brownfield expansions, may face problems in the future if the
management has not chalked out a foolproof plan as to how to mitigate it.
(i) Compliance Risk: It includes material financial loss or loss of reputation which
may occur as a result of its failure to comply with the laws, including regulations,
rules, related self-regulatory organization standards and code of conduct
applicable to its business activities.
In the present case, ABC may face the risk of non-compliance with clause 49 and
non-adherence to emission norms applicable for the industry.
(j) Governance Risk: It refers to ineffective, unethical management of a company
by its executives and managerial levels. The management of ABC has to be very
careful in this respect.
(ii) Measures to be taken to mitigate such risks
A risk mitigation strategy is an organization's plan for ‘how it will address its identified
risks'. Mitigation and measurement techniques are applied according to the event's
losses, and are measured and classified according to the loss type.
The primary objective of risk treatment is:-

• To contain the risks to a tolerable level within the risk appetite of the organization
(i.e., how much risk the management is ready to accept).
• To give a response to risks (i.e., aspects of addressing risks).
Broadly, the risk responses are categorized into the following buckets:
Sr. No.   Risk action            Description
1         Avoid                  Exiting the activities which are increasing the risk of the
                                 organization. For instance, in case of ABC, risk avoidance
                                 may involve the company exiting some of the activities
                                 initiated under backward integration which are causing
                                 problems and are seen as a potential threat in future. This
                                 way the company’s process risk can be mitigated to a great
                                 extent.
2         Reduce/Manage/Treat    Action is taken to reduce the risk likelihood or impact, or
                                 both, or treat it altogether. This involves introducing internal
                                 control measures such as introducing internal audit, which
                                 ensures the authenticity of the financial transactions and
                                 helps to treat financial risk as well as audit risk.
                                 The company already has credit insurance to manage
                                 credit risk, which is a good thing. However, insurance can
                                 also be taken by ABC to mitigate operational risks such as
                                 risks arising out of fire, for instance. Depending on the
                                 cover available and opted for, other losses due to
                                 terrorist attacks, natural disasters etc. can also be
                                 covered. Cash transit insurance and fidelity insurance
                                 are oft-quoted examples.
                                 Further, implementation of occupational health and safety
                                 management for the health and safety of the workers shall
                                 be initiated by the management to treat such risks, if they
                                 occur in future. The reason is that the workers of the
                                 company are engaged in a manufacturing process
                                 which may jeopardize their health and safety, and
                                 consequently the organization may suffer because of this.
                                 Political Risks cannot be mitigated. The only way is to
                                 establish good relations and comply with all the legal
                                 requirements on a continuous basis.
                                 It seems from the question itself that the management is
                                 ethical and doing its tasks effectively and thereby reducing
                                 its Governance Risk.

3         Transfer/Share         Reducing the risk likelihood or impact by transferring or,
                                 otherwise, sharing a portion of the risk. Common
                                 techniques include purchasing insurance cover,
                                 outsourcing activities, engaging in hedging transactions.
4         Accept                 No action is taken to affect the risk likelihood or impact.
                                 This is mainly in cases where the risk implications are lower
                                 than the Company’s risk appetite levels. So, ABC has to
                                 see which potential risks it has to concentrate and focus
                                 upon.
In addition to the above, other risk mitigation measures to be employed by ABC
(depending upon the likelihood of the risk) are as follows:-
• Control Self-assessments;
• Calculating reserves and capital requirements;
• Creating culture supportive of risk mitigation;
• Strengthening internal controls, including internal and external audit of systems,
processes and controls, including IS audit and assurance;
• Setting up operational risks limits (so business will have to reduce one or more
of frequency of loss, severity of loss or size of operations);
• Setting up independent operational risk management departments;
• Establishing a disaster recovery plan and backup systems;
• Insurance; and
• Outsourcing operations with strict service level agreements so operational risk
is transferred.
Out of these aforementioned techniques, some of the common risk mitigation
techniques are briefly discussed below:
• Insurance: As already discussed, an organization may buy insurance to
mitigate such risk. Under the scheme of the insurance, the loss is transferred
from the insured entity to the insurance company in exchange of a premium.
However, while selecting such an insurance policy one has to look into the
exclusion clause to assess the effective coverage of the policy.
• Outsourcing: The organization may transfer some of the functions to an outside
agency and transfer some of the associated risks to the agency. For example, it
may outsource the technological aspects to an outside firm.
• Service Level Agreements (SLAs): Some of the risks can be mitigated by
designing the service level agreement. This may be entered into with the
external suppliers as well as with the customers and users.

(2) (D) The situation mentioned in the question would be categorised under Financial Risk
because it would lead to possible financial loss to the organisation.
(3) (B) Option A, C and D are the causes of the risk of incorrect change, while option B is a
distractor.
(4) (C) As per section 134(3)(n) of the Companies Act, 2013, Annual Report of the Board of
Directors shall include a statement indicating development and implementation of a
risk management policy for the company including identification therein of elements
of risk, if any, which in the opinion of the Board may threaten the existence of the
company.
(5) (A) High impact, low probability incidents often skip the management decision purely because
these incidents are either not foreseen at all in reality or, even if they are, they are so
rare but with such severe impact that putting a risk mitigation plan in place for them is very difficult.
(6) (B) Governance risks include inability of the Board to identify principal risk factors that
can impact business continuity. Therefore option (B) is not included among the
deficiencies covered under governance risks.
(7) Ten tasks in respect of the role of the risk manager are as follows:-
(i) Manage the implementation of all aspects of the risk function, including implementation
of processes, tools and systems to identify, assess, measure, manage, monitor and report
risks.
(ii) Select the most suited risk identification techniques and approaches.
(iii) Manage the process for developing risk policies and procedures, risk limits and approval
authorities.
(iv) Monitor major, critical and minor risk issues.
(v) Manage the process for elevating control risks to more senior levels when appropriate.
(vi) Management of risk reporting, including reporting to senior management.
(vii) Prepare high-level user requirements to assist in preparation of Project Initiation
documents.
(viii) Liaison with Business users to prepare Functional risk specifications. Translate business
requirements and functional needs into business / reporting and system specifications.
Ensure technical specifications meet the stated needs of the business.
(ix) Generate project management documents.
(x) Provide User Training for in-house developed risk management systems.
(xi) Conduct compliance & risk assessments.
(xii) Conduct and document audits of risk related compliance to industry standards
(xiii) Define & develop risk policies, procedures, processes & other documentation as required.



Page 95 of 492
34 FINAL (NEW) EXAMINATION: MAY 2018

(xiv) Implement the risk management program and risk strategy. Ensure the risk management
program is effectively integrated into product development and delivery methodology.
(xv) Participate in local and global discussions to formulate new or enhance existing risk
management processes, policies and standards.
(8) Usefulness of ‘Artificial Intelligence’
Artificial Intelligence is the science of making intelligent machines, especially intelligent computer
programs. It is a way of making a computer think in the manner in which intelligent humans think.
It works by studying how the human brain thinks and how humans learn, decide and work while
trying to solve a problem; the outcomes of this study are then used in developing intelligent
software and systems. It has been dominant in many fields such as:
Gaming – It plays a crucial role in strategic games such as chess, poker etc.
Natural Language Processing – It is possible to interact with the computer that understands
natural language spoken by humans.
Expert Systems - There are some applications which integrate machine, software, and special
information to impart reasoning and advising. They provide explanation and advice to the users.
Vision Systems - These systems understand, interpret, and comprehend visual input on the
computer.
For example,
• Doctors use clinical expert system to diagnose the patient.
• Police use computer software that can recognize the face of criminal with the stored
portrait made by forensic artist.
AI is also used in Speech Recognition, Handwriting Recognition, and Intelligent Robots etc.
Artificial Intelligence is dependent on large amounts of data. So proper big data architecture
needs to be set up for AI that involves architecture like Hadoop clusters, Spark Clusters etc. so
that the processing of the data is faster and smooth.



Page 96 of 492
May 2018 Question Paper Query Sheet
Case Study 1 (October 19 MTP descriptive Questions are similar, just figures are different; 5 MCQs
are common)

Descriptive Questions:

1- It is conceptual with the addition of the Capital structure aspect for which D/E is the perfect
ratio. The analysis requires a conceptual understanding of Financial Ratios. (similar Question
in OCT-19 MTP)

Multiple Choice Questions:

2- Refer page no 1.14 of ICAI SM.


3- Refer page no 1.20 of ICAI SM.
4- Old Chapter 4 of ICAI SM.
5- Refer page no 1.20 of ICAI SM
6- General Knowledge Based
7- Refer page no 2.26 of ICAI SM.
8- Old Chapter 4 of ICAI SM.
9- Refer page no 3.9 of ICAI SM.
10- General Knowledge Based
11- Refer page no 1.12 of ICAI SM.
12- Refer page no 7.21-7.22 of ICAI SM.
13- Refer page no 6.30 of ICAI SM.
14- Refer page no 6.21 of ICAI SM.
15- Refer page no 5.17 of ICAI SM.
16- Refer page no 7.5 of ICAI SM.
17- Refer page no 3.4 of ICAI SM.
18- Refer page no 1.20 of ICAI SM.
19- Refer page no 3.5 of ICAI SM.
20- Refer page no 2.7 of ICAI SM.
21- Refer page no 1.5 of ICAI SM.

Case Study 2
a. Multiple Choice Questions:

(i) Refer page no. 5.5 of ICAI SM


(ii) Refer page no 6.28 of ICAI SM
(iii) Old Chapter 4 of ICAI SM
(iv) Refer page no 5.7 of ICAI SM
(v) Refer page no 5.4 of ICAI SM
(vi) Refer page no 1.7 of ICAI SM
(vii) Refer page no. 6.4 of ICAI SM
(viii) Refer page no. 5.15 of ICAI SM
(ix) Refer page no 5.5 of ICAI SM
(x) Refer page no 6.2 of ICAI SM

Page 97 of 492
(xi) Refer page no 6.23 of ICAI SM.
(xii) Concept-Based Approach on Analytics.
(xiii) Concept -Based on Stress Testing
(xiv) Old Chapter 4 of ICAI SM.
(xv) Refer page no 6.11 of ICAI SM.
(xvi) Old Chapter 4 of ICAI SM.
(xvii) Refer page no 6.34 of ICAI SM
(xviii) Refer page no 9.33 of ICAI SM.
(xix) Refer page no 6.12 of ICAI SM.
(xx) Refer page no 6.15 of ICAI SM.

b. (i)- Based on ICAI SM old Chapter 4 (Bayes Theorem)

(ii)- Direct answer from page no. 9.34 of ICAI SM.

(iii)- Based on ICAI SM old Chapter 4 (Geometric Mean)

c. (i) -Difference between VAR and Expected Shortfall (Refer page no. 5.6 of ICAI SM)

(ii) - Advantages of Monte Carlo Simulation (Refer page no. 5.5 of ICAI SM)

(iii)-NPV under Certainty Equivalent Technique (Practical Question from IPCC)

d. (i)- Difference between CDS and Credit Insurance (Refer page no. 6.24 of ICAI SM)

(ii)-Five Cs of Credit (Refer page no. 6.13)

Case Study 3 (March 19 CS-3: Co. name different, Descriptive Questions are same, 5 MCQs are
common)

(1)- How can we answer the mitigation measures part- There is hardly any content in the ICAI
SM for the same?

Manageable answer from page 1.19 of the ICAI SM- Also, conceptual understanding is required for the
mitigation measures. (Also, You can refer to page 282 of the Complete Guidance module by CA Shivam
Palan for the mitigation measure summary)

(2) General, You may get an idea from the Types of risk given on Page no. 1.19
(3) Refer to Page no 9.19 of ICAI SM.
(4) Refer to Page no 7.10 of ICAI SM
(5) Refer to Page no 9.14 of ICAI SM
(6) Refer to Page no 7.1-7.2 of ICAI SM.
(7) Direct answer from Page 2.30 of ICAI SM.
(8) Direct answer from Page 9.35 of ICAI SM.

Page 98 of 492
Test Series: August, 2018
MOCK TEST PAPER - 1
FINAL (NEW) COURSE: GROUP – II
PAPER – 6A: RISK MANAGEMENT
Case Study Question Number One
(A) The ABC Bank Ltd. is a bank in India and has a credit portfolio of Rs. 10 billion. The key portfolio features
are given below:
The largest sector exposure is in construction which accounted for 20% of the credit portfolio (others
sectors in the portfolio include cement/steel manufacturers, building material distributors, real estate
developers/builders, automobile manufacturers, tyre manufacturers and investment banks).
The two largest customers account for 30% (they belong to the construction and building materials
sector).
All obligors in the credit portfolio are situated within India.
The credit products offered by the bank include both short and long term – but the majority is long term
exceeding one year, accounting for 60% of the portfolio.
Most of the funding sources are short term – i.e. short-term deposits and inter-bank borrowings, which
accounted for about 75% of the total funding requirements.
Although entire lending was in Rupees, 45% of the short-term deposits were in non-rupee currencies.
The only collateral it accepts is real estate.
Discuss the portfolio level risks in this portfolio. Is there any significant undiversified risk in this credit
portfolio? If so, suggest how further diversification can be achieved. (30 Marks)
(B) Multiple Choice Questions
(i) A ……….. is the threat that an event or action will adversely affect an enterprise’s ability to
maximize stakeholder value and to achieve its business objectives.
(a) Enterprise Risk
(b) Business Risk
(c) Operational Risk
(d) Financial Risk
(ii) ……… defines financial risk as the risk that the cash flow of an issuer will not be adequate to meet
its financial obligations.
(a) Basel II
(b) Institute of Risk Management
(c) NASDAQ
(d) NYSE
(iii) …….. is the process of evaluating and defining the cost and benefits associated with the risk
consequences.
(a) Risk Quantification
(b) Risk Assessment
(c) Risk Measurement
(d) None of the above



Page 99 of 492
(iv) Which among the following is not one of the Risk Management techniques?
(a) Tolerate
(b) Transfer
(c) Terminate
(d) Tackle
(v) ……… measures the strength of linear relationship between two random variables.
(a) Covariance
(b) Coefficient of Correlation
(c) Standard Deviation
(d) Mean Deviation
(vi) ……… draws a sample from the dataset and records its VaR.
(a) Historical Simulation
(b) Bootstrap Simulation
(c) Monte Carlo Simulation
(d) None of the above
(vii) The excess return of a fund relative to the return of a benchmark index is the fund’s ……….
(a) Alpha
(b) Beta
(c) Sharpe Ratio
(d) R Squared
(viii) Which among the following is not a governance risk?
(a) The rights of shareholders and key ownership functions are not defined and communicated.
(b) Disclosure and transparency norms are not articulated
(c) Unauthorized related party transactions
(d) Board has defined risk capacity, appetite and risk response strategies
(ix) Which among the following are the characteristics of Risk Defined?
(a) Risks identified within functions and not across processes. Also risks not communicated
across enterprise.
(b) Strategy and policy in place and communicated
(c) Enterprise wide approach to risk management developed and communicated
(d) Risk management and internal control fully embedded into operations
(x) For banks, it is mandatory to have a/an ………. policy approved by the Board.
(a) Operational Risk
(b) Enterprise Risk
(c) Financial Risk
(d) Strategic Risk (2 Marks for each MCQ = 20 Marks)



Page 100 of 492
Case Study Question Number Two
(A) The auditors of ABC Transportation Networks — the debt-laden, listed subsidiary of the infrastructure
finance company ABC Ltd. — have red-flagged the risks faced by the company.
In its limited review report, the statutory auditor has drawn the company’s board of directors attention to
the “existence of material uncertainty on the company’s ability to continue as a going concern” and the
“management plan to raise funds.”
The observation was made in reference to the notes to ABC’s financial results for the quarter ended
June 20, 2018. The closely-held ABC, which owns almost 72 per cent in ABC Transportation Networks,
has tapped its shareholders including the likes of XYZ Insurance Corporation of India, Apex Corporation
of Japan, Sakar Investment Authority, and PQRS to raise Rs. 4,500 crore through equity rights offering.
BIS Capital Markets is understood to have arrived at a fair value of Rs. 349 a share for ABC. PQRS,
which holds 9 per cent in ABC, will take a final decision on the investment once the rights issue price is
announced.
According to an August 7 report by credit rating agency RACI, ABC Transportation Network’s liquidity
will continue to remain stretched due to sizeable near-term debt repayment obligations, high refinancing
risk and high dependence on external funding support to project special purpose vehicles (SPVs). The
‘outlook’ for the ‘standalone debt’ of ABC Transportation Networks may be revised to ‘stable’ if the
company achieves meaningful progress on planned avenues of cash inflows and deleverages its
balance-sheet that would strengthen the financial risk profile.
The notes to the June 30 financial accounts — signed by ABC Transportation Networks managing
director and the one the company’s auditors have referred to — for the quarter ended June 30, 2018,
says: “Though the company has incurred losses during the current quarter and credit rating of some of
its borrowings have been downgraded in the recent period, management is taking various initiatives
including monetization of assets, raising of fresh capital through rights issue of equity shares, refinance
of debt in matured annuity projects and other strategic initiatives to address any uncertainty relating to
repayment of borrowings in next twelve months and to create sustainable cash flows.
Accordingly, the financial results continue to be prepared on a going concern basis, which contemplates
realisation of assets and settlement of liabilities in an orderly manner.”
The ABC Transportation Networks board had approved a Rs. 3,000 crore rights issue on July 27, 2018.
Credit rating agencies have downgraded ABC Transportation Networks’s bank facilities and debt
securities which do not have ABC backing via under the ‘debt service reserve account’ (DSRA) — where
an issuer opens a DSRA account and funds it (post allotment of securities) by an amount equal to the
next scheduled debt obligation. The amount is raised if credit rating dips.
ABC Transportation Networks suffered loss of Rs. 285 crore for the June quarter against a profit of
Rs. 34.89 crore in the year-ago period. The company’s total debt would be around Rs. 35,000 crore.
ABC/ ABC Transportation Networks spokespersons did not comment on the auditor’s remarks.
Questions
(i) Elaborate the various risks being faced by the ABC Transportation Networks. (9 Marks)
(ii) Discuss the steps which have been taken by the management of ABC Transportation Networks to
counter the risks as mentioned above. (6 Marks)
(B) In August 2018, Expert Bank was faced with a cyber-attack, resulting in nearly Rs. 100 crore being
siphoned off. In most developed countries similar attacks are rare. Such incidents require a large number
of accounts to transfer the stolen money. With stringent KYC norms, anti-money laundering measures,
multi-level transaction authentication requirements and AI (Artificial Intelligence) based real-time
‘unusual’ transaction tracking, carrying out such operations is difficult barring gross negligence by the
bank/ related parties.


Page 101 of 492
In most countries, direct money siphoning from banks through cyber-attacks are small-scale frauds
through phishing attacks and cloning/stealing of payment cards/net banking identities/information.
These are high-frequency but low impact events. RBI data and our estimates show that during 2008-17,
banks in India faced 1,30,000 reported cases of cyber fraud involving an estimated Rs. 700 crore. This
is equivalent to just 0.006% of the outstanding deposits of Indian banks. By contrast, a severe cyber-
attack can result in bank failure even when no money is lost directly.
The main threats that a bank faces from cyber-attacks include breach of customer data privacy, loss of
reputation, business discontinuity, loss of assets/business information, post-breach information security
revamping cost, third-party claims and penal actions from regulators. Strong customer data privacy
protection norms and stringent penalties for infringement have been the main drivers of robust cyber
security arrangements by banks in most OECD countries. For example, General Data Protection
Regulations (GDPR) in the EU imposes a penalty of up to €20 million, or up to 4% of the annual
worldwide turnover, for violation of norms.
Data privacy norms in India are far less stringent than those of the GDPR. Besides, the
predominance of public-sector banks creates the impression of an implicit sovereign guarantee against
the failure of such banks. This reduces the threat of reputation loss of public-sector banks due to cyber-
attacks. Also, the severe implications of a cyber-breach seem to be lost on a large number of bank
managements. These factors could have created a relaxed attitude among banks to cyber-risk
management.
At the same time, even in industrialized countries, the sensitivity of banks to cyber-attacks and
investments for cyber risk management have gone up sharply only in the current decade. For a large
part of this period, Indian banks, especially those in the public sector, were faced with serious asset
quality deterioration, restricting their capacity to invest in cyber security.
Indian banks do not have much choice concerning a major revamp of cyber security. Cyber-attacks are
global in nature and, with better cyber-risk preparedness in OECD countries, hackers are increasingly
focusing on vulnerabilities in emerging-market countries. This can create existentialist problems for
Indian banks. For example, the money siphoned off from Expert Bank is 14 times the bank’s FY18 profit.
The regulatory situation in India is also becoming more stringent. In 2016, the RBI has asked banks to
put in place board-approved, robust cyber-risk management systems. The regulator has also set norms
that put losses due to cyber-attacks almost exclusively on banks. Most importantly, the draft Personal
Data Protection Bill, 2018, has proposed that for breach of personal-data protection, banks would face
penalties similar to those under the GDPR.
Our detailed analysis of cyber-risk management by listed Indian banks shows that there is considerable
divergence in the cyber-risk preparedness of Indian banks. While private-sector banks generally exhibit
greater cyber maturity than the public-sector banks, there are numerous exceptions. The perception that
smaller banks generally have lower levels of cyber-risk preparedness and, thereby, greater vulnerability,
however, does not seem to be true.
Many of the ‘old’ private sector banks appear to be better prepared than their larger peers. Indian banks
seem to focus more on identification and prevention of cyber-attacks than breach detection, crisis
management in the immediate aftermath of detection and corrective measures thereafter. As examples
of major global banks including the Bank of America, Citi, JP Morgan Chase, PNC, USB or Wells Fargo
suggest, irrespective of the cyber investment, preparedness and management, cyber breach is a near
certainty for banks. Quick breach detection and appropriate corrective actions decide the impact of such
incidents on banks. It is high time that Indian banks wake up to harsh cyber realities.
Questions
(i) Why are cybercrimes difficult to execute in developed countries? (4 Marks)



Page 102 of 492
(ii) What are the main threats that a bank faces from cyber-attacks? What are the remedies for such
threats? Why do public sector banks face less threat of reputation risks due to cyber-attacks?
(6 Marks)
(iii) How has the Indian regulatory system started to plug the loopholes in cyber risk management in
banks? (5 Marks)
(C) Multiple Choice Questions
(i) The Delphi technique is a method which involves getting opinion on a process
(a) From an individual
(b) From a group of individuals
(c) From Regulator
(d) None of the above
(ii) Which of the following is not an internal risk?
(a) Economic factors as price fluctuations, changes in consumer preferences, inflation, etc.
(b) Technological factors unforeseen changes in the techniques of production or distribution
resulting into technological obsolescence etc.
(c) Physical factors such as fire in the factory, damages to goods in transit, etc.
(d) Human factors as strikes and lock-outs by trade unions; negligence and dishonesty of an
employee; accidents or deaths in the factory etc.
(iii) The concept of risk-based maintenance is an advanced form of :
(a) Probability Centered Maintenance
(b) Risk Centered Maintenance
(c) Control Centered Maintenance
(d) Reliability Centered Maintenance
(iv) The terms risk and uncertainty are often used in the corporate scenario. The measurement of
uncertainty is
(a) A set of possibilities assigned to a set of possibilities
(b) A set of probabilities assigned to a set of possibilities
(c) A set of risks assigned to a set of uncertainties
(d) A set of uncertainties assigned to a set of risks.
(v) Which is not a drawback of Scenario Analysis?
(a) Assumes that the scenarios are equally probable
(b) Subjective in deciding how serious the risks are
(c) Implausible losses might be considered
(d) Considers the correlations between the risk factors
(vi) Which one of the following helps to relate characteristics of an event to the probability and severity
of the operational losses?
(a) Monte Carlo Simulation
(b) EWMA Model
(c) Statistical Analysis


Page 103 of 492
(d) Factor or Causal Analysis
(vii) Risks which occur even with no changes in the economy are classified as
(a) Dynamic risks
(b) Static risks
(c) Control risks
(d) Speculative risks
(viii) Risk probability and impact assessment generally finds answers to the following questions
EXCEPT
(a) What is control in the business in similar type of industry?
(b) What will it cost the business if it does happen?
(c) The probability and impact Matrix indicates which risks need to be managed.
(d) What is the probability that a risk will occur?
(ix) Poor morale and talent retention is a risk area for –
(a) Sales and Marketing
(b) Human Resources
(c) Finance and Accounts
(d) Information Technology
(x) Following is the view of Warren Buffett on the subject of Risk and Risk Management:
(a) Risk comes from not knowing what you are doing
(b) Risk management is about people and processes
(c) Risk management is a central part of any entity’s strategy management
(d) Risk management is the art of using lessons from the past to mitigate misfortune
(2 marks for each MCQ = 20 Marks)
Case Study Question Number Three
(A) Country ABC takes over the business of a MNC situated in ABC itself by giving inadequate
compensation.
Host country ABC prevents the MNCs from converting their earnings from local currency to foreign
currency to repatriate the same to the home country of the MNCs. Due to these restrictions, even investors in
the MNCs' business suffer a lot.
ABC has enforced certain dramatic changes in Rule and Regulations governing the host country. These
sudden changes are of following types:
• Unanticipated increase in tax rates applicable for MNCs operating in the host country.
• Compulsion to hire local workforce.
• Compliances of stricter environmental standards.
ABC is also facing a high level of red tapism and corruption at local and higher levels, and it poses a serious
risk for MNCs operating in the host country as it leads to uncertainty and high cost of operation.
The host country revokes an earlier turnkey project awarded by the Government of the host country without
adequate consideration and damages.
(i) Highlight the type of risks being faced by a Multinational Company (MNC) in country ABC in the
following situations. (5 Marks)


Page 104 of 492
(ii) What are the qualitative assessment tools to assess the risks faced by Country ABC? (5 Marks)
(B) Splendid Bank has given loan to several big companies. However, the credit appraisal system was very
liberal while granting the loan. Following mistakes are made by the bank which makes it vulnerable to
credit risk.
(i) Lender organization should consider going through the credit scoring agencies to ensure the
customer has the paying ability. It is always better to take the help of professionals during this step.
During this stage, credit evaluation is very critical. However, the bank didn’t take the help of a
professional and some loopholes were left while checking the credibility of the customers.
(ii) It’s important for the lender to understand who all have been given trade credit in the past and how
old are the relationship with such counterparty. This will establish a pattern to understand if the
customer has a tendency to maintain the business relation or it’s just a pure business. Also, asking
reference from the third party proves to be independent source to verify the commitment made by
the customers. But, the bank was a bit lackadaisical in its approach and didn’t consult the third
parties.
(iii) When a lender is convinced to provide a line of credit to the customer, it is his duty to have proper
due diligence in place to ensure the line of credit is being placed in safe pair of hands. Irrespective
of the professionals’ involvement in due diligence process, lender still has the moral responsibility
to perform the due diligence on its own. This can be achieved by simply visiting the website,
assessing the market creditability etc. Basically, publicly sourced information is pretty useful in
such cases. But, again the bank was negligent on this count.
(iv) Every effort should be made to ensure that the minimal cost of capital should be recovered from
the customer. This can be achieved by simply asking the borrower for a deposit or the collateral.
However, some of the collaterals taken by the bank were substandard.
The mistakes as mentioned above make the bank vulnerable to efficient recovery of the loan given by
it. Advise as to how the bank can mitigate its credit risk. (8 Marks)
(D) Governance risks mean significant deficiencies that can impact the reputation, existence and continuity
of the organisation. These arise on account of failure of the Board to direct and control the organisation
or inappropriate practices adopted by the Board or collusion of management to override significant
internal control mechanism causing financial losses or inability of the Board to identify principal risk
factors that can impact business continuity.
Often these failures are facilitated by corporate governance failures, where boards do not fully
appreciate the risks that the companies are taking (if they are not engaging in reckless risk-taking
themselves), and/or deficient risk management systems.
In view of the above, highlight some of the sound practices from the point of view of Board of Directors
and Audit Committee which aim to help national authorities and firms to continue to improve their risk
governance. (7 Marks)
(E) Dhirendra is forecasting a stock’s performance in 2012 conditional on the state of the economy of the
country in which the firm is based. He divides the economy’s performance into three categories of good,
neutral and poor and the stock’s performance into three categories of increase, constant and decrease.
The estimates are:
• The probability that the state of the economy is good is 20%. If the state of the economy is good,
the probability that the stock price increases is 80% and the probability that the stock price
decreases is 10%.
• The probability that the state of the economy is neutral is 30%. If the state of the economy is
neutral, the probability that the stock price increases is 50% and the probability that the stock price
decreases is 30%.



Page 105 of 492
• If the state of the economy is poor, the probability that the stock price increases is 15% and the
probability that the stock price decreases is 70%.
Vikram, his supervisor, asks him to estimate the probability that the state of the economy is neutral given
that the stock performance is constant. Dhirendra’s best assessment of that probability is closest to
what? (5 Marks)
(F) Multiple Choice Questions
(i) Stress testing in most jurisdictions was a regulatory requirement around:
(a) Solvency assessment
(b) Capital adequacy assessment
(c) Profitability assessment
(d) None of the above
(ii) The following is not one of the External factors to a bank’s credit risk:
(a) Fluctuation in Exchange Rates
(b) Fluctuation in interest rates
(c) Fluctuation in Government Policies
(d) Fluctuation in Lending Policy
(iii) The following one is not one of the components of credit risk
(a) Default Risk
(b) Exposure Risk
(c) Recovery Risk
(d) Political Risk
(iv) EAD – Exposure at Default refers to
(a) the loss likely to be suffered
(b) the amount that is exposed
(c) the risk of a borrower defaulting on the payment
(d) None of the above
(v) The following one is not one of the governance risks –
(a) Disclosure and transparency norms are not articulated
(b) Rights to key ownership functions are not defined
(c) Responsibilities of the Board of Directors are not undefined
(d) There is no equitable treatment of Shareholders
(vi) We are exposed to risks arising out of the dynamic macroeconomic environment as well as from
internal business environment. The following one is not termed as the Regulatory:
(a) Predatory pricing
(b) Non-renewal of mining leases
(c) Non-availability of protective trade measures
(d) Unanticipated labour unrest



Page 106 of 492
(vii) Basel II norms indicate the recommended governance of operational risk in an organisation by
three lines of defence model. The third line of defence is:
(a) Operational Risk Department
(b) Audit Committee
(c) Function/department/role that owns the process
(d) None of the above
(viii) An organisation cannot identify an operational loss event by any one of the following triggers:
(a) Customer complaint
(b) Regulatory inspection
(c) Concurrent/management audit
(d) None of the above
(ix) Mutual Fund A returns 13% over the past year and had a standard deviation of 11%. The risk free
return over the time period is 4%. The Sharpe Ratio would be __________
(a) 1.0
(b) 0.5
(c) 0.82
(d) 0.90
(x) Project X had total revenues of Rs. 1,50,000 and total expenses of Rs. 75,000. The total risk-
weighted assets in the project are Rs. 4,50,000. RORAC (Return on Risk Adjusted Capital) for
Project X is:
(a) 11.1%
(b) 12.5%
(c) 16.67%
(d) 40% (2 Marks for each MCQ = 20 Marks)



Page 107 of 492
TEST SERIES: August, 2018
MOCK TEST PAPER
FINAL (NEW) COURSE: GROUP II
PAPER – 6A : RISK MANAGEMENT
SUGGESTED ANSWERS/HINTS:
Note: Please note that these solutions are for guidance purpose only.
Answers to Case Study One
(A) Significant portfolio risks exist in the portfolio, as given below:
• Construction sector currently constitutes 20% of the portfolio i.e. concentration is high – it has to
be reduced to say 5% of the portfolio. The portfolio is vulnerable to any sectoral downturn, i.e.
significant losses are possible if there is a downturn in the construction sector. Since banks are
highly leveraged and operate on thin margins such risks carry a potential risk that may put the bank
out of business.
• There is also name concentration – two customers account for 30% of the portfolio. Again it is not
comforting that the major names are in the construction and building materials sectors. It is well
known that the building materials sector is strongly correlated with the construction sector. Whilst
ensuring that these names are of top credit quality (AAA category), efforts must be taken to reduce
name concentration to, say, 5% of the portfolio. Also credit assets from other non-correlated (if
possible, negatively correlated) sectors may be pursued.
• Currency risk is significant because of the liability in the form of non-rupee deposits. Appropriate
hedging may be attempted because the entire assets are denominated in local currency, i.e.
rupees.
• Maturity risks are evident because 75% of the deposits and inter-bank borrowings are short term,
while the short-term credit assets only represent 40% (i.e. long-term credit assets make up 60% of
the portfolio). This serious maturity mismatch could spell trouble if there is any trigger on liquidity
in the market. Matching of maturities is important.
• The collateral concentration is also not advisable.
The intelligent efforts of the portfolio manager of this bank can mitigate all these diversifiable risks in
such a manner that there is no serious threat to the bank’s survival. Then the major focus is on
systematic risk. Even systematic shock can, to a great extent, be absorbed by the firm with a well-
diversified portfolio.
(B) Answer to the Multiple Choice Questions
(i) (b)
(ii) (c)
(iii) (a)
(iv) (d)
(v) (b)
(vi) (b)
(vii) (a)
(viii) (d)
(ix) (b)
(x) (a)
Answers to Case Study Two
(A) (i) The various risks faced by the ABC Transportation Networks are discussed as below:
Audit Risk - ABC Transportation Networks is facing audit risks as in its limited review report, the
statutory auditor has drawn the attention of the company’s board of directors to the “existence of
material uncertainty on the company’s ability to continue as a going concern” and the “management
plan to raise funds.”
Financial and Liquidity Risk – As per the definition provided by NASDAQ, Financial Risk is the
risk that the cash flow of an issuer will not be adequate to meet its financial obligations. Liquidity
risk is the potential inability to meet commitments as they fall due.
In the case under consideration, the company is facing both the financial and liquidity risks as it
has been mentioned in the report submitted by a credit rating agency that liquidity will continue to
remain stretched due to sizeable near-term debt repayment obligations, high refinancing risk and
high dependence on external funding support to project special purpose vehicles (SPVs).
Reputation Risk – The company is facing reputation risk as the credit rating agency has
categorically pointed out the following points:
• Having high debt repayment obligations.
• High refinancing risk.
• High dependence on external funding support to project special SPVs.
• Recent downgrading of credit rating.
(ii) The steps which have been taken by the management of ABC Transportation Networks to counter
the risks as mentioned above are given as below:
• Monetization of assets
• Raising of fresh capital through rights issue
• Refinance of debt in matured annuity projects
• Other strategic initiatives to address any uncertainty relating to repayment of borrowings in
next twelve months
• To create sustainable cash flows
(B) (i) Cybercrimes are difficult to execute in developed countries because such incidents require a large
number of accounts to transfer the stolen money. With stringent KYC norms, anti-money
laundering measures, multi-level transaction authentication requirements and AI (Artificial
Intelligence) based real-time ‘unusual’ transaction tracking, carrying out such operations is difficult
barring gross negligence by the bank/related parties.
(ii) The main threats that a bank faces from cyber-attacks are as follows:
• breach of customer data privacy,
• loss of reputation, business discontinuity,
• loss of assets/business information,
• post-breach information security revamping cost,
• third-party claims and
• penal actions from regulators.
To ward off such threats, strong customer data privacy protection norms and stringent penalties
for infringement should be the norm for maintaining robust cyber security arrangements by banks
as has been practiced in most OECD countries.
Public sector banks face less threat of reputation risk due to cyber-attacks because of the
predominance of public-sector banks, which creates the impression of an implicit sovereign
guarantee against the failure of such banks.
(iii) The regulatory situation in India is also becoming more stringent. In 2016, the RBI asked banks
to put in place board-approved, robust cyber-risk management systems. The regulator has also set
norms that put losses due to cyber-attacks almost exclusively on banks. Most importantly, the draft
Personal Data Protection Bill, 2018, has proposed that for breach of personal-data protection,
banks would face penalties similar to those under the GDPR.
For example, the General Data Protection Regulation (GDPR) in the EU imposes a penalty of up to
€20 million, or up to 4% of the annual worldwide turnover, for violation of norms.
(C) Answers to Multiple Choice Questions
(i) (b)
(ii) (a)
(iii) (d)
(iv) (b)
(v) (d)
(vi) (d)
(vii) (b)
(viii) (a)
(ix) (b)
(x) (a)
Answers to Case Study Three
(A) The type of risks being faced by a Multinational Company (MNC) in country ABC in the following
situations:
(i) Nationalization or Expropriation Risk: This is the most common form of risk, wherein the host
country takes over the business of MNCs without or with inadequate compensation.
(ii) Exchange Control Risk: This form of risk prevents MNCs from converting their earnings from
local currency to foreign currency in order to repatriate them to the home country of the MNCs.
Due to this restriction, even investors in the MNCs' business suffer a lot.
(iii) Taxes, Rule and Regulation Risk: This risk arises mainly due to a sudden or dramatic change in
the rules and regulations governing the host country.
(iv) Inefficient Legal System: A high level of red tapism and corruption at local and higher levels
poses a serious risk for MNCs operating in the host country as it leads to uncertainty and high
cost of operation.

(v) Repudiation of Contracts: This type of risk arises on account of revocation of earlier awarded
turnkey projects by the Government of the host country without adequate consideration and damages.
This risk is also called indirect expropriation risk.
(B) This is one of the simplest techniques for country risk assessment to rank the countries. The methods
employed are:
(i) Numeral Coding: In this method, after considering various factors, a number is assigned to a
country. While the highest number indicates lesser risk, the lowest number indicates higher risk.
(ii) Colour Coding: Different colours can be used to indicate the level of country risk. While Red Colour
indicates higher risk, Green Colour indicates a risk free zone.
(iii) Combination of Numeral and Colour: A combination of colour and numeral is also used to
indicate relative level of country risk.
(iv) Other Methods: In addition to above, other methods can also be used which are as follows:
(a) Grade Based Rating – A grade can be assigned in the way that S & P, Moody’s and Fitch assign
ratings. For example, while the USA has been assigned ratings of Aaa, AA+ and AAA by these
agencies respectively, indicating a safer zone, Venezuela has been assigned ratings of Caa, B-
and C, indicating a riskier zone.
(b) Event Driven – A very specific negative event, such as removal of the current government by
the military or sovereign default etc., is assessed with its probability of happening.
For example, for India, due to its democratic system, the possibility of taking over of
Government by military is rare and hence 0% probability can be assigned for this happening.
On the other hand, for the same event, 70% probability can be assigned in case of Pakistan.
(C) In view of the mistakes mentioned in question, the bank can mitigate its credit risk as follows:
(a) Risk-based pricing: Where the lender feels that the borrower is more likely to default, the lender
may increase the interest rate. This is called risk-based pricing. In this method the probability
of default is hedged with the incremental interest rate. This type of method may not provide good
worth in today’s market considering the competitiveness.
(b) Credit insurance: The lender may purchase credit insurance, under which the risk is
transferred from the lender to the issuer on payment of a certain amount. The best example is
housing loan insurance, where the lender asks the borrower to purchase the requisite insurance
to ensure the mortgage is secured. This will ensure that, in case the borrower defaults, the
lender can recoup the loan by way of such insurance.
(c) Tightening: Under this method, the lender may tighten the norms of lending, including the amount
to be lent. For example, the lender may mitigate the credit risk by reducing the payment period
from 45 to 30 days. Reducing the credit period will provide early warning indicators to the lender
to analyze and act upon the situation.
(d) Diversification: Lenders may lend to a number of small borrowers (kinds of borrower) instead, to
diversify the lending pool. This approach will help the lender to diversify the risk associated with
each credit line extended. For example, a high credit rating borrower ultimately funds the low
credit risks.
(e) Covenants: The lender may put in place some covenants, like periodic review of financial
position, or repayment of the loan in full in case of certain events, such as when the debt coverage
ratio shows improvement. Sometimes, the lender also performs an independent audit on the
business operation with the proper consent and according to the contractual agreements.
(f) Consult with professionals: It is the responsibility of the bank, in the interest of its customers, to
take the advice of banking experts from time to time and take corrective measures wherever
required.

(g) Ensuring that collaterals are of required standards: it is the duty of top banking officials to
ensure that the collaterals are not substandard. It may be recalled that one of the leading causes
of the Sub-prime crises was granting of loans on the basis of sub-standard collaterals.
(D) Some of the sound practices which aim to help national authorities and firms to continue to improve their
risk governance from the point of view of Board of Directors and Audit Committee are discussed as
below:
(i) The Board of Directors
(a) avoids conflicts of interest arising from the concentration of power at the board (e.g., by having
separate persons as board chairman and CEO or having a lead independent director where
the board chairman and CEO are the same person);
(b) comprises members who collectively bring a balance of expertise (e.g., risk management and
financial industry expertise), skills, experience and perspectives;
(c) comprises largely independent directors and there is a clear definition of independence that
distinguishes between independent directors and non-executive directors;
(d) sets out clear terms of references for itself and its sub-committees (including tenure limits for
committee members and the chairs), and establishes a regular and transparent
communication mechanism to ensure continuous and robust dialogue and information sharing
between the board and its sub-committees;
(e) conducts periodic reviews of performance of the board and its sub-committees (by the board
nomination or governance committee, the board themselves, or an external party); this
includes reviewing, at a minimum annually, the qualifications of directors and their collective
skills (including financial and risk expertise), their time commitment and capacity to review
information and understand the firm’s business model, and the specialised training required
to identify desired skills for the board or for director recruitment or renewal;
(f) sets the tone from the top, and seeks to effectively inculcate an appropriate risk culture
throughout the firm;
(g) is responsible for overseeing management’s effective implementation of a firm-wide risk
management framework and policies within the firm;
(h) approves the risk appetite framework and ensures it is directly linked to the business strategy,
capital plan, financial plan and compensation;
(i) has access to any information requested and receives information from its committees at least
quarterly;
(j) meets with national authorities, at least quarterly, either individually or as a group.
(ii) The audit committee
(a) is required to be a stand-alone committee, distinct from the risk committee;
(b) has a chair who is an independent director and avoids “dual-hatting” with the chair of the
board, or any other committee;
(c) includes members who are independent;
(d) includes members who have experience with regard to audit practices and financial literacy
at a financial institution;

(e) reviews the audits of internal controls over the risk governance framework established by
management to confirm that they operate as intended;
(f) reviews the third party opinion of the design and effectiveness of the overall risk governance
framework on an annual basis.
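(E) Using Bayes Theorem:
$$P(\text{Neutral} \mid \text{Constant}) = \frac{P(\text{Constant} \mid \text{Neutral}) \times P(\text{Neutral})}{P(\text{Constant})}$$
$$= \frac{0.2 \times 0.3}{(0.1 \times 0.2 + 0.2 \times 0.3 + 0.15 \times 0.5)} = \frac{0.06}{0.02 + 0.06 + 0.075} = \frac{0.06}{0.155} = 0.387$$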

(F) Answers to Multiple Choice Questions


(i) (b)
(ii) (d)
(iii) (d)
(iv) (b)
(v) (c)
(vi) (d)
(vii) (b)
(viii) (d)
(ix) (c)
(x) (c)

MTP August 2018 Query Sheet

Case Study 1
(A) How can we write such answers?

(Portfolio Risks- key portfolio features are given and we have to frame the answer from the Case
study. Purely Conceptual Based on - Diversification of Risk and Portfolio Risk)

(B) Multiple Choice Questions:

(i)- Direct answer from page no. 1.05 of ICAI SM.


(ii)- Direct answer from page no. 1.07 of ICAI SM.
(iii)- Direct answer from page no. 2.05 of ICAI SM.
(iv)- Direct answer from page no. 3.11 of ICAI SM.
(v)- Direct answer from old chapter 4 of ICAI SM.
(vi)- Direct answer from page no. 5.05 of ICAI SM.
(vii)- Direct answer from page no. 6.28 of ICAI SM.
(viii)- Direct answer from page no. 7.01; +7.02 of ICAI SM.
(ix)- Direct answer from page no. 8.07 of ICAI SM.
(x)- Direct answer from page no. 5.06 of ICAI SM.

Case Study 2
A. (i) Manageable answer from page 1.06; + 1.19 of ICAI SM.
(ii) Related to a case study. Can be easily answered if you have read the case study carefully.

B. (i) Related to concepts of Chapter 9 and related to the case study. Manageable.
(ii) Answers are mostly there in the case study. A careful read through the case study is required.
(iii) Answer is mostly there in the question part of the case study. A careful read through the case
study is required.

C. Multiple-choice Questions
(i) Direct answer from page no. 2.07 of ICAI SM.
(ii) Direct answer from page no. 1.10 of ICAI SM.
(iii) Direct answer from page no. 1.09 of ICAI SM.
(iv) Direct answer from page no. 1.14 of ICAI SM.
(v) Direct answer from page no. 5.12; +5.13 of ICAI SM.
(vi) The correct option should be Causal instead of Casual, and therefore, it is kind of
common sense that causal/factor analysis helps to relate the characteristics of an event
to the probability of operational losses.
(vii) Direct answer from page no. 1.17 of ICAI SM.
(viii) Direct answer from page no. 2.05 of ICAI SM.
(ix) Direct answer from page no. 1.09 of ICAI SM.
(x) Direct answer from page no. 3.02 of ICAI SM.



Case Study 3
A.

(i)- Direct answer from page no. 5.15 of ICAI SM. (Types of Risk)
(ii)- Direct answer from page no. 5.16+5.17 of ICAI SM. (Quantitative Tools to assess the above risks)

B. Direct answer from page no. 6.12 of ICAI SM. (Credit Risk Mitigation)

D. Direct answer from page no. 7.03+7.04 of ICAI SM. (Sound Practices to improve Risk Governance)

E. Easy calculation, formula based question from old chapter 4 of ICAI SM. (Probability)----Not in the
syllabus now

F. Multiple Choice Questions:

(i) Direct answer from page no. 5.08 of ICAI SM.


(ii) Based on your basic conceptual knowledge and common sense.
(iii) Direct answer from page no. 6.02+6.03 of ICAI SM.
(iv) Direct answer from page no. 6.20 of ICAI SM.
(v) Direct answer from page no. 7.01+7.02 of ICAI SM.
(vi) Direct answer from page no. 7.15 of ICAI SM.
(vii) Direct answer from page no. 9.08 of ICAI SM. The answer should be (d) and not (b) since Internal
Audit is the third line of defence and not the Audit Committee.
(viii) Direct answer from page no. 9.31 of ICAI SM.
(ix) Calculation based question; formula given on page 6.28 of ICAI SM.
(x) Calculation based question; formula given on page 6.29 of ICAI SM.



DISCLAIMER

The Suggested Answers hosted on the website do not constitute the basis for evaluation of the
student’s answers in the examination. The answers are prepared by the Faculty of the Board of
Studies with a view to assist the students in their education. While due care is taken in preparation
of the answers, if any error or omission is noticed, the same may be brought to the attention of the
Director of Board of Studies. The Council of the Institute is not in any way responsible for the
correctness or otherwise of the answers published herein.

Further, in the Elective Papers which are Case Study based, the solutions have been worked out on
the basis of certain assumptions/views derived from the facts given in the question or language used
in the question. It may be possible to work out the solution to the case studies in a different manner
based on the assumptions made or views taken.

FINAL (NEW) EXAMINATION: NOVEMBER, 2018

PAPER-6A – RISK MANAGEMENT

The Question paper comprises three case study questions. The candidates are required
to answer any two case study questions out of three.
Answers in respect of Multiple Choice Questions are to be indicated in capital letters, i.e. A or
B or C or D as the case may be.
Candidates may use calculator
CASE STUDY: 1
1.1 ABC Co. Ltd. is a manufacturing company and is listed. It has 10000 workers and 1200
employees. The Company is subject to Ind AS 19 in respect of its employee benefits which
include gratuity.
Ind AS 19 is an Accounting Standard applicable to companies which are required to
measure and disclose the amount of accrued liability (Present Value of Benefit Obligation)
in respect of employee benefits in statements of accounts.
As per the Accounting Standard, the accrued liability in respect of employee benefits can
be determined using actuarial principles. Accordingly, the Company engaged an actuary
for the purposes of Ind AS 19.
The Company is liable to make payment of gratuity benefit to its employees as per the
Payment of Gratuity Act, 1972. As per the Act, the gratuity benefit is determined using a
formula, which is [15/26] x monthly salary (which is relevant for gratuity calculation) x
number of completed years of service at the date of cessation of service of the employee.
There are terms and conditions mentioned in the Act for payment of gratuity benefit, with
which the Company is required to comply.
The Company engaged Mr. X, a consultant actuary, to get the actuarial reports certified by
Mr. X as per Ind AS 19 for the last two years.
After submission of the actuarial report by Mr. X, in the third year, Auditors (who were
recently appointed by the Board) observed that Mr. X does not hold any certificate of
fellowship issued by the Indian Actuarial professional body. They pointed this out and qualified
the Accounts in their Auditors' Report. They also observed that Mr. X's reports were
accepted during the last two years.
Since the Management is worried over GRC (Governance, Risk and Compliance), the CRO
(Chief Risk Officer) was asked to address the issue pointed out by the Auditors and submit
a report to the Company giving details of the risks and how they can be mitigated.
Now, you are recently appointed as the CRO and you are asked to draft the Report to be
submitted to the Board, and the Report should include:
(a) What is the type of risk the Company is subjected to?
(b) What is the impact of the risk on the Company's performance?


(c) What are the recommendations to mitigate the risks?


(d) What preventive measures could be taken while engaging various professionals in
future, such as engineers, surveyors, valuers etc., who will be required to certify as
per the statutory requirements? (30 Marks)
Choose the accurate or near accurate answer in the following Multiple-Choice Questions.
(10 x 2 Marks = 20 Marks)
(1.2) Cyber Risk broadly refers to the risks an organization is exposed to, due to a situation
where its data or network systems or its transactions are disrupted, compromised by an
intrusive access from a/an
(A) Bug in computer
(B) Virus
(C) External entity
(D) None of the above
(1.3) Automated controls are dependent on a:
(A) Manual check
(B) Predefined system check
(C) Predetermined check
(D) None of the above
(1.4) Financial loss of Rs. 6 lacs is given risk grading/rating, which is:
(A) High
(B) Low
(C) Medium
(D) Border
(1.5) The following is the Section of the Companies Act, 2013 that instructs that the Audit
Committee shall review the risk management procedures implemented by the
Management:
(A) 177
(B) 134
(C) 315
(D) None of the above
(1.6) The following aspect does not indicate the risk maturity of an organization:
(A) Business objectives are defined and communicated across the organization.


(B) Risk appetite is defined and communicated across the organization.


(C) Control environment is strong including tone from the top.
(D) None of the above
(1.7) Risk management in an organization minimizes the impact of risk on the business with the
help of the following person, but does not give a guarantee that the organization becomes risk
free:
(A) A company secretary
(B) An internal auditor
(C) An actuary
(D) A chief risk officer
(1.8) Brexit impact scenario has the following associated principal risk:
(A) Brand, Reputation and Trust
(B) Data Security and Data Privacy
(C) Political, Regulatory and Compliance.
(D) None of the above
(1.9) A FICO score of 750 means:
(A) 1% of chance of default
(B) 2% of chance of default
(C) 8% of chance of default
(D) 61% of chance of default
(1.10) In Quantitative Techniques of Credit Risk Management, Beta is a measure of:
(A) the volatility
(B) an investment's excess return
(C) the active return on an investment
(D) None of the above
(1.11) Credit insurance is an insurance policy offered for sale to persons in the market and is a
type of :
(A) life insurance
(B) property and casualty insurance
(C) health insurance
(D) reinsurance


Answer to Case Study 1


1.1 To: The Board of Directors, ABC Co. Ltd.
From: Chief Risk Officer
Date: 13 November 2018
Subject: Analytical Report on Risks Involved
Executive Summary
The Company is subject to Ind AS 19 in respect of employee benefits, which include Gratuity.
In order to meet the disclosure requirements of the Accounting Standard, it is required to measure
and disclose the amount of accrued liability (Present Value of Benefit Obligation) in respect
of employee benefits.
Accordingly, around three years back the Company engaged Mr. X to submit the Actuarial
Report. For the last two years the reports submitted by Mr. X were accepted by the
Auditors of the Company without any objection, but this year the Auditor observed that Mr. X
does not hold any certificate of fellowship issued by the Indian Actuarial professional body and
qualified the Auditor’s Report.
Report of Key concerns raised
This analytical report covers the reply on the various concerns raised by the Board of
Directors.
(a) What is the type of the risk the Company is subject to?
The risk arising from this lapse is ‘Legal Risk’ or ‘Compliance Risk’ as it is resulting
from the failure to comply with statutory or legal requirements.
(b) Impact on Company’s Performance
The various types of impacts on the company’s performance are as follows:
(i) Bringing bad name and reputation for the Company.
(ii) Over- or understatement of Profit or Loss in the Income Statement of the Company,
leading to wrong decisions by the Company itself and external parties.
(iii) Wrong financial position of the Company in the Balance Sheet.
(iv) Due to wrong calculation of profit, the Company may have paid wrong dividend in
previous years.
(v) Wrong computation of Cash Flows of the previous years and consequently
leading to wrong budgeting figures.
(vi) Wrong decision based on wrong budgeted figures.
(c) Recommendations to Mitigate such Risks
The recommendations to mitigate such risks are as follows:


1. A dedicated team of experts in the Compliance Department should be employed.


2. A comprehensive management framework can be employed which is designed
to:
➢ Be aware and interpret the changes in the Regulatory Standards and
Compliances and assess their impact on decision making in a time bound
manner.
➢ To ensure continued Operational efficiency and effectiveness of business
processes, risks, compliance process and control mechanism should be
converged.
➢ Assigning of single point of accountability for compliances of various regulatory
requirements in the organization.
(d) Preventive Measures to be taken before engaging various professionals in
future:
1. Thorough verification of documents submitted in support of Qualification and
Experience.
2. Checking the required Qualification as prescribed by applicable Regulation or
Standard.
3. Seeking Letter of Recommendation from any previous employer.
4. Rotation in the appointment of professionals.
Signed
Chief Risk Officer
1.2 (C)
1.3 (B)
1.4 (B) or (C)
1.5 (A)
1.6 (D)
1.7 (D)
1.8 (C)
1.9 (B)
1.10 (A)
1.11 (B)


CASE STUDY: 2
(2.1) Quality Paper Mills Limited is an unlisted company formed in the year 2003 having the
head office and factory situated at Visakhapatnam. It was manufacturing and selling
papers. The manufacturing of paper was based on bamboo and soft wood.
Some key Profitability Ratios for the FY 2011-12 were:
Percentage of profit after tax to:
Sales 1.84
Fixed Assets 0.83
Capital Employed 1.09
Net-worth 2.01
Equity Capital 3.27
Due to various issues such as, insufficient availability of raw materials, labour unrest,
power problems, environmental pollution etc., the Company stopped production in the
month of March, 2012.
The Company owned a total land of 38 acres as on 31st March, 2012 in which the factory
and office were situated. It sold 5 acres of vacant land for Rs. 3 crores and settled the Bank
dues, outstanding wages and statutory liabilities during September 2012.
Extract from Balance Sheet as on 31st March, 2018 (Rs. in crores)
Investments (in the form of shares, debentures, units in mutual funds)    2.00
Land (at cost)                                                            3.00
Other fixed assets                                                        1.50
Liabilities                                                               Nil
Equity capital                                                            1.00
In April, 2018, the Managing Director of the Company, Mr. Ajit, got the approval of the
Board to revive the Company. He appointed a project consultant to conduct a feasibility
study and also to come out with alternate proposals.
The consultant, after a 3-month study, came out with the following proposals.
Proposal 1 :
To demolish all the buildings and construct residential villas, apartments and independent
houses and sell them to the public.


Projections of Proposal 1
Project time 3 years
Total sales price Rs. 30 crores
Cost of construction Rs. 20 crores
Other expenses (including interest) Rs. 6 crores
3-year Term Loan from Bank Rs. 10 crores
Profit Rs. 4 crores
Suitable modifications to be done in Memorandum and Articles of Association of the
Company. Necessary approvals to be obtained from the Town Planning authorities of the
State government.
Proposal 2 :
To commence paper manufacturing using sugarcane bagasse, which is used as a
substitute for bamboo and soft wood for the production of paper pulp. It is estimated that
30% wet bagasse could be obtained from crushing sugarcane. There are a lot of sugar
mills that are around the place and it may not be a problem to obtain such raw material.
After removing pith (waste fiber) and leftover sugar from the wet bagasse, it could be
converted to pulp. Since sugarcane production is seasonal, suitable preservative
arrangements for the bagasse are to be undertaken.
Since the Company was already producing paper using bamboo and soft wood, it was
suggested to have 20% of total production by using the existing machinery after sufficient
reconditioning. The consultant also suggested to manufacture (i) boards and (ii) newsprint
paper besides production of papers, as there is a growing market both in India and foreign
countries.
Key factors of Proposal 2 (Rs. in crores)
Cost of new machineries                                              10.00
Infrastructure development expenditure etc. (laying of roads and
conversion of meter-gauge rails to broad-gauge rails in the factory)  3.00
Cost towards revamping old machineries                                1.25
Initial cost towards purchase of raw materials                        1.00
Renovation expenses of staff quarters, office and factory buildings   2.30
Other expenditure                                                     2.45
TOTAL COST                                                           20.00
This was proposed to be met as under:
Fresh share capital from existing shareholders                        2.00


Sale of 8 acres of unused land                                        6.00
Sale of Investments                                                   2.00
Bank Term Loan (Rs. 6 crores) and Working capital loan (Rs. 4 Crore) 10.00
Production can be commenced in Sep. 2019
Projections made (Rs. in crores):
Financial Year                                2019-20  2020-21  2021-22  2022-23  2023-24
Sales                                            5       15       25       36       47
Income after interest, tax and depreciation   -1.00     0.90     1.50     2.40     3.00
The vision of Mr. Ajit is to look forward to the things that the Company could do and not
look back at things that could not be undone.
Hence, he gave his consent to Proposal 2, but he was not prepared to sell the investments.
The project consultant and Mr. Ajit had initial discussion with the Bank. The bankers
principally agreed to the proposal but wanted to know (i) the basis of various calculations
and ratios and the underlying statistical methods employed in order to ascertain the credit
risks, (ii) whether the risk management objectives chosen by the Company to frame the
risk management approach has been done after performing a thorough analysis of process
of risk management cycle by systematically conducting risk identification, risk assessment
and risk mitigation.
Mr. Ajit had the following concerns:
Whether proper risk assessment is done and all types of risks are properly assessed by
the consultant to ensure that the risks are within the tolerable limits (as he inherently felt
that he is taking a lot of risk in reviving the Company)?
While making exports, whether issues are properly addressed in settlement of export bills
in foreign currencies as there is a greater volatility in foreign exchange markets?
Proper risk management exercise to be done to find and communicate key business
weaknesses, threats and opportunities to all levels of management by making them aware
of enterprise-wide risks.
National and international standards are studied and the best of them applied in risk
management techniques.
The auditors would look into the internal controls in various strategic and operational areas
including the controls over financial reporting.
Contingencies and unfavourable conditions are foreseen to the extent possible and
measures are in place which could be invoked at such times.


Proper Corporate Governance framework is developed keeping in mind the
macroeconomic changes, market situation and legislative requirements, besides
promoting adequate disclosures and transparency.
The managing director has approached you, a risk management specialist, to answer the
following questions:
(a) As the Managing Director is concerned whether national and international standards
are studied and could be applied in risk management techniques of the Company,
explain the principles as recommended by OECD for effective implementation of risk
management. (6 Marks)
(b) Write the formulae and calculate (i) variance and (ii) standard deviation for the series
of numbers 2, 3, 6, 9, 10. (4 Marks)
(c) The Managing Director is interested to know the functions of Risk Management.
Explain the same. (6 Marks)
(d) Define (i) Business Risk, (ii) Internal Control, (iii) Significant Risk according to SA 315
and (iv) Internal Financial Controls as per Companies Act, 2013. (4 Marks)
(e) The Company has presented the loan proposal to the bank. What are the basic
principles on which the credit risks of the Company would be assessed by the bank?
(6 Marks)
(f) The Management wants to act early and take right decisions by following a holistic
risk management framework. List the benefits of the same. (4 Marks)
Choose the accurate or near accurate answer in the following Multiple Choice Questions.
(10 x 2 Marks = 20 Marks)
(2.2) Which one of the following would LEAST likely be included as a source of market risk?
(A) Natural disasters
(B) Technological changes
(C) Recessions
(D) Political turmoil
(2.3) The Bank, in the process of approving the loan proposal, conducts stress tests for
securitised assets as per the Basel Committee on Banking Supervision. Which of the following
would NOT be considered in such an exercise?
(A) The risk control structure of the company
(B) Relevant contractual arrangements and embedded triggers
(C) Exposure to systematic market factors of such assets
(D) The underlying assets

PAPER – 6A: RISK MANAGEMENT 11

(2.4) Strategic risks are associated with (as per ICAI's Standard of Internal Audit) the following
purpose, objectives and direction of business:
(A) Short-term purpose
(B) Medium term purpose
(C) Long-term purpose
(D) None of the above
(2.5) The managing director wanted to know the difference between Risk Capacity and Risk
Appetite. It can be BEST described as
(A) Risk Appetite is the overall ability and financial boundary above which the Board can
play their business bets; whereas Risk Capacity is the hard stop limit above which
the Board would like to restrict its business actions.
(B) Risk Capacity is the overall ability and financial boundary within which the Board can
play their business bets; whereas Risk Appetite is the hard stop limit within which the
Board would like to restrict its business actions.
(C) Risk Appetite is the overall ability and financial boundary within which the Board can
play their business bets; whereas Risk Capacity is the hard stop limit within which the
Board would like to restrict its business actions.
(D) Risk Capacity is the overall ability and financial boundary above which the Board can
play their business bets; whereas Risk Appetite is the hard stop limit above which the
Board would like to restrict its business actions.
(2.6) A company's decision to move into immature or emerging markets or to launch products
outside its core competencies is BEST known as
(A) Uncertainty
(B) Ambiguity
(C) Complexity
(D) Volatility
(2.7) The global risk indicators, according to the World Economic Forum, that are currently in
trend do not include:
(A) Increasing disparity between the rich and poor.
(B) Global warming and climate changes.
(C) Terrorism leading to intensified nationalism and regional conflicts.
(D) None of the above
(2.8) In an organisation having high risk-maturity, the internal auditor would need to:
(A) consult by promoting and advising on identification of and response to risks.


(B) evaluate all types of risks impacting all categories of stakeholders and find solutions
to pre-empt the threats before the risk occurs.
(C) concentrate more on carrying out process audits of the risk management processes.
(D) update their risk management processes as they become aware of new or developing
practices.
(2.9) Which one of the following economic variables would be CHIEFLY used to identify
sovereign risk in advance?
(A) Ratio of Import to its Export
(B) Expropriation Risk
(C) Inefficient Legal System
(D) Exchange Control Risk
(2.10) In case of Impact of Business Risk, the Impact area of 'customer' has the following nature
of impact:
(A) Morale
(B) Loyalty
(C) Loss of confidence
(D) Defaults
(2.11) According to ISO 31000 on keys to ERM implementation, which one of the following keys
would provide an opportunity to change and further tailor ERM processes?
(A) Leverage existing resources
(B) Winning support and sponsorship from the top management is a precursor
(C) Building ERM using small but solid steps
(D) Focus on a simple risk model with small number of Top Risks
Answer to Case Study 2
2.1 (a) While discharging the roles and responsibilities associated with the risk function, the
Risk Managers and Risk Committees should refer to the principles recommended by
OECD. The principles are re-produced hereunder: -
1. It should be fully understood by regulators and other standard setters that
effective risk management is not about eliminating risk taking, which is a
fundamental driving force in business and entrepreneurship. The aim is to
ensure that risks are understood, managed and, when appropriate,
communicated.
2. Effective implementation of risk management requires an enterprise-wide
approach rather than treating each business unit individually. It should be


considered good practice to involve the board in both establishing and
overseeing the risk management structure.
3. The board should also review and provide guidance about the alignment of
corporate strategy with risk-appetite and the internal risk management structure.
4. To assist the board in its work, it should also be considered good practice that
risk management and control functions be independent of profit centers and the
“chief risk officer” or equivalent should report directly to the board of directors
along the lines already advocated in the OECD Principles for internal control
functions reporting to the audit committee or equivalent.
5. The process of risk management and the results of risk assessments should be
appropriately disclosed. Without revealing any trade secrets, the board should
make sure that the firm communicates to the market material risk factors in a
transparent and clear fashion. Disclosure of risk factors should be focused on
those identified as more relevant and/or should rank material risk factors in order
of importance on the basis of a qualitative selection whose criteria should also
be disclosed.
6. With few exceptions, risk management is typically not covered, or is insufficiently
covered, by existing corporate governance standards or codes. Corporate
governance standard setters should be encouraged to include or improve
references to risk management in order to raise awareness and improve
implementation.
(b) Variance is the second moment of the distribution and one of the most common
measures of dispersion. It is basically the deviation from the mean.

$$\mathrm{Var}(X) = \frac{\sum (X - \mu)^2}{n}$$

The square root of Variance is the Standard Deviation. It is denoted by σ (sigma).

$$\sigma = \sqrt{\frac{\sum (X - \mu)^2}{n}}$$
Standard Deviation of Series

X            (X - µ)    (X - µ)²
2            -4         16
3            -3         9
6             0         0
9             3         9
10            4         16
Total = 30              50

Mean (µ) = 6

$$\mathrm{Var}(X) = \frac{50}{5} = 10$$

$$\text{Standard Deviation } (\sigma) = \sqrt{\frac{50}{5}} = 3.16$$
(c) Functions of Risk Management
(i) It is independent of business lines (i.e. it is not involved in revenue generation)
and reports to the CRO;
(ii) It has authority to influence decisions that affect the firm’s risk exposures;
(iii) It is responsible for establishing and periodically reviewing the enterprise risk
governance framework which incorporates the Risk Appetite Framework (RAF),
Risk Appetite Statement (RAS) and risk limits.
(I) The RAF incorporates an RAS that is forward-looking as well as information
on the types of risks that the firm is willing or not willing to undertake and
under what circumstances. It contains an outline of the roles and
responsibilities of the parties involved, the risk limits established to ensure
that the framework is adhered to, and the escalation process where
breaches occur.
(II) The RAS is linked to the firm’s strategic, capital, and financial plans and
includes both qualitative and quantitative measures that can be aggregated
and disaggregated such as measures of loss or negative events (e.g.,
earnings, capital, and liquidity) that the board and senior management are
willing to accept in normal and stressed scenarios.
(III) Risk limits are linked to the firm’s RAS and allocated by risk types, business
units, business lines or product level. Risk limits are used by management
to control the risk profile and linked to compensation programmes and
assessment.
(iv) It has access to relevant affiliates, subsidiaries, and concise and complete risk
information on a consolidated basis; risk-bearing affiliates and subsidiaries are
captured by the firm wide risk management system and are a part of the overall
risk governance framework;
(v) It provides risk information to the board and senior management that is accurate
and reliable and periodically reviewed by a third party (internal audit) to ensure
completeness and integrity;


(vi) It conducts stress tests (including reverse stress tests) periodically and by
demand. Stress test programs and results (group-wide stress tests, risk
categories and stress test metrics) are adequately reviewed and updated to the
board or risk committee. Where stress limits are breached or unexpected losses
are incurred, proposed management actions are discussed at the board or risk
committee. Results of stress tests are incorporated in the review of budgets,
RAF and ICAAP processes, and in the establishment of contingency plans
against stressed conditions.
(d) (i) Business Risk according to SA 315: A risk resulting from significant conditions,
events, circumstances, actions or inactions that could adversely affect an
entity’s ability to achieve its objectives and execute its strategies, or from the
setting of inappropriate objectives and strategies.
(ii) Internal Control according to SA 315: The process designed, implemented and
maintained by those charged with governance, management and other
personnel to provide reasonable assurance about the achievement of an entity’s
objectives with regard to reliability of financial reporting, effectiveness and
efficiency of operations, safeguarding of assets, and compliance with applicable
laws and regulations.
(iii) Significant Risk according to SA 315: An identified and assessed risk of material
misstatement that, in the auditor’s judgment, requires special audit
consideration.
(iv) Internal Financial Control according to Companies Act 2013: The policies and
procedures adopted by the company for ensuring the orderly and efficient
conduct of its business, including adherence to company’s policies, the
safeguarding of its assets, the prevention and detection of frauds and errors, the
accuracy and completeness of the accounting records, and the timely
preparation of reliable financial information.
(e) Basic Principles on which the bank would assess the loan proposal of the Company
as follows:
(i) Understand the reality: As a lender, you need to ensure that you have made your
customer aware of all the charges and fees associated with the credit which you
are planning to extend to the customer. This is critical, as the customer might take
a negotiating stance to obtain the maximum benefit from your line of credit. The longer
he takes to negotiate, the higher the possibility that the pay-off will be late. So
communicate the implicit and non-implicit costs that are associated with it. Administrative
aspects are also important, as they sometimes drive the business
decision on whether to have a line of credit or not.
(ii) Check the credibility: It may be possible that customer externally looks reliable
to the organization, but that does not mean that the customer has full ability to


pay off appropriately and regularly. You need to understand the credibility that
the customer possesses. For that purpose, the lender organization should rely
on the reports which are available, or it can consider going through the credit
scoring agencies to ensure the customer has the paying ability. Even asking for
the basic information will provide you a rough idea about the credit history of the
customer. It is always better to take the help of professionals during this step.
Engage the professionals and rely on their expertise. During this stage, credit
evaluation is very critical.
(iii) Ask and Check the references: It is absolutely fine to ask the customer for
references; a list of creditable clients is a much more reliable source than anything
else. It is important for the lender organization to understand who has
been giving trade credit in the past and how old the relationships with such
counterparties are. This will establish a pattern to understand whether the customer has a
tendency to maintain business relations or it is just pure business. Also,
asking for references from a third party proves to be an independent source to verify
the commitments made by the customer.
(iv) Due Diligence: When a lender is convinced to provide a line of credit to the
customer, it is his duty to have proper due diligence in place to ensure the line
of credit is being placed in a safe pair of hands. Irrespective of the professionals'
involvement in the due diligence process, the lender still has the moral responsibility to
perform the due diligence on its own. This can be achieved by simply visiting the
website, assessing the market creditability, etc. Basically, publicly sourced
information is pretty useful in such cases.
(v) Recovery: Lender organization or its employee must understand that every
single rupee invested in the customer has cost involved in it. An effort should be
made to ensure that this minimal cost of capital should be recovered from the
customer. This can be achieved by simply asking your prospect for a deposit or
the collateral.
(vi) Nature of business: One should not hesitate to ask about the nature of business
in which the borrower is dealing. This will give a fair idea of the risk exposure
and also provide adequate comfort to the lender.
(f) A holistic risk management framework would empower Board to act early and take
the right decision by:
• Identify top threats to entity and asset protection measures.
• Link risks to more efficient capital allocations and business strategy.
• Develop a common language in the organization for problem solving.
• Effectively respond to an evolving business environment.


2.2 (B)
2.3 (A)
2.4 (C)
2.5 (B)
2.6 (B)
2.7 (D)
2.8 (C)
2.9 (A)
2.10 (B)
2.11 (C)
CASE STUDY: 3
(3.1) Ms. X is new to operational risk management. While analysing the risks of an established
airline based on the Risk Grading /Rating model, she identified the following risks:
(1) Stagnant business growth resulting from competition from other airlines.
(2) Aggressive fleet expansion, which may lead to over-capacities. There are about 170
aircrafts under order, which could also result in massive financial commitments. A
comprehensive feasibility study has been shared by the Company, justifying the
expansion strategy.
(3) Safety standards resulting in crash/disastrous hijacking.
(4) Volatile oil prices. There is a risk of failure to address adequately the challenges of
fluctuating oil prices. Whilst it is usually rising oil prices that hurt airlines, during 2008,
several airlines suffered significant hedging losses as the hedging strategies went
awry, when oil prices plummeted from $147 p/b in July 2008 to $35-40 p/b level.
Please, help Ms. X to classify the above risks, by giving a report to her. (30 Marks)
Choose the accurate or near accurate answer in the following Multiple Choice Questions.
(10 x 2 Marks = 20 Marks)
(3.2) One of the principles of Basel Committee on Banking Supervision Principles for sound
stress testing practices and supervision is:
(A) Stress testing should form an integral part of the overall governance and risk
management culture of the bank.
(B) Stress testing should be done in case of mergers or take overs only.
(C) Stress testing should be done at the direction of Reserve Bank of India only.


(D) None of the above


(3.3) Gini coefficient is an index to measure a country's:
(A) level of corruption.
(B) inequality in income distribution.
(C) level of crimes, violence, military expenditure.
(D) None of the above
(3.4) Repudiation of Contracts is one of the types of Political risks which is faced by a
Multinational Corporation (MNC), and this risk arises on account of:
(A) restrictions on repatriation of currency to its home country.
(B) takeover of its business without or with inadequate compensation.
(C) revocation of earlier awarded turnkey projects by the Government of host country
without adequate consideration and damages.
(D) high level of red tapism.
(3.5) The following one is a financial risk:
(A) The cash flow of an issuer will not be adequate to meet its financial obligation.
(B) A fisherman starting a sea voyage on fishing expedition.
(C) An infant climbing on a window pane.
(D) A student writing the examination.
(3.6) The following one is not a technique of Risk Management Techniques:
(A) Tolerate
(B) Transfer
(C) Terminate
(D) None of the above
(3.7) The probability of rolling double-sixes is, assuming the two dice are independent:
(A) 1/6
(B) 1/36
(C) 1/216
(D) 1/12
(3.8) If a long term instrument is rated as "B", this means that instrument carries:
(A) Highest Safety
(B) High Risk


(C) Very High Risk


(D) None of the above
(3.9) As per the RBI's framework, SMA (Special Mention Account) with sub category 1 (SMA-1)
denotes:
(A) Principal or interest payment overdue between 31-60 days.
(B) Principal or interest payment overdue between 61-180 days.
(C) Principal or interest payment not overdue for more than 30 days.
(D) None of the above
(3.10) Mutual Fund A gives 12% return over the past year and had a standard deviation of 10%.
The risk free return over the time period was 3%. The Sharpe Ratio for Mutual Fund A is:
(A) 0.9
(B) 0.1
(C) 0.5
(D) 0.07
(3.11) Project A had total revenue of ₹ 1,00,000, and total expenses of ₹ 50,000. The total
risk-weighted assets involved in the project are ₹ 4,00,000. RORAC (Return on Risk Adjusted
Capital) for the Project A is:
(A) 11.1%
(B) 12.5%
(C) 25%
(D) 5%
Answer to Case Study 3

(3.1) Report to Ms. X


To: Ms. X
From: Chief Risk Officer
Date: 12 May 2018
Subject: Grading/ Bucketing of Various Risks
Introduction
This report covers grading/ bucketing of various identified risks by the client.
Grading of various Risks
(1) Stagnant business growth resulting from competition from other airlines.


Although this risk has a high impact, it has a low probability, as the investment involved in
the Airline business is very huge. Accordingly, this risk often escapes the management's
decision-making, as these types of events cannot be foreseen. Hence, this risk is bucketed in the
category of ‘High Impact – Low Probability’.
(2) Aggressive fleet expansion leading to over-capacities.
Since the Airline has already ordered 170 aircraft, there is a high probability that it will involve
financial commitments, and the impact will also be high. Hence, this risk is bucketed in the
category of ‘High Impact – High Probability’ and it needs immediate and sufficient
attention of management.
(3) Safety Standards resulting in Crash/ disastrous hijacking
Any crash or dangerous hijacking incidents will create negative publicity, poor image
resulting in a decline in revenue and similar consequences.
Whilst the probability is low, the strong impact ought to force the seeking of appropriate
mitigants. Hence, the impact is high and can be classified as ‘Low Probability – High
Impact’. It is suggested to ensure the adequacy of safety systems, to establish the
average age of the aircraft and if necessary, to seek the help of an external expert.
(4) Volatile Oil Prices
Oil price fluctuation is a business risk that has serious implications for the profitability of
the airline business. However, since this affects almost all competitors, the impact can be
considered as low and can be categorized as ‘Low Probability – Low Impact’.
Signed
Chief Risk Officer
3.2 (A)
3.3 (B)
3.4 (C)
3.5 (A)
3.6 (D)
3.7 (B)
3.8 (B)
3.9 (A)
3.10 (A)
3.11 (B)

November 2018 Question Paper Query Sheet
Case Study 1 (Oct 19 MTP CS-1, 5 MCQs are common, first 2 descriptive are same)
1.1- (a) and (b) both are case study-related questions but are manageable if the concept is clear.
(c) and (d) are related to the case study, but they are more knowledge-based, requiring business sense
plus clarity of concepts.

Multiple Choice Questions:

1.2- Refer page no. 9.25 of ICAI SM.
1.3- Refer page no. 9.16 of ICAI SM.
1.4- Refer page no. 2.25 of ICAI SM.
1.5- Refer page no. 9.03 of ICAI SM.
1.6- Refer page no. 8.07 of ICAI SM.
1.7- Refer page no. 8.03 of ICAI SM.
1.8- Refer page no. 7.14 of ICAI SM.
1.9- Refer page no. 6.35 of ICAI SM.
1.10- Refer page no. 6.28 of ICAI SM.
1.11- Refer page no. 6.24 of ICAI SM.

Case Study 2
(May 20 MTP CS-2: case study background is same, 5 MCQs common and descriptive Q is different)

2.1(a)- Refer page no. 2.33 of ICAI SM. (OECD Principles for Effective Implementation of
Risk Management)

2.1(b)- Indirect answer based on ICAI SM of IPCC.

2.1(c)- Refer page no. 7.05 of ICAI SM. (Functions of Risk Management)

2.1(d)- (i) Refer page no. 1.05 of ICAI SM.

(ii)- Refer page no. 9.03 of ICAI SM.

(iii)- Refer page no. 1.04 of ICAI SM.

(iv)- Refer page no. 9.03 of ICAI SM.

2.1-(e)- Refer page no. 6.08+6.09 of ICAI SM.

2.1-(f)- Refer page no. 3.10 of ICAI SM. (Benefits of Holistic Risk Management Framework)

Multiple Choice Questions:

2.2- Refer page no. 1.20 of ICAI SM.


2.3- Refer page no. 5.14 of ICAI SM.
2.4- Refer page no. 1.11 of ICAI SM.
2.5- Refer page no. 3.03+3.04 of ICAI SM.
2.6- Refer page no. 1.15 of ICAI SM.



2.7- Refer page no. 2.19 of ICAI SM.
2.8- Refer page no. 8.07 of ICAI SM.
2.9- Refer page no. 5.16 of ICAI SM.
2.10- Refer page no. 2.23 of ICAI SM.
2.11- Refer page no. 8.05 of ICAI SM.

Case Study 3 (Same as Oct-2019 MTP CS-2)


3.1- Linked to page no. 9.14 of ICAI SM, but conceptual understanding is required for relating with the
case study.

Multiple Choice Questions:

3.2- Refer page no. 5.13 of ICAI SM.


3.3- Refer page no. 5.17 of ICAI SM.
3.4- Refer page no. 5.15 of ICAI SM.
3.5- Refer page no. 1.07 of ICAI SM.
3.6- Refer page no. 3.11 of ICAI SM.
3.7- From ICAI SM old chapter 4 concept
3.8- Refer page no. 6.16 of ICAI SM.
3.9- Refer page no. 6.18 of ICAI SM.
3.10- Refer page no. 6.28 of ICAI SM.
3.11- Refer page no. 6.29 of ICAI SM.



Test Series: March, 2019
MOCK TEST PAPER
FINAL (NEW) COURSE: GROUP – II
PAPER – 6A: RISK MANAGEMENT
Case Study Question Number One
XYZ Textiles Ltd. is a textile company operating in India. It has comprehensive risk management policy. The risk
management inter alia provides for review of the risk assessment and mitigation procedure, laying down
procedure to inform/ report the Board in the matter and for periodical review of the procedure to ensure that
executive management controls risks through a properly defined framework.
During the year, the Audit Committee, which has been designated by the Board for the purpose, reviews the
adequacy of the risk management framework of the company, the key risks associated with the business of the
company and the measures and steps in place to mitigate the same.
1.1 What details you would present at the Board Meeting in respect of key risks affecting the XYZ Textiles
Ltd. (30 Marks)
Choose the correct answers to the following questions: 2 Marks x 10 = 20 Marks
1.2 Auditors have to use the following for risk assessment:
(a) Delphi Approach
(b) Theory of Probability
(c) Judgement and Intuition
(d) None of the above
1.3 GARCH model is the most popular method to estimate:
(a) Severity
(b) Frequency
(c) Volatility
(d) None of the above
1.4 The following is not one of simplest techniques for country risk assessment to rank the countries:
(a) Numeral Coding Method
(b) Colour Coding Method
(c) Event Driven Method
(d) Taxation Method
1.5 Monotonicity is:
(a) the risk of the portfolio which is dependent on assets within the portfolio
(b) the size of the portfolio
(c) the portfolio with greater future returns will likely have less risk
(d) None of the above
1.6 Covenants are
(a) conditions imposed by the lender on the borrower that certain activities will or will not be carried
out.
(b) are transactions to adequately secure should the borrower default.
(c) be insurance contracts purchased by the borrower at the instance of lender.
(d) None of the above
1.7 Economic capital, in relation to a firm, is :
(a) the amount of capital stipulated in the law to commence business.
(b) the amount of capital needed to ensure the solvency for a given risk profile.
(c) the amount of working capital.
(d) None of the above
1.8 ERM is a management process, ultimately owned by the
(a) CEO
(b) Board of Directors
(c) Shareholders
(d) None of the above.
1.9 Phishing is :
(a) a fraud technique to get access to the victim's computer systems.
(b) a technique to create a fraudulent transaction to benefit financially.
(c) a technique to encrypt the entire data on an individual or entity's computer system to ruin the
business.
(d) a financial transaction that an organization performs outside its network
1.10 SMA-1 refers to the following classification basis:
(a) Principal or interest payment not overdue for more than 30 days.
(b) Principal or interest payment not overdue between 31-60 days.
(c) Principal or interest payment not overdue between 61-180 days.
(d) Principal or interest payment not overdue between 181-365 days.
1.11 Chief Risk Officer (CRO) would not perform the following :
(a) Reviews the third-party opinion of the design and effectiveness of the overall risk governance
framework on an annual basis.
(b) Is involved in the setting of risk-related performance indicators for business units.
(c) Is independent of business lines and has the appropriate stature in the firm as his/her
performance, compensation and budget is reviewed and approved by the risk committee.
(d) Meets periodically with the board and risk committee without executive directors or management
present.
Case Study Question Number Two
AFL, an MNC, is the sole producer of ‘Nikhar’ chewing gum, the latest craze in India as a replacement for tobacco.
With increasing sales in some of the previous years, the company has managed to secure all necessary
funding for rapid expansion of its product, as it gained popularity not only in India but also in neighboring
countries such as Bangladesh, Pakistan and Nepal. The factory is situated in a backward district of Haryana.
Recently, an NGO named ‘Nasha Mukt’ started raising misgivings about the product amongst the key sections of
society. There is no regulation that it cannot be sold to people less than 18 years of age, as it
does not have any harmful effect. However, some health professionals have also joined the mission of the NGO
with regard to the long-term effects of the product.
Due to all these reasons, further research on this is planned by the Ministry of Health. The Board of Directors
is hopeful of an increase in its sales amongst adults and also a rise in exports to neighboring countries.
Further, the Board is also interested in introducing advanced technologies that allow different branches
(nodes) to securely propose, validate and record state changes (or updates) to a synchronized ledger
that is distributed worldwide.
However, the Board has little time to combat the issues that are managed at Corporate Level and
concentrate on expansion plans.
AFL has developed an Enterprise Wide approach to risk management, and it is communicated. Also, the Risk
Register is in place.
The Risk Strategy and policy is in place and is communicated, and the Risk appetite is also defined.
2.1 You have been appointed as Chief Risk Officer and asked to prepare a report for Board covering the
following aspects:
(a) Defining the different stakeholders involved and assessing the impact upon them of the Risk.
(5 Marks)
(b) Impact areas and their nature of impacts. (3 Marks)
(c) Available Risk Treatment Options. (3 Marks)
(d) Explaining the Risk Maturity Level of the company. (3 Marks)
(e) Techniques that can be used to track the progress of Risk Management. (2 Marks)
(f) Various types of Political Risks to which company can be exposed to. (4 Marks)
(g) Benefits likely to be derived from a synchronized ledger that is distributed across the network’s
nodes. (4 Marks)
(h) Quantitative tools that can be used to assess the neighboring Country Risk. (4 Marks)
(2 Marks for Report Format)
Multiple Choice Questions 2 Marks x 10 = 20 Marks
2.2 While uncertainty means the existence of more than one possibility, risk is a state of uncertainty where
some of the possibilities may involve an undesirable outcome. Which one of the following statements
correctly describes the above statement?
(a) One may have uncertainty without risk but risk without certainty.
(b) One may have uncertainty without risk but risk without uncertainty.
(c) One may have uncertainty without risk but not risk without certainty.
(d) One may have uncertainty without risk but not risk without uncertainty.
2.3 The risk manager would like to know the risk that refers to ineffective and unethical management of a
company by its executives and managerial levels. The risk is known as:
(a) Staffing Risk
(b) Management Risk
(c) Strategic Risk
(d) Governance Risk
2.4 While taking a decision, the category risk profile bucket that would most likely to escape attention of
the Management is
(a) High Impact-Low Probability
(b) Low Impact-Low Probability
(c) High Impact-High Probability
(d) Low Impact-High Probability
2.5 Before commencement of the project, various risk factors have to be considered for feasibility study. In a
case where a project feasibility is based on a particular land acquisition and the cost of treating it, in terms
of legal fees is much higher, the appropriate recommendation the consultant would provide is to:
(a) Terminate the Project
(b) Treat the project
(c) Transfer the project
(d) Continue the Project
2.6 Which of the following would NOT be included as a principle in determining the risk appetite of the
company?
(a) Risk appetite is not a single, fixed concept.
(b) Risk appetite can be complex.
(c) Risk appetite needs to be measurable.
(d) Risk appetite is about identifying opportunities.
2.7 If Corr (X, Y) = -1, then X and Y have
(a) Perfect positive correlation
(b) No correlation
(c) Perfect negative correlation
(d) None of the above.
2.8 The Manager is considering to employ VaR to quantify the level of financial risk. Which one of the
following is NOT a limitation of VaR ?
(a) not sub-additive
(b) uninformative of tail losses
(c) can encourage diversification
(d) can create perverse incentives structures
2.9 As per BIS capital adequacy rules, banks should operate with a holding period of
(a) one week (or 5 business days)
(b) one week (or 7 days)
(c) two weeks (or 10 business days)
(d) two weeks (or 14 days)
2.10 RAROC is
(a) Return on capital adjusted for inflation.
(b) Risk-based profitability measurement framework.
(c) Return on gilts
(d) None of the above
2.11 Annual Report of the Board of Directors must include a statement indicating the development and
implementation of a risk management policy for a company. This is mandated by
(a) SEBI through 'Issue of Capital and Disclosure Requirements Regulations'
(b) Information Technology (Amendment) Act, 2008
(c) Companies Act, 2013
(d) Prevention of Money Laundering Act, 2002.
Case Study Question Number Three
About the Company
ABC Limited is a public limited company incorporated in the year 2003. It has the registered head office in
Bhubaneswar, Odisha. The Company has iron ore mines situated in five places in the State. The main
business of the Company is extraction and sale of iron ore to many iron and steel industries both inside and
outside states.
The Company has decided to diversify its business in trading of shares. Also, the Company is considering
the possibility of setting up a Non-Banking Finance Company. For these purposes, the Company is in the
process of doing feasibility studies.
Risk Manager
The Company has approached you, being a senior Risk Manager, to look into the proposals. The role performed
by you would include:
• To gather regular risk management related information from external and internal sources.
• Identify the problems and provide possible solutions to the various issues arising in the risk management.
• To effectively manage specific risk circumstances.
• To monitor the risk of Anti-Money Laundering (AML).
• To monitor the investment portfolio and to analyse the unfavourable movements.
• Advise and make recommendations to the management in the matters of identifying the risks and
quantifying the same.
• Help the management in designing and implementing various risk management strategies and their related
processes in the banking & investment portfolio and to suggest improvements.
• Get updated with the advances happening in the relevant software technology.
• Have a detailed understanding and knowledge of the credit, operational and market risks of the portfolio
and also the software tools used to assess them.
• Understand and reduce the exposures in financial risks by using strategies such as hedging, credit default
swap, insurance etc.
• Proactively analyse the market trends for finding out opportunities in expanding the portfolio.
• Adhere to various laws, procedures relating to the financial operations.
• Gather various information relating to the operations of NBFC in India including credit risk management and
the underlying Guidelines of RBI with respect to capital adequacy norms, provisioning etc.
Required by the Risk Manager
In order to have a better understanding of the risk factors involved thereon, the Risk Manager needs a
better understanding on the following issues:
(i) The purchase order for a script would be authorised by a manager. The risk manager is concerned
about the manager authorising the order for a wrong script instead of the intended one. Thus, he is
interested to learn the controls placed and, if any weakness is found, he wants to strengthen the same.
(ii) A machine learning program dynamically responds to change in data / situation by changing the rules
that govern the behavior and the algorithm "learns" from new data inputs and gets better over time.
The risk manager tries to explore the possibility of employing a new software towards the same.
(iii) Calculation or measuring the loss in the value of the portfolio in a given period of time for a distribution
of historical returns.

(iv) The risk manager is interested to find out as to how the portfolio would fare during the period of a
financial crisis. He is also interested to build the stress testing capabilities and to explore the ways of
using them to meet the broader risk management and business objectives.
(v) The rules and regulations existing in a foreign country and also the risk factors involved with reference
to the investment climate of that country that are to be considered before buying shares of a foreign
company.
(vi) While applying for a bank loan for the expansion of the portfolio, the parameters of credit risk that the
bank might consider and also the credit scoring model that might be applied by the bank, while
approving such loan to the company. The Company would be offering some of its immovable
properties as collateral to the proposed loan with the bank.
(vii) The certainty equivalence is a guaranteed return that the management would accept rather than
accepting a higher but uncertain return. The risk manager would like to explore the possibility of
"certainty equivalent” technique.
(viii) Effectively employing big data analytics in analysis of various transactions to study the patterns of
investments and also the possibility of using block-chain technology in ensuring the veracity of the
transactions.
3.1 You are appointed as a risk management consultant and you are expected to give your valuable inputs
by answering the following.
(a) There is a 30% probability of increase in a particular share price on Monday. If that share price
increased on Monday, there is a 20% probability that it will increase on Tuesday. If the price did
not increase on Monday, there is a 70% probability that it will increase on Tuesday. Give your
workings.
Using Bayes' Theorem, calculate the probability of increase in that share price on Monday, if the
price increased on Tuesday. (4 Marks)
(b) Briefly explain how big data analytics helps in improving the existing processes in Anti-Money
Laundering operations. (4 Marks)
(c) Calculate the compounded Geometric Mean rate of return for the previous two-year period. The
stock had a return for the three years as follows:
Year   | 2016 | 2017 | 2018
Return | 8%   | -5%  | 15%
(2 Marks)
(d) (i) The risk manager would like to have your opinion in deciding between VaR and Expected
short fall method as a risk measure. Give your advice explaining the reasons thereof.
(3 Marks)
(ii) What are the advantages of Monte Carlo Simulation? (3 Marks)
(iii) If investment proposal is Rs. 50,00,000/- and risk-free rate is 6% p.a., calculate Net Present
Value under certainty equivalent technique, given the following information:
Year | Expected Cash Flow (in Rs.) | Certainty Equivalent Coefficient
1    | 12,00,000                   | 0.87
2    | 14,00,000                   | 0.84
3    | 18,00,000                   | 0.93
4    | 27,00,000                   | 0.82
(4 Marks)

(e) (i) The Manager is looking at the viability of Credit Default Swap contracts. He learnt that it has
similarities with credit insurance. Discuss the differences between CDS and credit
insurance. (6 Marks)
(ii) In the present days, banks face a lot of problems in collections from customers resulting in
increase of NPAs. Hence the banks make attempts to mitigate the risks of lending to
unworthy borrowers by reviewing their five C's of Credit. Briefly explain them. (4 Marks)
Choose the correct answer from the following. Each question carries two marks. 2 x 10 = 20
3.2 OECD has developed set of principles for better corporate governance. The principle of Disclosures
and Transparency would NOT include :
(a) Overseeing the process of disclosure and communications
(b) Foreseeable risk factors
(c) The financial and operating results of the company
(d) Company Objectives and non-financial information
3.3 Bad credit history has an impact on the borrower's future. A FICO score is a powerful measure of
creditworthiness that a lender might refer to. If the FICO score is 750, the chance of default is :
(a) 1%
(b) 2%
(c) 8%
(d) 61%
3.4 Risk measures are expected to correctly reflect diversification effects and facilitate effective decision
making. This is achieved in
(a) Stress testing measures
(b) Coherent risk measures
(c) Full revaluation methods
(d) VaR conversion methods
3.5 Which one of the following is not a property of a coherent risk measure :
(a) Subadditivity
(b) Homogeneity
(c) Monotonicity
(d) Monatomicity
3.6 The manager likes to place more importance on recent observations and provide geometrically
declining weights on past observations. For this purpose, he WOULD most likely use
(a) Loss Given Default model
(b) Exponentially Weighted Moving Averages model
(c) Altman Z Score model
(d) Generalized Autoregressive Conditional Heteroskedastic model
3.7 Sample is not :
(a) Representative of the population.
(b) Sufficiently large
(c) Chosen group of population.
(d) Randomly selected.
3.8 Which one of the following would a company LEAST likely choose as a common risk management
objective when framing the risk management approach?
(a) Enhance the level of risk maturity
(b) Allocate capital more efficiently
(c) Build safeguards against earnings-related surprises
(d) Achieve a better understanding of risk for competitive advantage
3.9 In risk rating table, if risk rating is 7, it needs corrective action :
(a) within one week
(b) within one month
(c) immediately
(d) Nil
3.10 Strategic risks are associated with:
(a) the on-going, day to day operations;
(b) the primary long-term purpose, objectives and direction of business;
(c) the management and protection of knowledge and information within the enterprise;
(d) processes, techniques and instruments utilized to manage the finances of the enterprise.
3.11 As per the Standards on Auditing issued by the ICAI, a risk resulting from significant conditions,
events, circumstances, actions or inactions that could adversely affect an entity's ability to achieve its
objectives and execute its strategies, or from the setting of inappropriate objectives and strategies is
BEST known as :
(a) Significant Risk
(b) Business Risk
(c) Inherent Risk
(d) Control Risk.

Test Series: March, 2019
MOCK TEST PAPER
FINAL (NEW) COURSE: GROUP – II
PAPER – 6A: RISK MANAGEMENT
Solutions
Note: Please note these solutions are for guidance purpose only.
Answers to Case Study One
1.1 The details that could be presented to and discussed at the Board Meeting, in respect of the key
risks affecting the Company, are illustrated below:
Economic Risk
Due to the opening of world trade and diminishing tariffs, XYZ Textiles is faced with the threat of pressure
on margins on products.
To counter these, it stepped up its focus on value added products by upgrading and expanding
manufacturing capacities and increasing R & D. In addition, structural cost optimization and cost control
measures have been initiated.
Competitor Risk
The market is highly competitive with the elimination of fiscal barriers and inroads of large conglomerates
into the country with inorganic growth strategies. The company continued to focus on increasing its market
share and taking marketing initiatives that help customers in making informed decisions.
Project Execution Risk
The company is in the process of setting up cement capacities and captive thermal power plants. In the
fibre business also, plans to increase the capacity are under implementation. The project execution is
largely dependent upon land purchase, project management skills, timely delivery by the equipment
suppliers and adherence to schedule by civil contractors. Any delay in project implementation will impact
revenue and profit for that period. The Company has been continuously reviewing the project execution to
ensure that the implementation schedules are adhered to.
Human Resource Risk
The Company's ability to deliver value also depends on its ability to attract, train, motivate, empower and
retain the best professional talents. These abilities have to be developed across Company's rapidly
expanding operations. There is significant competition from emerging service sectors, which poses inherent
risks associated with the ability to hire and retain skilled and experienced professionals.
The Company continuously benchmarks HR policies and practices with the best in the industry and carries
out necessary improvements to attract and retain the best talent and build intellectual capital.
Foreign Exchange Risk
The Company's policy is to hedge its long-term foreign exchange risk as well as short-term exposures
within the defined parameters. Long term foreign exchange liability is fully hedged, and hedges are on held
to maturity basis. As imports (including capital goods import) exceeded exports, the Company has suitably
hedged the differential short-term exposure from currency risk.
Interest Rate Risk
The Company is exposed to interest rate fluctuations on its borrowings. It uses a judicious mix of fixed and
floating rate debts within the stipulated parameters. It continuously monitors its interest rate exposures and
whenever required, uses hedging tools to minimize interest rate risk.

Commodity Price Risk
The Company is exposed to the risk of price fluctuation on raw materials, energy sources as well as
finished goods. However, considering the normal correlation in the prices of raw materials and finished
goods, the risk is reduced. The Company's strategy of backward integration, like pulp and caustic soda for
VSF (viscose staple fibre), helps in minimizing the effect of an increase in prices of raw materials. Setting up of
captive power plants aids in controlling the impact of a rise in energy cost, which is a major cost element.
Forward integration in value added products, e.g. specialty fibre in VSF and ready mix concrete in cement,
helps to reduce the price fluctuation in the finished goods.
(6 Marks each for explaining one category of Risk – Maximum 30 Marks)
1.2 (c)
1.3 (c)
1.4 (c)
1.5 (c)
1.6 (a)
1.7 (b)
1.8 (b)
1.9 (a)
1.10 (b)
1.11 (a)
Answers to Case Study Two
2.1 Report
To
The Board of Directors
AFL
Sub: Risk Management Report
As desired by the Board of Directors, our report on the various issues is as follows:
(a) Different stakeholders involved and assessment of the impact of Risk upon them:
S. No. | Stakeholders | Nature of Impact
1 | Owners, Boards & Management | Failure to achieve objectives, Delays, Change management, disruption, financial losses, etc.
2 | Society | Loss of confidence, health hazards, direct or indirect financial losses, disruption in life style, etc.
3 | Consumer | Health, financial losses, loss of confidence, etc.
4 | Employee | Life, health, morale, engagement, attrition
5 | Vendor/supplier | Loyalty, relationship, payment terms, attrition
6 | Government, Regulators | Revenue loss, delays in project implementations, loss of public confidence, etc.
7 | Investors | Loss of confidence, lower returns, litigation, financial losses, etc.

(b) Impact areas and their nature of impacts
Sr. No. | Impact Areas | Nature of Impact
1 | Strategy and business objectives | Delays, change management, failure to achieve objectives
2 | Financial | Direct or indirect financial loss
3 | Customer | Loyalty, relationship, payment terms, attrition
4 | Employee | Morale, engagement, attrition
5 | Vendor/supplier | Loyalty, relationship, payment terms, attrition
6 | Compliance | Delays, penalties, offences, defaults, imprisonment
7 | Reputation/Brand equity | Loss of confidence, public exposures, litigation, etc.

(c) Available Risk Treatment Options


Sr. No. | Risk action | Description
1 | Avoid | Exiting the activities giving rise to risk. Risk avoidance may involve exiting a product line, declining expansion to a new geographical market, or selling a division.
2 | Reduce/Manage | Action is taken to reduce the risk likelihood or impact, or both. This, typically, involves any of the myriad of everyday business decisions. This involves addressing the root cause of the risk factor.
3 | Transfer/Share | Reducing the risk likelihood or impact by transferring or, otherwise, sharing a portion of the risk. Common techniques include purchasing insurance cover, outsourcing activities, engaging in hedging transactions.
4 | Accept | No action is taken to affect the risk likelihood or impact. This is mainly in cases where the risk implications are lower than the Company’s risk appetite levels.
(d) Since the company’s Risk Strategy and Policy is in place and is communicated, and the Risk
appetite is also defined, the Risk Maturity level is ‘Risk Managed’.
(e) Techniques that can be used to track the progress of Risk Management are as follows:
Technique | Description
Risk Questionnaires | Designed to identify the relevant risks and create risk history
Flow Charts with Risk Flags | Designed to identify operational risks embedded in the processes
Identified Controls to manage risks | Recognize controls and test their adequacy and operative effectiveness
Risk Event Maps | Identify potential events that can have a significant impact on business to avoid negative surprises
Risk Scorecards | A Monitoring tool to track progress of risk management
Capital Budgeting | A financial analysis tool to evaluate the future cash flow benefits arising from risk management actions against the costs of risk consequences
Value at Risk | A financial analysis tool to evaluate the impact of the worst case scenario of a risk event
Risk Heat Maps | A Monitoring tool to track progress of risk management using qualitative assessment of probability and impact of risk
(f) The various types of political risks which ultimately can affect the profit of the company are as
follows:
(i) Nationalisation or Expropriation Risk: This is the most common form of risk, wherein the host
country takes over the business of MNCs without or with inadequate compensation.
(ii) Exchange Control Risk: This form of risk prevents the MNCs from converting their earnings
from local currency to foreign currency to repatriate the same to the home country of the MNCs.
Due to these restrictions, even investors in the MNCs' business suffer a lot.
(iii) Taxes, Rule and Regulation Risk: This risk arises mainly due to a sudden or dramatic
change in the Rules and Regulations governing the host country. These sudden changes can
take any of the following forms:
• Unanticipated increase in tax rates applicable to MNCs operating in the host country.
• Compulsion to hire local workforce.
• Compliance with stricter environmental standards.
(iv) Inefficient Legal System: A high level of red tape and corruption at local and higher levels
poses a serious risk for MNCs operating in the host country as it leads to uncertainty and
high cost of operation.
(v) Repudiation of Contracts: This type of risk arises on account of revocation of earlier awarded
turnkey projects by the Government of the host country without adequate consideration and
damages. This risk is also called indirect expropriation risk.
(g) Benefits likely to be derived from a synchronized ledger that is distributed across the network’s
nodes.
• Significant reduction in operational complexity
• Major increase in processing speeds and consequent asset availability
• Higher operating efficiency due to lowered reconciliation requirements
• Transparency and immutability in transaction record keeping
• Network security and safety due to distributed architecture
• Overall reduction in credit and operational risk
(h) Quantitative tools that can be used to assess the neighbouring Country Risk
S. No. | Index | Basis
1 | Corruption Perception Index | It is one of the most popular indicators published by Transparency International. The ranking is numeral based, ranging from 0-10. While 0 indicates least corrupt, 10 indicates highly corrupt.
2 | Democracy Index | Published by Economic Intelligent, countries are classified into the following four groups:
    • Full democracy (8 to 10)
    • Flawed Democracy (6 to 10)
    • Hybrid Regime (4 to 5.9)
    • Authoritarian Regime (0 to 3.9)
    This index is based on the following 5 categories:
    ❖ Electoral process pluralism
    ❖ Civil liberties
    ❖ Functioning of Government
    ❖ Political Participation
    ❖ Political Culture
3 | Freedom in the world | This survey is conducted by Freedom House and is based on a study of Political rights and civil liberties. It uses a rating on a 1-7 scale, with 1 being most free and 7 being least free.
4 | Gini Coefficient | It is one of the most popular indices to gauge the rich-n-poor income countries. It measures inequality in income distribution. It uses a scale of 0 to 1, where 0 indicates total equality and 1 indicates total inequality.
5 | Global Peace Index | This index is published by Vision of Humanity and derived from key information such as level of crimes, violence, military expenditure etc.
6 | Human Development Index | Published by the UN, it rates the countries on the basis of the following factors:
    ❖ Education level
    ❖ Literacy Rate
    ❖ Year of Schooling
    ❖ Income
    ❖ Life Expectancy and
    ❖ Standard of Living
    It uses the scale of 0 to 1, with 0 being the least developed and 1 being the highest developed.
Signed
Chief Risk Officer
Answers to Multiple Choice Questions
2.2 (c)
2.3 (d)
2.4 (a)
2.5 (a)
2.6 (d)
2.7 (c)
2.8 (c)
2.9 (c)
2.10 (b)
2.11 (c)

Answers to Case Study Three
3.1 (a) Bayes Theorem shows how a conditional probability of the form P(B|A) may be combined with
the initial probability P(A) to obtain the final probability P(A|B):
$$P(A \mid B) = \frac{P(B \mid A) \times P(A)}{P(B)} = \frac{P(B \mid A) \times P(A)}{P(B \mid A) \times P(A) + P(B \mid A') \times P(A')}$$
Accordingly let us assume
Increase in price on Monday = A
Increase in price on Tuesday = B
$$P[\text{Increase on Monday if price increased on Tuesday}] = \frac{0.20 \times 0.30}{0.30 \times 0.20 + 0.70 \times 0.70} = \frac{0.06}{0.55} = 0.1091 \text{ or } 10.91\%$$
(b) The high cost of money laundering cases has prompted banks to seek new ways to address the
severe limitations in current anti-money laundering risk management. Traditional approaches to
anti-money laundering remain dependent on rule-based, descriptive analytics to process
structured data. This system clearly has limitations - without automated algorithms, detecting
information within the wealth of data requires laborious keyword searches and manual sifting
through reports.
Big Data analytics can improve the existing processes in AML operations. Its approaches allow
for the advanced statistical analysis of structured data, and advanced visualization and statistical
text mining of unstructured data. These approaches can provide a means to quickly draw out
hidden links between transactions and accounts, and uncover suspicious transaction patterns.
Advanced analytics can generate real-time actionable insights, stopping potential money
laundering in its tracks, whilst still allowing fund transfers for crucial economic and human aid to
troubled regions. Big data technologies can identify incidents, help draw a wider picture, and
allow a bank to raise the alarm before it’s too late.
(c) $$1 + R_G = \sqrt[n]{(1+R_1) \times (1+R_2) \times \cdots \times (1+R_n)}$$
$$R_G = \sqrt{(1-0.05)(1+0.15)} - 1 = 0.04522 \text{ i.e. } 4.52\%$$
(d) (i) Despite the VaR measure being better known than the expected shortfall, the latter has
more advantages:
• Expected shortfall is sensitive to the entire tail of the distribution, whereas VaR will not
change even if there are large increases in some of the losses beyond the cut-off
percentile at which the VaR is being measured.
• Expected Shortfall is a more stable measure than VaR in showing less sensitivity to
data errors and less day to day movement due to irrelevant changes in the input data.
• With VaR, negative diversification effects can arise whereas expected shortfall never
displays negative diversification effects.
(ii) The main advantage of the use of Monte Carlo simulation is that we can generate correlated
scenarios based on a statistical distribution, due to which it models multiple risk factors.
Moreover, we can specifically focus on the tails of extreme loss scenarios. So, the Monte Carlo
Simulation method can be used both to calculate VaR as well as to complement it. Also, it
can work both for linear and non-linear risks. As an unlimited number of scenarios is generated,
this helps in creating correct distributions.
(iii) Calculation of NPV
Year | Expected Cash Flow (Rs.) | Certainty Equi. | Certain Cash Flow (Rs.) | PVF | PV of Cash Flow (Rs.)
1 | 12,00,000 | 0.87 | 10,44,000 | 0.943 | 9,84,492
2 | 14,00,000 | 0.84 | 11,76,000 | 0.890 | 10,46,640
3 | 18,00,000 | 0.93 | 16,74,000 | 0.840 | 14,06,160
4 | 27,00,000 | 0.82 | 22,14,000 | 0.792 | 17,53,488
  |  |  |  |  | 51,90,780
0 | Cash Outflow |  |  |  | (50,00,000)
  |  |  |  |  | 1,90,780
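Alternative Presentation
$$NPV = \sum_{t=1}^{n} \frac{\alpha_t \times NCF_t}{(1 + r_f)^t} - I$$
$$= \frac{12{,}00{,}000 \times 0.87}{(1.06)} + \frac{14{,}00{,}000 \times 0.84}{(1.06)^2} + \frac{18{,}00{,}000 \times 0.93}{(1.06)^3} + \frac{27{,}00{,}000 \times 0.82}{(1.06)^4} - 50{,}00{,}000$$
= 51,90,760 – 50,00,000
= 1,90,760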
(e) (i) CDS contracts have obvious similarities with insurance, because the buyer pays a premium
and, in return, receives a sum of money if an adverse event occurs.
However, there are also many differences, the most important being that an insurance
contract provides an indemnity against the losses actually suffered by the policy holder on
an asset in which it holds an insurable interest. By contrast a CDS provides an equal payout
to all holders, calculated using an agreed, market-wide method. The holder does not need
to own the underlying security and does not even have to suffer a loss from the default
event. The CDS can therefore be used to speculate on debt objects. The other differences
include:
• The seller might in principle not be a regulated entity (though in practice most are banks);
• The seller is not required to maintain reserves to cover the protection sold (this was a
principal cause of AIG's financial distress in 2008; it had insufficient reserves to meet the
"run" of expected payouts caused by the collapse of the housing bubble);
• Insurance requires the buyer to disclose all known risks, while CDSs do not (the CDS seller
can in many cases still determine potential risk, as the debt instrument being "insured" is a
market commodity available for inspection, but in the case of certain instruments like CDOs
made up of "slices" of debt packages, it can be difficult to tell exactly what is being
insured);

• Insurers manage risk primarily by setting loss reserves based on the Law of large numbers
and actuarial analysis. Dealers in CDSs manage risk primarily by means of hedging with
other CDS deals and in the underlying bond markets;
• CDS contracts are generally subject to mark-to-market accounting, introducing income
statement and balance sheet volatility while insurance contracts are not;
• To cancel the insurance contract the buyer can typically stop paying premiums, while for
CDS the contract needs to be unwound.
(ii) Five C’s of Credit that are reviewed by banks in an attempt to mitigate the risk of lending to
unworthy borrowers:
(1) Capacity – This refers to the borrower’s ability to repay the loan. The lenders / banks
will consider the cash flows generated from the underlying business, timing of
repayment and the probability of successful payment of the loan under various
stressed scenarios.
(2) Capital – It is the promoters’ / borrower’s money invested in the business and is an
indicator of how much of the promoters’ / borrower’s money is at risk if the business fails.
FIs / banks will generally consider the borrowers debt to equity ratio to understand how
much money the lender is being asked to lend as against the money invested by the
promoters / borrower in the business. High debt to equity ratio indicates that the
promoters / borrower already have high levels of debt / loans and could be having a
higher financial risk.
(3) Character – It is the obligation that the borrower feels to repay the loan. Emphasis is
given on the past loan repayment track record, credit history, credit bureau score. This
analysis pertains to the softer aspect of the borrower’s intent to pay rather than emphasis
on financials, ratios and cash flows.
(4) Collateral – It is a form of security for the lender in case there is default on the loan. In
case of default, the lender will take possession of the collateral in place of debt.
Collateral can be in the form of tangible assets like land, building, plant, machinery,
cash flows, receivables, project assets etc. and also in the form of intangible assets
like patents, trademarks etc. The loan agreement should be suitably drafted to include
all the relevant details of the collateral. The lender would ideally want the term of the
loan to match the useful life of the collateral.
(5) Conditions – Additionally, apart from the borrower-specific criteria, lenders may also
consider external factors which may affect the borrower’s financials, cash flows and its
underlying ability to repay the loan obligations. End use of the loan/ purpose for taking the
loan / debt will also be carefully assessed and the transaction will be suitably structured.
3.2 (a)
3.3 (b)
3.4 (b)
3.5 (c)
3.6 (b)
3.7 (b)
3.8 (a)
3.9 (b)
3.10 (b)
3.11 (b)
MTP March 2019 Query Sheet
Case Study 1

1.1- Manageable answer (case study related). May refer page no. 1.19 of the ICAI SM. Please note down
some new risks as are given in the suggested answers for future answer purposes, although, if you
mention some other risks and you have conceptually justified them, then that will also be acceptable.

Multiple Choice Questions:

1.2- Refer page no. 2.07 of ICAI SM.


1.3- Question from old chapter 4. (Not in Syllabus now)
1.4- Refer page no. 5.16 + 5.17 of ICAI SM.
1.5- Refer page no 5.06 of ICAI SM.
1.6- Refer page no. 6.12 of SM. (a bit knowledge-based)
1.7- Refer page no .29 of ICAI SM.
1.8- Refer page no.8.06 of ICAI SM.
1.9- Refer page no.9.26 of ICAI SM.
1.10- Refer page no. 6.18 of ICAI SM.
1.11- Refer page no. 7.04 of ICAI SM.

Case Study 2

2.1 Descriptive Questions:


(a)- Refer page no.2.28 of ICAI SM. (Impact of Risks on Stakeholders)
(b)- Refer page no.2.23 of ICAI SM. (Impact Areas and Nature of Impact)
(c)- Refer page no.2.21 of ICAI SM. (Risk Treatment Options)
(d)- Case Study-related. Can Refer page no. 8.07 of ICAI SM.
(e)- Refer page no. 3.12 of ICAI SM. (Techniques to track the progress of Risk management.)
(f)- Refer page no.5.15 of ICAI SM. (Political Risks)
(g)- Refer page no. 9.35 + 9.36 of ICAI SM. (Distributed Ledger Technology)
(h)- Refer page no 5.17+5.18 of ICAI SM. (Assessing Country Risk)

Multiple Choice Questions:

2.2- Refer page no.1.14 of ICAI SM.


2.3- Refer page no.1.21 of ICAI SM.
2.4- Refer page no.9.14 of ICAI SM.
2.5- Refer page no.3.11 of ICAI SM.
2.6- Refer page no. 3.04 of ICAI SM.
2.7- Refer old chapter-4 of ICAI SM.
2.8- Refer page no.5.07 of ICAI SM.
2.9- Refer page no. 5.04 of ICAI SM.
2.10- Refer page no.6.30 of ICAI SM.
2.11- Refer page no. 7.09+7.10 of ICAI SM.



Case Study 3 (May 18 QP CS-3 Co name different, Descriptive Q same, Mcq-5 common)
3.1

(a) Related to Bayes theorem concept from old chapter 4 of ICAI SM.
(b) Refer page no. 9.34 of ICAI SM. (Big Data Analytics)
(c) Refer old chapter 4 of ICAI SM. (Geometric Mean)
(d) (i)- Refer page no. 5.06 of ICAI SM. (Difference between VaR and Expected Shortfall)
(d) (ii)- Refer page no. 5.05 of ICAI SM. (Advantages of Monte Carlo Simulation)
(d) (iii)- Related to page no. 8.16 of ICAI SM of IPCC Chapter of Capital Budgeting.
(e) (i)- Refer page no. 6.24 of ICAI SM. (CDS v/s Credit Insurance)
(e) (ii)- Refer page no. 6.13 of ICAI SM. (5 Cs of Credit)

Multiple Choice Questions:

3.2- Refer page no.7.21+7.22 of ICAI SM.


3.3- Refer page no.6.35 of ICAI SM.
3.4- Refer page no.5.05 of ICAI SM.
3.5- Refer page no. 5.06 of ICAI SM. The answer should be Monotonicity (option d). The answer
given in ICAI suggested is incorrect.
3.6- Refer old chapter 4 of ICAI SM.
3.7- Common sense + Refer old chapter 4 of ICAI SM.
3.8- Refer page no.3.05 of ICAI SM.
3.9- Refer page no. 2.26 of ICAI SM.
3.10- Refer page no. 1.11 of ICAI SM.
3.11- Refer page no. 1.05 of ICAI SM.



DISCLAIMER
The Suggested Answers hosted on the website do not constitute the basis
for evaluation of the student’s answers in the examination. The answers are
prepared by the Faculty of the Board of Studies with a view to assist the
students in their education. While due care is taken in preparation of the
answers, if any error or omission is noticed, the same may be brought to the
attention of the Director of Board of Studies. The Council of the Institute is
not in any way responsible for the correctness or otherwise of the answers
published herein.

Further, in the Elective Papers which are Case Study based, the solutions
have been worked out on the basis of certain assumptions/views derived
from the facts given in the question or language used in the question. It may
be possible to work out the solution to the case studies in a different manner
based on the assumptions made or views taken.

2 FINAL (NEW) EXAMINATION: MAY 2019

PAPER-6A – RISK MANAGEMENT

The Question paper comprises three case study questions. The candidates are required
to answer any two case study questions out of three.
Answers in respect of Multiple Choice Questions are to be indicated in capital letters, i.e. A or
B or C or D as the case may be.
Candidates may use calculator
CASE STUDY: 1
Mr. Krish has 15 years of experience in manufacturing and selling pharmaceutical
products. He is the managing partner of M/s. Krish Pharma situated in Mumbai.
In the month of May 2018, he came across a notification No. F. No. 10(6)/2016- DBA-II/NER
dated 12th April, 2018 issued by Ministry of Commerce and Industry which announced a scheme
called “North East Industrial Development Scheme (NEIDS), 2017”.
The scheme provides
(i) Central Capital Investment Incentive (30% of the investment in plant & machinery with an
upper limit of ₹ 5 crore),
(ii) Central Interest Incentive (3% interest on working capital for 5 years),
(iii) Central Comprehensive Insurance Incentive (Reimbursement of 100% insurance premium
for 5 years),
(iv) Income Tax Reimbursement of centre’s share for 5 years,
(v) GST reimbursement of Central Govt. share of CGST & IGST for 5 years,
(vi) Employment Incentive under which additional 3.67% of the employer’s contribution to EPF
in addition to Govt. bearing 8.33% Employee Pension Scheme (EPS) contribution of the
employer in PMRPY and
(vii) Transport incentive on finished goods movement by Railways (20% cost of the
transportation), by Inland Waterways Authority (20% of the cost of transportation) & by air
(33% of cost of transportation of air freight) from the station/port/airport nearest to unit to the
station/port/airport nearest to the destination point.
Also, under this scheme, a single unit can avail overall benefits up to ₹ 200 crores.
He immediately formulated an idea to commence a private limited company in the state of
Assam to commence manufacturing and selling of pharmaceutical products. He checked the
said scheme and ensured that the proposed manufacturing of products would be eligible under
the scheme.


With the help of a consultant he floated a private limited company in Assam and constructed
factory and office buildings on 15-year leased land of 30000 sq.ft. The initial contribution of
₹ 10 crores was made by him along with his other family members. The consultant, who was
appointed for preparing the project proposal, estimated a total cost of ₹ 20 crores for the entire
project including purchase of new machinery. He also estimated that there might be a probable
project cost overrun of 5%. The company could manufacture the pharma products from 1st April,
2019.
The consultant put forth the following:
• The consultant has employed various statistical tools for arriving at the various projections
made in the project. He had also prepared a detailed cash / funds flow analysis for three
years commencing from 1st April, 2019.
• To approach the bank for a 10-year term loan of ₹ 10 crores.
• Initially, for two years, the company could face liquidity problems, and it was suggested to go for
a working capital loan of ₹ 2 crores initially.
• To consider alternative logistic arrangements for moving the finished goods to various
parts of the country.
• To consider the possibility of exporting the finished products to friendly foreign countries.
• To appoint (i) an internal auditor to look into various control aspects and (ii) a statutory
auditor for ensuring required compliances.
• A risk committee would be constituted with a main focus to conduct a detailed company-
wide risk management program including the possible oversights and as far as possible
strive to include all the foreseeable risk situations, possible measures to prevent the same
and steps to be taken for mitigation.
• To prepare a detailed process manual and safety manual and periodically revise the same
with the improvements happening.
As a risk management consultant, you are required to clarify the following to the management.
1. Multiple Choice Questions:
Choose the correct answer in the following Multiple Choice Questions:
1.1 For calculating ‘the cash flow available to pay current debt obligations’, the bank would
most likely use which of the following calculations?
(A) (PAT + Dep + Interest) / (Current portion of long-term debt + Dep + Interest)
(B) (PAT + Dep) / (Current portion of long-term debt + Dep)
(C) (PAT + Dep + Interest) / (Current portion of long-term debt + Interest)


(D) (PAT + Interest) / (Current portion of long-term debt + Interest)


1.2 What is the probability of getting a tail each time, if the coin is flipped eight times?
(A) 1/32
(B) 1/256
(C) 1/128
(D) 1/64
1.3 The company is preparing a process manual for its manufacturing activities. The process
manual would LEAST likely contain:
(A) technology used in the sub-process
(B) factory specifications
(C) specific individual roles
(D) controls to be tested
1.4 The company, while analyzing the significance and assigning priority to the risks, would
plot the identified risks in a matrix chart. This would be done under:
(A) Qualitative Analysis
(B) Impact Analysis
(C) Likelihood Analysis
(D) Quantitative Analysis
1.5 An internal auditor, who is appointed would LEAST likely look into which of the following
aspects, when concluding on the company’s risk maturity level?
(A) Control environment is strong including the tone from the top
(B) Risk appetite is defined and communicated across the organization
(C) Regularly reviewing and monitoring the objectives set as part of the framework
(D) Business objectives are defined and communicated
1.6 Which one of the following is NOT a type of risk that the company would face in its
investment project decision making?
(A) Decision making under uncertainty
(B) Decision making under probability
(C) Decision making involving risk
(D) Decision making under certainty


1.7 If the company, in its estimation, has over-stated the revenue without considering any
internal controls, the same would be classified under:
(A) Residual Risk
(B) Operational Risk
(C) Knowledge Risk
(D) Inherent Risk
1.8 The bank while processing the application for the loan would like to measure the interest
rate risk. Which of the following techniques, the bank would not consider for measuring
such interest rate risk?
(A) Value at Risk
(B) Simulation
(C) Frequency of Loss
(D) Maturity Gap Analysis
1.9 The company would like to make an analysis based on sequence or development of events
which start from one set of assumptions in order to evaluate or map various outcomes of
a particular situation. This is better known as:
(A) Scenario analysis
(B) Risk appetite analysis
(C) Historical experience analysis
(D) Stress test analysis
1.10 The company, in its risk management process, tries to minimise the probability of the
negative risks as well as enhancing the opportunities by creating risk mitigation strategies,
preventive plans and contingency plans. This step would be performed under:
(A) Evaluate the Risk
(B) Treat the Risk
(C) Analyse the Risk
(D) Review the Risk
(10 x 2 Marks = 20 Marks)
Descriptive Questions:
1.11 As per the suggestion of the consultant to Mr. Krish, a risk committee was constituted
appointing an Independent Director as chair of the Committee. The committee identified
the risks that the company would face, but did not give any solutions to mitigate the same.
A consultant was asked to provide advice on mitigation of the risks and the sound practices
that should be adopted. Now that you are appointed as the consultant, please give a report
describing the advice that would be given to the company. (6 Marks)
1.12 In the above report under 1.11, it was mentioned ‘a loss would occur or no loss would
occur and there would be no possibility for gain’. Explain this risk and different types of
such risks. (4 Marks)
1.13 Since Mr. Krish wanted to export his company’s goods, describe the various qualitative
tools that may be used to measure country risk assessment. (4 Marks)
1.14 In view of the company’s exposure to various stakeholders not only in India and also
outside India, describe the challenges that the company would be facing while developing
the risk management and oversight practices. (4 Marks)
1.15 Mr. Krish wanted to analyse the cash flows, explain to him any two types of cash flows that
you wish to consider. (2 Marks)
1.16 The company is expecting the following risks and opportunities in the installation of various
machinery:
(1) There is a 7% probability of belatedly receiving the parts for the machinery and this
would cause an additional cost of ₹ 7 Lakhs.
(2) By effective dealings with the suppliers of the machinery parts, the probability that
the company could save ₹ 3 Lakhs is 40%.
(3) When fitting the machinery there is a 60% probability that the two parts would not fit
together and the expected cost of the same is ₹ 6 Lakhs.
(4) By simplifying the processes, the company expects to save ₹ 1.60 Lakhs in the
installation of machinery with a probability of 6%.
(5) The expected defects in the design would cost the company a sum of ₹ 1 Lakh with
a probability of 10%.
Calculate the expected monetary value of the cost of these risks and opportunities.
(6 Marks)
1.17 Explain the safety risks that the company has to address. (4 Marks)
Answer Case Study 1
Multiple Choice Questions
1.1 (C)
1.2 (B)
1.3 (D)
1.4 (A)


1.5 (C)
1.6 (B) or (D)
1.7 (D)
1.8 (C)
1.9 (A)
1.10 (B)
Descriptive Questions:
1.11 Report to Management
To: Management of Krish Pharma Ltd.
From: Risk Management Consultant
Date: 7 June 2019
Subject: Measures to Mitigate Risks and Sound Practices to be followed.
The Risk committee:
(a) Is required to be a standalone committee, distinct from the audit committee;
(b) Has a chair who is an independent director and avoids “dual-hatting” with the chair
of the board, or any other committee;
(c) Includes members who are independent;
(d) Includes members who have experience with regard to risk management issues and
practices;
(e) Discusses all risk strategies on both an aggregated basis and by type of risk;
(f) Is required to review and approve the firm’s risk policies at least annually;
(g) Oversees that management has in place processes to ensure the firm’s adherence to
the approved risk policies.
1.12 These Risks are called ‘Pure Risks’. In a pure risk situation, a loss occurs or no loss occurs
– there is no possibility for gain. These uncertainties may be due to perils such as fire,
floods, etc. or may arise from human action such as theft, accident etc. There are certain
risk events that can only result in negative outcomes such as fire accidents or leakage of
harmful chemicals from a manufacturing plant. These risks are hazard risks or pure risks,
and these may be thought of as operational or insurable risks.
A good example of a hazard risk faced by many organizations is that of theft.
There are different types of pure risks:


• Personal risks - It includes early death, sudden accident and disability,
unemployment, etc.
• Property risks - reduction in value of assets due to physical damage, fire, theft, etc.
• Liability Risks – the risk of legal liability for damages accruing to customers, suppliers,
vendors, etc. Such risks are also connected with compensation payable to employees
for injuries and other harm inflicted in the workplace.
Above risks are insurable.
1.13 Qualitative Measures to measure Country Risks are as follows:
(i) Numeral Coding: In this method, after considering various factors, a number is
assigned to a country. While the highest number indicates lesser risk, the lowest
number indicates higher risk.
(ii) Colour Coding: Different colours can be used to indicate the level of country risk.
While Red Color indicates higher risk, Green Colour indicates a risk free zone.
(iii) Combination of Numeral and Colour: A combination of colour and numeral is also
used to indicate relative level of country risk.
(iv) Other Methods: In addition to above, other methods can also be used which are as
follows:
(a) Grade Based Rating – Grades can be assigned in the way that S & P, Moody’s and
Fitch assign ratings. For example, while the USA has been assigned ratings of Aaa, AA+
and AAA by these agencies respectively, indicating a safer zone, Venezuela has been
assigned ratings of Caa, B- and C, indicating a riskier zone.
(b) Event Driven – A very specific negative event, such as removal of the current
government by the military or sovereign default etc., is assessed with the probability of
its happening.
1.14 The challenges that M/s Krish Pharma would be facing while developing the risk
management and oversight practices are as follows:
• linking risks to strategy;
• better defining risks;
• developing corporate responses to risks that manage to address all five key
dimensions (strategy, people, detail, tasks, and drivers);
• effectively considering stakeholders’ and gatekeepers’ concerns; and
• addressing all these issues from a whole-enterprise perspective.


1.15 Two types of Cash flows that Krish can consider are as follows:
(a) Operating Cash flow - The first set of cash flow transactions is from operational
business activities. Cash flows from operations starts with net income and then
reconciles all noncash items to cash items within business operations. For example,
accounts receivable is a noncash account. If accounts receivables go up, it means
sales are up, but no cash was received at the time of sale. The cash flow statement
deducts receivables from net income because it is not cash. Also included in cash
flows from operations are accounts payable, depreciation, amortization and
numerous prepaid items booked as revenue or expenses but with no associated cash
flow.
(b) Investment cash flow - Cash flows from investing activities includes cash spent on
property, plant and equipment. This is where analysts look to find changes in capital
expenditures (CAPEX). While positive cash flows from investing activities is a good
thing, investors prefer companies that generate cash flows primarily from business
operations, not investing and financing activities.
(c) Financing cash flow - Cash flows from financing is the last business activity detailed
on the cash flow statement. The section provides an overview of cash used in
business financing.
Analysts use the cash flows from financing section to find the amount paid out in
dividends or share buybacks. Cash obtained or paid back from capital fundraising
efforts, such as equity or debt, is also listed.
1.16 Expected Monetary Value of Risks and Opportunities

| S. No. | Particulars | Risks | Opportunity |
|---|---|---|---|
| 1 | Belatedly receiving the parts for the machinery | 0.07 x ₹ 7 Lakhs = ₹ 49,000 | ----- |
| 2 | Effective dealing with suppliers of the machinery parts | ----- | 0.40 x ₹ 3 Lakhs = ₹ 1,20,000 |
| 3 | Two parts of the machine do not fit together | 0.60 x ₹ 6 Lakhs = ₹ 3,60,000 | ----- |
| 4 | Simplifying the process | ----- | 0.06 x ₹ 1.60 Lakhs = ₹ 9,600 |
| 5 | Defects in the design | 0.10 x ₹ 1 Lakh = ₹ 10,000 | ----- |
| | Total | ₹ 4,19,000 | ₹ 1,29,600 |


1.17 Safety Risks that Krish Pharma has to address:


• Spills on floors or tripping hazards, such as blocked aisles or cords running across
the floor. Working from heights, including ladders, scaffolds, roofs, or any raised
work area.
• Unguarded machinery and moving machinery parts; guards removed or moving parts
that a worker can accidentally touch.
• Electrical hazards like frayed cords, missing ground pins, improper wiring.
• Confined spaces.
• Machinery-related hazards (lockout/tag out, boiler safety, forklifts, etc.).

CASE STUDY: 2
Peer Group Analysis
ABC Constructions, a customer prospect, is compared against two peers :
| ₹ Cr. | New Customer: ABC Constructions | Peer 1: Customer PQR Constructions | Peer 2: Non Customer XYZ Construct* |
|---|---|---|---|
| Latest FYE | 31.03.2011 | 31.03.2011 | 31.03.2011 |
| Sales | 259.7 | 458.4 | 689.7 |
| Gross Profit Margin (GPM) | 25.4% | 17.7% | 18.1% |
| Net Profit Margin | 5.63% | 6.10% | 5.9% |
| Bank Borrowings (Funded) | Nil | 50 | 147.1 |
| Provision for Bad Debts (2011) | 12.1 | 32 | 4.81 |
| Trade Debtors on 31.03.2011 | 59.7 | 160.3 | 480 |
| % of Provision to Trade Debtors | 20.3% | 20.0% | 1.0% |
| EBITDA | 22 | 51 | 87.3 |
| EBITDA Margin | 8.2% | 11.1% | 12.6% |
| Net Debt | Net Cash Position | 18 | 30 |
| Net Debt/EBITDA | N.A. | 0.35x | 0.24x |
| S&P/Moody's Rating | BBB+ | BBB | BBB- |

* Listed company in the stock market


Comments
A comparison with two other prominent peer group companies shows that ABC is more
conservative and enjoys relatively better GPM. The better Margin is attributable to the careful
selection of contracts and efficiency of operations. The relatively lower Net Profit Margin reflects
the aggressive debtors provisioning policy adopted by ABC compared to its peers. ABC
continues to be nil geared. In view of the recent construction sector slowdown, ABC and PQR
Constructions had booked substantial additional provision on debtors, however ABC is more
conservative. However, XYZ Construct hardly increased the provisions during 2010, despite
having significant exposure to some of the troubled companies, which drew criticisms from a
few equity analysts (such as Silverman Sachs), who cover this stock. Overall, ABC can be
considered as a reasonably strong player in this market segment.
Multiple Choice Questions
Choose the correct answer in the following:
2.1 ABC Constructions has holdings in a Bank, which is subject to Basel II norms. In that bank,
Operation Risk states:
(A) the risk of loss resulting from inadequate or failed processes, people and systems
and from external events.
(B) the risk of loss resulting from inadequate or failed processes, people and systems
and from internal events.
(C) the risk which is not an overarching concept interrelated with several other types of
risk, and cannot be viewed in isolation.
(D) None of the above.
2.2 In the measurement of ‘Risk consequences’, if the level on a scale of 5 is 3, then it is :
(A) Insignificant
(B) Minor
(C) Moderate
(D) Major
2.3 According to WEF [World Economic Forum] and current trend, the following one is not a
global risk indicator :
(A) Increasing disparity between the rich and the poor.
(B) Global warming and climate changes.
(C) Intelligent devices replacing human intervention, impacting employment,
manufacturing and services sector
(D) Population has more females.


2.4 Based on the data: Default: 10%; Amount of Exposure: ₹ 1,00,000; and Recovery Rate:
1%, the random loss is ₹ ________:
(A) 9,900
(B) 1,000
(C) 9,000
(D) 1,00,000
2.5 According to the UN International Strategy for Disaster Reduction (ISDR), Mumbai is the
most vulnerable in the world in terms of total population exposed to coastal flood hazard.
Is the statement True?
(A) Yes
(B) No
2.6 Every company has risk appetite. One of the following key principles has not underpinned
Risk Appetite:
(A) which can be complex.
(B) which needs to be measurable.
(C) which is not a single, fixed concept.
(D) which is none of the above.
2.7 Probability of an event always is a number which is:
(A) 0 to 1
(B) -1 to +1
(C) 0 to 10
(D) 0 to 100
2.8 If the long term instrument is rated as “BBB”, this means that the instrument carries:
(A) Highest Safety
(B) Moderate Safety
(C) High Risk
(D) Moderate Risk
2.9 In a listed company, the ‘risk committee’ is required to be:
(A) Audit committee
(B) Stand-alone committee


(C) A committee which should contain all directors of the company.


(D) None of the above.
2.10 In case of an airlines company which is subject to hijack, the high impact low probability is
seen:
(A) with severe impact that putting a risk mitigation plan is very difficult.
(B) with no impact that putting a risk mitigation plan is very difficult.
(C) with no impact that putting a risk mitigation plan is not necessary.
(D) with severe impact that putting a risk mitigation plan is not necessary at all.
(10 x 2 Marks = 20 Marks)
Descriptive Questions:
2.11 The key question for the Chief Risk Officer is how much risk does the company, ABC
Constructions, take? Outline the key principles that would underpin risk appetite. (10 Marks)
2.12 What does the rating ‘BBB’ indicate? List at least six credit rating agencies in India.
Describe Credit Risk Rating Process. (1 + 3 + 4 = 8 Marks)
2.13 For ABC Constructions and its peers, what risks can arise in Risk Assessment with respect
to the data furnished in the Peer Group Analysis? (12 Marks)
Answer Case Study 2
Multiple Choice Questions
2.1 (A)
2.2 (C)
2.3 (D)
2.4 (A)
2.5 (A)
2.6 (D)
2.7 (A)
2.8 (B)
2.9 (B)
2.10 (A)
2.11 The following are some of the key questions for the Chief Risk Officer in deciding how much
risk the company takes:


• What is the probability that things can go wrong? (Probability) This view will have to
be taken strictly on the technical point of view and should not be mixed up with past
experience. While deciding on the class to be accorded, one has to focus on the
available measures that can prevent such happening.
• What is the cost if what can go wrong does go wrong? (Exposure)
The following key principles have underpinned risk appetite:
(1) Risk appetite can be complex. Excessive simplicity, while superficially attractive,
leads to dangerous waters: far better to acknowledge the complexity and deal with it,
rather than ignoring it.
(2) Risk appetite needs to be measurable. Otherwise there is a risk that a statement may
become empty and vacuous.
(3) Risk appetite is not a single, fixed concept. There will be a range of appetites or
ranges for different risks which need to be aligned and these appetites may vary over
time. For example, in sourcing decisions, the Board may set vendor business share limits as
they would make the entity dependent on a few vendor companies that could
eventually impact business continuity or range of quality defects.
(4) Risk appetite should be developed in the context of an organization’s risk
management capability, which is a function of risk capacity and risk management
maturity. Risk management remains an emerging discipline and some organizations,
irrespective of size or complexity, do it much better than others. This is in part due to
their risk management culture (a subset of the overall culture), partly due to their
systems and processes, and partly due to the nature of their business. However, until
an organization has a clear view of both its risk capacity and its risk management
maturity, it cannot be clear as to what approach would work or how it should be
implemented.
(5) Risk appetite must be integrated with the control culture of the organization. The Risk
Management framework explores this by looking at both the propensity to take risk
and the propensity to exercise control. The framework promotes the idea that the
strategic level is proportionately more about risk taking than exercising control, while
at the operational level the proportions are broadly reversed. Clearly the relative
proportions will depend on the organization itself, the nature of the risks it faces and
the regulatory environment within which it operates.
2.12 Rating of ‘BBB’ indicates the Moderate Safety Level.
A few leading credit rating agencies in India are as follows:
• Credit Rating Information Services of India Limited (CRISIL)


• Indian Credit Rating Agency (ICRA)


• Credit Analysis and Research Ltd (CARE)
• Fitch Ratings India Private Limited (Fitch)
• Equifax
• Credit Information Bureau India Limited (CIBIL)
• High Mark Credit Information Services
• SME Rating Agency of India Ltd (SMERA)
• Brickwork Rating India Private Limited (Brickwork)
Credit Risk Rating Process
Credit Risk Rating or Credit Rating is an important tool to manage the credit risk of large
ticket exposures. The rating provides a consistent and common scale for measurement of credit
risk of a loan asset in terms of Probability of Default (PD) across products and sectors.
Coupled with estimation of Loss Given Default (LGD), it enables the organisation to make
an estimate of credit cost for the loan assets and thus, helps to differentiate among loan
assets as objectively as possible. PD is measured by the internal rating assigned to the
Borrower and assesses the likelihood that the Borrower will default on its debt obligations.
LGD is measured by the value of the security/ collateral / cash flow cover (project finance)/
DSRA/other credit enhancements for the particular facility provided by the Borrower, after
applying a haircut to each asset sub-class, which will form a cover for the outstanding
facility, once a default has occurred.
Each Bank / FI would have an internal credit rating model which takes into account critical
success parameters relevant for each industry, competitive forces within the industry,
regulatory issues while capturing financial parameters, management strengths, project
parameters, etc. and the LGD models take into consideration the cover expected to be
available for recovery based on asset or cash flows that could be accessed after a default
has happened. The LGD model also factors in the estimated time to invoke different types
of securities for applying suitable discounting factors.
Each proposed debt commitment is rated before taking a sanction decision and all such
ratings of assets in the portfolio are periodically reviewed by banks / FIs. Revised ratings
are awarded for the borrower if there is deterioration in the financial parameters from the
originally assessed and projected, adverse changes in industry / sector, changes in
government regulations etc. Each corporate loan is then assessed for rating migration
(upward or downward movement) throughout the loan life cycle.
2.13 Following Risks can arise in Risk Assessment with respect to data furnished:


(a) Changes in operating environment. Changes in the regulatory or operating
environment can result in changes in competitive pressures and significantly different
risks.
(b) New personnel. New personnel may have a different focus on or understanding of
internal control.
(c) New or revamped information systems. Significant and rapid changes in information
systems can change the risk relating to internal control.
(d) Rapid growth. Significant and rapid expansion of operations can strain controls and
increase the risk of a breakdown in controls.
(e) New technology. Incorporating new technologies into production processes or
information systems may change the risk associated with internal control.
(f) New business models, products, or activities. Entering into business areas or
transactions with which an entity has little experience may introduce new risks
associated with internal control.
(g) Corporate restructurings. Restructurings may be accompanied by staff reductions and
changes in supervision and segregation of duties that may change the risk associated
with internal control.
(h) Expanded foreign operations. The expansion or acquisition of foreign operations
carries new and often unique risks that may affect internal control, for example,
additional or changed risks from foreign currency transactions.
(i) New accounting pronouncements. Adoption of new accounting principles or changing
accounting principles may affect risks in preparing financial statements.
CASE STUDY- 3
M/s. ABC Spinning Mills Limited is an unlisted company founded in the year 2003. It procures
cotton yarn from the ginneries and manufactures cone yarn, which is mainly used by power loom
textile sector. The company also exports the cotton yarn to neighboring countries such as
Bangladesh, Nepal and Sri Lanka. The sale bills are raised in the respective currencies of such
countries.
The company is situated in a total area of 45 acres, out of which, 20 acres are lying vacant. It
has a fixed deposit of ₹ 10 crores with a bank and has secured an overdraft limit of ₹ 5 crores
against the same. The average utilization on the OD was ₹ 3 crores during the Financial Year
2018-19.
The Board of directors decided to effectively utilize the vacant land and surplus funds and
construct an additional manufacturing unit to manufacture polyester yarn by the end of March,
2020. The Board also considered the possibility of going for public issue. A consultant was
appointed to go through the above proposals and provide his opinions.


The consultant came out with the following observations/suggestions:


• It was suggested to have the product mix of manufacturing 70% cotton yarn and 30%
polyester yarn from 1st April, 2020. The estimated earnings before interest and tax for the
cotton yarn and polyester yarn would be ₹ 2 crores and ₹ 30 lakhs respectively for the FY
2020-21. The above product mix was suggested after studying the market demand of
polyester yarn.
• The project would cost a total of ₹ 30 crores. A 10-year bank term loan of ₹ 20 crores
@12% to be obtained and the balance to be raised from the existing shareholders. It was
also suggested to fully utilise the OD to meet the working capital requirements in future.
• New machinery, which are fully automated and computer controlled, to be purchased from
a London based company. The company requires a letter of credit (unfunded) towards the
same. The above machinery uses the latest technology and is based on intuitive machine
learning.
• Based on the market study, it was observed that the existing customers would also buy
the polyester yarn.
• At present, the pollution level was above the tolerable industry level, resulting in increased
bronchitis problems among the workers and the company had spent an additional amount
of ₹ 20 lakhs towards medical expenses of 48 workers. It was observed that workers who
were affected did not wear the face masks regularly.
• The roof of the stock storage facility did not have proper protection against various weather
conditions. The loss on account of the same was ₹ 10 lakhs during the FY 2018-19. The
renovation of the facility is estimated to cost ₹ 1 crore. An additional loan, repayable
at the end of one year, from bank to be obtained at an interest of 14%.
• The company did not receive insurance compensation towards the additional amount spent
on medical expenses and the stock loss incurred.
• To provide a monthly advance of ₹ 10 lakhs to each of the eight agricultural co-operative
societies, where the cotton growing farmers are members. Such advance would be
adjusted in the subsequent month against the purchases made from the respective
societies. This step is taken to ensure continuous supply and reduce the volatility in prices
of raw materials.
• A new comprehensive ERP software to be installed covering both the existing and future
operations.
• The managers in charge failed to oversee the controls involved in the operations, which
resulted in control failures in various activities.

18 FINAL (NEW) EXAMINATION: MAY 2019

• The exchange rate fluctuated resulting in reduction of anticipated selling prices on export
sales made to foreign countries. Few foreign buyers of a particular country did not pay their
dues, citing violence in their country.
• Due to stiff competition, the company is forced to sell some varieties of yarn manufactured,
below the cost price. It was observed that existing machinery used in manufacturing, where
regular maintenance was not done, required reconditioning so as to have better
productivity. This could involve an additional cost of ₹ 2 crores.
• In view of the above observations, the consultant suggested to address the above issues,
assess and evaluate the risks faced and then proceed with the proposal to go in for public
issue. The board of directors has taken note of the risks and has decided to address
these by appropriate consideration at their level.
As the risk management consultant, you are required to assist the management in answering
the following questions raised by them.
Multiple Choice Questions. Each question carries 2 marks.
Choose the correct answer in the following:
3.1 A software error, in the automated computer-controlled imported machinery, in case of raw
material may lead to wasted production.
This would more LIKELY be called as:
(A) Operational Loss
(B) Business Disruption Loss
(C) Propagation Error Loss
(D) Program Error Loss
3.2 From the present and proposed operations of the company which of the following is NOT
an opportunity risk?
(A) purchase of new machinery
(B) diversifying into new products
(C) payment of purchase advance
(D) stiff competition faced by the company
3.3 The company's proposal for the new project would be LEAST likely to have the specific risk
of:
(A) error of estimation in resources and allocation
(B) completion of the project in scheduled time

(C) estimation of cash flows
(D) regulatory restrictions on industry
3.4 The determining of the risks that might impact the timely completion of the project would
be done MOSTLY as a part of:
(A) Risk Management Planning
(B) Risk Identification
(C) Quantitative Risk Analysis
(D) Qualitative Risk Analysis
3.5 The bank while appraising the proposal for the term loan would verify the stature of the
directors with respect to the following, EXCEPT:
(A) verify that the name of the director appears in the list of defaulters by way of reference
to his DIN
(B) use independent source of confirmation of identity of the director, in case of doubt
(C) verify the ability to infuse further capital by the directors for the expansion of business
(D) review of director’s status as Politically Exposed Persons (PEPs)
3.6 In the product mix, EBIT would increase by 4% for every increase of 10% of manufacturing
cotton yarn and a decrease of ₹ 10 lakhs for every decrease of 10% in manufacturing of
polyester yarn. Which of the following would be the ideal mix of cotton yarn and polyester
yarn products?
(A) 70% : 30%
(B) 80% : 20%
(C) 90% : 10%
(D) 100% : 0%
3.7 Out of the workers affected with bronchitis, 50% are aged over 49 years. The probability
of catching bronchitis was 75% of the workers, who did not regularly wear face masks. The
ratio of the men and women workers affected was 3:1. How many women workers, aged
less than 50 years, did not regularly wear the face masks?
(A) 6
(B) 8
(C) 16
(D) 24


3.8 When deciding on the selection of maintenance policies of the machinery, the same should
be based on:
(A) minimizing the potential consequences
(B) some form of Monte Carlo analysis
(C) reliability instead of risk
(D) risk instead of reliability
3.9 The economic risks faced by the company would be LEAST likely to include which of the
following?
(A) disruptions in a production process
(B) lapsing of deadlines for construction of a new operating facility
(C) payment of contractual penalties for delayed sales
(D) hike in the price for raw materials
3.10 The default by the foreign buyers could have been avoided, if the company referred to the:
(A) Global Peace Index
(B) Gini Coefficient Index
(C) Delinquency Index
(D) Democracy Index
(10 x 2 Marks = 20 Marks)
Descriptive Questions on CASE STUDY:
3.11 The movement of data to the proposed ERP system would involve certain operational risks
to be addressed. Describe the points that have to be covered in such deployment exercise.
(4 Marks)
3.12 What issues would the board of directors consider and what questions would they ask in
addressing the present and future risks of the company at the board level? (4 Marks)
3.13 Briefly discuss the role of risk assessment with respect to financial reporting. (2 Marks)
3.14 One way of completely or partially offsetting the exposure from the fluctuations in the prices
of foreign currencies would be to raise the sale bills in Indian currency without affecting
the transaction costs. Explain the same. (4 Marks)
3.15 The Bank while extending loan facilities to the company would be facing a number of risks
such as refusal or inability of the company to pay the loan partially or in full or in time.
Briefly describe the internal and external factors affecting such risks. (4 Marks)
3.16 Suggest the types of countermeasures for vulnerabilities faced by the company while
assessing and evaluating risks. (2 Marks)


3.17 The company at present is facing a number of risks. There are also some indirect risks that
the company may be necessitated to face. Enumerate them. (4 Marks)
3.18 Briefly enumerate the risks of dealing with the buyers of a foreign country, in which there
are changes in the political scenarios as well as adverse decisions taken by the ruling
Government of that foreign country. (4 Marks)
3.19 Briefly explain the risk mitigation process in providing the letter of credit facility to the
company. (2 Marks)
Answer Case Study 3
Multiple Choice Questions
3.1 (A)
3.2 (D)
3.3 (D)
3.4 (B)
3.5 (C)
3.6 (A)
3.7 (A)
3.8 (D)
3.9 (C)
3.10 (A)
3.11 Points to be covered before deployment of the ERP system:
• Data, both dynamic and static
• Functionality mapping from old to new system, and any changes to be adequately
familiarised within user groups
• Exception reports that could help track any incorrect migration points
• User acceptance test scripts to be intelligent enough to enable the usage of the new
system after adequate granular review
• An emergency roll back plan in case some significant unpredictable issue comes up
in migration deployment.
• An auditor or operational risk manager is required to carry out a review of the data
integrity and the functionality of the systems that have an impact on the financials of
the organisation. This risk is not only restricted to financial reporting, but any risk that
could jeopardise the business process, including regulatory, financial and other risks.


3.12 The following are some of the issues that directors may have to consider and the questions
they should ask:
A degree of risk is inevitable in business operations. To obtain higher returns, innovate
and secure market leadership one may need to adopt a higher risk strategy. Not innovating
and being risk averse can result in the stagnation of the enterprise. A Board should
establish and communicate its risk appetite and agree to the level of risk it is prepared to
accept in different areas of corporate operation. Which stakeholder should be involved and
how should they be engaged? Does the risk culture of the board match that of the
organization and its aspirations? If not, what changes are required and how might they be
brought about?
What are the risk oversight functions of the board and how effectively are they being
discharged? For example, is annual reporting of risk to shareholders fair and balanced?
Would confidence accounting present a clearer picture? Within the governance structure,
what arrangements have been made for risk governance which involves setting a strategy
and policies for the management of risks and monitoring the performance of those to whom
risk and security responsibilities are delegated?
Policies could cover the transfer of risk, such as whether or not to hedge or insure against
certain risks, depending upon the costs and practicalities involved. They could establish
criteria and thresholds for reporting and guiding management responses. Directors need
to ensure effective processes and practices are in place for the identification and
management of risks. How complex and comprehensive do these need to be once the
most likely and significant risks have been addressed?
Assumptions and business models should be periodically challenged. An assessment of
the implications, consequences and dependencies of certain corporate strategies, policies
and projects might reveal exposure and vulnerability. Corporate systems and processes
need to be sufficiently resilient to be able to withstand the simultaneous materialization of
multiple risks.
3.13 A direct relationship exists between the degree of risk that a significant deficiency or
material weakness could exist in a particular area of the company's internal financial
controls over financial reporting and the amount of audit attention that should be devoted
to that area. In addition, the risk that a company's internal financial controls over financial
reporting will fail to prevent or detect a misstatement caused by fraud usually is higher than
the risk of failure to prevent or detect error.
The auditor should focus more of his or her attention on the areas of highest risk. On the
other hand, it is not necessary to test controls that, even if deficient, would not present a
reasonable possibility of material misstatement to the financial statements. The complexity
of the organisation, business unit, or process, will play an important role in the auditor's
risk assessment and the determination of the necessary procedures.


3.14 Yes, raising of sale bills in Indian Currency avoids foreign exchange exposure. But buyers'
preferences may be for other currencies. Many markets, such as oil or aluminium, in effect
require that sales be made in the same currency as that quoted by major competitors,
which may not be the seller's own currency.
In a buyer's market, sellers tend increasingly to invoice in the buyer's ideal currency. The
closer the seller can approximate the buyer's aims, the greater chance he or she has to
make the sale.
Should the seller elect to invoice in foreign currency, perhaps because the prospective
customer prefers it that way or because sellers tend to follow market leader, then the seller
should choose only a major currency in which there is an active forward market for
maturities at least as long as the payment period. Currencies, which are of limited
convertibility, chronically weak, or with only a limited forward market, should not be
considered.
The seller’s ideal currency is either his own, or one which is stable relative to it. But often
the seller is forced to choose the market leader’s currency. Whatever the chosen currency,
it should certainly be one with a deep forward market. For the buyer, the ideal currency is
usually its own or one that is stable relative to it, or it may be a currency of which the
purchaser has reserves.
3.15 The Internal and External factors affecting the risks such as refusal or inability to pay the
loan partially or in full or in time are as follows:
(i) Internal Factors: These factors are internal to the bank, some of these are as follows:
(a) Concentration of credit in particular geographical locations or business
segments.
(b) Excessive lending to a particular industry that is subject to cyclical fluctuations.
(c) Ignoring the purpose for which loan was sought by the customer.
(d) Poor Quality or Liberal Credit Appraisal while granting the loan.
(e) Absence of efficient recovery mechanism.
(ii) External Factors: These factors are external to the bank and beyond its control.
These factors not only impact the profitability of the borrower but also affect its
repayment capability. Some of such external factors are as follows:
(a) Fluctuation in Exchange Rate.
(b) Change in Govt. Policies.
(c) Fluctuation in Interest Rates.
(d) Change in Political Environment of the own country.
(e) In case of a foreign project, change in Country Risk profile.


3.16 Following are the countermeasures for vulnerabilities:


(i) Deterrent controls reduce the likelihood of a deliberate attack.
(ii) Preventative controls protect vulnerabilities and make an attack unsuccessful or
reduce its impact.
(iii) Corrective controls reduce the effect of an attack.
(iv) Detective controls discover attacks and trigger preventative or corrective controls.
3.17 Following are indirect risks the company may be facing:
• If your suppliers are affected, you may run out of the products you sell, or the
materials you need to make products.
• If your customers are personally affected their priorities may change and you could
experience a reduced demand for your products or services.
• If your general location is affected, you and your customers may not be able to access
your premises, or your utilities could be affected.
• For example, you could lose power, which could mean you:
❖ will not be able to operate your business;
❖ may need to throw out any perishable goods and replace them, which can be
costly.
3.18 Risks of dealing with the buyers of a foreign country, in which there are changes in the
political scenario as well as adverse decision taken by the ruling Government of that
country are as follows:
(i) Nationalisation or Expropriation Risk: This is the most common form of risk, wherein the host
country takes over the business of MNCs without or with inadequate compensation.
(ii) Exchange Control Risk: This form of risk prevents MNCs from converting their
earnings from local currency to foreign currency to repatriate them to the home country
of the MNCs. Due to this restriction, investors in the MNCs' business also suffer a lot.
(iii) Taxes, Rule and Regulation Risk: This risk arises mainly due to a sudden or dramatic
change in the Rules and Regulations governing the host country. These sudden changes
can take any of the following forms:
• Unanticipated increase in tax rates applicable for MNCs operating in the host
country.
• Compulsion to hire local workforce.
• Compliance with stricter environmental standards.


(iv) Inefficient Legal System: A high level of red tapism and corruption at local and higher
levels poses a serious risk for MNCs operating in the host country, as it leads to
uncertainty and high cost of operation.
(v) Repudiation of Contracts: This type of risk arises on account of revocation of earlier
awarded turnkey projects by the Government of the host country without adequate
consideration and damages. This risk is also called indirect expropriation risk.
3.19 Following are the different types of credit risk mitigation methods in the process of
providing the Letter of Credit (if fully funded):
(a) On Balance Sheet Netting: On balance sheet netting of mutual claims/reciprocal cash
balances between the bank and the counterparty creates effective security and
collaterals.
This norm can accordingly be recognised as an acceptable form of credit risk mitigation; in order
to take into account a funded credit risk mitigation, the underlying arrangement has to go
through the legal test.
(b) Collateral: The assets/security which are retained or deposited with the bank against
grant of any loan advances, debt or credit lines. The typical examples are:
• Cash or cash equivalents – Cash or Hand loans
• Gold Pledging
• Corporate Debt Securities
• Debt securities issued by banks, local authorities and certain other entities which
meet stated credit quality criteria;
• Short term debt securities with an acceptable rating;
• equities or convertible bonds listed on the various indices
• units in a collective investment scheme such as mutual funds, provided that they
have a daily price quotation and invest only in instruments which are themselves
eligible for recognition as specified under the by-laws.

May 2019 Question Paper Query Sheet
Case Study 1
Multiple Choice Questions:

1.1- Refer page no. 6.31+6.32 of ICAI SM.


1.2- A simple answer from old chapter 4 of ICAI SM.
1.3- Common sense + Conceptual answer
1.4- Refer page no. 2.05 of ICAI SM.
1.5- Refer page no. 8.07 of ICAI SM.
1.6- Conceptual + Common sense.
1.7- Refer page no. 9.10 of ICAI SM.
1.8- Refer page no. 11.05 of ICAI SM of SFM (Interest Rate Risk chapter).
1.9- Refer page no. 5.11 of ICAI SM.
1.10- Refer page no. 3.07 of ICAI SM
Descriptive Questions on Case Study:

1.11- Direct answer from page no. 7.03+7.04 of ICAI SM.


1.12- Direct answer from page no. 1.16 of ICAI SM.
1.13- Direct answer from page no. 5.16 of ICAI SM. (Country Risk Assessment)
1.14- Direct answer from page no. 7.02 of ICAI SM.
1.15- Direct answer from page no. 6.32 of ICAI SM. (Cash Flow Analysis)
1.16- Simple calculation based question based on basic concepts.
1.17- Direct answer from page no. 1.21+1.22 of ICAI SM.(Safety Risks)

Case Study 2
Multiple Choice Questions:

2.1- Refer page no. 9.01 of ICAI SM.

2.2- Refer page no. 1.13 of ICAI SM

2.3- Refer page no. 2.19 of ICAI SM

2.4- Direct answer based on the formula on page no. 6.03+6.04 of ICAI SM

2.5- Refer page no. 2.17 of ICAI SM

2.6- Refer page no. 3.04 of ICAI SM

2.7- Common sense + old chapter 4 of ICAI SM.

2.8- Refer page no. 6.16 of ICAI SM



2.9- Refer page no. 7.03 of ICAI SM

2.10- Concept-based; but manageable.

Descriptive Questions On Case Study:

2.11- Direct answer from page no. 2.14+3.04 of ICAI SM

2.12- Direct answer from page no. 6.15+6.16+6.18 of ICAI SM (Credit Ratings)

2.13- Direct answer from page no. 7.07 of ICAI SM.

Case Study 3
Multiple Choice Questions:

3.1- Concept-based; Anything related to a fault in the process will have operational risk involved.

3.2- Refer page no. 1.17+1.18 of ICAI SM.

3.3- Refer page no. 8.03 of IPCC chapter.

3.4- Conceptual answer based on the matter given on page 3.06 of ICAI SM.

3.5- Refer page no. 6.15 of ICAI SM.

3.6- Case study Based

3.7- Based on the case study and ICAI old chapter 4 concept

3.8- Refer page no. 1.09 of ICAI SM.

3.9- Refer page no. 1.07 of ICAI SM.

3.10- Global Peace Index is derived from key information such as level of crimes, violence. Thus it
helps understand the default by the foreign buyers.

Descriptive Questions on Case Study:

3.11- Direct answer from page no. 9.20 of ICAI SM.

3.12- Direct answer from page no. 7.16 of ICAI SM.

3.13- Direct answer from page no. 7.07 of ICAI SM.

3.14- Direct answer from page no. 9.22 of ICAI SM SFM FOREX chapter.

3.15- Direct answer from page no. 6.04 of ICAI SM.

3.16- Direct answer from page no. 2.08 of ICAI SM

3.17- Related to a case study; Manageable (Types of risks faced by the company)

3.18- Direct answer from page no. 5.15 of ICAI SM

3.19- Direct answer from page no. 6.10 of ICAI SM



Test Series: October 2019
MOCK TEST PAPER 1
FINAL (NEW) COURSE: GROUP – II
PAPER – 6A: RISK MANAGEMENT
CASE STUDY: 1
ABCD Ltd. is a diversified business group. The consolidated Balance Sheet, Statement of Profit & Loss and
Cash Flow Statement of ABCD Ltd. prepared in analytical format are given below:
Customer Name: ABCD LTD. INR (Rs.) Thousand
31-Mar-18 31-Mar-19
12 months 12 months
BALANCE SHEET
CORE ASSETS
TOTAL FIXED ASSETS (A) 222,301 214,666
TOTAL CURRENT ASSETS (B) 763,428 679,539
TOTAL CURRENT LIABILITIES (C) 395,337 382,908
OPERATING CAPITAL EMPLOYED (A) + (B) – (C) 590,392 511,297
TOTAL NON-CORE/NON CURRENT ASSETS (D) 71,621 70,838
OVERALL CAPITAL EMPLOYED (A) + (B) - (C) + (D) 662,013 582,135
CAPITAL STRUCTURE
Ordinary Share capital 20,000 20,000
Profit and Loss Account 98,278 61,549
Other Reserves 35,080 36,303
Contribution from shareholders 202,248 202,248
Less: Intangibles -12,112 -9,620
TANGIBLE NET WORTH (E) 343,494 310,480
Minorities 53,422 62,929
Provisions/Other Long Term Liabilities 61,790 56,445
OTHERS (F) 115,212 119,374
EXTERNAL FINANCE (G)
Bank O/D and Short Term Loans 203,307 152,281
OVERALL CAPITAL EMPLOYED (E) + (F) + (G) 662,013 582,135
Contingent Liabilities 101,000 131,977
Capital Commitments 52,500 50,000

PROFIT AND LOSS ACCOUNT


Sales 1,446,791 1,469,762
Less: Cost of Goods Sold -1,117,664 -1,132,857
GROSS PROFIT 329,127 336,905
Less: Distribution and Selling costs -156,049 -160,370
Less: Administration Costs -114,623 -106,887
OPERATING PROFIT 58,455 69,648
Share of Profit of Associate Companies 2,030 10,059
Other Income 24,819 13,703
PROFIT BEFORE INTEREST AND TAX 85,304 93,410
Less: Interest Expense -7,619 -4,777
PROFIT BEFORE TAX 77,685 88,633
Less: Taxation Charge -6,500 -6,500
PROFIT AFTER TAX 71,185 82,133
Minorities -11,976 -16,583
PROFIT AVAILABLE FOR APPROPRIATION 59,209 65,550
Additional Information [All amounts in Rs. 000s] :
Turnover comprises: Equipment and Automotive: 28680, Consumer Products: 71400,
Industrial Products: 29800 and Office Equipment: 17100.
Largest inventory item was trading inventory and finished goods, which towards 2019-end, decreased to
19100 (22200 as at 31st March, 2018).
Similarly, the figures of Trade Debtors and Creditors were as follows:
31-Mar-18 31-Mar-19
Trade Debtors 366246 308547
Trade Creditors 217121 230476
Shareholders had purchased long outstanding government receivables, amounting to 4900 of a group
company to improve its cash flows. Unused bank facilities as at 31st March, 2019 were 16800.
Sales growth of year 2019 is almost in line with the previous years. Trading inventory and finished goods as
at 31st March, 2019 was 19100 (22200 as at 31st March, 2018).
Descriptive Questions
1.1 Based on the calculation of major financial ratios, prepare a brief analytical report deriving the
financial risk involved covering areas of Performance, Profitability, and Working Capital Management
etc.
Your answer should be supported with relevant workings. (15 Marks)
Multiple Choice Questions. Each Question carries 2 marks.
Choose the correct answer in the following Multiple Choice Questions
1.2 While uncertainty means the existence of more than one possibility, risk is a state of uncertainty where
some of the possibilities may involve an undesirable outcome. Which one of the following statements
correctly describes the above statement?
(A) One may have uncertainty without risk but risk without certainty.
(B) One may have uncertainty without risk but risk without uncertainty.
(C) One may have uncertainty without risk but not risk without certainty.
(D) One may have uncertainty without risk but not risk without uncertainty.

1.3 In respect of an organization, Reputation risk means
(A) Risk of possible financial loss to the organization.
(B) Risk of a failure which may lead to violation of the regulatory requirements that the organization
is supposed to comply with.
(C) Risk of the organization's reputation in public view which is a key concern in engaged media and
social media.
(D) None of the above.
1.4 Which one is an external factor in respect of risks for an insurance company?
(A) Financial position
(B) Machine failure
(C) Staff Morale
(D) Earthquake
1.5 If Risk rating is 5, then the risk is called
(A) Severe
(B) High
(C) Moderate
(D) Low
1.6 RAROC is
(A) Return on capital adjusted for inflation.
(B) Risk-based profitability measurement framework.
(C) Return on gilts
(D) None of the above
(2 x 5 = 10 Marks)
CASE STUDY: 2
Ms. X is new to operational risk management. While analysing the risks of an established airline based on
the Risk Grading /Rating model, she identified the following risks:
(1) Stagnant business growth resulting from competition from other airlines.
(2) Aggressive fleet expansion, which may lead to over-capacities. There are about 170 aircraft under
order, which could also result in massive financial commitments. A comprehensive feasibility study has
been shared by the Company, justifying the expansion strategy.
(3) Safety standards resulting in crash/disastrous hijacking.
(4) Volatile oil prices. There is a risk of failure to address adequately the challenges of fluctuating oil
prices. Whilst it is usually rising oil prices that hurt airlines, during 2008, several airlines suffered
significant hedging losses as the hedging strategies went awry, when oil prices plummeted from $147
p/b in July 2008 to $35-40 p/b level.
Descriptive Questions
2.1 Please help Ms. X to classify the above risks, by giving a report to her. (15 Marks)

Multiple Choice Questions. Each Question carries 2 marks.
Choose the correct answer in the following Multiple Choice Questions
2.2 One of the principles of Basel Committee on Banking Supervision Principles for sound stress testing
practices and supervision is:
(A) Stress testing should form an integral part of the overall governance and risk management
culture of the bank.
(B) Stress testing should be done in case of mergers or take overs only.
(C) Stress testing should be done at the direction of Reserve Bank of India only.
(D) None of the above
2.3 Gini coefficient is an index to measure a country's:
(A) level of corruption.
(B) inequality in income distribution.
(C) level of crimes, violence, military expenditure.
(D) None of the above
2.4 The following one is a financial risk:
(A) The cash flow of an issuer will not be adequate to meet its financial obligation.
(B) A fisherman starting a sea voyage on fishing expedition.
(C) An infant climbing on a window pane.
(D) A student writing the examination.
2.5 If a long term instrument is rated as "B", this means that instrument carries:
(A) Highest Safety
(B) High Risk
(C) Very High Risk
(D) None of the above
2.6 As per the RBI's framework, SMA (Special Mention Account) with sub category 1 (SMA-1) denotes:
(A) Principal or interest payment overdue between 31-60 days.
(B) Principal or interest payment overdue between 61-180 days.
(C) Principal or interest payment not overdue for more than 30 days.
(D) None of the above
(2 x 5 = 10 Marks)
CASE STUDY: 3
You have been recently appointed as Chief Risk Officer of a company which is in Steel Castings business.
Name of the Company is ABC Electro Steel Castings Ltd. [in short, ABC].
You have been told that ABC is fully committed to strengthen its risk management capability on continuous
basis in order to protect and enhance shareholder value. You have been told that the risk management
framework ensures compliance with the requirements of amended Clause 49 of the Listing Agreement. The
framework establishes risk management processes across all businesses and functions of the Company.
These processes are periodically reviewed to ensure that the Management controls risks through properly
defined framework.

You are also made aware that the Company has already undertaken an extensive Risk Management effort
that includes introducing Risk Management Manual, compiling a comprehensive profile of the key risks to
the Company, identifying key gaps in managing those risks and developing preliminary action plans to
address those risks. This effort accomplishes the following goals:
• responds to the Board's need for enhanced risk information and improved mitigation plan;
• provides the ability to prioritize, manage and monitor the risk in the business; and
• formalizes the explicit requirements for assessing risks on an ongoing basis, including an effective
internal control and management reporting system.
You are also given information that the Company uses raw materials to manufacture the steel castings. It is
faced with the threat of pressure on margins on sales. To counter the threat, the Company has taken
various steps which include backward integration which comprises coal mines and iron mines, and
brownfield expansions, e.g. sinter plant, sponge iron plant, coke oven plant, power plant from waste heat
recovery. It also set up an R & D to expand its manufacturing capacities with a view to control costs.
You came to know that the Company is ISO-140001-2004 certified and is adhering strictly to the emission
norms applicable for industry.
You are also told that with the thrust given by Government of India on water and water related projects and
with the estimated growth in water requirement, the demand of DI Pipes is expected to grow substantially
and the Company is confident of retaining its market share.
Labour relations have been excellent throughout the year in spite of a number of unions. It is the result of
such cordial and harmonious relations that not a single man-day has been lost in the last 8 years. The
Company believes that labour relations will continue to remain excellent.
Descriptive Questions
3.1 Now, you have been asked to give a report to the Company's Management, which should contain the
key risks affecting the Company. (15 Marks)
Multiple Choice Questions. Each Question carries 2 marks.
Choose the correct answer in the following Multiple Choice Questions
3.2 An excess payment made to a vendor, which is accounted correctly, would be categorized under
which of the following risks?
(A) Financial Reporting risk
(B) Legal risk
(C) Reputation risk
(D) Financial risk
3.3 In Information Technology General Controls, under change management, the risk of incorrect change
is NOT mainly due to
(A) Change being wrongly conceived by the user groups
(B) Change control audit trail not maintained
(C) Change is wrongly executed
(D) Change being carried out without approvals
3.4 Annual Report of the Board of Directors must include a statement indicating the development and
implementation of a risk management policy for a company. This is mandated by
(A) SEBI through 'Issue of Capital and Disclosure Requirements Regulations'

(B) Information Technology (Amendment) Act, 2008
(C) Companies Act, 2013
(D) Prevention of Money Laundering Act, 2002.
3.5 While taking a decision, the category risk profile bucket that would most likely escape the attention of
the Management is
(A) High Impact-Low Probability
(B) Low Impact-Low Probability
(C) High Impact-High Probability
(D) Low Impact-High Probability
3.6 Governance risks mean significant deficiencies that can impact the reputation, existence and
continuity of the organization. Such deficiencies would NOT occur because of
(A) Inappropriate practices adopted by the Board
(B) Inability of the Board to identify trivial risk facts that can impact business continuity
(C) Failure of the Board to direct and control the organization
(D) Collusion of management to override significant internal control mechanism causing financial
losses (2 x 5 = 10 Marks)
CASE STUDY: 4
ABC Co. Ltd. is a manufacturing company and is listed. It has 10000 workers and 1200 employees. The
Company is subject to Ind AS 19 in respect of its employee benefits which include gratuity.
Ind AS 19 is an Accounting Standard applicable to companies which are required to measure and disclose
the amount of accrued liability (Present Value of Benefit Obligation) in respect of employee benefits in
statements of accounts.
As per the Accounting Standard, the accrued liability in respect of employee benefits can be determined
using actuarial principles. Accordingly, the Company engaged an actuary for the purposes of the Ind AS 19.
The Company is liable to make payment of gratuity benefit to its employees as per Payment of Gratuity
Act, 1972. As per the Act, the gratuity benefit is determined using a formula, which is [15/26] x monthly
salary (which is relevant for gratuity calculation) x number of completed years of service at the date of
cessation of service of the employee. There are terms and conditions mentioned in the Act for payment of
gratuity benefit, with which the company is required to comply.
The Company engaged Mr. X, a consultant actuary, to get the actuarial reports certified by Mr. X as per
Ind AS 19 for the last two years.
After submission of the actuarial report by Mr. X, in the third year, Auditors (who were recently appointed by
the Board) observed that Mr. X does not hold any certificate of fellowship issued by the Indian Actuarial
professional body. They pointed out and qualified the Accounts in their Auditors' Report. They also
observed that Mr. X's reports were accepted during the last two years.
Since the Management is worried over GRC (Governance, Risk and Compliance), the CRO (Chief Risk
Officer) was asked to address the issue pointed out by the Auditors and submit a report to the Company
giving details of the risks and how they can be mitigated.
Descriptive Questions
4.1 Now, you are recently appointed as the CRO and you are asked to draft the Report to be submitted to
the Board, and the Report should include:
(a) What is the type of risk the Company is subjected to?
(b) What is the impact of the risk on the Company's performance? (15 Marks)
Multiple Choice Questions. Each Question carries 2 marks.
Choose the correct answer in the following Multiple Choice Questions
4.2 A FICO score of 750 means:
(A) 1% of chance of default
(B) 2% of chance of default
(C) 8% of chance of default
(D) 61% of chance of default
4.3 Automated controls are dependent on a:
(A) Manual check
(B) Predefined system check
(C) Predetermined check
(D) None of the above
4.4 The following is the Section of the Companies Act, 2013 that instructs that the Audit Committee shall
review the risk management procedures implemented by the Management:
(A) 177
(B) 134
(C) 315
(D) None of the above
4.5 The following aspect does not indicate the risk maturity of an organization:
(A) Business objectives are defined and communicated across the organization.
(B) Risk appetite is defined and communicated across the organization.
(C) Control environment is strong including tone from the top.
(D) None of the above
4.6 Brexit impact scenario has the following associated principal risk:
(A) Brand, Reputation and Trust
(B) Data Security and Data Privacy
(C) Political, Regulatory and Compliance.
(D) None of the above (2 x 5 = 10 Marks)
CASE STUDY: 5
Good Morning Ltd. is a start-up company specializing in three-dimensional modelling and solutions. The
brainchild behind the company is Mr. Good and Morning who formulated the idea of providing 3D solutions
to mid engineering is and engineers.
Before the foundation of the company, the founders hired a consultant to study the feasibility of the project
whether they could establish various branches in major cities across the country and offer solutions
throughout the country and also ex- to select EU and US regions. The consultant after analysing all the
aspects of a feasibility study including technical, economic and financial concluded that the project is
feasible if the market is tapped within the next 18 months. He had employed various statistical techniques
and tools in his detailed analysis.
For the purpose of formation of the company, the founders sold their idea and raised Rs. 20 crores by way
of bank loan from Bank of London. Terms of the loan are as follows:
Loan Amount – Rs. 20 crores
Rate of Interest – 11.25 percent
Tenure – 10 Years
They provided a joint property as collateral security for an equivalent amount. Further, they also pooled Rs.
10 crores from known sources, from a foreign country. In order to safeguard their investment in the
company, the foreign investors wanted a report on:
(i) RBI's guidelines on Credit Default Swap (CDS),
(ii) How the Basel II norms were applied in the Indian banking sector and the risk management measures
with regard to loans sanctioned by them,
(iii) risk appetite of the management,
(iv) how various risks are addressed by management,
(v) forming of risk management committee by the company
(vi) uncertainties existing in the industrial climate,
(vii) periodic audits to be carried out and
(viii) the BCP mechanism
Expected revenues of the company are as follows:
2020-21 - Rs. 18 crores
2021-22 - Rs. 27 crores
2022-23 - Rs. 32 crores
10% p.a. growth thereafter.
Also, the founders were informed that the key to measure the success of the project is proper accounting. An
ERP was implemented to record the financial transactions and several controls were put in place to
prevent/detect any undesired events from occurring.
Recently Mr. Good learnt from a journal that organizations possessing details of EU citizens must comply
with the stringent GDPR regulations. In case the organization needs to comply with GDPR, there should be
a proper framework built in the organization.
Further they learnt that the Companies Act 2013 requires a company's Board to develop and implement a
proper risk management policy to identify those risks that cause a doubt on the going concern assumption
of the company.
The company was keen to adopt sound Risk Governance Practices as well as the company grows.
However, a major risk that the company faces is the technology that constantly changes.
The company has planned to provide solutions to customers located abroad as well. In that case, the
company would be receiving the foreign currency.
The founders are worried about the volatility of the market and thus would like to cover their exposure by
taking an appropriate position in the market.

Descriptive Questions
5.1 Based on the above scenario, answer the following questions:
(a) Explain briefly the key features of Reserve Bank of India guidelines on CDS. (6 Marks)
(b) Differentiate between Credit Insurance and Credit Default Swaps. (6 Marks)
(c) Explain the methods of Estimating Probability of Credit Default. (3 Marks)
Multiple Choice Questions. Each Question carries 2 marks.
Choose the correct answer in the following Multiple Choice Questions
5.2 Before commencement of the project, various risks factors have to be considered for feasibility study.
In a case where a project feasibility is based on a particular land acquisition and the cost of treating it
in terms of legal fees is much higher, the appropriate recommendation the consultant would provide is
to:
(A) Terminate the Project
(B) Treat the Project
(C) Transfer the Project
(D) Continue the Project
5.3 The Delphi technique is a method which involves getting opinion on a process
(A) From an Individual
(B) From Group of Individuals
(C) From Regulator
(D) None of the above
5.4 Which of the following is not an Internal risk?
(A) Economic factors as price fluctuations, changes in consumer preferences, inflation, etc.
(B) Technological factors unforeseen changes in the techniques of production or distribution resulting
into technological obsolescence etc.
(C) Physical factors such as fire in the factory, damages to goods in transit, etc.
(D) Human factors as strikes and lock-outs by trade unions; negligence and dishonesty of an
employee; accidents or deaths in the factory etc.
5.5 The concept of risk-based maintenance is an advanced form of:
(A) Probability Centered Maintenance
(B) Risk Centered Maintenance
(C) Control Centered Maintenance
(D) Reliability Centered Maintenance
5.6 Operational risk is an overarching concept interrelated with
(A) Several other types of risk, and can be viewed in isolation.
(B) Several other types of risk, and can be viewed with no financial impact.
(C) Several other types of risk, and cannot be viewed in isolation
(D) None of the above (2 x 5 = 10 Marks)

Test Series: October, 2019
MOCK TEST PAPER 1
FINAL (NEW) COURSE: GROUP – II
PAPER – 6A: RISK MANAGEMENT
Solutions
Note: Please note these solutions are for guidance purpose only.
ANSWERS TO CASE STUDY: 1

1.1 Working Notes:

(a) Profitability Ratios

(i) Gross Profit Ratio = (Gross Profit / Sales) × 100
31.03.2018: (3,29,127 / 14,46,791) × 100 = 22.75%
31.03.2019: (3,36,905 / 14,69,762) × 100 = 22.92%

(ii) Net Profit Ratio = (Net Profit / Sales) × 100
31.03.2018: (85,304 / 14,46,791) × 100 = 5.896%
31.03.2019: (93,410 / 14,69,762) × 100 = 6.355%

(iii) Return on Capital Employed = (Operating Profit / Capital Employed) × 100
31.03.2018: (58,455 / 5,90,392) × 100 = 9.90%
31.03.2019: (69,648 / 5,11,297) × 100 = 13.62%

(b) Performance Ratios

(i) Inventory Turnover Ratio = Cost of Goods Sold / Closing Inventory
31.03.2018: 1,117,664 / 22,200 = 50.34 times
31.03.2019: 1,132,857 / 19,100 = 59.31 times

(ii) Debtor Turnover Ratio = Sales / Closing Debtors
31.03.2018: 14,46,791 / 3,66,246 = 3.95 times
31.03.2019: 14,69,762 / 3,08,547 = 4.76 times

(c) Liquidity Ratios

(i) Current Ratio = Current Assets / Current Liabilities
31.03.2018: 763,428 / 395,337 = 1.93 : 1
31.03.2019: 679,539 / 382,908 = 1.77 : 1
Analytical Report
To: The Management
From: Chief Risk Officer
Date: 15 October 2019
Subject: Analytical Report on Financial Risks Involved
Introduction
This analytical report covers Performance, Profitability, Working Capital Management, Liquidity
etc.
Performance: The performance of the company improved in the year ending 31.03.2019, as
the Inventory Turnover and Debtor’s Turnover Ratios have improved.
Profitability: So far as the profitability of the company is concerned, there is no improvement in
the Gross Profit Ratio, which is almost the same, though there is some improvement in the Net Profit
Ratio and Return on Capital Employed.
Working Capital Management: On this front the company is performing well, as the company is
reducing the investment in the stock or inventory. However, it appears that the company is not using
the available credit facilities from the supplier, as it is paying off the old payables.
Liquidity: From the Current Ratio it appears that the company enjoys a comfortable liquidity
situation.
Conclusion: Presently the company is not facing any major risk.
Signed/-
Chief Risk Officer
1.2 (D)
1.3 (C)
1.4 (D)
1.5 (C)
1.6 (B)
ANSWERS TO CASE STUDY: 2
2.1 Report to Ms. X
To: Ms. X
From: Chief Risk Officer
Date: 15 October 2019
Subject: Grading/ Bucketing of Various Risks
Introduction
This report covers grading/ bucketing of various identified risks by the client.
Grading of various Risks
(1) Stagnant business growth resulting from competition from other airlines.
Although this risk has a high impact, it has a low probability, as the investment involved in the Airline
business is very huge. Accordingly, this risk often skips the management’s decision, as these types of
events cannot be foreseen. Hence, this risk is bucketed in the category of ‘High Impact – Low
Probability’.
(2) Aggressive fleet expansion leading to over-capacities.
Since the Airline has already ordered 170 aircraft, there is a high probability that it will involve financial
commitments and the impact will also be high. Hence, this risk is bucketed in the category of ‘High
Impact – High Probability’ and it needs immediate and sufficient attention of management.
(3) Safety Standards resulting in Crash/ disastrous hijacking
Any crash or dangerous hijacking incidents will create negative publicity, poor image resulting in
a decline in revenue and similar consequences.
Whilst the probability is low, the strong impact ought to force the seeking of appropriate
mitigants. Hence, the impact is high and can be classified as ‘Low Probability – High Impact’. It
is suggested to ensure the adequacy of safety systems, to establish the average age of the
aircraft and if necessary, to seek the help of an external expert.
(4) Volatile Oil Prices
Oil price fluctuation is a business risk that has serious implications for the profitability of the
airline business. However, since this affects almost all competitors, the impact can be considered
as low and can be categorized as ‘Low Probability – Low Impact’.
Signed/-
Chief Risk Officer
2.2 (A)
2.3 (B)
2.4 (A)
2.5 (B)
2.6 (A)
ANSWERS TO CASE STUDY: 3
3.1 To: The Management
From: Chief Risk Officer
Date: 15 October 2019
Subject: Key risks affecting the company
This report covers some of the key risks affecting the Company, as illustrated below:
(a) Economic Risk: Due to increase in the cost of a number of inputs and raw materials used by the
Company, it is faced with the threat of pressure on margins on sales. To counter this, the
Company has taken various steps including backward integration which comprises own coal
mines and iron mines and brownfield expansions e.g. sinter plant, setting up sponge iron plant,
coke oven plant, power plant from waste heat recovery, upgrading and expanding manufacturing
capacities and increasing efforts on R&D. In addition, cost control measures are an ongoing
process.

To avoid price volatility for critical items, the company can attempt to enter into long term
contracts.
(b) Competitor Risk: The quality improvement efforts have established the brand image of the
product as the most preferred brand with the customers. With the thrust given by Government of
India on water and water related projects and with the estimated growth in water requirement, the
demand of DI pipes is expected to grow substantially, and the company is confident of retaining
its market share.
(c) Foreign Exchange Risk: Considering the large export and imports of raw material, the Company
is exposed to the risk of fluctuation in the exchange rates.
The Company has adopted a comprehensive risk management review system wherein it actively
hedges its foreign exchange exposures within defined parameters, through use of hedging
instruments such as forward contracts, options and swaps. The company periodically reviews
and audits its risk management initiatives through an independent expert.
(d) Industrial Risk: The company is exposed to labour unrest risk, which may lead to production
slowdown ultimately resulting in plant shutdown.
Labour relations have been excellent throughout the year in spite of a number of unions. It is the result
of such cordial and harmonious relations that not a single man-day has been lost in the last 8
years. The Company believes that labour relations will continue to remain excellent.
(e) Environment Risk: The company is exposed to the risk of Environment and Pollution Controls,
which is associated with such types of industries.
The Company is committed to the conservation of the environment and has adopted the latest
technology for pollution control. The Company is ISO-140001-2004 certified and is adhering
strictly to the emission norms applicable for the industry.
(f) Payment Risk: The company is exposed to the risk of defaults by the customers in payments.
Since major water infrastructure projects are government funded or foreign aided, the risk
involved in payment defaults is minimum. Further, evaluation of the credit worthiness of the
customers has minimized the risk of default by other segment customers. Besides, the risk of
export receivables is covered under Credit Insurance.
Signed/-
(Risk Manager)
3.2 (D)
3.3 (B)
3.4 (C)
3.5 (A)
3.6 (B)
ANSWERS TO CASE STUDY: 4
4.1 Report to Board of Directors
To: The Board of Directors, ABC Co. Ltd.
From: Chief Risk Officer
Date: 15 October 2019
Subject: Analytical Report on Risks Involved
This analytical report covers the reply on the various concerns raised by the Board of Directors.

(a) What is the type of the risk the Company is subject to?
The risk arising from this lapse is ‘Legal Risk’ or ‘Compliance Risk’ as it is resulting from the
failure to comply with statutory or legal requirements.
(b) Impact on Company’s Performance
The various types of impacts on the company’s performance are as follows:
(i) Bringing bad name and reputation for the Company.
(ii) Over or Under Statement of Profit/Loss in the Income Statement of the Company, leading to wrong
decisions by the Company itself and external parties.
(iii) Wrong financial position of the Company in the Balance Sheet.
(iv) Due to wrong calculation of profit company may have paid wrong dividend in previous years.
(v) Wrong computation of Cash Flows of the previous years and consequently leading to wrong
budgeting figures.
(vi) Wrong decision based on wrong budgeted figures.
Signed/-
Chief Risk Officer
4.2 (B)
4.3 (B)
4.4 (A)
4.5 (D)
4.6 (C)
ANSWERS TO CASE STUDY: 5
5.1 (a) Key features of RBI guidelines on CDS
• Participants in the CDS market are classified as either users or market makers. User
entities are permitted to buy credit protection (buy CDS contracts) only to hedge their
underlying credit risk on corporate bonds. Such entities are not permitted to hold credit
protection without having eligible underlying as a hedged item. The users cannot buy CDS
for amounts higher than the face value of corporate bonds. This is the most important point
of difference, as there was no such limitation in United States of America prior to 2008, and
hence many Institutional players had taken huge long positions (in CDS) without having any
exposure to reference asset.
• Since the users are envisaged to use the CDS only for hedging their credit risks, assumed
due to their investment in corporate bonds, they shall not, at any point of time, maintain
naked CDS protection i.e. CDS purchase position without having eligible underlying
bonds held by them and for periods longer than the tenor of corporate bonds held by them.
• The eligible entities under user’s category would be Commercial Banks, PDs, NBFCs,
Mutual Funds, Insurance Companies, Housing Finance Companies, Provident Funds, Listed
Corporates, Foreign Institutional Investors (FIIs) and any other institution specifically
permitted by the Reserve Bank of India.
• CDS will be allowed only on listed corporate bonds as reference obligations. However, CDS
can also be written on unlisted but rated bonds of infrastructure companies. This is another
major area of difference between the US markets and RBI guidelines. In United States of
America, the CDS were written on various pass through securities like Mortgage Backed
Security (MBS), Collateralized Debt Obligation (CDO) etc, whereas as per the RBI
guidelines, the CDS are specifically restricted for listed corporate bonds, the obvious reason
being that there is no big market of pass through securities in India as it is in US.
• The credit events specified in the CDS contract may cover: Bankruptcy, Failure to pay,
Repudiation/moratorium, Obligation acceleration, Obligation default, Restructuring approved
under Board for Industrial and Financial Reconstruction (BIFR) and Corporate Debt
Restructuring (CDR) mechanism and corporate bond restructuring.
• Since, CDS are traded mainly over-the-counter (OTC), the contracting parties therefore
have to agree upon the terms and conditions of the CDS individually. In order to facilitate
documentation, and to avoid disputes as to whether a credit event had actually occurred
and how a contract should best be settled, CDS contracting parties (in the international and
US market) generally refer to the International Swaps and Derivatives Association (ISDA)
Master Agreement. In India, the RBI guidelines specifically state that Fixed Income Money
Market and Derivatives Association of India (FIMMDA) shall devise a Master Agreement for
Indian CDS.
• Regarding the Settlement procedures, the RBI Guideline states that the parties to the CDS
transaction shall determine upfront, the procedure and method of settlement
(cash/physical/auction) to be followed in the event of occurrence of a credit event and
document the same in the CDS documentation. However, it further adds that for transactions
involving users, physical settlement is mandatory. For all other transactions, market-makers
have been permitted to opt for any of the three settlement methods (physical, cash and
auction), provided the CDS documentation envisages such settlement.
• Further, the guidelines specifically provide norms for Prevention of mis-selling and market
abuse, wherein it requires protection sellers to ensure that CDS transactions shall be
undertaken only on obtaining from the counterparty, a copy of a resolution passed by their
Board of Directors, authorizing the counterparty to transact in CDS.
• RBI has also incorporated certain reporting requirements in the guidelines which would
require market makers to report their CDS trades with both users and other market makers
on the reporting platform of CDS trade repository within 30 minutes from the deal time. The
users would be required to affirm or reject their trade already reported by the market-maker
by the end of the day. In addition to these reporting requirements the participants are also
required to report to respective regulators (e.g. IRDA for Insurance companies) information
as required by them such as risk positions of the participants vis-à-vis their net worth and
adherence to risk limits, etc.
(b) Difference between Credit Insurance and Credit Default Swaps
CDS contracts have obvious similarities with insurance, because the buyer pays a premium and,
in return, receives a sum of money if an adverse event occurs.
However, there are also many differences, the most important being that an insurance contract
provides an indemnity against the losses actually suffered by the policy holder on an asset in
which it holds an insurable interest. By contrast a CDS provides an equal payout to all holders,
calculated using an agreed, market-wide method. The holder does not need to own the
underlying security and does not even have to suffer a loss from the default event. The CDS can
therefore be used to speculate on debt objects.
The other differences include:
• The seller might in principle not be a regulated entity (though in practice most are banks);
• The seller is not required to maintain reserves to cover the protection sold (this was a
principal cause of AIG's financial distress in 2008; it had insufficient reserves to meet the
"run" of expected payouts caused by the collapse of the housing bubble);

• Insurance requires the buyer to disclose all known risks, while CDSs do not (the CDS seller
can in many cases still determine potential risk, as the debt instrument being "insured" is a
market commodity available for inspection, but in the case of certain instruments like CDOs
made up of "slices" of debt packages, it can be difficult to tell exactly what is being insured);
• Insurers manage risk primarily by setting loss reserves based on the Law of large numbers
and actuarial analysis. Dealers in CDSs manage risk primarily by means of hedging with
other CDS deals and in the underlying bond markets;
• CDS contracts are generally subject to mark-to-market accounting, introducing income
statement and balance sheet volatility while insurance contracts are not;
• To cancel the insurance contract the buyer can typically stop paying premiums, while for
CDS the contract needs to be unwound.
(c) Types of Estimation of Probability of Credit Default
1. Pooling Method: This method relies on the historical data and assumes that past defaults
are a reasonable predictor for future likelihood of losses. Historical Probability Default (PD)
is calculated by taking the ratio of the facilities that have defaulted to the total facilities that
existed in the concerned time frame, usually a year. In this method, the facilities are divided
into different categories/pools based on their risk drivers.
2. Statistical Method: Data on characteristics of retail obligors and corporate obligors can be
used to estimate their respective probability of defaults. Various statistical techniques can
be employed on the data to estimate PD for defined time horizons. The statistical model
specifies the relationship between the inputs and the outcome – PD. The parameters
determined depend on the data used to develop the model.
One of the most recommended statistical techniques to estimate PD is logistic regression.
This method of regression is applicable when the dependent variable is binary i.e. takes one
of the two available values i.e. default & non default. This variable indicates whether or not
the loan/debt has gone into default over a certain time horizon, usually a year. Some of the
common variable sources used to estimate the PD of a corporate are financial statements,
owner’s data, type of loan, size of loan, and industry of the company. Similarly, for retail
obligors, variable sources could be customer demographics, income statistics, age of loan,
and number of late payments etc.
3. Structural Method: This method is generally applicable for listed corporate entities wherein
structural models are used to calculate the probability of default for a corporate based on
the value of its assets and liabilities. This technique is a sophisticated approach and
requires valuation models to be applied for firm valuation.
Over a period of time, we propose to collate other statistically relevant inputs to explore
possibilities of using statistical method for PD calculation as well as to improve portfolio
quality.
5.2 (A)
5.3 (B)
5.4 (A)
5.5 (D)
5.6 (C)

MTP October 2019 Query Sheet
Case Study 1 (May 18 Question Paper CS-1 descriptive Questions are similar just figures are
different, 5 MCQs are common)

Descriptive Questions:

1.1-Application based question, involving the ratio analysis as studied in Intermediate or IPCC;
Content/Formulae on page 6.31 of ICAI SM.

Multiple Choice Questions:

1.2- Direct answer from page 1.14 of ICAI SM.

1.3- Indirect answer from page 1.20 of ICAI SM and direct from page 9.11 of ICAI SM.

1.4- Common sense question

1.5- Direct answer from page 2.26 of ICAI SM.

1.6- Direct answer from page 6.30 of ICAI SM.

Case Study 2 (Nov 18 Question paper CS-3)


Descriptive Questions:

2.1- Linked to page no. 9.14 of ICAI SM, but conceptual understanding is required for relating with the
case study.

Multiple Choice Questions:

2.2- Refer page no. 5.13 of ICAI SM.

2.3- Refer page no. 5.17 and 5.18 of ICAI SM.

2.4- Direct answer from page no. 5.13 of ICAI SM.

2.5- Common sense question

2.6- Direct answer from page 6.18 of ICAI SM.

Case Study 3
Descriptive Questions:

3.1- The suggested answer contains only 6 risks, most of which are completely different from the
ones given in the ICAI SM. How can we be expected to answer those specific risks, and how many
risks should we aim to identify and write in the answer?

As far as the different types of risks are concerned, it is not a matter of worry – if you are writing some
other types of risks, other than the ones as suggested. It is an issue of justification- whether you are able
to satisfy the examiner as to the presence of the types of risks in the case scenario, that you have written.
And since it is a 15 marks question- attempt should be made to identify 15 risks, which if not possible
then please identify 8 risks to be on a safer side.

Multiple-choice Questions:

3.2- Query- There is a bit of confusion prevailing with regards to the first and last options; Please
clarify.

(page no. 9.11 of ICAI SM) Financial reporting risk arises due to the misstatements of the financials,
while financial risk arises due to the risk of possible financial loss to the organization. Therefore, the
answer is financial risk.

3.3- Direct answer from page 9.19 of ICAI SM.

3.4- Direct answer from page 7.09 and 7.10 of ICAI SM.

3.5- Direct answer from page 9.14 of ICAI SM.

3.6- Direct answer from page 7.01 of ICAI SM (Principal risk facts instead of trivial).

Case Study 4 (Nov 18 Question Paper CS-1, 5 MCQs are common, first 2 descriptive Questions
are same)

Descriptive Questions:

4.1- How can we write such short answers as suggested and still be certain about fetching 15
Marks? Also, we don’t have enough material regarding the impact of Legal risk. How do we
elaborate on that?

The answer suggested by ICAI is, although, very short- but this is what they expect from us- to act and
answer like risk professionals; If we write crisp, to the point answers- proper marks will certainly be
awarded. And for the impact of Legal risk- there is some content on pages 9.11 and 1.20 of the ICAI
SM- but I do agree, it is lesser than what is required to frame the answer as suggested. Again, we need
to think as risk professionals and link our FR and Audit knowledge with the Risk management scenario-
and that is how we can certainly reach near to the quality of answer as suggested. (For more
understanding of linkage of subject Refer concept building batch of Sir)

(Types of Risk and its impact on the Company’s performance)

Multiple Choice Questions:

4.2- Direct answer from page 6.35 of ICAI SM.

4.3- Direct answer from page 9.16 of ICAI SM.

4.4- Direct answer from page 9.03 of ICAI SM.

4.5- Direct answer from page 8.07 of ICAI SM.

4.6- Direct answer from page 7.14 of ICAI SM.

Case Study 5
Descriptive Questions:

5.1- (a)- Are we expected to write all 9 points as mentioned in the ICAI SM and the suggested
answers?

RBI guidelines on CDS are given on page 6.22 of the ICAI SM; Although, writing just 6 points should
suffice, but if you do not have time constraints during your paper- it is always on the safer side to write
all the 9 points.

5.1- (b)- Direct answer from page 6.24 of ICAI SM.

5.1- (c)- Direct answer from page 6.20.

Multiple Choice Questions:

5.2- Direct answer from page 3.11 of ICAI SM.

5.3- Direct answer from page 2.07 of ICAI SM.

5.4- Direct answer from page 1.10 of ICAI SM.

5.5- Direct answer from page 1.09 of ICAI SM.

5.6- Direct answer from page 9.02 of ICAI SM.

DISCLAIMER

This Suggested Answer hosted on the website do not constitute the basis for evaluation of the
student's answers in the examination. The answers are prepared by the Faculty of the Board of
Studies with a view to assist the students in their education. While due care is taken in
preparation of the answers, if any error or omission is noticed, the same may be brought to the
attention of the Director of Board of Studies. The Council of the Institute is not in any way
responsible for the correctness or otherwise of the answers published herein.

Further, in the Elective Papers which are Case Study based, the solutions have been worked
out on the basis of certain assumptions/views derived from the facts given in the question or
language used in the question. It may be possible to work out the solution to the case studies
in a different manner based on the assumptions made or views taken.

© The Institute of Chartered Accountants of India


FINAL (NEW) EXAMINATION: NOVEMBER, 2019

PAPER-6A – RISK MANAGEMENT

The Question paper comprises five case study questions. The candidates are required
to answer any four case study questions out of five.
Answers in respect of Multiple Choice Questions are to be marked on the OMR Answer Sheet
only. Candidates may use calculator.
CASE STUDY: 1
Environmental concerns and various issues relating to availability of oil have made it necessary
for the automobile sector to adopt battery operated/electric technology. ABC Scooters Limited
decided to commence production of battery-operated electric scooters under Startup India
Programme from April, 2019. The said company is a two-wheeler manufacturing company in
Maharashtra. It was formed in the year 1997. It was manufacturing and selling 125-cc gearless
scooters. The project technical manager of the company studied the feasibility of the project
and noted the following:
• The battery-operated electric scooter falls under the category of Battery Electric Vehicle
(BEV). It will get the power to run from battery packs. It will not have an internal combustion
engine or a fuel tank.
• It has a choice to use either of the two types of batteries (i) nickel metal hydride (NiMH) (ii)
Lithium-ion (Li-ion)
• The usage of Li-ion batteries has become the industry standard and is preferred over NiMH
batteries.
• The vehicle can be fitted with an in-built wireless connectivity, GPS navigator, digital
console and mobile charger.
• Data such as the speed of the vehicle, mileage, time taken to charge, the condition of the
battery and health of the engine could be collected and shared with the central server
through an application installed in the user's mobile. Such data would be automatically
analyzed by software in the company's server, which in turn would give automated
response to the users on various parameters.
• The mobile application would also provide the user information about the availability of
nearby charging station, facility to reserve the time for charging and to make online
payment.
• Standard charges can be used for charging the vehicles. A charge for four hours would
make the vehicle run for 150 kms. at an average speed of 30 kms. per hour.
• Charging Stations to be established in petrol pumps on trial basis.
Suitable modifications were done to the manufacturing facility and trial production
commenced in January, 2019.


The risk management consultant engaged to explore the various risk aspects of the
proposal made the following observations:
• The estimated project cost of manufacturing NiMH Batteries (Project A) and Li-ion Batteries
(Project B) is ` 30 Lakhs and ` 34 Lakhs respectively.
• During the trial run of 50 vehicles for 100 kms. at an average speed of 30 kms. per hour,
five vehicles broke down due to battery failure.
• Based on projections made, the worst-case and best-case scenarios were analyzed using
statistical tools. There are no precedents available to compare the results projected in the
scenarios.
• The company can export the vehicles to neighboring countries. Thus, forward exchange
contract with bank could be entered. The estimated US Dollar rate on 30th April, 2019 was
` 69.50 per dollar and it was expected that the rupee would weaken by 2% at the end of 3
months.
• The consultant stressed to the management that the risk management should be a
continuous and developing process which runs throughout the company and improvements
are to be made proactively in the areas of: Strategy, dynamically adopted Tactics,
achieving Operational Objectives and Compliances.
• The consultant elaborated on counter measures such as, periodic inspections of the supply
chain mechanisms (SCM) and periodic staff training. The same to consider measures to
be taken in case of shortage of availability of raw materials, skilled man-power and
reduction in sales. There would be a disruption in company's SCM but that would not
impact the ERM process and there is a 10% probability that the project would not be
successful.
You are required to answer the following questions:
Multiple Choice Questions
Choose the most appropriate answer from the answer options.
(1.1) During second trial run of another 50 vehicles with the same conditions as that of the first
trial run, it was found that three vehicles broke down due to battery failure. The combined
probability of vehicle break-down due to battery failure is:
(A) 0.006
(B) 0.080
(C) 0.160
(D) 0.06
(1.2) Forward exchange contract was entered into on 30th April 2019 with the bank for USD
10,000 for 3 months with its expected figure. The actual USD Rate on expiry of contract
was ` 71/-. The company has:

(A) Earned a profit of ` 1,390/-
(B) Incurred a loss of ` 1,100/-
(C) Incurred a loss of ` 1,500/-
(D) Earned a profit of ` 1,420/-
(1.3) Which one of the following would MOST likely be called a systemic risk?
(A) Failure of the outsourced person to supply the raw materials on time.
(B) Risk of skilled employees leaving the employment of the organization en masse and
joining the company of a competitor.
(C) Break down of machinery.
(D) Risk of disruption in the functioning of the entire industry.
(1.4) From your point of view, which of the following arguments is correct with respect to the
consultant's opinion on SCM?
(A) Consultant is wrong as it increases speculative risks.
(B) Consultant is right as it minimises the project risk.
(C) Consultant is wrong as it has an effect on ERM process.
(D) Consultant is right as it does not have an impact on human resource risk.
(1.5) The company's method of analyzing the stress scenario would chiefly be generated from:
(A) Events that will cause movements in the relative risk factors.
(B) Events that will have adverse risk factor movements.
(C) Events that will lead to control failures and exposures.
(D) Events that will have the attention of the board of directors.
(5 x 2 Marks = 10 Marks)
Descriptive Questions

(1.6) Discuss the methodology that you would suggest for analyzing the data on vehicular
movement. (6 Marks)
(1.7) Net present value and probability distribution for Project A and Project B:
| Project A: NPV estimates (`) | Project A: Probability | Project B: NPV estimates (`) | Project B: Probability |
|---|---|---|---|
| 12,00,000 | 0.10 | 12,00,000 | 0.40 |
| 11,00,000 | 0.20 | 11,00,000 | 0.30 |
| 9,00,000 | 0.30 | 9,00,000 | 0.20 |
| 7,50,000 | 0.40 | 7,50,000 | 0.10 |
| Total | 1.00 | Total | 1.00 |
(i) Compute the expected net present values of projects A and B.
(ii) Compute the profitability index (PI) of each project and suggest which Project can be
undertaken. (5 Marks)
(1.8) Briefly explain the areas of improvements suggested by the consultant with reference to
the operations of the company. (4 Marks)
Answer
Multiple Choice Questions
1.1 (A)
1.2 (B)
1.3 (D)
1.4 (C)
1.5 (A)
Descriptive Questions

1.6 The data on vehicular movement is available to the company and the same creates
probabilities for near real-time analysis.
Machine learning which is a standard software code is characterized by explicit rules that
a computer is supposed to perform.
Deep learning and reinforced learning are good examples of newly developed machine
learning techniques.
Machine learning techniques can be divided into two primary groups; 1) Supervised
Learning and 2) Unsupervised Learning
For the company to process and analyse the data from the vehicles, the method of
Unsupervised Machine Learning is suggested for the following reasons:
• As the data obtained from the vehicle is huge, statistical methods that aim to delve
into the challenging realm of data that has no dependent or response variable i.e.
there is no variable that supervises the behaviour of the algorithm.
• The primary aim of this kind of analysis is to understand the relationships between
the variables or between the observations.
• The algorithms behind the unsupervised learning allow the computer systems to
process more complex processing tasks than the supervised learning method.

• As the data obtained are clustered into various groups by the unsupervised learning
method, the reporting part is made easy.
1.7 Calculation of NPV and Profitability Index
(i) Expected NPV of the Projects:
Project A
= ` 12,00,000 x 0.10 + ` 11,00,000 x 0.20 + ` 9,00,000 x 0.30 + ` 7,50,000 x 0.40
= ` 1,20,000 + ` 2,20,000 + ` 2,70,000 + ` 3,00,000
= ` 9,10,000
Project B
= ` 12,00,000 x 0.40 + ` 11,00,000 x 0.30 + ` 9,00,000 x 0.20 + ` 7,50,000 x 0.10
= ` 4,80,000 + ` 3,30,000 + ` 1,80,000 + ` 75,000
= ` 10,65,000 or ` 10.65 Lakh
(ii) Computation of Profitability Index (PI)
Project A
PV of Cash Inflows = ` 30,00,000 + ` 9,10,000 = ` 39,10,000 or ` 39.10 Lakh
PI (A) = ` 39.10 Lakh / ` 30.00 Lakh = 1.3033
Project B
PV of Cash Inflows = ` 34,00,000 + ` 10,65,000 = ` 44,65,000 or ` 44.65 Lakh
PI (B) = ` 44.65 Lakh / ` 34.00 Lakh = 1.3132

Decision: Since NPV as well as PI of Project B is more, the same project should be
chosen.
1.8 The areas of improvement suggested by consultants with reference to the operation of
company are:
Strategy: Strategic decisions are mostly long term and taken by the top management,
such as, to become the market leader in the e-scooter category. As the company is
venturing into new realms, periodical risk assessment is to be done exploring the
possibilities of different strategic options, analyse them and adopting the best strategic
decisions.
Dynamically adopting tactics: Tactical decisions are mostly taken by the middle level of
management. In order to achieve the strategic decision of achieving the goal to become
the market leader, many tactical decisions, such as, expanding the business to new areas,
introducing new products and services are to be taken periodically.
Achieving operational objectives: Any disruption to the operations would cause
inconvenience to the company in achieving the various targets, reduction in profits etc.,
The company has to identify such disruptions and bottlenecks well in advance and take
proactive actions to reduce the likelihood of such events occurring and therefore limit the
damages, such as, ensuring continuous supply of raw materials to the production unit
which in turn would ensure smooth production.
Compliances with various regulatory mechanisms: Of late, significant changes are
made in various regulatory authorities in the country. Much time and cost could be saved
in ensuring the timely compliances, such as, timely filing of various returns, payment of
taxes, adherence to the rules and regulations etc.
CASE STUDY: 2
M/s. Modern Realty Developers is a partnership concern situated in Chennai. The current project
of the firm is construction of 20 luxury apartments in the outskirts of Chennai. Each apartment
is identical and the ultimate selling price of each apartment is ` 2.50 crores. The project had
commenced in April, 2018 and the project is scheduled to be completed in
September, 2019. Two apartments remained un-booked. A term loan was taken for ` 12 crores
in April 2018 with no moratorium period.
Key figures:

| Item | Projected | Actual |
|---|---|---|
| Project Completion | 60% | 45% |
| Collections from Customers | ` 27 Crores | ` 25 Crores |
| Term Loan payable to bank | 12 installments | 10 installments |
| Payments outstanding towards supply of materials | ` 2 Crores | ` 3 Crores |
| Salaries and Wages payable | Nil | 25 lakhs |
| Outstanding statutory payments | Nil | 50 Lakhs |

Other issues faced:
• Workers hired were not adequately skilled.
• Scarcity of the Raw Material-river sand. Compelled to use substitute- M-Sand.
• Increase in price of construction materials by 10% over the estimated price.
• Acute water scarcity in Chennai.
• Accidents occurred. Workers and the site supervisors did not follow the safety regulations.

The construction industry today favours low cost housing aimed at the middle-class section of
people. This is due to the availability of concessions in the form of reduced interest rates,
interest subsidy and tax benefits. The workers at the construction site faced dust and pollution
problems. The neighbours around the site were complaining about the increasing dust levels.
It was suggested that the workers use protective face masks and spray water to the buildings
under construction. Data variables about the (i) dust control measures and (ii) dust levels were
collected and correlation between the above two variables was calculated for further analysis.
When preparing the cement mortar, it was decided to use 1 part of cement and 6 parts of sand.
Drawing samples from 20 places, where cement mortar was applied, it was found that at 3
places such ratio was not maintained. The management contemplated to provide training in (i)
handling the equipment, (ii) work culture, (iii) safety programs.
Funds were earmarked for payment of income-tax. The same was utilized to purchase cement
and bricks. Hence the payment of income-tax could not be made on the due date.
The firm received a notice from the bank asking for repayment of the outstanding dues
immediately failing which, the bank would take precautionary steps to make the firm to prepay
the loan.
Answer the following:
Multiple Choice Questions
Choose the most appropriate from the answer options:
(2.1) Instance of non-payment of income-tax on the due date would most likely show:
(A) Risk appetite is lower than the risk capacity.
(B) The firm has taken an internal risk.
(C) The firm has considered it as a residual risk.
(D) Risk appetite is higher than the risk capacity.
(2.2) Which of the following is MOST likely the reason that prompted the bank to issue such a
notice?
(A) The bank felt that it is facing Exposure Risk.
(B) The bank felt that it is facing Default Risk.
(C) The bank felt that it is facing Recovery Risk.
(D) The bank felt that it is facing Guarantee Risk.
(2.3) The proposed action of the management to provide training and safety programs would
fall under:
(A) Risk Alternatives.

(B) Insurance Alternatives.
(C) Operational Alternatives.
(D) Strategic Alternatives.
(2.4) What extra information is required to calculate the covariance discussed in the scenario?
(A) Correlation Coefficient.
(B) Sample Means.
(C) Standard Deviation.
(D) Conditional Probability.
(2.5) If the tolerable limit for exception was 6% in the case of cement mortar sampling, the
most likely conclusion would be:
(A) the control risk is high.
(B) the detection risk is high.
(C) the control risk is low.
(D) the detection risk is low. (5 x 2 Marks = 10 Marks)
Descriptive Questions
(2.6) Briefly explain the types of risks faced by the firm. (6 Marks)
(2.7) Prepare a sample risk register on dust and pollution risk faced in the activities of the firm.
(5 Marks)
(2.8) Briefly explain the benefits of ‘Improved risk measurement and Management’ to the
management. (4 Marks)
Answer
Multiple Choice Questions
2.1 (D)
2.2 (A)
2.3 (B)
2.4 (C)
2.5 (A)
2.6 The types of risk that can be faced by the firm are as follows:
(i) Market Risk: The firm is facing Market Risk due to adverse change in raw material
cost and scarcity of water. There is lull in the demand for big housing projects as most
of the middle-class households are moving towards low cost housing. Hence the firm
could not sell/ book the two apartments.

(ii) Operational Risk: Risk of loss resulting from failure of people employed in the
organization as workers are not adequately trained and accidents are occurring at the
site. In addition to this workers and supervisors are not following safety instructions.
The inefficiency of the workers resulted in wastage of material and caused delay. The
substitute for natural sand might result in poor finishing and less mortar bonding.
Water scarcity forced the firm to pay extra money for the construction.
(iii) Compliance Risk: As payment of Income Tax was not made on time, the firm might
face action from the Income Tax Department.
(iv) Strategic Risk: Since the current and prospective impact on earning is adverse.
(v) Financial Risk: The risks in connection with the cash flows and the pressure given
by the bank in its notice for the repayment of the loan.
(vi) Credit Risk: The inability of the firm to repay the outstanding dues to the bank.
(vii) Liquidity Risk: The act of paying for the purchase of bricks and cement from out of
the funds earmarked for the payment of Income Tax shows the firm is facing the
same.
(viii) Reputation Risk: As the project is getting delayed, the firm is subject to reputation
risk.
(ix) Legal Risk: The persons who have booked the apartments may sue the firm or ask
for compensation for the delay in completion.
(x) Safety Risk: The workers are not following the safety standards.
(xi) Environment Risk: The increased dust and pollution cause environmental risks.
2.7 Sample Risk Register on dust and pollution risk faced by the firm
| Risk | Dust and Pollution Risk. |
|---|---|
| Causes | Usage of electric drills, hammers, cement & sand mixing etc. |
| Consequences | Workers health affected, complaints from neighbours, regulatory authorities imposing fines etc. |
| Ownership | Owned by the site supervisors. |
| Inherent risk score | Seven out of ten. This is calculated before implementing controls towards containing the dust and pollution. |
| Controls | Provide safety masks, helmets, boots, hand gloves to workers. Sprinkle water periodically so that the minute waste does not fly. |
| Residual risk score | Four out of ten. After implementing the controls, residual risk stands at this level. |
| Process | Processes to control the dust are implemented. |
| Action for further mitigation | To explore and study measures adopted by the other industry players. To educate and train the workers. |
| Action owner | Site Manager. |
| Due Date | Within three months. |
2.8 The Risk Management Payoff Model of Epstein and Rejc, 2005, demonstrates how
improved risk measurement and management provides benefits throughout the
organization. Benefits extend to:
1. Enhanced working environment
Safety measures are to be addressed by giving training which in turn would increase
the performance of the workers.
2. Improved allocation of resources to the risks that really matter
Key risk areas identified and resources are allocated.
3. Sustained or improved corporate reputation
By completing the project on time would increase the credibility of the firm.
4. Other gains, all of which lead to prevention of loss, better performance and
profitability, and increased shareholder value.
By following better project management, the firm can reduce the wasteful expenditure
and thereby achieving improved profitability.
CASE STUDY: 3
Ms. Rita is running a shopping mall RUBIK for the past six years. Sales for the year ended 31st
March, 2019 was ` 10 Crores. In January 2019, a new branded shopping mall was started and
from the said month there was a decline of 10% in sales of RUBIK.
Ms. Rita started studying the various aspects of risk management which are applicable and also
capable of being applied to her business.
Ms. Rita started building the spending profiles of the customers based on their pin-codes.
The user ID of an employee who was dismissed last year was not deleted. The employee
accessed the computer system remotely and transferred an amount of 5 lakhs to his bank
account from Ms. Rita's bank account. Only on the next day of the transaction, Ms. Rita was
able to find it out who then deleted the ex-employee's ID, besides changing the password of her
bank account. She lodged a complaint to the cyber-crime cell. It was noticed by her that the
flash floods in the year 2015, which was the worst rainfall in 100 years in Chennai, had caused
extensive damage to the goods in the ground floor. She decided to include the same in the risk
consideration. She is also contemplating to borrow ` 2 Crores as long term loan for 15 years
from the bank for the modernization of the shopping mall. She is nervous on taking on the burden
of such a huge loan amount. Due to sudden power spike, the computer server crashed resulting
in 15-day data loss. Hence, Ms. Rita proposes to outsource the back-up services to a service
provider situated in Hyderabad, besides installing a back-up server at the office.
Ms. Rita is estimating the sales of various products. She came out with the following:
• She is forecasting the sales performance for the FY 2019-2020 conditional on the market
state of the country in which her business is based. She divides the market's
performance into three categories of good, neutral and poor and the sales performance
into three categories of increase, constant and decrease. The estimates are:
• Probability that the market state is good is 45%. In this state, probability for increase in
sales is 70% and probability for decrease in sales is 15%.
• Probability that the market state is neutral is 30%. In this state, probability for increase in
sales is 50% and probability for decrease in sales is 30%.
• If the market state is poor, probability of increase in sales is 25% and probability of
decrease in sales is 60%.
You are requested to help Ms. Rita by answering the following:
Multiple Choice Questions
Choose the most appropriate answer from the answer options.
(3.1) The bank transfer of ` 5 lakhs could have been avoided if there was a strong:
(A) Segregation of duties control
(B) Data encryption
(C) User access management
(D) Firewall mechanism
(3.2) The samples are drawn out from the profiles of the customers for further analysis. Such
an act of drawing the sample is known as:
(A) Stratified sampling method.
(B) Purposive sampling method.
(C) Systematic sampling method.
(D) Clustered sampling method.
(3.3) In the decision to include the damages due to flash floods in risk consideration, which of
the following MOST likely should be given importance?
(A) Strategic Plan.
(B) Contingency Plan.

(C) Operational Plan.
(D) Tactical Plan.
(3.4) Which of the following would LEAST likely enable the identification of new risks?
(A) Periodically running some trend analysis reports to analyse incidents.
(B) Conducting root cause analysis.
(C) Using benchmarking techniques for comparing the risks with competitors.
(D) Recording incidents in a register.
(3.5) The proposal to engage the service provider at Hyderabad is an example of:
(A) Risk avoidance.
(B) Risk mitigation.
(C) Risk transfer.
(D) Risk acceptance. (5 x 2 Marks = 10 Marks)
Descriptive Questions on CASE STUDY:
(3.6) Calculate the probability assuming the market state is neutral as the sales performance is
more or less constant. (6 Marks)
(3.7) List the various Risk Maturity Levels and their Key Characteristics. (5 Marks)
(3.8) Briefly explain the economic risks that could be faced by Ms. Rita. (4 Marks)
Answer
3.1 (C)
3.2 (A) or (D)
3.3 (B)
3.4 (C)
3.5 (B)
3.6 Calculation of Probability
Using Bayes Theorem:
P (Neutral | Constant) = P (Constant | Neutral) × P (Neutral) / P (Constant)
= (0.30 × 0.20) / (0.45 × 0.15 + 0.30 × 0.20 + 0.25 × 0.15)
= 0.06 / (0.0675 + 0.06 + 0.0375)
= 0.3636 i.e. 36.36%
3.7 The table given below shows the levels of risk maturity. Key Characteristics at Different
Levels of Risk Maturity: -
| Risk Maturity | Key Characteristics |
|---|---|
| Risk Naive | No formal approach developed for risk management. |
| Risk Aware | Scattered silo based approach to risk management. Risks identified within functions and not across processes. Also risks not communicated across enterprise. |
| Risk Defined | Strategy and policy in place and communicated. Risk appetite defined. |
| Risk Managed | Enterprise wide approach to risk management developed and communicated. Risk register in place. |
| Risk Enabled | Risk management and internal control fully embedded into operations. Organization in readiness to convert market uncertainties into opportunities. |
3.8 The various economic risks that could be faced by Ms. Rita are as follows:
(i) The competitor opening a shopping mall nearby reduced the sales of the concern.
(ii) Lower income received as the sales are declining.
(iii) Increased cost of operations due to outsourcing back-up services to a service
provider situated in Hyderabad.
(iv) Increased interest burden of loan services of Rs. 2 crores proposed to be taken for
modernisation of Mall.
(v) Lack of capital for modernisation of the shopping mall has necessitated to obtain loan
from the bank which would result in payment of interest to the bank.
(vi) Liquidity crunch would have a bearing on operational expenses.
CASE STUDY: 4
A company in the financial services sector has been fined by the Regulator for various breaches
of relevant regulations owing to which they suffered Reputation Loss and Credibility among
customers and the public. There is a possibility that some of the Directors and Officers may be
penalised and could be sued by the shareholders for losses suffered and wrongs committed.
The Board and the Top Management of the company were quite worried about this turn of events
as breach of Corporate Governance norms and non-compliance of laws and regulations were
not expected to happen in the company.

You have been appointed as the new Chief Risk Officer to review and ensure best practices
in Corporate Governance particularly in the areas of compliance, disclosures, consumer
protection, management of frauds and financial crime and ethical conduct in the organisation. It
is a well understood fact that in the financial services sector, Regulators are active and
regulatory risk is one of the major risks faced by companies in this sector. You are also aware
that there have been many scandals and collapses in the financial sector world-wide and you
share the concern of the Board that it is important to set benchmarks for governance in the
company.
Keeping in mind that disclosures are information that is meant for shareholders, consumers who
have bought products from the company and for other stakeholders such as employees, agents,
other intermediaries and those in the ecosystem of the company, you are asked to reshape the
disclosure policy of the company in tune with regulations and best practices.
Consumer protection is increasingly being focused on by Regulators. Consumer Forums, Courts
and other bodies raise their voices against customer service deficiencies and penalise
companies. They are shamed when such information is circulated in the media. The CRO is
asked to ensure that conduct risk is better managed by a cultural change in the organisation.
Fraud and financial crime are on the rise and these can be happening with the connivance of or
wholly by employees and even at senior management levels. Cyber-crimes, frauds and losses
are becoming common place and there is a need to ensure that systems are security proofed
and employees are made aware of the risks. This can be further risk proofed by raising the
ethical standards and putting in place necessary controls to ensure that the conduct of everyone
in the institution is ethical and upright.
You have been asked to advise the Board and draft suitable policies for upgrading corporate
governance practices and risk management. To bring about cultural change in areas that is
dependent on management and employee conduct. To create a culture that is customer oriented
and strongly against violations of regulations. To discourage opaque practices that give rise to
arbitrary decisions at operational levels as these work against customers, reputation and bottom
line of the company.
Based on such a background and considering the OECD guidelines on corporate Governance,
please answer the following questions.
Multiple Choice Questions
Choose the most appropriate answer from the following
(4.1) Corporate Governance risk is intended to identify deficiencies that can damage the
following important existential aspects of the company.
Point out the wrong answer.
(A) Reputation.
(B) Existence.

(C) Sales growth.
(D) Continuity.
(4.2) A holistic risk management framework would empower the Board to:
Point out the wrong answer.
(A) Identify top threats to the entity and asset protection measures.
(B) Link risks to more efficient capital allocations and business strategy.
(C) Develop a common language in the organisation for problem solving.
(D) Look back strategy made to ensure that best practices are continued.
(4.3) Stress Tests are important for Banks and are an important aspect for Board/Corporate
Governance oversight. Choose the right reason for conducting Stress Tests from the
options given below:
(A) To deal with natural and manmade asset and disaster risks.
(B) To manage optimally business and portfolio downside movement.
(C) To manage political and country risks.
(D) To prevent fraud risks, malpractices and financial crimes.
(4.4) Credit risk mitigation in Banks is a key concern of the Board. It can include the following
except one. Point out which answer is inappropriate.
(A) Norms of lending are tightened.
(B) Credit insurance.
(C) Making Covenants with the borrowers.
(D) Verification of assets.
(4.5) Normally every Board of a company should have a Risk Committee. Among other things
the following are the duties of this Committee except one, which?
(A) Risk Committee discusses every matter in the agenda of the Board prior to the Board
Meeting.
(B) Is required to review and approve the company's risk policies at least annually.
(C) Discusses all the risk strategies on both aggregate basis and by risk type.
(D) Oversees that management puts in place robust processes to ensure adherence to
the risk policies approved by the Board. (5 x 2 Marks = 10 Marks)
Descriptive Questions
(4.6) Explain Corporate Governance referring to OECD guidelines and explain how the Board
can shield against Corporate Governance Risks. (5 Marks)

PAPER – 6A: RISK MANAGEMENT 17

(4.7) What is the type of risk management that is to be initiated by the Board/Management so
as to prevent frauds and financial crimes? (5 Marks)
(4.8) How can Credit Risk Management be upgraded to ensure that risk of default is kept to the
minimum. (5 Marks)
Answer
Multiple Choice Questions
4.1 (C)
4.2 (D)
4.3 (B)
4.4 (D)
4.5 (A)
4.6 There are many areas of risk that a company may face relating to governance risks. The
absence of an effective corporate governance framework and properly documented
governance policies can create serious risks. There has to be equitable treatment of
shareholders, and the role of stakeholders has to be defined, communicated and
monitored, to prevent risks in these areas.
There are disclosure and transparency norms and if they are not articulated, considerable
risks arise. The various responsibilities of the Board cannot be left undefined, nor
undocumented or not reviewed. If the Board has not defined risk capacity, appetite and
risk response strategies, and initiated a proper enterprise risk management policy and
approach to risks, there can arise risks for governance.
The Board cannot be ignorant of the risks facing the company. Risk managers should be
independent and should not be implementing strategy. The Risk management function and the
CRO should report directly to the Board. The Board should ensure that risk management
and oversight practices do not face challenges and that all stakeholder concerns are
met. Boards need to look at the long term; many risks will arise if the focus is on the short
term. They need to disclose the process of risk management and the results of risk
assessments. They should ensure that whistle-blower matters are attended, and shield the
company against negative media reports, shareholder activism, unauthorised related party
transactions, disputes among promoter/owners and other shareholders.
An independent assessment of risk governance framework has to be initiated so that there
is an improving risk management capability for the company. The risk management
framework (RMF) should define a policy statement on matters such as determining when
to review the RMF and the frequency for undertaking the review, and deciding who is

responsible for the review. This may be done by the Audit Committee or a team of Directors
or with external facilitation and selecting the scope and review. The results have to be sent
to the various layers of the company and risk management tightened and enhanced.
4.7 Fraud risk is an inherent risk which arises from the opportunities to make an unlawful gain
by an internal employee or an external person or entity by exploiting the gaps in the
processes of the organisation. Fraud risk in financial reporting also has assumed
importance. The COSO framework has been enhanced to ensure highest degree of
accuracy and completeness in financial statements. Operational control failures such as
those that allow an employee to deliberately tamper with the data can lead to fraud risk
owing to poorly designed reporting of data.
Fraud risk can be reduced by ensuring that there are controls in place, such as proper
verification by the same or another person. There has to be reconciliation of facts and
figures. Equally important is the segregation of duties, which will not allow a person of one
department to carry out the entire transaction on his own. There is also the need for
physical controls such as safekeeping of money, documents and legal agreements in safe
vaults etc. Use of two keys may be required when dealing with high amounts of cash or
high value documents. There have to be supervisory controls, exception triggers and proper
authorisation and approval. There have to be proper preventive controls, detective controls,
manual controls and automated controls.
The Board has to see that the Internal Audit Function has carried out their management
function in ensuring that internal controls and other defences are in place so that the
chances of fraud and financial crimes are minimised and there is a tightening based on
reviews.
4.8 The first step is to identify credit risks and hence there is a need to study the borrower’s profile
to understand the borrower’s financial stability, regularity in payments, possibility of default
risk, the source of income etc.
Credit risk has to be mitigated through means such as funded and non-funded risk
mitigation. Funded credit is when the bank has recourse to cash or assets of the buyers.
Funded credit mitigation methods include On Balance Sheet Netting of mutual
claims/reciprocal cash balances between the bank and counterparty. Another method is the
collateral method, whereby assets or security are retained or deposited with the bank against
the grant of any loan advances, debit or credit lines. These can be in the form of cash, gold,
Corporate Debt Securities etc.
The unfunded credit risk mitigation process involves an unsecured obligation of a third party,
where this entity is more credit worthy than the primary borrower.
BASEL II has provided updated norms for the financial market, which has three main

pillars. The first is more focussed on credit risk. It provides three different ways of
managing credit risks:
1. Standardised approach based on credit rating and risk weight,
2. Internal rating-based approach with a basic foundational and higher-level advanced
approach,
3. Credit risk mitigation steps through CDS and counter party risk approaches as also
through securitisation.
There are other methods to enable proper credit rating:
1. Risk based pricing: Where the risk of default is higher, the interest rate will be
increased.
2. Credit insurance: The lender can transfer the risk to an insurer such as in housing
loans to ensure that the mortgage is secured.
3. Tightening: Lender can tighten the norms for lending.
4. Diversification: By lending to a greater number and kinds of small borrowers to
diversify the lending pool.
5. Covenants: Covenants may be entered into with the borrowers for review, full
payment in case of improvement in debt coverage ratio, audit of business operation
etc.
There can also be qualitative techniques of credit risk management duly implemented by
three levels of approach as under:
a. Transaction risk management
b. Portfolio risk management
c. Policies and processes that keep improving the risk management of all lending
activities.
Financial institutions also attempt to mitigate lending risks by performing credit analysis on
individuals and businesses by a review of the borrower’s five C’s, which are capacity,
capital, character, collateral and conditions.
CASE STUDY: 5
A manufacturing company had a major loss occurring to them in the pure risk category, namely
a flood loss in its premises. The loss caused severe damage to buildings, compound walls, plant
and machinery on the main factory floor and basements as also stock including stock in the
open. Motor vehicles and other mechanised transport were also damaged by entry of water into
their engines. The loss happened in the middle of the monsoon season. The factory was insured
and as the company did not have any claim for the last 10 years the insurance department and

risk management department had become careless and the level of underinsurance was overall
40% in relation to the replacement value of the assets.
The claim process was slow and tedious as the company did not have any knowledge of claim
processes and the kind of papers and documents that were needed to be submitted to prove
the various kinds of losses and how to make the estimates to compute the amount to be claimed.
It had to depend on the insurance company's agent and surveyor to help them to see that they
complied with the obligations that have to be met when losses occur such as informing the civil
and police authorities of the loss; and in saving damaged materials from further loss and
segregating them; in measuring the physical dimensions of the loss and estimating the cost of
repairs and reconstruction; in producing the account books showing the value of assets and
stocks lost etc.
There had to be many visits by the surveyor and many rounds of negotiations for the claim to
process and the company did not get the claim for a long period.
The company also found that the expected loss reimbursement or indemnity, as is technically
known in insurance terminology, did not get allowed as the policies taken had terms which made
deduction of depreciation necessary and also because all assets were not insured at full value
and hence underinsurance applied. This caused not only considerable delay in the formalities
of the claim, but also the amount assessed was below the expectations of those who took the
decisions relating to insurance as their knowledge was incomplete and the advice. The
concerned department could not explain under what risk management policy and practices of
the company they had taken decisions which made the company ineffective in getting indemnity
to the extent they could have got, and that also through a speedier settlement.
In view of the delay in the settlement of the claim the company faced a financial struggle to get
the factory back to normalcy during which the company made losses and its interest cost rose
very high. It had to lay off workers owing to which the employee morale was hit. As production
could not be resumed early enough, the loyalty of stockists and customers began to fall. In view
of all this, the insurance and risk management departments were asked to review its risk
management policies and practices with regard to pure or insurable risks. The final decisions
included steps such as to insure the factory on reinstatement value, to ensure review of the sum
insured every year, to take on add on covers for debris removal and the like.
The company appointed a new Insurance Officer, with additional duties to assist the Risk
Management Department in the management of pure risks. He researched and found that
insurance is essential in areas such as property protection, loss of earnings, liability insurance
for the firm, its Directors and other employees. Protection of employee lives and health was
becoming a norm in organised industries. Health Insurance had become necessary as an
employee benefit. The Board of Directors were concerned about the emerging risks that faced
the Directors on the Board and the Officers of the company for wrongful actions and the need

to have a well-designed Directors and Officers Liability insurance cover; as also insurance for
product liability and any other liabilities that can arise, because liability claims can be very large
and may lie hidden for many years. Increasingly, authorities are directly slapping criminal and
civil cases against the company when loss of lives takes place, and where products are concerned,
especially those exported to foreign countries, product liability insurance has become almost a
compulsory requirement.
In examining existing insurance practices, many poor practices were identified. For instance,
the concerned departments were not reporting many low-level losses which were claimable
to the insurance department, and hence many claims which were of lower amounts but
were claimable were found to be unrecovered. Hence reporting processes had to be reworked
and made known across the organisation. Similarly, loss prevention in tune with insurance
requirements was not properly carried out and, in the process, there were possibilities that an
insurance claim, if one arose, could have been turned down or paid at a lower amount on account
of breach of conditions and warranties in the policy.
There were still questions to be examined relating to risks in the context of insurance
and risks which cannot be insured. You are asked to look at some of these questions.
Multiple Choice Questions
Choose the correct answer to the following questions.
(5.1) Insurable risks are most likely to arise from which of the following categorisation of risks.
(A) Hazard Risks.
(B) Control Risks.
(C) Opportunity Risks.
(D) None of the above.
(5.2) In Annual Reports it is necessary to have a section on Management Discussion and
Analysis. One of the following is not necessary to be discussed in the above section.
(A) Opportunities and Threats.
(B) Risk and concerns.
(C) Details of managing insurance risks.
(D) Internal Control systems and their adequacy.
(5.3) Credit risk is insurable and has various components as per list seen below except one -
point out the exception.
(A) Recovery Risk.
(B) Collateral Risk.

(C) Exposure Risk.


(D) Rejection risk.
(5.4) The purpose of risk evaluation is to do the following, one of which is not essential. Which?
(A) Identify probabilities of failures and threats.
(B) Calculate the exposure i.e. possible damage or loss.
(C) Make control recommendations keeping cost-benefit analysis in mind.
(D) Get consensus from all concerned.
(5.5) Certain risks are called pure risks. In this kind of risk, either a loss occurs or no loss
occurs. There is no scope for gain. Which of the following is not a pure risk?
(A) Early Death.
(B) Physical damage.
(C) Loss in the share market.
(D) Liability for damages due to negligence/wrong doing. (5 x 2 Marks = 10 Marks)
(5.6) Define what a pure risk is and distinguish it from other types of risks. Explain why insurance
coverage for pure risk is important. (4 Marks)
(5.7) Why is operational risk management important for the management of a company to avoid
losses, whether insurable or not? (4 Marks)
(5.8) What is the role and responsibility of the Risk Manager? What are the objectives and
process of risk management to prevent losses? (7 Marks)
Answer
Multiple Choice Questions
5.1 (A)
5.2 (C)
5.3 (D)
5.4 (D)
5.5 (C)
5.6 Pure Risk
Pure Risks are associated with uncertainties which may cause loss. In a pure risk situation,
a loss occurs or no loss occurs – there is no possibility for gain. These uncertainties may
be due to perils such as fire, floods, etc. or may arise from human action such as theft,
accident etc.

Distinguish Pure Risk from other risks


There are certain risk events that can only result in negative outcomes such as fire
accidents or leakage of harmful chemicals from a manufacturing plant. These risks are
hazard risks or pure risks, and these may be thought of as operational or insurable risks.
A good example of a hazard risk faced by many organizations is that of theft. There are
different types of pure risks:
• Personal risks - It includes early death, sudden accident and disability,
unemployment, etc.
• Property risks - reduction in value of assets due to physical damage, fire, theft, etc.
• Liability Risks - the risk of legal liability for damages accruing to customer, suppliers,
vendors, etc. Such risks are also connected with compensation payable to employees
for injuries and other harm afflicted in the workplace.
Importance of insurance coverage for pure risks
There are risks which are not insurable even though there may be no gain in them. These
include:
Fundamental Risks, which are impersonal in nature, are present in nature and the
economy and have pervasive effects. These include war, inflation, mass unemployment
etc. Generally, these are not insurable and it is left to the government to deal with the effect
of these events.
Dynamic Risks are risks which arise due to changes in the economy like fluctuations in
price levels, consumer preferences, shift in technology etc. These are again not considered
insurable as they are less predictable and pervasive.
However, Particular Risks are risks which have their origin in individual events which can
be clearly controlled such as road accidents. These risks are considered insurable subject
to conditions.
Risks are also categorized into hazard risks which is another term for pure risks which are
insurable, while Control risks are pure uncertainty risks and are associated with project
management and these risks are hard to quantify. Finally, there are opportunity risks which
are also called speculative risks. These have opportunity for gain and hence are not
insurable.
5.7 Operational risk management is important for the management of a company for the following
reasons:
(a) The Companies Act 2013 (Sections 134 and 177) lays down clear expectations from
Boards of organisations in assessing the robustness of risk management framework
implemented by the company. Section 134 instructs that Board of Directors should

include a statement on development and implementation of risk management


framework for the company, including identification of risks, which as per Board’s
opinion could threaten the very existence of the company.
Clause (e) of Sub-section 5 of Section 134 explains the meaning of the term ‘internal
financial controls’ as “the policies and procedures adopted by the company for
ensuring the orderly and efficient conduct of its business, including adherence to
company’s policies, the safeguarding of its assets, the prevention and detection of
frauds and errors, the accuracy and completeness of the accounting records, and the
timely preparation of reliable financial information.”
Section 177 instructs that the Audit Committee shall review the risk management
procedures implemented by the management.
Schedule IV instructs that Independent Directors are required to get assurance that
systems of risk management are robust and defensible.
(b) Paragraph 4(c) of the Standard on Auditing (SA) 315 “Identifying and Assessing the
Risks of Material Misstatement Through Understanding the Entity and Its
Environment” defines the term ‘internal control’ as “the process designed,
implemented and maintained by those charged with governance, management and
other personnel to provide reasonable assurance about the achievement of an entity’s
objectives with regard to reliability of financial reporting, effectiveness and efficiency
of operations, safeguarding of assets, and compliance with applicable laws and
regulations. The term “controls” refers to any aspects of one or more of the
components of internal control.”
(c) Clause 49 of the Listing Agreement indicates that disclosures are to be made to the
Board of Directors on risk management, on whether the company has laid down any
procedures to inform Board members about the risk assessment and mitigation
procedures.
(d) The ICAI Guidance Note on Audit of Internal Financial Controls over Financial
Reporting has several sections pertinent to the understanding of operational controls
underlying in the processes;
While the Guidance Note does not explicitly dwell on operational risk per se, the overall
approach and methodologies mentioned in the Note rest on, and derive from an implied
understanding of the auditor’s understanding of operational risks and the mitigating
controls of the organisation; for instance, the auditor is expected to have a thorough
understanding of the automated and manual controls that lie in each of the processes that
have a direct bearing on the financials of the organisation.

5.8 The role of the Risk Manager includes the following tasks:
1. Manage the implementation of all aspects of the risk function, including
implementation of processes, tools and systems to identify, assess, measure,
manage, monitor and report risks.
2. Select the most suited risk identification techniques and approaches.
3. Manage the process for developing risk policies and procedures, risk limits and
approval authorities.
4. Monitor major, critical and minor risk issues.
5. Manage the process for elevating control risks to more senior levels when
appropriate.
6. Management of risk reporting, including reporting to senior management.
7. Prepare high-level user requirements to assist in preparation of Project Initiation
documents.
8. Liaise with Business users to prepare Functional risk specifications. Translate
business requirements and functional needs into business / reporting and system
specifications. Ensure technical specifications meet the stated needs of the business.
9. Generate project management documents.
10. Provide User Training for in-house developed risk management systems.
11. Conduct compliance & risk assessments.
12. Conduct and document audits of risk related compliance to industry standards.
13. Define & develop risk policies, procedures, processes & other documentation as
required.
14. Implement the risk management program and risk strategy. Ensure the risk
management program is effectively integrated into product development and delivery
methodology.
15. Participate in local and global discussions to formulate new or enhance existing risk
management processes, policies and standards.
Objectives of risk management
The first step to defining risk management goals and risk management objectives is to
define the organization's shared vision. Once the shared vision is articulated, overall risk
management goals and objectives must be defined.
While a vision statement is often aspirational, the goals and objectives should ordinarily
describe in simple terms what is to be accomplished. They should be actionable by the
organization. They should be defined in the context of the organization’s business strategy.

Risk Management Process


All risk management processes follow the same basic steps, although sometimes different
descriptions may be used for these steps. Together these 5 risk management
process steps combine to deliver a simple and effective risk management process.
Step 1: Identify the Risk
Uncover, recognize and describe risks that might affect your project or its outcomes. There
are a number of techniques one can use to find business risks. During this step you start
to prepare your Risk Register.
Step 2: Analyse the risk
Once risks are identified, determine the likelihood and consequence of each risk.
Develop an understanding of the nature of the risk and its potential to affect business goals
and objectives. This information is also entered in the Risk Register.
Step 3: Evaluate or Rank the Risk
Evaluate or rank the risk by determining the risk magnitude, which is the combination of
likelihood and consequence. Make decisions about whether the risk is acceptable or
whether it is serious enough to warrant treatment. These risk rankings are also added to
the Risk Register.
Step 4: Treat the Risk
This is also referred to as Risk Response Planning. During this step assess the highest
ranked risks and set out a plan to treat or modify these risks to achieve acceptable risk
levels. Minimize the probability of the negative risks as well as enhancing the opportunities
by creating risk mitigation strategies, preventive plans and contingency plans.
Step 5: Monitor and Review the risk
Review the Risk Register and use it to monitor, track and update risks.

November 2019 Question Paper Query Sheet

Case Study 1
Multiple Choice Questions:

1.1 – Probability based MCQ related to the case study from old chapter 4 of ICAI SM.
1.2 – How is the answer a loss of 1100/-?

FOREX related question. Exchange rate expected after Rupee weakening by 2% is 69.5+2%=70.89 Rs.
Per $. Now 71-70.89=0.11; 0.11*10000= 1100/- loss (Could have received Rs. 710000 but due to the
contracted rate, the received amount is only Rs. 708900.)

1.3 – Slightly related to the thing mentioned on page no. 6.21 under CDS heading; Mainly conceptual
1.4 – Answer related to the last para of the case study- if carefully read; a bit conceptual;
1.5 - Related to the case study; Also, based on conceptual understanding

Descriptive Questions

1.6- Indirect answer from page 9.33 of the ICAI SM. A bit conceptual though, since you need to relate
the data and matter mentioned in the case study with the concepts that you have understood regarding
Machine Learning;

1.7- Manageable practical question from the IPCC chapter concepts. (NPV and Profitability Index)

1.8- Related to the second last para of the case study. Conceptual understanding is required to frame the
answer, but still manageable. You just need to explain thoroughly, what you have written and relate it
with the case study- such that it justifies the point.

Case Study 2 (May 20 MTP CS-3 ,4th MCQ is different)


Multiple Choice Questions:

2.1- Based on conceptual understanding and related to the case study – If the income tax has not been
paid on the due date, then that means that enough finances were not available for the payment of
income-tax. And this can happen only when the risk has been taken more than the capacity to take risks
and this, in turn, will happen only when the appetite to take risks is greater than the risk capacity;

2.2- The options are really confusing; 3 out of the 4 are also looking correct answers; How can we
arrive at the correct answer?

Page 6.3 of ICAI SM- The confusion can arise amongst the exposure, default and recovery options. But
there has been no default on the part of the firm till now, and since there is no default, therefore, there
has been no recovery risk as well. It is just the uncertainty associated with the future ability of the firm
that has made the bank issue the notice- which happens only due to the exposure risk.

2.3- Can you please justify the answer; insurance alternatives?

Training programs are a kind of risk mitigation measure, and insurance is also the same. Rest all the
options are not the risk mitigation measures. So, instead of getting insurance, the firm can go for training
programs so that the risk of failure during the operations reduces – and it’s even a better mitigation
measure than the insurance since insurance acts as a cure in terms of providing for the lost finances
whereas training acts as a preventive measure.

2.4- Related to the concepts of Standard deviation and Covariance. (SD is there in the IPCC Chapter,
but mostly you can find both in SFM Portfolio Management Chapter).

2.5- How is the control risk high in case of the given scenario?

The control risk is high in the case under consideration because, against the prescribed tolerable limit of
6%, there is a mismatch of 15% in the samples. (As clarified by ICAI over mail)

Descriptive Questions:

2.6- Linked to the case study and understanding of the types of risks as given on page 1.19 of ICAI SM.

2.7- How can we prepare the risk register. There is no proforma given in the SM, as such?

Although, there is no proforma given as such – related to the risk register – but there is still the
availability of contents of a risk register, as on page 8.4 of the ICAI SM, and those contents can be
converted to a table and related with the case study to answer this question.

2.8- Direct answer from page 8.8 of ICAI SM.

Case Study 3
Multiple Choice Questions:

3.1- Indirect answer from page 9.19 of ICAI SM.

3.2- Common sense based question, although, not present in the ICAI SM.

3.3- Concept based; Since flood is a type of contingency that no one can foresee, therefore, that is the
answer.

3.4- Concept based but manageable;

3.5- Related to the Risk Mitigation concepts as on page 2.10+2.20 of ICAI SM. But more of a concept
based question.

Descriptive Questions:

3.6- Answer based on formula from old chapter 4 of ICAI SM.

3.7- Direct answer from page no. 8.07 of ICAI SM. (Risk Maturity levels)

3.8- Concept based, related to the case study; Manageable; (Economic Risks)

Case Study 4 (CS-4 MTP May 20)
Multiple Choice Questions:

4.1- The options are really confusing. How the answer is Sales Growth?

Common sense-based question. Sales growth is the primary factor that will drive the existential aspect
of any company; even if a company has a good reputation, is existing and is continuing its business,
if it is not growing its sales quantum, then it would not be able to survive in the future,
and that’s why it is important for the existence;

4.2- Refer page no.3.10 of ICAI SM.

4.3- Based on the conceptual understanding of the stress testing, as given in chapter 5(Refer page no.
5.7 of ICAI SM).

4.4- Refer page 6.12 of ICAI SM.

4.5- Refer page 7.03 and 7.04 of ICAI SM.

Descriptive Questions:

4.6- Answer suggested by ICAI, but it seems like we will never be able to frame such an answer.
What do we do as students?

The concepts of seventh chapter are a mix of theoretical concepts and what is happening in the practical
world regarding the corporate governance. As students, certainly the answer would not match the one
as suggested by ICAI, but still it can be framed from the OECD guidelines as on page 7.20 and the Risk
Management framework as on page 7.06. Also, please keep yourself updated as to what all is happening
in the corporate world- so that points related to whistle blowers and media reports, etc. come to your
mind while writing such answers.

4.7- Manageable answer from page 9.11, 1.21, 9.13 and a bit of the learning from the audit world,
regarding internal control, etc.

4.8- It is not certain as to what the question is asking. How do we write such answers?

The answer is manageable from the content mentioned in 6th chapter of ICAI SM. In such a situation, it
is safer to cover more concepts and write small points about all of them.

Case Study 5 (CS-5 MTP May 20)


Multiple Choice Questions:

5.1- Refer page no. 1.16 of ICAI SM.

5.2- Refer page no.7.11 of ICAI SM.

5.3- Refer page no.6.02 and 6.03 of ICAI SM.

5.4- Refer page no. 2.14 of ICAI SM.

5.5- Basic Conceptual question on Categorization of Risks by Paul Hopkins (Refer page no. 1.16 of
ICAI SM.)

Descriptive Questions:

5.6- Direct answer from page 1.16 and 1.17 of ICAI SM.

5.7- Direct answer from page 9.02 and 9.03 of ICAI SM (write 4 reasonably sized points)

5.8- Direct answer from page 2.30 of ICAI SM. (write 12 small points)

Test Series: May 2020
MOCK TEST PAPER 1
FINAL (NEW) COURSE: GROUP – II
PAPER – 6A: RISK MANAGEMENT
The question Paper comprises five case study questions. The candidates are required to answer any four
case study questions out of five.
CASE STUDY: 1
XYZ Limited is a public limited company incorporated in the year 2003. It has the registered head office in
Bhubaneswar, Odisha. The Company has iron ore mines situated in five places in the State. The main
business of the Company is extraction and sale of iron ore to many iron and steel industries both inside and
outside states.
The Company has decided to diversify its business in trading of shares. Also, the Company is considering
the possibility of setting up a Non-Banking Finance Company. For these purposes, the Company is in the
process of doing feasibility studies.
The following issues were raised by the Risk Manager (a naïve person with no experience) just appointed by the
company.
(i) The purchase order for a script would be authorised by a manager. Further, all the related work from
trading up to settlement and recording shall be under the control of the manager and the team appointed by
him.
(ii) Exploring the possibility of using a machine learning program that dynamically responds to change in data /
situation by changing the rules that govern the behavior, where the algorithm "learns" from new data inputs
and gets better over time.
(iii) Calculation of worst scenario loss in the value of the portfolio in a given period of time for a distribution
of historical returns.
(iv) Infusion of funds by the customers whose identity may not be properly known.
(v) Factors that are to be considered before buying shares of a foreign company.
(vi) While applying for a bank loan for the expansion of the portfolio, the parameters that the bank might
consider while approving such loan to the company.
(vii) The management is interested in a guaranteed return rather than accepting a higher but uncertain return.
(viii) Carrying out analysis of various transactions to study the patterns of investments and ensuring the
veracity of the transactions.
(ix) How to reduce the exposures in financial risks.
(x) How to reduce the exposures in compliance risks.
Descriptive Questions
1.1 Suppose you are appointed as a Risk Management consultant and you are expected to give your
valuable inputs on the above issues raised. (1½ marks for each point =15 Marks)

© The Institute of Chartered Accountants of India


Multiple Choice Questions:
Choose the most appropriate answer from the answer options.
1.2 A measure of an investment's excess return, above the risk-free return, per unit of standard deviation is
known as
(A) Beta
(B) Jensen Index
(C) Sharpe Ratio
(D) R Squared
1.3 As per BIS capital adequacy rules, banks should operate with a holding period of
(A) one week (or 5 business days)
(B) one week (or 7 days)
(C) two weeks (or 10 business days)
(D) two weeks (or 14 days)
1.4 Which one of the following is NOT a way to calculate the credit risk component as prescribed by
Basel II?
(A) Credit Risk Mitigation
(B) Control Risk Mitigation
(C) Standardised Approach
(D) Internal Rating based approach
1.5 In case the company buys shares of a Foreign Company and keeps them for a longer period, to which type
of exposure shall it be exposed?
(A) Transaction Exposure
(B) Translation Exposure
(C) Economic Exposure
(D) All of these
1.6 The banks while considering the proposal for a wholesale credit, the detailed appraisal would NOT
include
(A) Risk identification, risk allocation and risk mitigation
(B) Covenants/conditions to be stipulated
(C) Internal credit rating model
(D) Nature of Security and its enforceability (5 x 2 Marks = 10 Marks)
CASE STUDY: 2
Quality Paper Mills Limited is an unlisted company formed in the year 2004 having the head office and factory
situated at Visakhapatnam. It was manufacturing and selling papers. The manufacturing of paper was based
on bamboo and soft wood.

Some key Profitability Ratios for the FY 2012-13 were:
Percentage of profit after tax to:
Sales 1.84
Fixed Assets 0.83
Capital Employed 1.09
Net-worth 2.01
Equity Capital 3.27
Due to various issues such as, insufficient availability of raw materials, labour unrest, power problems,
environmental pollution etc., the Company stopped production in the month of March, 2013.
The Company owned a total land of 38 acres as on 31st March, 2013 in which the factory and office were
situated which was allotted by State Government in 2003 and was eligible for Tax holidays for the period of
10 years from the commencement of operations. It made distressed sale of 5 acres of vacant land for Rs. 3
crores and settled the Bank dues, outstanding wages and statutory liabilities during September 2013.
Extract from Balance Sheet as on 31st March, 2019 Rs. (in crores)
Investments 2.00
(in the form of shares, debentures, units in mutual funds)
Land (at cost) 3.00
Other fixed assets 1.50
Liabilities Nil
Equity capital 1.00
Mr. Ajit, Managing Director and Chairman of the Company, is the person who started this company way back
in 2004. Though he is a well-known person both socially and in the industry because of his dynamism, in the
year 2010 his name appeared in a Money Laundering case. In the year 2015 his name was in the news due to
an allegation of insider trading of the shares of a company which was likely to be acquired by an MNC
conglomerate.
In April, 2019, Mr. Ajit got the approval of the Board to revive the Company. He appointed a project consultant
to conduct a feasibility study and also to come out with alternate proposals.
The consultant, after a 3-month study, came out with the following proposals.
Proposal 1:
To demolish all the buildings and construct residential villas, apartments and independent houses and sell
them to the public.
Projections of Proposal 1
Project time 3 years
Total sales price Rs. 30 crores
Cost of construction Rs. 20 crores
Other expenses (including interest) Rs. 6 crores
3-year Term Loan from Bank Rs. 10 crores
Profit Rs. 4 crores
Suitable modifications to be done in Memorandum and Articles of Association of the Company. Necessary
approvals to be obtained from the Town Planning authorities of the State government.

Proposal 2:
To commence paper manufacturing using sugarcane bagasse, which is used as a substitute for bamboo and
soft wood for the production of paper pulp. It is estimated that 30% wet bagasse could be obtained from
crushing sugarcane. There are a lot of sugar mills that are around the place and it may not be a problem to
obtain such raw material. After removing pith (waste fiber) and leftover sugar from the wet bagasse, it could
be converted to pulp. Since sugarcane production is seasonal, suitable preservative arrangements for the
bagasse are to be undertaken.
Since the Company was already producing paper using bamboo and soft wood, it was suggested to have
20% of total production by using the existing machinery after sufficient reconditioning. The consultant also
suggested to manufacture (i) boards and (ii) newsprint paper besides production of papers, as there is a
growing market both in India and foreign countries.
Key factors of Proposal 2: Rs. (in crores)
Cost of new machineries 10.00
Infrastructure development expenditure etc. (laying of roads and conversion of meter-gauge rails to broad-gauge rails in the factory) 3.00
Cost towards revamping old machineries 1.25
Initial cost towards purchase of raw materials 1.00
Renovation expenses of staff quarters, office and factory buildings 2.30
Other expenditure 2.45
TOTAL COST 20.00
This was proposed to be met as under:
Fresh share capital from existing shareholders 2.00
Sale of 8 acres of unused land 6.00
Sale of Investments 2.00
Bank Term Loan (Rs. 6 crores) and Working capital loan (Rs. 4 Crore) 10.00
Production can be commenced in Sep. 2020
Projections made:
Financial Year 2020-21 2021-22 2022-23 2023-24 2024-25
Rs. (in crores)
Sales 5 15 25 36 47
Income after interest, tax and depreciation -1.00 0.90 1.50 2.40 3.00
Net Assets 2 6 10 14.40 18.80
Following projected data is related to current items
| Current Liabilities | Rs. Crore | Current Assets | Rs. Crore |
|---|---|---|---|
| Creditors for Purchase of Raw Materials | 2.00 | Stock of Raw Material | 1.00 |
| Other Current Liabilities | 1.00 | WIP | 2.00 |
| | | Finished Goods | 1.00 |
| | | Receivables | 3.00 |
| | | Other Current Assets | 2.00 |

The vision of Mr. Ajit is to look forward to the things that the Company could do and not look back at things
that could not be undone.
Hence, he gave his consent to Proposal 2, but he was not prepared to sell the investments and unused land.
Rather Mr. Ajit is interested in raising this amount through additional loan of same amount and offering these
assets as collaterals.
Descriptive Questions
2.1 He approaches your Bank for an additional loan of Rs. 8 crore. You, as a Risk Manager of the bank, have
been requested to give a detailed analytical report on the proposed lending covering the following aspects:
(i) Main Risk that will be faced by bank in the proposed lending and what are its components.
(6 Marks)
(ii) Amount of Loan that you seem to be justified keeping the various factors. (2 Marks)
(iii) Expected loss on the amount of term you recommended if the probability of default is 4% and Loan
Given Default (LGD) is 80%. (3 Marks)
(iv) Calculate the Maximum Permissible Bank Finance (MPBF) as per the Tandon Committee
Recommendations using the norm of a current ratio of 1.33. (4 Marks)
Multiple Choice Questions
Choose the most appropriate answer from the answer options.
2.2 Which one of the following would LEAST likely be included as a source of market risk?
(A) Natural disasters
(B) Technological changes
(C) Recessions
(D) Political turmoil
2.3 The managing director wanted to know the difference between Risk Capacity and Risk Appetite. It can
be BEST described as
(A) Risk Appetite is the overall ability and financial boundary above which the Board can play their
business bets; whereas Risk Capacity is the hard stop limit above which the Board would like to
restrict its business actions.
(B) Risk Capacity is the overall ability and financial boundary within which the Board can play their
business bets; whereas Risk Appetite is the hard stop limit within which the Board would like to
restrict its business actions.
(C) Risk Appetite is the overall ability and financial boundary above which the Board can play their
business bets; whereas Risk Capacity is the hard stop limit within which the Board would like to
restrict its business actions.
(D) Risk Capacity is the overall ability and financial boundary above which the Board can play their
business bets; whereas Risk Appetite is the hard stop limit above which the Board would like to
restrict its business actions.

2.4 A company's decision to move into immature or emerging markets or to launch products outside its core
competencies is BEST known as
(A) Uncertainty
(B) Ambiguity
(C) Complexity
(D) Volatility
2.5 In case of Impact of Business Risk, the Impact area of 'customer' has the following nature of impact:
(A) Morale
(B) Loyalty
(C) Loss of confidence
(D) Defaults
2.6 According to ISO 31000 on keys to ERM implementation, which one of the following keys would provide
an opportunity to change and further tailor ERM processes?
(A) Leverage existing resources
(B) Winning support and sponsorship from the top management is a precursor
(C) Building ERM using small but solid steps
(D) Focus on a simple risk model with small number of Top Risks
(5 x 2 Marks = 10 Marks)
CASE STUDY: 3
M/s. Modern Realty Developers is a partnership concern situated in Chennai. The current project of the firm
is construction of 20 luxury apartments in the outskirts of Chennai. Each apartment is identical and the
ultimate selling price of each apartment is Rs. 2.50 crores. The project had commenced in April, 2018 and
the project completion is scheduled to be completed in September, 2019. Two apartments remained
un-booked. A term loan was taken for Rs. 12 crores in April 2018 with no moratorium period.
Key figures :
Item Projected Actual
Project Completion 60% 45%
Collections from Customers Rs. 27 Crores Rs. 25 Crores
Term Loan payable to bank 12 installments 10 installments
Payments outstanding towards supply of materials Rs. 2 Crores Rs. 3 Crores
Salaries and Wages payable Nil 25 lakhs
Outstanding statutory payments Nil 50 Lakhs

Other issues faced:


• Workers hired were not adequately skilled.
• Scarcity of the Raw Material-river sand. Compelled to use substitute- M-Sand.
• Increase in price of construction materials by 10% over the estimated price.
• Acute water scarcity in Chennai.
• Accidents occurred. Workers and the site supervisors did not follow the safety regulations.
The construction industry today favours low cost housing aimed at the middle-class section of people. This
is due to the availability of concessions in the form of reduced interest rates, interest subsidy and tax benefits.
The workers at the construction site faced dust and pollution problems. The neighbours around the site were
complaining about the increasing dust levels.
It was suggested that the workers use protective face masks and spray water to the buildings under
construction. Data variables about the (i) dust control measures and (ii) dust levels were collected and
correlation between the above two variables was calculated for further analysis.
When preparing the cement mortar, it was decided to use 1 part of cement and 6 parts of sand. Drawing
samples from 20 places, where cement mortar was applied, it was found that at 3 places such ratio was not
maintained. The management contemplated to provide training in (i) handling the equipment, (ii) work culture,
(iii) safety programs.
Funds were earmarked for payment of income-tax. The same was utilized to purchase cement and bricks.
Hence the payment of income-tax could not be made on the due date.
The firm received a notice from the bank asking for repayment of the outstanding dues immediately failing
which, the bank would take precautionary steps to make the firm to prepay the loan.
Answer the following:
Multiple Choice Questions
Choose the most appropriate from the answer options:
3.1 Instance of non-payment of income-tax on the due date would most likely show:
(A) Risk appetite is lower than the risk capacity.
(B) The firm has taken an internal risk.
(C) The firm has considered it as a residual risk.
(D) Risk appetite is higher than the risk capacity.
3.2 Which of the following is MOST likely the reason that prompted the bank to issue such a notice?
(A) The bank felt that it is facing Risk Exposure.
(B) The bank felt that it is facing Default Risk.
(C) The bank felt that it is facing Recovery Risk.
(D) The bank felt that it is facing Guarantee Risk.
3.3 The proposed action of the management to provide training and safety programs would fall under:
(A) Risk Alternatives.
(B) Insurance Alternatives.
(C) Operational Alternatives.
(D) Strategic Alternatives.
3.4 Risk culture requires .
(A) continuous efforts of communication
(B) building corporate memory

(C) shaping the right risk actions
(D) All of these
3.5 If the tolerable limit for exception was 6% in the case of cement mortar sampling, the most likely
conclusion would be:
(A) the control risk is high.
(B) the detection risk is high.
(C) the control risk is low.
(D) the detection risk is low. (5 x 2 Marks = 10 Marks)
Descriptive Questions
3.6 Briefly explain the types of risks faced by the firm. (6 Marks)
3.7 Prepare a sample risk register on dust and pollution risk faced in the activities of the firm. (5 Marks)
3.8 Briefly explain the benefits of ‘Improved risk measurement and Management’ to the management.
(4 Marks)
CASE STUDY: 4
A company in the financial services sector has been fined by the Regulator for various breaches of relevant
regulations owing to which they suffered Reputation Loss and Credibility among customers and the public.
There is a possibility that some of the Directors and Officers may be penalised and could be sued by the
shareholders for losses suffered and wrongs committed. The Board and the Top Management of the company
were quite worried about this turn of events as breach of Corporate Governance norms and non-compliance
of laws and regulations were not expected to happen in the company.
You have been appointed as the new Chief Risk Officer to review and ensure best practices in Corporate
Governance particularly in the areas of compliance, disclosures, consumer protection, management of frauds
and financial crime and ethical conduct in the organisation. It is a well understood fact that in the financial
services sector, Regulators are active and regulatory risk is one of the major risks faced by companies in this
sector. You are also aware that there have been many scandals and collapses in the financial sector
world-wide and you share the concern of the Board that it is important to set benchmarks for governance in the
company.
Keeping in mind that disclosures are information that is meant for shareholders, consumers who have bought
products from the company and for other stakeholders such as employees, agents, other intermediaries and
those in the ecosystem of the company, you are asked to reshape the disclosure policy of the company in
tune with regulations and best practices.
Consumer protection is increasingly being focused on by Regulators. Consumer Forums, Courts and other
bodies raise their voices against customer service deficiencies and penalise companies. They are shamed
when such information is circulated in the media. The CRO is asked to ensure that conduct risk is better
managed by a cultural change in the organisation.
Fraud and financial crime are on the rise and these can be happening with the connivance of or wholly by
employees and even at senior management levels. Cyber-crimes, frauds and losses are becoming common
place and there is a need to ensure that systems are security proofed and employees are made aware of the
risks. This can be further risk proofed by raising the ethical standards and putting in place necessary controls
to ensure that the conduct of everyone in the institution is ethical and upright.

You have been asked to advise the Board and draft suitable policies for upgrading corporate governance
practices and risk management. To bring about cultural change in areas that is dependent on management
and employee conduct. To create a culture that is customer oriented and strongly against violations of
regulations. To discourage opaque practices that give rise to arbitrary decisions at operational levels as these
work against customers, reputation and bottom line of the company.
Based on such a background and considering the OECD guidelines on corporate Governance, please answer
the following questions.
Multiple Choice Questions
Choose the most appropriate answer from the following
4.1 Corporate Governance risk is intended to identify deficiencies that can damage the following important
existential aspects of the company.
Point out the wrong answer.
(A) Reputation.
(B) Existence.
(C) Sales growth.
(D) Continuity.
4.2 A holistic risk management framework would empower the Board to: Point out the wrong answer.
(A) Identify top threats to the entity and asset protection measures.
(B) Link risks to more efficient capital allocations and business strategy.
(C) Develop a common language in the organisation for problem solving.
(D) Look back strategy made to ensure that best practices are continued.
4.3 Stress Tests are important for Banks and are an important aspect for Board/Corporate Governance
oversight. Choose the right reason for conducting Stress Tests from the options given below:
(A) To deal with natural and manmade asset and disaster risks.
(B) To manage optimally business and portfolio downside movement.
(C) To manage political and country risks.
(D) To prevent fraud risks, malpractices and financial crimes.
4.4 Credit risk mitigation in Banks is a key concern of the Board. It can include the following except one.
Point out which answer is inappropriate.
(A) Norms of lending are tightened.
(B) Credit insurance.
(C) Making Covenants with the borrowers.
(D) Verification of assets.
4.5 Normally every Board of a company should have a Risk Committee. Among other things the following
are the duties of this Committee except one, which?
(A) Risk Committee discusses every matter in the agenda of the Board prior to the Board Meeting.
(B) Is required to review and approve the company's risk policies at least annually.
(C) Discusses all the risk strategies on both aggregate basis and by types of risks.

(D) Oversees that management has in place robust processes to ensure adherence to the risk policies
approved by the Board. (5 x 2 Marks = 10 Marks)

Descriptive Questions
4.6 Explain Corporate Governance referring to OECD guidelines and explain how the Board can shield
against Corporate Governance Risks. (4 Marks)
4.7 What is the type of risk management that is to be initiated by the Board/Management so as to prevent
frauds and financial crimes? (3 Marks)
4.8 How can Credit Risk Management be upgraded to ensure that risk of default is kept to the minimum.
(8 Marks)
CASE STUDY: 5
A manufacturing company had a major loss occurring to them in the pure risk category, namely a flood loss
in its premises. The loss caused severe damage to buildings, compound walls, plant and machinery on the
main factory floor and basements as also stock including stock in the open. Motor vehicles and other
mechanised transport were also damaged by entry of water into their engines. The loss happened in the
middle of the monsoon season. The factory was insured and as the company did not have any claim for the
last 10 years the insurance department and risk management department had become careless and the level
of underinsurance was overall 40% in relation to the replacement value of the assets.
The claim process was slow and tedious as the company did not have any knowledge of claim processes and
the kind of papers and documents that were needed to be submitted to prove the various kinds of losses and
how to make the estimates to compute the amount to be claimed. It had to depend on the insurance
company's agent and surveyor to help them to see that they complied with the obligations that have to be
met when losses occur such as informing the civil and police authorities of the loss; and in saving damaged
materials from further loss and segregating them; in measuring the physical dimensions of the loss and
estimating the cost of repairs and reconstruction; in producing the account books showing the value of assets
and stocks lost etc.
There had to be many visits by the surveyor and many rounds of negotiations for the claim to process and
the company did not get the claim for a long period.
The company also found that the expected loss reimbursement or indemnity, as is technically known in
insurance terminology, did not get allowed as the policies taken had terms which made deduction of
depreciation necessary and also because all assets were not insured at full value and hence underinsurance
applied. This caused not only considerable delay in the formalities of the claim, but also the amount assessed
was below the expectations of those who took the decisions relating to insurance as their knowledge was
incomplete and the advice. The concerned department could not explain under what risk management policy
and practices of the company they had taken decisions which made the company ineffective in getting
indemnity to the extent they could have got and that too through a speedier settlement.
In view of the delay in the settlement of the claim the company faced a financial struggle to get the factory
back to normalcy during which the company made losses and its interest cost rose very high. It had to lay off
workers owing to which the employee morale was hit. As production could not be resumed early enough, the
loyalty of stockists and customers began to fall. In view of all this, the insurance and risk management
departments were asked to review its risk management policies and practices with regard to pure or insurable
risks. The final decisions included steps such as to insure the factory on reinstatement value, to ensure review
of the sum insured every year, to take on add on covers for debris removal and the like.

The company appointed a new Insurance Officer, with additional duties to assist the Risk Management
Department in the management of pure risks. He researched and found that insurance is essential in areas
such as property protection, loss of earnings, liability insurance for the firm, its Directors and other employees.
Protection of employee lives and health was becoming a norm in organised industries. Health Insurance had
become necessary as an employee benefit. The Board of Directors were concerned about the emerging risks
that faced the Directors on the Board and the Officers of the company for wrongful actions and the need to
have a well-designed Directors and Officers Liability insurance cover; as also insurance for product liability
and any other liabilities that can arise because liability claims can be very large and may lie hidden for many
years. Increasingly authorities are directly slapping criminal and civil cases against the company when loss
of lives take place and where products are concerned especially those exported to foreign countries; product
liability insurance has become almost a compulsory requirement.
In examining existing insurance practices, many poor practices were identified. For instance, many low-level
losses which were claimable the concerned departments were not reporting the claims to the insurance
department and hence many claims which were of lower amounts but were claimable were found to be
unrecovered. Hence reporting processes had to be reworked and made known across the organisation.
Similarly, loss prevention in tune with insurance requirements were not properly carried out and, in the
process, there were possibilities that the insurance claim, if such arise could have been turned down or paid
at a lower amount on account of breach of conditions and warranties in the policy.
There are still questions that were to be examined relating to risks in the context of insurance and risks which
cannot be insured. You are asked to look at some of these questions.
Multiple Choice Questions
Choose the correct answer to the following questions.
5.1 Insurable risks are most likely to arise from which of the following categorisation of risks.
(A) Hazard Risks.
(B) Control Risks.
(C) Opportunity Risks.
(D) None of the above.
5.2 In Annual Reports it is necessary to have a section on Management Discussion and Analysis. One of
the following is not necessary to be discussed in the above section.
(A) Opportunities and Threats.
(B) Risk and concerns.
(C) Details of managing insurance risks.
(D) Internal Control systems and their adequacy.
5.3 Credit risk is insurable and has various components as per list seen below except one - point out the
exception.
(A) Default Risk.
(B) Collateral Risk.
(C) Exposure Risk.
(D) Rejection risk.
5.4 The purpose of risk evaluation is to do the following, one of which is not essential. Which ?
(A) Identify probabilities of failures and threats.
(B) Calculate the exposure i.e. possible damage or loss.
(C) Make control recommendations keeping cost-benefit analysis in mind.
(D) Get consensus from all concerned.
5.5 Certain risks are called pure risks. In this kind of risks either a loss occurs or no loss occurs. There is
no scope for gain. Which of the following is not a pure risk?
(A) Early Death.
(B) Physical damage.
(C) Loss in the share market.
(D) Liability for damages due to negligence/wrong doing. (5 x 2 Marks = 10 Marks)
5.6 Define what a pure risk is and distinguish it from other types of risks. Explain why insurance coverage
for pure risk is important. (5 Marks)
5.7 Why is operational risk management important for the management of a company to avoid losses
whether insurable or not? (4 Marks)
5.8 What is the role and responsibility of the Risk Manager? (6 Marks)

Test Series: May 2020
MOCK TEST PAPER 1
FINAL (NEW) COURSE: GROUP – II
PAPER – 6A: RISK MANAGEMENT
Solutions
Note: Please note these solutions are for guidance purpose only.
ANSWERS TO CASE STUDY: 1

1.1 Point-wise inputs on the issues raised are as follows:


(i) It might be possible that the purchase manager may authorise the order for a wrong script, instead of the
one intended by the manager, or intentionally there may be under issue compared with the authorised script.
Further, since all related works are also under the control of the Manager, he might influence other employees and
commit fraud. In such a case a proper Internal Control System needs to be put in place and other related employees
should not be under his control.
(ii) The risk manager tries to explore the possibility of employing new software towards the same. If
possible, he should employ Artificial Intelligence and Machine Learning, which dynamically respond to
change in data / situation.
(iii) The Risk Manager should use Risk Models such as Value at Risk (VaR), Stress Testing etc. to measure
the possible loss during the period of time.
(iv) The Risk Manager should monitor the risk of Anti-Money Laundering (AML).
(v) The rules and regulations existing in a foreign country and also the risk factors involved with reference
to the investment climate of that country that are to be considered before buying shares of a foreign
company.
(vi) While applying for a bank loan for the expansion of the portfolio, the parameters of credit risk that the
bank might consider and also the credit scoring model that might be applied by the bank, while approving
such loan to the company. The Company would be offering some of its immovable properties as collateral
to the proposed loan with the bank. Especially the value of collateral is an important consideration as the
value of Fixed Assets such as houses etc. may be high during buoyant market not otherwise.
(vii) The risk manager should explore the possibility of the "certainty equivalent" technique.
(viii) Effectively employing big data analytics in analysis of various transactions to study the patterns of
investments and also the possibility of using block-chain technology in ensuring the veracity of the
transactions.
(ix) Understand and reduce the exposures in financial risks by using strategies such as hedging, credit
default swap, insurance etc.
(x) Gathering various information relating to the operations of NBFC in India including credit risk management
and the underlying guidelines of RBI with respect to capital adequacy norms, provisioning etc.

(½ Marks for each correct point = Max. 15 Marks)

1.2 (C)
1.3 (C)
1.4 (B)
1.5 (B)
1.6 (C)

ANSWERS TO CASE STUDY: 2
2.1 (i) The main risk that will be faced by the Bank is Credit Risk and various components of this risk are as
follows:
(1) Default Risk – This risk means missing a payment obligation (of principal or interest or both). Default
Risk can be measured by probability of default. It depends on credit worthiness of a borrower which in turn
depends upon various factors such as management of organization, size of business, strength and
reputation of promoters etc.
(1 Mark)
(2) Exposure Risk – This implies the uncertainty associated with future level or amount of risk. In other
words, this risk is mainly associated with unexpected action of other party say prepayment of loan before
due date or request for refund of deposit before due date.
In some cases, say for amortized credit, such risks do not exist as the period of receipt is known with greater
certainty. Due to uncertainty, off balance sheet items generally create such risks. However, in such cases,
the exposure is not associated with the client’s behavior but rather with the behavior of the market, which keeps on changing
constantly. In case the value of a derivative position turns out to be positive, there is credit risk as it will lose
money if the other party defaults. To overcome such risk, derivative instruments are normally used.
(1 Mark)
(3) Recovery Risk – This risk is related to recoveries in the event of default, which in turn depends upon
various factors such as quality of guarantee provided by borrower, and other surrounding circumstances.
This risk can be minimized through Collateral and Third Party Guarantee. However, the existence of these two
risk management tools also carries risk.
(a) Collateral Risk: Although collateral reduces the credit risk, it does so only if the collateral can be sold at
a significant value. The quickness in realization of collateral depends upon its nature and prevailing market
conditions. In the normal course, fixed asset collateral carries a lower realizable value than cash
collateral. However, in a buoyant market, even a fixed asset in the form of a house
property carries a higher value. With the use of collateral, the credit risk becomes twofold:
• Uncertainty related to accessing it and disposing of encumbrances, which may be legal in some cases.
• Uncertainty related to the value realizable from the collateral, which may be subject to various
factors. To some extent the 2008 crisis was due to overvaluation of collateral against which
borrowers were granted hefty loans, and at the time of realisation the collateral value was very low.
(b) Third Party Guarantee Risk: This collateral is a kind of simple transfer of risk to the Guarantor, and in case
the guarantor defaults, the risk again comes back to the lender.
(4 Marks)
(ii) In my opinion, the Term Loan up to a maximum of Rs. 6 crore can be extended to bank; as mentioned above,
the value of collateral itself depends on many factors, hence the loan of same amount will be quite risky.
(2 Marks)
(iii) To measure random loss, following formula can be used:
D × A × LGD
D = Default %
A = Amount of Exposure
LGD = Loss Given Default
Accordingly, the expected loss on the term loan of Rs. 6 Crore shall be:
4% × Rs. 6 Crore × 80% = Rs. 19,20,000
(3 Marks)
(iv) Calculation of Maximum Permissible Bank Finance (MPBF) as per 2nd Method of Lending (Tandon
Committee Recommendations) is as under:
| Particulars | Amount (Rs. in Crore) |
|---|---|
| 1. Total Current Assets (TCA) | 8.00 |
| 2. Less: Current Liabilities other than banking borrowing | 3.00 |
| 3. Working Capital Gap (WCG) (1-2) | 5.00 |
| 4. Less: 25% of Total Current Assets (25% of 1) | 2.00 |
| 5. Maximum Permissible Bank Finance (MPBF) (3-4) | 3.00 |

With this additional borrowing the Current Liabilities shall become Rs. 6 Crore (3 + 3) and the new Current
Ratio shall become 1.33 (Rs. 8 Crore/Rs. 6 Crore).
(4 Marks)
2.2 (A)
2.3 (B)
2.4 (B)
2.5 (B)
2.6 (C)

ANSWERS TO CASE STUDY: 3


Multiple Choice Questions
3.1 (D)
3.2 (A)
3.3 (B)
3.4 (D)
3.5 (A)

3.6 The types of risk that can be faced by the firm are as follows:
(i) Market Risk: The firm is facing Market Risk due to adverse change in raw material cost and scarcity of
water. There is lull in the demand for big housing projects as most of the middle-class households are
moving towards low cost housing. Hence the firm could not sell/ book the two apartments.
(ii) Operational Risk: Risk of loss resulting from failure of people employed in the organization as workers
are not adequately trained and accidents are occurring at the site. In addition to this workers and
supervisors are not following safety instructions. The inefficiency of the workers resulted in wastage of
material and caused delay. The substitute for natural sand might result in poor finishing and less mortar
bonding. Water scarcity forced the firm to pay extra money for the construction.
(iii) Compliance Risk: As payment of Income Tax was not made on time, the firm might face action from the
Income Tax Department.
(iv) Strategic Risk: Since the current and prospective impact on earning is adverse.
(v) Financial Risk: The risks in connection with the cash flows and the pressure given by the bank in its
notice for the repayment of the loan.

(vi) Credit Risk: The inability of the firm to repay the outstanding dues to the bank.
(vii) Liquidity Risk: The act of paying for the purchase of bricks and cement from out of the funds earmarked
for the payment of Income Tax shows the firm is facing the same.
(viii) Reputation Risk: As the project is getting delayed, the firm is subject to reputation risk.
(ix) Legal Risk: The persons who have booked the apartments may sue the firm or ask for compensation for
the delay in completion.
(x) Safety Risk: The workers are not following the safety standards.
(xi) Environment Risk: The increased dust and pollution cause environmental risks.
(1 Mark for each correct point = Max. 6 Marks)

3.7 Sample Risk Register on dust and pollution risk faced by the firm
| Risk | Dust and Pollution Risk. |
|---|---|
| Causes | Usage of electric drills, hammers, cement & sand mixing etc. |
| Consequences | Workers' health affected, complaints from neighbours, regulatory authorities imposing fines etc. |
| Ownership | Owned by the site supervisors. |
| Inherent risk score | Seven out of ten. This is calculated before implementing controls towards containing the dust and pollution. |
| Controls | Provide safety masks, helmets, boots, hand gloves to workers. Sprinkle water periodically so that the minute waste does not fly. |
| Residual risk score | Four out of ten. After implementing the controls, residual risk stands at this level. |
| Process | Processes to control the dust are implemented. |
| Action for further mitigation | To explore and study measures adopted by the other industry players. To educate and train the workers. |
| Action owner | Site Manager. |
| Due Date | Within three months. |

(½ Marks for each correct point = Max. 5 Marks)

3.8 The Risk Management Payoff Model of Epstein and Rejc, 2005, demonstrates how improved risk
measurement and management provides benefits throughout the organization. Benefits extend to:
1. Enhanced working environment
Safety measures are to be addressed by giving training which in turn would increase the performance of the
workers.
2. Improved allocation of resources to the risks that really matter
Key risk areas are identified and resources are allocated.
3. Sustained or improved corporate reputation
Completing the project on time would increase the credibility of the firm.
4. Other gains, all of which lead to prevention of loss, better performance and profitability, and increased
shareholder value.
By following better project management, the firm can reduce wasteful expenditure and thereby
achieve improved profitability.
(1 Mark for each correct point = Max. 4 Marks)
ANSWERS TO CASE STUDY: 4

Multiple Choice Questions

4.1 (C)

4.2 (D)

4.3 (B)

4.4 (D)

4.5 (A)

4.6 There are many areas of risk that a company may face relating to governance risks. The absence of an
effective corporate governance framework and properly documented governance policies can create serious
risks. There has to be equitable treatment of shareholders, and the role of stakeholders has to be defined,
communicated and monitored, to prevent risks in these areas.

There are disclosure and transparency norms and if they are not articulated, considerable risks arise. The
various responsibilities of the Board cannot be left undefined, undocumented or unreviewed. If the Board
has not defined risk capacity, appetite and risk response strategies, and initiated a proper enterprise risk
management policy and approach to risks, there can arise risks for governance.

The Board cannot be ignorant of the risks facing the company. Risk managers should be independent and should not be
implementing strategy. The Risk management function and the CRO should report directly to the Board.
Board should ensure that risk management and oversight practices should not face challenges and all
stakeholder concerns should be met. Boards need to look at the long term; many risks will arise if the focus is on
the short term. They need to disclose the process of risk management and the results of risk assessments. They
should ensure that whistle-blower matters are attended, and shield the company against negative media reports,
shareholder activism, unauthorised related party transactions, disputes among promoter/owners and other
shareholders.

An independent assessment of risk governance framework has to be initiated so that there is an improving risk
management capability for the company. The risk management framework (RMF) should define a policy
statement on matters such as determining when to review the RMF and the frequency for undertaking the review,
and deciding who is responsible for the review. This may be done by the Audit Committee or a team of Directors
or with external facilitation and selecting the scope and review. The results have to be sent to the various layers
of the company and risk management tightened and enhanced.
(4 Marks)

4.7 Fraud risk is an inherent risk which arises from the opportunities to make an unlawful gain by an internal
employee or an external person or entity by exploiting the gaps in the processes of the organisation. Fraud risk in
financial reporting also has assumed importance. The COSO framework has been enhanced to ensure highest
degree of accuracy and completeness in financial statements. Operational control failures such as those that
allow an employee to deliberately tamper with the data can lead to fraud risk owing to poorly designed reporting
of data.

Fraud risk can be reduced by ensuring that there are controls in place, such as proper verification by the same or
another person. There has to be reconciliation of facts and figures. Equally important is the segregation of duties
which will not allow a person of one department to carry out the entire transaction on his own. There is also the
need for physical controls such as safekeeping of money, documents, legal agreements in safe vaults etc. Use of
two keys may be required when dealing with high amounts of cash or high value documents. There have to be
supervisory controls, exception triggers and proper authorisation and approval. There have to be proper
preventive controls, detective controls, manual controls and automated controls.

The Board has to see that the Internal Audit Function has carried out their management function in ensuring that
internal controls and other defences are in place so that the chances of fraud and financial crimes are minimised
and there is a tightening based on reviews.

(3 Marks)

4.8 The first step is to identify credit risks and hence there is need to study borrower’s profile to understand the
borrower’s financial stability, regularity in payments, possibility of default risk, the source of income etc.

Credit risk has to be mitigated through means such as funded and non-funded risk mitigation. Funded credit is
when the bank has recourse to cash or assets of the buyers. Funded credit mitigation methods include On
Balance Sheet Netting of mutual claims/reciprocal cash balances between the bank and counterparty. Another
method is collateral method whereby assets or security is retained or deposited with the bank against grant of
any loan advances, debit or credit lines. These can be in the form of cash, gold, Corporate Debt Securities etc.

Unfunded credit risk mitigation process involves an unsecured obligation of third party, where this entity is more
credit worthy than the primary borrower.

(1 Mark)

BASEL II has provided updated norms for the financial market, which has three main pillars. The first is more
focussed on credit risk. It provides three different ways of managing credit risks:

1. Standardised approach based on credit rating and risk weight,

2. Internal rating-based approach with a basic foundational and higher-level advanced approach,

3. Credit risk mitigation steps through CDS and counter party risk approaches as also through securitisation.

(1 Mark for each correct point = Max. 3 Marks)

There are other methods to enable proper credit rating:

1. Risk based pricing: Where the risk of default is higher, the interest rate will be increased.

2. Credit insurance: The lender can transfer the risk to an insurer such as in housing loans to ensure that the
mortgage is secured.

3. Tightening: Lender can tighten the norms for lending.

4. Diversification: By lending to a greater number and kinds of small borrowers to diversify the lending pool.

5. Covenants: Covenants may be entered into with the borrowers for review, full payment in case of
improvement in debt coverage ratio, audit of business operation etc.

(½ Mark for each correct point = Max. 2 Marks)

There can also be qualitative techniques of credit risk management duly implemented by three levels of
approach as under:

a. Transaction risk management

b. Portfolio risk management

c. Policies and processes that keep improving the risk management of all lending activities.

Financial institutions also attempt to mitigate lending risks by performing credit analysis on individuals and
businesses by a review of the borrower’s five C’s which are capacity, capital, character, collateral and conditions.

(2 Marks)
ANSWERS TO CASE STUDY: 5
Multiple Choice Questions

5.1 (A)

5.2 (C)

5.3 (D)

5.4 (D)

5.5 (C)

5.6 Pure Risk

Pure Risks are associated with uncertainties which may cause loss. In a pure risk situation, a loss occurs or no
loss occurs – there is no possibility for gain. These uncertainties may be due to perils such as fire, floods, etc. or
may arise from human action such as theft, accident etc.

(1 Mark)

Distinguish Pure Risk from other risks

There are certain risk events that can only result in negative outcomes such as fire accidents or leakage of
harmful chemicals from a manufacturing plant. These risks are hazard risks or pure risks, and these may be
thought of as operational or insurable risks. A good example of a hazard risk faced by many organizations is that
of theft. There are different types of pure risks:

• Personal risks - It includes early death, sudden accident and disability, unemployment, etc.

• Property risks - reduction in value of assets due to physical damage, fire, theft, etc.

• Liability Risks - the risk of legal liability for damages accruing to customer, suppliers, vendors, etc. Such risks
are also connected with compensation payable to employees for injuries and other harm afflicted in the
workplace.

(½ Marks for each correct point = Max. 1½ Marks)

Importance of insurance coverage for pure risks

There are risks which are not insurable even though there may be no gain in them. These include:

Fundamental Risks are impersonal in nature, present in nature and the economy, and have pervasive
effects. These include war, inflation, mass unemployment etc. Generally, these are not insurable and it is left to
the government to deal with the effect of these events.

Dynamic Risks are risks which arise due to changes in the economy like fluctuations in price levels, consumer
preferences, shift in technology etc. These are again not considered insurable as they are less predictable and
pervasive.

However, Particular Risks are risks which have their origin in individual events which can be clearly controlled
such as road accidents. These risks are considered insurable subject to conditions.

(½ Marks for each correct point = Max. 1½ Marks)

Risks are also categorized into hazard risks which is another term for pure risks which are insurable, while
Control risks are pure uncertainty risks and are associated with project management and these risks are hard to
quantify. Finally, there are opportunity risks which are also called speculative risks. These have opportunity for
gain and hence are not insurable.
(1 Mark)

5.7 Operational risk is important for the management of a company because of the following reasons:

(a) The Companies Act 2013 (Sections 134 and 177) lays down clear expectations from Boards of organisations
in assessing the robustness of risk management framework implemented by the company. Section 134 instructs
that Board of Directors should include a statement on development and implementation of risk management
framework for the company, including identification of risks, which as per Board’s opinion could threaten the very
existence of the company.

Clause (e) of Sub-section 5 of Section 134 explains the meaning of the term ‘internal financial controls’ as “the
policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business,
including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds
and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable
financial information.”

Section 177 instructs that the Audit Committee shall review the risk management procedures implemented by the
management.

Schedule IV instructs that Independent Directors are required to get assurance that systems of risk management
are robust and defensible.

(b) Paragraph 4(c) of the Standard on Auditing (SA) 315 “Identifying and Assessing the Risks of Material
Misstatement Through Understanding the Entity and Its Environment” defines the term ‘internal control’ as “the
process designed, implemented and maintained by those charged with governance, management and other
personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to
reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and
compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the
components of internal control.”

(c) Clause 49 of the Listing Agreement, indicates that disclosures are to be made to the Board of Directors on
risk management, on whether the company has laid down any procedures to inform Board members about the
risk assessment and mitigation procedures.

(d) The ICAI Guidance Note on Audit of Internal Financial Controls over Financial Reporting has several
sections pertinent to the understanding of operational controls underlying in the processes;

While the Guidance Note does not explicitly dwell on operational risk per se, the overall approach and
methodologies mentioned in the Note rest on, and derive from an implied understanding of the auditor’s
understanding of operational risks and the mitigating controls of the organisation; for instance, the auditor is
expected to have a thorough understanding of the automated and manual controls that lie in each of the
processes that have a direct bearing on the financials of the organisation.

(1 Mark for each correct point = Max. 4 Marks)

5.8 The role of the Risk Manager includes the following tasks:

1. Manage the implementation of all aspects of the risk function, including implementation of processes, tools
and systems to identify, assess, measure, manage, monitor and report risks.

2. Select the most suited risk identification techniques and approaches.

3. Manage the process for developing risk policies and procedures, risk limits and approval authorities.

4. Monitor major, critical and minor risk issues.

5. Manage the process for elevating control risks to more senior levels when appropriate.

6. Management of risk reporting, including reporting to senior management.

7. Prepare high-level user requirements to assist in preparation of Project Initiation documents.

8. Liaison with Business users to prepare Functional risk specifications. Translate business requirements and
functional needs into business / reporting and system specifications. Ensure technical specifications meet the
stated needs of the business.

9. Generate project management documents.

10. Provide User Training for in-house developed risk management systems.

11. Conduct compliance & risk assessments.

12. Conduct and document audits of risk related compliance to industry standards.

13. Define & develop risk policies, procedures, processes & other documentation as required.

14. Implement the risk management program and risk strategy. Ensure the risk management program is
effectively integrated into product development and delivery methodology.

15. Participate in local and global discussions to formulate new or enhance existing risk management processes,
policies and standards.

(½ Marks for each correct point = Max. 6 Marks)

MTP May 2020 Query Sheet
Case Study 1
Descriptive Questions:

1.1- How can I find the answers to this type of question?

Although some of these answers can be found in the Study Material itself, questions like these can be
answered only if the Study Material has been read twice at least, with all the conceptual clarity and
inter-linkage of the fundamentals. It is certainly not going to be easy to find the answers in the book
and therefore, for every point, the student needs to think like a risk manager, and believe that he/she is
a risk professional, per se.

Multiple Choice Questions:

1.2- Direct answer from page 6.28 of ICAI SM.

1.3- Direct answer from page 5.04 of ICAI SM(heading VaR Parameters).

1.4- Direct answer from page 6.11 of ICAI SM.

1.5- Conceptual answer from Translation Exposure heading of SFM ICAI SM.

1.6- Direct answer from page 6.15 of ICAI SM. (Rest 3 options are given under Credit Due diligence
for wholesale financing);

Case Study 2 (Nov 18 Question Paper CS-2 Case study background is same, 5MCQs common and
Descriptive Question is different)

Descriptive Questions:

2.1- (i)- Direct answer from page 6.02 and 6.03 of ICAI SM.

2.1-(ii)- There is a typographical error in the question. Consider the value of WIP as Rs. 1 crore and
then solve the question. (As clarified by ICAI)

(Some Clarifications: This question talks about the term loan amount only as the working capital loan
is decided as per Tandon Committee.

This Question asks your opinion, and the amount may differ from ICAI’s Suggested Answers. We have
to decide the amount of loan considering various factors such as collaterals i.e. investments value,
existing borrowings etc. So, you can suggest an amount of loan as per your opinion but will have to
give justification for the same.)

2.1-(iii)- Where can we find the formula for this question?

When the LGD is given, then the formula given on page 6.03 of the ICAI SM can be modified to replace
the formula’s recovery rate portion. LGD can also be viewed as the direct figure of (1-r), i.e., here if
LGD=80%, then the recovery rate is 20%.



2.1-(iv)- Application based- apply the figures to the correct formula as given on page no. 6.5 of ICAI
SM.

Multiple Choice Questions:

2.2- Based on concepts. Market risk is caused by changes in the market variables like changes in demand
and supply, or technological changes and not by changes in the weather or natural disasters.

2.3- Direct answer from page 3.03 and 3.04 of ICAI SM.

2.4- Direct answer from page 1.15 of ICAI SM.

2.5- Direct answer from page 2.23 of ICAI SM.

2.6- Direct answer from page 8.05 of ICAI SM.

Case Study 3 (Nov 19 Question Paper CS-2,4th MCQ is different)


Multiple Choice Questions:

3.1- Based on conceptual understanding and related to the case study – If the income tax has not been
paid on the due date, then that means that enough finances were not available for the income-tax payment.
And this can happen only when the risk has been taken more than the capacity to take risks and this, in
turn, will happen only when the appetite to take risks is greater than the risk capacity;

3.2- The options are really confusing; 3 out of the 4 are looking for correct answers; How can we
arrive at the correct answer?

Page 6.3 of ICAI SM- The confusion can arise amongst the exposure, default and recovery options. But
there has been no default on the part of the firm until now, and since there is no default, there has been
no recovery risk. It is just the uncertainty associated with the firm’s future ability that has made the
bank issue the notice- which happens only due to the exposure risk.

3.3- Can you please justify the answer insurance alternatives?

Training programs are a kind of risk mitigation measure, and insurance is also the same. Rest all the
options are not the risk mitigation measures. So, instead of getting insurance, the firm can go for training
programs so that the risk of failure during the operations reduces – and it’s even a better mitigation
measure than the insurance since insurance acts as a cure in terms of providing for the lost finances
whereas training acts as a preventive measure.

3.4- Direct answer from page 4.8 of ICAI SM

3.5- How is the control risk high in the given scenario?

The control risk is high in the case under consideration because, against the prescribed tolerable limit of
6%, there is a mismatch of 15% in the samples. (As clarified by ICAI over mail)



Descriptive Questions:

3.6- Linked to the case study and understanding of the types of risks given on page 1.19 of ICAI SM.

3.7- How can we prepare the risk register? There is no proforma given in the SM, as such.

Although there is no proforma given as such – related to the risk register – there is still the availability
of contents of a risk register, as on page 8.4 of the ICAI SM, and those contents can be converted to a
table and related with the case study to answer this question.

(While preparing the risk register, inherent risk score and residual risk score is subjective. You can
mention the score and give justification for the same. This may not match with ICAI’s Suggested
Answer)

3.8- Direct answer from page 8.8 of ICAI SM.

Case Study 4 (CS-4 Nov 19 Question paper)


Multiple Choice Questions:

4.1- The options are really confusing. How is the answer Sales Growth?

Common sense based question. Sales growth is the primary factor that will drive the existential aspect
of any company; Even if a company has a good reputation, is existing and is continuing its business-
but then also – if it is not growing its sales quantum, then it would not be able to survive in the future
and that’s why it is important for the existence;

4.2- Direct answer from page 3.10 of ICAI SM.

4.3- Based on the conceptual understanding of the stress testing, as given in chapter 5(page no.5.7 of
ICAI SM).

4.4- Direct answer from page 6.12 of ICAI SM.

4.5- Direct answer from page 7.03 and 7.04 of ICAI SM.

Descriptive Questions:

4.6- Answer which is suggested by ICAI, seems like we will never be able to frame such an answer.
What do we do as students?

The concepts of the seventh chapter are a mix of theoretical concepts and what is happening in the
practical world regarding corporate governance. As students, certainly, the answer would not match the
one as suggested by ICAI, but still, it can be framed from the OECD guidelines as on page 7.20 and the
Risk Management framework as on page 7.06. Also, keep yourself updated as to what all is happening
in the corporate world- so that points related to whistle blowers and media reports, etc. come to your
mind while writing such answers.

4.7- Answer from page 9.11, 1.21, 9.13 and a bit of the learning from the audit world, internal control,
etc.



4.8- It is not certain as to what the question is asking. How do we write such answers?

The answer is from the content mentioned in the 6th chapter of ICAI SM. In such a situation, it is safer
to cover more concepts and write small points about all of them.

Case Study 5 (CS-5 Nov 19 Question Paper)


Multiple Choice Questions:

5.1- Refer page no. 1.16 of ICAI SM.

5.2- Refer page no. 7.11 of ICAI SM.

5.3- Refer page no. 6.02 and 6.03 of ICAI SM.

5.4- Refer page no. 2.14 of ICAI SM. (Basic Conceptual question of Risk evaluation)

5.5-Refer page no.1.16-1.17. (Basic Conceptual question on Categorization of Risks by Paul Hopkins)

Descriptive Questions:

5.6- Direct answer from page 1.16 and 1.17 of ICAI SM.

5.7- Direct answer from page 9.02 and 9.03 of ICAI SM. (write four reasonably sized points)

5.8- Direct answer from page 2.30 of ICAI SM. (write 12 small points)



Test Series: October 2020
MOCK TEST PAPER
FINAL (NEW) COURSE: GROUP – II
PAPER – 6A: RISK MANAGEMENT
The question paper comprises five case study questions. The candidates are required to answer any four
case study questions out of five.
CASE STUDY: 1
Arjun Limited is one of the leading pharmaceutical companies in India. It has an operational track record of
near five decades. The company was promoted by one of the very reputed families of India. However, it has
been facing several challenges to grow its business in the recent years. Karna Limited is also one of the
leading pharmaceutical companies having operational track record of near three decades and multiple market
leading products. However, it is also facing challenges to grow its business. Hence the management of Karna
Limited has decided to sell its business. The management of Arjun Limited came to know about the decision
of the management of Karna Limited and has decided to adopt the strategy to grow inorganically. After initial
assessment, Arjun Limited believes that if it acquires Karna Limited, it could result into a better product
portfolio, a wider marketing and distribution network and other synergy gains which not only would improve
growth of its existing and acquired product portfolio, but would also improve profitability and consequently
return on capital employed.
The management of Arjun Limited offered ₹ 10,000 crore cash to the shareholders of Karna Limited as a
sales consideration. The offer was accepted by the shareholders of Karna Limited.
The transaction was funded in the following manner.
• ₹ 500 crore cash and bank balance available with Arjun Limited as on March 31, 2019
• Promoters of Arjun Limited infused equity share capital of ₹ 3,500 crore.
• Arjun Limited issued non-convertible debentures of ₹ 6,000 crore to fund the balance sales consideration.
The management of Arjun Limited had approached many leading debt mutual fund managers to subscribe
the issue of non-convertible debentures.
The debentures were issued in three tranches on March 31, 2019. Debentures in each tranche carry a
coupon rate of 8% p.a. payable semiannually (i.e. compounded and payable semiannually). The repayment
schedule of each tranche is listed below. Debentures mature at par.

| Tranche | Face Value (FV) of whole tranche | Maturity Date |
|---|---|---|
| 1 | ₹ 2,000 Crore | March 31, 2023 |
| 2 | ₹ 2,000 Crore | March 31, 2024 |
| 3 | ₹ 2,000 Crore | March 31, 2025 |

Further, the debenture issue includes the following terms:
• The debentures are secured by way of charge on intangible assets of the company which are not
recorded on the books of the company. The realizable value of the intangible assets is assessed at
₹ 1,000 crore and is expected to remain constant over a period of ten years. In the event of default,
investor can sell the intangible assets, but will lose right to recover their unpaid exposure.
• Investors and issuer to have put/call option on the debentures. The notice of exercise of the option can
be given at any coupon date and the company has to redeem the debentures on the next coupon date.
1

© The Institute of Chartered Accountants of India


Page 258 of 492
 Arjun Limited to obtain credit rating of the issued debentures from any recognized credit rating agency.
 Debentures to be listed on the stock exchange within one month of the allotment.
Arjun Limited made the following projections
Projected statement of profit and loss account for the year ended (₹ Crore)

| Particulars | March 31, 2019 (Before Acquisition) | March 31, 2019 (After Acquisition) | March 31, 2020 | March 31, 2021 | March 31, 2022 | March 31, 2023 | March 31, 2024 | March 31, 2025 |
|---|---|---|---|---|---|---|---|---|
| Sales | 2,000 | 2,000 | 3,600 | 4,200 | 4,800 | 5,400 | 6,100 | 6,700 |
| PBIDT | 600 | 600 | 1,080 | 1,260 | 1,440 | 1,620 | 1,830 | 2,010 |
| Interest | - | - | 480 | 480 | 480 | 480 | 320 | 160 |
| Depreciation | 50 | 50 | 100 | 100 | 100 | 100 | 100 | 100 |
| PBT | 550 | 550 | 500 | 680 | 860 | 1,040 | 1,410 | 1,750 |
| Tax | 165 | 165 | - | - | - | - | - | - |
| PAT | 385 | 385 | 500 | 680 | 860 | 1,040 | 1,410 | 1,750 |

Projected Balance Sheet as on (₹ Crore)

| Particulars | March 31, 2019 (A) (Before Acquisition) | March 31, 2019 (After Acquisition) | March 31, 2020 | March 31, 2021 | March 31, 2022 | March 31, 2023 | March 31, 2024 | March 31, 2025 |
|---|---|---|---|---|---|---|---|---|
| Non-current Assets | | | | | | | | |
| Fixed Assets | 1,500 | 3,500 | 3,500 | 3,500 | 3,500 | 3,500 | 3,500 | 3,500 |
| Goodwill | - | 6,000 | 6,000 | 6,000 | 6,000 | 6,000 | 6,000 | 6,000 |
| Current Assets | | | | | | | | |
| Receivables | 500 | 3,000 | 3,150 | 3,300 | 3,500 | 3,600 | 3,700 | 3,800 |
| Inventory | 500 | 1,000 | 1,050 | 1,100 | 1,200 | 1,300 | 1,400 | 1,500 |
| Cash and Bank | 500 | - | 500 | 1,180 | 2,040 | 1,080 | 490 | 240 |
| Total Assets | 3,000 | 13,500 | 14,200 | 15,080 | 16,240 | 15,480 | 15,090 | 15,040 |
| Equities and Liabilities | | | | | | | | |
| Equities | | | | | | | | |
| Share Capital & Reserves | 2,000 | 5,500 | 6,000 | 6,680 | 7,540 | 8,580 | 9,990 | 11,740 |
| Non-current Liabilities | | | | | | | | |
| Non-convertible debentures | | 6,000 | 6,000 | 6,000 | 6,000 | 4,000 | 2,000 | - |
| Current Liabilities | | | | | | | | |
| Trade Payable | 1,000 | 2,000 | 2,200 | 2,400 | 2,700 | 2,900 | 3,100 | 3,300 |
| Total Equities and Liabilities | 3,000 | 13,500 | 14,200 | 15,080 | 16,240 | 15,480 | 15,090 | 15,040 |

Assumptions - No dividend, Annual capex requirement = annual depreciation
MICRA, one of the leading credit rating agencies, has assigned a credit rating of ‘AA’ to the debenture issue.
Below are the historical default probabilities for the various rating scales of MICRA.

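| Rating Scale | Default probability over 1 year | Default probability over 3 year | Default probability over 6 year |
|---|---|---|---|
| AAA | 0.00% | 0.00% | 0.02% |
| AA | 0.01% | 0.12% | 0.18% |
| A | 0.18% | 2.07% | 2.89% |
| BBB | 0.93% | 3.91% | 5.08% |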

Descriptive Questions
1.1 Assume you are a credit analyst in a Debt Mutual fund. How would you do the credit due diligence for
recommending the subscription of the debenture issue? (Mention any six aspects and justify it with the
facts of the case) (7 Marks)
1.2 Market interest rate increased to 11% after 1 year for the debentures having similar credit risk profile.
What action would investor/issuer take to optimize its return on capital given no transaction cost?
Mention the risks that issuer will face immediately after exercise of the call/put option by investor/issuer.
(2 Marks)
1.3 Calculate the Debt Service Coverage Ratio (DSCR) considering opening Cash Balance and Free Cash
Flow available for all the years in which debenture repayment is scheduled. In which year is the risk of
default maximum? (6 Marks)
Multiple Choice Questions
Choose the most appropriate answer from the answer options.
1.4 Arjun Limited’s assessment that the new product portfolio will help them to achieve long term desired
growth carries which type of risk?
(A) Operational Risk
(B) Assumption Risk
(C) Strategic Risk
(D) Model Risk
1.5 ABC mutual fund is likely to face following risk on account of subscribing to the issue of listed debentures
of Arjun Limited, except one…………..
(A) Credit Risk
(B) Operational Risk
(C) Interest Rate Risk
(D) Market Risk
1.6 Credit Rating assigned to the debenture issued by Arjun Limited represents……….
(A) High Safety
(B) Adequate Safety
(C) Good Safety
(D) Moderate Safety
1.7 Given the long-term cash generating ability of the acquired business, what Arjun Limited could do to
avoid liquidity/refinancing risk?
(A) Remove Put option from the terms of debenture issue
(B) Partially fund its working capital requirement through working capital finance
(C) Longer term-debt repayment schedule to match the cash flow generated from the acquired assets
(D) All of these
1.8 If the company decides to issue foreign currency denominated bonds (US Dollars) it will be exposing
itself to_______ risk but will benefit in terms of ________.
(A) Interest rate risk/ lower transaction cost
(B) Foreign currency fluctuation risk/ lower interest rates
(C) Country risk/ longer maturity terms
(D) Liquidity risk/ lower interest rates (5 x 2 Marks = 10 Marks)
CASE STUDY: 2
XYZ Limited is an airline company in India. It is the only company whose books were positive till last quarter
in terms of profits. Its cash flow was positive and it was building a cash reserve to face any challenges. Its share
price was at its highest and its market capitalisation was at an all-time high. It was a full-service network carrier
operating domestically and internationally.
Due to heavy demand in airline traffic and old aircraft, it has ordered many new aircraft and was replacing
old aircraft with new ones. It has borrowed funds for the new aircraft, for which an instalment is due in
September, 20.
Suddenly a pandemic situation of virus arose in the country and across the globe, where the virus had infected
millions of people across the globe and caused the death of almost a lakh of people. There was no medicine to
cure such a pandemic problem.
Due to the spread of the virus, all airlines were shut. They remained shut for almost 3 months. During these 3 months,
the airline company's revenue was almost nil while it had to incur a huge cost on salary payment. Its share price
suddenly plunged by 40%. It downsized its team of employees, delayed payment of staff and
maintenance, and deferred lease payments of aircraft. However, due to the downsizing many talented employees left
the company. It changed the structure of employee salary to 30% variable and the balance fixed, and gave
employees leave without salary. Also, all its recoverable amounts from customers remained outstanding and it
is facing a cash crunch.
Now, after 3 months, airlines have started working. However, it is going to take at least a couple of years to
come back to 50% of what they were before the spread of the pandemic, in both domestic and international operations.
If you recall the previous instance of 9/11 and what happened subsequent to that, it took a lot of time for the
aviation industry to come back. It is not only how fast XYZ starts its normal operations but even after that
visas not being allowed, travel not being allowed, airlines not being allowed. Even after all these are allowed,
there will be apprehension. The first is the economic aspect.

Will people travel, either for leisure or on business? The answer is clearly no. It will take a long time for this
to happen. Then the question is of people going out to destinations and being apprehensive. How many flights
will you operate?
Also, a plane on the ground costs the airline enormously, with 50% of them having been taken on lease. So
even while they are on the ground the lease rentals are being paid. It is not only employees who are being
unproductive but also the machines. So, both men and machines are taking a heavy toll.
Now when the flights are put back into operation, the concept of social distancing is being imposed by the
government on XYZ. It is flying at only one-third of capacity and due to this fares are very high to sustain its
operations.
India being a price-sensitive market, it is again witnessing the era of the 1940s and the 1950s where only the
elite could afford to travel.
Analysts believe that the company will take at least 5-6 years to revive itself.
Another important aspect which has come due to this pandemic situation is that a lot of people have found
alternative means of working, especially with videoconferencing and other digital platforms. So, it is going to be
a major change as travelling will be less and will impact air traffic.
Descriptive Questions
2.1 Explain type of risks which XYZ limited is facing apart from Pandemic situation. (8 Marks)
2.2 In what ways Enterprise Risk Management can be classified. Explain with reference to above case
study. (4 Marks)
2.3 According to Paul Hopkins, risk is divided in what categories. Explain with reference to above case
study. (3 Marks)
Multiple Choice Questions
Choose the most appropriate answer from the answer options.
2.4 XYZ Limited is facing what kind of risk?
(A) Operational Risk
(B) Uncontrollable Risk
(C) Financial Risk
(D) Liquidity Risk
2.5 The aim of XYZ ltd in such pandemic situation would be to:
(A) Maintain unsystematic risk at the desired level
(B) Maintain systematic risk at the desired level
(C) Cost to be kept minimum
(D) Both (A) & (B) of the above
2.6 Which of the following statement is false?
(A) Risk caused by Internal factors arises during the ordinary course of business is to be borne by
Company.
(B) Risk caused by External factors arises during the ordinary course of business are not integrally
related to business.

(C) Risk caused by outright default due to inability or unwillingness by customer to pay or honour its
commitment is credit risk.
(D) Risk where change in market interest rate might adversely affect the Net Interest Income Earning
is financial risk.
2.7 Risk consequences currently faced by XYZ limited:
(A) Insignificant
(B) Minor
(C) Catastrophic
(D) Moderate
2.8 Which are the risks which XYZ Limited faces while facing the pandemic situation of virus:
(A) Human Resources risk in terms of poor morale & talent retention
(B) Operational risk in terms of inability to replace old aircraft with new ones
(C) Finance & accounts risk in terms of negative cash flow
(D) All the above (5 x 2 Marks = 10 Marks)

CASE STUDY: 3
SELFIE Ltd. is a lifestyle product company head-quartered in New Delhi. The company was established in
the year 1863 by Mr. Khalid Topiwala. The company’s business model is to manufacture and sell lifestyle
products and accessories targeted towards young population.
The main products include: digital and analog wrist watches, compact music players, mobile accessories
and eye wear.
Influenced by the rapid growth and high margins of SELFIE Ltd., another player Facelift Ltd. entered the
market in the year 1885 producing similar products in the lifestyle segment. However, Facelift Ltd. targets
its products to teenagers and young women.
Since 2008, equity shares of both SELFIE Ltd. and Facelift Ltd. are being traded on Leading Stock
Exchanges.
The financial data of the companies are as follows:
(₹ in Crores)

| Particulars | SELFIE Ltd. | Facelift Ltd. |
|---|---|---|
| Fixed Assets | 35 | 24 |
| Inventory | 14.50 | 13.19 |
| Trade Creditors | 6.95 | 4.95 |
| Trade Debtors | 5.25 | 5.25 |
| Total Debt – Short Term | 9.5 | 5 |

SELFIE Ltd. pays dividend on a regular basis, whereas Facelift Ltd. retains profits in the business and
maintains a zero-dividend policy.
SELFIE Ltd. follows a conservative approach and makes cautious decisions. It also launches products in a
phased manner.
Facelift Ltd. follows an aggressive approach and takes bold decisions. It launches multiple new products in
one go without taking into consideration the cannibalization effect they may have.
Both the companies have started operations in various other countries including Japan. The revenue from
Japan operations are significant part of revenues for Facelift Ltd.
Mr. Black is a new trainee in the Risk Management department, and he has identified the following risks at
SELFIE Ltd.
a. Inadequate safety mechanisms at production area resulting in life threatening accidents.
b. Extensive capacity expansion and capex plans for doubling production lines. Capex may result in huge
financial commitments. A detailed report has pointed out probability of overcapacity.
c. Turmoil in the currency exchange rates affects prices of raw materials. There is a risk of failure to
address this challenge effectively.
d. Fierce competition from Facelift Ltd may result in negative business growth.
Mr. Smith, a renowned stock analyst, is skeptical of ineffective and unethical practices by Management of
Selfie Ltd. and does not advise his clients to invest in the company.
Year End Prices (December) of Equity stock and Dividends for SELFIE Ltd. for the years 2014 to 2020 are
listed below. The actual yearly returns on Equity stock of Facelift Ltd. are also mentioned.
Consider the year beginning in January and ending in December.
| Year | SELFIE Ltd: Year End Price (Per Equity Share) (₹) | SELFIE Ltd: Dividend (₹) | Facelift Ltd: Actual annual Return on Equity Share (January – December) |
|---|---|---|---|
| 2014 | 28.50 | 0.14 | 3% |
| 2015 | 26.80 | 0.15 | 4% |
| 2016 | 29.60 | 0.17 | 4.3% |
| 2017 | 31.40 | 0.17 | 5% |
| 2018 | 34.50 | 0.19 | 4.1% |
| 2019 | 37.25 | 0.22 | 6% |
| 2020 | 38.10 | 0.25 | 6.2% |

Average risk-free rate from 1994 to 2000 is 2.8%.


Anuj is forecasting the performance of both companies for the year 2021. He is specifically concerned about
the risks which the companies are exposed to in Japan. Due to recent turmoil in the currency market,
Japanese Government has imposed a currency control mechanism which prevents outflow of Japanese Yen.
A local company in Japan has filed a lawsuit against Facelift Ltd. for infringement of Intellectual Property
Rights. The outcome of the lawsuit is uncertain.
The media is flooded with news of trade concerns between China and USA. The experts believe that it may
affect Indian industry and economy adversely.
Anuj divides the performance of Japanese Economy into three categories and accordingly the performance
of Facelift Ltd.

Major concerns in the Indian economy like declining GDP may be a challenge for industries. The overall
market indices like Sensex have shown neutral to moderate appreciation in the last 2 years.
The political parties are raising populist agenda which are not very much inclined towards upliftment of
economic condition in the economy.
Multiple Choice Questions
Choose the most appropriate from the answer options:
3.1 The standard deviation of annual return on equity stock of Facelift Ltd. during six year period (2014-
2019) is ______.
(A) 4.2%
(B) 2.5%
(C) 6.15%
(D) 1.06%
3.2 The Coefficient of Variation of annual return on equity stock of Facelift Ltd. during six year period
(2014-2019) shall be approximately ______.
(A) 0.230
(B) 0.250
(C) 0.315
(D) 0.210
3.3 Which of the following risks is the cause of concern for Mr. Smith?
(A) Process Risk
(B) Governance Risk
(C) Safety Risk
(D) Country Risk
3.4 If the Value at Risk (VaR) at 95% Confidence is ₹ 2,000, then VaR at 99% Confidence will be closest
to…………….
(A) ₹ 2,824
(B) ₹ 2,924
(C) ₹ 2,895
(D) ₹ 1,920
3.5 Adoption of Aggressive Approach by Facelift Ltd. exposes it to ______.
(A) Market Risk
(B) Financial Risk
(C) Operational Risk
(D) Country Risk (5 x 2 Marks = 10 Marks)

Descriptive Questions
3.6 Discuss the major types of Country Risks to which an MNC is exposed. Which of these risks is faced by
Facelift Ltd in Japan? (5 Marks)
3.7 Prepare a Report that can be submitted to the Board by Mr. Black covering Grading/ Bucketing of the
risks identified. (5 Marks)
3.8 Explain the meaning of SWOT analysis and identify the SWOT of SELFIE Ltd. (5 Marks)
CASE STUDY: 4
Go Where Ltd is a listed company having its registered office in Kolkata. It provides online pre-booked cab
facility across major cities like Kolkata, Mumbai and Bangalore. Customers can book cabs as per their
requirement subject to minimum chargeability of 5 hours. The booking is also accepted on real time basis
subject to availability of the cabs. However it is suggested to make one day prior booking to ensure its
confirmation especially during peak season.
Revenue Model of the Company:
For cabs with seating capacity of 4 persons (excluding driver), it is charged on per km basis of ₹ 10 subject to
minimum amount of ₹ 1000 for 5 hours. In case of Sedan and SUV cabs (Seating Capacity greater than 4),
it is charged at the rate of ₹ 13 per km subject to minimum amount of ₹ 1500 for 5 hours.
Staffing Policy of the Company:
In order to provide best services, the company ensures that all its drivers are professionally trained. It pays
them (Total 200 drivers) with a monthly fixed salary of ₹ 25,000 along with a variable pay of ₹ 150 per trip.
Following is the comparative extract of its audited profit and loss account for the year ended 31st March 2020 (in ₹):

| Particulars | 31st March 2019 | 31st March 2020 |
|---|---|---|
| Revenue from Operations | 3,45,18,000 | 1,13,26,500 |
| Other Income | 83,15,000 | 35,57,000 |
| Total Income | 4,28,33,000 | 1,48,83,500 |
| Expenses | | |
| Cost of Material Consumed | 79,86,400 | 22,79,500 |
| Employee Benefit Expense | 1,04,13,050 | 89,57,900 |
| Finance Cost | 67,50,000 | 78,45,000 |
| Other Expenses | 18,55,000 | 37,43,000 |
| Total Expense | 2,70,04,450 | 2,28,25,400 |
| Profit Before Tax | 1,58,28,550 | (79,41,900) |

There has been a drastic fall in the revenue of the company for the year ended 31st March 2020. With increasing
competition, there has been significant loss of market share. A new competitor has entered the market with
the concept of Self Drive Cars, which provides the customers with a cab without a driver. Further, the existing
major market players like Oola and Uberia are able to erode the customer base of ‘Go Where’ with the
introduction of their new schemes of providing instant cabs for the whole day at much more competitive prices as
compared to the company concerned.
The Other Income of the company arises from short term capital gains from its investment in Stock Market
and Mutual Funds. The company has invested majorly in two different Mutual Fund schemes- The one is
IDIDI Mutual Fund giving an average return of 9% with the standard deviation of 7% and the other is HDBC
Mutual Fund giving an average return of 7% with the standard deviation of 4%. However, the risk free return
over the time period was 3%.
The company proposes to purchase some new model cars that had come into the market for increasing
mileage efficiency.
The Board has decided to take a few decisions in order to make the current business model more viable in the
competitive circumstances:
• In order to reduce fixed payment to drivers, the board is of the opinion to change the current policy from
₹ 25,000 per month to ₹ 15,000 per month with escalation in variable pay to ₹ 200 per trip. It is estimated
that due to this change, around 60 employees will leave the company and in order to replace them, the
company will hire new drivers for whom professional training will be conducted costing ₹ 1,75,000. The
board is expecting a total number of 35,000 trips in the next year.
• The new model cars that will be purchased for ₹ 2,75,00,000 having a useful life of 12 years will be
diesel engine cars. The petrol cost exceeds diesel cost per litre by ₹ 3.50. There will be a total of 25 new
diesel cars that are being proposed for purchase in the next year. Each car will give a mileage of 15
kms per litre with an average of 5,00,000 kms per year. If the company purchases petrol engine cars, a
total of 30 cars can be purchased with the same amount giving an average mileage of 12 kms per litre
and same useful life with an average of 6,00,000 kms per year. The average cost of diesel for the next
12 years is estimated to be ₹ 70 per litre. All the cabs will have a seating capacity of 4 persons and
will be charged at the rate of ₹ 10 per km.
• The board is planning to incur advertisement expenditure of ₹ 10,00,000 in the current year which in
turn is expected to increase the revenue of the company by ₹ 3,00,000 over the period of 5 years.
• Also, the board is in favour of developing a new application software suitable for smart phones and
tablets with an estimated budget of ₹ 15,00,000.
Multiple Choice Questions
Choose the most appropriate answer from the following
4.1 The expected sales growth rate of the company for the year ended 31st March 2023 is expected to be-
(A) 2.51%
(B) 2.65%
(C) 7.95%
(D) None of the above
4.2 Using discount factors up to two decimals at the rate of 8%, the NPV of the decision to incur
advertisement expenditure shall be approximately ______.
(A) ₹ 12,00,000 Positive
(B) ₹ 2,00,000 Negative
(C) ₹ 12,00,000 Negative
(D) ₹ 2,00,000 Positive

4.3 Out of the two mutual funds that the company has invested in, which of the two gave a better return
relative to the amount of underlying investment risk-
(A) IDIDI Mutual Fund
(B) HDBC Mutual Fund
(C) Both a and b
(D) None of the above
4.4 The beta of the stock of Go Where Ltd is 0.75. This indicates-
(A) Its excess return is expected to outperform the benchmark by 75% in up markets and underperform
in down markets.
(B) Its excess return is expected to outperform the benchmark by 25% in up markets and underperform
in down markets.
(C) Its excess return is expected to underperform the benchmark by 75% in up markets and outperform
during down markets.
(D) Its excess return is expected to underperform the benchmark by 25% in up markets and outperform
during down markets.
4.5 The Net Benefit obtained by the company due to change in the payment policy to its drivers is -
(A) ₹ 2,50,000
(B) ₹ 75,000
(C) – ₹ 2,50,000
(D) – ₹ 75,000 (5 x 2 Marks = 10 Marks)
Descriptive Questions
4.6 Suppose you have been appointed as an auditor of Go Where Ltd to conduct an audit of Internal Controls
over Financial Reporting. Explain the circumstances that may cause risk for reliable financial reporting
to the company. Also enlist the statutory provisions related to risk management disclosures applicable
to the company. (8 Marks)
4.7 Evaluate whether the proposal of the board to purchase diesel cars is justified, ignoring time value of
money and tax implications. What other non-financial factors should be considered before taking such
investment decisions. (7 Marks)
CASE STUDY: 5
XYZ Limited, a listed company, is in the business of manufacturing automobile components and its main
input constituent is high quality Steel (a part of which is imported). In addition to catering to the domestic market it
also exports its product to western countries. Due to stiff competition from the producers of automobile
components of neighboring country China it has started following a liberalized credit policy for its buyers.
Recently the Board announced the appointment of AG as the company’s first lead independent director. Despite
opposition by a few shareholders, the management offered justifications for the new structure to be more
independent and investor friendly. Investors liked the idea and the announcement brought positive
sentiments to the falling stock prices which increased to ₹ 75.10, the next day of the announcement. It proved
that investors were optimistic about the future of the company and expected better financial results. AG was
actually appointed and made responsible for responding to the present state of affairs of the company. The company
had been actually witnessing and struggling in the months to address certain corporate governance
challenges. Proxy advisory firm, XYZ, raised alarms and questioned executive compensation package in the

years of falling performance. A small shareholder filed a lawsuit against the Board of Directors for misuse of
corporate funds.
RG, the present Chairman and CEO, was working with the company since last sixteen years and was a close
family friend of promoters. His leadership style being democratic was liked and praised by everyone. He was
often found meeting people at all levels within the organisation and called for trying new things. His philosophy
diminished conflicts and tensions in pursuit of goal setting and achieving. He believes that as long as dividend
is paid to shareholders and earnings per share increases, the market values the stock. In the last AGM, he
said “The recent decline in financial performance is taken as a publicity stunt by few self interested groups.
The company is on its way towards bright future ahead”.
Further, about the risk management policy of the company CEO quoted following two statements:
“The risk we are ready to assume is keeping in view our corporate goals and essential strategies.”
“Further the boundary of risk that ABC Ltd. considers acceptable shall be based on its capability to manage
the risk identified in risk assessment process.”
The Income Statement Summary of ABC Limited for last three years:
| Particulars | Year 2016-17 | Year 2017-18 | Year 2018-19 |
|---|---|---|---|
| Revenue (₹ Crores) | 13938 | 13696 | 13373 |
| Expenses (₹ Crores) | 9608 | 9420 | 9119 |
| Operating Income (₹ Crores) | 4330 | 4276 | 4254 |
| Stock Price (₹) | 65.64 | 61.00 | 58.4 |

Shareholding pattern at the end of Year 2018-19:


| Type of Shareholder | Percentage Stake |
|---|---|
| Promoters | 51.60 |
| Mutual Funds | 7.25 |
| Domestic Financial Institutions and Banks | 24.75 |
| Foreign Institutional Investors (TTC plc) | 10.40 |
| Corporate Bodies | 4.60 |
| Individuals | 1.40 |
| Total | 100 |

Descriptive Questions
5.1 On his appointment, what risks will AG identify related to the Company’s activities? Draw out a framework
to manage these risks. (6 Marks)
5.2 Other than the risks covered above, identify the other two major risks ABC Ltd. is facing. (2 Marks)
5.3 What do the statements (in italics) quoted by the CEO indicate? (2 Marks)
5.4 What type of major risk is being faced by TTC plc for investment in ABC Ltd.? Explain the process to
manage the same risk. (5 Marks)

Multiple Choice Questions
5.5 Which of the following is called Governance Risk?
(A) Risk of control failure, management override, deliberate acts of omission
(B) Ineffective and unethical management of a company by its executives and managerial levels
(C) Inability of management to meet its process related objectives
(D) Management interference in day to day operations.
5.6 Which of the following is not an index for Country Risk Analysis?
(A) Democracy Index
(B) Global Peace Index
(C) Human Perception Index
(D) Gini Coefficient
5.7 For successful ______________ it is necessary that the risk management program should look at the
big picture and identify not only short term risk factors but also long term factors impacting the entire
value chain of business activities and connected communities.
(A) Stakeholder Risk Management
(B) Country Risk Management
(C) Shareholder Risk Management
(D) Enterprise Risk Management
5.8 OECD Guidelines for corporate governance does not include:
(A) Disclosures and Transparency
(B) Equitable treatment of Debenture holders
(C) Responsibilities of the board
(D) Institutional investors, stock markets and other intermediaries
5.9 Opportunities under Risk and Opportunity Disclosure in the Annual Report of an energy company would
not include:
(A) Value realization of by-products by exploring new areas
(B) Creating differentiation through acceleration of new product development
(C) Securing raw material supplies
(D) Oversupply of Crude Oil due to collapsing demand on account of coronavirus-related global
lockdowns. (5 x 2 Marks = 10 Marks)


© The Institute of Chartered Accountants of India


Test Series: October 2020
MOCK TEST PAPER
FINAL (NEW) COURSE: GROUP – II
PAPER – 6A: RISK MANAGEMENT
Solutions
Note: Please note these solutions are for guidance purpose only.
ANSWERS TO CASE STUDY: 1
1.1 Credit due diligence for recommending subscription of the debentures
1) Assessment of project sponsor: Sponsor is a leading pharmaceutical company in India having
track record of near five decades which provides sufficient comfort with respect to experience and
expertise of the sponsor.
2) Integrity and reputation of the borrowers: Arjun Limited is promoted by one of the reputed
families of India.
3) Track record in the relevant sector: Arjun Limited is acquiring a pharmaceutical company. Arjun
Limited itself has an operational track record of nearly fifty years in the pharmaceutical industry.
4) Sector Perspective: Historically, the pharmaceutical sector has been perceived as a stable and low risk
business sector.
5) Commercial and economic viability: The borrowed amount is being used to fund the acquisition
of Karna Limited. Karna Limited is already an operational entity having commercial and economic
viable products in the market. Hence, the acquisition is commercially viable.
6) Debt servicing capabilities: Debt servicing capabilities includes capability to timely service the
interest payment and timely repayment of the scheduled term debt/debenture.
a. As per the projections shared in the case study, Arjun Limited’s Earnings before Interest
Depreciation and Tax (EBIDT) is sufficient to cover its interest payment liability in all the years
where interest payment is due.
b. Further, as per the projections shared, Arjun Limited is expected to meet its scheduled
debenture redemption liability reflected by projected balance sheet as of March 31, 2023,
March 31, 2024 and March 31, 2025.
7) External Credit Rating: MICRA Limited assigned credit rating of ‘AA’ to the non-convertible
debentures issue of Arjun Limited which indicates high safety.
8) Nature of security and its enforceability: The debentures are secured by way of charge on
intangible assets of the company which are not recorded on the books of the company. The
realizable value of the intangible assets is assessed at ₹ 1,000 crore against the debenture issue
of ₹ 6000 crore. Hence value of security is inadequate.
9) Put/call options: Issuer and the debenture holder have the Call/Put options on the debentures.
(1 Mark for each correct point = Max. 7 Marks)
1.2 The debentures issued by Arjun Limited pay interest rate of 8% p.a. If the interest rate offered by debentures
having a similar credit risk profile is now at 11% p.a., the investor of debentures of Arjun Limited will
exercise the put option. The issuer faces two risks in this scenario.

1. Liquidity risk (Refinancing Risk): If the investor exercises the put option on the debentures, Arjun
Limited has to redeem all of the outstanding debentures on which the put option is exercised. In this
case Arjun Limited’s cash-flow might be insufficient to meet the immediate redemption requirement,
despite the company being solvent. (1 Mark)
2. Interest Rate risk: Arjun Limited is paying interest at a rate of 8% p.a. However, if the investor
exercises the put option, Arjun Limited has to borrow to refinance the debentures which may carry
a higher interest rate. (1 Mark)
1.3 Calculation of the Debt Service Coverage Ratio
| Particulars | FY 23 | FY 24 | FY 25 |
|---|---|---|---|
| Opening Cash Balance | 2,040 | 1,080 | 490 |
| Add: PAT | 1,040 | 1,410 | 1,750 |
| Add: Depreciation | 100 | 100 | 100 |
| Add: Interest | 480 | 320 | 160 |
| Less Amount Spent on Capital Expenditure | 100 | 100 | 100 |
| Less Incremental Working Capital | - | - | - |
| Total Cash Available for Debt Servicing (A) | 3,560 | 2,810 | 2,400 |
| Interest Payment liability | 480 | 320 | 160 |
| Debenture redemption liability | 2,000 | 2,000 | 2,000 |
| Add: Decline in the working capital requirement | - | - | - |
| Total Debt Servicing Liability (B) | 2,480 | 2,320 | 2,160 |
| Debt Service Coverage Ratio (A/B) | 1.44 | 1.21 | 1.11 |
1½ x 3 = 4½ Marks
Risk of default is maximum in the year FY 25 where debt service coverage ratio is minimum among all
the years. 1½
1.4 (C) 2
1.5 (B) 2
1.6 (A) 2
1.7 (D) 2
1.8 (B) 2
ANSWERS TO CASE STUDY: 2
2.1 XYZ Limited is currently facing the below risks apart from pandemic risk:
(1) Financial Risk: As the company's operations were shut for 3 months, XYZ Ltd. is facing financial risk in
terms of negative profit & cash flow.
(2) Credit Risk: It is a probability of loss due to inability or unwillingness of customer to pay its dues.
Due to XYZ Ltd. customer not paying its outstanding amount, it is also facing credit risk.
(3) Liquidity Risk: The potential inability to honour its commitments when it falls due. As XYZ payment
for loan instalment gets due in September, 20, it faces liquidity risk.
(4) Market Risk: It arises due to adverse changes in market variables in terms of commodity prices,
exchange rate, interest rate etc.
(5) Operational Risk: It is the risk of loss resulting from the failure of the people working in the
organisation, internal process, systems, or external factors which are detrimental to the interest of
the organisation.
(6) Strategic Risk: It is the risk related to poor business decisions, improper implementation of decisions,
and lack of response to industry, economic and technological changes, which has an impact on the current &
prospective earnings of the organisation.
(7) Interest Rate Risk: Risk associated with changes in market interest rate which affect the organisation's
net interest earnings.
(8) Staffing Risk: Risk associated with talented employees leaving the organisation which affects the
operations of the company.
(9) Technological Risk: Risk associated with outdated or old technology/products which affect the
organisation's market share, reputation, customers etc.
(1 Marks for each correct point = Max. 8 Marks)
2.2 Enterprise risk management (ERM) is a leading best practice approach to effectively manage and
optimize business events that have the potential to impact business objectives or risks, enabling a
company to determine how much uncertainty and risk are acceptable to an organization.
Specifically, ERM can help XYZ Ltd.:
(1) Identification of strategic risk opportunities: Had XYZ Ltd. identified other related Strategic
Opportunities such as road transportation then same can facilitate achieving organizational goals.
(2) Introduction of common language: A common language within the XYZ Ltd. needs to be inculcated
in the organization so that the people recognize problems and adopt a problem solving approach
by developing risk treatment actions.
(3) Providing senior management with the most up-to-date information: Had updated information
relating to the pandemic been provided to management at the initial stage, XYZ Ltd. may have taken
decisions accordingly.
(4) ERM initiative and adherence to capital market: Since the company is a listed company there is a
need to establish a linkage between the ERM initiative and adherence to capital market reporting
disclosures and other corporate laws and regulations.
(5) Alignment of Annual Performance: There is a requirement of alignment of Annual Performance
goals with risk identification and management.
(6) Reporting of Business-risk opportunities and challenges: There should be a system of encouraging
and rewarding upstream reporting of business-risk opportunities and challenges.
(7) Alignment of other risk monitoring initiatives: There should be a system of aligning other risk
monitoring initiatives such as self-appraisals, internal auditing activities, control assessments,
continuous control monitoring, to organizational objectives.
(8) Imagining key Risk Scenarios: There should be a system of imagining key Risk Scenarios that could
potentially result in a stress on the financial position of the company. VaR and Stress Testing are
some of such techniques.
(9) Financial Risk Monitoring: It is a part of the ERM initiative that can balance the financial stability
equation of XYZ Ltd. (1 Marks for each correct point = Max. 4 Marks)
2.3 According to Paul Hopkins, risk is generally divided in 3 categories:
(a) Hazard (or Pure) Risks: These are risks which are associated with uncertainties which may cause
loss to the organisation. Either a loss or no loss may occur, but there is no possibility of gain. This
arises from perils such as fire, flood etc. or from human action such as theft, accident etc. They
are also called operational or insurable risks.
There are 3 types of pure risk:
● Personal risk- which may arise due to early death, sudden accident and disability or
unemployment etc.
● Property risk- it arises due to reduction in value of asset due to physical damage, theft, fire etc.
● Liability Risk- It is the risk of legal liability for damages accruing to customers, vendors,
suppliers etc. Such risk is also associated with compensation payable to employees for
injuries and other harm inflicted in the workplace.
(b) Control (or Uncertainty) Risks: These are associated with unknown and unexpected events.
They are also called as uncertainty risk as they are very difficult to quantify. In these circumstances,
it is known that event will occur, but precise consequences of those events are difficult to predict
and control. Therefore, the approach is based on minimising the potential consequences of these
events.
(c) Opportunity (or Speculative) Risks: In such kind of risk, there are 3 outcomes- loss, no loss or
gain. Such risk is deliberately taken with the hope of gain. Such risks are not insurable.
2 Marks
XYZ limited is mainly suffering from Control risk of pandemic which is caused due to external
factors and to some extent XYZ Ltd. is not in position to determine when the impact of pandemic
will finish, and organisation will return to its normalcy. 1 Mark
2.4 (B) 2
2.5 (D) 2
2.6 (D) 2
2.7 (C) 2
2.8 (D) 2
ANSWERS TO CASE STUDY: 3
Multiple Choice Questions
3.1 (D) 2
3.2 (A) 2
3.3 (B) 2
3.4 (A) 2
3.5 (A) 2
3.6 The analysis of country risk is important because it affects the profitability of MNCs. Country risk is also
an important concern for FDI, FPI who invest their money in MNCs.
The following are the major types of country risk.
A. Political risk
Political risk mainly arises out of the changes in the political scenarios as well as the adverse
decisions taken by the ruling government.
1. Nationalisation or expropriation risk - this type of risk occurs wherein the host country takes
over the business of MNCs without or with inadequate compensation.
2. Exchange control risk - this form of risk prevents the MNCs from converting their earnings from
local currency to foreign currency to repatriate the same to the home country. Due to these
restrictions even investors in MNCs' business suffer.
3. Taxes, rules and regulations risk -
a. Unanticipated increase in tax rates
b. Compulsion to hire local workforce
c. Strict environmental standards
4. Inefficient legal system
5. Repudiation of contracts
(2 Mark)
B. Financial and economic risk
The main risk covered in this category is sovereign risk i.e. default in repayment of borrowing by
the government of the host country. The following economic variables can be used to identify such
type of risk well in advance:-
● Ratio of country's import to its official reserve
● Ratio of import to its export
● Balance of payment surplus/deficit on current account
● Country's Debt service ratio
● Country's external debt to its GDP
(1 Mark)
Country risks faced by Facelift Ltd. in Japan
1. Exchange control risk- restrictions on conversion of Yen.
2. Inefficient legal system- lawsuits have been filed against Facelift Ltd.; it faces the risk of uncertainty
and high cost of operation due to inefficient legal system. (2 Mark)
3.7 To
The Board of Directors
Selfie Ltd.
18 October 2020
Subject: - Grading/bucketing of identified risks
Introduction
This report covers the grading/bucketing of the risks identified by the client.
1. Safety standards leading to life threatening accidents.
Safety concerns or Life threatening accidents will create a negative public image, badwill, loss of
employee trust. Consequently, Industrial Relations may worsen leading to declining revenues.
While the probability is low, the huge impact forces seeking appropriate mitigants. Hence the risk
may be classified as low probability high impact. It is suggested to ensure the adequacy of
safety systems. Expert safety advisor shall be consulted, wherever required.
2. Extensive capacity expansion and capex
Since the extensive capacity expansion plans will surely lead to large capex outflow- it may be
classified as high probability high impact risk which needs immediate management attention.

3. Exchange rate fluctuations:- exchange rate fluctuation and volatile raw materials prices are
serious business concern which affects the profitability. Impact is low because it affects all the
businesses in the industry. Hence it may be classified as low probability low impact.
4. Fierce competition from Googly Ltd
Competition from other players in the industry may have a serious impact on the revenues and
profits. Since the market is growing the probability of negative growth is low. Risk will be
classified as low probability high impact.
Signed
Mr. Black
(1 Marks for each correct point = Max. 4 Marks)
1 Mark for Report Format
3.8 SWOT analysis is undertaken by an organization to identify its internal strengths and weaknesses, as
well as its external opportunities and threats.
It is intended to specify the objectives of the business venture or project and identifying the internal and
external factors that are favorable and unfavorable to achieve those objectives. 1 Mark
SWOT Analysis of SELFIE Limited.

| Strengths | Weakness |
|---|---|
| 1. Continuous dividend payout attracting investors | 1. Slow decision-making process |
| 2. Extensive expansion plan to meet future demand | 2. Skeptical Corporate governance policies |

| Opportunities | Threats |
|---|---|
| 1. Expansion in other countries | 1. Competition from Facelift Ltd. |
| 2. Growing market demand due to population | 2. Country risk from Japan |

(1 Mark for each correct Box covering two points = Max. 4 Marks)

ANSWERS TO CASE STUDY: 4


Multiple Choice Questions
4.1 (A) 2
4.2 (D) 2
4.3 (B) 2
4.4 (D) 2
4.5 (B) 2
4.6 According to Section 134(5) of Companies Act 2013, Internal Financial Control refers to “the policies
and procedures adopted by the company for ensuring the orderly and efficient conduct of its business,
including adherence to company’s policies, the safeguarding of its assets, the prevention and detection
of frauds and errors, the accuracy and completeness of the accounting records and the timely
preparation of reliable financial information”.

Risks relevant to reliable financial reporting include external and internal events, transactions or
circumstances that may occur and adversely affect an entity’s ability to initiate, record, process, and
report financial data consistent with the assertions of management in the financial statements.
1 Mark
Risks can arise or change due to the following circumstances-
● Changes in Operating Environment- Changes in the regulatory or operating environment can result
in changes in competitive pressures and significantly different risks. There has been an increase
in competition for Go Where with the introduction of a new business model of self driven cars in the
industry. Also, the major existing market players are giving intense competition to the company. In
order to survive, Go Where must come up with necessary modifications in its business model.
● New Personnel- New personnel may have a different focus on understanding of internal controls.
With the change in payment policy, the company is expecting to hire new employees in place of
those leaving the organisation; such new employees may have a different approach towards
internal controls of the company. The company must clearly explain its SOP and related internal
controls to all the new employees.
● Rapid Growth- Significant and rapid expansion of operations can strain controls and increase the
risk of a breakdown in controls.
● New Technology- Incorporating new technologies into production processes or information
systems may change the risk associated with internal controls. The board of Go Where Ltd is
proposing to develop a new software application. It must ensure that necessary internal controls
related to information systems are adequate and there is no threat to the company information.
Also the company should conduct Information Systems audit at regular intervals.
● New accounting pronouncements- Adoption of new accounting principles or changing accounting
principles may affect risks in preparing financial statements. Go Where Ltd, being a listed company,
is required to comply with various regulations. Any changes in Indian Accounting Standards (IND
AS) must be properly incorporated in its financial statements.
1 Mark for each correct point = Max. 3 Marks
The various statutory provisions related to Risk Management disclosures applicable to Go Where Ltd, a
listed company, are as follows-
● Section 134 of Companies Act 2013 requires the board of directors to confirm in the Director’s
Responsibility Statement that they have laid down IFC and such IFC are adequate and were
operating effectively. Also, they should include a statement on development and implementation
of risk management framework for the company, including identification of risks, which as per
Board’s opinion could threaten the very existence of the company.
● The provisions of Audit Committee are also applicable to the company. Section 177 instructs the
Audit Committee to review the risk management procedures implemented by the management.
● As per Schedule IV of Companies Act 2013, Independent Directors should satisfy themselves on
the integrity of financial information and that financial controls and systems of risk management
are robust and defensible.
● Also, Clause 49 of Listing Agreement indicates that disclosures are to be made by the board of
directors on risk management, that is, whether the company has laid down any procedures to inform
board members about the risk assessment and mitigation procedures.
Or
● As per Regulation 21 of SEBI (LODR) Regulation 2015, applicable to top 500 listed entities
determined on the basis of market capitalisation as at the end of the immediate previous financial
year, the board of directors shall constitute a Risk Management Committee and shall define the role
and responsibility of the same Committee, and may delegate monitoring and reviewing of the risk
management plan to the committee and such other functions as it may deem fit; such function shall
specifically cover cyber security. 1 Mark for each correct point = Max. 4 Marks
4.7

| Particulars | Diesel Car | Petrol Car |
|---|---|---|
| Cost of Purchase (A) | ₹ 2,75,00,000 | ₹ 2,75,00,000 |
| No. of Car Purchased | 25 | 30 |
| Useful life | 12 years | 12 years |
| Km per year | 5,00,000 | 6,00,000 |
| Total Kms | 15,00,00,000 | 21,60,00,000 |
| Total Revenue (B) (Total Km x Rate per Km) | 15,00,00,000 x ₹ 10 = ₹ 1,50,00,00,000 | 21,60,00,000 x ₹ 10 = ₹ 2,16,00,00,000 |
| Mileage | 15 Km per litre | 12 Km per litre |
| Total litres to be consumed | 100,00,000 litre | 180,00,000 litres |
| Cost per litre | ₹ 70.00 | ₹ 73.80 |
| Total cost of diesel (C) | ₹ 70.00 x 1,00,00,000 = ₹ 70,00,00,000 | ₹ 73.50 x 1,80,00,000 = ₹ 132,30,00,000 |
| Net Revenue (B) – (A) – (C) | ₹ 77,25,00,000 | ₹ 80,95,00,000 |

2 Marks for each correct calculation = Max. 4 Marks
Decision: Since the Net Revenue in case of petrol car is more as compared to diesel car, it is advisable
to purchase petrol engine cars from financial perspective. 1 Mark
However following non financial factors should also be considered while making the purchase decision-
Environmental Factor: Since petrol and diesel are scarce resources, it is a good practice to make the most
efficient use of them. Since petrol is giving a lesser mileage as compared to diesel, there is more
consumption of petrol which also increases environmental pollution. Since the difference between the
two alternatives in Net Revenue is not much higher, the decision should be taken considering other
factors as well. 2 Marks
Note: Students can also mention any other factor drawing reference from the facts given in the Case
Study.
ANSWERS TO CASE STUDY: 5
Descriptive Questions
5.1 The major risks being faced by the company due to its activities are as follows:
(a) Credit Risk: Since due to stiff competition from other companies XYZ Ltd. has liberalized its credit
policy it is facing the Credit Risk or Default Risk from its buyers.
(b) Liquidity Risk: Further due to non-payment of receivables by the customers XYZ Ltd. can also face
Liquidity Risk i.e. non-availability of enough Cash and equivalents to meet its committed payments.

(c) Foreign Exchange Risk: Since the company is involved both in Imports and Exports it is subject to
Foreign Exchange Risk. 1 Mark for each Correct Point = Max. 2 Marks
Risk Management Framework for the above identified Risks

| Risk | Risk Arising From | Measurement | Management |
|---|---|---|---|
| Credit Risk | Trade Receivables | Aging Schedule; Altman Score; VaR | Credit Insurance; Credit Default Swap; Factoring; Collateral |
| Liquidity Risk | Trade and other payables | Aging Schedule; Preparation of Cash Budget | Borrowing facilities from Bank; Disposal of short-term Securities |
| Foreign Exchange Risk | Trade Receivables and Payables | Cash flow forecasting | Forward Contracts; Future Contracts; Option Contracts; Money Market Hedge; Swap Arrangements |

1 Mark for each Correct Point = Max. 4 Marks
5.2 The other major risk being faced by XYZ Ltd. is Governance Risk, as in recent times the company is
facing some Governance Issues. 2 Marks
5.3 First Statement of CEO indicates ‘Risk Appetite’ and second statement indicates ‘Risk Capacity’.
2 Marks
5.4 Since TTC plc is making FPI through the shares of XYZ Ltd. it is subject to Country Risk. 1 Mark
Broadly speaking the country risk management process involves the following steps:
(i) Identification of Risk: The first and foremost step in country risk management is identification of risk.
Various quantitative and qualitative techniques can be used to identify the risks.
(ii) Analysis of Risk: Once the risk is identified, the next step is to analyse the same from various angles.
(iii) Evaluation of Risk Management Techniques: Evaluation of various techniques to manage the risk
is carried out.
(iv) Selection of suitable techniques: Once various techniques have been evaluated, the next step is the
selection of the most suitable technique to manage the risk.
(v) Implementation of Techniques: The techniques to manage the risk are implemented.
(vi) Control: Once the selected techniques are implemented, they need to be reviewed on a periodic basis and,
if required, revised. 1 Mark for each Correct Point = Max. 4 Marks
Multiple Choice Questions
5.5 (B) 2
5.6 (C) 2
5.7 (A) 2
5.8 (B) 2
5.9 (D) 2

MTP October 2020 Query Sheet
Case Study 1
Descriptive Questions:

1.1) How do we frame this answer?


From page 6.14 of ICAI SM. We have all the relevant points. With the help of those, we need
to relate it with the case study as per our conceptual understanding of the subject.

1.2) Why would the debenture-holders exercise the put option?


It is there in the Derivatives chapter of SFM. A put option is an option to sell the assets at an
agreed price on or before a particular date. And it is obvious that the debenture holders of Arjun
Ltd. would want to earn the interest rate of 11% p.a., instead of 8% p.a., therefore, they would
want to sell these debentures and buy the new ones from the market. The 2 types of risks are
based on common sense and are self-explanatory.

1.3) How do we tackle this type of practical question and how is the amount spent on CAPEX
calculated?
Probably ICAI should not have asked this question because it contains the FCFE concept given
in the “Security Valuation” chapter of SFM. So, try to avoid such questions- but since you have
the SFM module – then the direct formula is there under the heading 6.3.2 CALCULATION
OF FCFE on page 4.11 of the SFM study material.
Here, the trick of CAPEX calculation is the attention to the figure of the fixed assets as given
in the Balance Sheet- which is the same in all the years. And since depreciation is given in the
P/L as 100, therefore, the addition is also 100 –which is making the figure of fixed assets to
stay the same at 3500.

Multiple Choice Questions:

1.4 How and why is the answer strategic risk and not model risk?

As per the question, Arjun Ltd. has decided to adopt the strategy to grow inorganically (meaning thereby
that Growth by way of mergers or takeovers rather than by its own operations), and it is under this
strategy that the new product portfolio has been designed in order to achieve long term desired growth.
Since it is directly related to a business strategy, therefore, it is a Strategic Risk. Moreover, it is not
associated with any financial model or any assumption or any product, process, or system, making it
impossible to have any of the other 3 types of risks as mentioned in the other options.

1.5) Why is the answer operational risk?

Whenever you subscribe to the debentures of any company, there will always be credit risk, interest
rate risk, and market risk; because there will always be a risk of the company not paying back (credit
risk), there will always be a risk of the company paying lower interest rates as compared to the market
since interest rates in the market may rise (Interest Rate risk) and there will always be a risk of the
market variables getting more favorable for investment in higher return fetching instruments when you
can remain stuck in the debentures of a company (Market Risk). The operations of any company are
never going to affect the risk related to the subscription of debentures of a company, therefore, the
answer is Operational Risk.

1.6) Direct answer from page 6.16 of the ICAI SM.

1.7) How are all the options helping in avoiding liquidity risk/refinancing risk?

Liquidity risk we all know. Refinancing risk refers to the possibility that an individual or company
would not be able to replace a debt obligation with new debt at a critical time for the borrower. Your
level of refinancing risk is strongly tied to your credit rating. To avoid refinancing risk, lenders place
great value on a borrower's history of paying down his or her debt reliably.

Here, if we think carefully, we will come to know that all three options are favouring the ability of
Arjun Ltd. to have greater liquidity than without these options. (A) option will not give any option or
the right to sell the debentures to the holders, that’s why – the company will continue to have the money
of the debenture holders. (B) option will allow continuous cash access like the facility of cash credit,
and the (C) option will allow the liquidity to remain in the hands of the company for a longer period of
time. Therefore, it is All of the above.

1.8) Options are really confusing. How can we arrive at the correct answer?

This question is related to basic understanding. However, yes, it is confusing- but we need to think
carefully as to which answer is the best, most specific, and most relevant answer when sometimes all
or >1 options are apparently falling right. We also need to think about which new point can arise because
of the thing mentioned in the question. Interest Rate risk and liquidity risk are related to any and every
issuance but not specifically only because of issuance in the foreign currency. Out of the country risk
and FOREX risk, we should choose FOREX risk since it is certain to happen and it is a widely
concerning factor. Moreover, lower interest rates are there in the primary FOREX markets – and here
since the US dollar market is mentioned, we can see it on Google that the interest rates are lower there.

Case Study 2
Descriptive Questions:

2.1 – Manageable question since types of risks are given on page 1.19;
Also, on page no. 44 of the Complete Guidance book by CA Shivam Palan- you can find the types of
risks faced due to COVID-19.

2.2- From page 8.2, There is no classification as such of ERM given in the study material; One can
confuse the answer with page 1.11, but it talks about the types of risks as per ERM instead of the ERM
classification. Although it would have been better if it was answered on the basis of the content on page
1.11 only, but ICAI has given advantages of ERM given on page no. 8.2 of ICAI SM.

2.3- How can the Paul Hopkins risks be related or linked to the case study?
The simple content is given on pages no.1.16 & 1.17 of the ICAI SM. However, the main risk related
to the above case study is that of Control Risk, since the scenario of a pandemic is highly uncertain and
it is completely uncontrollable.

Multiple Choice Questions:

2.4 – Options are really confusing, which option to choose in such a case?
Here, we need to think that since the main, biggest and most impactful risk is due to the pandemic,
therefore, it is common sense that the risk due to the coronavirus is uncontrollable.

2.5- Why is the answer related to both systematic and unsystematic risk, since systematic risk
cannot be controlled the answer should be the only unsystematic risk?
The answer is indirectly given as per page no. 1.21 and 2.22, where the systematic risk is given.
Unsystematic risk is a natural, spontaneous answer. However, for the systematic risk, we need to
understand that it cannot be controlled but we can prepare against it and try to hedge it- and that is what
risk mitigation does (as per page 2.22); Therefore, the answer is both A & B.

2.6 – Direct answer from page 1.20, where the D option is actually interest rate risk but it is mentioned
Financial risk;

2.7- Common sense question- the impact that the coronavirus has on the company XYZ Ltd., as given
in the case study is very significant - both in terms of finances and operations. Therefore, consequences
have to be none other than Catastrophic;

2.8- How are all three risks being faced by XYZ Ltd.?
All 3 types of risks – HR risk (people leaving the organization), Operational risk (shutdown in the
operations), and Negative cash flow risk - are the kind of risks that most businesses have faced during
the pandemic.

Case Study 3
Multiple-choice Questions:

3.1 and 3.2 How have the SD and coefficient of variation been calculated, because none of the
answers are matching with the given options?

Yes, there has been a mistake on the ICAI’s part. The options given in the question have been given as
per the data of all 7 years as mentioned in the question. If we calculate the SD of all 7 years, then we
can arrive at 1.06%. Similarly, if the Coefficient of variation for these 7 years is calculated as per the
correct formula, then we can arrive at 0.230. ( Both concepts are covered in the Intermediate of Capital
Budgeting

3.3-Case study related (Refer page no. 1.21 of ICAI SM.)

3.4- Simple calculation on the basis of formula on page 5.3 of ICAI SM.

3.5- How is the answer Market Risk?

The answer is a market risk because there is a mention of a certain cannibalization effect in the question
which is the reduction of the sales of a company's own products as a consequence of its introduction of
another similar product. This definitely happens because of the external supply and demand forces of
the market, when the consumers in general, begin to like a product more than the previous one – and
automatically the demand of the previous product is wiped out. Therefore, the answer is Market Risk;

Descriptive Questions:

3.6-Refer Page No.5.15 of the ICAI SM (Country Risk)

3.7-Refer Page No. 9.14 of ICAI SM; based on the conceptual understanding and relation with the case
study. Turmoil in the exchange rates will be caused only very seldom – therefore, the probability is very
low for that; (Risk Grading/Bucketing)

3.8- Refer Page No.2.15 of the ICAI SM (SWOT Analysis)

Case Study 4
Multiple Choice Questions:

4.1- How has the expected sales growth rate been calculated?

4.2- How is NPV resulting in a positive NPV of Rs.2 Lacs?

4.3- Simple calculation based on the formula given on page 6.28 of ICAI SM.

4.4- Beta is a simple concept in SFM and also on page 6.28 of ICAI SM. Beta is a measure of
a stock's volatility in relation to the overall market. If a stock moves less than the market, the stock's
beta is less than 1.0. High-beta stocks are supposed to be riskier but provide higher return potential;
low-beta stocks pose less risk but also lower returns. On this basis, the answer is D.

4.5- The Net Benefit obtained by the company due to change in the payment policy to its drivers is-

(A) ₹ 2,01,50,000
(B) ₹ 2,20,75,000
(C) ₹ 7,50,000
(D) ₹ 2,50,000

There will be no change in correct option.

(As changed by ICAI in corrigendum https://resource.cdn.icai.org/61688bos50226.pdf)

How is the benefit coming out to be 2,20,75,000/-? Is it very tricky?

Yes, a bit tricky.

| Particulars | Cost under Old Method | Cost under New Method |
|---|---|---|
| Fixed Salary Cost | =25000*200*12 =600,00,000 | =15000*200*12 =360,00,000 |
| Variable Cost | =35000 trips p.a*150 =52,50,000 | =35000*200 =70,00,000 |
| Training Cost | - | 175000 p.a |
| Total Cost | 6,52,50,000 | 4,31,75,000 |
| Net Benefit | 2,20,75,000 | |

Descriptive Questions:

4.6- ICAI’s answer is a bit complex to understand? Also, the distribution of marks is very
uncertain.

The answer has mostly been framed from pages 7.6 and 9.2 of the ICAI SM. It just needs to be related
with the case study- which is manageable provided the case study has been read carefully. In the
situation of the uncertainty of marks, we need to assume that the 2 parts of the question carry equal
weightage.

4.7- How is such a practical question to be handled and presented?

If the RM paper is being attempted, then the Paper 5 preparations are a given in the CA finals. This
question belongs to the Costing subject – relating to the Decision-making chapter. With a slight
application of the analytical side of the brain, it can be managed. The presentation can be in any manner
but attempts should be made to solve it in such a manner – which makes it easier for the examiner to
check your solution;

Case Study 5
Descriptive Questions:

5.1- How do we prepare the kind of RMF as has been given in the suggested answers of ICAI?

(Relevant content is available on page 282 of Complete Guidance book + Notes of concept Building
batch by CA Shivam Palan) Although, prima facie, anyone will draw just 2 columns – one with risks and
the other one with the management of risk – the “risk arising from” and “risk measurement” columns
can be inculcated in the practice of answering such types of questions in the future.

5.2- Related to the case study and basic understanding of concepts.

5.3- Refer Pages No. 3.3 and 3.4 of the ICAI SM, plus a basic understanding of concepts

5.4- Refer Page No. 5.16 of the ICAI Study Mat- Direct question;

Multiple Choice Questions:

5.5- Refer page no.1.21 of ICAI SM.

5.6- Refer page no. 5.17 of ICAI SM.

5.7-Refer page no. 8.8 of ICAI SM.

5.8- Refer page no. 7.21 of ICAI SM.

5.9-Refer page no. 7.15 of ICAI SM.

DISCLAIMER

This Suggested Answer hosted on the website does not constitute the basis for evaluation of the
student’s answers in the examination. The answers are prepared by the Faculty of the Board of
Studies with a view to assist the students in their education. While due care is taken in
preparation of the answers, if any error or omission is noticed, the same may be brought to the
attention of the Director of Board of Studies. The Council of the Institute is not in any way
responsible for the correctness or otherwise of the answers published herein.

Further, in the Elective Papers which are Case Study based, the solutions have been worked
out on the basis of certain assumptions/views derived from the facts given in the question or
language used in the question. It may be possible to work out the solution to the case studies
in a different manner based on the assumptions made or views taken.

© The Institute of Chartered Accountants of India


FINAL (NEW) EXAMINATION: NOVEMBER, 2020

PAPER-6A – RISK MANAGEMENT


The Question paper comprises five case study questions. The candidates are required
to answer any four case study questions out of five.
Answers in respect of Multiple Choice Questions are to be marked on the OMR Answer Sheet
only. Candidates may use calculator.
CASE STUDY: 1
CRPL commenced its business in the year 2003 at Chennai. Presently, it is having twenty chain
stores dealing in fast-moving consumer goods (FMCG). All the stores are situated at Chennai
city. The turnover of CRPL was ₹ 200 Crores for the financial year 2018-19. Out of the above
stores, fifteen stores are functioning in the company-owned premises and the rest are operated
in lease-hold premises. The main store, which was commenced first, is in the heart of the city.
About the retail chain stores of CRPL:
The main store, along with other retail outlets of CRPL, having the brand name "Classic Retail",
have a centralised management. The business policies and procedures are standardised across
all the stores.
All purchases are centrally done, and the goods are stored in the basement floor in the main
store. After entering the details of goods received, they are barcoded and sent to various stores.
CRPL uses proprietary software for recording all the inward and outward movement of the
goods. Accounting functions including the statutory compliances of all the stores are centrally
done at the accounting department situated in the fourth floor of the main store.
The main advantages of CRPL are that i) most of the stores are strategically located across
the city, ii) centralised purchases help in economies of scale and in better profit margins, iii) the
customers mostly are repeat customers and iv) the customers can get the products across any
store of CRPL.
The customers are given discount points on their purchases, which they can opt to adjust against
their future purchases. The customer database is maintained, and unique id is allotted to the
customers based on their mobile numbers.
The General Manager, Mr. Sumit, is studying the 'intrinsic complexity of the retail store
businesses' across the industry.
E-retailing:
CRPL has an online store also, in which the registered customers can place orders and delivery
would be made to their registered address. The bankers did not settle payments for ten
transactions totalling to ₹ 2 lakhs, during a period of three months, stating that the credit cards
used were hot-listed. The stores have despatched the goods to those customers.


Issues observed by CRPL:


i. There are no access control restrictions for entering the area in which bar-coding of
products is done.
ii. The store manager of the main store issued orders manually for a product which is fast
selling from a nearby distributor on an urgent basis, without getting approval from the
manager and it was later found that the expiry date on the lot was due to expire in the next
three days.
iii. Sometimes, based on the requirements of another store, goods were transferred from one
store to the other. It was noticed that, on a particular day, 100 quantities of a product were
transferred from one store to another. The receiving store accounted for only 80 quantities.
There were no procedures to acknowledge the receipt and delivery of goods from one store
to the other.
iv. The salesmen were given a leeway of allowing a discount upto 2% on the sale price. It
was found that some salesmen were giving a constant 2% discount to all the customers
with whom they dealt.
v. CRPL's policy is that the cash collections of each day must be deposited on the next
working day into the bank account. Such cash was required to be kept in the safety locker
by the cashier of the store. On three days in the past three months, there were cash
shortages to the tune of ₹ 5 lakhs in four stores. The respective cashiers said that they
have correctly calculated the cash collections and kept the cash in the safety lockers, but
in the next morning the cash was found to be in shortage. One locker key was with the
cashier and the other was with the managing director.
vi. On some days when the general manager was not available, the purchase manager
passed the payments to the suppliers.
vii. CRPL's credit policy allowed a credit of ₹ 50,000/- only for customers who have purchased
more than ₹ 3 lakhs on an average in the past three years. It was noticed that two
customers purchased more than ₹ 1 lakh on credit.
Extracts of few risks faced by CRPL:
Below are some of the risks faced by CRPL as extracted from its Risk and Control Matrix:
i. Risk of inadequate training to the employees of CRPL.
ii. The risk of CRPL being affected by natural calamities.
The probability of flash floods affecting the main store was estimated at i) 1% p.a. and ii)
the loss caused thereon would be ₹ 25 Lakhs.
The premium quoted by the insurance to cover such event was ₹ 30,000/- p.a.
iii. The risk of certain products being discarded after the expiry date due to slow moving of
the products.


iv. Risk of theft of products by employees resulting in breach of confidence and loss of
money.
Appointment of a Risk Management consultant:
To study the issues faced by CRPL, a risk management consultant, Mr. Kannan, was appointed
to go through issues and risks and suggest a robust risk management system and formulate
risk policies and procedures relevant to CRPL.
• He conducted a meeting of all the staff and the management and explained to them:
i. risks are those uncertainties of outcome, whether an opportunity or threat, arising out
of actions and events
ii. the importance of capturing and recording the incidents that would adversely affect
the operations of CRPL,
iii. the need for a proper and periodic risk management process which would enable the
management to deal with risks by reducing their likelihood or downside impact as the
same aims to protect the value already created by the company, but also enhances
its future opportunities,
iv. the commitment required of the Board to fix the quantum and extent of risk that it is
willing to take to pursue the objectives, in other words known as Risk Appetite and,
v. the need for implementation of proper controls and ensure their working to alleviate
the issues faced by CRPL.
• He advised them to have values, attitudes, competencies, and behaviour which would in
turn determine the company's commitment and style of Operational Risk Management.
Children mini theme park project:
• In the main store, adjacent to the building, CRPL is maintaining a garden having an area
of 5,000 sft., which is company-owned. It was observed that an average of 1,000 customers
visited the store per day and out of them 150 families visited with children.
• To tap the potential, Mr. Deepak, the Managing Director (MD), suggested a proposal to
build a children mini theme park in that area. Only children with age group of 3 to 12 would
be admitted from whom entrance fee would be collected. This project is expected to have
a life of 5 years and the initial project cost is estimated at ₹ 2.50 crores.
On the basis of above, you are required to answer the following questions:
Multiple Choice Questions
Choose the most appropriate answer from the given options.
(1.1) In which of the following processes of Risk Management, the Risk Register would least
likely be considered?

(A) Risk Analysis
(B) Risk Identification
(C) Risk Ranking
(D) Risk Treatment
(1.2) Which of the following is not a characteristic of Risk Appetite?
(A) In the normal course, evaluating the Risk Appetite is out of audit scope.
(B) Risk Appetite is understanding control and other response activities.
(C) Risk Appetite provides a standard against which a risk can be compared.
(D) Internal auditors can do a consulting activity of assisting the Board in fixing the Risk
Appetite.
(1.3) The advice of Mr. Kannan could be better termed as:
(A) Risk Culture
(B) Risk Focus
(C) Risk Framework
(D) Corporate Governance
(1.4) In his study, Mr. Sumit, would least likely be concerned with which of the following?
(A) Online shopping
(B) Frequent changes to prices of the products
(C) Compliance with rules and regulations
(D) Failure in supply chains
(1.5) CRPL could not realise the money of ₹ 2 lakhs on the credit card transactions described
in the case study. The best management practice to avoid similar occurrences in the future
would be:
(A) Before accepting the order, verify the card number against rejected cards history.
(B) Before processing the order, verify the card number against rejected cards history.
(C) Before despatching the goods, verify the settlement made by the banker.
(D) Verifying the card number against rejected cards history after rejection of the
transaction by the banker.
(5 x 2 Marks = 10 Marks)
Descriptive Questions
(1.6) What are the specific controls that you would suggest for the issues observed by CRPL?
(6 Marks)


(1.7) The proposed theme park project, as suggested by Mr. Deepak, is estimated to have i) an
annual cash inflow of ₹ 75 lakhs and ii) cost of capital is 10%.
Identify to which of the three factors, viz., initial project cost, annual cash inflow and project
life in years, the project is most sensitive if the variable is adversely affected by 10%? (Use
annuity factors: for 10% = 3.7908 and 11% = 3.6959) (5 Marks)
(1.8) Write the risk actions and risk responses for the risks faced by CRPL as extracted from
its Risk and Control Matrix. (4 Marks)
Answer
Multiple Choice Questions
1.1 (D)
1.2 (B)
1.3 (A)
1.4 (C)
1.5 (C)
Descriptive Questions
1.6 Specific controls suggested for the issues observed by CRPL:
There are several different, but closely related or similar categorisations used in different
kinds of control framework, organisations, but mostly they would fall under these
categories.
(i) Verification: Refers to a control where a control step necessitates the transaction is
verified by a different individual before it is completed.
Cash shortage of ₹ 5 lakhs could have been avoided if two different persons count
the cash and place it in the safety locker, after signing the cash register. Cash in the
safety locker to be held as a joint custody of a senior officer of the store and the
cashier.
(ii) Reconciliations: Refers to a control where an output of a process step is reconciled
against other known, established sources of information.
One store has sent 100 quantities and the other store has received only 80 quantities.
Proper acknowledgement of receipt / delivery of goods transfer must be in place. This
helps in reconciliation of stock transfer within stores.
(iii) Segregation of duties: Refers to a control where part of the transaction is executed
across two segregated departments / functions / verticals thereby eliminating the risk
of the originating department to carry out the entire transaction on its own.


The purchase manager having initiated the purchases cannot be the same person
who can pass the payment for the purchases. Procedures must be evolved that such
things do not happen in future.
(iv) Physical control: Refers to a control type where physical custody of an asset is the
control.
The area where bar-coding is done does not have access control restrictions. Control
measures are to be implemented so that only authorised persons are able to enter
that area.
(v) Supervisory control: Refers to a control where the primary transaction / process is
executed at a particular level in an organisation, but before finalising it, the supervisor
is required to review it and accord an approval.
The sales managers must verify the discounts given by the salesmen periodically. If
a particular salesman is always passing on 2% discount to the customers, he can be
questioned and properly advised on such practice.
(vi) Exception triggers: Refers to a control where a system, or a responsible individual,
throws up regular reports of transactions which are deviant from the accepted,
established process.
The software has not been designed according to the credit policy of the company
and it should not have allowed the excess credit over ₹ 50,000/-. Controls must be
placed in the software so that such violation is not repeated.
(vii) Authorisation / approval: Refers to a control step where, after a processing of a
transaction basis built in controls is almost complete, a final authority reviews it and
approves it.
Even if emergency purchases are made, necessary approvals are to be obtained from
the superiors, e.g. the store manager issued a manual order without getting approval
from the manager.
1.7 To compute the sensitivity of various factors, first we compute the NPV of the project.
NPV = - ₹ 2,50,00,000 + ₹ 75,00,000 x 3.7908
= - ₹ 2,50,00,000 + ₹ 2,84,31,000
= ₹ 34,31,000
Sensitivity Analysis
(i) Initial Project Cost
If the project cost is increased adversely by 10%, NPV
= - ₹ 2,75,00,000 + ₹ 2,84,31,000
= ₹ 9,31,000

Change in NPV = (34.31 − 9.31) / 34.31 x 100 = 72.865% or 72.87%
(ii) Annual Cash Flow
If Annual Cash Flow is adversely affected by 10%, NPV
= - ₹ 2,50,00,000 + ₹ 67,50,000 x 3.7908
= - ₹ 2,50,00,000 + ₹ 2,55,87,900
= ₹ 5,87,900
Change in NPV = (34,31,000 − 5,87,900) / 34,31,000 x 100 = 82.865% or 82.87%
(iii) Present Value of Cash Inflow of each year
Year   Present Value Factor   Cash Flow (₹ Lakhs)   Present Value of Cash Flow (₹ Lakhs)
1      0.9091                 75                    68.1825
2      0.8264                 75                    61.9800
3      0.7513                 75                    56.3475
4      0.6830                 75                    51.2250
                                                    237.735
Balance Left                                        12.2650
Thus, the period required in the fifth year
= 12.2650 / (75 x 0.6209) = 12.2650 / 46.5675 = 0.263 Years
Thus, if project runs for 4 years and 0.263 years then Break Even would occur
representing a fall in
(5 - 4.263) / 5 x 100 = 14.74%
Thus, the most sensitive factor is Annual Cash Flow.
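The working in answer 1.7 can be recomputed with the short Python script below. It is an added example, not part of the ICAI suggested answer; the function names are illustrative, and it discounts with unrounded factors, so its results differ from the printed figures only in the last decimal place.

```python
"""Sensitivity of the theme park project's NPV, following answer 1.7."""


def pv_factors(rate, years):
    """Discount factor for each year-end cash flow, years 1..years."""
    return [1 / (1 + rate) ** t for t in range(1, years + 1)]


def npv(cost, cash, rate, life):
    """NPV of an upfront cost followed by a level annual inflow."""
    return cash * sum(pv_factors(rate, life)) - cost


def pct_drop_in_npv(base, shocked):
    """Fall in NPV, as a percentage of the base NPV."""
    return (base - shocked) / base * 100


def break_even_life(cost, cash, rate, life):
    """Years needed for discounted inflows to repay the cost.

    Interpolates inside the year in which recovery completes, as the
    answer does for the fifth year. Returns None when the cost is not
    recovered within the project life.
    """
    recovered = 0.0
    for year, factor in enumerate(pv_factors(rate, life), start=1):
        pv = cash * factor
        if recovered + pv >= cost:
            return (year - 1) + (cost - recovered) / pv
        recovered += pv
    return None


def sensitivity(cost, cash, rate, life, shock=0.10):
    """Return (base NPV, {factor: sensitivity %}, most sensitive factor).

    Cost and cash inflow are measured as the % fall in NPV after an
    adverse shock; project life is measured as the % fall in life that
    brings NPV to zero. The answer compares these figures directly.
    """
    base = npv(cost, cash, rate, life)
    if base <= 0:
        raise ValueError("base NPV must be positive to measure sensitivity")
    results = {
        "initial project cost": pct_drop_in_npv(
            base, npv(cost * (1 + shock), cash, rate, life)),
        "annual cash inflow": pct_drop_in_npv(
            base, npv(cost, cash * (1 - shock), rate, life)),
    }
    # A positive base NPV guarantees that a break-even point exists.
    be = break_even_life(cost, cash, rate, life)
    results["project life"] = (life - be) / life * 100
    most = max(results, key=results.get)
    return base, results, most


# Figures from the case study, in rupees.
COST = 25_000_000   # initial project cost, 2.50 crores
CASH = 7_500_000    # annual cash inflow, 75 lakhs
RATE = 0.10         # cost of capital
LIFE = 5            # project life in years

if __name__ == "__main__":
    base, results, most = sensitivity(COST, CASH, RATE, LIFE)
    print(f"Base NPV: {base:,.0f}")
    for factor, pct in results.items():
        print(f"{factor}: {pct:.2f}%")
    print("Most sensitive factor:", most)
```

The answer rounds the fractional year to 0.263 before computing the fall in project life, which is why it shows 14.74% where the script gives 14.73%.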
1.8 – The action and risk response to various risks identified are as follows:
Risk actions and risk responses for the risks faced by CRPL:
1. Risk: The risk of certain products being discarded after the expiry date due to slow
moving of the products.

Risk Action: Avoid
Response: Since certain products are slow moving, it is recommended to stop
buying and storing such products. Thereby the risk can be avoided.
2. Risk: Risk of inadequate training to the employees of CRPL.
Risk Action: Reduce / Manage
Response: To reduce / manage the risks of lack of trained staff, the company must
conduct various training programs periodically.
3. Risk: Risk of theft of products by employees resulting in breach of confidence and
loss of money.
Risk Action: Transfer / Share
Response: Breach of confidence by the employees is one of the chief risks. The loss
occurring on account of the same can be covered by taking fidelity insurance, as this
type of insurance covers the loss happening due to theft of products / cash by the
employees.
4. Risk: The risk of CRPL being affected by natural calamities.
Risk Action: Accept
Response: The probability of loss on account of flash floods affecting the store would
be ₹ 25,000/- p.a. (₹ 25,00,000 X 1%), while the cost of coverage of the risk by way
of payment of insurance premium is ₹ 30,000/-. Thus, the cost of control is more than
the estimated risk. In this situation, the company would accept the risk.
CASE STUDY: 2
SUN Fibers Ltd. (SUN) was founded in 2002 to produce nylon fiber at its only plant in Pune by
using new technology and domestic raw materials. The company had developed a steady
franchise among dozens of small, local textile weavers. It supplied synthetic fiber yarns used
to weave colorful cloths for making saris, the traditional women's dress of India.
SUN has robust treasury management and has a huge trading portfolio of AA and BB rated
debts. The treasurer is more concerned about the BB rated debt. In order to hedge this, the treasury is
planning to use a credit default swap (CDS). Information about the CDS and the action taken is given
below:
(i) Prime credit spreads are currently trading at 130 basis points (bps) over government
security for 5-year maturities, and 190 bps over for 10-year maturities. The treasury
manager hedges INR 10 million holding of 10-year paper by purchasing the following credit
default swap, written on the 5-year bond.
(ii) The treasurer's hedge protects for the first 5 years of the holding. The 10-year bond holding
also earns 75 bps over the shorter-term security for the portfolio manager.

Term               5 years
Reference credit   Prime 5-year bond
Credit event       The business day following occurrence of specified credit event
Default payment    Nominal value of bond x [100 - price of bond after credit event]
Swap premium       3.35%
The management of SUN is concerned about the reputation of the company. Despite making
best efforts in past the reputation of the company has not improved to the level enjoyed by the
close competitor. There is a feeling that existing model also needs to be changed in view of
changed circumstances. Since the inception the company has not reviewed its business model.
The demand and revenue loss are the cause of concern of the company. The management is
worried that despite best quality products they are lagging behind the competitor. There are
multiple suggestions within the organization ranging from change in product, diversification,
increase in geography etc. The board does not have formal strategy document and operational
issues are mainly based on the understanding of the CEO who is promoter also. The company
has been following same strategy since inception in tackling competition.
Except treasury; the risk management in SUN is mostly done at business unit level. The
management is thinking about an integrated risk management system especially considering
the recent investment in South African country by opening a small but new factory. The
management is also concerned about the country risk. In one of the board meetings, it was
highlighted that a risk management framework is missing in the company. The risk department
has promised to inform the Board in this respect. Also risk register is not being maintained in
the company. One version is that it is not useful. The other set of senior executives want it to
be maintained. They have decided to take help of a consultant in this.
The company has recently adopted IND-AS. And it is in the process of establishing a robust
system of expected credit loss (ECL). A recently qualified chartered accountant who is a part
of the treasury team is ready to accept this work and has promised to the treasury head that
she will do it. SUN currently operates with separate and independent risk management,
compliance and audit functions.
On the basis of above, you are required to answer the following questions:
Multiple Choice Questions
Choose the most appropriate answer from the given options.
(2.1) Assuming now that during the life of the swap, there is a technical default on the Prime 5-
year bond, such that its price now stands at 58. Under the terms of the swap, the protection
buyer delivers the bond to the seller who pays to the protection buyer INR........................
(A) INR 4.2 million
(B) INR 42 million
(C) INR 5 million

(D) INR 4 million
(2.2) In order to assess ECL, Loss Given Default (LGD) is required. Which of the following is
the correct definition of Loss Given Default (LGD)?
(A) It measures the remaining economic maturity of the exposure.
(B) It is estimated amount outstanding in a loan commitment if default occurs.
(C) It measures the proportion of the exposure that will be lost if Default occurs.
(D) It measures the likelihood that the borrower will default over a given time horizon.
(2.3) A recently hired junior in a risk management department is wondering how a pure risk
differs from a speculative risk. Which of the following statement is correct in this respect?
(A) A pure risk always has an environmental cause whereas a speculative risk always
involves human error.
(B) A pure risk can be measured in probability terms whereas a speculative risk cannot.
(C) A pure risk is not subject to regulatory control but a speculative risk always is.
(D) Pure risks are associated with uncertainties that can lead to the possibility of a loss,
whereas a speculative risk may lead to a gain.
(2.4) Many companies are taking a broad view of strategic risk that doesn't just focus on
challenges that might cause a particular strategy to fail, but on any major risks that could
affect a company's long-term positioning and performance. Which one of the following is
correct with respect to strategic risks?
(A) Strategic risk are those that arise from fundamental decisions that Board takes
concerning an organisation's objectives.
(B) Strategic risks are subdivided into business and non-business risks.
(C) CEO, board or risk management committee of the board has the oversight of strategic
risk and hence the composition of the Board should be balanced in skills, knowledge
and experience.
(D) All listed in (A), (B) & (C).
(2.5) SUN operates with separate and independent risk management, compliance and audit
functions. The SUN's Board should be aware that
(A) all costs will be reduced and more risks will be eliminated.
(B) holistic risk management processes will be more effective across the company.
(C) this is likely to create a more robust approach to managing risk.
(D) work will often be duplicated and costs will usually be increased.
(5 x 2 Marks = 10 Marks)


Descriptive Questions
(2.6) Briefly explain the strategic risks SUN is facing and what broad key risk drivers you would
like to consider assessing that risk? (4 Marks)
(2.7) What is reputational risk? You are hired by the SUN to assess reputational risk. What are
the steps needed to assess reputational risks? (3 Marks)
(2.8) What is the purpose of risk management framework? What could be the steps in
developing risk management framework? (2 Marks)
(2.9) In your opinion what should be done to establish in-house process to analyze country risk
of SUN ? (3 Marks)
(2.10) While you were in the board room one member remarked as under.
"Having too much on the risk register runs the risk of diluting the focus on the key risks "
What would be your response to the above and why? (3 Marks)
Answer
Multiple Choice Questions
2.1 (A)
2.2 (C)
2.3 (D)
2.4 (D)
2.5 (C) or (D)
2.6 The main strategic risks faced by SUN Ltd. are as follows:
❖ Old Business model not reviewed for a long period of time
❖ Country Risk
❖ Adoption of Ind-AS.
❖ Risk management Framework / Proper risk management strategies are not present
The main key drivers to be considered to assess these risks
❖ Loss of Demand and Revenue
❖ No formal strategy document
❖ Missing of Risk Management in the company
❖ No Risk Register is maintained in the company
2.7 Reputational risk – Adverse publicity regarding an entity’s practices leading to a loss of
revenue or litigation. Any event which affects the name or brand image of the entity is


Reputational Risk. Any adverse publicity, news coverage, comments etc. that has the
ability to dent the trust created by the entity and becomes detrimental to the business of
the entity.
It is a process, involving the following steps:
❖ identifying business functions, assets, vulnerabilities and threats;
❖ assessing the reputational risk
❖ developing a reputational risk management plan;
❖ implementing reputational risk management actions, and
❖ re-evaluating the reputational risks.
2.8 A holistic risk management framework would empower Boards to:
❖ Identify top threats to entity and asset protection measures.
❖ Link risks to more efficient capital allocations and business strategy.
❖ Develop a common language in the organisation for problem solving.
❖ Effectively respond to an evolving business environment.
The RMF should define a policy statement on the following matters:-
(i) Determining when to review the RMF and the frequency for undertaking the review.
(ii) Deciding who is responsible for the review. The RMF is generally reviewed by the
Audit Committee or a team of Directors. Once in a few years the RMF can be reviewed
with external facilitation; this would provide fresh insights and benchmarking
information to the Board.
(iii) Selecting the scope and method for a review. The scope and boundary of the RMF
review can be clearly set out along with the most suited method for review.
(iv) Manner of circulation of results.
2.9 Country Risk is a major issue of concern in overall management of business. Broadly
speaking the country risk management process involves the following steps:
(i) Identification of Risk: First and foremost, step in country risk management is
identification of risk. The various quantitative and qualitative techniques can be used
to identify the risks.
(ii) Analysis of Risk: Once the risk is identified the next step is analyse the same from
various angles.
(iii) Evaluation of Risk Management Techniques: Evaluation of various techniques to
manage the risk is carried out.


(iv) Selection of suitable techniques: Once various techniques have been evaluated,
the next step is selection of the most suitable technique to manage the risk.
(v) Implementation of Techniques: The techniques to manage the risk are
implemented.
(vi) Control: Once the selected techniques are implemented, they need to be reviewed
periodically and, if required, revised.
2.10 To some extent the given statement is true, as in creating the Risk Register, Inherent Risks are
identified and recorded. Inherent Risk is the level of risk assuming no internal control.
Accordingly, if all risks are covered whether Residual Risk then it will lose its importance.
CASE STUDY: 3
Headquartered in Mumbai, STEPOIL is one of India's top 10 oil and gas producers. In 2020,
the company had revenues of INR 700 billion. In the same year, it had over 23,000 employees.
Known for its operational excellence, STEPOIL is a leader in offshore oil production below water
depths of 100 meters. In 2010, STEPOIL's shares were listed on the NSE and BSE. After having
sold its downstream and petrochemical businesses over the past few years, STEPOIL is today
heavily focused on upstream activities (i.e., exploration and development of oil and gas
reserves). Its two business areas focusing on development are divided according to
geographical regions (India and International with the latter being much smaller).
The company maintains a trading portfolio which is managed by a qualified portfolio manager.
In addition, it has four more business areas focusing on marketing, technology, exploration, and
strategy. Considering its complexity of business STEPOIL started to implement enterprise risk
management (ERM) since 2014. Initially, it hired Mr. Aman who had been asked to systemize
the management of risk in finance which previously had been carried out in a fragmented and
uncoordinated way. The result of such exercise was that the risks managed by the finance
department were measured and managed as a portfolio of risks with central oversight. The CEO
of STEPOIL has realized that the same principles could be applied to the whole company, and
that there would be benefits to the company from managing its risks in an integrated way.
An important early milestone in the implementation of ERM came in 2016, when the Risk
Committee, a cross-disciplinary advisory body on risk, was formed. It consists of a broad range
of professionals with different backgrounds, such as the head of strategy, the heads of the
treasury, the chief controllers of different business units, and the head of internal control, in
addition to the CRO. The CRO is yet to get authority and functional autonomy and is facing
obstacle from the CEO.
The idea behind creating the committee was to obtain a forum to which people could put
proposals and general risk issues for analysis and recommendations. However, the internal
audit team is not providing required support in the ERM implementation exercise as they believe
this will reduce their authority in the organization. While STEPOIL's executive officers were
generally positive to the idea behind ERM, they still demanded to know "What is in it for us?" A
large number of executives and some board members still feel that ERM is an administrative


burden. The CRO demonstrated efforts of Mr. Aman and the benefits STEPOIL is getting after
analysis of the costs and benefits from various financial transactions, mostly hedging and
foreign exchange (FX) transactions going on in the company. Mr Aman and the CRO were able
to show that the number of transactions was staggeringly high, and that they were mostly based
on a silo thinking that made no sense at all as seen from the corporate perspective. ERM had
demonstrated the economic justification it needed.
A clear mandate was given in 2018, the risk department was formally set up headed by the
CRO, and started work on developing a common methodology on risk, as well as continuing the
work on developing the company's consolidated risk model that had been initiated four years
earlier. The CRO wants to use Value at Risk (VAR) techniques for quantifying risk so that it
would be easier for the Board to understand the risk. Some of the members of the board have
apprehensions about the effectiveness of the technique considering the mechanical process and
limitations of the model. The CRO is trying hard to convince the Board about developing a
sophisticated approach to ERM that centers on the principle of value creation and has a vision
to ensure that ERM is thoroughly embedded in the business units' way of doing things, despite
the fact that it is yet to enjoy the wholehearted support of STEPOIL's executive officers and board
of directors.
The board is concerned about the current risk culture and wants to have an understanding about
the risk culture. The CRO has promised to get an assessment of risk culture done from an
independent consultant.
The business continuity plan (BCP) is currently managed by the cyber security team and is not part
of the ERM. The cyber security team's argument is that these two are not linked and should be
managed separately.
On the basis of above, you are required to answer the following questions:
Multiple Choice Questions
Choose the most appropriate answer from the given options.
(3.1) Which one of the following is incorrect with respect to VAR?
(A) It is a unified method of measuring risk.
(B) VAR does not measure liquidity risk.
(C) VAR does not measure operational risk.
(D) VAR is not risk management.
(3.2) Which one of the following is incorrect with respect to ERM?
(A) It is a process effected by an entity's board of directors, management and other
personnel.
(B) It is applied in strategic setting and across the enterprise.
(C) It manages risk to be within risk appetite.

(D) It provides complete assurance regarding the achievement of entity's objective.


(3.3) Which one of the following is incorrect with respect to historical simulation?
(A) The model calculates potential losses using actual historical returns in the risk factors
and so captures the normal distribution of risk factor returns.
(B) Assumption of constant correlations is not needed.
(C) Assumption of constant deltas is not needed.
(D) It is one of the methods of calculation of VAR.
(3.4) For what primary reason could enterprise risk management (ERM) systems fail?
(A) ERM decisions are always ignored across a business when a top down approach is
used.
(B) Financial constraints could compromise the implementation of ERM systems.
(C) Management can never override ERM decisions.
(D) The use of ERM systems does not give the required assistance to risk managers.
(3.5) The CRO wants to purchase software in order to use the most sophisticated risk analysis tool.
In your opinion which of the following statements about Monte Carlo Simulation is FALSE?
(A) It can be useful for estimating the stand-alone risk of a project.
(B) It is capable of using probability distributions for variables as input data.
(C) It is the most accurate risk analysis tool because it is based on real data.
(D) It produces both an expected value and a measure of the variability of that value.
(5 x 2 Marks = 10 Marks)
Descriptive Questions
(3.6) You have been asked by the management of STEPOIL to define the responsibilities of the
CRO who would be the leader in implementing ERM. (3 Marks)
(3.7) (A) Risk management is considered an administrative burden by some senior executives
of STEPOIL, what in your opinion is creating the obstacle in implementing ERM and
how it will be assessed if you are hired for this purpose? (3 Marks)
(B) Knowing the view of the cyber security team in respect of ERM and BCP, what would
be your explanation to the Board in respect of relationship of ERM and BCP if you
are hired as a risk consultant? (3 Marks)
(3.8) One of the board members of STEPOIL has background in risk management. During the
board meeting she explained that the standard model at a 99% confidence level captures events
up to 2.33 standard deviations from the mean asset return level. Her question to the CRO
was about identifying a method which could be used to calculate the effect on the trading
portfolio of a 10 standard deviation move? You are required to identify and describe a
technique that can fulfil the objective of the board member. (3 Marks)
(3.9) Is there a standard way of stress testing? What information would it provide? How does
stress testing complement the VAR framework? (3 Marks)
Answer
3.1 (A)
3.2 (D)
3.3 (A) or (B)
3.4 (B)
3.5 (C)
3.6 The Chief Risk Officer (CRO)
(a) has the organisational stature, skill set, authority, and character needed to oversee
and monitor the firm’s risk management and related processes and to ensure that key
management and board constituents are apprised of the firm’s risk profile and
relevant risk issues on a timely and regular basis; the CRO should have a direct
reporting line to the CEO and a distinct role from other executive functions and
business line responsibilities as well as a direct reporting line to the board and/or risk
committee;
(b) meets periodically with the board and risk committee without executive directors or
management present;
(c) is appointed and dismissed with input or approval from the risk committee or the board
and such appointments and dismissals are disclosed publicly;
(d) is independent of business lines and has the appropriate stature in the firm as his/her
performance, compensation and budget is reviewed and approved by the risk
committee;
(e) is responsible for ensuring that the risk management function is adequately
resourced, taking into account the complexity and risks of the firm as well as its Risk
Assessment Framework (RAF) and strategic business plans;
(f) is actively involved in key decision-making processes from a risk perspective (e.g.,
the review of the business strategy/strategic planning, new product approvals, stress
testing, recovery and resolution planning, mergers and acquisitions, funding and
liquidity management planning) and can challenge management’s decisions and
recommendations;

(g) is involved in the setting of risk-related performance indicators for business units;
(h) meets, at a minimum quarterly, with the firm’s supervisor to discuss the scope and
coverage of the work of the risk management function.
3.7 (A) The obstacle in implementing ERM in the company is lack of support from top
management.
Lack of knowledge of managers in using the risk tools in ERM implementation.
Using improper or unsuitable risk modelling tools would cause an obstacle while
implementing ERM.
This can be done by assessing, managing and communicating business risks.
(B) There is an important relationship between ERM and BCP. The risk assessment that
is required as part of the risk management process and the business impact analysis
that is the basis of business continuity planning (BCP) are closely related. The normal
approach to risk management is to evaluate objectives and identify the individual risks
that could impact these objectives. The output from a business impact analysis is the
identification of the critical activities that must be maintained for the organization to
continue to function.
It can be seen that the ERM approach and the business impact analysis approach
are very similar, because both approaches are based on the identification of the key
dependencies and functions that must be in place for the continuity and success of
the business.
The next activity differs between ERM and BCP, because the former is concerned
with the management of the risks that could impact processes, whereas business
continuity is concerned with actions that should be taken to maintain the continuity of
individual activities.
The business continuity approach, therefore, has the very specific function of
identifying actions that should be taken after the risk has materialized in order to
minimize its impact.
BCP relates to the damage-limitation and cost-containment components of the loss
control. BCP as a part of operational risk should always be part of the ERM and should
be managed separately.
3.8 An approach used by risk managers is to simulate extreme market moves over a range of
different scenarios. One method is to use Monte Carlo simulation.
Monte Carlo simulation is more flexible than other methods of estimating VAR. As with
historical simulation, Monte Carlo simulation allows the risk manager to use actual
historical distributions for risk factor returns rather than having to assume normal returns.
A large number of randomly generated simulations are run forward in time using volatility
and correlation estimates chosen by the risk manager. Each simulation will be different,
but in total the simulations will aggregate to the chosen statistical parameters (i.e.,
historical distributions and volatility and correlation estimates). This method is more
realistic as compared to other methods and, therefore, is more likely to estimate VaR more
accurately. However, its implementation requires powerful computers and there is also a
trade-off in that the time to perform calculations is longer.
3.9 Yes, there is a standard stress testing process.

The Stress Test process can be applied to generate current assessments of income and
expenses, losses and capital ratios etc. of a portfolio.
Yes, it complements the VAR measure, whose calculations tend to underestimate extreme
losses.
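The relationship between answers 3.8 and 3.9, as an added example that is not part of the ICAI paper or its solution: a Monte Carlo run over a constructed two-factor portfolio gives the 99% VaR, and a separate deterministic shock gives the loss from a 10 standard deviation move that the VaR figure does not capture. The positions, volatilities, correlation and function names are assumptions made for illustration.

```python
import math
import random

# Constructed two-factor book (assumed figures, not taken from the STEPOIL case).
POSITIONS = {"crude_oil": 60_000_000.0, "usd_inr": 40_000_000.0}  # exposure, rupees
DAILY_VOL = {"crude_oil": 0.020, "usd_inr": 0.005}                # daily return std dev
CORRELATION = 0.30                                                 # between the two factors
Z_99 = 2.33                                                        # 99% multiplier quoted in Q 3.8


def factor_sigmas():
    """Rupee P&L caused by a one standard deviation move in each risk factor."""
    return {name: POSITIONS[name] * DAILY_VOL[name] for name in POSITIONS}


def parametric_var():
    """99% one-day VaR under the normal model: 2.33 x portfolio standard deviation."""
    s = factor_sigmas()
    a, b = s["crude_oil"], s["usd_inr"]
    portfolio_sigma = math.sqrt(a * a + b * b + 2 * CORRELATION * a * b)
    return Z_99 * portfolio_sigma


def simulate_pnl(n_paths, seed=42):
    """Draw correlated normal shocks for both factors and revalue the book per path."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    s = factor_sigmas()
    pnl = []
    for _ in range(n_paths):
        z1 = rng.gauss(0.0, 1.0)
        # Two-factor Cholesky step: z2 is correlated with z1 by CORRELATION.
        z2 = CORRELATION * z1 + math.sqrt(1 - CORRELATION ** 2) * rng.gauss(0.0, 1.0)
        pnl.append(s["crude_oil"] * z1 + s["usd_inr"] * z2)
    return pnl


def monte_carlo_var(pnl, confidence=0.99):
    """Loss exceeded on only (1 - confidence) of the simulated paths."""
    losses = sorted(-x for x in pnl)
    index = min(int(confidence * len(losses)), len(losses) - 1)
    return losses[index]


def expected_shortfall(pnl, confidence=0.99):
    """Average loss on the paths at or beyond the VaR cut-off."""
    losses = sorted(-x for x in pnl)
    index = min(int(confidence * len(losses)), len(losses) - 1)
    tail = losses[index:]
    return sum(tail) / len(tail)


def stress_loss(sigmas):
    """Loss if every factor moves `sigmas` standard deviations against the book at once.

    This is a scenario, not a statistical estimate: it ignores the correlation
    assumption on purpose, because diversification often fails in a crisis.
    """
    return sum(v * sigmas for v in factor_sigmas().values())


if __name__ == "__main__":
    pnl = simulate_pnl(50_000)
    print(f"Parametric 99% VaR : {parametric_var():,.0f}")
    print(f"Monte Carlo 99% VaR: {monte_carlo_var(pnl):,.0f}")
    print(f"Expected shortfall : {expected_shortfall(pnl):,.0f}")
    print(f"10-sigma stress    : {stress_loss(10):,.0f}")
```

With normal shocks the simulated VaR lands close to the 2.33-sigma figure, while the 10-sigma scenario loss is several times larger, which is the gap stress testing is meant to expose.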
CASE STUDY: 4
Famous Textiles Limited (FTL):
FTL is manufacturing and selling export varieties of textile home furnishings, such as bed, sofa
and pillow covers, curtains, towels etc. made of cotton, rayon, and silk. FTL is based in Karur,
Tamilnadu and the town is famous for manufacturing such products. Out of the total sales of
FTL, nearly 90% were export sales.

Key Financials (figures in crores):

Financial Year    2016-17    2017-18    2018-19
Sales             100        120        150
Gross Profit      10         8          6
EBIT              4          3          2
The management is worried about the poor performance of the company and auditor pointed
out that such a decline in profits may be due to faulty processes in the operations of FTL.
Appointment of risk management specialist:
Ms. Meena, who specializes in risk management, is appointed to go through the various
problems faced by the company, study the bottlenecks in the processes and suggest ways of
removing the same.
Analysis of Operations of FTL by Ms. Meena:
Ms. Meena studied the various operations of FTL, and she found out:
i. The production operations consisted of buying the cotton and other yarns, manufacturing
the fabrics, calendarizing, printing, stitching, and packing and shipping.
ii. The yarns were sent to textile mills, situated near the town, who converted them into fabrics
and sent back to FTL. Such fabrics were sent to service providers for calendaring, dyeing,
printing, and sometimes for stitching. The movement of such goods is recorded and
maintained in 'Monit', which is an in-house developed application.
iii. There were several process bottlenecks in the operations; wrong items / quantities were
sent for calendaring, wrong designs were printed, delay in maintaining the time schedule,
expected quality standards not met etc.
iv. The service providers who were given the work for printing, sometimes were found to be
using dyes and chemicals in printing the fabrics, which were not approved to be used by
the foreign buyers. The same resulted in rejection of the finished products. The service
providers said that such specifications were not provided to them by FTL.
v. She made cost analysis of various products and found out that cost of some products which
used exclusive designs exceeded the selling rates. There was lack of coordination of
various departments and design changes made by one department were not informed to
other departments involved in the production of the same products, which resulted in extra
expenses.
vi. FTL produced an excess of 5% of a product, to accommodate circumstances for possible
mistakes in the finished products. Ms. Meena noticed that in some cases, there was
excess production to the extent of 10% and the same could not be billed to the buyer.

vii. A cheque for ₹ 20,000/- was issued to Mr. Kumar, an employee of FTL, on 14th Sep 2019
and the entries were passed by the accounts department then and there. In January 2020,
the accountant found out that such cheque was passed for ₹ 2 lakhs by the bank. The
accountant approached the bank, who accepted the wrong passing of the cheque and
immediately credited the balance of ₹ 1.80 lakhs to FTL's bank account.
viii. Pen drives and other portable media devices were extensively used and most of the
computer systems were connected to Internet and the employees were often found to be
surfing various websites that are unconnected to the business of FTL. These resulted in
viruses affecting the computer systems.
Suggestions made by Ms. Meena:
i. The purpose of ISO 31000 is to provide principles and generic guidelines on risk
management that could achieve convergence from a variety of standards, methodologies
and procedures that differ between industries, subject matters, and countries. She
suggested to the management to prepare Risk Management Checklist (RMC) as
enunciated by ISO 31000.
ii. Ms. Meena suggested to the management to consider approaching the bank for a term
loan of ₹ 3 crores for overhauling the machinery and a working capital loan of ₹ 1 crore
which would enable the company to benefit from the cash discounts offered by the raw
material suppliers.
iii. The inherent risks in outsourcing would include, i) that the quality in the activities of the
service providers is not according to the quality expectations of the company, ii) the
service providers lack knowledge of the processes to be carried out by them, iii) service
providers failing to meet the deadlines in time schedule etc. She requested the
management to realise the importance of identifying risks and controls associated with the
above risks and advised the management that this could be done through Risk Control
Self-Assessment (RCSA) activity through an objective, quantitative review.
iv. As FTL is exporting its products to various countries, it is highly essential to assess Country
Risk (CR) of those countries. It is a broader concept and covers the adverse impact of host
country's economic, financial, and political environment. For assessing such risks, she
suggested to the management to study the concept of Quantitative Tools and the
connected indices that can be used for Country Risk Analysis (CRA).
v. She also suggested to appoint internal auditors to periodically review various operations
of the company.
vi. She suggested to the management to hold regular and periodic meetings of the
management with departmental and functional heads to discuss various problems faced
by them and to find out solutions for the same.
Therefore, to further study the implications, she was assigned by the management, an additional
task of assessing the post loss risk management.

On the basis of above, you are required to answer the following questions:
Multiple Choice Questions
Choose the most appropriate answer from the given options.
(4.1) Which of the following is not an index that would be used in the CRA that Ms. Meena was
suggesting to the management to be studied by them?
(A) Human Development Index
(B) Democracy Index
(C) Gini Coefficient Index
(D) Event Driven Index
(4.2) The most important objective in the additional task assigned to Ms. Meena would be?
(A) To reduce the legal requirements.
(B) To ensure the survival of the company.
(C) To lessen the concerns of the management.
(D) To review the available risk management procedures.
(4.3) Which of the following control would have best addressed the wrong passing of the cheque
issued to Mr. Kumar?
(A) Taking photostat copies of all the cheques issued by the company.
(B) Obtaining printouts of statement of accounts from the bank.
(C) Reconciling the bank accounts at least once in a fortnight.
(D) Verifying the voucher obtained from Mr. Kumar with accounts.
(4.4) The best form of control to address the risk of virus attack in the company would be?
(A) Employing an updated packet filter firewall with strict employee access-control
privileges in all the computers.
(B) Scanning all the files with updated anti-virus software before downloading or copying
in all the computers.
(C) Encrypting the data in the portable media devices.
(D) Disabling portable media ports in all the computers.
(4.5) When preparing the RMC as per the suggestion of Ms. Meena, the checklist under Risk
Strategy would most likely include
(A) Business continuity plans and disaster recovery plans established and regularly
tested.


(B) Risk management responsibilities allocated to an appropriate management
committee.
(C) Arrangements in place to audit the efficiency and effectiveness of the controls in
place for significant risks.
(D) Key dependencies for success identified, together with the matters that should be
avoided. (5 x 2 Marks = 10 Marks)
Descriptive Questions
(4.6) The management wants to see a sample RCSA entry in respect of 'outsourcing
management process' of FTL in the RCSA register proposed to be maintained. You are
requested by the management to write a comprehensive RCSA entry, relating to the 'risk
of service providers failing to meet the deadlines in time schedule'. (6 Marks)
(4.7) The following figures of FTL are available as on 31st March 2019.
Item                      Rs. in Crores
Retained earnings         1
Total Assets              21
Total Liabilities         6
Working Capital           1
Market Value of equity    2
Calculate Altman-Z score as on 31st March 2019. (5 Marks)
(4.8) Risk management and governance are intricately linked, and the management of FTL
would like to know the importance of risk management. Discuss the same. (4 Marks)
Answer
Multiple Choice Questions
4.1 (D)
4.2 (B)
4.3 (C)
4.4 (B)
4.5 (D)
4.6 Sample entry in the RCSA register covering the Outsourcing Management Process:
1. Process: Outsourcing Management Process
2. Sub-process: Adhering to time schedule
3. Inherent risk description: Risk of service providers failing to meet the deadlines in time schedule
4. Probability rating of the risk: 2 out of 10*
5. Impact rating: 1 on a scale of five*
6. Risk type: Operational risk
7. Control description: Manager (Operations) reviews on a periodical basis whether the service providers adhere to the timeliness agreed with FTL
8. Control type: Detective
9. Control owner: Manager (Operations)
10. Control test steps:
i) Maintaining and updating the Works Allotted Register.
ii) Monitor the movement of goods sent by vehicles and their arrival in the premises on time.
11. Test results: Test results showed minor deviations
12. Residual risk rating: 2 out of 10*
13. Financial assertion impact: Extremely low
14. Name of the system used: Monit
15. Sample description of test done: For the sample reviews performed by the Manager, tested and verified whether timely delivery of service has been made by Service Providers A and B
4.7 The Workings
X1 = (Working capital / Total Assets)
X2 = (Retained Earnings / Total Assets)
X3 = (Earnings Before interest and Taxes / Total Assets)
X4 = (Market Value of Equity / Book Value of Total Liabilities)
X5 = (Sales / Total Assets)
X1 = 10000000 / 210000000 = 0.0476
X2 = 10000000 / 210000000 = 0.0476
X3 = 20000000 / 210000000 = 0.0952
X4 = 20000000 / 60000000 = 0.3333
X5 = 1500000000 / 210000000 = 7.1429

The Formula
Z = 1.2 x X1 + 1.4 x X2 + 3.3 x X3 + 0.60 x X4 + 1.0 x X5
Z = 1.2 x 0.0476 + 1.4 x 0.0476 + 3.3 x 0.0952 + 0.60 x 0.3333 + 1.0 x 7.1429
Z = 0.0571 + 0.0667 + 0.3142 + 0.20 + 7.1429
Z score = 7.7809 (or 7.781)
4.8 Importance of Risk Management:
• Risk Management is one of the important pillars of Governance and arguably the only
tool to deal with business uncertainty. Risk Management is used most successfully
by Fortune 500 and other large companies to sustain and grow their businesses. Risk
management is recognised as an integral component of good management and
governance. It is an iterative process consisting of steps, which, when undertaken in
sequence, enable continual improvement in decision making.
• Risk management is the term applied to a logical and systematic method of
establishing the context, identifying, analysing, evaluating, treating, monitoring and
communicating risks associated with any activity, function or process in a way that
will enable organisations to minimise losses and maximize opportunities.
• Risk management is as much about identifying opportunities as avoiding or mitigating
losses.
• Risk consequences can be fatal to any business. The expenditure of fixing damage
and/or the loss of valued assets or even customers to competition after a catastrophe
can have a significant impact on the bottom line of a business. By identifying and
managing risks entities are able to actively protect value from any potential
catastrophes and save valuable time and money. A risk management plan and system
is there to do more than identify risk; a good system should also quantify the risk,
predict the impact, and put procedures in place to mitigate the risk, or even eliminate
it to the extent possible.
CASE STUDY: 5
Started in 2018, ALCON is a non-banking finance company (NBFC) and is headquartered at
Pune. The company has reported business of INR 500 Crores in FY 2019-20. Currently, ALCON
has few products and operates mainly in rural and semi-urban areas. The economic and operational
realities changed by COVID-19 have opened new opportunities for the company.
The strategy and finance team has come out with a next five-year plan to capitalize on the prevailing
situation. The five-year business target is INR 1000 Crores and the company also wants to move
into urban areas. However, the expansion strategies also involve operational risk in moving into
different territory. In order to address this, the company has hired a full-time Chief Risk Officer
(CRO). The CRO has informed the Board that considering the expansion strategies of the
company, the application of advanced analytics, including machine learning (ML) and artificial
intelligence (AI), should be a core part of the management of operational and non-financial
risk. While the Board agrees with the suggestion of the CRO they are skeptical about the
expected return on such investment.
The Board believes that, with few exceptions, the financial industry is still playing 'catch up' in AI
terms. For many firms, the experimental AI phase is ongoing, with practical use cases still
emerging. They are wondering about the timing of using such technologies and would
like more analysis to conclude whether it is the right time to use such tools in the operations.
The CRO made a number of presentations in this respect to the Board and explained that AI, at
its heart, is a set of statistical processes and, like any other statistical process, it needs to be
understood and managed in the right way. Applied to certain processes, AI techniques can help
to standardize manual, time-consuming tasks and make them more efficient. This way the company
would be able to reduce turnaround time (TAT) and also expects to save significant operational
costs. The CRO further clarified that AI's inherently statistical nature is often hidden behind
buzzwords and hype. The CRO believes that ML techniques will play a key role in operational
risk measurement.
Because a complete list of potential operational risks would be enormous and constantly
growing longer as new products and product platforms would be adopted, a necessary first step
in operational risk management is to sort operational risks into several broad categories. In
addition to organizing an unwieldy area of risk management, categorizing operational risks will
also help with subsequent risk measurement and resource allocation decisions. Considering
changes in the business environment of ALCON there would be impact on all risk categories.
However, the Board has directed the CRO to strengthen operational risk framework of the
company first considering its expansion strategy.
The focus on cyber security was not adequate in the past and it has been decided to improve
cyber risk controls especially considering the rising volume of digital business. While the existing
team is familiar with the basics of firewalls, malware and phishing, they are struggling to connect
the technical aspects of cyber security with the people and process risks that operational risk is
designed to monitor and control. Currently, however, there is no coordination between the cyber
security team and the operational risk management team. Cyber security is currently managed
as the third line of defence and it is restricted to the cyber security team only. In the recent past there
were multiple instances of malware attacks and the CRO is reviewing the governance and
practices to ensure that such attacks are minimized.
ALCON has currently outsourced a number of operations as a part of a cost control and capacity
management exercise. At the current size it was found effective but going forward the
management believes that the current level of controls may not be adequate as increased
operational complexities are bound to increase operational and overall risks.
On the basis of above, you are required to answer the following questions:

Multiple Choice Questions


Choose the correct answer from the given options.
(5.1) Which one of the following is incorrect with respect to an effective operational risk
framework?
(A) Scenario analysis is only looking for rare, catastrophic risks but it does not push the
participants to think outside their comfort zone
(B) Loss data tells us what has already happened and also to consider how to control
and mitigate those risks in the future.
(C) Risk Control Self-Assessment (RCSA) allows us to identify all risks, not just those
that have already materialized.
(D) A Key Risk Indicator (KRIs) predicts that a risk is changing and would allow for
proactive intervention
(5.2) In which one of the following lines of defence can the operational risk management department
be included?
(A) First
(B) Second
(C) Third
(D) Fourth
(5.3) The CRO informed the Board about malware attacks. One of the board members wanted
to know more about the malware. In your opinion which one of the following can be covered
as part of malware?
(A) A virus
(B) A ransomware
(C) A hacker tool
(D) All of the above
(5.4) The CRO has decided to strengthen governance framework of the risk management. Which
of the following is correct with respect to governance framework of operational risk?
(A) Governance
(B) Culture and awareness
(C) Policy and procedures
(D) All of the above

(5.5) The operational Risk can be divided between people, process, system and external events.
Which of the following is not part of operational risk for ALCON?
(A) Technology risk, Legal and Regulatory Risk
(B) Model Risks
(C) Transaction Risk
(D) Interest Rate Risk (5 x 2 Marks = 10 Marks)
Descriptive Questions
(5.6) (A) What is the difference between AI and ML? (1 Mark)
(B) What are the challenges a typical company like ALCON would face while
implementing AI? (2 Marks)
(C) Considering the nature of business of ALCON, what are the four areas where,
in your opinion, AI and ML can be applied? (2 Marks)
(5.7) (A) The CRO has informed the board that KRIs first need to be identified before
implementing RCSA. Do you agree with the suggestion of the CRO? Explain your
answer with reasons. (2 Marks)
(B) Who conducts the RCSA and how is it different from the control assessment? Which
are the two methods you think can be used to implement RCSA? (2 Marks)
(5.8) What processes should ALCON follow before launching new products to address
operational risks? (2 Marks)
(5.9) (A) Cyber security should be treated as another operational risk to be embedded in the
organization's enterprise risk management framework. In your opinion, at what level
of defence (LOD) the cyber security should be considered? (1 Mark)
(B) What would be your three recommendations in order to strengthen operational risk of
ALCON? (3 Marks)
Answer
Multiple Choice Questions
5.1 (A)
5.2 (B)
5.3 (D)
5.4 (D)
5.5 (D)
5.6 (A) Machine Learning: A standard software code is characterized by explicit rules that a
computer is supposed to perform. In case there is a change in the data / situation, a
programmer needs to change these explicit rules. In contrast, a machine learning
program dynamically responds to change in data / situation by changing the rules that
govern the behaviour.
Machine learning, meanwhile, uses an inductive approach to form a representation
of the world based on the data it sees. It is able to tweak and improve its
representation as new data arrive. In that sense, the algorithm “learns” from new data
inputs and gets better over time.
Artificial Intelligence is the science that makes intelligent machines, especially
computer programs. It is a way of making a computer think in a manner similar to how
intelligent humans think.
It works by studying how the human brain thinks and how humans learn, decide and work
while trying to solve a problem, and then the outcomes of this study are used in
developing intelligent software and systems. It has been dominant in many fields such
as Gaming, Natural Language Processing, Expert Systems, Vision Systems etc.
(B) Some of the challenges which a typical company like ALCON is likely to face while
implementing AI are as follows:
(i) Finance industry is still to ‘catchup’ in AI terms.
(ii) For many firms experiment stage of AI is going on.
(iii) Changes in the business environment.
(iv) No coordination between cyber security team and operational risk management
team.
(v) Outsourcing number of operations as a part of Cost Control.
(vi) Board’s skeptical view about the expected return on investment in AI.
(vii) Might involve huge IT expenditure.
(viii) Huge data to be made available.
(C) Following are some areas where AI and ML can be applied by ALCON:
(i) Development of new products.
(ii) Managing the cyber risks.
(iii) Replying to the queries of the customers.
(iv) Analyzing the behaviour of the customers.
(v) Checking of KYC of customers before arriving at any loan.
(vi) Avoiding any regulatory violation.
5.7 (A) No. The suggestion made by the CRO is not correct. It is helpful to complete the
RCSA program before seeking KRIs so that the search can be narrowed down to only
those metrics that are relevant to the risks that have been identified in the RCSA.
(B) RCSA is conducted by the department or business unit. The scoring of risks and
controls reflects not the view of a third party, but the view of the department or
business.
Two methods for implementing RCSA:
(i) Questionnaire method: The questionnaire based approach uses a template to
present standard risk and control questions to participants. The content of the
questionnaire is designed by the operational risk team, usually after intensive
discussions across the firm. Each risk category or business process is analysed
and a list of related risks is prepared.
(ii) Workshop method: For each risk, expected controls are identified. In the workshop
method, the RCSA is discussed in a group setting, with facilitation from the
operational risk department. Each risk is discussed, and related controls are
scored for effectiveness. Once the controls have been scored, the residual risk
is scored, often on a high-medium-low scale, along with related probabilities.
5.8 The processes ALCON should follow before launching a new product to address operational
risk are as follows:
• identifying business functions, assets, vulnerabilities and threats;
• assessing the risks of launching new product;
• developing a risk management plan;
• implementing risk management actions, and
• re-evaluating the risks.
5.9 (A) Cyber Security should be considered in Second Line of Defence (LOD).
(B) Following are some of the recommendations in order to strengthen the Operational
Risk of ALCON:
(i) Establishing coordination between Cyber Security team and Operational Risk
Management team.
(ii) Have better control over outsourcing operations.
(iii) Carrying out Business Impact Analysis (BIA).

November 2020 Question Paper Query Sheet
By CA Shivam Palan || CA Monk
Case Study 1
Multiple Choice Questions:

1.1 Refer to page no 3.7 of ICAI SM


Based on General Understanding of Risk Register. (Risk Register (or Risk Log) is a document that
contains all the results of risk analysis and where risk response plans are recorded. So it is only a
record of risk treatment, and risk treatment is based on other RM processes. Hence Risk Register is
least likely to be considered.)

1.2 Refer to page 8.4 of ICAI SM.

1.3 Refer to page no 4.8 of ICAI SM (Definition of Risk Culture as per Basel’s principles for the Sound
Management of Operational Risks).

1.4 Answer related to the case study- if carefully read; a bit conceptual; (Mr. Sumit is studying the
intrinsic complexity of the retail store businesses so he would least likely be concerned with
compliance with rules and regulations.)

1.5 Answer related to the case study- if carefully read; a bit conceptual understanding of controls.

Descriptive Questions

1.6- Indirect answer from page 9.15 of the ICAI SM. A bit conceptual though, since you need to relate
the data mentioned in the case study with the concepts that you have understood regarding
Understanding of Controls.

1.7- Manageable practical question from the IPCC chapter concepts. (Sensitivity Analysis).

1.8- Related to the case study. Conceptual understanding of risk action and risk response is required to
frame the answer but still manageable. (Refer page no 2.21 of ICAI SM)

Case Study 2
Multiple Choice Questions:

2.1- Default Payment = Nominal Value of Bond × (100 − price of bond after credit event)%

So in the current case, the price after the default is 58.

Hence Default payment = 10 Million × (100 − 58)%

= 4.2 Million

2.2- Refer to page no 6.21 of ICAI SM.

2.3- Related to the conceptual understanding of Pure Risks and Speculative Risk. (Refer page no 1.16-
1.17 of ICAI SM)

2.4: Strategic risks are those that arise from the fundamental decisions that directors take concerning an
organisation’s objectives. Essentially, strategic risks are the risks of failing to achieve these business
objectives.

Strategic risk is the risk that failed business decisions may pose to a company. Strategic risk is often a
major factor in determining a company's worth, particularly observable if the company experiences a
sharp decline in a short period of time. Due to this and its influence on compliance risk, it is a leading
factor in modern risk management.

A useful subdivision of strategic risks is: Business Risks – Risks that derive from the decisions that
the board takes about the products or services that the organisation supplies. They include risks
associated with developing and marketing those products or services, economic risks affecting product
sales and costs, and risks arising from changes in the technological environment which impact on sales
and production.

Non-business Risks – Risks that do not derive from the products or services supplied. For example,
risks associated with the long-term sources of finance used. Strategic risk levels link in with how the
whole organisation is positioned in relation to its environment and are not affected solely by what the
directors decide. Competitor actions will affect risk levels in product markets, and technological
developments may mean that production processes, or products, quickly become out-of-date.

2.5- Based on general understanding.

Descriptive Questions:

2.6- Linked to the case study and understanding the strategic risks and identification of key drivers for
assessing the risk.

2.7- Definition of Reputational risk from page no 1.20 of ICAI SM. For steps to assess reputational risk,
draft the answer based on steps in the risk management cycle given on page no. 3.5 of ICAI SM

2.8- Direct answer from page 3.10 of ICAI SM for the first part. For steps in developing RMF refer to
page no. 7.6 of ICAI SM.

2.9. Direct answer from page 5.16 of ICAI SM

2.10. Explanation given in the suggested answer itself.

Case Study 3
Multiple Choice Questions:

3.1- Conceptual understanding of VAR required.

VAR is used to measure Market risk, liquidity risk, operational risk, etc.

3.2- Refer page no. 8.3 of ICAI SM. (ERM provides reasonable assurance regarding the achievement
of an entity's objectives.)

3.3- Conceptual understanding of ‘Historical Simulation’. (Refer to page no 121 of Full Batch notes
for further explanation)

3.4- Concept based. (To learn and understand the concept, read pages 92 to 96 of Full
Batch notes.)

3.5- Conceptual understanding of ‘Monte Carlo Simulation’. (Refer page no 122 of Full Batch notes for
further explanation.)

Descriptive Questions:

3.6- Direct answer from page no. 7.4 of ICAI SM.

3.7- (A) Based on the understanding from the case study; may seek help from page no 8.4 - Keys to
ERM Implementation- Lack of these keys will be an obstacle in implementing ERM

(B) Refer to Full batch notes page no. 110.

3.8- Concept-based, related to the VAR and methods of measuring it. Page no 5.5 of ICAI SM.

However, one may wonder why no other method is referred to in the answer.

This is because Monte Carlo simulation consists of repeatedly simulating the random processes that govern
market prices and rates. Each simulation (scenario) generates a possible value for the portfolio at the
target horizon (e.g., ten days). If we generate enough of these scenarios, the portfolio’s simulated
distribution will converge toward the true, although unknown, distribution. The VaR can be easily
inferred from the distribution. (Refer page no. 122 of Full Batch Notes for further details).
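
The procedure described above, as an added example (not taken from the ICAI material or the Full Batch notes). It assumes a single portfolio whose daily log-returns are independent and normally distributed, with constructed figures (value 1,000,000, daily volatility 1%, ten-day horizon, 99% confidence); all function names are hypothetical. Under that assumption an exact VaR is known, so the simulated figure can be seen converging toward it as scenarios are added.

```python
import math
import random
from statistics import NormalDist


def simulate_horizon_values(v0, daily_vol, horizon_days, n_scenarios,
                            daily_drift=0.0, seed=2021):
    """Simulate n_scenarios possible portfolio values at the target horizon.

    Assumption (not from the page): daily log-returns are i.i.d. normal.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    step_mean = daily_drift - 0.5 * daily_vol ** 2
    values = []
    for _ in range(n_scenarios):
        log_return = 0.0
        for _ in range(horizon_days):  # one random shock per trading day
            log_return += step_mean + daily_vol * rng.gauss(0.0, 1.0)
        values.append(v0 * math.exp(log_return))
    return values


def var_from_scenarios(values, v0, confidence):
    """Infer VaR from the simulated distribution: the loss that is not
    exceeded in a fraction `confidence` of the scenarios."""
    losses = sorted(v0 - v for v in values)
    index = min(len(losses) - 1, math.ceil(confidence * len(losses)) - 1)
    return losses[index]


def analytic_var(v0, daily_vol, horizon_days, confidence, daily_drift=0.0):
    """Exact VaR under the same lognormal assumption, used as the 'true'
    distribution that the simulation should converge toward."""
    z = NormalDist().inv_cdf(1.0 - confidence)
    mean = (daily_drift - 0.5 * daily_vol ** 2) * horizon_days
    sd = daily_vol * math.sqrt(horizon_days)
    return v0 * (1.0 - math.exp(mean + sd * z))


def convergence(v0, daily_vol, horizon_days, confidence, scenario_counts):
    """Return (scenarios, simulated VaR, relative error) for each count."""
    exact = analytic_var(v0, daily_vol, horizon_days, confidence)
    rows = []
    for n in scenario_counts:
        values = simulate_horizon_values(v0, daily_vol, horizon_days, n)
        estimate = var_from_scenarios(values, v0, confidence)
        rows.append((n, estimate, abs(estimate - exact) / exact))
    return rows


if __name__ == "__main__":
    # Constructed sample figures, for illustration only.
    V0, VOL, DAYS, CONF = 1_000_000, 0.01, 10, 0.99
    print(f"exact 10-day 99% VaR: {analytic_var(V0, VOL, DAYS, CONF):,.0f}")
    for n, est, err in convergence(V0, VOL, DAYS, CONF,
                                   (1_000, 10_000, 100_000)):
        print(f"{n:>7} scenarios: VaR {est:>10,.0f}  relative error {err:.2%}")
```
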

3.9 Direct answer from page no 5.10 for the standard way of Stress Testing. The other two parts are
based on a conceptual understanding of the Stress test process.

Case Study 4
Multiple Choice Questions:

4.1- Refer page no. 5.17 -5.18 of ICAI SM. (Others are indices that can be used for Country Risk
Analysis.)

4.2- Going Concern is the primary and the most important parameter that one should think of first.

4.3- Based on the conceptual understanding of the controls, as given in chapter 9

4.4- Based on the conceptual understanding of the controls, as given in chapter 9

4.5- Refer to page 3.8 of ICAI SM.

Descriptive Questions:

4.6- Format for RCSA given on Page no 9.17. For drafting it, conceptual understanding is required.

ICAI answer has added three new columns, i.e. Financial assertion impact, Name of the system used &
Sample Description of test done. However, it is done based on the details available in the case study; if
you feel in the exam that extra points are available, you can also add the other column provided it is
adding value to the report.

4.7- Practical question on Altman- Z score; Page no. 6.26 ICAI SM.

Need to read the case study for a few details like Sales during 2018-19.

(If you want to practice the advanced level question solve case study 2 of Test 1 given in Complete
Guidance Book)

4.8- Direct answer from page no 3.9 of ICAI SM.

Case Study 5
Multiple Choice Questions:

5.1- Based on the general understanding of concepts of Chapter 5 & 9 of ICAI SM.

Option A is false since scenario analysis shows multiple pictures.

5.2- Refer to page no.9.7 of ICAI SM.

5.3- Based on General understanding of Cyber Risks.

5.4- Based on a General Understanding of what is covered in the governance framework.

5.5- Based on the case study.

Descriptive Questions:

5.6- (A) Direct answer from page 9.33 (about Machine Learning) and 9.35 (about Artificial Intelligence)
of ICAI SM. (It is a long answer and has too much content in the book. Try to cover as many points
from the book as you can while writing the answer, depending on the time available, to score well in such
answers.) Also, try to relate the answer to the case study. {Also, refer to page no 176 of Full Batch notes for
a better understanding of the topic}

(B) Conceptual and General understanding of the implementation of AI. Refer to page no 177 of Full
Batch notes

(C) General understanding of areas where AI can be applied by the industry. {Refer page no 177 of Full
Batch Notes}

5.7- (A) General understanding of RCSA and KRI. (Refer page no 9.21 of ICAI SM. Hint: RCSA can
be built using the KRI.)

Note that a KRI tells us how risky the activity is, which will be well known after assessment of the risk,
i.e. done through RCSA.

(B) Conceptual understanding of ‘RCSA and methods of implementation’. (Not given in the book)

5.8- ICAI has drafted the answer based on steps in the risk management cycle given on page no. 3.5 of
ICAI SM.

5.9. (A) Based on the understanding of ‘Line of Defence’.

(B) Based on General understanding.

DISCLAIMER
This Suggested Answer hosted on the website does not constitute the basis for
evaluation of the student’s answers in the examination. The answers are
prepared by the Faculty of the Board of Studies with a view to assist the
students in their education. While due care is taken in preparation of the
answers, if any error or omission is noticed, the same may be brought to the
attention of the Director of Board of Studies. The Council of the Institute is not
in any way responsible for the correctness or otherwise of the answers
published herein.

Further, in the Elective Papers which are Case Study based, the solutions
have been worked out on the basis of certain assumptions/views derived from
the facts given in the question or language used in the question. It may be
possible to work out the solution to the case studies in a different manner
based on the assumptions made or views taken.

FINAL (NEW) EXAMINATION: JANUARY 2021

PAPER-6A – RISK MANAGEMENT

The Question Paper comprises five case study questions. The candidates are required to
answer any four case study questions out of five.

Answers to Multiple Choice Questions are to be marked on the OMR answer sheet only.

Answers to other questions are to be written in the descriptive type answer book.

Answers to MCQs, if written in the descriptive type answer book, will not be evaluated.

Candidates may use a calculator.

CASE STUDY: 1
About the Company:
• BCSPL, situated in TIDEL Park, Chennai, is providing computer system related services
to major offshore Information Technology (IT) companies. It was established in the year
2015 and has a good reputation in its provision of services. BCSPL has 300 staff
consisting of software professionals and accounting and administrative staff. At present
Virtual Office Management System (VOMS) is enabled in the laptop computers of about
30% of its staff. BCSPL is thinking of adopting VOMS for the working of its entire staff
members.
VOMS:
• VOMS is a service that provides a range of functions relating to a company and
enables its staff to work remotely by accessing such functionalities through the Internet.
The main aim of VOMS is to enable the staff members to seamlessly connect to the
computing services of BCSPL irrespective of the time and geographical distance. BCSPL
proposes to approach a cloud services provider to hold the data on cloud and run cloud-
based software services.
New Proposal:
• To accomplish the expansion of VOMS to 100% of its staff, BCSPL proposes to buy good quality
laptops and provide them to the remaining members of the staff.
Security concerns of BCSPL:
• With the increase in cyber-attacks and the important and confidential nature of the data
being handled, BCSPL is very much concerned about the possible compromise of the
data. Cyber-attack may happen in the form of malicious software attacks, hacking, phishing,
ransomware attacks etc. The staff may not be thoroughly aware of the security aspects of
the system. Mr. Peter, BCSPL's IT manager, suggested implementing robust security
measures including installation of strong firewall mechanism, installation of Virtual
Private Network (VPN) etc., to counter the increasing security risks.
Integrating Risk in the Strategic Planning Process:
• As the proposed adoption of VOMS is a strategic move by BCSPL, the strategic risks
associated with the same have to be closely monitored as they would have an impact on
BCSPL's ability to deliver its goals which are generally articulated in the strategic plan or
intent document of BCSPL. Given the velocity with which threats and risk events strike,
BCSPL would find it useful to integrate significant risk factors in the strategic planning
processes.
• The management knows that the strategy of BCSPL should make it clear as to how it
intends to mitigate or manage risks and maximize opportunities and BCSPL should
develop objectives and strategies accordingly by allocating the resources in a planned
manner.
Risk Management:
• As the new proposal might bring in many unknown risk factors, BCSPL wants to (i)
embed risk management and internal controls into its various operations and (ii) make
sure that an enterprise-wide approach to risk management is developed and communicated
across BCSPL. BCSPL requested Mr. Kishore, the Risk Manager, to suggest some
techniques to achieve the above.
• BCSPL is aware that the primary responsibilities for risk management and the associated
controls are with the management and the management is required to adopt suitable
policies, procedures and strategies as the philosophy of embracing the risk management
increases day-by-day. BCSPL is required to show that effective risk evaluation has
revealed the risks that BCSPL is exposed to and that appropriate controls are in place
that would prevent materialisation of possible risks.
Term Loan from Bank:
• To meet the needs of purchase of laptops, BCSPL decided to approach its bankers for a
term loan for ₹ 2 crores.
You are required to answer the following questions:
Multiple Choice Questions
Choose the most appropriate answer from the given options:
(1.1) Which of the following statements is not true about the new proposal of BCSPL bringing
in risks?
(A) Rapid changes in information systems can change the risks relating to internal
controls.
(B) Significant expansion of operations can strain controls and increase the risk of a
breakdown in controls.
(C) New personnel may have the same focus on understanding of internal controls.
(D) Incorporating new technologies into information systems may change the risk
associated with internal controls.
(1.2) Which of the following is an internal risk threat metric about the cyber-risk that BCSPL
may face in its proposal to implement VOMS in all the computer systems?
(A) The number of IT system requests emanating from unidentified IP addresses.
(B) The number of IT controls that have been self-certified as working correctly.
(C) The number of IT security incidents reported by similar organisations in the past one
year.
(D) The number of social engineering attempts reported within BCSPL.
(1.3) Mr. Peter's suggestion is an example of:
(A) risk control
(B) risk avoidance
(C) risk transfer
(D) risk retention
(1.4) The proposal of BCSPL would have an impact on the stakeholders and while taking such
decision, the management least likely would consider:
(A) Information about the internal and external environment.
(B) Recognition of risk and opportunity.
(C) Deploying scarce resources and recalibrates activities to changing circumstances.
(D) Risk of legal liability for damages accruing to customers.
(1.5) Before approving the term loan, if the banker performs an inadequate check on KYC of
BCSPL and assuming that a violation is committed by BCSPL, it would be known as:
(A) Regulatory Risk
(B) Credit Risk
(C) Sanction Risk
(D) Control Risk (5 x 2 Marks = 10 Marks)

Descriptive Questions
(1.6) Suggest some best practices to address the data privacy and cyber-security risks in the
VOMS proposed to be implemented by BCSPL. (6 Marks)
(1.7) Explain the risk management techniques that Mr. Kishore would suggest to BCSPL.
(5 Marks)
(1.8) Discuss the integrating of risks in the strategic planning process of BCSPL. (4 Marks)
Answer
Multiple Choice Questions
1.1 (C)
1.2 (A) or (B)
1.3 (A) or (D)
1.4 (A) or (D)
1.5 (A)
Descriptive Questions
1.6 Following are some best practices to address the data privacy and cyber-security risk:
• Identification of risk areas. Whether it is own or outsourced network, internet,
individual computers, mobile devices etc. Prioritization of resources and effort can
be managed accordingly.
• Adequately restricting access to systems is the common way to prevent cyber risk;
this is done by password protection at various levels, from common user to
administrator level.
• Encryption solutions on individual computers are also applied in such a manner that, if
a computer is lost, the unauthorised entity cannot download the data into an external storage device.
• There are several technology solutions that create an adequate firewall of the
organisation’s systems to protect them from hacking from outside.
• A regular vulnerability testing of the firewall and periodic review to upgrade it is one
of the main tasks of the information security manager. Detection of a test-attack is
a very important part of the preventive mechanism; an attacker may attempt to cause
a minor violation to test the organisation’s network security before causing a major
incident.
• A response strategy to a cyber-attack incident is also important as part of risk
management. The measures to prevent or mitigate customer disputes, legal
indemnities, assess and minimize the financial impact of a cyber-attack, and
governance over decision making and investments to restore the system
functionalities to its secure state, are all important considerations. The root cause of
these incidents and the impact have to be adequately documented.
Alternative Answer
Best practices to address the data privacy and cyber-security risks:
• Disabling removable devices in the laptops: The connecting ports and removable
media such as pen drives are to be disabled in the laptops. The users are not
allowed to install any software and access restrictions are to be in place for visiting
Internet sites.
• Use of security measures: The data must be encrypted during transmission.
Strong firewall and anti-virus software are to be installed with periodic updating of
patches and updates.
• Securing home networks: The staff must be instructed to ensure that their home
networks, in which they would be using the company provided laptops, are secured.
• Periodical updating of security policies: Data security policy, network policy,
Internet usage policy, user security policy etc., must be periodically reviewed and
updated, and such updated policies must be communicated to the staff in a timely manner.
• Personal Device Protocol: The staff are going to use company's devices that are
connected to company's network through secured Virtual Private Network (VPN).
With the increase in number of devices connected, there must be a strong
authentication mechanism. Personal devices of the staff must never be allowed to
access the VPN. Use of personal emails in the corporate network should be
discouraged.
• Usage of video conferencing facilities: Before selecting and implementing the
services for video conferencing to be utilised, adequate study must be performed.
There is a risk of data piracy with the use of weaker software.
1.7 Techniques that would be suggested by Mr. Kishore:
The Risk Enabled and Managed organisations use the following techniques.

| Technique | Description |
|---|---|
| Risk Questionnaires | Designed to identify the relevant risks and create risk history |
| Flow Charts with Risk Flags | Designed to identify operational risks embedded in the processes |
| Identify Controls to manage risks | Recognize controls and test their adequacy and operative effectiveness |
| Risk Event Maps | Identify potential events that can have a significant impact on business to avoid negative surprises |
| Risk Scorecards | A monitoring tool to track progress of risk management |
| Capital Budgeting | A financial analysis tool to evaluate the future cash flow benefits arising from risk management actions against the costs of risk consequences |
| Value at Risk | A financial analysis tool to evaluate the impact of the worst case scenario of a risk event |
| Risk Heat Maps | A monitoring tool to track progress of risk management using qualitative assessment of probability and impact of risk |
Alternative Solution
Insurance is generally used by organisations to mitigate operational risks that can be
insured. Insurance coverage is commonly available for risks arising out of fire, for
instance. Depending on the cover available and opted for, other losses due to terrorist
attacks, natural disasters etc. can also be covered.
Recently a new concept of Cyber risk insurance has also come up, and there are
companies offering cover against the risk of damages due to lawsuits / compensation on
account of being a victim of cyber-attack, due to which data of customers, vendors or any
other counter-party can be leaked to an unauthorised, malevolent entity.
1.8 Integrating Risk in the Strategic Planning Process:
• BCSPL in its proposal to adopt 100% VOMS, may have to identify cyber-attack
threats at the stage of business plan preparation and respond by investing in a
suitable internal control such as a best in class Firewall device.
• Strategic risks might arise to affect BCSPL's strategic plan of installing and running
VOMS to 100%, from internal operations or external factors. Internal factors such
as resistance to change by the staff members and the external factors such as
pandemic affecting the pockets of geographical regions, against which BCSPL has
no control.
• New legislation that regulates the data protection in the countries/regions which
would significantly impact the operations of BCSPL.
• BCSPL's proposal to expand VOMS to 100%, involves a strategic objective to be
achieved and the same may require a specific set of skills required for installing and
running VOMS and the same may not be readily available with BCSPL.
• BCSPL's proposal to approach a cloud services provider for holding its data and
running cloud-based software services may make BCSPL more vulnerable to
information security breaches.

CASE STUDY: 2
About BHSS:
• BHSS has been running classes for higher secondary education in Madurai, Tamil Nadu since
1995. It is following rules and regulations, syllabus and examination of Tamil Nadu Board
of Higher Secondary Education (TNBHSE) under Department of Education, Government
of Tamil Nadu. The school is famous for its teaching and coaching and has produced
many state level rankers. The toppers got admission into prestigious engineering and
medical colleges on merit. For the academic year, the school had a total strength of 1200
students.
BHSS School Core Committee (BSCC):
BSCC, consisting of twelve committee members, is running the school. It met in April 2020
and discussed the various aspects of the pandemic situation affecting the functioning of the
school and its teaching and coaching activities. Mr. Pandian is the Chairman of BSCC. The
following issues were discussed at the meeting:
• New Mode of Teaching: Because of the present pandemic situation, the students may not
be able to attend the school. Therefore, it has been decided to teach the students online
through the Internet.
• A committee, viz., Online Teaching Committee (OTC) is to be formed consisting of 5
teachers and 2 committee members, to help in preparing and testing the teaching
materials and conducting online classes to students. The online learning module would
be named Bright Digital Learning Module (BDLM).
• Necessary technology infrastructure is to be created for running the online classes such
as buying suitable computers, software, audio-video (AV) equipment, printers and high-
speed Internet data connection and devices. Besides the above, latest anti-virus software
and suitable firewall mechanism are to be installed to prevent virus attack and hacking
attempts.
• It was also decided to conduct online examination for the students at frequent intervals.
The examination content would be created by the respective class teachers and
supervised by the OTC members.
• Training to teachers and students: Sufficient training on the preparation of teaching and
examination contents is to be given, as well as training on the delivery of content
and handling of the AV equipment.
The teachers who are not familiar with computers are to be additionally trained.
• A technical support team will be made ready who will support not only the teachers
handling the online classes but also the technical queries received from the students.
Suitable dashboards would be displayed in the interface of BDLM.

• Online Class Fee Collection: It is initially decided to collect ₹ 1,000 per month from each
student as online class fee.
• It is to be ensured that the online classes are to be commenced on-time. Periodic
updates would have to be given to each parent's registered mobile number and / or email
account.
• BSCC members are aware that when hosting BDLM online, BHSS would face a variety of
Internet Security Risks (ISR). Each aspect in the online BDLM can be a possible target of
cyber-attack.
Adoption of Enterprise Risk Management (ERM) approach:
• Pursuant to the discussions, the BSCC members decided to study and adopt risk
management strategies and practices throughout the operations of BHSS. They would
like to engage in the process of assessing risk and acting in such a manner, or
prescribing policies and procedures, to avoid or minimize loss associated with such risk.
• BSCC members are considering the option to prepare a list of possible risks and the
proposed treatment of such risks.
Projection of Risks:
• BSCC members developed hypotheses based on financial projections and estimated a
possibility of 30% in failing to achieve the projected collections if there is a fall in 25% in
admission of students to the online classes. Different scenarios were analysed and
calculations were made on the sensitivity of the projections by changing the assumed
parameters, such as, the number of students who might enrol for various courses, fee
collection from each student, the duration of the course etc.
Bank Loan Proposal:
• The committee estimated a capital expenditure of ₹ 60 Lakhs and decided to approach
Cholan Bank Limited (CBL) for a term loan of ₹ 50 lakhs repayable in 5 years and a
working capital loan of ₹ 10 Lakhs. The members of BSCC offered to give their personal
lands and buildings as collateral to the proposed loans and would act as guarantors of
the loans. The market value of the collateral offered is ₹ 2 crores. BHSS did not have any
previous loans either with the bank or from others.
You are required to answer the following questions:
Multiple Choice Questions
Choose the most appropriate answer from the given options:
(2.1) Which one of the following most likely would be of some help to BHSS, if ERM approach is
adopted?
(A) To define the risk appetite of the organization.
(B) Align annual performance goals with risk identification and management.
(C) To assess the company's risk profile, risk appetite and key areas of risk.
(D) Define & develop risk policies, procedures, processes & other documentation as
required.
(2.2) The primary objective of Risk Treatment methodology proposed to be adopted by BHSS
would be to:
(A) Give a response to risks.
(B) Ease the pressure from parents and students.
(C) Comply with the guidelines relating to the pandemic situation issued by the
Government.
(D) Conduct periodic risk assessments.
(2.3) In the hypotheses developed by BSCC members, there might be a risk of acceptance of
hypotheses and the associated projections that should have been rejected. Such a
situation is best known as:
(A) Design Level Error
(B) Transaction Level Error
(C) Type I Error
(D) Type II Error
(2.4) Which of the following would not be considered as an inherent risk for the ISR that would
be faced?
(A) Identity Theft
(B) Inadequate Content
(C) Impersonation
(D) Inadequate Authentication
(2.5) By introducing BDLM, BHSS is attempting to convert negative risk events into positives
by creating a focussed group of experts who brainstorm on breakthrough proposals that
could help BHSS move in a positive direction. This contemporary phenomenon is
commonly referred to as
(A) Incident Analysis
(B) Scenario Analysis
(C) Idea Funnel
(D) Risk Heat Maps (5 x 2 Marks = 10 Marks)

Descriptive Questions
(2.6) Discuss the risks that would be faced by BHSS in the current pandemic situation and the
proposed introduction of BDLM. (6 Marks)
(2.7) Explain the credit risk components that CBL would consider with specific reference to the
loan proposal of BHSS. (5 Marks)
(2.8) Briefly explain the difference between Scenario Analysis and Sensitivity Analysis.
(5 Marks)
Answer
Multiple Choice Questions
2.1 (B)
2.2 (A)
2.3 (D)
2.4 (B)
2.5 (C)
Descriptive Questions
2.6 Risks that would be faced by BHSS:
1. Financial Risk:
• There may be insufficient inflow of funds if the required number of students do not
join, which would cause great strain on the financial operations of BHSS.
2. Liquidity Risk:
• If sufficient fees collections are not received from the students, there would be
a liquidity problem and the same may prevent BHSS from paying the loan dues
within time.
3. Market Risk:
• There are adverse changes in the present conditions due to pandemic
situation. This would pose a risk to BHSS.
4. Operational Risk:
• The external conditions prevailing in the current pandemic situation would
have an impact on the day-to-day operations of BHSS.
5. Strategic Risk:
• The decision to adopt online teaching by BHSS is a strategic one. Failure of
strategies will adversely impact the business objectives and attainment of the
goals.
6. Regulatory Risk:
• The Government may change the pandemic guidelines and policies to be
followed by the schools from time-to-time, such as, changes in maximum
amount of fees to be collected, maximum hours per day for conducting the
online classes etc. Any changes in the rules and regulations which may have
a negative impact on the activities of BHSS can be classified under this risk.
7. Reputation Risk:
• If the quality of the online teaching is not up to the mark, BHSS's reputation
may go down and this will pose a risk.
8. Staffing Risk:
• The staff may not be experienced to handle the newly proposed online
teaching system.
9. Technology Risk:
• The technology used in the online teaching may have to be changed with the
changing technologies and this would impose additional cost to BHSS.
10. Business Continuity Risk:
• If in case, the online teaching system is hacked, BHSS may not be able to
continue the operations and necessary backup and recovery controls should
be in place.
11. Information (data security) Risk:
• Risk of unauthorised data access to the online teaching system as BHSS
would depend heavily on information technology. Unauthorised data access
might lead to theft of resources painstakingly created by BHSS.
12. Security Risk:
• BHSS's system may be hacked and this might pose a risk to BHSS.
13. Governance Risk:
• If the management of the school is improperly conducted, there would arise
governance risk.
Alternative Answer
The various types of risks that will be faced by BHSS during the pandemic time and
introduction of DDLM are as follows:
(i) Maintenance Cost of huge infrastructure: Since now there is a remote possibility of
starting of physical classes for long period, the cost of maintenance of such
infrastructure may continue for longer period.


(ii) Loss of Revenue: Due to the situation of uncertainty, there may be a fall in the
registration of new entrants.
(iii) Teacher’s Salary: Despite the fact that there may be no physical classes, BHSS has
to pay salary to the current teaching staff in order to retain them.
(iv) Poor Results: Due to uncertainty in conducting of Entrance Examinations it might be
possible that some selected students who have been prepared by Institute may not
produce the good result as expected.
(v) New IT infrastructure: Funds shall be needed to create new infrastructure.
(vi) Cyber Risk: Since the system will be connected to students on pan India basis there
is a cyber risk.
(vii) Integrity of Examination system: Since practice examination shall be conducted
online, the integrity of same shall be a big issue and it will be a bit difficult to judge the
performance of students.
2.7 The credit risk components that CBL would consider with specific reference to the loan
proposal of BHSS are as follows:
(i) Default Risk – This risk means missing a payment obligation (of principal or
interest or both). Default Risk can be measured by probability of default. It depends
on credit worthiness of a borrower which in turn depends upon various factors such
as management of organization, size of business, strength and reputation of
promoters etc.
• CBL would check credit worthiness of the committee members who are offering
collaterals for the loans and reputation of them and of BHSS.
(ii) Exposure Risk – This implies the uncertainty associated with future level or amount
of risk. In other words, this risk is mainly associated with unexpected action of other
party say prepayment of loan before due date or request for refund of deposit
before due date.
• The bank may even ask BHSS to repay the loan in full before the due date if the
performance of BHSS is not satisfactory in the future.
(iii) Recovery Risk – This risk is related to recoveries in the event of default, which in
turn depends upon various factors such as quality of guarantee provided by
borrower, and other surrounding circumstances. This risk can be minimized through
Collateral and Third-Party Guarantee. However, existence of these two risk
management tools also carries risk.
• In the proposed loan, the members of BSCC offered to give their personal lands
and buildings and the market value of the same is Rs. 2 Crores.
(iv) Collateral Risk: Although collateral reduces the credit risk, it does so only if the
collateral can be sold at a significant value. The quickness in realization of collateral
depends upon its nature and prevailing market conditions. In normal course, fixed
asset collateral normally carries a lower realizable value than cash collateral. However,
in a buoyant market, say in the case of property, even a fixed asset in the form of a
house property carries a higher value.
With the use of collateral, the credit risk becomes twofold:
(a) Uncertainty related to access it and disposing encumbrances which may be
legal in some cases.
• CBL will ensure that the collaterals offered by the committee members of
BSCC do not have any encumbrance.
(b) Uncertainty related to the value realizable from the collateral which may be
subject to various factors.
• It would be ensured by CBL that the assets offered as collateral are
easily saleable in the event of default of BHSS in the loan
repayments.
(v) Third Party Guarantee Risk: This collateral is a kind of simple transfer of risk on
Guarantor and in case guarantor defaults then risk again comes back to lender.
• CBL would ensure that the Committee members who are the guarantors for the
loan have sufficient assets to cover the loan. For this purpose, CBL would obtain
and scrutinize the financial statements of the Committee members.
2.8 Sensitivity analysis and Scenario analysis both help to understand the impact of the
change in input variable on the outcome of the project. However, there are certain basic
differences between the two.
Sensitivity analysis calculates the impact of the change of a single input variable on the
outcome of the project viz., NPV or IRR. The sensitivity analysis thus enables to identify
that single critical variable that can impact the outcome in a huge way and the range of
outcomes of the project given the change in the input variable.
Scenario analysis, on the other hand, is based on a scenario. The scenario may be
recession or a boom wherein depending on the scenario, all input variables change.
Scenario Analysis calculates the outcome of the project considering this scenario where
the variables have changed simultaneously. Similarly, the outcome of the project would
also be considered for the normal and recessionary situation. The variability in the
outcome under the three different scenarios would help the management to assess the
risk a project carries. Higher deviation in the outcome can be assessed as higher risk
and lower to medium deviation can be assessed accordingly.
Scenario analysis is far more complex than sensitivity analysis because in scenario
analysis all inputs are changed simultaneously considering the situation in hand while in
sensitivity analysis only one input is changed and others are kept constant.
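The difference described in 2.8 can be seen by running both analyses on the same project. The following is an added illustration, not part of the ICAI suggested answer; the project figures, the 10% shock and the three scenarios are constructed for the example.

```python
# Added illustration: every figure below is constructed, not taken from the case study.
from dataclasses import dataclass, replace
from statistics import pstdev


@dataclass(frozen=True)
class Inputs:
    units: float            # units sold per year
    price: float            # selling price per unit
    variable_cost: float    # variable cost per unit
    fixed_cost: float       # fixed cash cost per year
    rate: float             # discount rate
    outlay: float = 1_000_000.0
    years: int = 5


def npv(x: Inputs) -> float:
    """NPV of a level annual cash flow for x.years, less the initial outlay."""
    cash = x.units * (x.price - x.variable_cost) - x.fixed_cost
    annuity = sum(1 / (1 + x.rate) ** t for t in range(1, x.years + 1))
    return cash * annuity - x.outlay


BASE = Inputs(units=10_000, price=100.0, variable_cost=60.0,
              fixed_cost=100_000.0, rate=0.10)


def sensitivity(base: Inputs, shock: float = 0.10) -> dict:
    """Sensitivity analysis: move ONE input by -/+ shock, hold the rest at base."""
    table = {}
    for name in ("units", "price", "variable_cost", "fixed_cost", "rate"):
        value = getattr(base, name)
        low = npv(replace(base, **{name: value * (1 - shock)}))
        high = npv(replace(base, **{name: value * (1 + shock)}))
        table[name] = (low, high)
    return table


def critical_variable(table: dict) -> str:
    """The single input whose change produces the widest range of NPV."""
    return max(table, key=lambda n: abs(table[n][1] - table[n][0]))


# Scenario analysis: each scenario changes ALL inputs simultaneously.
SCENARIOS = {
    "recession": Inputs(units=8_000, price=95.0, variable_cost=62.0,
                        fixed_cost=100_000.0, rate=0.12),
    "normal": BASE,
    "boom": Inputs(units=12_000, price=105.0, variable_cost=58.0,
                   fixed_cost=100_000.0, rate=0.09),
}


def scenario_analysis(scenarios: dict):
    """NPV per scenario plus the deviation across scenarios (higher = riskier)."""
    results = {name: npv(x) for name, x in scenarios.items()}
    return results, pstdev(list(results.values()))


if __name__ == "__main__":
    print(f"Base NPV: {npv(BASE):,.0f}")
    table = sensitivity(BASE)
    for name, (low, high) in table.items():
        print(f"  {name:14s} -10%: {low:>12,.0f}   +10%: {high:>12,.0f}")
    print("Critical variable:", critical_variable(table))
    results, spread = scenario_analysis(SCENARIOS)
    for name, value in results.items():
        print(f"  {name:10s} NPV: {value:>12,.0f}")
    print(f"Deviation across scenarios: {spread:,.0f}")
```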


CASE STUDY: 3
About the Company
Blue Hospital (BH) is a reputed chain of hospitals located in the National Capital Region
(NCR). The BH package of services includes: inpatient hospital delivery services, outpatient
ambulatory services, home health, drug rehabilitation and alcohol treatment and retail services
including diagnostic, laboratory, sports medicine, rehabilitation and imaging. BH's trauma
center is one of the NCR's busiest. In addition BH operates one of the only air ambulance
services in the region and has its own health insurance company providing health benefits for
its employees and others.
Review of Risk Management Function
BH's risk management function had been outsourced to a single firm named RLM for
approximately eight years. Immediately after joining BH as a Chief Risk Officer (CRO), Ms.
Sana commissioned an independent assessment of the risk management function as she was
uncertain whether outsourcing model was an effective risk management structure for BH. The
Board has asked Ms. Sana to do her own assessment also of the existing risk management
practices after reviewing the findings of that independent study from the outside firm. The
Board has also asked the CRO to consider Delphi and Bow-Tie techniques of risk analysis.
Observations made by CRO
1. The studies suggested that the circumstances that led to the initial outsourcing decision
no longer existed. Also, BH had grown considerably in size and complexity to warrant
both a high level of direct accountability by a senior leader and their own team and a
strategic approach to the management and mitigation of risks. Another issue these
processes uncovered was that the outsourcing model was less effective in proactive data
mining and trend analysis that could be used to create actionable risk and quality
initiatives to prevent or mitigate risk events in the future.
2. BH did not have a forum to look across the organization to assess interrelated risks and
potential impact on the organization or how multiple risks could correlate.
3. The CRO is also concerned that Business Continuity Plan (BCP) is not properly
implemented in the organization. Also, employees think that there is no difference
between Enterprise Risk Management (ERM) and BCP. One of the Audit Committee of
Board (ACB) members has remarked that ERM approach and the business impact
analysis approach are very similar and there is no difference.
4. The CRO has flagged the fact that risk culture within BH must improve and there is no
narrative approach of risk management in place for those risks which cannot be
adequately or accurately reflected by a numeric or quantitative method. Therefore, while
developing a new risk management approach, the narrative approach to risk management must
be considered, especially considering the nature of business of BH.


Action plan
After a presentation to the Board by the CRO, BH began a three-step approach to reestablish
a risk management function in the organization and create a strategic approach to
management of risks.
Step one was laying the groundwork or a design-build phase to create the foundation for a
high functioning internal risk management department including adding the necessary
business intelligence data structure.
Step two was the introduction into the organization of an ERM framework and the
establishment of an Enterprise Risk Committee (ERC) at the highest level of the organization.
It was determined that an advisory group of executives should serve together as a
coordinating body to look at diverse risks to the organization from whatever source. The
advisory group shall be called ERC and is chartered to look more expansively and from a
strategic point of view at risks in order to understand the inter-relatedness and cumulative
impact on the organization. Further, the selection of key individuals who will form part of the
ERC will be based on a broad parameter to be developed by the CRO after taking inputs from
a consultant and after obtaining approval of the Board. They will meet regularly not only to
continually reassess the critical risks faced by the hospital but also to report on progress in
each of the initiatives that is associated with critical risk.
Step three is focused on the maturation of the ERM approach to risk identification and
management at a strategic level as well as the expansion of and integration of ERM principles
throughout the organization.
Multiple Choice Questions
Choose the most appropriate answer from the answer options:
(3.1) Which one of the following is incorrect with respect to ERM?
(A) It is a process effected by an entity's board of directors, management and other
personnel.
(B) It is applied in strategic setting and across the enterprise.
(C) It manages risk to be within risk appetite.
(D) It provides complete assurance regarding the achievement of entity's objective.
(3.2) What are some examples of internal drivers of an organization's risk culture?
(A) Resource allocation and risk attitude
(B) Risk appetite and risk tolerance
(C) Employee records
(D) All of the options


(3.3) The Delphi Technique is a method that attempts to move a group of experts toward a
consensus opinion. When using the Delphi technique in practice which one of the
following is incorrect?
(A) Each individual expert in the group is asked a question. The answer that each
expert develops individually after consulting the others in the group is reported to
the entire group.
(B) Each individual expert in the group is asked a question. The answer that each
expert develops individually without consulting the others in the group is reported to
the entire group.
(C) The question reported at group level is posed again separately to the expert, who is
instructed to consider revising their response based on the results that were
reported to the group.
(D) The question and response cycle continues for a predetermined number of rounds
or until a consensus is achieved.
(3.4) Which one of the following is incorrect about the bow-tie technique?
(A) The purpose of the Bow-tie technique is to demonstrate that sources of risk can
lead to events that have consequences.
(B) The event shown in the centre of the bow-tie would be listed in terms of the
component of the organization that is impacted by the event. These components are
people, premises, processes and products.
(C) The Bow-tie technique cannot be only used to illustrate the four types of controls
namely preventive, detective and corrective but not directive.
(D) The Bow-tie technique can be used in many ways, including the representation of
opportunity risks.
(3.5) Which one of the following is not correct in reference to the sound risk culture in a
company?
(A) All levels of the organisation understand and appreciate the positive and negative
results that a risk event can bring.
(B) An appropriate risk reward balance consistent with the risk appetite is achieved
when taking on risks.
(C) An effective system of controls commensurate with the scale and complexity is
properly put in place.
(D) Previous mistakes are not considered while shaping the right risk actions.
(5 x 2 Marks = 10 Marks)


Descriptive Questions
(3.6) While recommending selection of individuals in the ERC, if you were hired as a
consultant, what should be the three broad parameters? (3 Marks)
(3.7) Would you agree with the view that there is no difference between ERM and BCP?
Provide reasoned answer. (3 Marks)
(3.8) How could a Narrative Approach be used to better identify and assess risks that are not
easily quantified? (4 Marks)
(3.9) Outsourcing of services has its place in risk management. What are the five key issues
you would consider to make sure that what has been outsourced meets the continuing
needs of the organization and is consistent with its strategy, vision and brand promise?
(5 Marks)
Answer
Multiple Choice Questions
3.1 (D)
3.2 (D)
3.3 (A) or (D)
3.4 (C) or (D)
3.5 (D)
Descriptive Questions
3.6 Broad parameters that an individual in the ERC should possess are as follows:
(i) has a chair who is an independent director and avoids “dual-hatting” with the chair
of the board, or any other committee;
(ii) includes members who are independent;
(iii) includes members who have experience with regard to risk management issues and
practices;
Alternative Solution
The ERC council should be made up of key individuals who
i. understand the strategic direction of the enterprise,
ii. represent most major segments in the enterprise, and
iii. have significant decision-making and budgetary authority to make changes happen.
3.7 Business Continuity Plan (BCP) is now an integral part of Operational Risk
Management that can be triggered as part of an overall disruption that is caused by any
or a combination thereof. However, the link between BCP and Enterprise Risk Management
(ERM) cannot be denied as ERM is concerned with the risks facing the whole
organization and BCP takes an approach that business continuity arrangements should
be in place.
The BCP approach is to ensure the continuity of operations across the whole
organization and is obviously part of an ERM approach. Hence, BCP can be considered
a part of ERM, but it is not the whole of ERM activity.
The basis of ERM is that the stakeholder expectations and the core processes of the
organization that deliver those expectations are the focus of the risk assessment
process. The continuation of core business processes is also the basis of BCP and the
intention of ERM is to ensure that the core processes are maintained as it is basis of
stakeholder expectations.
However, if we talk about the difference in emphasis, while ERM seeks to identify the
risks that could impact the core processes, BCP seeks to identify the critical business
functions that need to be maintained in order to achieve continuation of the business.
Thus, it can be concluded that there is a good deal of similarity between BCP and style of
ERM but both approaches are complementary to each other.
Alternative Solution
Because both approaches are based on the identification of the key dependencies and
functions that must be in place for the continuity and success of the business.
I do not agree with the view that there is no difference between ERM and BCP. ERM and
BCP differ because the former is concerned with the management of the risks that could
impact core processes, whereas BCP is concerned with actions that should be taken to
maintain the continuity of individual activities. The BCP, therefore, has the very specific
function of identifying actions that should be taken after the risk has materialized in order
to minimize its impact. BCP relates to the damage-limitation and cost-containment
components of loss control.
3.8 Narrative Analysis is a process to analyze future events by considering alternative
outcomes or alternative worlds i.e. making scenarios.
Scenario making involves preparing a brief narrative or description of a hypothetical
situation of how a future event or events might turn out or look like.
For each scenario, the management reflects and analyses the potential consequences
and potential causes when analysing risk.
Scenario analysis can be used effectively to identify opportunities for fraud, forecasting,
managing financial risks, etc.
Alternative Solution
Not all risks of an organization are easily quantified. Reputation is a good example of a risk
for a hospital like BH that is often viewed as an intangible and therefore difficult to
quantify and best expressed through narrative reporting when numerical expression can
be unreliable. For hospitals the narrative in risk management could be constructed
similarly to that of medicine.
• The first is active listening.
• The second is putting into writing what happened, beyond the basics of the incident.
What was the environment at the time, were there emotional issues that surrounded
the event or incident; and what happened in the days, weeks, or moments that led
to the event?
• The third is sharing the narrative with those affected by it whether it is an individual
or an entire organization.
It is a myth that the narrative approach is not just for ex post facto analysis of events.
Narrative can be used to describe critical risks that the organization faces. This is
important for multiple reasons. First, the narrative can more fully explain the problem and
how it might produce loss. Second, many people are more attuned and responsive to
stories because they help individuals to visualize the concept. Third, narratives more
fully describe the circumstances of the organization and may lead management to
understand risk more holistically in association with attitudes, aptitudes, and environment
that may produce or exacerbate losses.
3.9 The various key issues that need to be looked into to ensure that outsourcing meets the
continuing needs of the organisation and is consistent with its strategy, vision and brand
• Clearly defined objective of outsourcing; this has to be brought into the scope of
work;
• Contractual documentation to be adequate to ensure the service provider does only
what is assigned and to the standard mutually agreed to by all parties involved;
• Legal indemnities to the organisation to be assessed while hiring a service provider;
• In agreements where the client and the service provider are in different states or in
different countries, the respective countries’ or states’ laws have to be complied
with;
• The BCP of the service provider has to be reviewed.
• The operational risk assessment covering regulatory risks, financial risk, financial
reporting risk and other risks as delivery to end customers of the client in case the
service provider fails to deliver for whatever reason.
• If technology or its disaster recovery itself is outsourced, all the attention is required
to ensure the business operations work as designed and agreed.


Alternative Solution
• Potential impact of outsourcing on end to end processes when making a decision to
outsource?
• Need to apply operational risk management and governance practices to
outsourcing arrangements including risk associated with sub-contracting
• Identification and assessment of conflict of interest with the service provider
• Due diligence of service provider
• Adequacy of responsibility and oversight over the outsourcing arrangement
• Documentation, exit strategies and BCP
CASE STUDY: 4
OE, the Company is a leading manufacturer of garments headquartered at Delhi. Its
customers are located in Europe and the USA. Major portion (80%) of the revenue is from
export business. OE has borrowed in foreign currency and INR as well.
The Company is exposed to the impact of interest rate changes primarily through its borrowing
activities. The Company's objective is to mitigate the impact of interest rate changes on
earnings and cash flows and on the market value of its borrowings. In accordance with its
policy, the Company targets its fixed-rate debt as a percentage of its net debt between a
minimum and maximum percentage.
The Company transacts business globally and is subject to risks associated with changing
foreign currency exchange rates. The Company's objective is to reduce fluctuations
associated with foreign currency exchange rate changes in its earnings and cash flow,
enabling management to focus on core business issues and challenges.
The Company enters into option and forward contracts that change in value as foreign
currency exchange rates change, to protect the value of its existing foreign currency assets,
liabilities, firm commitments and forecasted but not firmly committed foreign currency
transactions. In accordance with policy, the company hedges its forecasted foreign currency
transactions for periods generally not to exceed two years within an established minimum and
maximum range of annual exposure. Cross-currency swaps are used by the company to
effectively convert foreign currency-denominated borrowings into INR denominated
borrowings. It also uses swaption and zero cost collar for hedging purposes.
Despite having robust risk management practices, the management of OE is concerned
about the operating forex exposure. OE has been maintaining a risk register, knowing well that a
well-constructed and dynamic risk register is at the heart of a successful risk management
initiative. However, during a risk review process it was uncovered that senior management has
started believing that attending a risk assessment workshop and producing a risk register is a
risk management obligation and therefore no ongoing actions are required.


Further, considering disruption in value chain in the garment business and its strong presence
in Europe, OE has a plan to open a garment manufacturing unit in Birmingham UK which will
be a wholly owned subsidiary of OE. The management believes this would reduce delivery time
and hence would help in getting more business. Also the locational advantages enjoyed by
competitors from Turkey can be addressed with this strategy. Recently, a number of buyers from
Europe have started giving orders to suppliers in Bangladesh due to labour cost advantages
and faster depreciating Bangladeshi Taka. Considering this, OE also plans to open a factory
in Bangladesh.
Multiple Choice Questions
Choose the most appropriate answer from the answer options:
(4.1) Suppose OE issued a callable bond two years ago and it has three more years to go
before the first call date. If interest rates have fallen over the past two years and you
believe rates will not stay this low and that it would be in the firm's best interest to
lengthen the duration of the liabilities, which of the following is one potential strategy to
accomplish the objective of lengthening the duration while also securing the lowering
interest rate.
(A) buy a payer swaption
(B) sell a payer swaption
(C) buy a receiver swaption
(D) sell a receiver swaption
(4.2) Which of the following best describes a zero cost collar within the context of interest rate
derivatives?
(A) A zero cost collar is a long (short) position in an interest rate cap and a short (long)
position in an interest rate floor where the cost of the cap (floor) exactly offsets the
revenue from the floor (cap).
(B) A zero cost collar is a long (short) position in an interest rate cap and a short (long)
position in an interest rate floor where the cost of the cap (floor) is less than the
revenue from the floor (cap).
(C) A zero cost collar is a long (short) position in an interest rate cap and a short (long)
position in an interest rate floor where the cost of the cap (floor) is greater than the
revenue from the floor (cap).
(D) A zero cost collar is an option that pays off only if interest rates remain within a
designated range.
(4.3) The modern long-term currency swap can be viewed as:
(A) a spot sale and a forward purchase.
(B) a combination of forward contracts, each of them having zero initial market value.


(C) a combination of forward contracts, each of them having, generally, a non-zero
initial market value but with a zero initial market value for all of them taken together.
(D) a spot transaction and a combination of forward contracts, each of them having,
generally, a non-zero initial market value but with a initial market value for all of
them taken together.
(4.4) A cross-hedge
(A) involves the use of forward contracts, a combination of spot and market and money
market transactions and other techniques to protect from foreign exchange loss.
(B) is a technique designed to hedge exposure in one currency by the use of futures or
other contracts on another currency that is correlated with the first currency.
(C) involves an exchange of cash flows in two different currencies between two
companies.
(D) involves a loan contract and a source of funds to carry out that contract in order to
hedge transaction exposure.
(4.5) As the financing of a foreign project by the parent ____ relative to the financing provided
by the subsidiary, the parent's exchange exposure ____.
(A) increases; decreases
(B) decreases; increases
(C) increases; increases
(D) decreases; decreases (5 x 2 Marks = 10 Marks)
Descriptive Questions
(4.6) Discuss the condition under which exchange rate changes may actually reduce the risk
of foreign investment. (3 Marks)
(4.7) You are hired by OE to review its operating forex exposure. Discuss two determinants of
forex operating exposure. Based on the information given in the Case Study, identify any
one activity of OE which is likely to address the operating forex exposure. What would
be the implications of purchasing power parity for operating exposure? (4 Marks)
(4.8) What are the advantages and disadvantages of financial hedging of the firm's operating
exposure vis-a-vis operational hedges and what are the advantages of a currency
options contract as a hedging tool compared with the forward contract? (4 Marks)
(4.9) What is the purpose of risk register? What would a risk register typically cover? Do
you think there are disadvantages associated with the use of risk registers? (4 Marks)


Answer
Multiple Choice Questions
4.1 (D)
4.2 (A)
4.3 (D)
4.4 (B)
4.5 (C)
Descriptive Questions
4.6 Exchange rate changes need not always increase the risk
of foreign investment.
If covariance between exchange rate changes and the local market returns is negative
enough to offset the positive variance of exchange rate volatility, changes in exchange
rate can actually reduce the risk of foreign investment.
4.7 The main determinants of OE’s operating exposure are as follows:
(1) the structure of the markets in which the firm sources its inputs, such as labor and
materials, and sells its products, and
(2) OE’s ability to mitigate the effect of exchange rate changes by adjusting its
markets, product mix, and sourcing.
The plan to open a factory in Bangladesh is an example of addressing operating forex
exposure.
So far as the implication of purchasing power parity for operating exposure is concerned, if
the exchange rate changes are matched by the inflation rate differential between
countries, OE’s competitive position will not be altered by exchange rate changes and
OE will not be subject to operating exposure.
4.8 While financial hedging can be implemented quickly and that too with relatively low costs,
the operational hedges are costly and time-consuming. However, in financial hedging it is
difficult to hedge against long-term, real exposure with financial contracts. Also,
operating hedging is not easily reversible.
The main advantage of a currency option contract is that the option contract not only provides
hedging against the risk but also allows the hedger to take the benefit of movement in the exchange
rate, because it carries an element of choice, not an obligation. Option thus provides a hedge
against ex post regret that forward hedger might have to suffer. Thus, hedger can
eliminate the downside risk while retaining the upside potential.
4.9 The purpose of the risk register is to form an agreed record of the significant risks that
have been identified. Also, the risk register will serve as a record of the control activities
that are currently undertaken. It will also be a record of the additional actions that are
proposed to improve the control of the particular risk. Other information about risks will
also be included in the risk register.
Typically, the risk register will cover the significant risks facing the organization or the
project. It will record the results of the risk assessment related to the process, operation,
location, business unit or project under consideration.
There are disadvantages associated with the use of risk registers, including the danger
that the information recorded in the risk register will not be used in a dynamic way. The
risk register could become a static record of risk status, rather than the risk action plan
for the organization.
Alternative Answer
The purpose of Risk Register is as follows:
• Risk register is a record of risk, risk assessments, risk mitigation and action plans
prepared by the responsible parties that help to support overall ERM and controls
disclosures reporting process.
• Risk register is continuously updated and has columns for risk, causes, consequences,
ownership, inherent risk score, controls, residual risk score, process, action for further
mitigation, action owner, due date, etc.
Typically, the risk register will cover the following:
• Risk
• Causes
• Consequences
• Ownership
• Inherent risk score
• Controls
• Residual risk score
• Process
• Action for further mitigation
• Action owner
• Due Date
So far as the disadvantage of using Risk Register is concerned, it has been seen that
sometimes it becomes a static, i.e., non-living, document.

© The Institute of Chartered Accountants of India


FINAL (NEW) EXAMINATION: JANUARY 2021

CASE STUDY: 5
About the Company
HC is a leading restaurant company headquartered at Mumbai. It has 500 outlets operating
across India and is listed on both BSE and NSE. As a result of COVID-19, the performance of
the company was not good during the first half of FY 2020-21. But the company has now
started making extensive use of the online mode of order taking, payment and delivery. The
operating model has now been completely revamped. The company has now created a database of
customers which helps in marketing new products. This has started showing results but has
also exposed the Company to new risks, including cyber risks.
Recent Developments
Recently the Company was attacked by malware which affected the operations of the Company
for two days. Cyber security was not on the agenda just six months back. But with the change in
the operating model this has become one of the key risks of HC. The Board believes that now the
Company will have to invest in cyber security to minimize the possibility of having a cyber
loss. It is well known that even the companies with the best IT security and highest
expenditure on cyber protection still suffer successful cyber-attacks. However, companies
need to have contingency plans for managing the financial impact on their balance sheet of a
potential large loss from a cyber-attack. The management is aware that cyber-attacks have
been responsible for many missed quarterly earnings reports, which have been punished by
shareholders, credit providers and business counterparties. It is more expensive, in terms of
the interest rates charged, to access funds through borrowing after the event has occurred,
particularly if credit ratings have been impaired as a result of the cyber-attack.
A recent internal assessment indicates that the Company is still operating at 60% of the
Pre-COVID level and hence needs further funds for operations.
HC has also acquired a company named PC which is in the food delivery business. The revenue
of PC has been rising during the last two years. PC, however, is poorly managed and the Board
of HC believes that they can transform it well and that this acquisition would create synergy in
terms of increase in revenue and saving in operating costs. The owner would raise the funds
for the acquisition from own sources and a private equity investor.
Plans of the Company
Considering the revival of the economy, the Company wants to expand by opening 10 more
outlets by the end of March 2021. For this too it needs borrowing, which is available under
various schemes announced by the Government of India. The Company has started the
process of making a financial analysis of its performance so that the Board is fully aware of
the information being sent to the lenders.


HC has a plan to open a few outlets in the UK to serve Indian customers. But before committing
huge Capex it wants to make a proper financial viability analysis. The Board members also
want this analysis to cover analysis with respect to the parent in order to satisfy the shareholders
of HC.
Actions taken by the Company
The Company has hired a consultant to review entire risk management practices of HC and
suggest suitable and practical solution to make it cyber-resilient. The consultant has been
specifically asked to cover sensitivity analysis, scenario analysis and use of Monte Carlo
Analysis especially considering the high uncertainties in the external environment so that
adequate steps are taken to mitigate the risks.
The key remark of one of the Board members was: "We believe that risk management
decisions should be based on objective assessments of risk and be as evidence-based as
possible. You should be able to estimate how various security measures and risk mitigation
processes will affect your risk profile and to justify their implementation by how much they will
reduce the risk of unacceptable loss."
The Board has given general guidance with respect to risk tolerance and wants this to
also be covered in the consultant's report. They are aware that some companies may tolerate
the occasional minor loss from cyber-attacks. In fact, it may be too costly relative to the value
to make an organization invulnerable and to prevent any cyber loss occurrence at all. But
most companies want to avoid having a severe loss above a certain threshold, particularly one
that will cause reputation damage, lead to missing earnings targets, materially damage the
balance sheet, trigger a rating downgrade, or threaten the viability of the organization itself.
Multiple Choice Questions
Choose the most appropriate answer from the answer options:
(5.1) HC has the following balance sheet (in INR millions):
Bills Payables                  100    Net PPE                  1200
Accounts Payable                200    Inventories               300
Accruals                        100    Accounts Receivables      400
Total Current Liabilities       400    Cash                      100
Long-Term Debt                  600    Total Current Assets      800
Equity                         1000
Total Liabilities and Equity   2000    Total Assets             2000


HC's Days Sales Outstanding (DSO) on a 365-day basis is 40, which is above the
industry average of 30. Assume that HC is able to reduce its DSO to the industry
average without reducing sales and that the Company takes the freed-up cash and uses it to
reduce its outstanding long-term bonds. If this occurs, what will be the new current ratio?
(A) 1.75
(B) 1.33
(C) 2.33
(D) 1.25
(5.2) You have been asked to compare performance of HC with another Company Y. You have
collected the following information:
• The two companies have the same total assets.
• HC has a higher total assets turnover than Company Y.
• HC has a higher profit margin than Company Y.
• Company Y has a higher inventory turnover ratio than HC.
• Company Y has a higher current ratio than HC.
Which of the following statements is the most correct?
(A) HC must have a higher net income.
(B) HC must have a higher ROE.
(C) Company Y must have a higher ROA.
(D) Company Y must have higher profit margin.
(5.3) Which of the following statements about risk analysis techniques is FALSE?
(A) In sensitivity analysis, the dependent variable is plotted on the y-axis and the
independent variable on the x-axis. The steeper the slope on the resulting line the
less sensitive the dependent variable is to changes in the independent variable.
(B) Sensitivity analysis is incomplete, because it fails to consider the probability
distributions of the independent variables.
(C) In Monte Carlo simulation, probable future events are simulated on a computer
generating estimated rates of return and risk indexes.
(D) Scenario analysis is a risk analysis technique that considers both the sensitivity of
the dependent variable to changes in the independent variables and the range of
likely values of these variables.


(5.4) In the case of PC, at present the investment in working capital is 22% of sales. The
Board of HC believes that it can be reduced dramatically to 20% in the first year of
ownership, 18% in the second year and then finally 15% in the third year. This level of
15% will then be the stable level of working capital investment for the business. What is
the acquisition value of this working capital reduction if sales remain constant at INR 100
million per annum and your cost of capital is 10%? (rounded off)
(A) INR 7 million
(B) INR 5.8 million
(C) INR 10.7 million
(D) INR 8 million
(5.5) Broad categories of malware include
(A) 'Virus' - computer code inside a host program.
(B) 'worm' - a stand-alone piece of compiled software as a program that can replicate
itself.
(C) 'Trojan horse' - a program that appears to do one thing but actually does something
different.
(D) All of the options (5 x 2 Marks = 10 Marks)
Descriptive Questions
(5.6) What are risk capacity and risk exposure? Explain the difference between risk exposure,
risk tolerance and risk appetite? (6 Marks)
(5.7) What are the two defining characteristics of a cyber-resilient organization?
What is reverse stress testing in case of a cyber-resilient organization? (2 Marks)
(5.8) Discuss the difference between performing the capital budgeting analysis from the parent
firm's perspective as opposed to the project perspective. (3 Marks)
(5.9) Discuss the four types of direct pay-out cost if HC suffers from a cyber-attack. (4 Marks)
Answer
Multiple Choice Questions
5.1 (A)
5.2 (A)
5.3 (A)
5.4 (B)
5.5 (D)


Descriptive Questions
5.6 Risk capacity is the level of risk an organization considers itself capable of absorbing,
based on its earnings power, without damage to its dividend paying ability, its strategic
plans and, ultimately, its reputation and ongoing business viability. It is based on a
combination of budgeted, forecast and historical revenues and costs, adjusted for
variable compensation, dividends and related taxes.
Risk exposure is an estimate of potential loss based on current and prospective risk
positions across major risk categories - primary risks, operational risk and business risk.
It builds as far as possible on the statistical loss measures used in the day-to-day
operating controls. Correlations are taken into account when aggregating potential
losses from risk positions in various risk categories to obtain an overall estimate of the
risk exposure. The risk exposure is assessed against a severe but plausible constellation
of events over say a one-year time horizon to a 95 per cent confidence level or a 'once in
20 years' event.
Risk exposure is the actual risk that the organization is taking and this may not be the same
as the risk appetite that the board believes is appropriate for the organization.
Risk appetite is established by the board, which sets an upper boundary on aggregate
risk exposure.
The concept of 'tolerate' is normally concerned with the organization being willing to retain
or tolerate a risk, even if it is higher than the organization would choose to accept. The
other concept is that of risk tolerance. Many organizations use risk tolerance in the
engineering sense to represent the range of risk that is broadly acceptable. As with the
engineering use of the word tolerance, risk tolerance zones define the boundaries within
which an organization desires the level of risk to be confined. An organization may have
to tolerate risks that have a current level beyond its comfort zone and its risk appetite.
On occasions, an organization may even have to tolerate risks that are beyond its actual
risk capacity. However, this situation would not be sustainable, and the organization
would be vulnerable during this period.
Risk tolerance relates to a specific or individual risk, rather than the more general
approach represented by risk appetite. Risk appetite refers to the amount and type of
risk that an organization is willing to pursue or retain.
5.7 Defining characteristics of a cyber-resilient organization are as follows:
• Identification of risk areas: whether it is own or outsourced network, internet,
individual computers, mobile devices etc. Prioritization of resources and effort can
be managed accordingly.
• Adequately restricting access to systems is the common way to prevent cyber risk;
this is done by password protection at various levels, from common user to
administrator level.
• Encryption solutions on individual computers are also applied in such a manner that, if
the computer is lost, the unauthorised entity cannot download the data onto an external
storage device.
• There are several technology solutions that create an adequate firewall around the
organisation’s systems to protect them from hacking from outside.
• Regular vulnerability testing of the firewall and periodic review to upgrade it is one
of the main tasks of the information security manager. Detection of a test-attack is
a very important part of the preventive mechanism; an attacker may attempt to cause
a minor violation to test the organisation’s network security before causing a major
incident.
• A response strategy to a cyber-attack incident is also important as part of risk
management. The measures to prevent or mitigate customer disputes and legal
indemnities, to assess and minimize the financial impact of a cyber-attack, and
governance over decision making and investments to restore the system
functionalities to their secure state, are all important considerations. The root cause of
these incidents and their impact have to be adequately documented.
Reverse stress testing: some institutions failed during the global financial crisis, and that
period represented a stress-to-default scenario. Reverse stress testing involves extremely
unlikely events which force companies to think about the firm’s most serious vulnerabilities
and design stress-to-default scenarios accordingly.
5.8 There exists a big difference between the project and parent cash flows due to tax rules
and exchange controls. Management and royalty payments are returns to the parent firm. The
basis on which a project shall be evaluated depends on the project's own cash flows, the cash
flows accruing to the parent firm, or both.
Evaluation of a project on the basis of its own cash flows entails that the project should
compete favourably with domestic firms and earn a return higher than the local
competitors. If not, the shareholders and management of the parent company shall invest
in the equity/government bonds of domestic firms. A comparison cannot be made since
foreign projects replace imports and are not competitors with existing local firms. Project
evaluation based on local cash flows avoids currency conversion and eliminates problems
associated with fluctuating exchange rates.
For evaluation of a foreign project from the parent firm’s angle, both operating and financial
cash flows actually remitted to it form the yardstick for the firm’s performance and the
basis for distribution of dividends to the shareholders and repayment of debt/interest to
lenders. An investment has to be evaluated on the basis of net after-tax operating cash flows
generated by the project. As both types of cash flows (operating and financial) are
clubbed together, it is essential to see that financial cash flows are not mixed up with
operating cash flows.


5.9 Types of direct pay-out costs include:


(i) The response and forensics costs of the IT security team, both internal personnel
and typically involving external consultants, that has to diagnose what happened as
quickly as possible and render the system safe from further exploitation.
(ii) New technology, equipment, software, and systems may need to be purchased to
remedy vulnerabilities.
(iii) Compensation for people whose personal data is compromised, including costs of
notification, managing their enquiries and providing customer support, providing
credit watch services, and payouts for any losses these individuals may suffer.
(iv) Legal costs to defend any litigation that might be brought against the company,
including the costs of settling the action or losing the case and paying damages or
even punitive awards.

Jan 2021 Question Paper Query Sheet
By CA Shivam Palan || CA Monk_Target80+RM

Case Study 1:
Multiple Choice Questions:

1.1 MCQ deals with the basic understanding of business functions that would give rise to risks. The risk
managers need to know what risk arises or changes due to various circumstances. Refer page no. 7.7.

1.2. Concept based on internal risk threat metric & IT system controls.

1.3 Mr. Peter suggested implementing robust security measures, including installing a firewall,
installing a Virtual Private Network (VPN), etc., to counter the increasing security risks.
So, installing a firewall acts as a Detective control and Corrective control; hence the risk
strategy can be Risk Retention or Risk Reduction.

1.4 Based on an understanding of subject and Case study.

1.5 KYC is a mandate issued by RBI for all bank customers, and hence a violation of KYC is a
regulatory risk. Refer page no. 1.20 for the understanding of Regulatory risk. Also please practice this
type of question from our Complete Guidance and ATOM Book; many questions of this type are covered
there.

Note: Various questions have multiple answers; however, you are supposed to mark only one correct
answer in the exam.

Descriptive Questions

1.6 Mitigation strategies for data privacy and cybersecurity risks are directly given on ICAI module
page no. 9.27.

The alternative answer given is based on understanding the concept; please note the same in some places
since this can be used in other questions.

1.7 Development of ERM is at risk-managed maturity level. The management wants to track the
effectiveness of internal control and implementation of ERM. The same could be done by the techniques
given on page 3.12 of the ICAI module for risk enabled and managed organisations.
Note: For this type of question, refer to the index shared in ATOM Book; it will help you solve all
these questions.

1.8 Integration of risks in the strategic planning process is given on page 4.4 of the ICAI module, and
the same has to be written with examples that correlate to the case study. For this type of question, you
must understand the concepts.

Additional Learning: Please do read the details about VPN given in Full Batch notes page no. 173.



Jo Monk Banega Wohi CA Banega
(Building India’s Largest Mentor Buddy Program)
Case Study 2:
Multiple Choice Questions:

2.1 The correct answer is from the advantages of ERM given on page 8.2 from the ICAI module.

2.2 This is a direct question from page 2.21 of the ICAI module.

2.3 This question is from the Hypothesis chapter.

Design errors are unavoidable in any construction project and can negatively affect cost, schedule and
safety performance.

In statistical hypothesis testing, a type I error is the rejection of a true null hypothesis (also known as a
"false positive" finding or conclusion; example: "an innocent person is convicted"), while a type II error
is the non-rejection of a false null hypothesis (also known as a "false negative" finding or conclusion;
example: "a guilty person is not convicted").

Type I error (false positive): the test result says you have coronavirus, but you actually don’t.

Type II error (false negative): the test result says you don’t have coronavirus, but you actually do.

2.4 Case study Based, also refer to page no 26 of full batch notes to better understand the inherent risk
concept.

2.5 This is a direct question from page 1.18 of the ICAI module. Same question from Our Complete
Guidance Book. Question no 45 page no. 8.

Descriptive Questions

2.6 Types of risks faced in pandemic situations. A similar question is there in the Complete Guidance
Module page 44 (Direct Question from our Book). As the question is for six marks and it does not
mention how many risks need to be written, you need to write all the types of risk you find.

Note: Always try to relate the type of risk with the question. (ICAI Material first, then Relevant content
from Question). To Practice more of this type of question, refer to page no. 329 to 407 of Complete
Guidance Book.

2.7 Direct question on components of Credit Risks from page 6.2 of ICAI module. Use the ATOM
Book Index to find such types of questions.

2.8 This is a direct question on the differences between Sensitivity Analysis and Scenario Analysis
given in IPCC Module page 8.2.

Case Study 3:

Multiple Choice Questions:

3.1 This question is on a basic understanding of ERM objectives. Also, it’s important to note that it’s
very difficult to give complete assurance to anyone.

3.2 Question based on an understanding of risk culture. Read page no 103 of full batch notes.

3.3 Detailed understanding of the Delphi Approach is required to solve this MCQ. This is given in Full
Batch notes page 70. In the ICAI module, it is on page 2.7.

3.4 Detailed understanding of Bow-tie is required to solve this MCQ. Complete details of Bow Tie
Analysis are given in Full Batch notes on page 76.

3.5 Question based on an understanding of risk culture. Read page no 103 of full batch notes.

Note: Most of the questions are directly or Indirectly from our Complete Guidance, ATOM &
Full Batch notes; hence it is highly recommended to watch the lectures of the full batch. If it’s not
possible, at least go through the notes of the same.

Descriptive Questions

3.6 Question is about criteria for selection of members to the Enterprise Risk Committee. (A Bit of
reference of Audit can be given)

3.7 This question is about the conceptual understanding of ERM and BCP. The same is also given in
Full Batch notes page 110.

3.8 Narrative Approach is a term that subsumes a group of approaches that rely on the written or spoken
words or visual representation of individuals. These approaches typically focus on the lives of
individuals as told through their own stories.

For a better understanding of the concept, think of Reputational Risk.

3.9 Issues relating to Outsourcing Risk is a direct question from ICAI module page 9.25.

Case Study 4:
Multiple Choice Questions:

4.1 OE has a callable bond, and the interest rates are expected to rise, so the company needs to have a
swap agreement where they can pay a fixed rate and receive a floating rate of interest. This can be done
by buying a payer swaption or selling a receiver swaption, but selling the receiver swaption will earn
you a premium, whereas buying a payer swaption needs premium payment.

4.2 A zero-cost collar is a form of options collar strategy to protect a trader's losses by purchasing calls
and put options that cancel each other out. To implement a zero-cost collar, the investor buys an out of
the money put option and simultaneously sells, or writes, an out of the money call option with the same
expiration date.

4.3 You need to analyse all the options given and select which option fits the arrangement of a long
term currency swap.

4.4 A cross hedge is used to manage risk by investing in two positively correlated securities with similar
price movements. Although the two securities are not identical, they have enough correlation to create
a hedged position, providing prices move in the same direction.

4.5 Based on an understanding of the concept.

Descriptive Questions

4.6 Based on an understanding of the concept.

4.7 Case study & understanding based.

4.8 Differences between operating and financial hedging can be written from chapter 11 of SFM and
basic understanding of the above hedging strategies.

Option contracts v/s Forward contracts.

4.9 Full Batch notes page 81, understanding about Risk Register.

Case Study 5:
Multiple Choice Questions:

5.1 You have to first calculate the accounts receivable using the new receivable turnover ratio. The
difference will then be used to pay off the long-term debt; hence the current assets will reduce, and the
current ratio will fall to 1.75.

Days sales outstanding (DSO): DSO measures the average number of days that
it takes a company to collect payment for a sale.

A DSO of 40 on a 365-day basis means the collection cycle is 40 days, and the industry cycle is 30 days. So
if the company moves to the industry average, its AR will be

Accounts Receivable = 400/40*30 = 300 Million

Amount collected = 400 - 300 = 100 Million

This amount is used to repay long-term debt.

Hence new Current Ratio = Current Assets/Current Liabilities

= (300+300+100)/400
= 1.75

To practice this type of question, refer to Case Study 21 & Case Study 22 of ATOM Book.

5.2 For this type of question, your understanding of the ratios needs to be very strong.

This question is about the interpretation & understanding of the ratios; refer to page no. 186 of full batch
notes or formula sheets which is shared.

5.3 Basic understanding of different risk analysis methods is required to solve this MCQ. Refer to the
concept of sensitivity analysis.

5.4

5.5 Malware is intrusive software that is designed to damage and destroy computers and computer
systems. Malware is a contraction for “malicious software.” Examples of common malware include
viruses, worms, Trojan viruses, spyware, adware, and ransomware.

Descriptive Questions

5.6 The detailed meaning and difference between Risk Capacity, Risk Exposure, Risk Tolerance and
Risk Appetite is given on Page 82 of Full Batch notes. Direct question from our Full batch Notes.

Also, refer to the ICAI standard answer which has been given.

5.7 Defining characteristics of a cyber-resilient organisation is the same as the adequate measures of
mitigating cyber risk on page 9.27 of the ICAI Module.

5.8 Based on an understanding of the subject & topic. (New Type of Question)

5.9 Based on an understanding of the subject & topic. (New type of Question)

Test Series: April 2021
MOCK TEST PAPER
FINAL (NEW) COURSE: GROUP – II
PAPER – 6A: RISK MANAGEMENT
CASE STUDY: 1
ABCD Ltd. is a diversified business group. The consolidated Balance Sheet, Statement of Profit & Loss and
Cash Flow Statement of ABCD Ltd. prepared in analytical format are given below:
Customer Name: ABCD LTD.                              INR (Rs.) Thousand
                                                   31-Mar-18   31-Mar-19
                                                   12 months   12 months
BALANCE SHEET
CORE ASSETS
TOTAL FIXED ASSETS (A)                               222,301     214,666
TOTAL CURRENT ASSETS (B)                             763,428     679,539
TOTAL CURRENT LIABILITIES (C)                        395,337     382,908
OPERATING CAPITAL EMPLOYED (A) + (B) – (C)           590,392     511,297
TOTAL NON-CORE/NON CURRENT ASSETS (D)                 71,621      70,838
OVERALL CAPITAL EMPLOYED (A) + (B) - (C) + (D)       662,013     582,135
CAPITAL STRUCTURE
Equity Share Capital (Rs. 10 each share)             222,248     222,248
Profit and Loss Account                               98,278      61,549
Other Reserves                                        35,080      36,303
Less: Intangibles                                    -12,112      -9,620
TANGIBLE NET WORTH (E)                               343,494     310,480
Minorities                                            53,422      62,929
Provisions/Other Long Term Liabilities                61,790      56,445
OTHERS (F)                                           115,212     119,374
EXTERNAL FINANCE (G)
Bank O/D and Short Term Loans                        203,307     152,281
OVERALL CAPITAL EMPLOYED (E) + (F) + (G)             662,013     582,135
Contingent Liabilities                               101,000     131,977
Capital Commitments                                   52,500      50,000

PROFIT AND LOSS ACCOUNT
Sales                                              1,446,791   1,469,762
Less: Cost of Goods Sold                          -1,117,664  -1,132,857
GROSS PROFIT                                         329,127     336,905
Less: Distribution and Selling costs                -156,049    -160,370
Administration Costs                                -114,623    -106,887
OPERATING PROFIT                                      58,455      69,648
Share of Profit of Associate Companies                 2,030      10,059
Other Income                                          24,819      13,703
PROFIT BEFORE INTEREST AND TAX                        85,304      93,410
Less: Interest Expense                                -7,619      -4,777
PROFIT BEFORE TAX                                     77,685      88,633
Less: Taxation Charge                                 -6,500      -6,500
PROFIT AFTER TAX                                      71,185      82,133
Minorities                                           -11,976     -16,583
PROFIT AVAILABLE FOR APPROPRIATION                    59,209      65,550
Additional Information [All amounts in Rs. 000s] :
Turnover comprises: Equipment and Automotive: 28680, Consumer Products: 71400,
Industrial Products: 29800 and Office Equipment: 17100.
The largest inventory item was trading inventory and finished goods, which towards 2019-end decreased to
19100 (22200 as at 31st March, 2018).
Similarly, the figures of Trade Debtors and Creditors were as follows:
                    31-Mar-18   31-Mar-19
Trade Debtors          366246      308547
Trade Creditors        217121      230476
Sales growth of year 2019 is almost in line with the previous years.
Opening Operating Capital for the financial year 2018-19 was 611,000.
Currently the share of ABCD Ltd. is quoted in market at Rs. 80.70 per share.
Descriptive Questions
1.1 Suppose ABCD approaches a Bank for a consortium loan to finance a big project and you, as a risk
consultant, have been requested by the bank to give your opinion covering the following measures:
(i) Quantum of Liquid Assets in relation to the size of the company.
(ii) Profitability of the company reflecting the company’s age and earning power.
(iii) Operating Efficiency apart from tax and leveraging factors.
(iv) Market dimensions that can show up security price fluctuations as a possible red flag.
(v) Total Asset Turnover. (15 Marks)
Multiple Choice Questions
Choose the most appropriate answer from the given options:
1.2 An excess payment made to a vendor, which is accounted correctly, would be categorized under
which of the following risks?
(A) Financial Reporting risk
(B) Legal risk
(C) Reputation risk



(D) Financial risk
1.3 In respect of an organization, Reputation risk means
(A) Risk of possible financial loss to the organization.
(B) Risk of a failure which may lead to violation of the regulatory requirements that the organization
is supposed to comply with.
(C) Risk of the organization's reputation in public view which is a key concern in engaged media and
social media.
(D) None of the above.
1.4 Which one is an external factor in respect of risks for an insurance company?
(A) Financial position
(B) Machine failure
(C) Staff Morale
(D) Earthquake
1.5 If Risk rating is 5, then the risk is called
(A) Severe
(B) High
(C) Moderate
(D) Low
1.6 RAROC is
(A) Return on capital adjusted for inflation.
(B) Risk-based profitability measurement framework.
(C) Return on gilts
(D) None of the above (2 x 5 = 10 Marks)
CASE STUDY: 2
About one and a half years back Ms. X was appointed as Chief Risk Officer of an Airline Company. Though
she was naïve to risk management professional knowledge and skills, at the time of her interview she
presented some documents in support of her claim that she is an expert in Risk Management. Around one
month back the Risk Committee asked her to provide a report on the various risks the company is exposed to
and their bucketing according to their impacts. Accordingly, about 15 days before, Ms. X furnished a report to
the Committee. The next day the HR Head of the company contacted the Head of the Committee stating that from
some source they came to know that Ms. X is very naïve to the Risk Management profession and that the documents
presented at the time of interview are forged. Somehow Ms. X came to know about these findings
by HR about her. After that she is neither coming to the office nor picking up the phone.
You, a recently qualified Chartered Accountant who has recently joined the company in the Finance
Department, have been called by the CFO and requested to look into the report submitted by
Ms. X to confirm whether it is OK to present before the Board of Directors for their discussion at the meeting
scheduled to be held at the earliest.

The report submitted by Ms. X is as follows:
To: Board of Directors
From: Ms. X
Date: ------------------
Subject: Grading/ Bucketing of Various Risks
The company is facing some of the under-mentioned Operational Risks, and the grading/ bucketing of
these identified operational risks is in italics.
(1) Stagnant business growth due to Covid 19 and competition from other airlines.
This risk is bucketed in the category of ‘Low Probability – Low Impact’.
(2) Aggressive fleet expansion leading to over-capacities. Aggressive fleet expansion, which may lead to
over-capacities. There are about 170 aircrafts under order, which could also result in massive financial
commitments. A comprehensive feasibility study has been shared by the Company, justifying the
expansion strategy.
This risk is bucketed in the category of ‘Low Probability – High Impact’.
(3) Safety Standards resulting in Crash/ disastrous hijacking
This risk can be classified as ‘High Impact – High Probability’
(4) Volatile Oil Prices. Volatile oil prices. There is a risk of failure to address adequately the challenges of
fluctuating oil prices. Whilst it is usually rising oil prices that hurt airlines, during 2008, several airlines
suffered significant hedging losses as the hedging strategies went awry, when oil prices plummeted
from $147 p/b in July 2008 to $35-40 p/b level.
This risk can be categorized as ‘High Impact – Low Probability’
Descriptive Questions
2.1 You are required to comment whether Report is in order or not. Further you are also required to revise
the same Report on the lines of your suggestions. (15 Marks)
Multiple Choice Questions
Choose the most appropriate answer from the given options:
2.2 One of the principles of Basel Committee on Banking Supervision Principles for sound stress testing
practices and supervision is:
(A) Stress testing should form an integral part of the overall governance and risk management
culture of the bank.
(B) Stress testing should be done in case of mergers or take overs only.
(C) Stress testing should be done at the direction of Reserve Bank of India only.
(D) None of the above
2.3 Gini coefficient is an index to measure a country's:
(A) level of corruption.
(B) inequality in income distribution.
(C) level of crimes, violence, military expenditure.
(D) None of the above
2.4 The following one is a financial risk:
(A) The cash flow of an issuer will not be adequate to meet its financial obligation.
(B) A fisherman starting a sea voyage on fishing expedition.
(C) An infant climbing on a window pane.
(D) A student writing the examination.
2.5 If a long term instrument is rated as "B", this means that instrument carries:
(A) Highest Safety
(B) High Risk
(C) Very High Risk
(D) None of the above
2.6 As per the RBI's framework, SMA (Special Mention Account) with sub category 1 (SMA-1) denotes:
(A) Principal or interest payment overdue between 31-60 days.
(B) Principal or interest payment overdue between 61-90 days.
(C) Principal or interest payment not overdue for more than 30 days.
(D) None of the above (2 x 5 = 10 Marks)
CASE STUDY: 3
ABC Co. Ltd. is a manufacturing company and is listed. It has 10000 workers and 1200 employees. The
Company is subject to Ind AS 19 in respect of its employee benefits which include gratuity.
Ind AS 19 is an Accounting Standard applicable to companies which are required to measure and disclose
the amount of accrued liability (Present Value of Benefit Obligation) in respect of employee benefits in
statements of accounts.
As per the Accounting Standard, the accrued liability in respect of employee benefits can be determined
using actuarial principles. Accordingly, the Company engaged an actuary for the purposes of the Ind AS 19.
The Company is liable to make payment of gratuity benefit to its employees as per Payment of Gratuity
Act, 1972. As per the Act, the gratuity benefit is determined using a formula, which is [15/26] x monthly
salary (which is relevant for gratuity calculation) x number of completed years of service at the date of
cessation of service of the employee. There are terms and conditions mentioned in the Act for payment of
gratuity benefit, with which the company is required to comply.
The Company engaged Mr. X, a consultant actuary, to get the actuarial reports certified by Mr. X as per
Ind AS 19 for the last two years.
After submission of the actuarial report by Mr. X, in the third year, Auditors (who were recently appointed by
the Board) observed that Mr. X does not hold any certificate of fellowship issued by the Indian Actuarial
professional body. They pointed out and qualified the Accounts in their Auditors' Report. They also
observed that Mr. X's reports were accepted during the last two years.
Since the Management is worried over GRC (Governance, Risk and Compliance), the CRO (Chief Risk
Officer) was asked to address the issue pointed out by the Auditors and submit a report to the Company
giving details of the risks and how they can be mitigated.
Descriptive Questions
3.1 Now, you are recently appointed as the CRO and you are asked to draft the Report to be submitted to
the Board, and the Report should include:
(a) What is the type of risk the Company is subjected to?
(b) What is the impact of the risk on the Company's performance? (15 Marks)

Multiple Choice Questions
Choose the most appropriate answer from the given options:
3.2 A FICO score of 750 means:
(A) 1% of chance of default
(B) 2% of chance of default
(C) 8% of chance of default
(D) 61% of chance of default
3.3 Automated controls are dependent on a:
(A) Manual check
(B) Predefined system check
(C) Predetermined check
(D) None of the above
3.4 The following is the Section of the Companies Act, 2013 that instructs that the Audit Committee shall
review the risk management procedures implemented by the Management:
(A) 177
(B) 134
(C) 315
(D) None of the above
3.5 The following aspect does not indicate the risk maturity of an organization:
(A) Business objectives are defined and communicated across the organization.
(B) Risk appetite is defined and communicated across the organization.
(C) Control environment is strong including tone from the top.
(D) None of the above
3.6 Brexit impact scenario has the following associated principal risk:
(A) Brand, Reputation and Trust
(B) Data Security and Data Privacy
(C) Political, Regulatory and Compliance.
(D) None of the above (2 x 5 = 10 Marks)
CASE STUDY: 4
Sunshine Ltd. is a software company specialized in the software development for their clients. In last
decade it has earned a good name and fame. For example, a super critical boiler in a thermal power plant
takes 10-12 days to be fine-tuned or synchronized. It means system is shut for power generation and lead
to loss of millions of dollars. Sunshine Ltd. came up with a solution that cuts the time taken to synchronize a
boiler from 10-12 days to 3-4 days through the use of software and services of IT Professionals. The main
strength of Sunshine is the IT professionals it employs.
Additionally, the company has started using Machine Learning and Artificial Intelligence.
It captured data through sensors on the boilers and used the algorithm built in-house to check nearly 240
parameters and over 10,000 combinations to tune the boiler.
It also helped a global heating, ventilation and air conditioning firm to bring down the time taken to design
an AC solution in a building or office from 9 days to just 2 hours now.
However, the traditional outsourcing business of Sunshine Ltd is dying a slow death as clients are cutting their
budgets on such services and shifting their focus to newer areas such as digital and cloud.
Three-fourth of the revenue of Sunshine Ltd is from traditional services. However, half of its revenue still
comes from fixed price projects which allow it the flexibility to determine the resources it deploys and use
software tools to deliver services. Now, the aim is to increase that goal by reducing the dependency on
people and more on software led services which coincide with its goal of IT Modernization.
Sunshine Ltd. derives a major portion of its revenues from customers discretionary spending which is linked
to their business outlook. Its major revenues are from UK, USA and other European countries.
Some draft legislations in USA have been made to restrict the availability of work visas. Such protectionist
policies threaten the prospect of global mobility of people which may also affect the work of TCS as
distributed software development requires free movement of people.
Appreciation of the rupee against any major currency results in the revenue denominated in that currency to
appear lesser in reported terms. Then, there may be different exchange rate when sale took place and
when invoice is collected.
The Internal Financial Control System
The internal Financial Control System of Sunshine Ltd. has been laid down as below:
• Recording and providing reliable financial and operation information.
• Safeguarding assets.
• Ensuring compliance with corporate policies.
• Well defined delegation of power.
• Efficient ERP system.
• Internal audit by one of the big audit firms.
• Periodic audit by specialized third party consultants.
• Audit Committee found internal financial control adequate.
Descriptive Questions
4.1 Advise Sunshine Ltd. the various aspects it should cover before outsourcing any business.
(5 Marks)
4.2 Briefly explain the main issues that can surface from technology risk from an Auditor’s or Operational
Risk Professional’s perspective. (10 Marks)
Multiple Choice Questions
Choose the most appropriate answer from the given options:
4.3 Risk Adjusted Discount Rate Method is based on the concept that ……….……
(A) investors demand higher returns from more risky projects
(B) investors demand lower returns from more risky projects
(C) investors demand higher returns from less risky projects
(D) None of these

4.4 A project has a cost of capital of 10% and a payback period of 2 years with annual cash inflows
commencing from year end 2 to 4 of Rs. 60 crore. The initial investment outlay at the beginning of
year 1 shall be …………
(A) Rs. 67.80 crore
(B) Rs. 74.58 crore
(C) Rs. 60.00 crore
(D) Rs. 95.07 crore
4.5 Which of the following risk will not affect foreign exchange rate?
(A) Investment Risk
(B) Inflation Risk
(C) Interest Rate Risk
(D) Sovereign Risk
4.6. The purpose of Financial Swap is to reduce …………
(A) Interest Rate Risk
(B) Exchange Rate Risk
(C) Credit Risk
(D) Both (a) and (b)
4.7 Credit risk mitigation in Banks is a key concern of the Board. It can include the following except one.
Point out which answer is inappropriate?
(A) Norms of lending are tightened.
(B) Credit insurance.
(C) Making Covenants with the borrowers.
(D) Verification of assets. (2 x 5 = 10 Marks)
CASE STUDY: 5
ABC Limited, a listed company, announced the appointment of AG as the company’s first lead independent
director. Despite opposition by few shareholders, the management offered justifications for the new
structure to be more independent and investor friendly. Investors liked the idea and the announcement
brought positive sentiments to the falling stock prices which increased to Rs. 75.10, the next day of the
announcement. It proved that investors were optimistic about the future of the company and expected
better financial results. AG was actually appointed and made responsible for responding to the present state of
affairs of the company. The company had been struggling in recent months to address
certain corporate governance challenges. Proxy advisory firm, XYZ, raised alarms and questioned the
executive compensation package in the years of falling performance. A small shareholder filed a lawsuit
against the Board of Directors for misuse of corporate funds.
RG, the present Chairman and CEO, was working with the company since last sixteen years and was a
close family friend of promoters. His leadership style being democratic was liked and praised by everyone.
He was often found meeting people at all levels within the organisation and called for trying new things. His
philosophy diminished conflicts and tensions in pursuit of goal setting and achieving. He believes that as
long as dividend is paid to shareholders and earnings per share increases, the market values the stock. In
the last AGM, he said “The recent decline in financial performance is taken as a publicity stunt by few self
interested groups. The company is on its way towards bright future ahead”.

The Income Statement Summary of ABC Limited for last three years:
Particulars Year 2017 Year 2018 Year 2019
Revenue (Rs. Crores) 13938 13696 13373
Expenses (Rs. Crores) 9608 9420 9119
Operating Income (Rs. Crores) 4330 4276 4254
Stock Price (Rs.) 65.64 61.00 58.4
Shareholding pattern at the end of Year 2019:
Type of Shareholder Percentage Stake
Promoters 51.60
Mutual Funds 7.25
Domestic Financial Institutions and Banks 24.75
Foreign Institutional Investors 10.40
Corporate Bodies 4.60
Individuals 1.40
Total 100
Descriptive Questions
5.1 What should RG and other members of the BOD do? (5 Marks)
5.2 Suppose you are the Statutory Auditor of ABC Ltd. and you want to carry out a risk assessment of ABC Ltd.
for financial reporting purposes; then mention the circumstances in which risk can arise or change.
(10 Marks)
Multiple Choice Questions
Choose the most appropriate answer from the given options:
5.3 Which of the following is called Governance Risk?
(A) Risk of management override, deliberate acts of omission
(B) Ineffective and unethical management of a company by its executives and managerial levels
(C) Inability of management to meet its process related objectives
(D) Management interference in day-to-day operations.
5.4 Which of the following is not an index for Country Risk Analysis?
(A) Democracy Index
(B) Global Peace Index
(C) Human Perception Index
(D) Gini Coefficient
5.5 ……………… is necessary to evaluate all types of risks impacting all categories of stakeholders and
find solutions to pre-empt the threats before the risk occurs.
(A) Stakeholder Risk Management
(B) Country Risk Management
(C) Shareholder Risk Management
(D) Enterprise Risk Management

5.6 OECD Guidelines for corporate governance does not include …………….
(A) Disclosures and Transparency
(B) Role of shareholders
(C) Responsibilities of the board
(D) Institutional investors, stock markets and other intermediaries
5.7 Opportunities under Risk and Opportunity Disclosure in the Annual Report would not include …………..
(A) Value realization of by-products by exploring new areas
(B) Creating differentiation through acceleration of new product development
(C) Securing raw material supplies
(D) Volatility in financial markets and fluctuations in exchange rates (2 x 5 = 10 Marks)

Test Series: April, 2021
MOCK TEST PAPER
FINAL (NEW) COURSE: GROUP – II
PAPER – 6A: RISK MANAGEMENT
Solutions
Note: Please note these solutions are for guidance purpose only.
ANSWERS TO CASE STUDY: 1

1.1 A measure that covers all of the following requirements is the Altman Z Score.
(i) Quantum of Liquid Assets in relation to the size of the company.
(ii) Profitability of the company reflecting the company’s age and earning power.
(iii) Operating Efficiency apart from tax and leveraging factors.
(iv) Market dimensions that can show up security price fluctuations as a possible red flag.
(v) Total Asset Turnover.
The original Z-score formula was as follows:
Z = 1.2X1 + 1.4X2 + 3.3X3 + 0.6X4 + 1.0X5
X1 = working capital / total assets. Measures liquid assets in relation to the size of the company.
X2 = retained earnings / total assets. Measures profitability that reflects the company's age and
earning power.
X3 = earnings before interest and taxes / total assets. Measures operating efficiency apart from tax
and leveraging factors. It recognizes operating earnings as being important to long-term viability.
X4 = market value of equity / book value of total liabilities. Adds market dimension that can show up
security price fluctuation as a possible red flag.
X5 = sales / total assets. Standard measure for total asset turnover (varies greatly from industry to
industry).
For the various figures required in above formula let us reproduce the Balance Sheet as follows:
INR (Rs.) Thousand
Liabilities | Amount | Assets | Amount
Share Capital | 222,248 | Total Fixed Assets | 214,666
Profit & Loss A/c | 61,549 | Total Current Assets | 679,539
Other Reserve | 36,303 | Total Non-Current Assets | 70,838
Less: Intangibles | 9,620 (sub-total 310,480) | |
Minorities | 62,929 | |
Provision/ Other Long Term Loans | 56,445 | |
Bank O/D and Short Term Loans | 1,52,281 | |
Current Liabilities | 382,908 | |
Total | 9,65,043 | Total | 9,65,043

Other Data:
Working Capital = 679,539 – 382,908 – 152,281 = 144,350
EBIT = 93,410
Retained Earnings = 65,550
Sales = 1,469,762
Market Value of Equity = 80.70 x 22,224.80 = 1,793,541.36
Altman Z Score
= 1.2 × (158,743 / 965,043) + 1.4 × (65,550 / 965,043) + 3.3 × (93,410 / 965,043) + 0.6 × (1,793,541.36 / 965,043) + 1.0 × (14,69,762 / 965,043)
= 0.1974 + 0.0951 + 0.3194 + 1.1151 + 1.523 = 3.25
Since the Altman Z Score is 3.25 there is Negligible Risk of bankruptcy.
Note: There may be slight variation in the answer due to difference in considering the items to be
included in the various sums used in the formula.
1.2 (D)
1.3 (C)
1.4 (D)
1.5 (C)
1.6 (B)
ANSWERS TO CASE STUDY: 2
2.1 Risk Report of Ms. X has following shortcomings:
(1) All Risks have been categorised as Operational Risks which is wrong.
(2) Bucketing of risk is incorrect and that too not supported by reasons.

Revised Report
To: Board of Directors
From: Chartered Accountant
Date: ------------------
Subject: Grading/ Bucketing of Various Risks
Introduction
This report covers grading/ bucketing of various identified risks.
Grading of various Risks
(1) Stagnant business growth resulting from competition from other airlines.
Although this risk has a high impact, it has low probability as the investment involved in the Airline
business is very huge. Accordingly, this risk often skips the management’s decision as these types of
events cannot be foreseen. Hence, this risk is bucketed in the category of ‘High Impact – Low
Probability’.
(2) Aggressive fleet expansion leading to over-capacities.
Since the Airline has already ordered 170 aircrafts there is high probability that it will involve financial
commitments and the impact will also be high. Hence, this risk is bucketed in the category of ‘High
Impact – High Probability’ and it needs immediate and sufficient attention of management.
(3) Safety Standards resulting in Crash/ disastrous hijacking
Any crash or dangerous hijacking incidents will create negative publicity, poor image resulting in
a decline in revenue and similar consequences.
Whilst the probability is low, the strong impact ought to force the seeking of appropriate
mitigants. Hence, the impact is high and can be classified as ‘Low Probability – High Impact’. It
is suggested to ensure the adequacy of safety systems, to establish the average age of the
aircraft and if necessary, to seek the help of an external expert.
(4) Volatile Oil Prices
Oil price fluctuation is a business risk that has serious implications for the profitability of the
airline business. However, since this affects almost all competitors, the impact can be considered
as low and can be categorized as ‘Low Probability – Low Impact’.

Signed/-
Chartered Accountant
2.2 (A)
2.3 (B)
2.4 (A)
2.5 (B)
2.6 (A)
ANSWERS TO CASE STUDY: 3
3.1 Report to Board of Directors
To: The Board of Directors, ABC Co. Ltd.
From: Chief Risk Officer
Date: 30 April 2021
Subject: Analytical Report on Risks Involved
This analytical report covers the reply on the various concerns raised by the Board of Directors.
(a) What is the type of the risk the Company is subject to?
The risk arising from this lapse is ‘Legal Risk’ or ‘Compliance Risk’ as it is resulting from the
failure to comply with statutory or legal requirements.
(b) Impact on Company’s Performance
The various types of impacts on the company’s performance are as follows:
(i) Bringing bad name and reputation for the Company.
(ii) Over- or understatement of Profit or Loss in the Income Statement of the Company, leading to wrong
decisions by the Company itself and external parties.
(iii) Wrong financial position of the Company in the Balance Sheet.
(iv) Due to wrong calculation of profit company may have paid wrong dividend in previous years.
(v) Wrong computation of Cash Flows of the previous years and consequently leading to wrong
budgeting figures.
(vi) Wrong decision based on wrong budgeted figures.

Signed/-
Chief Risk Officer
3.2 (B)
3.3 (B)
3.4 (A)
3.5 (D)
3.6 (C)
ANSWERS TO CASE STUDY: 4
4.1 There are several specific aspects that need to be looked into in respect of Outsourcing Risk. Hiring of an
outsourced vendor/service provider must cover the following aspects:
• Clearly defined objective of outsourcing; this has to be brought into the scope of work;
• Contractual documentation to be adequate to ensure the service provider does only what is
assigned and to the standard mutually agreed to by all parties involved;
• Legal indemnities to the organisation to be assessed while hiring a service provider;
• In agreements where the client and the service provider are in different states or in different
countries, the respective countries’ or states’ laws have to be complied with;
• The BCP of the service provider has to be reviewed.
• The operational risk assessment covering regulatory risks, financial risk, financial reporting risk
and other risks as delivery to end customers of the client in case the service provider fails to
deliver for whatever reason.
• If technology or its disaster recovery itself is outsourced, all the attention is required to ensure
the business operations work as designed and agreed.
4.2 From an auditor’s perspective or the operational risk professional perspective, the main issues that
can surface from technology risk are:
(a) Unscheduled system downtime: Also called system malfunctioning due to which a business
process is disrupted, due to which the necessary work output suffers a setback. This could result
in financial loss, loss of opportunity of business, customer issues and loss of raw material. For
example, a system failure in a financial lending organisation may lead to critical customer
commitments like disbursements not happening due to which customer may suffer losses; or
inability to post incoming payments on account leading to liquidity issues; or inability to service a
customer account leading to customer attrition. Organisations have backup servers, systems,
databases, and disaster recovery procedures to ensure work disruption is minimized in such
circumstances. The operational risk manager is expected to have an overview of the specific
facilities available to the technology department, to service the organisation’s critical needs at
such times of failure.
(b) System failure pertaining to incorrect programming: This is by far the most common cause of
operational risk events in an organisation, since each system can only function in the manner it is
set up. Organisations either build their own systems or buy them from specialised service
providers, and customise them. In either case, depending on the nature of transactions required
to be processed, a very detailed business requirement document is required to be given to the
technology department by the business user groups. Often, either due to incapability or poor co-ordination
between the business user groups, the requirement document does not capture the
entire detailing and the extremely granular details that are required by the technical teams doing
the coding, customisation or the deployment. The result is a poorly executed system that causes
errors in processing, which may have financial, regulatory, fraud risks, depending on kind of error
in the system.
(c) Master maintenance: All systems, besides the basic coding, need a set of Masters which are
user-defined parameters that enable the processing of the data. Master configuration is in itself a
key risk that technology users face, since the linkages between products or service programs as
defined by the business users can be ambiguous, or at times contradictory instructions go to the
technology team resulting in erroneous set up of Masters.
(d) User access control: This is by far the key control for driving controls in an automated
controls environment. For example, in a lending institution, a credit officer, if allowed to process
operational activities beyond his job role, may compromise the segregation of duties
that the process is designed with; or a user may have a higher level of access that allows changing
customer data by one modification, while the process requires an authorisation which was
bypassed due to inadequate user access control maintenance. User access control requires the
user profiles to be set up properly upfront in the initial basic programming, followed by correct
assignment of user profiles upon employee requests as per their permissible authorities basis
their job role. Organisations are required to delete or modify user IDs once employees move out
from their roles or the organisation itself.
(e) Accounting systems: From an audit and accounting perspective, the most intensive focus area
is the technology platform that is used for accounting. There are obvious operational risks of
misstatements in financial reporting if the accounting software is not configured properly. In
complex organisations with several types of transactions that have a financial impact are
performed in various systems, the feed in from other production systems (i.e. outside of the main
accounting system) are very important to check for accuracy since they are used in financial
reporting. The feeds, if manual have their own risk of incorrect manual processing; in automated
feed process also, there are risks of incorrect data inflows that could lead to financial
misstatements. In lending institutions, the loan management systems are different from the main
accounting system; a huge amount of data, at various frequencies, flows into the accounting
system. The linkage of the source system to the correct GLs in accounting system, and
appropriate reconciliations, the exception reports, analysis and ongoing supervisory reviews can
prevent the data from being inconsistent in final reporting. Any regular exceptions in the data in
two systems, need to be analysed to find out the root cause of the technological reason, and any
incorrect programming. Examples are the data of customers like interest due, principal
outstanding, overdue amounts etc. which flow from loan management systems to accounting
systems.
(f) Change management: It is a key area of Information Technology General Controls (ITGC). It
simply means that any change to the systems can cause a risk of incorrect change being
developed or deployed. This can be a result of multiple causes:
• Change being carried out without approvals of authorised roles,
• Change being wrongly conceived by the user groups, without adequate analysis of pros and
cons for the change, and getting deployed by the technology unit under approvals
• Change, though conceived correctly and communicated correctly under adequate approvals
to the technology team, is wrongly executed
• The preventive control around all these issues is to ensure only authorised roles, whether
internal or external, have access to making changes in the system; these changes have to
be approved by all the departments that the change impacts so that the impact of change is
well understood before approvals are accorded; and a proper user acceptance testing is
conceived and conducted before deploying the change. Often the design of the User
Acceptance Testing (UAT) script is found defective, and sufficient combinations of test data
are not put through the system, resulting in some functionalities not being adequately tested.
• A database of such changes, such as audit trail reports, has to be judiciously maintained as
to what changes were carried out, including the issue tracker related to the changes. This
helps track back any changes, to ensure that appropriate change management control and
review was exercised.
(g) Migration risk: It is a subset of change management ITGC to the extent that the controls over an
end-to-end migration from one system to another, can bring upon significant operational risk if
not carried out perfectly. A significantly high effort is required to ideate before the deployment as
to the exact manner of migration; migration has to cover:
• Data, both dynamic and static
• Functionality mapping from old to new system, and any changes to be adequately
familiarised within user groups
• Exception reports that could help track any incorrect migration points
• User acceptance test scripts to be intelligent enough to enable the usage of the new system
after adequate granular review
• An emergency roll back plan in case some significant unpredictable issue comes up in
migration deployment.
• An auditor or operational risk manager is required to carry out a review of the data integrity
and the functionality of the systems that have an impact on the financials of the
organisation. This risk is not only restricted to financial reporting, but any risk that could
jeopardise the business process, including regulatory, financial and other risks.
(h) Technology outsourcing risk: In many organisations the technology platform, or the servicing /
maintenance of the platform is outsourced. Outsourcing, while it has its inherent efficiency benefits,
comes with operational risks of running a system through a service provider that has no or little
understanding of the actual business process the system supports in the organisation; such
relationships of principal and service provider have to be carefully defined both contractually as
well as from an operational perspective otherwise the seamless functioning of the systems can
be disrupted.
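The user access control points in (d) above (profiles limited to the job role, segregation of duties, and deleting user IDs when employees leave) can be checked with a periodic access review. The following is an added illustration, not part of the ICAI solution; the role names, profile names, user IDs and sample records are constructed assumptions.

```python
"""Periodic user access review: reconcile system accounts against the HR roster."""
from dataclasses import dataclass

# Constructed sample data (assumption): job role -> profiles that role may hold.
ROLE_MATRIX = {
    "credit_officer": {"loan_credit_appraisal"},
    "operations_officer": {"loan_disbursement", "payment_posting"},
    "ops_supervisor": {"disbursement_authorisation"},
}

# Profile pairs one person must never hold together (segregation of duties).
SOD_CONFLICTS = [
    ("loan_credit_appraisal", "loan_disbursement"),
    ("loan_disbursement", "disbursement_authorisation"),
]

# Constructed HR roster: employee id -> (employment status, current job role).
HR_ROSTER = {
    "E101": ("active", "credit_officer"),
    "E102": ("active", "operations_officer"),
    "E103": ("left", "operations_officer"),
    "E104": ("active", "ops_supervisor"),
}

# Constructed system extract: (user id, employee id, enabled, assigned profiles).
SYSTEM_ACCOUNTS = [
    ("u_asha", "E101", True, {"loan_credit_appraisal", "loan_disbursement"}),
    ("u_ravi", "E102", True, {"loan_disbursement", "payment_posting"}),
    ("u_meena", "E103", True, {"loan_disbursement"}),
    ("u_john", "E104", True, {"disbursement_authorisation"}),
    ("u_temp", "E999", True, {"payment_posting"}),
    ("u_old", "E103", False, {"payment_posting"}),
]


@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str
    detail: str


def review_access(accounts, roster, role_matrix, sod_conflicts):
    """Return the exceptions an access review should raise, in account order."""
    findings = []
    for user_id, emp_id, enabled, profiles in accounts:
        if not enabled:
            continue  # a disabled ID cannot be used, so it is not an exception
        record = roster.get(emp_id)
        if record is None:
            # Enabled account with no employee behind it (shared or test ID).
            findings.append(Finding(user_id, "NO_OWNER", f"unknown employee {emp_id}"))
            continue
        status, role = record
        if status != "active":
            # The user ID was not deleted when the employee left.
            findings.append(Finding(user_id, "LEAVER_ACTIVE", f"{emp_id} status={status}"))
            continue
        # Profiles beyond what the job role permits.
        for profile in sorted(profiles - role_matrix.get(role, set())):
            findings.append(Finding(user_id, "EXCESS_PROFILE", f"{profile} not allowed for {role}"))
        # Conflicting profiles held by the same person.
        for first, second in sod_conflicts:
            if first in profiles and second in profiles:
                findings.append(Finding(user_id, "SOD_CONFLICT", f"{first} + {second}"))
    return findings


if __name__ == "__main__":
    for f in review_access(SYSTEM_ACCOUNTS, HR_ROSTER, ROLE_MATRIX, SOD_CONFLICTS):
        print(f"{f.user_id:8} {f.kind:15} {f.detail}")
```

The credit officer who can also disburse is reported twice, once for holding a profile outside the job role and once for the segregation-of-duties conflict, which mirrors the lending example in (d).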
4.3 (A)
4.4 (A)
4.5 (A)
4.6 (D)
4.7 (D)
ANSWERS TO CASE STUDY: 5
5.1 RG and other members of the board should:
(i) Avoid conflicts of interest arising between independent directors, non-executive directors and
executive directors.
(ii) Establish a regular and transparent communication mechanism to ensure continuous and robust
dialogue and information sharing between all the board members.
(iii) Ensure tapping of the maximum benefit of expertise, skills, experience and perspectives of lead
independent director.
(iv) Set the tone from the top, and seek to effectively inculcate an appropriate risk culture throughout
the firm.

5.2 The ICAI Guidance note on Internal Financial Controls over financial reporting states that for
financial reporting purposes, the entity’s risk assessment process includes how management identifies
business risks relevant to the preparation of financial statements in accordance with the entity’s
applicable financial reporting framework, estimates their significance, assesses the likelihood of their
occurrence, and decides upon actions to respond to and manage them and the results thereof.
For example, the entity’s risk assessment process may address how the entity considers the
possibility of unrecorded transactions or identifies and analyses significant estimates recorded in the
financial statements. Risks relevant to reliable financial reporting include external and internal events,
transactions or circumstances that may occur and adversely affect an entity’s ability to initiate, record,
process, and report financial data consistent with the assertions of management in the financial
statements. Management may initiate plans, programs, or actions to address specific risks or it may
decide to accept a risk because of cost or other considerations.
Risks can arise or change due to the following circumstances:
(a) Changes in operating environment. Changes in the regulatory or operating environment can
result in changes in competitive pressures and significantly different risks.
(b) New personnel. New personnel may have a different focus on or understanding of internal
control.
(c) New or revamped information systems. Significant and rapid changes in information systems
can change the risk relating to internal control.
(d) Rapid growth. Significant and rapid expansion of operations can strain controls and increase the
risk of a breakdown in controls.
(e) New technology. Incorporating new technologies into production processes or information
systems may change the risk associated with internal control.
(f) New business models, products, or activities. Entering into business areas or transactions
with which an entity has little experience may introduce new risks associated with internal control.
(g) Corporate restructurings. Restructurings may be accompanied by staff reductions and changes
in supervision and segregation of duties that may change the risk associated with internal control.
(h) Expanded foreign operations. The expansion or acquisition of foreign operations carries new
and often unique risks that may affect internal control, for example, additional or changed risks
from foreign currency transactions.
(i) New accounting pronouncements. Adoption of new accounting principles or changing
accounting principles may affect risks in preparing financial statements.
5.3 (B)
5.4 (C)
5.5 (A)
5.6 (B)
5.7 (D)



Updates on Case Study Issues by ICAI_Case Study Digest_By CA Shivam Palan_CA Monk
Case Study No. | Details/ Common Links | Reference in AIQ | Updates or Changes
Case study 1 | Same as March 19 Test Series - Case study 1 | Page no. 138 | March 19 Case study is of 30 Marks; + It has 5 extra MCQs (Skip)
Case study 2 | Mock Test Aug 18 - Case Study 1 | Page no. 99 | Aug 18 has 5 extra Mcqs (Skip)
Case study 3 | Oct 19 Mock test paper Case Study -3 | Page no. 186 | (Skip)
Case study 4 | March 19 Mock Test Paper - Case Study 2 | Page no. 139 | March 19 has 5 extra mcqs and 4 extra descriptive Question (Skip)
Case study 5 | March 19 Mock Test Paper - Case Study 3 | Page no. 142 | New one has more relevant questions as old one had question on old chapter 4 (Look New Questions from Case Study 5) {MCQs are same}
Case study 6 | Oct 20 Mock Test Paper- Case study 5 | Page no. 268 | Descriptive questions are drafted in different way in ICAI Digest, please check the questions {MCQs are same}
Case study 7 | Case study 1 | Page no. 1 | (Skip)
Case study 8 | Case study 2 | Page no. 20 | (Skip)
Case study 9 | Case study 3 | Page no. 27 | (Skip)
Case study 10 | Oct 2019 Mock Test Paper CS-5 | Page no. 189 | (Skip)
Case study 11 | May 2020 Mock test paper CS-2 | Page no. 233 | (Skip)
Case study 12 | May 2020 Mock Test Paper CS-3 | Page no. 237 | (Skip)
Case study 13 | May 2020 Mock Test Paper CS-4 | Page no. 239 | (Skip)
Case study 14 | May 2020 Mock Test Paper CS-5 | Page no. 241 | (Skip)
Case study 15 | New | NA | Solve It
Case study 16 | New | NA | Solve It
Case study 17 | New | NA | Solve It
Case study 18 | New | NA | Solve It
Case study 19 | Aug 18 MTP Case study 2 (A) | Page no. 101 | (Skip)
Case study 20 | Aug 18 MTP Case study 2 (B) | Page no. 101 | (Skip)

Board of Studies
The Institute of Chartered Accountants of India

30th June, 2021

-----------------------------------------------------------------------------------------------

Corrigendum to the Case Study Digest for CA Final Paper 6A Risk Management

(1) In the Case Study 1 on page 1.4 please read the answer of MCQ 1.3 as (d) instead of
(c).

(2) In the Case Study 15 on page No. 15.3 before the Answer please consider the
undermentioned Exhibits as part of Case Study.

EXHIBIT 1

PICTURE OF START-UP ECO SYSTEM

There is strong evidence to show that the numbers do not give an entirely accurate picture
of the start-up eco system. According to Data Analytics firm, the number of start-up deals,
in fact decreased in 2017 and 2018 from the respective year-ago periods, which read as
follows-

CHART 1-Deal volumes have plummeted, despite the odd high value investment

Year Number of Deals

2016 1764

2017 1621

2018 1366

2019 847 (till date)

CHART 2-Fund infusion has gone up, but VCs are mostly targeting well established firms.

(In $bn)

Year Value

2016 5.5

2017 11*

2018 11

2019 9.5 (till date)

*excludes Flipkart

Deal volume has again dropped sharply this year. What is more, even the number of new
start-ups has decreased sharply in the same period with less than 1000 new internet
start-ups being launched in 2017 as compared to more than 6000 in 2016, and this number
continued to decline in 2018 and 2019. These data point to a startling possibility - Internet
entrepreneurship is on the decline in India. It is certainly not mushrooming without fetters,
as is commonly believed.

EXHIBIT 2

REALITY CHECK

The decline in the overall deal volume and in new start-up formation is linked and is caused
by many factors. One obvious reason is the threat posed by large Chinese and American
internet firms. Whenever an established foreign internet firm - Amazon, Uber and Byte-Dance
are the most prominent examples in this decade - enters a sector, the number of local
start-ups shrinks. Usually, there are survivors such as Flipkart, Ola and Share Chat that
continue to thrive. The space for others shrinks dramatically. The American and Chinese
internet companies have huge capital, tech expertise and the knowledge of how to scale - it
is very hard for a local start-up to compete. There are other reasons also, like network
effects, as internet platforms expand and it becomes difficult for a newcomer to beat
incumbents as long as the latter keep innovating and improving their service. It is also
believed that the fall in deal volume shows that the start-up eco system is starting to become
more realistic about the potential of the consumer market.

EXHIBIT 3

THE BRIGHTER SIDE

What has improved significantly in the past 4 years is both the quality of entrepreneurs
and the strength of start-up ideas. The average age of founders has increased. It is no
longer kids out of college who are starting up. There are many second time entrepreneurs,
people who have worked at start-ups before, and, in general, founders as a group are far
more serious. The ideas that are emerging are better thought out. These are very healthy
indicators.

This is corroborated by the fact that as many as 70% of founding teams that go on to
receive Series-A-funding have prior experience of working at an internet start-up. The
deeper knowledge and start-up experience of founding teams has also been complemented
by a similar shift in the venture eco system. In the 2015-16 period, when deal activity was
at its peak, many inexperienced angel investors had poured cash into early stage internet
companies. Most of these bets turned sour and angel investors fled the scene. Early stage
funding is now dominated by a handful of institutional firms, which invest far more
conservatively, which is the single biggest reason contributing to fall in deal volume,
compounded by the fact that the number of prolific venture funds in India has not increased
substantially in the past 3 years.

EXHIBIT 4

EXITS HOLD THE KEY

While deal volume has dropped sharply over the past 3 years, exits for VCs have, however,
touched new highs. In May 2018, Walmart agreed to pay $16 billion for majority stake in
Flipkart, enriching the latter’s investors such as Tiger Global, Soft Bank, Naspers and Accel.

Secondary share sales between investors, however, have been the main source of start-up
exits ensuring that VCs earned about $2.8 billion in 2017 up from $1.8 billion in 2016,
according to data supplied by Venture Intelligence.

But investors said deal volume may continue declining until Indian start-ups can pull off
successful initial public offerings. That task seems to have become tougher than ever after
the poor market debut in the US of Uber, and the shelved listing of We-Work. Many Indian
unicorns have perceived a growth-at-all-cost strategy, similar to that of Uber and We-Work,
and are nowhere near attaining profitability.

(3) In the Case Study 20 on page 20.4 please read the answer of MCQ 20.4 as (b) instead
of (c).

Query Sheet
Case Study 15 of ICAI Digest:

Factors based on which FDI Invests:

1. Wage Rates
2. Labour Skills
3. Tax rates
4. Transport and infrastructure
5. Size of economy/potential for growth
6. Political stability / property rights
7. Commodities
8. Exchange rate
9. Access to free trade areas.
10. Other Factors

In order to ease the flow of foreign investment in Indian startups, the Government of India in
Consolidated FDI Policy 2017 allowed the foreign venture capital investors to contribute up to 100%
of the capital of startups in any sector under the automatic route (no approval needed). Investments
can be made in equities, equity-linked instruments or other debt instruments issued by the startups
and, if the startup is a partnership or LLP, in its capital or profit-sharing arrangement.

A very small number of fortunate companies grow according to the model described (and with little or
no "outside" help); the large majority of successful startups have engaged in many efforts to raise capital
through rounds of external funding. These funding rounds provide outside investors with the
opportunity to invest cash in a growing company in exchange for equity or partial ownership of that
company. When you hear discussions of Series A, Series B and Series C funding rounds, these terms
refer to this process of growing a business through outside investment.

There are other types of funding rounds available to startups, depending upon the industry and the level
of interest among potential investors. It's not uncommon for startups to engage in what is known as
"seed" funding or angel investor funding at the outset. Next, these funding rounds can be followed by
Series A, B and C funding rounds, as well as additional efforts to raise capital, if appropriate.
Series A, B and C are necessary ingredients for a business that decides that bootstrapping, or merely
surviving off the generosity of friends, family and the depth of their own pockets, will not suffice.

How does Funding work?

Before exploring how a round of funding works, it's necessary to identify the different participants.
First, there are the individuals hoping to gain funding for their company. As the business becomes
increasingly mature, it tends to advance through the funding rounds; it's common for a company to
begin with a seed round and continue with A, B and then C funding rounds.

On the other side are potential investors. While investors wish for businesses to succeed because they
support entrepreneurship and believe in those businesses’ aims and causes, they also hope to gain
something back from their investment. For this reason, nearly all investments made during one or
another stage of developmental funding are arranged such that the investor or investing company retains
partial ownership of the company. If the company grows and earns a profit, the investor will be rewarded
commensurate with the investment made.

Before any round of funding begins, analysts undertake a valuation of the company in question.
Valuations are derived from many different factors, including management, proven track record, market
size and risk. One of the key distinctions between funding rounds is the valuation of the business and
its maturity level and growth prospects. In turn, these factors impact the types of investors likely to get
involved and the reasons why the company may be seeking new capital.

#Startup exit strategies: acquisition, M&A and IPO. Or is it better to ‘milk the cow’?

The main exit strategy for startups is to sell the company to a bigger one for a profit. The same goes
for investors.

15.1. Why has ICAI not written the type of risk in the Risk Scenario?
Whenever you are asked to write the risk scenario, you are supposed to write the type of risk and
details about that risk.

15.2 to 15.6 All are direct MCQs related to the case study.

By CA Shivam Palan_Target80+RM
Case Study 16 of ICAI Digest:

16.1. Unable to find the type of risk in question?

For this type of question, you need to write the type of risk based on the industry which is given. Do
refer to the Complete Guidance book (Page no. 302) where we have classified the risk based on the
type of industry.

16.2 Read the question carefully; it is divided into 3 parts:

i) Cyber Crime Prevention
ii) Risk Management for IT-enabled operating system (Refer 9.26 ICAI Material)
iii) Governance System (Full batch Notes page no. 152)

16.3 Doubt in the answer has been mailed to ICAI.

16.4 to 16.7 Direct and easy questions.

Case Study 17 of ICAI Digest:

17.1 Includes identification of the type of risk which is faced by the company.

17.2 It is difficult to identify which risk score method ICAI has used to identify the risk:
There are a total of 4 types of methods through which we can decide the measurement of the
likelihood scale and consequence scale.

Details of Risk Score Given in Book

• 1.12 - Open Group Standard
• 1.13 - Risk-Based Internal Audit
• 2.6 - Traffic Signal Risk Card
• 2.25 - No Reference given

However, in the current question, it is difficult to identify which method ICAI has used to decide the
Measurement of Likelihood and Consequence scale.

However, you can use the Likelihood & Consequence method given on Page no. 21 & 22 of the Full
batch.

17.3 Answer to be given based on the understanding of Topic.

17.4 Understanding based

17.5 Refer page no 9.9 of ICAI Material

17.6 & 17.7 Case study based.

17.8 Page no 156 Full Batch Notes + 7.8 of ICAI Material.

Case Study 18 of ICAI Digest:

18.1 Includes identification of the type of risk which is faced by the company.

18.2 First understand what an RMF is.
A risk management framework (RMF) is the structured process used to identify potential threats to an
organisation and to define the strategy for eliminating or minimising the impact of these risks, as well
as the mechanisms to effectively monitor and evaluate this strategy.

Suggest a Risk management Framework: ICAI has written a summary of Chapter 2 in short.

18.3 to 18.7 All the MCQs are based on understanding of the subject.

DISCLAIMER
The Suggested Answers hosted on the website do not constitute the basis for evaluation of the
student’s answers in the examination. The answers are prepared by the Faculty of the Board of
Studies with a view to assist the students in their education. Alternate Answers have been
incorporated, wherever necessary. While due care is taken in preparation of the answers, if any
error or omission is noticed, the same may be brought to the attention of the Director of Board
of Studies. The Council of the Institute is not in any way responsible for the correctness or
otherwise of the answers published herein.

Further, in the Elective Papers which are Case Study based, the solutions have been worked
out on the basis of certain assumptions/views derived from the facts given in the question or
language used in the question. It may be possible to work out the solution to the case studies
in a different manner based on the assumptions made or views taken.

© The Institute of Chartered Accountants of India


FINAL (NEW) EXAMINATION: JULY 2021

PAPER-6A – RISK MANAGEMENT


The Question Paper comprises five case study questions. The candidates are required
to answer any four case study questions out of five.
Answers in respect of Multi Choice Questions are to be marked on the OMR answer sheet
only.
Answer to other questions to be written on the descriptive type answer book.
Answer to MCQs, if written in the descriptive type answer book will not be evaluated.
Please ensure to answer the MCQs relevant to questions attempted in descriptive answer
book.
Candidates may use calculator.
CASE STUDY -1
INTRODUCTION
Alpha Mining Ltd. (AML) is a big player in mining industry in India. Currently there is no formal
risk management process in the company and it is more regulatory focused. The Chief Financial
Officer (CFO) is responsible for risk management activities also. The board of AML believes that
in the current environment of mounting economic, regulatory, and marketplace pressures and
constant technological disruption, virtually all industries face increasing strategic risk and so is
the case of AML. The board is concerned that the same is not being managed properly currently
and has asked the CFO to make a presentation in this respect.
OBSERVATIONS BY THE BOARD
1. In fact, in a recently concluded board meeting the chairman of the board wanted to know
whether risks of AML are being managed to a high standard. Further, the rising number of
litigations against AML is cause of concern especially considering the fact that there is no
policy framed by the board in this respect. Such risks are not only increasing operational
risks of AML but also there is potential for misrepresentation in the financial statement.
The board has also expressed its concern about the manner in which settlements
against litigations are negotiated.
2. Mr. S Lal who has been recently inducted on the board and is a recognised expert in risk
management has suggested that the primary way to receive assurance will be through
confidence that AML has an effective risk appetite framework.
3. During the board meeting, the CFO of AML informed the board that AML has undergone
an extensive performance audit by the regulator and a number of observations have been
made by them on environmental issues.
4. AML has in place an information security policy but the internal auditors have pointed out
a number of breaches including breaches by end users.

5. Improving risk management framework is the key agenda for the board and the CFO has
been authorized to take external help in this respect.
ACTIONS TAKEN ON THE DIRECTIONS GIVEN BY THE BOARD
1. Considering the various issues raised by the regulators and the board, the CFO hired a
risk management consulting firm. The risk management consultant has advised for the
development of a risk management framework and Risk Appetite Statement (RAS) in order
to articulate AML's risk position on all key risks including human health and the
environment in contaminated environments. He further advised that by developing a risk
management framework, AML would be able to state its accepted level of risk relating to
managing the environmental audits it conducts and would be conscious when making
decision to either accept or manage risk more effectively and efficiently.
2. The consultant has also advised to express risk appetite in a number of key areas to align
with statutory responsibilities and strategic objectives of AML. In addition to this, the
consultant also wants AML to focus on 'soft elements' identified by them that would
influence the risk appetite. In a nutshell, he advised to define risk capacity in order to
ensure that AML is remaining within constraints implied by its regulatory obligations, state
its risk appetite and specific desires to achieve AML's objectives and distinguish limits and
thresholds for its key risk categories and dimensions.
3. The internal auditors have suggested that issues relating to breaches by end users are to
be addressed more appropriately in the information security policy especially covering end
user computing (this refers to computing facilities made available to users based on the
business requirements for accessing and/or processing the information independently),
internet and email usages.
Multiple Choice Questions
Choose the most appropriate answer from the answer options:
(1.1) (1) Risk appetite, (2) risk capacity, (3) risk target, (4) risk tolerance and (5) risk limits are
closely associated in risk management. Which one of the following arrangements shows the
correct sequence in risk management in practice?
(A) 1-2-3-4-5
(B) 2-1-4-3-5
(C) 3-1-2-5-4
(D) 4-1-3-2-5
(1.2) Which one of the following is incorrect about the strategic risks?
(A) Unique to the organization.
(B) Damaging to the entire organization.

(C) Associated with primary objectives of the organisation.
(D) Easy to address with customary risk management methods.
(1.3) While considering risk and uncertainty, the risk management team must be aware that:
(A) Risk assessment is the sole method of reducing uncertainty.
(B) Risk can apply to both opportunities and threats.
(C) Uncertainty should always be considered completely separate from risk.
(D) Uncertainty should only be considered when reviewing long-term objectives.
(1.4) The Board of AML has asked your help so as to decide which type of risk framework is
expected to improve efficiency by aligning strategy, processes, technology and people?
(A) Controls, risk and supervision.
(B) Corporate governance and control.
(C) Governance, risk and compliance.
(D) Supervision, audit and compliance.
(1.5) One of the board members raised the question about potential benefits of the risk
management to AML. Which one of the following is not a potential benefit of risk
management?
(A) Reduced cost of capital.
(B) More effective resource allocations.
(C) Increased understanding of entity objectives.
(D) Decreased inherent risk.
(2 x 5 = 10 Marks)
Descriptive Questions
(1.6) Describe any three 'soft elements' that in your opinion influence the risk appetite of an
organization. (6 Marks)
(1.7) What are the advantages of viewing strategic risks as dynamic processes in an
organisation? (3 Marks)
(1.8) While framing the Policy on Management of Litigation, what are the important factors which
AML should consider for negotiating settlement so that operational risk arising from
litigations can be minimised? (2 Marks)
(1.9) While assuming ownership of information assets, what are the points relating to end users
that you would consider in the information security policy which the end users in general
and particular for internet and email usages would be required to adhere to? (4 Marks)

Answer
Multiple Choice Questions
1.1 (B)
1.2 (D)
1.3 (B)
1.4 (C)
1.5 (D)
Descriptive Questions
1.6 Following are the ‘soft’ elements that influence the risk appetite of an organization:
• Risk attitude – This can be described as an organization's or individual's attitude
towards risk-taking. One's attitude may be described as risk averse, risk-neutral, or
risk-seeking.
• Risk culture – Risk culture is the norms of behaviour for individuals and groups
within an organization that determine the collective ability to identify and understand,
openly discuss and act on the organization's current and future risk.
(Or)
Risk culture means that all levels of the organisation from the junior most to the Chief
Executive understand and appreciate the positive and negative results that a risk
event can bring.
(Or)
Risk culture is “the combined set of individual and corporate values, attitudes,
competencies and behaviour that determine a firm’s commitment to and style of
Operational Risk Management.”
• Risk perception – Belief (whether rational or irrational) held by an individual, group,
or society about the chance of occurrence of a risk or about the extent, magnitude,
and timing of its effect(s).
1.7 Viewing strategic risks as dynamic processes in an organization ensures:
❖ Treatment of root cause analysis rather than use of temporary methods to fix the
symptoms.
❖ Anticipating the emerging risks.
❖ Focusing on areas of high importance.
❖ Converting challenges into opportunities.

1.8 While framing the policy on Management of Litigation, the following factors should be
considered for negotiating settlement by AML so that operational risk arising from litigation
can be minimized:
• Merits of the claims.
• SWOT analysis of the case.
• Costs of litigation.
• Opportunity cost of settlement.
• Ensuring proper due diligence before entering into a contract.
• Clearly identifying each and every term of the contract.
1.9 General Requirements
(a) Sign a confidentiality agreement for non-disclosure of confidential data.
(b) No use of information assets for personal use and non-job related activities without
authorisation in writing.
(c) Non-recording or processing of information that knowingly infringes any patent or
breaches any copyright.
(d) Responsibility for protecting the information assets against unauthorized access and
misuse.
Internet Use
To ensure that while browsing/downloading/uploading/accessing any information through
internet facility available to employees on computing devices the security policy of Alpha
is not violated.
E-mail
To ensure the company provided electronic mail facility is not misused and users owning
the email account will be completely responsible for emails originated from their accounts.
No official data/documents can be sent using public email unless authorization for the
same is taken.
Alternative Solution
Points to be considered for information security relating to end users in general and
particularly for internet and e-mail usages are as follows:
General usage:
(i) End users are expected to adhere to the organisation’s Code of Conduct that has a
significant section on confidentiality and protection of data, broadly covering
information security aspects.

(ii) End users must undergo the mandatory training depending on their roles and
exposure.
(iii) Installation of software without the proper permission in the computer systems or
laptops of company should be prohibited.
(iv) Frequently changing the passwords.
Internet usage:
(i) Internet should be used responsibly and productively. The use should be for job
related work and use for personal purpose should not be permitted.
(ii) The equipment, services and technology used for internet are property of the firm and
hence the traffic and data accessed should be monitored at regular intervals.
(iii) Websites and downloads should be monitored on a regular basis. If required, sites
should be blocked if not useful for the company.
Email usage:
(i) E-mail contents should not contain anything which is deemed to be offensive. The
language should also not be vulgar or harassing.
(ii) Not to open Spam E-mails.
CASE STUDY - 2
INTRODUCTION
Star Pharma is a leading player in the pharmaceutical industry. It is an integrated global
pharmaceutical company engaged in the development, manufacturing, marketing, sale and
distribution of generic, brand pharmaceutical and over the counter (OTC) products. The
Company competes with different companies depending upon product categories, and within
each product category, upon dosage strengths and drug delivery systems. Such competitors
include the major brand name and generic and OTC manufacturers of pharmaceutical products.
In addition to product development, other competitive factors include product quality and price,
reputation and service and access to proprietary and technical information.
Star Pharma has commercial operations in a number of established international markets with
the opportunity for rapid growth in many emerging markets around the world. The chief operating
officer (COO) believes that a global presence will allow the company to expand revenue base
and manage risk through diversification. The COO and his team are expecting to capitalize on
opportunities for growth within new markets that have opened up after the COVID-19.
The company has set up a separate treasury in order to manage the forex risk and is headed by
Chief Financial Officer (CFO). Two employees have been hired to monitor forex positions,
exchange rates and use appropriate hedge products.

ISSUES FACED BY STAR PHARMA


1. Star Pharma has several OTC brands that are hugely popular in the market. In recent times,
quality issues have been raised by a significant number of customers. The management
investigation in the matter has revealed that this happened because of weak control over
the raw materials. In fact, audit team identified many more operational risk issues
including the gaps in the procurement system. Frequent rejections in highly competitive
OTC products segment have exposed the company to reputational risk.
2. As the Company operates on a global basis with offices or activities in Europe, Africa, Asia,
and North America, it faces several risks inherent in conducting business internationally,
including compliances. These laws and regulations include data privacy requirements,
labor relations laws, tax laws, anti-competition regulations, import and trade restrictions,
export requirements etc. Given the high level of complexity of these laws, however, there
is a risk that some provisions may be inadvertently breached. Violations of these laws and
regulations could result in fines, criminal sanctions against the Company, officers or
employees, and prohibitions on the conduct of our business. Any such violations could
also include prohibitions on products in one or more countries and could materially damage
reputation, brand, international expansion efforts, and ability to attract and retain
employees, business and operating results. The management believes that success
depends, in part, on their ability to anticipate these risks and manage these difficulties.
3. In addition to the foregoing, engaging in international business inherently involves a
number of other difficulties and risks such as longer payment cycle, potentially adverse tax
consequences, tariffs, customs charges, bureaucratic requirements and other trade
barriers, difficulties and costs of staffing and managing foreign operations. These factors,
or any combination of these factors, may adversely affect revenue or overall financial
performance of Star Pharma.
4. Star Pharma has now started extensively using online mode of order taking, payment and
delivery. The company has hired a number of vendors for this purpose. The operating model
has now been completely revamped. The company has now created a database of
customers which helps in marketing new products. This has started showing results but
has also exposed the Company to new risks including cyber risks. Recently, the
Company was attacked by Malware which affected the operations of the Company for one
day. Cyber security was not an agenda in the past. But with change in the operating model
this has become one of the key risks of Star Pharma. The Board believes that now the
Company will have to invest in cyber security to minimize the possibility of having a
cyber-loss and make the Company cyber resilient. For this reason they want a
comprehensive review of Business Continuity Planning (BCP).
5. Currently Star Pharma has risk management· system in place but it is not integrated. In
other words it is looking for a unifying philosophy that draws together management of all
types of risks. The Board wants that risk management team must look at the risks that
could affect the core process or stakeholder expectation on an enterprise-wide basis. The
Board is fully aware that risk management has become more important because of
increasing stakeholder expectations and the ever-increasing ease of communication. The
Board wants to be confident that risks have been identified and that appropriate steps have
been taken to manage risk to an appropriate level. Also, there is greater emphasis on
accurate reporting of information by organizations, including risk information. In this
backdrop, implementation of enterprise risk management (ERM) is being evaluated. While
the management agrees with the need of ERM they are yet to take decision considering
the cost involved in this decision.
Multiple Choice Questions
Choose the most appropriate answer from the answer options:
(2.1) Control Risk Self-Assessment (CRSA) is a powerful tool that may be used to support ERM.
Which one of the following is incorrect with respect to ERM and CRSA?
(A) ERM covers all risks whereas CRSA covers specific risks.
(B) CRSA is driven by risk policy whereas ERM is driven by desire for improved
operations.
(C) ERM is mainly risk concepts for entire operations whereas CRSA is mainly workshops on risk
and controls.
(D) CRSA is based on local risk registers whereas ERM is based on corporate risk
reporting system.
(2.2) As a part of the treasury team of AML, the CFO has asked you to do hedging by borrowing
foreign currency, converting it to domestic currency, and investing the domestic currency.
Which one of the following derivatives is close to the above mentioned activities?
(A) Forward purchase contract.
(B) Option contract.
(C) Interest rate swap.
(D) Currency swap.
(2.3) During the review of receivables, the CFO found that a bill amounting to GBP 10,00,000
was overdue for payment for more than 30 days. The CFO has asked you to verify whether
the overdue bill has been crystallized by the Authorised Dealer by applying correct
exchange rate. Which one of the following is the correct exchange rate for crystallization
of the overdue export bills?
(A) Bill selling rate
(B) TT selling rate
(C) FC selling rate
(D) TT buying rate
(2.4) Star Pharma is expecting EUR 5 million in six months' time and the treasury has decided
to carry out cross-hedge. Which one of the following explains the cross-hedge?
(A) It involves the use of forward contracts, a combination of spot and market and money
market transactions, and other techniques to protect from foreign exchange loss.
(B) It is a technique designed to hedge exposure in one currency by the use of futures or
other contracts on another currency that is correlated with the first currency.
(C) It involves an exchange of cash flows in two different currencies between two
companies.
(D) It involves a loan contract and a source of funds to carry out that contract in order to
hedge transaction exposure.
(2.5) The CFO of Star Pharma has asked the treasury team to negotiate a forex swap with the
bank. In this context, what type of forex-swap is to be negotiated when it is to be done from
tomorrow until the next date?
(A) Tom-next
(B) Spot-next
(C) Cash-next
(D) Forward-next (2 x 5 = 10 Marks)
Descriptive Questions
(2.6) In the changed business model, the management of Star Pharma has identified vendor
risk management as the key area of cyber security risk management. In the light of this
what would be your suggestions to the Company for vendor risk management? (4 Marks)
(2.7) What are the two defining characteristics of a cyber-resilient organization?
What is 'Reverse Stress Testing' in case of a cyber-resilient organization? (3 Marks)
(2.8) You are required to prepare a short note for the board explaining what ERM is and list
its features so that the board can take a decision about the implementation of the same.
Also, explain how ERM is linked with the BCP? (6 Marks)
(2.9) The treasury team of Star Pharma has been using forward contracts as tool to hedge forex
risks. The CFO is not satisfied with this after the performance review of the treasury
function. Prepare a note for CFO listing advantages of a 'currency option contract' as a
hedging tool compared with the 'forward contract'. (2 Marks)


Answer
Multiple Choice Questions
2.1 (B)
2.2 (A)
2.3 (B)
2.4 (B)
2.5 (A)
Descriptive Questions
2.6 Suggestions for Vendor Risk Management
(i) Vendor contract should include information security requirements, specific
responsibilities and consequences for unauthorized access to information of the
company.
(ii) Evaluate, assess, approve, review control and monitor the risks and materiality of
vendors and ensure that they are in sync with the information security policy of the
company.
(iii) In the SLA (Service Level Agreement) legal and regulatory requirements including
data protection, intellectual property rights and copyrights should be included.
(iv) SLA shall include confidentiality including background check clause and credentials
of vendor personnel accessing and managing critical data shall be maintained and
monitored.
Alternative Solution
Several specific aspects need to be looked into in Vendor Risk Management, as follows:
❖ Clearly defined objective of outsourcing; this has to be brought into the scope of work;
❖ Contractual documentation to be adequate to ensure the service provider does only
what is assigned and to the standard mutually agreed to by all parties involved;
❖ Legal indemnities to the organisation to be assessed while hiring a service provider;
❖ In agreements where the client and the service provider are in different states or in
different countries, the respective countries’ or states’ laws have to be complied with;
❖ The BCP of the service provider has to be reviewed.
❖ The operational risk assessment covering regulatory risks, financial risk, financial
reporting risk and other risks such as delivery to end customers of the client in case the
service provider fails to deliver for whatever reason.
❖ If technology or its disaster recovery itself is outsourced, all the attention is required
to ensure the business operations work as designed and agreed.
❖ Work should be allocated only to authorized and approved vendors.
❖ Vendors should not be allowed to have unauthorized access to data.
2.7 Both the disruption duration and the operational restoration time are basic defining
characteristics of resilience.
A cyber-resilient organization should know just how bad a cyber-attack would need to be
to threaten its viability, or to have its credit rating downgraded. This is called reverse stress
testing. Through systematic reverse stress testing, measures can be developed to protect
a corporation against such unacceptable outcomes.
Alternative Solution
Defining characteristics of cyber-resilient organization are as follows:
• Identification of risk areas: whether it is own or outsourced network, internet,
individual computers, mobile devices etc. Prioritization of resources and effort can be
managed accordingly.
• Adequately restricting access to systems is the common way to prevent cyber risk;
this is done by password protection at various levels, from common user to
administrator level.
• Encryption on individual computers is also done in such a manner that, if a computer is lost, an
unauthorised entity cannot download the data into an external storage device.
• There are several technology solutions that create an adequate firewall of the
organisation’s systems to protect them from hacking from outside.
• Regular vulnerability testing of the firewall and periodic review to upgrade it is one
of the main tasks of the information security manager. Detection of a test-attack is
a very important part of the preventive mechanism; an attacker may attempt to cause
a minor violation to test the organisation’s network security before causing a major
incident.
• A response strategy to a cyber-attack incident is also important as part of risk
management. The measures to prevent or mitigate customer disputes, legal
indemnities, assess and minimize the financial impact of a cyber-attack, and
governance over decision making and investments to restore the system
functionalities to its secure state, are all important considerations. The root cause of
these incidents and the impact have to be adequately documented.
Just as some institutions failed during the global financial crises, this period represented a
stress-to-default scenario. It involves extremely unlikely events which force companies to think
about the firm’s most serious vulnerabilities and design stress-to-default scenarios
accordingly.


2.8 Enterprise risk management (ERM) is a strategic business discipline that supports the
achievement of an organisation’s objectives by addressing the full spectrum of its risks and
managing the combined impact of those risks as an inter-related risk portfolio.
❖ Encompasses all areas of organisational exposure to risk (financial, operational,
reporting, compliance, governance, strategic, reputational, etc).
❖ Prioritises and manages those exposures as an inter-related risk portfolio rather than
as individual ‘silos’ of risk.
❖ Evaluates the risk portfolio in the context of all significant internal and external
context, systems, circumstances and stakeholders.
❖ Recognises that individual risks across the organisation are interrelated and can
create a combined exposure that differs from the sum of the individual risks.
❖ Provides a structured process for the management of all the risks, whether those risks
are primarily quantitative or qualitative in nature.
❖ Seeks to embed risk management as a component in all critical decisions throughout
the organisation.
❖ Provides a means for the organisation to identify the risks that it is willing to take in
order to achieve strategic objectives.
❖ Constructs a means of communicating on risk issues, so that there is a common
understanding of the risks faced by the organisation, and their importance.
❖ Supports the activities of internal audit by providing a structure for the provision of
assurance to the board and audit committee.
❖ Views the effective management of risk as a competitive advantage that contributes
to the achievement of business and strategic objectives.
Alternative Solution for above portion
Enterprise risk management (ERM) is a plan-based business strategy that aims to identify,
assess and prepare for any dangers, hazards and other potentials for disaster – both
physical and figurative – that may interfere with an organization's operations and
objectives.
The various features of ERM are as follows:
• Determining the risk appetite.
• Establishing an appropriate internal environment, including a risk management policy
and framework.
• Identifying potential threats to the achievement of its objectives and assessing the
risk, i.e., the impact and likelihood of the threat occurring.
• Undertaking control and other response activities.
• Communicating information on risks in a consistent manner at all levels in the
organization.
• Centrally monitoring and coordinating the risk management processes and the
outcomes, and
• Providing assurance on the effectiveness with which risks are managed.
Relationship between ERM and BCP
There is an important relationship between ERM and BCP. The risk assessment that is
required as part of the risk management process and the business impact analysis that is
the basis of business continuity planning (BCP) are closely related. The normal approach
to risk management is to evaluate objectives and identify the individual risks that could
impact these objectives. The output from a business impact analysis is the identification of
the critical activities that must be maintained for the organization to continue to function.
It can be seen that the ERM approach and the business impact analysis approach are very
similar, because both approaches are based on the identification of the key dependencies
and functions that must be in place for the continuity and success of the business.
The next activity differs between ERM and BCP, because the former is concerned with the
management of the risks that could impact processes, whereas business continuity is
concerned with actions that should be taken to maintain the continuity of individual
activities.
The business continuity approach, therefore, has the very specific function of identifying
actions that should be taken after the risk has materialized in order to minimize its impact.
BCP relates to the damage-limitation and cost-containment components of the loss control.
BCP as a part of operational risk should always be part of the ERM and should be managed
separately.
2.9 Though an option contract involves upfront payment of a premium, which is not involved in
a forward contract, the main advantage of using option contracts for hedging is that
Star Pharma can decide whether or not to exercise the option after observing the realized future
exchange rate.
In contrast, under a forward contract Star Pharma has no choice. An option provides a hedge
against ex post regret for taking a forward position that does not prove favourable. Thus, with an option
contract Star Pharma can eliminate the downside risk while retaining the upside potential.
CASE STUDY - 3
INTRODUCTION
Mr. Shyam, an entrepreneur, came across the Taxation Laws (Amendment) Act, 2019 which
offered a low tax rate of 15% (plus surcharge and cess) to new manufacturing companies,
subject to fulfilment of certain conditions. After thinking over, he consulted his like-minded
business colleagues and decided to commence a new manufacturing public limited company.
They also agreed to Mr. Shyam's proposal and agreed to be promoters of the company along
with him. They discussed various modalities and procedures involved in commencement of the
company.
DISCUSSIONS OF THE PROMOTERS
(i) They had two alternatives, i.e., to pursue Project X (manufacturing Product A) or Project Y
(manufacturing Product B). The following are the data for both the Projects with five
possible events:
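| Possible Event | Project X Cash Flow (₹ 000) | Project X Probability | Project Y Cash Flow (₹ 000) | Project Y Probability |
|---|---|---|---|---|
| L | 18,000 | 0.22 | 28,000 | 0.25 |
| M | 16,000 | 0.18 | 25,000 | 0.19 |
| N | 21,000 | 0.14 | 29,000 | 0.16 |
| O | 19,000 | 0.25 | 27,000 | 0.24 |
| P | 22,000 | 0.21 | 16,000 | 0.16 |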
(ii) The promoters are very much aware that the activities, whether financial or non-financial,
would get affected by the external environments. They want to have a comprehensive
understanding of the significant factors and the aspects underlying the same.
(iii) The above referred Act allowed the import of new machinery which can be used in the
manufacturing of the product.
(iv) The promoters are convinced that the risk management is one of the important pillars of
Governance and arguably the only tool to deal with business uncertainty. Risk
management is recognised as an integral component of good management and
governance. It is an iterative process consisting of steps, which, when undertaken in
sequence, enable continual improvement in decision making.
(v) Right from day one, they wanted to go in for the implementation of Enterprise Risk
Management (ERM) which is a tool that assists an organisation in meeting its business
objectives.
(vi) They want to employ a team of internal auditors i) for the audit of internal controls to ensure
that they are meticulously designed and operate efficiently ii) look into the risk governance
framework established by management to confirm that they operate as intended and iii)
monitor constantly the risk management program for its effectiveness and improvements.
(vii) The promoters are also aware that, as a public limited company of a particular size, it has to
comply with a greater number of rules and regulations than a private limited company, especially
in reporting of internal financial controls over financial reporting.
(viii) Today's business is constantly changing and seems to become more complex every day.
Therefore, the decisions of the management involve the recognition of risk and opportunity.
(ix) They also agreed to consider exporting the products manufactured by the proposed
company, after exploring the market feasibility. Few spare parts for imported machinery
will have to be paid in foreign exchange only. Mr. Shyam is made in-charge to handle the
foreign exchange transactions for the same.
(x) The promoters realised the importance of Information Technology (IT) and its pivotal role
in the business. IT is no longer an enabler, but it has now become the driver of business.
(xi) The proposed company, Shyam Polyfibres Limited (SPL) would have to face challenges
such as, i) finding out enough finances to commence and run the company, ii) proper
planning, iii) employing qualified and dedicated workforce, iv) stiff competition etc. The
promoters are aware of these issues and have decided to boldly face and resolve them by
proper planning.
(xii) SPL would use a Risk Monitoring Tool (RMT) to track progress of risk management using
qualitative assessment of probability and impact of risk.
(xiii) In order to predict the sales of the proposed manufacturing of the new product, SPL would
use a computer software that generates thousands of possible outcomes from the
distribution of inputs which are specified by a user.
Multiple Choice Questions
Choose the most appropriate answer from the given options.
(3.1) During the execution of the project of SPL, a new risk was identified, which was not
identified earlier in the Risk Identification exercise. Which of the following would not
potentially enable a new risk to be identified?
(A) Running some trend analysis reports to analyse incidents.
(B) Recording incidents in a register.
(C) Conducting root cause analysis.
(D) Flow-charting the significant business processes.
(3.2) The auditor of SPL is trying to discharge his liability on the company's Internal Financial
Controls over Financial Reporting in an IT environment. He is assessing the strength of
the control environment used in the automated control activities. For ensuring timeliness,
accuracy and reliability of the information used in the financial control, the auditor most
likely would focus his attention on the underlying:
(A) Application systems
(B) Operating systems
(C) Financial reports
(D) Database management systems.
(3.3) SPL most likely would have employed which of the following in the software referred to in
item (xiii) of the 'outcome of discussion of the promoters'?
(A) Bootstrap Simulation
(B) Monte Carlo Simulation
(C) Historical Simulation
(D) Linear Simulation
(3.4) In the context of ERM, proposed to be implemented by SPL, which of the following would
best refer to a 'hazard risk'?
(A) Risk associated with the strategic planning of the company.
(B) Risk associated with the operations of the company.
(C) Adverse financial losses of the company those are associated with pure risks.
(D) Adverse financial losses of the company those are associated with diversifiable risks.
(3.5) The RMT employed by SPL is known as:
(A) Risk Event Maps
(B) Risk Scorecards
(C) Risk Heat Maps
(D) Flow Charts with Risk Flags (2 x 5 = 10 Marks)
Descriptive Questions
(3.6) Calculate Coefficient of variation of Project X and Project Y and suggest which Project
should be undertaken by the promoters. Show your workings. (6 Marks)
(3.7) ‘External environment can affect the company directly or indirectly.’ Examine the statement
by discussing various aspects of the significant factors affecting the external environment
which in turn could affect SPL's ability to create value in the short, medium and long term.
(5 Marks)
(3.8) What is foreign exchange exposure and discuss foreign exchange exposures that SPL
might face in its proposed transactions? (4 Marks)
Answer
Multiple Choice Questions
3.1 (D)
3.2 (A)
3.3 (B)
3.4 (C)
3.5 (C)
Descriptive Questions
3.6 To calculate CV first we shall compute Variance and Standard Deviation of each project
as follows:
(i) Calculation of Variance and Standard Deviation of Project X
Expected net cash flow
= (0.22 × 18000) + (0.18 × 16000) + (0.14 × 21000) + (0.25 × 19000) + (0.21 × 22000)
= 3960 + 2880 + 2940 + 4750 + 4620
= 19150
Variance (σ²) = 0.22 [18000 – 19150]² + 0.18 [16000 – 19150]² + 0.14 [21000 – 19150]²
+ 0.25 [19000 – 19150]² + 0.21 [22000 – 19150]²
σ² = 290950 + 1786050 + 479150 + 5625 + 1705725
σ² = 4267500
Standard Deviation (σ) = √4267500 = 2065.79
(ii) Calculation of Variance and Standard Deviation of Project Y
Expected net cash flow
= (0.25 × 28000) + (0.19 × 25000) + (0.16 × 29000) + (0.24 × 27000) + (0.16 × 16000)
= 7000 + 4750 + 4640 + 6480 + 2560
= 25430
Variance (σ²) = 0.25 [28000 – 25430]² + 0.19 [25000 – 25430]² + 0.16 [29000 – 25430]²
+ 0.24 [27000 – 25430]² + 0.16 [16000 – 25430]²
σ² = 1651225 + 35131 + 2039184 + 591576 + 14227984
σ² = 18545100
Standard Deviation (σ) = √18545100 = 4306.40
On the basis of Standard Deviation project X should be selected as it has lesser
Standard Deviation.
Coefficient of variation of two projects
CVX = SDX/EVX = 2065.79/19150 = 0.1079
CVY = SDY/EVY = 4306.40/25430 = 0.1693
On the basis of Coefficient of Variation also, Project X should be selected as it is
less risky.
3.7 External Environment can affect the organization directly or indirectly (e.g., by influencing
the availability, quality and affordability of a capital that the organization uses or affects).
Significant factors affecting the external environment that affects the organization’s ability
to create value in the short, medium or long term include aspects of:
• Legal aspects: The legal compliances are increasing day-by-day to the businesses.
Failure to adhere to the rules and regulations of various acts and rules attracts penal
consequences. Lawsuits against companies are increasing because of either poor
services rendered or products sold.
• Commercial aspects: The demand of a product or service depends much on
economic factors like rising interest rates, unemployment and inflation. Business
opportunities may turn into negative with a negative economy, less purchasing power
and savings of people and lesser credit available to customers.
• Social: The culture of the people, their changing lifestyles, customs and values,
tastes and habits are some of the socio-cultural factors which have impact on the
functioning of the business. A product or a business that is successful with people
following a particular culture may not be so successful with people following a
different culture.
• Environmental: The environment plays a vital role in running a business. For
example, it may not be feasible to grow apples in cities which have not climatic
conditions. The business depends upon various environmental factors such as dust
and pollution level, availability of water etc. Changes to environment deeply affect not
only the society but also the business as well.
• Political context: The government has policies towards import and export, taxation,
consumer protection etc. and the economy is guided and shaped by such policies.
For example, incentives are given for exports when the country is keen on increasing
the exports than imports. Hence, it is very much important that the business world
has a good relationship with the government which again depends on the political
situation prevailing in the country.
3.8 Foreign Exchange exposure
It can be defined as a contracted, projected or contingent cash flow whose magnitude is
not certain at the moment. The magnitude depends on the values of variables such as
foreign exchange rate and interest rate. In other words, exposure refers to those parts of
a company’s business that would be affected if exchange rate changes.


Types of Exposures
In the case under consideration, SPL might face following type of exposures in its proposed
transactions.
• Transaction Exposure: This exposure is the impact of settling outstanding obligations
entered into before change in exchange rates but to be settled after the change in
exchange rates.
Since SPL is planning to export manufactured products and import machinery,
there may be an impact on cash flow as the exchange rate may change between the
period when the transaction was initiated and when the transaction is settled.
• Economic or Operating Exposure: This exposure relates to change in economic value
of firm due to change in exchange rates. This may be due to change in the demand
of product due to change in exchange rates.
In the case under consideration, since SPL will also export goods, then change in
exchange rates can lead to change in demand of product and hence is exposed to
operating risk.
CASE STUDY - 4
INTRODUCTION
Organic Tea Limited (OTL) is a fast growing chain of tea stores that are typically located close
to places like educational institutions, railway stations and bus stations across India. It has
company-operated as well as licensed stores. Licensed stores generally have a lower gross
margin but a higher operating margin than company-operated stores. Under the licensed model,
OTL receives a reduced share of the total store revenues, but this is more than offset by the
reduction in Company's share of operating costs as these are primarily incurred by the licensee.
In licensed store operations, OTL leverages the expertise of its local partners and shares its
operating and store development experience. Licensees provide improved access to retail
space at strategic locations. Most licensees are prominent retailers with in-depth market
knowledge and access. As part of these arrangements, OTL receives royalties and license fees
from the licensees and it also sells certain kitchen equipment to licensees for use in their
operations. Employees working in licensed retail locations follow the detailed store operating
procedures and attend training classes similar to those given to employees in
company-operated stores.
After the success of tea business, OTL has incorporated a wholly owned subsidiary named
Organic Toys Limited. The management has an ambitious target for this business segment.
OBSERVATIONS ON BUSINESS REVIEW BY THE MANAGEMENT
1. OTL depends upon relationships with tea producers, outside trading companies and
exporters for supply of quality tea. The management believes that the supply-chain
management is one of the key reasons why the Company has been able to reduce
operating costs and improve operating margin and the risk of non-delivery on such
purchase commitments is remote.
2. The management believes that customers choose among tea vendors primarily on the
basis of product quality, service and convenience, as well as price. However there is a
direct competition from large competitors in quick-service restaurant (QSR) sector with
restaurants and other retailers for prime retail locations and qualified personnel to operate
both new and existing stores.
3. Many of the information technology systems, such as those used for point-of-sale (POS),
web and mobile platforms, including online and mobile payment systems, delivery services
and rewards programs, and for administrative functions, including human resources,
payroll, accounting and internal and external communications, as well as the information
technology systems of licensees and other third-party business partners and service
providers, whether cloud-based or hosted in proprietary servers, contain personal, financial
or other information that is critical for business growth. The board is concerned that a
material breach of information technology systems that results in the unauthorized access,
theft, use, destruction or other compromise of customers' or employees' data or
confidential information of the Company stored in such systems, including through
cyber-attacks or other external or internal methods, could result in a material loss of revenues
from the potential adverse impact to reputation and brand.
4. The management is aware that cyber attacks can result in enormous business losses -
financial, investor confidence, and corporate image. They can also lead to serious legal
issues, especially when more and more private data are being captured, stored, and
transmitted across the public Internet. These losses and legal challenges can have a small,
short-term impact but more often than not, they have a significant, long-term impact.
Accordingly, some basics of a disaster recovery plan (DRP) are in place but there is no focus on
a business continuity plan (BCP).
5. Internal auditors have identified serious lapses in information security system and
procedures. Significant capital investments and other expenditures could also be required
to remedy cyber security problems and prevent future breaches, including costs associated
with additional security technologies, personnel, experts and credit monitoring services for
those whose data has been breached.
6. Earlier, risk management was being supervised by the audit committee of the board (ACB).
However, considering the significant risk the Company is facing with a growing business, a
separate risk management committee (RMC) has been created. There are a few common
members in the RMC and ACB. The RMC has been asked by the board to use 'scenario
analysis techniques' in the key risk area to assess the potential risk. In fact one of the
board members remarked that "scenario analysis was more about potential response and
mitigation than exact probability".


FURTHER DEVELOPMENTS
1. OTL has been banking with PQX Bank for last five years and has become an important
client of the bank. The Company has been borrowing heavily in order to finance its growth.
The track record of servicing debt is very good. In addition to the interest income, the
Company provides a significant amount of fee income. The following financial summary has
been presented to the bank:-
| Particulars | INR |
|---|---|
| Total sales | 140,00,000 |
| Total assets | 35,00,000 |
| EBIT | 4,00,000 |
| Debt as a percentage of total assets | 70% |
| Capital turnover | 10 times |
| Inventory days | 30 |
| Receivable days | 1 |
| Payable days | 13 |
| Annual sales growth (average, last three years) | 120% |
| Dividend pay-out ratio | 20% |
2. The management of the Company believes that next year sales will grow by 100%.
Currently the company is using its cash credit limit of INR 5,00,000 and expecting an
increase in the cash credit limits. Term lending is no longer an option, as the Company has
reached the bank's limit of total gearing.
3. The Company has a small treasury and it has made investment in 1 S listed equity shares
and few mutual funds. The performance of the portfolio is monitored on a regular basis and
the Company has implemented VaR (Value at Risk) techniques in the portfolio
management.
4. PQX Bank has refused to support working capital facility for Organic Toys Limited as the
performance of the company is not good. The management, however, is still going ahead
with expansion by investing own fund mainly using 'over-trading'.
Multiple Choice Questions
Choose the most appropriate answer from the answer options:
(4.1) If the working of the company is showing indicators such as (i) reliance on long term debts;
(ii) offering longer credit period, (iii) higher level of inventory, (iv) rapid decreasing sales
and (v) deteriorating current ratio, which of these indicators are reflections of 'overtrading'
in the context of working capital management?
(A) (i), (iii) and (iv) only.
(B) (ii), (iii) and (v) only.
(C) (i), (ii) and (iii) only.
(D) (ii) and (v) only.
(4.2) Which one of the following is incorrect with respect to risk mitigation process?
(A) Recovery requirements are developed after the risk assessment phase and include
data from the business impact analysis.
(B) Recovery options must fit within the constraints of the recovery requirement.
(C) Existing controls and risk mitigation solutions already in place should be reviewed
after requirements and options are reviewed.
(D) Determining the cost, capability, effort to implement, quality, control, safety, and
security of each option under consideration.
(4.3) Which one of the following is not correct with respect to DRP/BCP?
(A) Performing backups of critical data on servers, in and of itself, is a good start but does
not constitute a disaster recovery plan.
(B) BCP is subset of DRP.
(C) BCP/DRP can provide an opportunity for a company to evaluate and improve its
business processes.
(D) When developing a BCP/DRP you need to look at the three core components of
business: people, process, and technology.
(4.4) Which one of the following is not correct with respect to VaR ?
(A) VaR is solely a measure of downside risk.
(B) In the delta-normal method of VaR calculation, assets are assumed to be normal.
(C) If there is sudden spike in volatility, the historical simulation VaR will overstate actual
risk.
(D) Simulation VaR handles non-normality.
(4.5) The CFO of the Company is in the process of evaluating performance of investment in
equity. In this context, he wants to understand how R-squared is related with the risk. In
your opinion, the ratio of diversifiable risk to total risk of a security should be called as
(A) R-squared.
(B) 1 minus R-squared.
(C) Beta.
(D) Sharpe Ratio. (2 x 5 = 10 Marks)
Descriptive Questions
(4.6) How much increase in the cash credit is required in order to fund increased working capital
requirements of OTL ? Give reply through stepwise calculation. (3 Marks)
(4.7) It is common to have overlap between ACB and RMC in terms of common members in a
company like OTL but the overlap in terms of roles should be avoided. What would be your
suggestions about the roles of members of RMC and ACB so that there is no overlap in
terms of their roles? (3 Marks)
(4.8) Would you agree that "scenario analysis is more about potential response and mitigation
than exact probability"? Support your views by giving reasons. (3 Marks)
(4.9) Based on the information given in this case study, what would be your suggestions in a
sequential manner to manage operational risks to the expectations of the board? (6 Marks)
Answer
Multiple Choice Questions
4.1 (B)
4.2 (A)
4.3 (B)
4.4 (C)
4.5 (B)
Descriptive Questions
4.6 To calculate the increase in Cash Credit we shall compute the value of each constituent of
Working Capital as follows:
COGS = ₹ 2,80,00,000 – ₹ 8,00,000 = ₹ 2,72,00,000

Computation of Working Capital
Inventory = (COGS x 30/365) = (2,72,00,000 x 30/365)        ₹ 22,35,616
Receivable = (Sales x 1/365) = (2,80,00,000 x 1/365)        ₹ 76,712
                                                            ₹ 23,12,328
Less: Creditors (COGS x 13/365) = (2,72,00,000 x 13/365)    ₹ 9,68,767
Net Working Capital Requirement                             ₹ 13,43,561

Increase in Cash Credit Limit required
Working Capital Requirement                                 ₹ 13,43,561
Less: Existing Cash Credit Limit                            ₹ 5,00,000
                                                            ₹ 8,43,561

Alternatively, if 360 days a year are assumed then solution will be as follows:
COGS = ₹ 2,80,00,000 – ₹ 8,00,000 = ₹ 2,72,00,000

Computation of Working Capital
Inventory = (COGS x 30/360) = (2,72,00,000 x 30/360)        ₹ 22,66,667
Receivable = (Sales x 1/360) = (2,80,00,000 x 1/360)        ₹ 77,778
                                                            ₹ 23,44,445
Less: Creditors (COGS x 13/360) = (2,72,00,000 x 13/360)    ₹ 9,82,222
Working Capital Requirement                                 ₹ 13,62,223

Increase in Cash Credit Limit required
Working Capital Requirement                                 ₹ 13,62,223
Less: Existing Cash Credit Limit                            ₹ 5,00,000
                                                            ₹ 8,62,223

Alternative Solution
Step 1 Cash Conversion Period = Inventory days + Receivable days – Payable days
i.e. 30 + 1 - 13 = 18 days.
Step 2 Net working capital to sales ratio = 18/365 = 0.049 (rounded off)
Step 3 The next year additional sales are expected to be ₹ 1,40,00,000. So the total
expected sales would be ₹ 2,80,00,000.
Step 4 Taking net working capital to sales ratio computed in step 2 and applying the
same to total expected sales calculated at Step 3, the company will need
₹ 13,72,000 towards working capital.
Step 5 At present the company is enjoying cash credit limit of INR 5,00,000, the
additional working capital requirement shall be ₹ 8,72,000 (₹ 13,72,000 –
₹ 5,00,000).

4.7 The role of RMC is to lay down risk management policies, procedures and limits while the
role of an ACB is to review their implementation and effectiveness. In this context it is
important to note that the ACB should remain in its supervisory role, which can be
achieved by risk based supervision, and it should not act like a line function. Simply stated,
its responsibility is to identify weak areas and follow them up with the RMC. The ACB also
needs to find out whether the company has documented the identified risks and the related
policies and how they are implemented at ground level.
Alternative Solution
To ensure that there is no overlap between the roles of members of the Risk Management
Committee (RMC) and the Audit Committee of the Board (ACB), it is very important that their
roles are clearly defined, as follows:
Role of RMC
(a) is required to be a stand-alone committee, distinct from the audit committee;
(b) has a chair who is an independent director and avoids “dual-hatting” with the chair of
the board, or any other committee;
(c) includes members who are independent;
(d) includes members who have experience with regard to risk management issues and
practices;
(e) discusses all risk strategies on both an aggregated basis and by type of risk;
(f) is required to review and approve the firm’s risk policies at least annually;
(g) oversees that management has in place processes to ensure the firm’s adherence to
the approved risk policies.
Alternative Solution for above portion – Role of RMC
1. To assess the company’s risk profile, risk appetite and key areas of risk in particular.
2. To recommend to the board the adoption of risk assessment and rating procedures.
3. To articulate the company’s policy for the oversight and management of business
risks.
4. To examine and determine the sufficiency of company’s internal processes for
reporting and managing key risk areas.
5. To assess and recommend to the board acceptable levels of risk.
6. To facilitate development and implementation of a risk management framework and
internal control system.
7. To review the nature and level of insurance coverage.
8. To have special investigation into the area of corporate risk and breakdowns in
internal control.
9. To review management response to the company auditor’s recommendations.
10. To report the trends on the company’s risk profile, reports on specific risk and the
status of risk management process.
Role of ACB
(a) is required to be a stand-alone committee, distinct from the risk committee;
(b) has a chair who is an independent director and avoids “dual-hatting” with the chair of
the board, or any other committee;
(c) includes members who are independent;
(d) includes members who have experience with regard to audit practices and financial
literacy at a financial institution;
(e) reviews the audits of internal controls over the risk governance framework established
by management to confirm that they operate as intended;
(f) reviews the third party opinion of the design and effectiveness of the overall risk
governance framework on an annual basis.
4.8 The given statement is correct to some extent because grouping scenarios by type of
consequence for the organisation helps to focus on impact assessment and mitigation action,
since the ultimate objective of scenario analysis is risk mitigation.
Further, if scenario analysis reveals breaches in control or a risk level beyond the risk
appetite, then scenario analysis is used to plan for further mitigation.
In case the results of scenario analysis are within the range of appetite, then no further action is
required. In case a scenario seems unlikely, the firm must plan reaction and mitigation
accordingly.
4.9 Three lines of defence model can be used by any industry with some customisation on
basis of the organisational structure, the complexity of the business processes and
evolving capability of the control awareness.
(1) The First line of defence is the function/department/role that owns the process. They
are supposed to have sufficient governance on the operational risks pertaining to their
areas of responsibility, such as
• Set up the required policies to govern the area of work,
• Establish process notes, control-steps in the process notes, and methods to
measure the efficacy of the controls,
• Perform the self-assessments and monitoring of risk indicators, etc.
• Examples are, in a financial organisation, the Operations department often has
a detailed set of process notes that assign control steps to designated
individuals, and also a method of measuring / tracking if the controls were
exercised properly.
These tracking / measuring tools could be at varying frequency, being built into a
formal RCSA (Risk Control Self-Assessment) where risks and control efficiency are
highlighted. This line functions closely with the Second line in a collaborative method
which could be formalised in any governance process established by the ORM
Committee.
(2) The Second line of defence is the Operational Risk department, which while being
part of the management framework, sets up and oversees the operational risk
management of the first line of defence. The typical roles played by the second line
of defence are:
• Working with the process owners (first line of defence) to set up the risk and
control matrix.
• Advise / recommend the method and frequency of testing of controls to the first
line of defence, thereby setting up a self-assessment process based on the
RCM.
• Perform risk assessment of new products, services and processes, especially in
instances where new technology is being deployed.
• Review and publish results of the RCSAs and risk assessments, and any
exception reports / Key risk indicators set up in the framework.
• Convene, and report to the ORMC, and report to the Board / Risk Committee of
the Board as well with the necessary updates.
(3) The Third line of defence is Internal Audit; it is independent of management control
and reports to the Audit Committee of the Board.
• An effective internal audit would highlight issues and potential gaps in
processes, which were missed by the first two lines of defence as well. As an
independent vertical, their value addition provides a better insight into the
process from a holistic perspective since they are not directly involved in
managing the process.
• Checking on efficacy of controls that mitigate operational risk, is a key
deliverable of Internal Audit.
• Over the last few decades, internal audit has evolved into a concept of Risk Based
Auditing. The term itself refers to an approach where the audit function identifies
risks and controls in a very similar fashion to the operational risk methodology,
and then chooses to focus its attention and deploy resources on checking the
areas of choice.

Alternative Solution
Based on the information given in the case study under consideration to manage the risks
to the expectations of the Board following are some suggestions:
• The First line of defence is the function/department/role that owns the process. They
are supposed to have sufficient governance on the operational risks pertaining to their
areas of responsibility.
• The Second line of defence is the Operational Risk department, which while being
part of the management framework, sets up and oversees the operational risk
management of the first line of defence.
• The Third line of defence is Internal Audit; it is independent of management control
and reports to the Audit Committee of the Board.
• Identification of risk areas: whether it is own or outsourced network, internet,
individual computers, mobile devices etc. Prioritization of resources and effort can be
managed accordingly.
• Adequately restricting access to systems is the common way to prevent cyber risk;
this is done by password protection at various levels, from common user to
administrator level.
• Encryption on individual computers is also implemented in such a manner that, if a
device is lost, the unauthorised entity cannot download the data into an external storage device.
• There are several technology solutions that create an adequate firewall of the
organisation’s systems to protect them from hacking from outside.
• Regular vulnerability testing of the firewall and periodic review to upgrade it is one
of the main tasks of the information security manager. Detection of a test-attack is
a very important part of the preventive mechanism; an attacker may attempt to cause
a minor violation to test the organisation’s network security before causing a major
incident.
• A response strategy to a cyber-attack incident is also important as part of risk
management. The measures to prevent or mitigate customer disputes, legal
indemnities, assess and minimize the financial impact of a cyber-attack, and
governance over decision making and investments to restore the system
functionalities to its secure state, are all important considerations. The root cause of
these incidents and the impact have to be adequately documented.

CASE STUDY – 5
INTRODUCTION
Ms. Jamuna has 10000 sq. feet of vacant land, situated in the heart of Chennai city. She
inherited the above vacant land. She also holds fixed deposits of ₹ 4 crores in a nationalised
bank.
THE PROJECT
She wanted to construct twelve apartments in the vacant land, keeping one apartment as her
own residence. She is mulling over two options; to let out on rent the eleven apartments for
offices or let out the apartments as "service apartments". There is a famous marriage hall
nearby the vacant land. She expects that there will be demand for the service apartments during
marriage seasons and other functions held in the marriage hall and also, she feels that there
will not be many hassles in the same in (i) collecting rent and (ii) constant attention to the
maintenance of the apartments.
PROJECT FUNDING
She needs a total amount of ₹ 4.70 crores to construct the apartments. She can utilise the bank
fixed deposits towards construction. For the balance of the amount, she requested her cousin
Mr. Deepak, who is residing in USA, to send a loan which would be repaid to him after 5 years.
She agreed to pay an interest of ₹ 5 lakhs per annum and the same would be paid to his bank
account maintained in India. Mr. Deepak agreed to send her the amount in US dollars, once she
completes the spending from the closure of fixed deposits.
A month after giving his acceptance, Mr. Deepak told her that as he is tied up urgently with a
financial commitment, he would be requesting his friend Mr. Tony who is a resident of Nigeria
to send Ms. Jamuna 1 lakh US dollars through banking channel. She has to pay an interest
amount every year @ 6% and the repayment of the loan to Mr. De Martin, Mumbai at the end of
five years.
As an alternative to obtaining a loan from Mr. Tony, Ms. Jamuna considers the possibility of
obtaining a bank loan. The bank would charge her 9% and she proposes to request the bank to
reduce it to 8%.
REVENUE ESTIMATES
The probability is estimated at 70% occupancy, if let out as apartments and 60% occupancy, if
let out as service apartments. It was expected by Ms. Jamuna that in a worst-case scenario,
she may incur a loss of ₹ 12 lakhs and ₹ 10 lakhs in case of letting out as individual apartments
and service apartments respectively.
CONSTRUCTION RELATED ISSUES
For the construction, she approached a qualified engineer-cum-builder and requested him to
provide detailed plans, procedures for getting necessary approval from the concerned
Governmental departments, estimates, stages of project, quality and specification of materials
to be used throughout the construction, details of the supervisors and break-down of payments
to be made by her at various stages. She wanted to have a comprehensive construction
agreement embedding all the details, especially the escalation clause (refers to the provision in
the contract to increase the agreed rates, if the inputs for construction increased beyond a
certain level).
She requested the engineer to periodically apprise her of the situation by holding meetings at
the end of each major activity of the project. She also insisted that the supervisors employed by
the engineer have to report to her about the risky situations and hazards in the construction site
regularly so that precautionary steps could be taken to ensure the safety of the workers.
However, she is sceptical about the skill sets of the workers, as finding and employing skilled
workers has become a tough job.
MAINTENANCE OF RECORDS
Ms. Jamuna is very keen in maintaining meticulous records of the construction. She would also
like to maintain a diary of events (akin to a risk register), noting down all the events, problems
faced and their corresponding solutions. But she is not fully aware of the risks and vulnerabilities
that she would face during the construction.
She has read somewhere that control risks are often associated with project management. In
these circumstances, it is known that the events will occur, but the precise consequences of
those events are difficult to predict and control. Therefore, the approach would have to be based
on minimizing the potential consequences of these events. Hence, she wanted to have a list of
specific risks to the project, sorted on their relative importance, and consequences.
Multiple Choice Questions
Choose the most appropriate answer from the given options.
(5.1) A risk may still occur that the apartments may lie vacant or there would be no occupancy
of service apartments, even when there is no significant change in the economy of the
country. This risk may be classified as
(A) Static Risks
(B) Country Risks
(C) General Risks
(D) Opportunity Risks
(5.2) Which of the following risk identification techniques would the supervisors most likely
use for reporting to Ms. Jamuna on the risky situations and hazards in the construction
site?
(A) Surveys
(B) Direct Observations
(C) Incident Analysis
(D) Scenario Analysis
(5.3) If in the near future, the nearby marriage hall is converted to a shopping mall, Ms. Jamuna
most likely would face which of the following risks in case she has decided to let the
building as service apartments?
(A) Credit Risk
(B) Economic Risk
(C) Controllable Risk
(D) Market Risk
(5.4) Which of the following techniques for measurement of interest rate risk, the bank would
not consider, if Ms. Jamuna submits a proposal for a bank loan asking the bankers to
determine the rate of interest ?
(A) Value at Risk
(B) Simulations
(C) Monotonicity
(D) Maturity Gap Analysis
(5.5) Which of the following would least likely be included in the diary of events maintained by
Ms. Jamuna ?
(A) Identify the Risk
(B) Analyse the Risk
(C) Evaluate or Rank the Risk
(D) Treat the Risk (2 x 5 = 10 Marks)
Descriptive Questions
(5.6) Discuss the factors that would create vulnerabilities and associated risks in the
construction of the apartments by Ms. Jamuna, by drawing references from the case study.
(6 Marks)
(5.7) Discuss the risk and uncertainty in letting out the building by Ms. Jamuna either as
individual apartments or service apartments. (5 Marks)
(5.8) Explain how Ms. Jamuna's bank would view the receipt of money from Mr. Tony and what
measures the bank would employ to check the veracity of the transaction and
compliance with applicable laws for foreign loans? (4 Marks)

Answer
Multiple Choice Questions
5.1 (A)
5.2 (B) or (C)
5.3 (B) or (D)
5.4 (C)
5.5 (D)
Descriptive Questions
5.6 The various factors that can create vulnerabilities and associated risks in the construction
of apartments by Ms. Jamuna are as follows:
(a) Fluctuation of raw material prices: There is always a possibility that the prices of raw
materials may increase. Even though Ms. Jamuna has to pay only a fixed amount, if
the prices increase beyond the specified percentage, then she has to pay more as
per the terms of escalation clause in the agreement with the engineer/builder.
(b) Scarcity/quality of materials: Under the proposed contract, the material to be used
should be of high quality throughout the entire construction. It may so happen that
such material may not be available after a certain stage of the project. The engineer
might use an inferior material, or the construction activity might have to be stopped
till the right material is procured.
(c) Shortage of skilled workers: Finding out the right man for the right job is becoming
difficult. It is not always possible to employ skilled workers as they are very scarce
and also costly to employ. Ms. Jamuna has to choose the engineer/builder with utmost
care, based on the past records which would show that he has not faced shortage of
requisite skilled workers in the past.
(d) Unpredicted weather conditions: Unfavorable or unpredicted weather conditions may
also delay the project. For example, heavy rains during summer months would delay
laying of ceiling concrete. Adequate cushion in the project completion time should be
taken care of.
(e) Changes in laws and regulations: The government may change rules/policy in the
matter of construction industry, including the ongoing constructions in the state. This
may also affect the construction. There might be periodic inspections from the
authorities to ensure that the building construction does not violate the norms.
(f) Safety of workers: Safety of workers is always to be ensured. Safety measures such
as wearing protective helmets, boots, gloves, masks and eye-wear glasses are some
of the examples. In the construction agreement, it must be clearly stated that the
engineer/builder is solely responsible for the safety of the workers.
(g) Environmental pollution: Dust and pollution not only affect the workers but also the
neighbours as well. There might be complaints from the neighbours about the noise,
dust, smoke, etc. Hence sufficient anti-dust and pollution measures are to be taken,
such as, periodic sprinkling of water, avoid using harmful chemicals, controlling the
emission from diesel engines used in the construction sites etc. It is to be made clear
in the agreement that the engineer/builder is responsible for the risk.
Alternative Solution
The factors that can create vulnerabilities and associated risks in the construction of
apartments are as follows:
(i) Since in India marriages are normally season based hence property may remain
vacant for some time.
(ii) Increase in cost of raw material beyond certain level.
(iii) Health and safety of workers at site.
(iv) Shortage of skilled workers.
(v) In case the loan is taken in US $, then foreign exchange rate risk for payment of interest
and repayment of loan.
(vi) The payment of interest and repayment of loan to De Martin of Mumbai would result
in money laundering activity.
5.7 1. Uncertainty: The lack of complete certainty, that is, the existence of more than one
possibility. The “true” outcome/state/result/value is not known. In this case, Ms.
Jamuna is facing uncertainty whether to let out the building as individual apartments
or as service apartments.
2. Measurement of uncertainty: A set of probabilities assigned to a set of possibilities.
There is a 70% probability that the apartments will be occupied, if it is let out as
individual apartments and 60% occupancy, if let out as service apartments.
3. Risk: A state of uncertainty where some of the possibilities involve a loss,
catastrophe, or other undesirable outcomes.
Ms. Jamuna might face loss in either of the possibilities.
4. Measurement of risk: A set of possibilities each with quantified probabilities and
quantified losses.
In a worst-case scenario, she may incur a loss of ₹ 12 lakhs and ₹ 10 lakhs in case of
letting out as individual apartments and service apartments respectively.
5. Chief difference between uncertainty and risk
In this sense, one may have uncertainty without risk but not risk without uncertainty.
The measure of uncertainty refers only to the probabilities assigned to outcomes,
while the measure of risk requires both probabilities for outcomes and losses
quantified for outcomes.
Ms. Jamuna cannot take an insurance policy for the uncertainty in choosing the
alternatives, while insurance can be had for perils such as fire, flood, earthquake, etc.
Another point of difference is that uncertainty cannot be transferred, while the risk
can be transferred to an insurance company.
5.8 The amount of US $ 1 Lakh received by Ms. Jamuna from Mr. Tony may be subject to
scrutiny by the bank under Prevention of Money Laundering Act, 2002.
The bank would like to ensure that such amount received by Ms. Jamuna is not out of any
illicit activities/transactions. The bank would go into the nature of receipt of the money, i.e.,
whether it is a loan or a gift of money, terms and conditions of the receipt and also the
details of how the interest and loan is proposed to be repaid. Bank would analyse whether
any provisions of Foreign Exchange Management Act (FEMA) is violated.
Big data analytics can improve the existing process in Anti-Money Laundering (AML)
operations. Its approaches allow for the advanced statistical analysis of structured data,
and advanced visualisation and statistical text mining of unstructured data. These
approaches can provide a means to quickly draw out hidden links between transactions
and accounts and uncover suspicious transaction patterns. Advanced analytics can
generate real-time actionable insights, stopping potential money laundering in its tracks,
whilst still allowing fund transfers for crucial economic and human aid to troubled regions.
Big data technologies can identify incidents, help draw a wider picture, and allow a bank
to raise the alarm before it’s too late.

Query Sheet – RM July’ 2021_By CA Shivam Palan
Case Study - 1
1.1. Understanding based question

Risk capacity: the amount and type of risk an organization is able to support in pursuit of its
business objectives.

Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of its
business objectives.

Risk tolerance: the specific maximum risk that an organization is willing to take regarding
each relevant risk.

Risk target: the optimal level of risk that an organization wants to take in pursuit of a specific
business goal.

Risk limit: thresholds to monitor that actual risk exposure does not deviate too much from the
risk target and stays within an organization’s risk tolerance/risk appetite. Exceeding risk limits
will typically act as a trigger for management action.

Refer to page no. 28 of Full Batch notes.

1.2 Understanding based Questions

Strategic risks may be:

● Unique to the organization because the strategy, culture, governance structure, and
business and operating models are unique to the organization
● Damaging to the entire organization because a risk involving reputation or the supply chain
in one part of the company may affect other parts.
● Easy to overlook because they often seem irrelevant, unthreatening, or highly unlikely—
and management may believe they are being monitored and managed when they are not.
● Difficult to address with customary risk management methods.

1.3 Understanding based question

Understanding Uncertainty and Risk in detail. Millions of uncertainties exist in this world. And
out of that set of millions, the uncertainties that matter constitute a risk. So, uncertainty has a
wider scope and risk has a narrow one, and risk is a subset of uncertainty.

Uncertainty is something that is out there in the open, i.e., it exists for anyone and everyone.
However, that uncertainty becomes a risk when it starts affecting the objectives
of any business organisation, entity or person. So, whichever uncertainty affects our objectives
becomes our risk, and that uncertainty we’ll have to manage & monitor, and record in
the risk register. Also, an uncertainty is a risk for one person because of this objective factor but
not for another.

Similarly, in a business organisation, different things matter to different management
hierarchies, and therefore, different uncertainties affect each of the hierarchies differently and
hence become their risks. E.g. rain, launch of a new product, fire, etc.

Cross-Linking ICAI Material: (+1.6). Managing risk is simply managing uncertainty.

We all do this every day in our professional and personal lives. All organizations do this,
whether formally or informally.

Full Batch notes, page no. 3

1.4 As AML does not have any formal risk management policy and it faces compliance issues
with regulatory authorities, the best RM framework can be Governance, Risk and Compliance;
also, as strategic risk is involved, governance risk comes into play.

1.5 The better the risk management, the better it will be for the company to raise capital; hence
option A can't be the answer. With risk management in place, we will have a more effective
allocation of resources; hence option B can't be the answer. Having better risk management
will help the organization to have a better understanding of its objectives; hence option C can't
be the answer. Decrease in inherent risk is purely based on the implementation of controls, i.e.,
residual risk; hence the answer is D.

Refer Page no. 26 of our Full Batch notes for better understanding.

1.6 New Type of question, please note down.

1.7 (Case study Based) Answer needs to be written based on how strategic risk will give the
organization an advantage in a dynamic environment. The same needs to be related to how
strategic risk will help with mounting economic, regulatory, and marketplace pressures and
technology disruption.

Note: For This type of question, you should always see how planning that risk will help the
organization. Also, note that ICAI can ask the same type of question for another risk in the
exam, so be prepared for how you will answer the same.

1.8 In this question, you need to think about how you can minimize the problems that will arise
from the litigation.

1.9 Note: The question is asking for an information security policy covering three things: a) how
the information can be protected at a general level, b) particularly for Internet usage, and
c) particularly for email usage.

By CA Shivam Palan_Target80+RM

Case Study – 2

2.1

CRSA provides a framework for businesses to review, assess and design optimal control
frameworks to manage risks. Control risk self-assessment (CRSA) is a powerful tool that may
be used to support ERM. It is about getting managers and the work team to self-assess their
risk and controls, typically in workshops or facilitated meetings. ERM is the big picture, while
CRSA is one of the tools that can be used to promote good ERM.

The point is that CRSA is not ERM; it is just part of it. Just because the auditor feels there is a
sound CRSA program in place, this does not mean there is bound to be a good ERM process
as a result.

2.2

This is a Money Market Cover for a receivable: Borrow, Sell, Invest, i.e., selling foreign currency
forward. However, ICAI has considered a forward purchase contract as a forward sale contract.

2.3

According to sir, the answer should be D; however, ICAI has given the answer as B. Need to check
the same with ICAI. TT (Telegraphic Transfer) buying rate indicates the rate at which banks
convert foreign inward remittances to INR. TT Selling rate indicates the rate at which the bank
sends an outward remittance through telegraphic transfer.

2.4 B

Same Question asked in Jan 21 Case study 4 (Q 4.4) page no. 342

2.5 A

Ready or cash Next: The transaction is to be settled on the same day.

Tom Next: The delivery of foreign exchange is to be made on the day next (tomorrow) to the
date of transaction.

Spot Next: Delivery of foreign exchange would take place on the 2nd working day from the
trade date.

2.6 A vendor risk management program reduces the frequency and severity of data breaches,
data leaks, and cyber attacks involving third and fourth parties, protecting sensitive data, PII,
PHI, intellectual property, and ensuring business continuity.

Other suggestions to the company for vendor risk management:


1. Assess third-party risk regularly (annually at a minimum) by the board of directors.
2. Categorize and assess each vendor based on their level of access to your systems and
information. This assessment should also review each vendor’s third-party risk based on their
supply chains. Consider working with SMEs (either internal or external) who can help review
third-party cybersecurity and business continuity plans.
3. Outline KPIs for critical risks (such as cybersecurity, data security and operational resilience)
for each vendor. Create strong vendor contracts that clearly set out the metrics your company
can use to terminate a relationship if KPIs are not met.
4. Establish communication with all vendors and set a regular schedule to update vendor
documentation. Documentation for vendors that provide a product or service representing a
more significant risk should be updated more frequently.
5. Create a vendor risk framework that details how to evaluate vendors, enter into agreements with
them, establish standards for communication and manage their performance.
6. Hold vendors accountable to contracts.
7. Reduce spend by identifying redundant third parties.
8. Comply with global regulations and industry requirements.
9. Understand how data flows and who has access.
10. Track security controls and manage risk mitigation efforts.
11. Offboard vendors and maintain records for compliance.

2.7 Jan’21 (5.7); Page no. 348 of Atmanirbhar Book

2.8 Features of ERM page no. 8.3 ICAI Material + Full Batch Note: 110 😎

2.9 Understanding Based

Case Study - 3

3.1 (Refer ICAI Material Page no. 2.12 - Point 10)

3.2 (Refer ICAI Material Page no. 9.4 - Point 3)

3.3 (Refer ICAI Material Page no. 5.5)

3.4 (General understanding of hazard risk) (ICAI 1.16)

3.5 (Refer ICAI Material Page no 3.12)

3.6 Calculation of Expected Value for Project A and Project B


Ill. 4 (ICAI 8.10 IPCC)

3.7 Refer Page no. 4.11 ICAI, relate the same with a case study.

3.8 Refer page no. 9.18 to 9.21 of SFM for the type of exposure.

Case Study - 4

4.1 Overtrading arises when a business expands beyond the level of funds available. Overtrading
means an attempt to finance a certain volume of production and sales with inadequate working capital.
If the company does not have enough funds of its own to finance stock and debtors and it wishes to
expand, then it is forced to borrow from creditors and from the bank in the form of overdraft.

4.2 Risk mitigation process:

● Recovery requirements are developed during the risk assessment phase and include data from
the business impact analysis. You can begin by delineating the key functional areas of your
company and determining the key business processes in each.
● Recovery options are developed for each critical business process or function. Recovery
options must fit within the constraints of the recovery requirement. Otherwise, they should
not be considered as part of the BC/DR process.


● Existing controls and risk mitigation solutions already in place should be reviewed after
requirements and options are reviewed. In some cases, existing solutions meet BC/DR
requirements; in other cases, existing solutions can be augmented or expanded to meet needs.
In still other cases, no satisfactory controls exist and a solution must be developed.

● Determining the cost, capability, effort to implement, quality, control, safety, and security of
each option under consideration can help you develop a comprehensive risk mitigation strategy
that meets the needs of your company.

4.3 (Full Batch Class notes: Page no. 107) 😎


4.4 Historical VaR is based on historical data. If there is a spike in volatility, it will lead
to a higher risk which past data will not capture. Hence, VaR could understate the actual risk.

4.5 Formulae Based

4.6
Total Sales = 1,40,00,000
Sales After growth = 1,40,00,000 + 100% of 1,40,00,000
= 2,80,00,000

Working Capital Days = Inventory Days + Receivable days - Payable
= 30 + 1 - 13
= 18 days

Net Working Capital Turnover Ratio = 18/365
= 0.049

Estimated Avg. working capital = Net sales * Working capital Turnover Ratio
= 2,80,00,000 * 0.049
= 13,72,000

Increased Capital = Estimated - Existing Working Capital
= 13,72,000 - 5,00,000
= 8,72,000

4.7 Answer needs to be framed based on: ICAI 2.30 & 7.3

4.8 Answer to be framed based on ICAI pg. 5.12, Full Batch notes page no. 125

4.9 Page no 9.7 ICAI Material


Case Study - 5
5.1 Refer page no. 1.17 of ICAI Material, check the definition of static risk: Risks which
occur with no change in the economy are classified as Static Risk.

5.2 Refer ICAI Material Page no. 2.12

5.3 If a nearby marriage hall is converted into a shopping mall, it will lead to wrong projection
of cash flows and mainly overestimation of revenues. Economic Risks can be manifested in
lower income or higher expenditures than expected.

5.4 SFM Material Page no. 11.5

5.5 Case Study Based

5.6 Think & write all the factors that can create vulnerabilities & associated risk in the
construction sector. Can refer to page no. 316 of Complete guidance book for understanding of
how the construction industry works.

5.7 In this case ICAI has used the distinction between Risk & Uncertainty proposed by Douglas
Hubbard given in page no. 1.14 of ICAI Material.

5.8 Understanding Based


Test Series: November 2021
MOCK TEST PAPER
FINAL (NEW) COURSE: GROUP – II
PAPER – 6A: RISK MANAGEMENT
Time Allowed – 4 Hours Maximum Marks – 100

CASE STUDY: 1
You have been recently appointed as Chief Risk Officer of a company which is in Steel Castings business.
Name of the Company is ABC Electro Steel Castings Ltd. [in short, ABC].
You have been told that ABC is fully committed to strengthen its risk management capability on continuous
basis in order to protect and enhance shareholder value. You have been told that the risk management
framework ensures compliance with the requirements of amended Clause 49 of the Listing Agreement. The
framework establishes risk management processes across all businesses and functions of the Company.
These processes are periodically reviewed to ensure that the Management controls risks through properly
defined framework.
You are also made aware that the Company has already undertaken an extensive Risk Management effort
that includes introducing Risk Management Manual, compiling a comprehensive profile of the key risks to
the Company, identifying key gaps in managing those risks and developing preliminary action plans to
address those risks. This effort accomplishes the following goals:
• responds to the Board's need for enhanced risk information and improved mitigation plan;
• provides the ability to prioritize, manage and monitor the risk in the business; and
• formalizes the explicit requirements for assessing risks on an ongoing basis, including an effective
internal control and management reporting system.
You are also given information that the Company uses raw materials to manufacture the steel castings. It is
faced with the threat of pressure on margins on sales. To counter the threat, the Company has taken
various steps which include backward integration which comprises coal mines and iron mines, and
brownfield expansions, e.g. sinter plant, sponge iron plant, coke oven plant, power plant from waste heat
recovery. It also set up an R & D to expand its manufacturing capacities with a view to control costs.
You came to know that the Company is ISO-140001-2004 certified and is adhering strictly to the emission
norms applicable for industry.
You are also told that with the thrust given by Government of India on water and water related projects and
with the estimated growth in water requirement, the demand of DI Pipes is expected to grow substantially
and the Company is confident of retaining its market share.
Labour relations have been excellent throughout the year in spite of number of unions. It is the result of
such cordial and harmonious relations that not a single man-day has been lost in the last 8 years. The
Company believes that labour relations will continue to remain excellent.
Descriptive Questions
1.1 In India, SEBI casts a lot of responsibilities on Directors of listed companies regarding Risk Reporting.
Explain. (5 Marks)
1.2 In case the company plans to acquire any iron ore or coal mining company, what type of merger
will this be called? (2 Marks)

© The Institute of Chartered Accountants of India


1.3 Suppose ABC has received a proposal to acquire an iron ore in Goa at a price of ₹ 50 Crore. By this
acquisition though there will be small reduction in the cost of raw material but the dependence on the
outsider supplier will be reduced a lot.
The cash flow due to saving in costs and associated probabilities are as follows:

Year 1                              Year 2                              Year 3
Cash Flow (₹ Crore)   Probability   Cash Flow (₹ Crore)   Probability   Cash Flow (₹ Crore)   Probability
14.00                 0.10          15.00                 0.10          18.00                 0.20
18.00                 0.20          20.00                 0.30          25.00                 0.50
25.00                 0.40          32.00                 0.40          35.00                 0.20
40.00                 0.30          45.00                 0.20          48.00                 0.10

You are required to evaluate expected Net Present Value and Standard Deviation of expected savings
assuming cost of capital of ABC as 10%.
PVF at 10%, for 3 years = 0.909, 0.826 and 0.751
Show amounts in ₹ crore upto 3 decimal points. (8 Marks)
Multiple Choice Questions
Choose the most appropriate answer from the given options:
1.4 Economic capital, in relation to a firm, is ……………………
(A) the amount of capital stipulated in the law to commence business.
(B) the amount of capital needed to ensure the solvency for a given risk profile.
(C) the amount of working capital.
(D) None of the above
1.5 Phishing is ………………..
(A) a fraud technique to get access to the victim's computer systems.
(B) a technique to create a fraudulent transaction to benefit financially.
(C) a technique to encrypt the entire data on an individual or entity's computer system to ruin the
business.
(D) a financial transaction that an organization performs outside its network
1.6 Risk culture requires………….
(A) continuous efforts of communication
(B) building corporate memory
(C) shaping the right risk actions
(D) All of these
1.7 Risk Management framework must …………….
(A) cover the entire bank and branches through IT enabled reporting system.
(B) enable the Bank to map the risk profile of customers and operation of the accounts on real time
basis to enable detection of risk on timely basis.

(C) include appointment of Risk Management Committee.
(D) All of the above.
1.8 Every unlisted company having a paid up share capital of ₹ 10 crore or more is not required to
constitute a/an ………………..
(A) Audit committee
(B) Nomination and Remuneration Committee
(C) Risk Management Committee
(D) Suitable policy for training and performance evaluation of directors. (2 x 5 = 10 Marks)
CASE STUDY: 2
About the Company

ABC Limited is a public limited company incorporated in the year 2003. It has the registered head office in
Bhubaneswar, Odisha. The Company has iron ore mines situated in five places in the State. The main
business of the Company is extraction and sale of iron ore to many iron and steel industries both inside and
outside states.
The Company has decided to diversify its business in trading of shares. Also, the Company is considering
the possibility of setting up a Non-Banking Finance Company. For these purposes, the Company is in the
process of doing feasibility studies.
Risk Manager

The Company has approached you, being a senior Risk Manager to look into the proposals. The role
performed by you would include:

• To gather regular risk management related information from external and internal sources.
• Identify the problems and provide possible solutions to the various issues arising in the risk
management.
• To effectively manage specific risk circumstances.
• To monitor the risk of Anti-Money Laundering (AML).
• To monitor the investment portfolio and to analyse the unfavourable movements.
• Advise and make recommendations to the management in the matters of identifying the risks and
quantifying the same.
• Help the management in designing and implementing various risk management strategies and their
related processes in the banking & investment portfolio and to suggest improvements.
• Get updated with the advances happening in the relevant software technology.
• Have a detailed understanding and knowledge of the credit, operational and market risks of the
portfolio and also the software tools used to assess them.
• Understand and reduce the exposures in financial risks by using strategies such as hedging, credit
default swap, insurance etc.
• Proactively analyse the market trends for finding out opportunities in expanding the portfolio.
• Adhere to various laws, procedures relating to the financial operations.

• Gather various information relating to the operations of NBFC in India including credit risk
management and the underlying Guidelines of RBI with respect to capital adequacy norms,
provisioning etc.
Required by the Risk Manager
In order to have a better understanding of the risk factors involved thereon, the Risk Manager needs a
better understanding on the following issues:
(i) The purchase order for a script would be authorised by a manager. The risk manager is bothered
about authorising the order for a wrong script, instead of the intended one by the manager. Thus, he is
interested to learn the controls placed and if any weakness is found he wants to strengthen the same.
(ii) A machine learning program dynamically responds to change in data / situation by changing the rules
that govern the behavior and the algorithm "learns" from new data inputs and gets better over time.
The risk manager tries to explore the possibility of employing a new software towards the same.
(iii) Calculation or measuring the loss in the value of the portfolio in a given period of time for a distribution
of historical returns.
(iv) The risk manager is interested to find out as to how the portfolio would fare during the period of a
financial crisis. He is also interested to build the stress testing capabilities and to explore the ways of
using them to meet the broader risk management and business objectives.
(v) The rules and regulations existing in a foreign country and also the risk factors involved with reference
to the investment climate of that country that are to be considered before buying shares of a foreign
company.
(vi) While applying for a bank loan for the expansion of the portfolio, the parameters of credit risk that the
bank might consider and also the credit scoring model that might be applied by the bank, while
approving such loan to the company. The Company would be offering some of its immovable
properties as collateral to the proposed loan with the bank.
(vii) The certainty equivalence is a guaranteed return that the management would accept rather than
accepting a higher but uncertain return. The risk manager would like to explore the possibility of
"certainty equivalent” technique.
(viii) Effectively employing big data analytics in analysis of various transactions to study the patterns of
investments and also the possibility of using block-chain technology in ensuring the veracity of the
transactions.
Descriptive Questions
2.1 You are required to comment whether Business Continuity is an integral part of Operational Risk
Management. (10 Marks)
2.2 Why does Operational Risk originate? Explain. (5 Marks)
Multiple Choice Questions
Choose the most appropriate answer from the given options:
2.3 Which is not a drawback of Scenario Analysis?
(A) Assumes that the scenarios are equally probable
(B) Subjective in deciding how serious the risks are
(C) Implausible losses might be considered
(D) Considers the correlations between the risk factors

2.4 Which one of the following helps to relate characteristics of an event to the probability and severity of
the operational losses?
(A) Monte Carlo Simulation
(B) EWMA Model
(C) Statistical Analysis
(D) Factor or Causal Analysis
2.5 Standard Operating Procedure is a set of ……………..
(A) documents that guides operation of the hotel.
(B) procedures listing dos and don’ts.
(C) documents laying down policies and procedure to be followed in operation of the hotel.
(D) documents that lay down controls to be instituted.
2.6 The purpose of risk evaluation is to do the following. Which one of the following is not essential?
(A) Identify probabilities of failures and threats.
(B) Calculate the exposure i.e. possible damage or loss.
(C) Make control recommendations keeping cost-benefit analysis in mind.
(D) Get consensus from all concerned.
2.7 Technique involving acceleration of payments of hard currency and delaying payments of soft currency
payables to hedge forex exposure is called …………
(A) Netting
(B) Managing Blocked Funds
(C) Leading and Lagging
(D) None of these (2 x 5 = 10 Marks)
CASE STUDY: 3
ABC Ltd. is a Delhi based company. It was established in 2009 and deals in the manufacturing business of
high-end electronics distributed through retail superstore. The company is currently going through a rapid
growth phase. Its products are receiving good response from the market. The company is experiencing the
challenges of retaining good sales employees and developing an efficient financial system. Ravi Narain is
the CFO of the company.
ABC Ltd. has an outdated computerized accounting system which does not lock out the changes made
after the month end.
ABC is looking to develop a more effective and efficient financial system and considering implementing an
incentive plan for sales employees who are currently paid a flat salary.
ABC Ltd has a turnover of ₹ 800 crores in 2016-17 and was listed on Indian Stock exchange in 2014. Ajay
and Pawan are the newly appointed directors of Finance and Human Resource divisions respectively.
Ajay is a street smart finance professional and he played a critical role in the areas of budgeting and
forecasting, finance and asset management. He has a team of 25 people including Jatin and Mohit who
directly report to Ajay.
In spite of a limited salary, Ajay maintains a lavish style of living. Jatin maintains the journal entries
according to Ajay’s directions. One day HSBC bank notified Ravi Narain that Ajay’s personal credit card
balances were being paid off by ABC’s account. Since Ravi Narain was busy with a Board Meeting, he
confirmed that this might be reimbursement of his Travelling Expenses.
Jatin records the internet sales from the company’s retail outlet as well as carries out following functions:
1. Reconciliation of accounts receivable sub-ledger to general ledger
2. Mailing checks to vendors
3. Coding and recording of cheques received for deposit
Ravi normally never reviews financial details as he trusts Ajay.
On the Human Resource front, to overcome the problem of retaining the sales employees, the company has
recently hired Pawan as the HR director who is known for developing good HR policies to manage people
effectively and motivate them to perform well.
Pawan advised the management to implement a compensation plan of base salary and bonus instead of
fixed monthly salary. Sales incentive compensation is based on the performance of sales employees. The
performance can be measured by looking at the revenue they generate for the employees. The
management liked the proposal advised by Pawan and the compensation plan is finalized which was as
follows.
Base Salary: 35,000/month
Commission: 5% of Sales exceeding 10,00,000/month + 5% extra commission on sales made over and
above 20,00,000/-
Consequently, the present organization structure comes out as follows:

[Organization chart]
Board of Directors
  Managing director
    Ravi Narayan (Fi
      Ajay Kothari (Finance Manager)
        Jatin (Manager)
        Mohit (Manager)
    HR Head
      Pawan Pandey (Director)
        HR Manager
          HR Analysts
    IT head
      IT Director
        IT Manager
          IT Analysts
    Sales & Marketing
      Sales & Marketing Managers
        Support Staff

After passing some time, the Board of Directors started realizing that the company is facing liquidity crunch.
Also, the introduction of new compensation plan resulted in unhealthy competition among employees.
Some employees were less willing to provide assistance to struggling co-workers and would prefer to
improve their own productivity. It also promoted an environment of excessive risk-taking by the sales
employees for pursuing short term profits.
The company has a system of identification of risk but only at the functional level and not for processes.
Further these Risks are not communicated among various organization levels.
Descriptive Questions
3.1 Suppose you have been appointed as Risk Consultant and you have been asked to carry out independent
assessment of the Risk Governance Framework. Explain how you will carry out this assessment. (10 Marks)
3.2 Explain the limitation of Value at Risk (VaR). (5 Marks)
Multiple Choice Questions
Choose the most appropriate answer from the given options:
3.3 More risk in a project can be incorporated by decreasing …………
(A) estimated future cash inflows from the project
(B) initial investment in the project
(C) required rate of return of the project
(D) internal rate of return of the project
3.4 Bad credit history has the impact on borrower's future. A BCO score is a powerful measure of the
creditworthiness as a lender might refer. If FICO score is 750, the chance of default is ………
(A) 1%
(B) 2%
(C) 8%
(D) 61%
3.5 The following one is not the property for a coherent risk measure of …………..
(A) Subadditivity
(B) Homogeneity
(C) Monotonicity
(D) Monatomicity
3.6 The Delphi technique is a method which involves getting opinion on a process………….
(a) from an individual
(b) from a group of individuals
(c) from Regulator
(d) None of the above
3.7 Risk based Internal Audit is effective in ………
(a) pointing out the deficiencies in operations.
(b) identifying various risks beforehand and helps in remedying the situation.
(c) better monitoring of the system including review of SOP’s thereby leading to better efficiency in
operation.
(d) All of the above (2 x 5 = 10 Marks)
CASE STUDY: 4
Peoples Co-operative Bank Limited is a leading cooperative Bank headquartered in Bangalore.
The Bank has 39 branches located at various places in the City. It is a well established bank existing since
the year 1925 and is known for its ethical business practice and safeguarding of stakeholders’ interest since
inception. Board of Directors consist of eminent persons in public life and includes nominees from the
Government of Karnataka. The Bank also supervises operations of few other cooperative banks in Semi
Urban and rural areas. One of the main portfolios relating to advances is Agricultural Loan and advance to
Sugar Mills. Management of the Bank is headed by Managing Director supported by key executives at
various levels including Branches.
Financial performance of the Bank is summarised in the following table-
(₹ in lacs)
No. Particulars 2014-15 2015-16 2016-17 2017-18 2018-19
1 Share capital 23901.93 28222.33 41894.33 44511.02 49730.42
2 Reserves 64417.52 67883.01 71233.73 74849.42 82775.63
3 Deposits 711915.40 720147.66 736379.49 915142.35 951116.29
4 Borrowings 643928.70 619369.39 745510.46 643297.50 695172.29
5 Investments 459656.97 434654.68 353338.29 374970.06 341310.22
6 Loans & Advances 930284.53 950687.45 1077472.61 1091733.01 1204189.79
7 Gross Profit 7789.00 7023.08 6784.75 13344.06 18989.96
8 Net Profit 3030.00 3145.00 3300.00 3425.00 5000.00
9 Working Capital 1218827.40 1219020.35 1440603.51 1607606.96 1813067.88
10 Gross NPA 3.77% 3.25% 2.25% 4.39% 4.31%
11 Net NPA 2.37% 1.72% 0.91% 2.66% 2.41%

Deposits of the Bank include Term Deposits, Current account and Savings Bank Account.
Advances include Agricultural Advances, Consortium Advances, Advances to Sugar Mills, Housing Loans,
Advance against securities like Shares/ Gold/ NSC’s/ FDs/ Site advance/ Educational Loans, Personal
Loans, Professional Loans, Retail advances, Self employment loans, cash credit facility etc.
Besides these, the Bank also offers services like Issue of Bank Guarantee, Safe deposit lockers, and allied
services.
The Bank comes under the supervision of RBI and needs to report on various aspects relating to operation
to RBI periodically. Bank is also required to put in IT systems in compliance with RBI Guidelines covering
entire area of operations including monitoring of operations on day to day basis, reconciliation of
transactions and closing each day, interbank reconciliations, inter branch reporting etc.
Reserve Bank of India has issued detailed guidelines on implementation of IT systems dating from 2013 to
2019 covering several areas of operation culminating in a master Notification on Comprehensive Cyber
Security Frame Work for Primary (Urban) Cooperative Banks dated 31st December, 2019 including
appointment of Risk Management Committee. Board must consist of Professionals drawn from Banks,
Accountancy, and Legal etc. Source- RBI
Bank had invested in IT systems to take care of their needs and ensure control over operations at Head
Office and Branch Level on day to day basis. With exponential Growth in size and need to comply with RBI
Circulars and reporting requirements besides the Management desires to expand operations to Mobile
Banking, Net Banking, ATM operations etc. there is a need to put in place a robust IT System in place
which will take care of future requirements and meet the Cyber Security Framework to be in place by 2021.
Bank is also keen to put in sound Corporate Governance Structure.
Descriptive Questions
4.1 How is Random Loss measured in banking transactions and what are the factors that affect the
Credit Risk? (9 Marks)
4.2 What are the ground rules to assess the credit risks of a customer? (6 Marks)

Multiple Choice Questions
Choose the most appropriate answer from the given options:
4.3 OECD has developed set of principles for better corporate governance. The principle of Disclosures
and Transparency would NOT include ……………..
(A) Overseeing the process of disclosure and communications
(B) Foreseeable risk factors
(C) The financial and operating results of the company
(D) Company Objectives and non-financial information
4.4 Risk measures are expected to correctly reflect diversification effects and facilitate effective decision
making. This is achieved in ………………
(A) Stress testing measures
(B) Coherent risk measures
(C) Full revaluation methods
(D) VaR conversion methods
4.5 Instance of non-payment of income-tax on the due date would be most likely to show that ……
(A) the risk appetite of the firm is lower than its risk capacity.
(B) the firm has taken an internal risk.
(C) the firm has considered it as a residual risk.
(D) the risk appetite of the firm is higher than its risk capacity.
4.6. The following is not one of simplest techniques for country risk assessment to rank the countries:
(A) Numeral Coding Method
(B) Colour Coding Method
(C) Event Driven Method
(D) Taxation Method
4.7 Which of the following is not an Internal risk?
(a) Economic factors as price fluctuations, changes in consumer preferences, inflation, etc.
(b) Technological factors unforeseen changes in the techniques of production or distribution resulting
into technological obsolescence etc.
(c) Physical factors such as fire in the factory, damages to goods in transit, etc.
(d) Human factors as strikes and lock-outs by trade unions; negligence and dishonesty of an
employee; accidents or deaths in the factory etc. (2 x 5 = 10 Marks)
CASE STUDY: 5
TW Ceramics Limited was incorporated under the Indian Companies Act, 2013 to manufacture fine bone
china table ware like dinner sets, tea sets, mugs etc. as Export Oriented Unit. The Company was promoted
by a big industrial house having diverse interests in various areas ranging from power production and
distribution, heavy engineering, hospitality etc. It was a first time venture for the group who had no prior
experience in such area. The group is well established and enjoys tremendous brand image not only in
India but all over the world. Each Company under the Group is headed by professional managers at key
levels and Board of Directors consists of well-known persons with years of experience in their field. MIS
systems were robust and helped in periodical review and decision making. All Group Companies were
governed by a consolidated Company under governing council headed by very well-known professionals.
Exhibit-1
TW Ceramics Limited was a subsidiary Company of one of the Group Companies and majority of the shares
were held by the holding Company. The company decided to establish its facility in Export Promotion Zone
in close proximity to port to facilitate easy export of products. Besides this, all inputs are allowed to be
procured duty free subject to fulfilment of export volume equal to 75% of production.
Exhibit-2
TW Ceramics Limited decided to seek financial and technical collaboration from well known brands located
abroad since local units did not have the requisite technical expertise and quality required to meet global
standards. Idea of going in for financial collaboration together with technical collaboration was to ensure
interest of the foreign collaborator in the project. Accordingly, holding company (Promoter of TW Ceramics
Limited) held 70% of the equity shares thus retaining controlling interest and balance 30% was allotted to
the foreign entity after obtaining necessary approvals. Brands which enjoyed global reputation for tableware
are Wedgewood and Royaldowton based in UK and Noritaki based in Japan. Products of these Companies
are of Premium quality and commanded high price in global markets and hold close to 70% of global market
among themselves.
After due diligence and discussions collaboration agreement was executed between Wedgewood and the
Holding Company on behalf of TW Ceramics Limited. As per the agreement, holding Company will execute
the project using its resources and manpower with technical input from Wedgewood. Among other things
agreement provided for-
♦ Experts in erecting and commissioning facility to manufacture products for global markets will be
stationed in the factory and they will be responsible for ensuring inspection of equipment imported
including plant and machinery, advice on equipment selection, erection, lay out as per international
standards.
♦ Commissioning of the unit and ensuring quality in production by stationing their technical and
production person.
♦ Training of local managers in production, quality and technical aspects at their facility in UK.
♦ Initial assistance in Marketing of the product in overseas markets till local people can take over.
♦ All expenses in connection with deployment of expats will be the responsibility of TW Ceramics
Limited.
♦ Wedgewood will also provide all drawings and technical support for the project for which they will be
paid technical fee.
♦ In addition, they will assist in procurement of imported China clay till local sourcing is done.
♦ Commission of 5% will be paid on products sold through Wedgewood.
♦ All other aspects including commercial, local procurement, finance, legal, import export matters and
all clearances required will be the sole responsibility of TW Ceramics Limited who will execute the
project by deploying its manpower.
♦ Total project cost was pegged at ₹150 cr including all investments, project expenses and margin for
working capital.
Exhibit-3
Execution of project was undertaken by Managers deputed from Holding Company and required man power
in critical areas was appointed locally. Despite the backing of Group with manpower and money, the project
suffered delays on all fronts and cost overrun was inevitable. The technical team deputed by Wedgwood
was found wanting in areas of expertise and it was evident that they did not possess the knowledge or skills
required. Added to this the local team did not have any knowledge about the industry or the product and
relied heavily on the expats.
In anticipation of production commencing, management recruited the core team and manpower. This was
not a wrong move since the company wanted its people to be ready on all aspects of managing the
operations and also get required training to man production, procurement, quality and other aspects since
these cannot be learnt on the job.
The required technical training at the factory of Wedgewood did not take place despite repeated requests.
Since project was already delayed and had to be commissioned to meet norms of Export Processing Zone,
production was started by local team under the guidance of expat manager who had joined the company as
per agreement. It was decided that the technical team will undergo required training under him. Further
delay in commissioning the project would have meant losing all the benefits including duty saved on
imported equipment with attendant consequences. Ultimately, by the time project started operations cost
overrun was 30% over and above the estimate of ₹150 cr. Initial funding was done as follows-

| Particulars | Rupees in Cr. | Rupees in Cr. |
|---|---|---|
| Equity - 70% Holding Company | 35.00 | |
| Equity - 30% Foreign Collaborator | 5.00 | 50.00 |
| Term loan | | 100.00 |
| Total | | 150.00 |

Cost overrun on the project meant that holding Company was required to bring in more money since the
ultimate project cost came to ₹195 cr and Bank was sceptical in funding and demanded more to be brought
by the promoter whose resources were strained due to funding and meeting interest obligations on the loan
already availed.
Exhibit-4
Wedgewood went back on its commitment on initial marketing citing quality issues to market the products in
overseas markets. This meant that TW Ceramics were required to look for marketing and sales support
from day one which was not anticipated. Group had its own marketing arm which looked after export
markets for various products manufactured by the group. They were roped in to do the marketing of the
product. They did not possess required knowledge about the new product which spelt more problems for
TW Ceramics Limited. TW Ceramics were forced to obtain special permission from Commissioner
under 25% window to sell the product locally. This permission came with riders and. Added to this the first
lot of export of one million mugs was rejected by the consignee due to wrong pasting of decal and
damages amounting to one million dollars were slapped on the Company.
Top Management of the group did not want things to drift anymore and stepped in to stem the rot. They
decided to undertake a thorough investigation into the happenings and fix responsibility before deciding on
further course of action since the reputation of the Group was at stake.
Descriptive Questions
5.1 Explain various internal techniques to manage Foreign Exchange transaction exposure. (10 Marks)
5.2 Can there be a single strategy which is appropriate to all businesses to manage the foreign
exchange rate risk? Explain. (5 Marks)

Multiple Choice Questions
Choose the most appropriate answer from the given options:
5.3 ABN-Amro Bank, Amsterdam, wants to purchase ₹ 15 million against US$ for funding their Vostro
account with Canara Bank, New Delhi. Assuming the inter-bank rates of US$ is ₹ 51.3625/3700, what
would be the rate Canara Bank would quote to ABN-Amro Bank? Further, if the deal is struck, the
equivalent US$ amount would be ………………..
(A) US$ 2,92,041.86
(B) US$ 2,94,041.86
(C) US$ 2,91,999.22
(D) US$ 2,93,999.22
5.4 Which one of the following would a company be LEAST likely to choose as a common risk management
objective when framing the risk management approach?
(A) Enhance the level of risk maturity
(B) Allocate capital more efficiently
(C) Build safeguards against earnings-related surprises
(D) Achieve a better understanding of risk for competitive advantage
5.5 While taking a decision, the category risk profile bucket that would be most likely to escape the attention of
the Management is ……………..
(A) High Impact-Low Probability
(B) Low Impact-Low Probability
(C) High Impact-High Probability
(D) Low Impact-High Probability
5.6 Annual Report of the Board of Directors must include a statement indicating the development and
implementation of a risk management policy for a company. This is mandated by ……………..
(A) SEBI through 'Issue of Capital and Disclosure Requirements Regulations'
(B) Information Technology (Amendment) Act, 2008
(C) Companies Act, 2013
(D) Prevention of Money Laundering Act, 2002
5.7 Governance risks mean significant deficiencies that can impact the reputation, existence and continuity
of the organization. Such deficiencies would NOT occur because of
(A) Inappropriate practices adopted by the Board
(B) Inability of the Board to identify trivial risk facts that can impact business continuity
(C) Failure of the Board to direct and control the organization
(D) Collusion of management to override significant internal control mechanism causing financial
losses (2 x 5 = 10 Marks)

Test Series: November 2021
MOCK TEST PAPER
FINAL (NEW) COURSE: GROUP – II
PAPER – 6A: RISK MANAGEMENT
CASE STUDY: 1
1.1 Yes, it is correct. SEBI casts a lot of responsibilities on Directors of listed companies regarding Risk
Reporting because, as per the SEBI (Listing Obligations and Disclosure Requirements) Regulations
2015: -
(i) Under responsibility of Directors - Ensuring the integrity of the listed entity's accounting and
financial reporting systems, including the independent audit, and that appropriate systems of
control are in place, in particular, systems for risk management, financial and operational control,
and compliance with the law and relevant standards.
(ii) The Board of Directors shall ensure that, while rightly encouraging positive thinking, these do not
result in over-optimism that either leads to significant risks not being recognised or exposes the
listed entity to excessive risk.
(iii) The Board of Directors shall have ability to “step back” to assist executive management by
challenging the assumptions underlying: strategy, strategic initiatives (such as acquisitions), risk
appetite, exposures and the key areas of the listed entity’s focus.
(iv) The listed entity shall lay down procedures to inform members of board of directors about risk
assessment and minimization procedures.
(v) The Board of Directors shall be responsible for framing, implementing and monitoring the risk
management plan for the listed entity.
(vi) Risk Management Committee: - The board of directors shall constitute a Risk Management
Committee. Majority members of Risk Management Committee shall consist of members of the
board of directors. The Chairperson of the Risk management committee shall be a member of the
board of directors and senior executives of the listed entity may be members of the committee.
The board of directors shall define the role and responsibility of the Risk Management Committee
and may delegate monitoring and reviewing of the risk management plan to the committee and
such other functions as it may deem fit. The provisions of this regulation shall be applicable to
top 100 listed entities, determined based on market capitalisation, as at the end of the
immediately preceding financial year.
(vii) Under minimum information to be placed before the Board on a quarterly basis- Quarterly details
of foreign exchange exposures and the steps taken by management to limit the risks of adverse
exchange rate movement, if material.
(viii) Under disclosures in Annual Reports applicable to all listed entities except banks - Management
Discussion and Analysis: This section shall include discussion on the following matters within the
limits set by the listed entity’s competitive position in respect of various matters. (5 Marks)
1.2 In case the company plans to acquire any iron ore or coal mining company, this type of merger
will be called a Vertical Merger. (2 Marks)

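1.3 (i) Expected NPV
(₹ in Crore)

| Year I: CF | P | CF×P | Year II: CF | P | CF×P | Year III: CF | P | CF×P |
|---|---|---|---|---|---|---|---|---|
| 14 | 0.1 | 1.4 | 15 | 0.1 | 1.5 | 18 | 0.2 | 3.6 |
| 18 | 0.2 | 3.6 | 20 | 0.3 | 6.0 | 25 | 0.5 | 12.5 |
| 25 | 0.4 | 10.0 | 32 | 0.4 | 12.8 | 35 | 0.2 | 7.0 |
| 40 | 0.3 | 12.0 | 45 | 0.2 | 9 | 48 | 0.1 | 4.8 |
| x̄ or mean CF | | 27.0 | x̄ or mean CF | | 29.3 | x̄ or mean CF | | 27.9 |

| NPV | PV factor @ 6% | Total PV |
|---|---|---|
| 27 | 0.909 | 24.543 |
| 29.3 | 0.826 | 24.202 |
| 27.9 | 0.751 | 20.953 |
| PV of cash inflow | | 69.698 |
| Less: Cash outflow | | 50.000 |
| NPV | | 19.698 |
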
(ii) Possible deviation in the expected value
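Year I

| X − X̄ | X − X̄ | (X − X̄)² | P1 | (X − X̄)² × P1 |
|---|---|---|---|---|
| 14 – 27 | -13 | 169 | 0.1 | 16.9 |
| 18 – 27 | -9 | 81 | 0.2 | 16.2 |
| 25 – 27 | -2 | 4 | 0.4 | 1.6 |
| 40 – 27 | 13 | 169 | 0.3 | 50.7 |
| | | | | 85.4 |

$\sigma_1 = \sqrt{85.4} = 9.241$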

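Year II

| X − X̄ | X − X̄ | (X − X̄)² | P2 | (X − X̄)² × P2 |
|---|---|---|---|---|
| 15 – 29.3 | -14.3 | 204.49 | 0.1 | 20.449 |
| 20 – 29.3 | -9.3 | 86.49 | 0.3 | 25.947 |
| 32 – 29.3 | 2.7 | 7.29 | 0.4 | 2.916 |
| 45 – 29.3 | 15.7 | 246.49 | 0.2 | 49.298 |
| | | | | 98.61 |

$\sigma_2 = \sqrt{98.61} = 9.930$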

Year III

| X − X̄ | X − X̄ | (X − X̄)² | P3 | (X − X̄)² × P3 |
|---|---|---|---|---|
| 18 – 27.9 | -9.9 | 98.01 | 0.2 | 19.602 |
| 25 – 27.9 | -2.9 | 8.41 | 0.5 | 4.205 |
| 35 – 27.9 | 7.1 | 50.41 | 0.2 | 10.082 |
| 48 – 27.9 | 20.1 | 404.01 | 0.1 | 40.401 |
| | | | | 74.29 |


$\sigma_3 = \sqrt{74.29} = 8.619$

Standard deviation about the expected value:

$\sigma = \sqrt{85.40(0.909)^2 + 98.61(0.826)^4 + 74.29(0.751)^6} = 13.407$

Or
9.241 x 0.909 + 9.930 x 0.826 + 8.619 x 0.751 = 23.075
(8 Marks)
1.4 (B)
1.5 (A)
1.6 (D)
1.7 (D)
1.8 (C)
(2 x 5 = 10 Marks)
CASE STUDY: 2
2.1 Yes, Business Continuity is now an integral part of Operational Risk Management. Any of the risks we
enumerated above, can be triggered as part of an overall disruption that is caused by any or a
combination of the following reasons:
(a) Natural disaster affecting services of either technology solutions and/or the business process
itself; to elaborate, a situation to invoke BCP may exist in a case of natural disaster like flood,
where staff of a company are unable to go to office; or, it may be a combination of situation
where the technology solutions of the company that is required for daily functioning of the
organisation is also not working;
(b) Civic infrastructural failures like essential services of electricity or transport being brought down
due to terrorist attacks or natural disasters;
(c) Keyman risk due to death or incapacitation of key decision makers in a company leading to
chaos in management of the company;
(d) Failure of one department or function to do their assigned tasks in a case of disruption may
cause the entire process to delivery of the organisation;
(e) In current business scenario, several organisations concentrate their operational activities in one
major operational hub; these organisations are at a higher BCP risk than the ones with
operations in several hubs if they are geared to support each other in a moment of crisis.
(10 Marks)
2.2 Operational Risk originates because of following reasons:
(a) Inadequately defined products and services which may not be compliant to industry regulations,
and/or may be exposed to risk of mis-selling;
(b) Inadequately defined policies and processes which would directly adversely impact quality of
controls like checks and balances, segregation of duties as may be required;
(c) Inadequate technology functionality, or infrastructure that exists in any technology supported
environment, which organisations use in respective business operations;
(d) Internal or external crime that takes advantage of gaps in processes for unlawful gain, i.e. fraud;

(e) External events like terrorist attacks or natural disasters that disrupt business or cause financial
losses;
(f) Change in the environment of the industry sector (including significant regulatory changes) that
impacts the operational risk profile of an organisation. (5 Marks)
2.3 (D)
2.4 (D)
2.5 (C)
2.6 (D)
2.7 (C)
(2 x 5 = 10 Marks)
CASE STUDY: 3
3.1 A Risk Management Framework (RMF) sets the foundations and organisational arrangements for
designing, implementing, monitoring, reviewing and continually improving risk management capability.
Undertaking a periodic review to assess the effectiveness of an entity’s risk management framework is
necessary to ensure that the framework continues to evolve and meet the needs of the entity. The
RMF should define a policy statement on the following matters:-
(i) Determining when to review the RMF and the frequency for undertaking the review.
(ii) Deciding who is responsible for the review. The RMF is generally reviewed by the Audit
Committee or a team of Directors. Once in a few years the RMF can be reviewed with external
facilitation; this would provide fresh insights and benchmarking information to the Board.
(iii) Selecting the scope and method for a review. The scope and boundary of the RMF review can be
clearly set out along with the most suited method for review.
(iv) Manner of circulation of results.
The Board requires a periodic independent assessment of the firm’s overall risk governance
framework and provides direct oversight to the process.
The Board should assess whether the organisation has the required stature, talent, and character
needed to provide a reliable independent assessment of the firm’s risk governance framework and
internal controls and not be unduly influenced by the CEO and other members of management;
Organisations may develop an entity level control framework on the basis of the Sound Risk
Governance Principles prescribed by the Financial Stability Board for evaluating Governance Risks.
The results and findings from the said entity level control assessment may be submitted to the Board
of the company on an annual basis and suitably disclosed as part of its risk disclosures. (10 Marks)
3.2 VaR has its drawbacks as a risk measure. VaR estimates can be subject to errors, model risk and
implementation risk. However, such problems are common to all risk measurement systems.
(a) VaR uninformative of tail losses – VaR tells us the most we can lose if a tail event does not
occur. It tells us the most we can lose 95% of the time but tells us nothing about what we can
lose on the remaining 5% of the occasions. If a tail event (i.e. loss in excess of VaR) does occur,
we can expect to lose more than the VaR but VaR itself does not give any indication of how much
that might be.
(b) VaR can create perverse Incentives Structures – It is not feasible to use information about VaR
at multiple confidence levels and where it is not, the failure of VaR to take account of losses in
excess of itself can create some perverse outcomes. For example, an investor using a VaR risk
measure can easily end up with perverse positions because a VaR based risk return analysis

fails to take account of the magnitude of the losses in excess of VaR. If a particular investment
has a higher expected return at the expense of the possibility of a higher loss, a VaR based
decision will suggest that we should make that investment if the higher loss does not affect the
VaR regardless of the size of the higher expected return and the size of higher expected loss.
Such a rule accepts any investment that increases expected return regardless of the possible
loss, and the investor who makes decisions in this way is asking for trouble.
(c) VaR can discourage diversification – Another drawback is that VaR can discourage
diversification. The VaR of the diversified portfolio is much larger than the VaR of the
undiversified one. So, a VaR measure can discourage diversification of risks because it fails to
take into account the magnitude of losses in excess of VaR.
(d) VaR not sub-additive – Sub–additivity means that aggregating individual risks does not increase
overall risk. Sub-additivity matters for a number of reasons. If the risks are sub-additive then
adding risks together would give us an overestimate of combined risk. This facilitates
decentralised decision making within a firm as we can always use the sum of the risks of the
units as a conservative measure. But if the risks are not sub-additive, adding them together gives
us an underestimate of combined risks, and this makes the sum of risks effectively useless as a
risk measure. In risk management, we want our risk estimates to be either unbiased or biased
conservatively. (5 Marks)
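The tail-loss, diversification and sub-additivity drawbacks in 3.2 can be checked numerically. The following Python sketch is an added example, not part of the ICAI answer; the loans, the 4% default probability, the zero recovery rate and the exposures of 100 and 200 are constructed values.

```python
from itertools import product

# Constructed sample data: (exposure, default probability, recovery rate).
LOAN_A = (100.0, 0.04, 0.0)
LOAN_B = (100.0, 0.04, 0.0)      # independent of LOAN_A
BIG_LOAN = (200.0, 0.04, 0.0)    # same total exposure, single borrower


def loss_distribution(loans):
    """Exact loss distribution for independent loans as {loss: probability}."""
    dist = {}
    for outcome in product((False, True), repeat=len(loans)):
        prob, loss = 1.0, 0.0
        for defaulted, (exposure, pd, recovery) in zip(outcome, loans):
            prob *= pd if defaulted else 1.0 - pd
            if defaulted:
                loss += exposure * (1.0 - recovery)
        loss = round(loss, 6)
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist


def value_at_risk(dist, confidence=0.95):
    """Smallest loss L such that P(loss <= L) >= confidence."""
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= confidence - 1e-12:
            return loss
    return max(dist)


def mean_loss_beyond(dist, threshold):
    """Average loss over the outcomes that exceed the threshold (the tail)."""
    tail = [(loss, p) for loss, p in dist.items() if loss > threshold]
    tail_prob = sum(p for _, p in tail)
    if tail_prob == 0.0:
        return 0.0
    return sum(loss * p for loss, p in tail) / tail_prob


def compare():
    """Compare one loan, two independent loans, and one concentrated loan."""
    single = loss_distribution([LOAN_A])
    pair = loss_distribution([LOAN_A, LOAN_B])
    concentrated = loss_distribution([BIG_LOAN])
    var_single = value_at_risk(single)
    var_concentrated = value_at_risk(concentrated)
    return {
        # (d) sub-additivity fails: VaR(A) + VaR(B) < VaR(A + B)
        "sum_of_standalone_var": var_single + value_at_risk(loss_distribution([LOAN_B])),
        "var_diversified": value_at_risk(pair),
        # (c) the concentrated book looks safer than the diversified one
        "var_concentrated": var_concentrated,
        # (a) equal VaR, very different losses once the tail event occurs
        "tail_loss_single": mean_loss_beyond(single, var_single),
        "tail_loss_concentrated": mean_loss_beyond(concentrated, var_concentrated),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.2f}")
```

Each loan alone defaults with 4% probability, which is inside the 5% tail the 95% VaR ignores, so its VaR is zero; with two such loans the chance of at least one default rises above 5% and the VaR jumps to 100.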
3.3 (A)
3.4 (B)
3.5 (D)
3.6 (B)
3.7 (D) (2 x 5 = 10 Marks)
CASE STUDY: 4
4.1 To measure random loss, the following formula can be used:
D × A × (1 – R)
D = Default %
A = Amount of Exposure
R = Recovery Rate %
This default % can also be computed through probability.
The factors affecting the credit risk of a bank can be divided into following two categories:
(i) Internal Factors: These factors are internal to the bank, some of these are as follows:
(a) Concentration of credit in particular geographical locations or business segments.
(b) Excessive lending to a particular industry that is subject to cyclical fluctuations.
(c) Ignoring the purpose for which loan was sought by the customer.
(d) Poor Quality or Liberal Credit Appraisal while granting the loan.
(e) Absence of efficient recovery mechanism.
(ii) External Factors: These factors are external to the bank and beyond its controls. These factors
not only impact the profitability of the borrower but also affect their repayment capability. Some of
such external factors are as follows:
(a) Fluctuation in Exchange Rate.
(b) Change in Govt. Policies.
(c) Fluctuation in Interest Rates.
(d) Change in Political Environment of the own country.
(e) In case of Foreign project change in Country Risk profile. (9 Marks)
4.2 In this section, let’s understand what are the ground rules to assess credit risks of the customer.
(1) Understand the reality: As a lender you need to ensure that you made your customer aware of all
the charges and fees associated with the credit which you are planning to extend to the
customer. This is critical as customer might be at negotiation stance to have maximum benefit
from your line of credit. The longer he takes to negotiate, the higher the possibility that pay off will
be late. So communicate the implicit and non-implicit costs that are associated with it. Even
administrative aspects are also important as they sometimes drive the business decision to have
line of credit or not.
(2) Check the credibility: It may be possible that customer externally looks reliable to the
organization, but that does not mean that the customer has full ability to pay off appropriately and
regularly. You need to understand the credibility that the customer possesses. And for that
purpose, lender organization should rely on the reports which are available. Or they can consider
going through the credit scoring agencies to ensure the customer has the paying ability. Even
asking for the basic information will provide you a rough idea about the credit history of the
customer. It is always better to take the help of professionals during this step. Engage the
professional and rely on their expertise. During this stage, credit evaluation is very critical.
(3) Ask and Check the references: It’s absolutely ok to ask the customer for references. A list of
creditable clients is a much more reliable source than anything else. It’s important for the
lender organization to understand from whom the customer has been given trade credit in the past and how
old the relationship with such counterparty is. This will establish a pattern to understand if the
customer has a tendency to maintain the business relation or it’s just a pure business. Also,
asking for a reference from a third party proves to be an independent source to verify the commitment
made by the customers.
(4) Due Diligence: When a lender is convinced to provide a line of credit to the customer, it is his duty
to have proper due diligence in place to ensure the line of credit is being placed in a safe pair of
hands. Irrespective of the professionals' involvement in the due diligence process, the lender still has the
moral responsibility to perform the due diligence on its own. This can be achieved by simply
visiting the website, assessing the market creditability etc. Basically, publicly sourced
information is pretty useful in such cases.
(5) Recovery: Lender organization or its employee must understand that every single rupee invested
in the customer has cost involved in it. An effort should be made to ensure that this minimal cost
of capital should be recovered from the customer. This can be achieved by simply asking your
prospect for a deposit or the collateral.
(6) Nature of business: One should not hesitate to ask for the nature of business in which the borrower
is dealing. This will give a fair bit item on risk exposure and also provide adequate comfort to
the lender. (6 Marks)
Multiple Choice Questions
Choose the most appropriate answer from the given options:
4.3 (A)
4.4 (B)
4.5 (D)
4.6. (D)
4.7 (A)
(2 x 5 = 10 Marks)

CASE STUDY: 5
5.1 Internal Techniques explicitly do not involve transaction costs and can be used to completely or
partially offset the exposure.
These techniques can be classified as follows:
(i) Invoicing in Domestic Currency: Sellers will usually wish to sell in their own currency or the
currency in which they incur cost. This avoids foreign exchange exposure but buyers' preferences
may be for other currencies. Many markets, such as oil or aluminum, in effect require that sales
be made in the same currency as that quoted by major competitors, which may not be the seller's
own currency. In a buyer's market, sellers tend increasingly to invoice in the buyer's ideal
currency. The closer the seller can approximate the buyer's aims, the greater chance he or she
has to make the sale.
Should the seller elect to invoice in foreign currency, perhaps because the prospective customer
prefers it that way or because sellers tend to follow market leader, then the seller should choose
only a major currency in which there is an active forward market for maturities at least as long as
the payment period. Currencies, which are of limited convertibility, chronically weak, or with only
a limited forward market, should not be considered.
The seller’s ideal currency is either his own, or one which is stable relative to it but often the
seller is forced to choose the market leader’s currency. Whatever the chosen currency, it should
certainly be one with a deep forward market. For the buyer, the ideal currency is usually its own
or one that is stable relative to it, or it may be a currency of which the purchaser has reserves.
(ii) Leading and Lagging: Leading and Lagging refer to adjustments at the time of payments in
foreign currencies. Leading is the payment before due date while lagging is delaying payment
post the due date. These techniques are aimed at taking advantage of expected devaluation
and/or revaluation of relevant currencies. Lead and lag payments are of special importance in the
event that forward contracts remain inconclusive. For example, subsidiary b in country B owes
money to subsidiary a in country A with payment due in three months’ time and with the debt
denominated in US dollar. On the other side, country B’s currency is expected to devalue within
three months against US dollar, vis-à-vis country A’s currency. Under these circumstances, if
company b leads (pays early), it will have to part with less of country B’s currency to buy US
dollars to make payment to company a. Therefore, lead is attractive for the company. When we
reverse the example (revaluation expectation), lagging could be attractive.
(iii) Netting: Netting involves associated companies, which trade with each other. The technique is
simple. Group companies merely settle inter affiliate indebtedness for the net amount owing.
Gross intra-group trade, receivables and payables are netted out. The simplest scheme is known
as bilateral netting and involves pairs of companies. Each pair of associates nets out their own
individual positions with each other and cash flows are reduced by the lower of each company's
purchases from or sales to its netting partner. Bilateral netting involves no attempt to bring in the
net positions of other group companies.
Netting basically reduces the number of inter company payments and receipts which pass over
the foreign exchanges. Fairly straightforward to operate, the main practical problem in bilateral
netting is usually the decision about which currency to use for settlement.
Netting reduces banking costs and increases central control of inter company settlements. The
reduced number and amount of payments yield savings in terms of buy/sell spreads in the spot
and forward markets and reduced bank charges.
(iv) Matching: Although netting and matching are terms which are frequently used interchangeably,
there are distinctions. Netting is a term applied to potential flows within a group of companies
whereas matching can be applied to both intra-group and to third-party balancing.

Matching is a mechanism whereby a company matches its foreign currency inflows with its
foreign currency outflows in respect of amount and approximate timing. Receipts in a particular
currency are used to make payments in that currency thereby reducing the need for a group of
companies to go through the foreign exchange markets to the unmatched portion of foreign
currency cash flows.
The prerequisite for a matching operation is a two-way cash flow in the same foreign currency within a
group of companies; this gives rise to a potential for natural matching. This should be distinguished
from parallel matching, in which the matching is achieved with receipt and payment in different
currencies but these currencies are expected to move closely together, near enough in parallel.
Both Netting and Matching presuppose that there are enabling Exchange Control regulations. For
example, an MNC subsidiary in India cannot net its receivable(s) and payable(s) from/to its
associated entities. Receivables have to be received separately and payables have to be paid
separately.
(v) Price Variation: Price variation involves increasing selling prices to counter the adverse effects of
exchange rate change. This tactic raises the question as to why the company has not already
raised prices if it is able to do so. In some countries, price increases are the only legally available
tactic of exposure management.
Let us now concentrate on price variation in inter-company trade. Transfer pricing is the term
used to refer to the pricing of goods and services which change hands within a group of
companies. As an exposure management technique, transfer price variation refers to the arbitrary
pricing of inter-company sales of goods and services at a higher or lower price than the fair,
arm’s length price. This fair price will be the market price if there is an existing market or, if there
is not, the price which would be charged to a third party customer. Taxation authorities, customs
and excise departments and exchange control regulations in most countries require that the
arm’s length pricing should be used.
(vi) Asset and Liability Management: This technique can be used to manage balance sheet, income
statement or cash flow exposures. Concentration on cash flow exposure makes economic sense
but emphasis on pure translation exposure is misplaced. Hence our focus here is on asset
liability management as a cash flow exposure management technique.
In essence, asset and liability management can involve aggressive or defensive postures. In the
aggressive attitude, the firm simply increases exposed cash inflows denominated in currencies
expected to be strong or increases exposed cash outflows denominated in weak currencies. By
contrast, the defensive approach involves matching cash inflows and outflows according to their
currency of denomination, irrespective of whether they are in strong or weak currencies.
(10 Marks)
5.2 There can be no single strategy which is appropriate to all businesses. Four separate strategy options
are feasible for exposure management.

Exposure Management Strategies

(1) Low Risk - Low Reward: This option involves automatic hedging of exposures in the forward
market as soon as they arise, irrespective of the attractiveness or otherwise of the forward rate.
The merits of this approach are that yields and costs of the transaction are known and there is
little risk of cash flow destabilization. Again, this option doesn't require any investment of
management time or effort. The negative side is that automatic hedging at whatever rates are
available is hardly likely to result in optimum costs. At least some managements seem to prefer
this strategy on the grounds that an active management of exposures is not really their business.
In the floating rate era, currencies outside their home countries, in terms of their exchange rate,
have assumed the characteristics of commodities. And a business whose costs depend
significantly on commodity prices can hardly afford not to take views on the price of the
commodity. Hence this does not seem to be an optimum strategy.
(2) Low Risk - Reasonable Reward: This strategy requires selective hedging of exposures whenever
forward rates are attractive but keeping exposures open whenever they are not. Successful
pursuit of this strategy requires quantification of expectations about the future and the rewards
would depend upon the accuracy of the prediction. This option is similar to an investment
strategy of a combination of bonds and equities with the proportion of the two components
depending on the attractiveness of prices. In foreign exchange exposure terms, hedged positions
are similar to bonds (known costs or yields) and unhedged ones to equities (uncertain returns).
(3) High Risk - Low Reward: Perhaps the worst strategy is to leave all exposures unhedged. The risk
of destabilization of cash flows is very high. The merit is zero investment of managerial time or
effort.
(4) High Risk - High Reward: This strategy involves active trading in the currency market through
continuous cancellations and re-bookings of forward contracts. With exchange controls relaxed in
India in recent times, a few of the larger companies are adopting this strategy. In effect, this
requires the trading function to become a profit centre. This strategy, if it has to be adopted,
should be done in full consciousness of the risks. (5 Marks)
5.3 (A)
5.4 (A)
5.5 (A)
5.6 (C)
5.7 (B)
(2 x 5 = 10 Marks)

Query Sheet for Mock Test Paper Nov 21_By CA Shivam Palan_CA Monk_Target80+RM

| Case Study No. | Question no. | Question Type | Reference in AIQ | Additional Details |
|---|---|---|---|---|
| Case Study 1 (Same Case Study with different Question Case Study 3 May 2018 --> Page no 87 AIQ) | 1.1 | Direct Question | NA | Refer Page no. 4.17 ICAI Material |
| | 1.2 | Understanding Based Question | NA | A vertical merger is a merger of two or more companies that are at different stages of a supply chain in the production of common products or services. For example, Company A is a manufacturer of handbags and Company B supplies the leather that is used to make these handbags. A horizontal merger is a merger or business consolidation that occurs between firms that operate in the same industry. Competition tends to be higher among companies operating in the same space, meaning synergies and potential gains in market share are much greater for merging firms. |
| | 1.3 | IPCC Question | NA | Note: Don't forget to discount to SD & there is correction in the solution, answer will be 23.075 |
| | 1.4 | Repeated Question | (Q 1.7) MTP March 2019; Page no 139 | NA |
| | 1.5 | Repeated Question | (Q 1.9) MTP March 2019; Page no 139 | NA |
| | 1.6 | Repeated Question | (Q 3.4) MTP May 2020; Page no 238 | NA |
| | 1.7 | Understanding Based Question | NA | NA |
| | 1.8 | Repeated Question | (Q iv) Case Study 1 Page no 2 | NA |

| Case Study No. | Question no. | Question Type | Reference in AIQ | Additional Details |
|---|---|---|---|---|
| Case Study 2 (Same Case Study with Different Question Case Study 3 Page no 142) | 2.1 | Direct Question | NA | Refer Page no. 9.21 ICAI Material |
| | 2.2 | Direct Question | NA | Refer Page no. 9.2 ICAI Material |
| | 2.3 | Repeated Question | (Q v) Case Study 2 Aug 2018 MTP Page no. 103 | NA |
| | 2.4 | Repeated Question | (Q vi) Case Study 2 Aug 2018 MTP Page no. 103 | NA |
| | 2.5 | Understanding Based Question | NA | Refer page no. 9.9 ICAI Material |
| | 2.6 | Repeated Question | (Q 5.4) Case Study 5 Nov 2019 Exam Page no. 223 | NA |
| | 2.7 | Repeated Question | (Q 6) Case Study 2 Page no 22 | NA |
| Case Study 3 (Same Case Study with different Question Case Study 2 Page no. 20) | 3.1 | Repeated Question | (Q v) Case Study 2 Page no 21 | NA |
| | 3.2 | Direct Question | NA | Refer page no. 5.7 ICAI Material |
| | 3.3 | Repeated Question | (Q 9) Case Study 2 Page no 23 | NA |
| | 3.4 | Repeated Question | (Q 3.3) March 2019 MTP Page no 144 | NA |
| | 3.5 | Repeated Question | (Q 3.5) March 2019 MTP Page no 144 | NA |
| | 3.6 | Repeated Question | (Q 5.3) MTP Oct 2019 Page no 191 | NA |
| | 3.7 | Understanding Based Question | NA | NA |

| Case Study No. | Question no. | Question Type | Reference in AIQ | Additional Details |
|---|---|---|---|---|
| Case Study 4 (Same Case Study with different Question Case Study 16 Page no. 397) | 4.1 | Direct Question | NA | Refer Page no. 6.3 of ICAI Material |
| | 4.2 | Direct Question | NA | Refer Page no. 6.8 of ICAI Material |
| | 4.3 | Repeated Question | (Q 12) May 2018 Exam Page no. 70 | NA |
| | 4.4 | Repeated Question | (Q ix) May 2018 Exam Page no. 79 | NA |
| | 4.5 | Repeated Question | (Q 2.1) Nov 2019 Page no 209 | NA |
| | 4.6 | Repeated Question | (Q 1.4) MTP March 2019 Page no. 138 | NA |
| | 4.7 | Repeated Question | (Q ii) MTP Aug 2018 Page no. 103 | NA |
| Case Study 5 (Same Case Study with different Question Case Study 18 Page no. 413) | 5.1 | Direct Question | NA | Refer Page no. 9.21 ICAI Material (SFM) |
| | 5.2 | Direct Question | NA | Refer Page no. 9.40 ICAI Material (SFM) |
| | 5.3 | Repeated Question | (Q ix) Case Study 1 Page no. 3 | NA |
| | 5.4 | Repeated Question | (Q 19) May 2018 Page no. 71 | NA |
| | 5.5 | Repeated Question | (Q 5) May 2018 Page no. 89 | NA |
| | 5.6 | Repeated Question | (Q 2.11) MTP March 2019 Page no. 141 | NA |
| | 5.7 | Repeated Question | (Q 6) MTP May 2018 Page no. 89 | NA |
