LEARNING UNIT 2 – PART I

RISK MANAGEMENT AND GOVERNANCE

Copy Right Reserved © University of the Free State 2024 1

 LEARNING OUTCOMES:
After completing this learning unit, students should be able to:
 Explain the concept of risk within a business or an organisation (business risk).
 Identify and explain the different types of risks (internal and external risks).
 Explain the risk management process.
 Explain key concepts/components of the risk management process.
 Explain how risks can be identified.
 Explain how risks are assessed and evaluated briefly.
 Identify and explain the different types of risk responses.
 Explain the implications of ineffective risk management (consequences).
 Explain who is responsible for the risk management process.
 Explain the monitoring, documentation and reporting of risks within a business or
organisation.
LU2: Study Guide, Page 5 Copy Right Reserved © University of the Free State 2024 2
 RESIDUAL RISK:
• Residual risk is the risks that remains after taking into consideration the
effectiveness of the entity’s response to risk.
• Risk response might not eliminate the risk but reduce the likelihood of
occurring and/or impact thereof if it occurs.
• Consider whether the remaining risk is acceptable or not.
• Depends on the risk appetite and tolerance levels.
• Example: Risk of Theft

LU2: Study Guide, Page 18 Copy Right Reserved © University of the Free State 2024 22
 RESPONSIBILITY FOR RISK
M A N A G E M E N T:

• The board of directors (those charged with governance) is ultimately

responsible for risk management.
• Assisted by board committees (Risk Committee and Audit Committee)
• Internal audit function evaluates the effectiveness of the risk
management process (design and implementation).
• In line with the recommended practices of the King IV Code on
corporate governance.

LU2: Study Guide, Page 19 Copy Right Reserved © University of the Free State 2024 23
 R I S K D O C U M E N TAT I O N :
• Business risks should be documented in a Risk Register:
• Internal document that is not published
• There will be separate risk registers for each area of the business
• It is a managerial control because it records the risks, the controls
(response to risk) and the persons responsible for managing the risk
• It is a document that will be reviewed by management and by the
Audit Committee and Risk Committee to ensure there is a policy of
risk management in place

LU2: Study Guide, Page 19, 21 Copy Right Reserved © University of the Free State 2024 24
 R I S K D O C U M E N TAT I O N :
• Key aspects should be documented in the risk register:
• Business risks identified
• Likelihood and impact
• Ranking / prioritizing
• Response to risks identified
• Responsibility

• See the next slide for an example of a risk register.

LU2: Study Guide, Page 19, 21 Copy Right Reserved © University of the Free State 2024 25
Risk Register example Copy Right Reserved © University of the Free State 2024 26
 CONSEQUENCE OF AN INEFFECTIVE
RISKS MANAGEMENT SYSTEM:
• An effective risk management system: Proactively anticipate future adverse or positive
events that result in predictable outcomes.
• Consequences of not implementing an effective system:

Not identify all Incorrect evaluation Ineffectively respond

business risks of business risks to business risks

LU2: Study Guide, Page 22 Copy Right Reserved © University of the Free State 2024 27
ANY
QUESTIONS?

Copy Right Reserved © University of the Free State 2024 29