
RSK2601 Study Guide

© 2021 University of South Africa

All rights reserved

Printed and published by the


University of South Africa
Muckleneuk, Pretoria

RSK2601/1/2021–2022

10021450

CONTENTS

TOPIC 1: ENTERPRISE RISK MANAGEMENT IN CONTEXT

LEARNING UNIT 1: Introduction
1.1 Introduction
1.2 Risk diversity
1.3 Approach to risk management
1.4 Business growth through risk-taking
1.5 Risk and opportunity
1.6 The role of the board
1.7 Primary business objective (or goal)
1.8 What is ERM?
1.9 Benefits of ERM
1.10 ERM structure

LEARNING UNIT 2: Corporate governance
2.1 Introduction
2.2 Definition of corporate governance
2.3 The impact of corporate governance on business
2.4 The history of corporate governance in South Africa
2.5 The future of corporate governance
2.6 Corporate governance: additional information

TOPIC 2: ENTERPRISE RISK MANAGEMENT

LEARNING UNIT 3: ERM: Establishing the context
3.1 Establishing the context: Stage 1
3.2 Process mechanisms
3.3 Risk study process activities

LEARNING UNIT 4: The ERM process
4.1 Risk identification: Stage 2
4.2 Risk analysis: Stage 3
4.3 Risk evaluation: Stage 4
4.4 Risk treatment: Stage 5
4.5 Monitoring and review: Stage 6
4.6 Communication and consultation: Stage 7

TOPIC 3: INTERNAL INFLUENCES – MICRO FACTORS

LEARNING UNIT 5: Financial risk management
5.1 Introduction
5.2 Scope of financial risk
5.3 Benefits of financial risk management
5.4 Implementation of financial risk management
5.5 Liquidity risk
5.6 Credit risk
5.7 Borrowing
5.8 Currency (or foreign exchange) risk
5.9 Foreign investment risk
5.10 Derivatives

LEARNING UNIT 6: Operational risk management
6.1 Introduction
6.2 Definition and scope of operational risk
6.3 Benefits and implementation of operational risk
6.4 Strategy
6.5 People
6.6 Processes and systems
6.7 External events
6.8 Outsourcing
6.9 Measurement
6.10 Mitigation

LEARNING UNIT 7: Technological risk management
7.1 Introduction
7.2 Definition and scope of technology risk
7.3 Benefits of technology risk management
7.4 Implementation of technology risk management
7.5 Primary technology types
7.6 Responding to technology risk

LEARNING UNIT 8: Project risk management
8.1 Introduction
8.2 Definition of project risk and project risk management
8.3 Sources of project risk
8.4 Benefits of project risk management
8.5 Implementation of PRM
8.6 The PRM process
8.7 Role of the project director
8.8 The project team and the challenges they face
8.9 Techniques used to support PRM

LEARNING UNIT 9: Business ethics management
9.1 Introduction
9.2 Definition of business ethical risk
9.3 Benefits of ethical risk management
9.4 Factors that affect business ethics
9.5 Implementation of ethical risk management

LEARNING UNIT 10: Health and safety management
10.1 Introduction
10.2 Definition and scope of health and safety risk
10.3 Benefits of health and safety risk management
10.4 Implementation of health and safety risk management
10.5 Contribution of human error to major disasters
10.6 Improving human reliability in the workplace
10.7 Risk management best practice

TOPIC 4: EXTERNAL INFLUENCES – MACRO FACTORS

LEARNING UNIT 11: ERM – External factors
11.1 Economic risk
11.2 Environmental risk
11.3 Legal risk
11.4 Political risk
11.5 Market risk
11.6 Social risk

BIBLIOGRAPHY

Dear Students
I wish to extend a warm welcome to all of you registered for the module Enterprise Risk Management, RSK2601.

This module is offered online. Your online study material is uploaded under Lessons on the
RSK2601 module site on myUnisa.

Please note that this module is designed in such a way that in order to master the content
and learning outcomes you will need to devote at least 120 hours per semester to
it. You are likely to find the assignments and examination paper very difficult if you
have not invested the required time in the subject.

Structure of the online course


Tuition will take the form of lessons posted on myUnisa. These lessons cover the following topics:
• ERM in context
• Enterprise risk management
• Internal influences – micro factors
• External influences – macro factors

Each lesson contains sections to study and sections to read in the prescribed textbook. The
“study” sections are important for examination purposes, but I would like you to pay attention
to the sections I indicate for you to read, as these will give you context and background
to the content being discussed.

Prescribed book
The compulsory prescribed textbook for this module is:
Chapman, RJ. 2013. Simple tools and techniques for enterprise risk management. 2nd edition.
John Wiley and Sons (ISBN 9781118742426) (Paperback).

This book is available at any of the official Unisa bookstores. You will find additional contact
details under Prescribed Books on the RSK2601 site on myUnisa or in Tutorial Letter 101.

Assignments
Formative assessment in the form of multiple-choice and written assignments is available
under Lessons on myUnisa. The assignments are also available in Tutorial Letter 101, uploaded
on myUnisa.

The suggested solutions for the assignments will be provided in Tutorial Letters 201 and 202
under Lessons on myUnisa two weeks after the respective assignment due dates. Please
note that no printed versions of these tutorial letters will be available.

Discussion forums
We will initiate discussions on relevant topics covered in the study guide. The purpose of
the discussion forums is to discuss particular subject-related information and make contributions
where possible. Please make every effort to contribute to the discussions, as participating
in them will increase your knowledge and insight into the subject.

Announcements
Special instructions and relevant information will be shared via Announcements on myUnisa.
If you have not changed the default Unisa e-mail address to your work or home e-mail address,
please ensure that you log on at least once a week to read the announcements.

Examination
The examination paper will contain both multiple-choice and written questions. Additional
information about the examination and format of the paper will be made available in Tutorial
Letter 101.

I wish you every success with the module.

Regards
Your Lecturer

MODULE AIM AND OUTCOMES

AIM OF THIS MODULE


This module deals with the management of risk as it is practised by enterprises in the public,
private and non-profit sectors. Historically, risk management has focused on avoiding the
adverse consequences of risk. Today, however, risk management is about something entirely
different – the integrated and coordinated management of all types of risks and effects on
an enterprise-wide basis. This module will equip you to define and classify risks, define and
implement corporate governance and propose and implement enterprise risk management
(ERM) in your organisation. RSK2601 aims to explain risk management as an enterprise-wide
concept and propose a framework for implementing ERM in an enterprise. The module will
also provide a foundation for later courses and modules in risk management.

MODULE OUTCOMES
At the end of this module, you should be able to
• define and classify risks, risk management and enterprise risk management.
• define and implement good corporate governance.
• propose and implement an ERM framework/process in the workplace or business.
• identify and understand the macro and micro external influences on a business.

In addition to teaching you technical skills, this module also aims to achieve the following
general goals of a broad-based education:

• To encourage critical thinking, including moral and ethical reasoning. (This module examines
numerous logical choices that require critical thinking. A study of risk management and
corporate governance invariably covers a number of moral and ethical issues, including
how an organisation deals with risks and the consequences.)
• To gain a deeper understanding of human behaviour. (There are psychological explanations
for many risk management issues, such as the role human behaviour plays in preventing
and causing losses.)
• To integrate knowledge across various disciplines. (The study of risk management not only
requires an understanding of business management, but also involves the application of
some of the principles of economics, law and mathematics.)

FRAMEWORK AND CONTENT


1. FRAMEWORK OF THE MODULE
This module consists of the following topics:

Topic number   Topic name
1              Enterprise risk management in context
2              Enterprise risk management
3              Internal influences – micro factors
4              External influences – macro factors

TOPIC 1
ENTERPRISE RISK MANAGEMENT IN CONTEXT

Topic contents

Lesson 1: Introduction
Lesson 2: Corporate governance

Aim

At the end of this topic, you should be able to demonstrate your knowledge of, discuss
and interpret risk, risk management and ERM in an overall context and assess corporate
governance in a risk-related context.

Learning outcomes

After studying this topic, you should be able to:


• Define ERM and discuss its relevance to businesses.
• Analyse and assess corporate governance in a risk-related context.
• Compile an ERM implementation strategy for an enterprise.

OVERVIEW
Following disasters such as Enron in December 2001, WorldCom in July 2002, the global
financial crisis of 2007/2010 and, more recently, the Steinhoff scandal, investors’ trust in
companies decreased and company ethics were widely criticised. With the demand for investment
funds in both developed and developing countries increasing and the barriers to the free flow
of capital decreasing, investors and policy-makers have recognised that corporate governance
is necessary to attract both foreign and domestic capital.

The lack of effective risk management and proper corporate governance has often been
blamed for the collapse of many international and national corporations. Shortcomings in
traditional risk management approaches have thus driven the evolution of enterprise risk
management, or ERM. Current trends and developments that increased the awareness of
risk compelled enterprises to adopt a more holistic and integrated approach to managing
their risks. In this lesson, the concepts of ERM and corporate governance are defined. The
benefits of ERM and corporate governance are highlighted, and a suggested framework for
their implementation is discussed.

LESSON 1
INTRODUCTION

Contents

Aim
Key concepts
Learning outcomes
Learning material
Self-assessment
Summary

Aim

At the end of this lesson, you will be able to provide the background to risk, risk manage-
ment and ERM.

Key concepts

• Risk
• Risk management
• ERM
• Risk diversity
• Risk-taking

Learning outcomes

After studying this topic, you should be able to:


• Define and explain the terms risk, risk management, risk diversity and risk-taking.
• Explain the relationship between risk and opportunity.
• Discuss the objectives of the board.
• Discuss the role of the board, taking the integration of risk management into account.
• Define and discuss the benefits of ERM.
• Describe and discuss the generic structure of ERM.

LEARNING MATERIAL
Lesson 1 deals with chapter 1 of the prescribed book.

1.1 INTRODUCTION
Risk management is an increasingly important business driver, and stakeholders have become
much more concerned about risk. Risk may be a driver of strategic decisions, it may be a
cause of uncertainty in the business, or it may simply be embedded in the activities of the
business. An enterprise-wide approach to risk management enables a business to consider
the potential impact of all types of risks on all processes, activities, stakeholders, products
and services. Implementing a comprehensive approach will result in a business benefiting
from what is often referred to as the “upside of risk”.

The global financial crisis in 2008 demonstrated the importance of adequate risk management.
Since then, new risk management standards have been published; these include
ISO 31000, the COSO ERM Framework and the IRMSA risk reports, which draw together all
developments to provide a structured approach to implementing ERM.

Read

Read the introduction in chapter 1 of the prescribed book.

Activity 1.1

Access the LibGuide on myUnisa and download the latest IRMSA risk report. Identify the
top risks South Africa is facing today. Discuss these risks in the discussion forum.

1.2 RISK DIVERSITY


As businesses strive to create value for their shareholders, they need to understand what
risks to take and which to avoid. As businesses grow, they are continuously exposed to more
significant, complex, diverse and dynamic risks. Therefore, the range of threats that organisations
need to manage has increased dramatically. Because of the diversity of risk exposures,
risk management requires a broader approach.

Study

Study section 1.1, “Risk diversity”, in chapter 1 of the prescribed book.

1.3 APPROACH TO RISK MANAGEMENT


Traditionally, risk management has been segmented and carried out in silos. However, in view
of the dynamic environment and the evolving nature of risk, businesses encounter new types
of risk while pursuing new business objectives. There is, therefore, a need for an integrated
framework for a holistic approach to risk management. Businesses have increasingly become
exposed to a whole range of risks, including operational, strategic, financial, market, compliance
and regulatory risks. It is clear that an effective risk management function, based on
a broad and integrated framework, is necessary to ensure that all risks are covered. ERM is,
therefore, a response to the inadequacy of a silo-based approach to manage increasingly
interdependent risks (Chapman, 2013). With ERM, risks can be managed or controlled in a
coordinated and integrated way across an entire business.

Study

Study the section “Approach to risk management”, par. 1.2 in chapter 1 of the prescribed
book.

1.4 BUSINESS GROWTH THROUGH RISK-TAKING


Risk-taking refers to the tendency to engage in behaviours that could be harmful or dangerous,
yet at the same time provide the opportunity for some outcome that can be perceived
as positive. Driving fast or engaging in substance use would be examples of risk-taking
behaviour. They may bring about positive feelings in the moment – however, they can also put
you at risk of injury, such as an accident. Likewise, taking and managing risk is the essence
of business survival and growth.

1.5 RISK AND OPPORTUNITY


The effective management of risks and opportunities is increasingly seen as an essential
competitive differentiator, helping businesses achieve success despite difficult economic times.
Businesses continuously explore and develop opportunities to sustain earnings and drive
long-term increases in shareholder value. It is acknowledged that businesses are exposed to
various risks in their daily activities and that it is necessary to take certain risks to maximise
business opportunities. The board has the overall responsibility to operate an active risk and
opportunity management system that ensures comprehensive and consistent management
of all significant risks and opportunities. The benefits of effective risk and opportunity
management include the following:
• Improved cost certainty
• Higher economic returns
• Sustainable shareholder value
• Increased stakeholder confidence
• Reduction of costly disputes and claims

Study

Study section 1.4, “Risk and opportunity” in chapter 1 of the prescribed book.

1.6 THE ROLE OF THE BOARD


The board’s role is to steer the corporation towards corporate governance policies that support
long-term sustainable growth in shareholder value. The board should:

• Eliminate policies that promote excessive risk-taking for the sake of short-term increases
in stock price performance;
• Establish compensation plans that align goals to long-term value creation, taking into
consideration incentive risks;
• Ensure that appropriate risk management systems are in place to avoid excessive risk-taking, and
• Comprise primarily independent, diverse members, as such a composition is helpful in
assessing a business’s risk profile.

Study

Study section 1.5, “The role of the board” in chapter 1 of the prescribed book.

1.7 PRIMARY BUSINESS OBJECTIVE (OR GOAL)


Read

Read the section “Primary business objective (or goal)”, par. 1.6 in chapter 1 of the pre-
scribed book.

1.8 WHAT IS ERM?


ERM is a structured and systematic process that is interwoven with existing management
responsibilities. It provides a framework based on analysing risks and opportunities, with the
ultimate objective of creating value for the shareholders. ERM entails the alignment of an
organisation’s strategy, processes, people, technology and knowledge to meet its risk management
purpose and offers a systematic and integrated way of identifying and responding
to all sources of risk. ERM aims to provide a coherent framework to deal with all risks that
result from operating in the ever-changing economic environment. How does the business
for which you work or for which you would like to work define enterprise risk management?
Does the business have an established risk terminology that is understood throughout the
organisation? Here is a definition of enterprise risk management:

The process by which an organisation identifies, assesses, controls, exploits, finances,
and monitors risks from all sources to increase the organisation’s short- and long-term
value to its shareholders.

Study

Study the section “What is enterprise risk management?”, par. 1.7 in chapter 1 of the
prescribed book.

Activity 1.2

Access the Risk Glossary document that you will find under Additional Resources on
myUnisa and refer to the definition of ERM, which you will find in all 11 official South
African languages. Write down your own understanding of the definition and discuss
this with your fellow students on the discussion forum.

1.9 BENEFITS OF ERM
It is necessary to understand the risks being taken by all types of organisations when seeking
to achieve objectives and attain the desired reward level. Organisations need to understand
the overall level of risk embedded within their processes and activities. They need to recognise
and prioritise significant risks and identify the weakest critical controls. When setting out
to improve risk management performance, the expected benefits of the risk management
initiative should be established in advance. The outputs from successful risk management
include compliance, assurance and enhanced decision-making. Such outputs will provide
benefits in the form of improvements in the efficiency of operations, the effectiveness of
tactics (change projects) and the efficacy of the strategy of the business. The benefits of ERM
include the following:
• Greater likelihood of a business realising its objectives
• Greater confidence among stakeholders and the investment community
• Compliance with relevant legal and regulatory requirements
• Alignment of risk appetite and strategy
• Improved organisational resilience
• Enhanced corporate governance
• The risk process will be embedded throughout the organisation
• Minimisation of operational surprises and losses
• Optimisation of resource allocation
• Identification and management of cross-enterprise risks
• Linkage between growth, risk and return
• Rationalisation of capital
• The capacity to seize opportunities
• Improved organisational learning

Study

Study the section “Benefits of enterprise risk management”, par. 1.8 in chapter 1 of the
prescribed book.

1.10 ERM STRUCTURE


ERM is composed of seven elements, namely: corporate governance, internal control, implementation,
risk management framework, risk management policy, risk management process
and sources of risk.

1.10.1 Corporate governance (board oversight)


Corporate governance is the framework of rules and practices by which a board of directors
ensures accountability, fairness and transparency in a company’s relationship with all its
stakeholders (financiers, customers, management, employees, government and the community).

The corporate governance framework consists of:

• Explicit and implicit contracts between the company and the stakeholders for the
distribution of responsibilities, rights, and rewards;
• Procedures for reconciling the conflicting interests of stakeholders in accordance with
their duties, privileges, and roles, and
• Procedures for proper supervision, control and information flow to serve as a system of
checks and balances.

1.10.2 Internal control (sound system of internal control)


The report of the Committee of Sponsoring Organizations of the Treadway Commission
(COSO), Internal Control–Integrated Framework (2013), explains that internal control is a process,
effected by an entity’s board of directors, management and other personnel, designed
to provide reasonable assurance regarding the achievement of objectives in the following
categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

The aim is to accomplish this by identifying and assessing risks facing the business and
responding to them by either removing them or reducing them or, where it is economical to
do so, transferring them to a third party.

1.10.3 Implementation
Implementation of risk management can be resourced internally or externally. The parameters
of any planned actions need to be mapped, communicated, and agreed upon to understand
the time factor, resources, costs, inputs, and deliverables.

1.10.4 Risk management framework


The risk management framework is a basic conceptual structure used to deal with the risks
faced by an organisation. The purpose of the risk management framework is to assist an
organisation in integrating risk management into its management process so that this becomes
a routine activity. The framework consists of the following five steps:
• Mandate and commitment
• Design a framework
• Implement a framework
• Monitor framework
• Improve the framework

1.10.5 Risk management policy


A risk management policy sets out the way in which the risks that the risk assessment procedure
has identified will be managed and controlled. The risk management policy assigns responsibility
for performing key tasks, establishes accountability with the appropriate managers, defines
boundaries and limits and formalises reporting structures. The policy should cover specific
responsibilities of the board, internal audit, external audit, the risk committee, the corporate
governance committee, the central risk function, employees and third-party contractors in
implementing risk management. A policy statement defines a general commitment, direction
or intention, and a policy on risk management expresses an organisation’s commitment
to risk management and clarifies its general direction or intention.

1.10.6 Risk management process
According to ISO (International Risk Standard) 31000 (2009), a risk management process
systematically applies management policies, procedures, and practices to a set of activities
intended to establish the context, communicate and consult with stakeholders, and identify,
analyse, evaluate, treat, monitor, and review risk.

1.10.7 Sources of risk


A risk source has the intrinsic potential to give rise to risk. A risk source is where a risk
originates – in other words, it is where the risk comes from.

Study

Study the section “Structure” and the diagram showing the ERM structure, par. 1.9 and
figure 1.2 in chapter 1 of the prescribed book.

Self-assessment

(1) Distinguish between risk and uncertainty. Explain the relationship between
risk and opportunity for an organisation such as South African Airways (SAA).
(2) Discuss the role of the board of directors in terms of risk management.
(3) What is ERM?
(4) Draw a fully labelled diagram showing the ERM structure.
(5) Define and explain the terms risk, risk management, risk diversity and risk-taking.

SUMMARY
The purpose of Lesson 1 was to introduce you to ERM by giving you an overview of the course.
It is important to define ERM from a strategic management perspective to ensure that attention
is paid to all risks in an organisation. It should be noted that risk is now more complex,
diverse and dynamic. Whatever strategy boards adopt, they must decide what opportunities,
present and future, they want to pursue and strike a sensible balance between risk and
opportunity. Risk management, therefore, needs to be integrated with the activities of the
board. If applied systematically and methodically, ERM gives rise to a series of clearly recognised
benefits, including an increase in shareholder value. The business case for corporate
governance is discussed in Lesson 2.

LESSON 2
CORPORATE GOVERNANCE

Contents

Aim
Key concepts
Learning outcomes
Learning material
Self-assessment
Summary

Aim

At the end of this lesson, you should clearly understand corporate governance in an
enterprise-wide risk-related context.

Key concepts

• Corporate governance
• King III Report
• The Companies Act 71 of 2008
• Basel III regulation accord
• Financial crisis

Learning outcomes

After studying this topic, you should be able to:


• Define corporate governance.
• Discuss the reasons for implementing corporate governance.
• Explain why corporate governance is important in terms of its impact on the business
areas of enterprises.
• Discuss the history of corporate governance in South Africa.
• Discuss in detail the relevance of the King III/IV Report to risk management.
• Discuss the implications of the King III/IV Code of Governance Principles for South Africa.

LEARNING MATERIAL
Lesson 2 deals with chapter 2 of the prescribed book.

2.1 INTRODUCTION
Although corporate governance is usually unique to each company, it has some universal
elements. Corporate governance controls the internal and external actions of managers,
employees and outside business stakeholders. This framework also sets out the duties, privileges
and roles of board members or directors to ensure that these individuals do not take
advantage of the company’s resources. Companies may also include information on the role
of shareholders in the organisation and their responsibilities for voting on corporate issues.

Corporate governance usually sets out the goals and objectives of each business contract. The
rate of return, length of the contract, individuals who are authorised to approve contracts,
and other obligations are usually included in the corporate governance framework. Corporate
governance also creates a system of checks and balances to govern internal business
departments. The system ensures that no one (in other words, no individual or department)
dominates business decisions or operates outside the company’s mission and values.

Read

Read the introduction in chapter 2 of the prescribed book.

Activity 2.1

Various corporate governance collapses have taken place in South Africa over the past
few years. Identify a corporate scandal and discuss this with your fellow students on
myUnisa. What were the underlying factors that led to the scandal?

2.2 DEFINITION OF CORPORATE GOVERNANCE


Corporate governance refers to the relationships among the management of an organisation,
its board, its shareholders and other relevant stakeholders. It also refers to the specific
responsibilities of boards of directors and management to maintain established relationships.

Study

Study the section “Definition of corporate governance”, par. 2.17 in chapter 2 of the
prescribed book.

Activity 2.2

Access the Risk Glossary document on myUnisa under Additional Resources and refer to
the corporate governance definition, which you will find in all 11 official South African
languages. Write down your own understanding of the definition and discuss this with
your fellow students on the discussion forum.

2.3 THE IMPACT OF CORPORATE GOVERNANCE ON BUSINESS

Corporate governance affects various business areas of an enterprise, as discussed below.

2.3.1 Employing assets efficiently


Effective corporate governance promotes the efficient use of resources within a firm and the
economy at large. When an efficient corporate governance system is in place, debt, equity
and capital flow to enterprises that are capable of investing these resources effectively to
produce the goods and services that are most in demand and have the highest rate of return.
possible. In this context, effective governance helps to grow and protect scarce resources
and to ensure that societal needs are met. Effective governance should make it possible to
replace managers who do not put scarce resources to efficient use or who are incompetent
in what they do.

2.3.2 Attracting lower-cost capital


Effective corporate governance helps enterprises attract lower-cost capital by improving
domestic and international investor confidence and assuring investors that the assets are used
in the form agreed upon, whether the investment is in the form of debt or equity. This has a
positive impact on both debt and equity. For enterprises to succeed in competitive markets,
corporate managers must innovate relentlessly and efficiently and constantly develop new
strategies to meet changing circumstances.

2.3.3 Meeting social obligations: complying with laws and regulations


To succeed in the long term, enterprises must comply with the laws, regulations and expectations
of the societies in which they operate. Most corporations take their corporate citizenship
seriously. Many contribute to alleviating the needs of civil society, although others are
opportunistic and have no regard for social or environmental issues. Good corporate governance is
essential to ensure adherence to legislation as well as corporate social responsibility principles.

2.3.4 Overall performance


If corporate governance is effective, it gives managers a holistic view of the organisation
and holds managers and the board accountable for managing corporate assets. Such accountability
contributes to the efficient use of resources, the attraction of lower-cost capital
and an increase in the responsiveness of the enterprise to society and will therefore lead to
improved corporate performance. Effective corporate governance may not guarantee improved
corporate performance at the individual firm level. However, it should increase the
likelihood of managers focusing on improving the performance of enterprises and of their
being replaced when they fail to do so.

2.4 THE HISTORY OF CORPORATE GOVERNANCE IN SOUTH AFRICA

Over the past few decades the term “corporate governance” has become a buzzword
throughout the world, and it is certainly not new to South Africa. The history of corporate
governance in South Africa can be found in four bodies of knowledge, namely the Companies
Act 61 of 1973, the King I Report on Corporate Governance of 1994, the King II Report on
Corporate Governance of 2002 and the King Code of Governance in South Africa 2009 (King
III). We need to look at the history of corporate governance in South Africa to understand
the relevance of the King II Report.

2.4.1 The Companies Act 61 of 1973*


The Companies Act of 1973 encompassed the following aspects of corporate governance:
• It made provision for the roles, responsibility, accountability, qualification and disqualification of directors.
• It made provision for the liability of directors and shareholders if a company acts unlawfully or in bad faith.
• It specified that the enterprise may not supply the directors, the holding company or subsidiaries with loans.
• It placed limitations on the allocation of share capital to directors.
• It stipulated that directors’ shareholding in an enterprise must be declared.
• It placed limitations on the buying and selling of shares by directors within certain periods.

* The Companies Act of 1973 has been replaced by the Companies Act of 2008. Please
refer to section 2.6 for an explanation of the new Companies Act of 2008.

2.4.2 The King Report on Corporate Governance of 1994 (King I Report)


With increasing recognition of the importance of corporate governance worldwide in the early 1990s, the Institute of Directors (IoD) in Southern Africa appointed Mervyn King, SC, to head the committee on corporate governance. The wider definition of corporate governance was institutionalised by the committee’s findings, together with the aim and purpose of the King I Report, to promote the highest standard of corporate governance in South Africa. The King I Report was unique compared with its counterparts in other countries in terms of the guidelines on financial reporting that it provided and its emphasis on good social, ethical and environmental practices. It advocated an integrated approach that took all stakeholders (not only the shareholders) into consideration for the greater good of society.

2.4.3 The King Report on Corporate Governance of 2002 (King II Report)


In light of legislative developments both locally and internationally, the 1994 King Report was revised and replaced by the second King Report on Corporate Governance for South Africa of 2002. The King II Report moved away from the single-bottom-line principle (i.e. profit for shareholders) to embrace the triple-bottom-line principle, which considers the company’s environmental, economic, and social activities. Besides reporting on their financial performance (single bottom line), corporations must also disclose their social and environmental performances (triple bottom line). This method places greater emphasis on the non-financial indicators. Companies are required to report on the nature and extent of their commitment to social transformation, ethics, and safety, health and environmental management policies and practices. In a company, this is referred to as the “triple bottom line”.

2.4.4 The King Code of Governance in South Africa of 2009 (King III)

King III became necessary because of the anticipated new Companies Act of 2008, which came into effect on 1 May 2011, and changing trends in international governance. The review also came at a time when business ethics and corporate governance were increasingly under the spotlight in view of recent corporate failures and the global economic meltdown. As with King I and II, the King Committee endeavoured to be at the forefront of governance internationally, and this was again achieved by focusing on the importance of reporting annually on how a company has made a positive contribution to the economic life of the community in which it operated during the year under review. In addition, emphasis has been placed on the requirement to report on how the company intends to enhance those positive aspects and eradicate or ameliorate any possible negative impacts on the economic life of the community in which it will operate in the year ahead.

King III recommends that companies generate sustainability reports according to the Global Reporting Initiative’s Sustainability Reporting Guidelines. As of June 2010, companies listed on the Johannesburg Securities Exchange (JSE) are expected to comply with King III.

• The relevance of the King III report to risk management

– Consequences

Placing corporate governance in the spotlight means an automatic increase in an enterprise’s legal, regulatory and reputational risks. Hence, certain legal mechanisms such as the Companies Act of 2008 and the JSE’s listing requirements are used to enforce the King III Report and the Code of Corporate Practices and Conduct. King III applies to all listed companies on the JSE, banks, financial and insurance institutions and some public sector agencies.

The consequences of corporate governance in the King III Report relate closely to how effectively companies enforced the King I Report in 1994. Companies with good corporate governance will attract more foreign investments to finance their growth and will therefore be more competitive in the corporate environment. Good corporate governance contributes to shareholders’ wealth and is a key factor in the investor decision-making process. Investors are willing to pay a premium for good governance for three reasons.
• They believe that the company will perform better over time, which will mean higher share prices.
• It is a way of reducing risk by either avoiding it altogether or coping better with adverse events.
• The focus on corporate governance is a trend, but the reality is that no one wants to be left behind.

– Code of governance principles


Corporate governance principles and practices are dynamic and evolving. A code of governance, which deals with the principles, should be studied with the report in which recommendations for the best practices for each principle are provided. All entities should apply the principles in the code and consider the best practice recommendations in the report. By way of explanation, all entities should make a positive statement about how the principles either have or have not been applied. Such a level of disclosure will allow stakeholders to comment on and challenge the board on the quality of its governance. The application will differ for each entity and is likely to change, as the aspirational nature of the code should drive entities to constantly improve on governance practices. It is essential to understand that the “apply or explain” approach requires more consideration and explanation of what has been done to implement the principles and best practice recommendations of governance.

Each principle is of equal importance, and together they constitute a holistic approach to governance. Consequently, substantial application of a code of governance principles and a report recommending best practices does not achieve compliance. The following governance of risk principles are covered in King III:
• Risk management is inseparable from the company’s strategic business and business processes.
• Management should be responsible for the risk management process. Management is accountable to the board for designing, implementing, and monitoring risk management and integrating it into the company’s day-to-day activities.
• All staff should practise risk management.
• The board should be responsible for the process of risk management.
• The board should approve the company’s chosen risk philosophy.
• The board should adopt a documented risk management plan.
• The board may delegate the responsibility of risk management to a dedicated risk committee.
• Risk assessment should be performed on an ongoing basis.
• The board should approve key risk indicators for each risk, as well as tolerance levels.
• Risk identification should be directed in the context of the company’s purpose.
• The board should ensure that key risks are quantified and are responded to appropriately.
• Internal audit should provide independent assurance on the risk management process.
• The board should report on the effectiveness of risk management.
• The board should ensure that the company’s reputational risk is protected.
• The board should determine the extent to which risks relating to sustainability are dealt with and reported on.
• The board should ensure that information technology (IT) is aligned with business objectives and sustainability.
• The board should consider the risk of the unknown as part of the qualitative and quantitative risk assessment process.
• Compliance should form part of the risk management process.

2.4.5 The King IV Report on Corporate Governance for South Africa of 2016 (King IV)

On 1 November 2016, the IoDSA released the King IV report on Corporate Governance for South Africa. King IV replaces King III in its entirety, and the application of King IV is effective in respect of financial years starting on or after 1 April 2017 (PwC, 2016:2). King IV builds on its predecessors’ positioning on sound corporate governance as an essential element of good corporate citizenship (PwC, 2016:2). According to Deloitte (2016:1), King IV provides a more practical, outcome-based approach to good corporate governance and incorporates global public sentiment and global regulatory changes since the incorporation of King III.

The objectives of King IV are the following:
• Promote corporate governance as integral to running an organisation and delivering governance outcomes such as ethical culture, good performance, effective control and legitimacy.
• Reinforce corporate governance as a holistic and interrelated set of arrangements to be understood and implemented in an integrated manner.
• Broaden the acceptance of King IV by making it accessible and fit for implementation across various sectors and organisational types.
• Present corporate governance as concerned not only with structure and processes, but also with an ethical consciousness and conduct.
• Encourage transparent and meaningful reporting to stakeholders.
(IoDSA, 2016:22)

As you can see from this, King IV has moved away from an “apply and explain” to a more outcome-based approach. The new code has reduced the 75 principles in King III to 17 basic principles. For the purpose of this module, our focus will be on principle 11, which explains the governance of risk. Like King III, King IV focuses on the governance of risk, but the code now recognises the complexity of risks and the need to strengthen risk oversight (IoDSA, 2016:30). One of the significant changes in the recommendation is that the risk committee should comprise a majority of non-executive members as part of the governing body. This recommendation goes beyond what was required in King III (IoDSA, 2016:30).

Principle 11 focuses on the governing body’s process of governing risk to support the organisation in setting and achieving its strategic objectives (IoDSA, 2016:41). The following are recommended practices for the governance of risks based on King IV:
• The governing body should assume responsibility for the governance of risk by setting the direction for how risk should be approached and dealt with in the organisation. Risk governance should encompass both:
– the opportunities and associated risks to be considered when developing strategy; and
– the potential positive and negative effects of the same risks on the achievement of organisational objectives.
• The governing body should approve a policy that articulates and gives effect to its set direction on risk.
• The governing body should treat risk as integral to the way it makes decisions and executes its duties.
• The governing body should evaluate and agree on the nature and extent of the risks that the organisation should be willing to take in pursuit of its strategic objectives. It should approve in particular:
– the organisation’s risk appetite, namely its propensity to take on appropriate levels of risk, and
– the limit of the potential loss that the organisation has the capacity to tolerate.
• The governing body should consider the need to receive periodic independent assurance on the effectiveness of risk management.
• The governing body should exercise ongoing oversight of risk management and in particular, ensure that it results in the following:
– An assessment of risks and opportunities emanating from the triple context in which the organisation operates and the capitals that the organisation uses and affects.
– An assessment of the organisation’s dependence on resources and relationships as represented by the various forms of capital.
– An assessment of the potential upside, or opportunity, presented by risks with potentially negative effects on achieving organisational objectives.
– The design and implementation of appropriate risk responses.
– The integration and embedding of risk management in the business activities and culture of the organisation.

– The establishment and implementation of business continuity arrangements that allow the organisation to operate under volatile conditions and withstand and recover from acute shocks.
• The governing body should delegate to management the responsibility for implementing and executing effective risk management.
• The nature and extent of the risks and opportunities the organisation is willing to take should be discussed without compromising sensitive information.
• In addition, the following should be disclosed in relation to risk:
– An overview of the arrangements for governing and managing risk.
– Key areas of focus during the reporting period, including objectives, the key risks that the organisation faces, and undue, unexpected or unusual risks and risks that are taken outside of risk tolerance levels.
– The actions taken to monitor the effectiveness of risk management and how the outcomes were dealt with.
– Planned areas of future focus.
(IoDSA, 2016:61–62)

Study

Study the following two documents on the RSK2601 LibGuide: “King III at a glance.
Corporate Governance Series” and “A summary of the King IV Report on Corporate
Governance for South Africa, 2016. King IV: An outcomes-based corporate governance
code fit for a changing world”. You will be examined on the content of these documents.

Activity 2.3

Access the IoDSA King IV website on myUnisa, read the web version of the IoDSA King IV
report, and discuss the following questions on the discussion forum: How does King IV
define corporate governance? What are the underpinning philosophies of King IV? Also
discuss principle 11: Risk governance and its recommended practices.

2.5 THE FUTURE OF CORPORATE GOVERNANCE


The effectiveness of corporate governance is a decisive factor in the very survival or demise of enterprises. For South African enterprises to be globally competitive, they must remain abreast of developments in the rest of the world and take corporate governance and the King report to heart. Good governance equals good business.

Good corporate governance is largely the responsibility of corporate citizens. For an enterprise to achieve and aspire to be a good corporate citizen, it has to empower the board of directors to:
• disclose all practices and understand the importance of a relationship between the board and the community;
• report annually on social, transformation, safety, ethics, health and environmental management policies and practices;
• report on HIV/AIDS strategic plans and policies;
• disclose its formal procurement policies;
• develop and implement a clearly stated code of ethics, and
• implement the above by complying with the principles of reliability, relevance, clarity, comparability, timeliness and verifiability.

Risk management is applied by defining a company’s risk tolerance, related strategies and policies and by reviewing their effectiveness on an ongoing basis so that the objectives are clearly defined. Reviewing processes are essential for identifying opportunity areas where effective management can be turned into competitive advantages. Risk management goes far beyond simply controlling financial risks. The reputation and future survival of an enterprise are also at stake – that is why enterprises have to ensure that corporate governance pertaining to risk management is transparent and disclosed to all stakeholders.

2.6 CORPORATE GOVERNANCE: ADDITIONAL INFORMATION

Introduction

Effective corporate governance practices are essential for the achievement and maintenance of public trust and confidence, which is critical to the proper functioning of the economy as a whole. Poor corporate governance may contribute to organisational failures, which can give rise to high public costs and consequences due to their potential implications for the broader macro economy.

There are a number of definitions of corporate governance. For instance, the UK Cadbury Commission Report on Corporate Governance of 1992 gives the following definition: “Corporate governance is concerned with balancing economic and social goals and between individual and communal goals. The governance framework is there to encourage the efficient use of resources and equally to require accountability of the stewardship of these resources. The aim is to align as nearly as possible the interests of individuals, corporations and society.”

The OECD Principles of Corporate Governance (2004) states: “Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the company’s objectives are set, and the means of attaining those objectives and monitoring performance are determined.”

It is clear from these definitions that corporate governance is the practice by which organisations are managed and controlled.

The process includes:
• The creation and ongoing monitoring of a system of checks and balances to ensure a balanced exercise of power within the organisation.
• The implementation of a system to ensure an organisation’s compliance with its legal and regulatory obligations.
• The implementation of processes whereby risks to an organisation’s business sustainability are identified and agreed upon within agreed parameters.
• The development of practices that make and keep the company accountable to the broader society in which it operates.

The South African framework

Introduction

Corporate governance in South Africa was institutionalised by the publication of the King Report on Corporate Governance in 1994. The King Committee on Corporate Governance was formed in 1992 under the auspices of the Institute of Directors to consider corporate governance, of increasing interest worldwide, in the context of South Africa. The purpose of the King Report of 1994 was to promote the highest standards of corporate governance in South Africa.

The King Report was updated in 2001, and a third report was published in 2009. The new Companies Act and changes in international governance trends necessitated the third report on corporate governance in South Africa.

Extracts from the code relevant to this course that we will be discussing below are the governance of risk, the audit committee, compliance with laws and internal audit.

Governance of risk

• The board’s responsibility for risk governance
– The board should be responsible for the governance of risk
– The board should determine the levels of risk tolerance
– The risk committee or audit committee should assist the board in carrying out its risk responsibilities
• The board should delegate to management the responsibility for designing, implementing and monitoring the risk management plan
• Risk assessment
– The board should ensure that risk assessments are performed continually
– The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks
• The board should ensure that management considers and implements appropriate risk responses
• The board should ensure continual risk monitoring by management
• The board should receive assurance regarding the effectiveness of the risk management process
• The board should ensure that there are processes in place making complete, timely, relevant, accurate and accessible risk disclosure to stakeholders possible

Audit committees

• The board should ensure that the company has a practical and independent audit committee.
• Membership and resources of the audit committee
– Audit committee members should be suitably skilled and experienced independent non-executive directors
– An independent non-executive director should chair the audit committee
• Responsibilities of the audit committee
– The audit committee should oversee integrated reporting
– The audit committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities
• Internal assurance providers
– The audit committee should satisfy itself regarding the expertise, resources and experience of the company’s finance function
– The audit committee should be responsible for overseeing internal audit
– The audit committee should be an integral component of the risk management process
• The audit committee is responsible for recommending the appointment of the external auditor and overseeing the external audit process
• The audit committee should report to the board and shareholders on how it has discharged its duties

Compliance with laws, rules, codes and standards

• The board should ensure that the company complies with applicable laws and considers adherence to non-binding rules, codes and standards
• The board and each director should have a working understanding of the effect of the applicable laws, rules, codes and standards on the company and its business
• Compliance risk should form an integral part of the company’s risk management process
• The board should delegate to management the implementation of a practical compliance framework and processes

Internal audit

• The board should ensure that there is an effective risk-based internal audit
• Internal audit should follow a risk-based approach to its plan
• Internal audit should provide a written assessment of the effectiveness of the company’s system of internal controls and risk management
• The audit committee should be responsible for overseeing internal audit
• Internal audit should be strategically positioned to achieve its objectives

The New Companies Act

Governance in companies in South Africa is also a legal requirement as per the Companies Act 71 of 2008. The Act came into effect in May 2011. Relevant aspects of the Act will be discussed below.

The purpose of the Act is to:

• promote compliance with the Bill of Rights, as provided for in the Constitution, in the application of company law
• promote the development of the South African economy by:
– encouraging entrepreneurship and enterprise efficiency
– creating flexibility and simplicity in the formation and maintenance of companies
– encouraging transparency and high standards of corporate governance as appropriate, given the significant role of enterprises within the social and economic life of the nation
• promoting innovation and investment in the South African markets
• reaffirming the concept of the company as a means of achieving economic and social benefits
• continuing to provide for the creation and use of companies in a manner that enhances the economic welfare of South Africa as a partner within the global economy
• promoting the development of companies within all sectors of the economy, and encouraging active participation in economic organisation, management and productivity
• creating optimum conditions for the aggregation of capital for productive purposes, and for the investment of that capital in enterprises and the spreading of economic risk
• providing for the formation, operation and accountability of non-profit companies in a manner designed to promote, support and enhance the capacity of such companies to perform their functions
• balancing the rights and obligations of shareholders and directors within companies
• encouraging the efficient and responsible management of companies
• providing for the efficient rescue and recovery of financially distressed companies in a manner that balances the rights and interests of all relevant stakeholders
• providing a predictable and effective environment for the efficient regulation of companies

Board of directors

The Act provides for the business and affairs of a company to be managed by, or under, the direction of a board of directors. The board has the authority to perform any of the company’s functions except to the extent that the Companies Act or Memorandum of Incorporation provides otherwise.

A private company or personal liability company requires at least one director, while a public company or a non-profit company requires at least three directors. The minimum number of directors may be increased in a company’s Memorandum of Incorporation.

The Memorandum of Incorporation may also provide for:
• the direct appointment or removal of one or more directors by any person who is named in or determined in terms of the Memorandum of Incorporation
• a person to be an ex officio director, as a consequence of holding an office, title, designation or similar status
• the appointment or election of alternate directors

Shareholders of profit companies (other than state-owned entities) elect at least 50% of directors and at least 50% of any alternate directors.

Board committees

The board of a company may establish any number of committees and delegate to such committees any board function. Unless the Memorandum of Incorporation, or a resolution establishing a committee, provides otherwise, the committee may include persons who are not directors of the company. However, such persons are not entitled to vote on a matter to be decided by the committee.

The board committees may consult with or receive advice from any person and have the board’s full authority in respect of a matter referred to it.

The number of board committees will depend on the complexity and industry of the company. Banks, for example, can have a credit committee, operational risk committee and an audit committee. Smaller companies can manage the situation differently by including the risk functions as part of the audit committee or the main board.

Audit committees

A public company, state-owned enterprise or other company that has voluntarily determined to have an audit committee must elect an audit committee at each annual meeting.

The audit committee must have at least three members unless the company is a subsidiary of another company with an audit committee that will perform the audit committee functions on behalf of that subsidiary.

Each member of the audit committee must be a director of the company. A member of the audit committee must not be:
• involved in the day-to-day management of the company, or have been so involved at any time during the previous three financial years
• a prescribed officer or full-time executive employee of the company, or have been such at any time during the previous three financial years
• a material supplier or customer of the company, such that a reasonable and informed third party would conclude in the circumstances that the integrity, impartiality or objectivity of that director is compromised in that relationship
• related to any person described above

The duties of the audit committee include:
• nominating an auditor that the audit committee regards as independent
• determining the audit fee
• ensuring that the appointment of the auditor complies with the Companies Act and other relevant legislation
• determining the nature and extent of non-audit services
• pre-approving any proposed agreement with the auditor for the provision of non-audit services
• preparing a report to be included in the annual financial statements describing how the committee carried out its functions, stating whether the auditor was independent, and commenting on the financial statements, accounting practices and internal financial control measures of the company
• receiving and dealing with relevant complaints
• making submissions to the board regarding the company’s accounting policies, financial controls, records and reporting
• any other function designated by the board

The Act requires the audit committee to prepare a report for inclusion in the financial statements describing how the audit committee carried out its functions, stating its level of satisfaction with the external auditor’s independence and providing comment on the financial statements, accounting practices, and internal controls of the company. The ambit of the audit committee also extends to the receipt of and dealing with any complaints relating to the accounting practices and internal audit of the company, content or auditing of the company’s financial statements, internal financial controls of the company, or any other related matter.

The board may also delegate other functions to the audit committee, including developing and implementing a policy and plan for a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes within the company.

Study

Study the section “Corporate governance: additional information”.

Self-assessment

(1) Define corporate governance and discuss its impact on businesses.


(2) Discuss, giving examples, why the implementation of corporate governance has become
a requirement for businesses in South Africa and globally.
(3) Briefly discuss the history of corporate governance in South Africa.
(4) Discuss the principles of good corporate governance as identified by the King III Report.
(5) Refer to the King IV Report on the RSK2601 LibGuide and identify the 17 principles of the
King IV Report.

SUMMARY
In Lesson 2 we examined corporate governance and the implications of the principles contained in the King III and King IV Reports. The next topic deals with the seven core risk management stages in the risk management process to implement ERM in a business.

TOPIC 2
ENTERPRISE RISK MANAGEMENT

Topic contents

Lesson 3: ERM – Establishing the context


Lesson 4: The ERM process

Aim

At the end of this topic, you will be able to identify and describe the seven risk management stages in the ERM process to implement ERM in a business.

Learning outcomes

After studying this topic, you should be able to:


• Identify and describe the ERM process for all seven stages.
• Identify and discuss the process mechanisms in the ERM process for all seven stages.
• Identify and explain the ERM process activities for all seven stages.
• Explain the concepts of establishing the context, risk identification, risk analysis, risk
evaluation, risk treatment, review and monitor, communications and consultation.

OVERVIEW
In this topic we will discuss the seven stages in the ERM process (see Figure 1). According to ISO 31000, as discussed in Topic 1 (1.10.6), ERM systematically applies management policies, procedures, and practices to a set of activities intended to establish the context, communicate and consult with stakeholders, and identify, analyse, evaluate, treat, monitor, and review risk. Each of these stages will be discussed in detail to give you a clear understanding of how the entire ERM process works in a business context.


FIGURE 1: ERM process

Does the organisation in which you work or in which you would like to work have an
enterprise risk management process? Here is a definition of the risk management process:

A risk management process is one that systematically applies management policies,
procedures, and practices to a set of activities intended to establish the context,
communicate and consult with stakeholders, and identify, analyse, evaluate, treat, monitor,
and review risk (ISO 31000, 2009).

Activity

Access the Risk Glossary document on myUnisa under Additional Resources and refer to
the risk management process definition, which you will find in all 11 official South African
languages. Write down your own understanding of the ERM process and discuss this with
fellow students on the discussion forum.

LESSON 3
ERM: Establishing the context

Contents

Aim
Key concepts
Learning outcomes
Learning material
Self-assessment
Summary

Aim

At the end of this lesson, you will be able to identify and discuss Stage 1 of the ERM
process. Establishing the context will help you gain an understanding of the background to
the business and business activities, processes or projects.

Key concepts

SWOT analysis¹
PEST analysis²
Business plan
Financial statements ratios

Learning outcomes

After studying this topic, you should be able to:


• Identify and explain the business process for establishing the context.
• Discuss the four process mechanisms for establishing the business context.
• Identify and discuss the process activities.

LEARNING MATERIAL
Lesson 3 deals with chapter 8 of the prescribed book. This section will discuss Stage 1 of the
ERM process.

¹ SWOT is an acronym for strengths, weaknesses, opportunities and threats.
² PEST is an acronym for political, economic, social and technological.


FIGURE 2: Stage 1

3.1 ESTABLISHING THE CONTEXT: STAGE 1


Stage 1 of the ERM process entails establishing the context. It provides the foundation for all
the other stages in the ERM process. Establishing the context involves the entire business as
well as the business activities, processes and projects. This stage is used to acquire accurate
data and information about the entire business. Refer to pars. 8.1 to 8.3 in the prescribed book.

Read

Read the sections “Process inputs” and “Process outputs”, pars. 8.4–8.5 in the prescribed
book.

The ERM process can be either regulated or constrained by the culture of business risk
management, resources and plan. A business needs to take note of the factors that can influence
the risk management process.

Study

Study the section “Process controls (constraints)”, par. 8.6 in chapter 8 of the prescribed book.

3.2 PROCESS MECHANISMS


Specific process mechanisms are used during the first stage to obtain information about
the business. These process mechanisms are financial analysis tools, the risk management
process diagnostic, SWOT analysis and PEST analysis.

3.2.1 Financial analysis tools (ratios)


Financial ratios are used to examine the financial position and performance of a business.
These ratios are used for planning, evaluation, and control purposes to determine a business’s
financial standing and aid in the risk analysis process.

3.2.2 Risk management process diagnostic


Some difficulties may be experienced when risk management processes need to be implemented
in a business. A risk management process must be implemented through the support of the
whole business and over an extended period. Risk management processes that have already
been put in place must constantly be reviewed to establish the effectiveness of the business.

3.2.3 SWOT analysis

The overall performance of a business must be reviewed by looking at the business strengths,
weaknesses, opportunities and threats; this is also known as the SWOT analysis.

3.2.4 PEST analysis


The growth of the business is also an aspect to analyse when looking at the business in its
full context. PEST stands for “political, economic, social and technological factors”, and the
PEST analysis can be used to analyse the market in which the business operates.

Study

Study the section “Process mechanisms (enablers)”, par. 8.7 in chapter 8 of the prescribed
book.

3.3 RISK STUDY PROCESS ACTIVITIES


Certain activities need to be undertaken in order to construct a high-level process map of
the business activities or risk breakdown structure to aid in the other stages of the risk
management process. These activities are discussed below.

3.3.1 Clarifying and recording the business objectives


The business objectives will be the criteria against which the success of the business strategy
will be measured.

3.3.2 Understanding the business plan


The business plan should show how the business would achieve its objectives by looking at
all the factors that might have an impact on the business.

3.3.3 Examining the industry in which the business operates


It is essential to understand that a business can operate within a very active competitive
market. A business must know its industry and the risks associated with that specific industry.

3.3.4 Establishing the business processes


A process map is used as a communication tool to assist a business in better understanding
the processes by which it operates. Refer to the business process definition in par. 8.8.4 of
the prescribed book.

3.3.5 Evaluate the projected financial statements


It is important to understand the business’s financial statements, because these will show the
financial position of the business and its future position. They will indicate what resources need
to be used or introduced to achieve an excellent financial position and growth in the business.

3.3.6 Resources available

A business must use its resources to the most competitive advantage in the market. If
resources are used effectively, the business can achieve a greater return on its capital employed.

3.3.7 Change management


A business must understand that change is unavoidable and that the business must change
processes in the best possible way to achieve the best possible solution.

3.3.8 Marketing plan of the business


One of the dissolving factors in a business is its competitors. Competitor analysis needs to
be conducted to determine the business’s competitive advantage in the industry/market.


A business must react to a competitor quickly due to the wide variety of information flows
and technology used in marketing techniques.

3.3.9 The compliance system


The regulatory framework in which a business operates must be embedded in the business
operations. The business must also comply with the regulatory framework.

Study

Study the section “Process activities”, par. 8.8 in chapter 8 of the prescribed book.

Activity 3.1
Identify and discuss the context of the organisation for which you work or for which you
would like to work and compare your answer with those of your fellow students on the
discussion forum.

Self-assessment

(1) Discuss SWOT and PEST analysis.


(2) List the three questions that need to be asked to understand the risks a business is facing
within an industry.
(3) List the elements of competitor analysis.

SUMMARY
The purpose of Lesson 3 was to discuss Stage 1: Establishing the context in the ERM
process. The lesson provided a high-level overview of the factors that need to be considered
and evaluated in business before embarking on the other stages in the ERM process. Stage
1 will assist in determining the sources of risks and the participants in the risk
identification process. The second stage: Risk identification in the ERM process, will be
discussed in the next lesson.

LESSON 4
THE ERM PROCESS

Contents

Aim
Key concepts
Learning outcomes
Learning material
Self-assessment
Summary

Aim

At the end of this lesson, you will be able to explain stages 2 to 7 of the ERM process.
You will gain a clear understanding of the interrelationships between the stages in the
implementation of the ERM process.

Key concepts

Capital asset pricing model (CAPM) analysis


Communication
Gap analysis
Net present value
Probability
Risk appetite
Risk register
Risk retention
Scenario analysis

Learning outcomes

After studying this topic, you should be able to:


• Identify and describe the ERM process for all six stages.
• Describe and discuss the process mechanisms in the ERM process for all six stages.
• Describe and explain the ERM process activities for all six stages.
• Explain the concepts of risk identification, risk analysis, risk evaluation, review and
monitor, communications and consultation, risk appetite, risk response strategies, and
internal and external communication.
• Distinguish between key risk indicators and key performance indicators.

LEARNING MATERIAL
Lesson 4 deals with chapters 9 to 14 of the prescribed book. We will discuss the remaining
six stages (Stages 2 to 7) in the ERM process.

FIGURE 3: Stage 2 to 7

4.1 RISK IDENTIFICATION: STAGE 2


Risk identification is a crucial step in the ERM process. As we discussed in Lesson 3, a
business needs to understand the business activities and context. During the second stage, it
is crucial to identify the risks in the business and understand how they fit into the overall
business context.

Through risk identification, the business will identify the key risks and risk events. The
business will constantly change and grow, and so will the risks associated with it. The business
will need to constantly identify risks and identify the opportunities that may arise to achieve
its objectives and mitigate risks that may reduce the likelihood of the business achieving its
objectives. Risk can also be based on two primary outcomes, namely the upside and downside
of risk. Refer to pars. 9.1 to 9.3 in the prescribed book.

Read

Read the sections “Process inputs” and “Process outputs”, pars. 9.4–9.5 in the prescribed book.

The process inputs will deal with assumptions, business analysis, uncertain events, lessons
learnt and issues relating to the risk identification process. The process output will be the
risk register. A risk register is a tool that a business can use to compile a list of all the risks
identified in the business and categorise each one according to impact, probability, risk
owner and countermeasures.

Refer to par. 9.6 in the prescribed book to learn more about the factors that can influence or
place constraints on the risk identification process.

4.1.1 Process mechanisms for Stage 2: Risk identification

Specific process mechanisms are used in the second stage to identify risks in the business.
In this section we will briefly discuss some of these mechanisms so that you will have an
indication of how the risk identification process could be approached.
• Risk checklist
A risk checklist is used to list all the risks identified during previous projects within the
business.

• Risk prompt list
A risk prompt list is a list categorising each risk into a type or area. By means of this list,
the business will identify the main categories of risks experienced within the business.

• Gap analysis
Gap analysis can be used to identify the main risks linked to a certain activity or project
carried out by the business. This method will help the business to establish where the gap
is in the risk associated with the activity or project so that either proactive or reactive risk
measures can be established.

• Risk taxonomy
A risk taxonomy can take the form of a structured checklist to break down the risks and
opportunities into manageable components, which then can be aggregated for exposure
measurement, reporting and management. This method is used in the risk taxonomy of
software development. Refer to Table 9.1 in chapter 9 of the prescribed book.

• PEST analysis
The business can also use PEST analysis in the identification stage to quantify the risk
exposure of the business to its external environment. The business can conduct this analysis
during a workshop or brainstorming session.

• SWOT analysis
A SWOT analysis is an easy and understandable method allowing a business to identify
the risks it faces and the opportunities available to it.

• Database
A risk database can be used to capture all the information relating to each risk identified
and is an effective way to monitor all the risks and actions taken to manage them.

• Business risk breakdown structure
A breakdown structure for business risk is used to identify all the sources of risk within
projects and activities in the business.

• Risk questionnaire
A risk questionnaire is used when a business needs to establish the concerns and risks
that arise in a business project/activity through the various stages. The completion of the
questionnaire will show how business employees respond to risk.

• Risk register
A risk register is used to capture information constantly and simplify communication
regarding the risks in a business project/activity. Refer to Table 9.2 in chapter 9 of the
prescribed book.

Study

Study the section “Process mechanisms (enablers)”, par. 9.7 in chapter 9 of the prescribed
book.

4.1.2 Process activities for Stage 2: Risk identification


In the risk identification process, the activities required are the tasks that are necessary to
capture risk or uncertainty, and record the risks in a log, list or risk register. The following
activities need to be carried out:
• Clarifying the business objectives
The objectives of the business must be clear and understandable so that the risk
identification process will make it possible to identify the threats or opportunities that may
arise from the business objectives.

• Reviewing the business analysis
The business activities (as described in Lesson 3) which have been identified in Stage 1:
Establishing the context of the risk management process must be reviewed and examined
for sources of risk and opportunities.

• Need for risk and opportunity identification
A business needs to understand the importance of identifying risks. A structured method
of risk identification must be implemented so that consistent risk management can take
place.

• Risk and opportunity identification
For the risk and opportunity identification process to be effective, all the stakeholders
must support it.

• Facilitation
It is essential to have techniques that can be applied to identify the risks and opportunities
to suit every circumstance. Facilitation needs to take place through interactive workshops
to inform the business about how to identify the risks. The responsibilities of a facilitator
in an interactive workshop are depicted in Figure 4 below.

A facilitator can adopt one of the following nine techniques in an interactive workshop:
• Brainstorming
• Structured or Semi-Structured Interviews
• Nominal Group Technique
• Scenario Analysis
• Delphi Technique
• Cross Impact Method
• Systems Dynamics
• Risk Meta-language
• Implementation

FIGURE 4: Facilitator responsibilities

• Gaining consensus on the risks, the opportunities and their interdependencies
Gaining consensus on the risks and opportunities is essential so that the business can
assign risks to risk owners and managers in the risk management process.

• Risk register
A risk register will be drafted after all the process activities have been carried out. The risk
register can be used as a proactive tool in the risk identification process.

Study

Study the section “Process activities”, par. 9.8 in chapter 9 of the prescribed book.

SUMMARY (STAGE 2)
The risk identification process can be implemented to identify risks and opportunities that
may arise in the business. If a business cannot identify risk, it will not be able to manage risk.
As mentioned above, Stage 2 will form the foundation for the remaining five stages. The
next section deals with Stage 3: Risk analysis.

4.2 RISK ANALYSIS: STAGE 3


The risk analysis stage will provide information on the likelihood of risks and opportunities
occurring and their impact, in this way assisting in the decision-making process. During the
risk analysis process, all the risks identified in the risk register will be assessed. Ample time
should be allowed for conducting the risk analysis stage. Refer to pars. 10.1 to 10.3 in the
prescribed book.

Read

Read the sections “Process inputs” and “Process outputs”, pars. 10.4–10.5 in the prescribed
book.

The process inputs in the risk analysis process will consist of risk study parameters, including
risk identification, risk recording, profit and loss account assessment, balance sheet assessment
and industry betas.³ The process outputs will be the risk register, including the assessment,
which shows the probability and impact of each risk and opportunity.

Refer to par. 10.6, read in conjunction with par. 8.6 of the prescribed book, regarding all the
factors having an impact on or limiting the risk analysis process.

4.2.1 Process mechanisms for Stage 3: Risk analysis


Probability is the main process mechanism used in the risk analysis process. Probability is
shown on a scale of 0 to 1. If there is no chance of an event occurring, the probability will be
0, and if there is a chance of the event occurring, the probability will be 1. Refer to Table 1
for an example of probability.
TABLE 1: Probability example

When you flip a coin, it can land either heads up or tails up. Thus, there is a 50% chance of
either of the positions occurring – a 0.5 probability chance of landing heads up and a 0.5
probability chance of landing tails up, because the probability must add up to 1.

A business needs to understand probability. For example, a business can apply to be
considered for a contract appointment to render a service to another organisation. This
particular business is one of four businesses that tendered for the contract. Thus, each
business has a probability of 25% of being successful in obtaining the contract. A business will
need to decide which probability distribution method and probability impact matrix to use in
the risk analysis stage. Refer to the example in par. 10.7.1 in the prescribed book.

Study

Study the section “Process mechanisms (enablers)”, par. 10.7 in chapter 10 of the prescribed
book.

4.2.2 Process activities for Stage 3: Risk analysis


In the risk analysis process, the activities that need to take place are the tasks necessary to
capture the likelihood of the risk occurring and its impact so that this can be recorded in the
risk register. The following activities need to be carried out:

• Causal analysis
The causes of any risk must be identified. The business needs to learn from past events in
order to implement risk management measures for future events. Refer to Figure 10.4 in
the prescribed book for the leading causes of the event diagram, identifying the
relationships and categories of risks.

³ Beta is used to measure the non-diversifiable risk element for a particular share in
relation to the market as a whole.

• Decision analysis and influence diagrams
Decision analysis is used to structure decisions, uncertain/chance events and values of
outcomes. The influence diagram can assist in the development and understanding of
the risks and the actions to be taken in the decision-making process. This analysis will
provide a framework for the decisions, events, management of problems, reduction of
large volumes of data and sensitivity analysis in the business. Refer to Figures 10.5 and
10.6 in the prescribed book.

• Pareto analysis
Pareto⁴ analysis is used to identify those risks that will have a notable impact on business
projects/activities and objectives. This analysis will rank and order the risks according to
their impact so that the business can manage the high risks accordingly.

• Capital asset pricing model (CAPM) analysis
The CAPM is used to determine the expected return of an asset in relation to its risk or
risk profile. The higher the risk, the higher the return will be for investment. Market risk is
measured by its beta in the model. Refer to the section “Required rates of return” in par.
10.8.4 of the prescribed book.

• Define risk evaluation categories and values
It is essential to conduct qualitative and quantitative assessments in the risk analysis process.
Qualitative assessments explain the impact of the risks, whereas quantitative assessment
consists of numeric assessments, including financial and timing risks. It is best to manage
the most severe risks that the business has identified.

Study

Study the section “Process activities”, par. 10.8 in chapter 10 of the prescribed book.
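
The risk register and the Pareto ranking described for Stages 2 and 3 can be combined as follows. This is an added Python example, not taken from the study guide or the prescribed book; the register entries are constructed, and scoring exposure as probability × impact is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk register row: impact, probability, risk owner and countermeasure."""
    risk_id: str
    description: str
    owner: str
    probability: float   # likelihood on the 0-to-1 scale
    impact: float        # estimated loss in rand if the risk occurs
    countermeasure: str

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.risk_id}: probability must lie between 0 and 1")
        if self.impact < 0:
            raise ValueError(f"{self.risk_id}: impact must not be negative")

    @property
    def exposure(self) -> float:
        # Assumption: quantitative exposure is scored as probability x impact.
        return self.probability * self.impact


# Constructed sample register; every value is illustrative.
REGISTER = [
    Risk("R1", "Key supplier fails", "Procurement manager", 0.60, 7_000_000, "Second supplier"),
    Risk("R2", "Customer data breach", "IT manager", 0.40, 10_000_000, "Access controls"),
    Risk("R3", "Exchange rate loss", "Financial manager", 0.20, 2_500_000, "Forward cover"),
    Risk("R4", "Regulatory fine", "Compliance officer", 0.10, 3_000_000, "Compliance review"),
    Risk("R5", "Project overrun", "Project manager", 0.25, 1_000_000, "Stage gates"),
    Risk("R6", "Staff turnover", "HR manager", 0.50, 400_000, "Retention plan"),
    Risk("R7", "Equipment breakdown", "Operations manager", 0.20, 1_000_000, "Maintenance plan"),
    Risk("R8", "Late debtor payments", "Credit controller", 0.30, 500_000, "Credit checks"),
    Risk("R9", "Warehouse fire", "Facilities manager", 0.10, 1_000_000, "Insurance"),
    Risk("R10", "Product recall", "Quality manager", 0.05, 2_000_000, "Batch testing"),
]


def rank_by_exposure(register):
    """Order the register from the highest exposure to the lowest."""
    return sorted(register, key=lambda risk: risk.exposure, reverse=True)


def pareto_vital_few(register, threshold=0.80):
    """Return the smallest top-ranked group of risks whose combined exposure
    reaches `threshold` of the total, together with the share it covers."""
    total = sum(risk.exposure for risk in register)
    if total == 0:
        return [], 0.0
    selected, running = [], 0.0
    for risk in rank_by_exposure(register):
        selected.append(risk)
        running += risk.exposure
        if running / total >= threshold:
            break
    return selected, running / total


def report(register):
    """Build a text report that flags the risks to manage first."""
    vital, share = pareto_vital_few(register)
    vital_ids = {risk.risk_id for risk in vital}
    lines = [f"{'ID':<4} {'Owner':<20} {'P':>5} {'Impact':>12} {'Exposure':>12}"]
    for risk in rank_by_exposure(register):
        flag = "  <- manage first" if risk.risk_id in vital_ids else ""
        lines.append(f"{risk.risk_id:<4} {risk.owner:<20} {risk.probability:>5.2f} "
                     f"{risk.impact:>12,.0f} {risk.exposure:>12,.0f}{flag}")
    lines.append(f"{len(vital)} of {len(register)} risks carry {share:.0%} of total exposure")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(REGISTER))
```

In this constructed register, two of the ten risks carry just over 80% of the total exposure, which is the pattern the Pareto principle in footnote 4 describes.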

SUMMARY (STAGE 3)
Stage 3 involves risk analysis and the assignment of probabilities and impacts on risks and
opportunities. It is essential that all the information obtained in the analysis of all the risks
and opportunities in this stage be recorded in the risk register. In the next section we will
discuss Stage 4: Risk evaluation.

4.3 RISK EVALUATION: STAGE 4


During the risk evaluation stage, the results obtained in the risk analysis stage are evaluated.
Stage 4 will focus on both the risk exposure and opportunity that may arise from business
activity. All the information gathered in the risk analysis process is integrated into the risk
evaluation process. The risk evaluation stage will evaluate the financial impact (loss or gain)
of risk in business in numerical terms. Refer to pars. 11.1 to 11.3 in the prescribed book.

⁴ “Commonly Pareto diagrams reveal that 20% of the risks within an analysis contribute some
80% of the overall risk exposure/impact following the Pareto principle or 80/20 rule, as it is
known” (Chapman, 2013:193).

Read

Read the sections “Process inputs” and “Process outputs”, pars. 11.4–11.5 in the prescribed
book.

The process input in the risk evaluation process will consist of the risk register. The risk
register will illustrate all the risks and risk categories in the business and essential
information such as who the relative risk owner/manager is. The risk register will have more
background information, which can be used in the risk evaluation stage. The process outputs will
consist of the following:
• Sensitivity analysis
• Quantitative schedule and cost risk analysis results
• Decision tree
• Scenario modelling
• Investment model results
• Revised risk register

Refer to par. 11.6 in the prescribed book for information about all the factors that can either
influence or limit the risk evaluation process.

4.3.1 Process mechanisms for Stage 4: Risk evaluation


In this section we will touch briefly on the process mechanisms used in the risk evaluation
process.

• Probability trees
A probability tree is a method used by a business to ensure that all possible outcomes
of a risk event have been taken into account. A probability distribution is a list of possible
outcomes with associated probabilities. Thus, a probability tree will illustrate all possible
probability distributions for a certain risk event. A probability tree can be used to illustrate
both a dependent event and an independent event. The probability of any event (E) is a
number between 0 and 1. Thus, 0 ≤ P(E) ≤ 1,⁵ and the sum of the probabilities of any set
of mutually exclusive (only one event can occur at a time) and non-mutually exclusive (the
events cover all possible outcomes) events equals 1. Read par. 11.7.1 to understand
how a probability tree can be used to calculate the probabilities that may arise from an
independent and a dependent event.

⁵ P represents the population of events.

• Expected monetary value (EMV)
In some cases, the decision outcome of an event can have more than one outcome. In such
an event, the EMV will be calculated using the weighted outcomes, which are calculated
using the probabilities assigned to each outcome, for example, successes/profits and
failures/losses. The theory requires that the probabilities and outcomes be determined.
The EMV will be used to select the decision alternative with the highest monetary value.
Read par. 11.7.2 and understand the examples given to illustrate how the EMV is calculated.

• Utility theory and functions
Utility theory is used when an alternative decision does not necessarily reflect relative
attractiveness to a decision-maker. In terms of the EMV method, the decision alternative that
yielded the largest monetary value was selected, but this decision might not be the one
that the business prefers. Utility theory was adapted in an effort to explain why people
make different decisions from what is suggested by the EMV criterion. It is possible that
business decision-makers may each have a different attitude towards specific outcomes
– utility theory will thus measure personal attitudes towards risk by decision-makers. The
utility function illustrates how the same monetary payoff/outcome might have different
levels of utility for decision-makers. Decision-makers can be classified according to the
following attitudes towards risks (refer to Table 2):

TABLE 2: Risk attitudes⁶

Read

Read par. 11.7.3 in the prescribed book and refer to Figure 11.5 on p. 205 to see an illustra-
tion of the utility function.

• Decision trees
A decision tree is used to illustrate decision problems graphically. A decision tree
consists of a number of decision nodes, with interconnected branches representing the
alternatives for a particular decision. You can see a typical decision tree in Figure 5.

FIGURE 5: Decision tree illustrated graphically

The decision tree is used to determine the decision with the largest EMV.

⁶ Source: Operational Risk Management (Young, 2006:29).
Read

Read par. 11.7.4 in the prescribed book to understand the construction and rolling back
of a decision tree.

• Markov chain
The Markov chain method is used to combine the ideas of probability with those of
matrix algebra. It assumes that the probabilities remain fixed over time, but the system
being used can change from one position to another. These fixed variables will be used
as transition possibilities.

• Investment appraisal
The investment appraisal method is used when a business needs to decide which project
to embark on. These are usually high capital investment projects, and so the business must
decide which of them will be feasible, affordable and successful. The business must consider
the risks as well as the benefits of each project. Four techniques can be used to decide which
project to embark on. These are summarised in Table 3 below.

TABLE 3: Investment appraisal techniques⁷

| Technique | Description |
| --- | --- |
| Average rate of return (ARR) | The ARR is an average annual return expressed as a percentage of the initial cost of the project. |
| Payback period (PP) | The number of years required to recover the initial investment. It considers the timing of cash flows and, therefore, the time value of money. Thus, the payback period should be as short as possible. |
| Net present value (NPV) | The difference between the initial investment amount and the present value of a project’s expected future cash flows, discounted at the appropriate cost of capital. The NPV is a direct measure of the value a project creates for a company’s shareholders. Thus, an investment decision rule states that an investment should be undertaken if its NPV is positive, but not undertaken if it is negative. |
| Internal rate of return (IRR) | The discount rate that makes NPV equal to 0 or the discount rate that makes the present value of investment costs equal to the present value of the benefits of the investments. The IRR rule is an investment decision rule that accepts projects or investments from which the IRR is greater than the opportunity cost of capital. |

⁷ Source: Principles of Managerial Finance (Gitman, 2010:382–396).
Read

Read par. 11.7.6 in the prescribed book and the examples given to understand how a
business can use specific techniques to decide which project to accept.

Study

Study the section “Process mechanisms (enablers)”, par. 11.7 in chapter 11 of the prescribed
book.
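
The EMV criterion, the rolling back of a decision tree and the effect of a risk-averse utility function can be seen together in the following added Python example, which is not taken from the study guide or the prescribed book. The tree, its payoffs (in rand) and the exponential utility function with a risk tolerance of R1 000 000 are assumptions made for illustration; the 25% chance of winning the tender follows the four-bidder example in section 4.2.1.

```python
import math


def leaf(payoff):
    """End of a branch: the monetary outcome in rand."""
    return {"type": "leaf", "payoff": payoff}


def chance(name, branches):
    """Chance node: a list of (probability, child node) pairs."""
    return {"type": "chance", "name": name, "branches": branches}


def decision(name, alternatives):
    """Decision node: a dict mapping each alternative's label to a child node."""
    return {"type": "decision", "name": name, "alternatives": alternatives}


def rollback(node, value_of=lambda payoff: payoff):
    """Roll the tree back from the leaves to the root.

    With the default value_of, the result is the EMV. Passing a utility
    function gives expected utility instead. Returns (value, choices), where
    choices maps every decision node's name to its best alternative.
    """
    choices = {}

    def walk(n):
        if n["type"] == "leaf":
            return value_of(n["payoff"])
        if n["type"] == "chance":
            probabilities = [p for p, _ in n["branches"]]
            if any(not 0.0 <= p <= 1.0 for p in probabilities):
                raise ValueError(f"{n['name']}: each probability must lie between 0 and 1")
            if not math.isclose(sum(probabilities), 1.0, abs_tol=1e-9):
                raise ValueError(f"{n['name']}: branch probabilities must add up to 1")
            # Weighted outcome: each branch value multiplied by its probability.
            return sum(p * walk(child) for p, child in n["branches"])
        if n["type"] == "decision":
            scored = {label: walk(child) for label, child in n["alternatives"].items()}
            best = max(scored, key=scored.get)
            choices[n["name"]] = best
            return scored[best]
        raise ValueError(f"unknown node type: {n['type']!r}")

    return walk(node), choices


def exponential_utility(risk_tolerance):
    """Assumed risk-averse utility function: u(x) = 1 - exp(-x / R)."""
    return lambda payoff: 1.0 - math.exp(-payoff / risk_tolerance)


# Constructed example tree. Losing the tender costs the bid preparation (R100 000).
DELIVERY = decision("Delivery method", {
    "in-house": chance("In-house delivery", [
        (0.7, leaf(3_000_000)),     # delivered as planned
        (0.3, leaf(-1_000_000)),    # cost overrun
    ]),
    "subcontract": leaf(1_200_000),  # smaller but certain margin
})

TREE = decision("Tender for the contract?", {
    "tender": chance("Tender outcome", [
        (0.25, DELIVERY),            # one of four bidders
        (0.75, leaf(-100_000)),
    ]),
    "do not tender": leaf(0),
})


if __name__ == "__main__":
    emv, plan = rollback(TREE)
    print(f"EMV criterion:     {plan}  EMV = R{emv:,.0f}")
    utility, averse_plan = rollback(TREE, exponential_utility(1_000_000))
    print(f"Risk-averse owner: {averse_plan}  expected utility = {utility:.4f}")
```

Both decision-makers tender, but the EMV criterion delivers in-house (EMV of R1 800 000 at that node against R1 200 000), while the risk-averse decision-maker prefers the certain subcontract margin.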

4.3.2 Process activities for Stage 4: Risk evaluation


In the risk evaluation process, the following activities can be carried out:

• Basic concepts of probability
Refer to par. 11.8.1 in the prescribed book to understand the basic principles of probability,
which can be used by a business to measure expected outcomes for mutually exclusive
and non-mutually exclusive events.

• Sensitivity analysis
A business can use the sensitivity analysis method to assess how sensitive the project
outcomes are to changes in the business. The method uses one variable and examines
the effect of that specific variable on the project.

• Scenario analysis
Scenario analysis is a valuable decision-making method for focusing on the consequences
of the combinations of events that the business would have ignored – for instance, an
event that has never happened or is very unlikely to happen. The business can draw up
different views (optimistic and pessimistic scenarios) of an event to get a feel for the
“upside” potential and “downside” risk that could be associated with a project.

• Simulation
Simulation is a method used to analyse financial or time models in instances where the
variables, for example, costs, duration, opportunities or risks, may be uncertain. Simulation
can be used only when a business has statistical software or commercially available
spreadsheets.

• Monte Carlo simulation
Monte Carlo simulation is a method that a business can use to evaluate the effect of
uncertainty on a planned activity in a range of situations. It uses random numbers to sample
from a probability distribution. A business can use this method to evaluate duration,
demand or throughput and costs. Refer to par. 11.8.5 in the prescribed book to understand
how Monte Carlo simulation, percentiles and correlations work, and the benefits of the
Monte Carlo simulation method.

• Latin hypercube sampling
This sampling method is used to accurately recreate the probability distributions
specified by distribution functions and is a more modern method than the Monte
Carlo simulation method.

• Probability distributions defined from expert opinion
Some risk analysis models involve subjective estimates, and so the business needs to
gather further information to gain a better understanding of the analysis.

Study

Study the section “Process activities”, par. 11.8 in chapter 11 of the prescribed book.
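
Sensitivity analysis and Monte Carlo simulation can both be applied to the NPV of a single project, as in the following added Python example, which is not taken from the study guide or the prescribed book. The project figures are constructed, and the triangular distributions built from three-point (low, most likely, high) expert estimates are an assumption.

```python
import random
import statistics

# Constructed base case: R1 000 000 invested, R300 000 a year for 5 years, 10% cost of capital.
BASE_CASE = {"rate": 0.10, "initial_investment": 1_000_000, "annual_cash_flow": 300_000}
YEARS = 5

# Assumed three-point expert estimates for the uncertain variables (rand).
COST_ESTIMATE = {"low": 950_000, "mode": 1_000_000, "high": 1_200_000}
CASH_FLOW_ESTIMATE = {"low": 200_000, "mode": 300_000, "high": 400_000}


def npv(rate, initial_investment, cash_flows):
    """Present value of the future cash flows less the initial investment."""
    present_value = sum(cf / (1 + rate) ** year for year, cf in enumerate(cash_flows, start=1))
    return present_value - initial_investment


def sensitivity(variable, changes=(-0.2, -0.1, 0.0, 0.1, 0.2)):
    """Change one variable at a time and hold the others at the base case.

    Returns a dict mapping each relative change to the resulting NPV.
    """
    if variable not in BASE_CASE:
        raise ValueError(f"unknown variable: {variable!r}")
    results = {}
    for change in changes:
        case = dict(BASE_CASE)
        case[variable] = BASE_CASE[variable] * (1 + change)
        flows = [case["annual_cash_flow"]] * YEARS
        results[change] = npv(case["rate"], case["initial_investment"], flows)
    return results


def _percentile(ordered, q):
    """Nearest-rank percentile of an already sorted list (q between 0 and 1)."""
    return ordered[round(q * (len(ordered) - 1))]


def simulate_npv(runs=10_000, seed=2601):
    """Monte Carlo simulation: sample the cost and each year's cash flow from
    the triangular distributions and recompute the NPV for every run."""
    rng = random.Random(seed)   # fixed seed so that the run can be repeated

    def draw(estimate):
        # random.triangular takes its arguments in the order low, high, mode.
        return rng.triangular(estimate["low"], estimate["high"], estimate["mode"])

    outcomes = []
    for _ in range(runs):
        cost = draw(COST_ESTIMATE)
        flows = [draw(CASH_FLOW_ESTIMATE) for _ in range(YEARS)]
        outcomes.append(npv(BASE_CASE["rate"], cost, flows))
    outcomes.sort()
    return {
        "mean": statistics.fmean(outcomes),
        "p10": _percentile(outcomes, 0.10),
        "p50": _percentile(outcomes, 0.50),
        "p90": _percentile(outcomes, 0.90),
        "prob_loss": sum(1 for value in outcomes if value < 0) / runs,
    }


if __name__ == "__main__":
    print("Sensitivity of NPV to the annual cash flow:")
    for change, value in sensitivity("annual_cash_flow").items():
        print(f"  {change:+.0%}: R{value:>12,.0f}")
    result = simulate_npv()
    print("Monte Carlo simulation (10 000 runs):")
    print(f"  mean NPV R{result['mean']:,.0f}; P10 R{result['p10']:,.0f}; "
          f"P50 R{result['p50']:,.0f}; P90 R{result['p90']:,.0f}")
    print(f"  probability of a negative NPV: {result['prob_loss']:.1%}")
```

The base-case NPV is positive, so the NPV rule in Table 3 would accept the project; the simulation adds how often the NPV turns negative once the cost and the cash flows are allowed to vary.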

SUMMARY (STAGE 4)
The risk evaluation stage is essential, as it helps the business to understand the combined
effect of a group of risks and opportunities. This stage will assist the business in its
decision-making process. Risk evaluation is the only option available to the business for
assessing its exposure to risks and opportunities, and it must be properly implemented. This
brings us to Stage 5: Risk treatment.

4.4 RISK TREATMENT: STAGE 5


The risk treatment stage will help the business to design a specific action plan and produce
strategic responses to the risks and opportunities that it identifies to secure business
objectives. This stage is vital in the risk management process because the risk strategy
responses and action plan must be prepared and implemented effectively in the business. Refer
to pars. 12.1 to 12.3 in the prescribed book.

Read
Read the section “Process inputs and outputs”, pars. 12.4–12.5 in the prescribed book.

The process inputs in the risk treatment process will be the risk register, industry betas, a
description of the business risk appetite, and details of existing insurance policies. The
process outputs will be the risk response (i.e. remove, reduce or transfer) actions.

Refer to par. 12.6 in the prescribed book for information about all the factors that can influ-
190

ence or limit the risk treatment process.

4.4.1 Process mechanisms for Stage 5: Risk treatment


In this section we will briefly consider the process mechanisms used in the risk treatment
process.
• Resolution strategy
The resolution strategy is a technique used by a business to respond to a particular
recurring risk.

• Risk response flow chart
A risk response flow chart illustrates the decision options used to arrive at a risk response
category. The chart will assist decision-makers in a business in determining whether it is
more appropriate to transfer a risk than to remove it. Refer to par. 12.7 in chapter 12 of
the prescribed book.

4.4.2 Process activities for Stage 5: Risk treatment
The process activities in the risk treatment stage assist in transforming the prioritised list
of risks in the business into a concrete plan of action for risk resolution. It is essential to
understand the activities that need to be implemented to design an effective risk action plan.

Study

Study the section “Process activities”, par. 12.8 in Chapter 12 of the prescribed book.

4.4.3 Risk appetite


Risk appetite can also be referred to as risk attitude, tolerance, preference or capacity. It is
the amount of risk a business is prepared to tolerate (be exposed to) at any particular time. A
business’s risk appetite can vary according to its objectives, culture, environment, perceived
financial exposure to certain risks and risk attitudes (risk-neutral, risk-seeking or risk-averse).
A business needs to determine its risk appetite/tolerance and inform its senior managers
about the business risk culture in which it operates. Senior managers must assist the board
in implementing decisions about projects within business risk tolerance levels.

Study

Study the section “Risk appetite”, par. 12.9 in chapter 12 of the prescribed book.

4.4.4 Risk response strategies


A business can use the following risk response strategies in the risk treatment stage:
• Risk reduction
Risk reduction can also be referred to as treatment or mitigation. Risk reduction can be
seen as risk diversification (reduction of risks by distribution), for example, where a
business invests in multiple stocks to reduce risk and the impact of the risk. Two approaches
to reducing risk can be followed, namely:
– reducing the likelihood of a risk occurring, and
– limiting the loss should the risk materialise.

Methods that a business can use to reduce the likelihood of occurrence or the impact of
risk are protection, controls, maintenance and risk spreading.

• Risk removal
Risk removal can also be referred to as avoidance, elimination, exclusion or termination.
Risk removal is used to eliminate a risk when a negative outcome/impact or high-risk
exposure is anticipated. For example, doing business with a country experiencing political
uncertainty may be too risky to make the opportunity worthwhile, so the company will
eliminate the potential for loss by not doing business with that country. When a business
wants to remove risk, factors such as opportunity, business objectives, and costs must be
considered. All three of these concepts must be taken into account. This would happen,
for example, when a business decides either not to introduce a new product or else to
end the production of an existing product and ceases operations carried out in the past.

• Risk reassignment or transfer
Risk reassignment is the strategy used to transfer risk to another entity, business or
organisation. Businesses can use contracts and financial agreements to transfer risk to a third
party. Risk transfer does not reduce the severity of the risk; it merely shifts it to another
party. In some cases transfer can significantly increase the impact of the risk, in instances
where the party to whom it is being transferred is unaware that it is being required to
absorb it. The most common method of risk transfer is insurance, as in that case the
financial consequences of the loss are transferred to the insurance company. When a business
transfers risk, it must consider the parties’ objectives, the ability to manage the risk, risk
context and the cost-effectiveness of the transfer.

• Risk retention
Risk retention is also referred to as acceptance, absorption or tolerance. A business may
find itself in a position where the only option is to accept the risk – for example, risk
removal, reduction and transfer are not available as options, or alternatively it may be more
economical for the business to accept the risk. If the risk-retention strategy is adopted, the
options available, timing and the ability to absorb the risk must be considered.

Study

Study the section “Risk response strategies”, par. 12.10 in chapter 12 of the prescribed book.

SUMMARY (STAGE 5)
The business environment is forever changing. A business must therefore have adequate risk
response strategies in place to manage the risks within reasonable limits. The next stage that
we will be discussing is Stage 6: Monitoring and review.

4.5 MONITORING AND REVIEW: STAGE 6


The risk monitoring and review stage is a key stage in the ERM process. It may become
necessary for a business to review all the previous stages in the risk management process because
new information has become available or circumstances in the business have changed. The
monitoring and review stage must be carried out to increase the success of the implementation
of the entire ERM process. Refer to pars. 13.1 to 13.3 in the prescribed book.

Read

Read the sections “Process inputs” and “Process outputs”, pars. 13.4–13.5 in the prescribed
book.

The process input in the risk monitoring and review stages will be the risk register, which
allows the business to go back to and review all the risks in the register. The process
outputs will be regular updates of the risk register and reports on the effectiveness of the risk
response actions.

Refer to par. 13.6 in the prescribed book, which deals with all the factors that can influence
or limit the risk monitoring and review process.

4.5.1 Process mechanisms for Stage 6: Monitoring and review
Two primary mechanisms can be used during this stage, namely meeting agendas and
proformas. Refer to par. 13.7 in the prescribed book.

4.5.2 Process activities for Stage 6: Monitoring and review


In the risk monitoring and review process, the activities that need to take place are the tasks
that are necessary to ensure that this stage is managed proactively. These process activities
make it possible to execute responses, monitor effectiveness and then intervene to implement
corrective action. The following activities need to be conducted:
• Executing
The business needs to carry out all the actions planned in the risk treatment stage to
respond to risks and opportunities effectively.

• Monitoring
When executing action plans, it is vital to monitor progress to differentiate the movement
in risk exposure. Monitoring is the collection of information about the risk for later use.
The monitoring process must identify the successes achieved in the planned responses
to the risks and opportunities and identify the changes in the business environment,
which might lead to new emerging risks. Thus, the monitoring and review processes
implemented by the business can improve business knowledge on the lessons learnt to
improve the future ERM process.

• Controlling
The controlling process is based on the information gathered during the monitoring
process to inform decision-making. It means that the business must understand who needs
what information, for what purpose and when. In order for a manager to have control,
the control activities must adhere to the following seven specifications:
– Control is a principle of the economy.
– Controls must be meaningful.
– Controls have to be appropriate to the character and nature of the phenomenon
measured.
– Measurements have to be congruent with the events measured.
– Controls have to be timely.
– Controls need to be simple.
– Controls must be operational.

Study

Study the section “Process activities”, par. 13.8 in chapter 13 of the prescribed book.

SUMMARY (STAGE 6)
Stage 6 will assist a business in managing the implementation of responses to identified
risks and opportunities proactively. A business needs to monitor and control the identified
risk response strategies effectively. The risk response strategies must be simple, and the
employees responsible for carrying them out must understand them. In the next section
we will discuss the last stage in the ERM process.

4.6 COMMUNICATION AND CONSULTATION: STAGE 7
The risk communication and consultation stage will be used across all the other ERM process
stages. A business needs to understand how effectively the process outputs of each stage
are communicated and understood by decision-makers. Refer to pars. 14.1 to 14.3 in the
prescribed book.

Read
Read the sections “Process inputs” and “Process outputs”, pars. 14.4–14.5 in the prescribed
book.

The process inputs in the risk communication and consultation process are the risk register,
risk responses, response progress, early warning indicators and key performance indicators
(KPIs). The process outputs will be the risk reports, press releases, internal e-mails, company
internet site, internal newsletters and posters. Refer to par. 14.6 of the prescribed book for
information about all the factors that can influence or limit the risk communication and
consultation process.

4.6.1 Process mechanisms for Stage 7: Communication and consultation


Three primary mechanisms can be used during this stage. They are:
• Generic communication and consultation plan
• Templates for posters and newsletters
• Project database

Read
Read par. 14.7 in the prescribed book.

4.6.2 Process activities for Stage 7: Communication and consultation


During the risk communication and consultation process, the activities that need to occur
are necessary to ensure that the overall risk management process is effective. Refer to par.
14.8 in the prescribed book.

4.6.3 Internal communication


A business must ensure that it implements an effective internal communication and reporting
process/system in order to increase accountability and ownership of risk and opportunity
management. Refer to par. 14.9 in the prescribed book to understand the various
communication processes.

4.6.4 External communication


A business must also ensure that it implements an external communication and reporting
process effectively in order to be able to deliver open and honest information on the risks
faced in the business and how the business responds to these risks. Refer to par. 14.10 in the
prescribed book for information about the various processes to implement.

Study

Study the sections “Internal communication” and “External communication”, pars. 14.9–
14.10 in chapter 14 of the prescribed book.

4.6.5 Key risk indicators vs. key performance indicators


A business must distinguish clearly between key risk indicators (KRIs) and key performance
indicators (KPIs).
• KRIs
KRIs refer to captured information that provides valuable insight into underlying risk
profiles at various levels to assist decision-makers within a business. The four types of KRIs are:
– Inherent or exposure risk indicators
– Control risk indicators
– Composite indicators
– Model risk factors

• KPIs
KPIs are high-level snapshots of the health and performance of a business based on
specific predefined measures, for example, statistical information on the business. The seven
types of KPIs are:
– Statutory KPIs, such as GAAP8 or legal or regulatory requirements
– Profitability per business unit/product/customer
– Exception reporting
– Employee performance, such as assets under management or profit per customer
– Competitiveness, such as market share
– Cost management, such as return on assets (ROA) on IT or new delivery channel
monitoring
– Credit management, such as time to settlement or credit exposure

Activity 4.1

Read the additional information about the four KRIs and the KPIs under Additional
Resources on myUnisa. You will not be tested on this document.

SUMMARY (STAGE 7)
Risk communication and consultation form a link with all the other stages in the ERM
process. The business risk management process must be communicated effectively to all levels
of employees in the business. This step is vitally important because all employees may be
involved in an activity that could directly influence the ERM process. If the employee does
not understand the risk management culture in which the business functions, this could
have disastrous consequences.

8 Generally accepted accounting procedures.

Activity 4.2

Watch the Lego video on myUnisa, and in the discussion forum discuss with your fellow
students how Lego is using ERM in their organisation. Compare their ERM process with
what you have learnt in this lesson.

Self-assessment

(1) Discuss the importance of risk identification in the ERM process.
(2) Facilitation is a necessary process during the risk identification stage. Discuss the
responsibilities of a facilitator.
(3) Discuss probability as a process mechanism for the risk analysis stage.
(4) Draw a graph that illustrates the utility function within the risk evaluation stage.
(5) Define investment appraisal as a component of the risk evaluation stage.
(6) Discuss risk appetite as a risk treatment strategy in a business.
(7) Discuss the seven specifications according to which a manager will implement a control
process in the monitoring and review stage.
(8) Discuss internal and external communication within the ERM process.
(9) Distinguish between key risk indicators and key performance indicators.

SUMMARY
In topic 2 we discussed the seven stages in the ERM process, namely: establishing the
context, risk identification, risk analysis, risk evaluation, risk treatment, monitoring and review,
and communication and consultation. All the stages are interrelated and must be
implemented effectively and communicated within the business if the business is to manage its
risks and opportunities. The next topic will deal with the impact of internal influences – micro
factors – on business.

TOPIC 3
INTERNAL INFLUENCES – MICRO FACTORS

Topic content

Lesson 5: Financial risk management


Lesson 6: Operational risk management
Lesson 7: Technological risk management
Lesson 8: Project risk management
Lesson 9: Business ethics management
Lesson 10: Health and safety management

Aim

At the end of this topic, you will be able to discuss how internal influences can impact a
business’s performance.

Learning outcomes

After studying this topic, you should be able to:


• Identify and discuss the seven most significant financial risks faced by businesses.
• Discuss the elements, attributes and features of operational risk, and describe an
appropriate response strategy.
• Discuss the primary types of technology, sources of risk and possible responses to such
exposure.
• Identify and discuss project risk management and the difficulties associated with
embedding risk management within a project.
• Discuss the key aspects of business ethics to aid in the broader risk management context.
• Discuss health and safety as part of ERM.

OVERVIEW
This topic covers financial risk management, operational risk management, technological risk
management, project risk management, business ethics management, and health and safety
management. Micro risk factors are primarily generated internally, and so can be controlled
by the business itself. See Figure 6 on the next page.

FIGURE 6: Internal influences – micro factors

Does the business for which you work or for which you would like to work identify specific risks
within each primary internal risk class? Does the business consider all of the above micro factors?

Activity

Access the Risk Glossary document on myUnisa under Additional Resources and consult
the definitions of financial, operational, technological, project, business ethics, health,
and safety risks, which you will find in all the official South African languages. Write down
your own understanding of these types of risks and discuss this with fellow students on
the discussion forum.

LESSON 5
FINANCIAL RISK MANAGEMENT

Contents

Aim
Key concepts
Learning outcomes
Learning material
Self-assessment
Summary

Aim

At the end of this lesson, you will be able to identify and discuss the seven most significant
financial risks faced by organisations.

Key concepts

• Financial risk
• Liquidity risk
• Credit risk
• Currency risk
• Funding risk
• Foreign investment risk
• Derivatives

Learning outcomes

After studying this topic, you should be able to:


• Define financial risk.
• Discuss the benefits of financial risk management.
• Discuss the factors influencing the implementation of financial risk management.
• Identify and discuss the different types of financial risks experienced by any business
of your choice.

LEARNING MATERIAL
Lesson 5 is based on chapter 15 of the prescribed book.

5.1 INTRODUCTION
Chapter 15 of the prescribed book examines the first of the six internal processes of ERM,
which is financial risk management. Financial risk is the exposure of an enterprise to adverse
events that erode profitability and, in extreme situations, result in business collapse. Financial
sources of risk can be fatal in that they can bring about the downfall of a business, and they
therefore require a comprehensive management strategy. Through sound financial
management, businesses can evaluate business strategies appropriate to their risk appetite, market
and exposure profile (Chapman, 2013). This lesson focuses on the seven most significant
financial risks any business faces.

5.2 SCOPE OF FINANCIAL RISK


Financial risk entails a variety of sources of risk, which include:
• liquidity risk
• credit risk
• interest rate risk
• currency risk
• funding risk
• foreign investment risk
• derivatives risk
• systems risk
• outsourcing risk

Study

Study the sections “The definition of financial risk” and “Scope of financial risk”, pars.
15.1–15.2 in chapter 15 of the prescribed book.

5.3 BENEFITS OF FINANCIAL RISK MANAGEMENT


Financial risk management affords a business a variety of benefits.

Study

Study the section “Benefits of financial risk management”, par. 15.3 in chapter 15 of the
prescribed book.

5.4 IMPLEMENTATION OF FINANCIAL RISK MANAGEMENT


The development of a sound system of financial risk management will depend on several
factors, such as:
• The development of robust financial systems and internal controls;
• The development of concise, lucid reporting tools;
• The preparation of a cash budget plan to reduce the likelihood of liquidity risk;
• Securing credit insurance to cover non-payment of goods or services/bad debt;
• Carrying out comprehensive due diligence on counterparties whose default could seriously
harm the business;
• Monitoring predicted changes in interest rates; and
• Carrying out a robust assessment of planned investments using tried and tested techniques.

Study

Study the section “Implementation of financial risk management”, par. 15.4 in chapter
15 of the prescribed book.

5.5 LIQUIDITY RISK


Liquidity risk is the risk that a business will be unable to obtain the funds necessary to meet
its obligations as they fall due either by increasing liabilities or converting assets into money
without loss.

Read

Read the section “Liquidity risk”, par. 15.5 in the prescribed book.

5.5.1 Current ratio and quick ratio


The current ratio is the relationship between current assets and current liabilities. The quick
ratio is a liquidity indicator that further refines the current ratio by measuring the amount of
the current liquid assets available to cover current liabilities. The quick ratio is more
conservative than the current ratio because it excludes inventory and other current assets, which are
more difficult to turn into cash. Therefore, a higher ratio means a better liquid current position.

5.5.2 Mitigation of liquidity risk


Mitigation of liquidity risk is the payment of debts when they fall due. This can be achieved
by using a cash budget.

5.6 CREDIT RISK


Credit risk is the financial loss suffered as the result of the default of a borrower or counterparty
under a contract. Default by a small number of large customers could lead to insolvency. The
three main components of credit risk include default, exposure and recovery.
• Default risk is the probability of default.
• Exposure risk relates to the uncertainty surrounding the payment of future amounts.
• Recovery risk relates to uncertainty regarding the possible recovery.
• Credit insurance is a mitigation action for credit risk.
• Counterparty risk is the risk to each party to a contract that the counterparty will not live
up to its contractual obligations. If A is the counterparty to B and B is the counterparty to
A, both are exposed to this risk. For example, if Tshepiso agrees to lend funds to Tebogo
up to a certain amount, there is an expectation that Tshepiso will provide the cash, and
Tebogo will pay those funds back. There is still the counterparty risk assumed by them
both. Tebogo might default on the loan and not pay Tshepiso back, or Tshepiso might
stop providing the agreed-upon funds.
• Due diligence generally refers to the care a reasonable person should take before
entering into an agreement or a transaction with another party. A business considering
an undertaking such as entering into a significant contract, committing to a joint venture,
acquiring a business or lending money to a third party will need to undertake due diligence
as part of the evaluation process.

Read

Read the section “Credit insurance”, par. 15.6.4 in the prescribed book.

Study

Study the section “Credit risk”, par. 15.6 (excluding par. 15.6.4) in chapter 15 of the prescribed
book.

5.7 BORROWING
According to Chapman (2013), when a company borrows money, it needs to know the basis
of interest rate determination, the interest rate at commencement of the borrowing, the
nature of interest rate (fixed or variable), and the duration of payment. The rate of interest
paid depends on the following:
• Amount
• Term
• Forecasts
• Inflation
• Risk
• Opportunity cost
• Market

Read

Read the section “Borrowing”, par. 15.7 in the prescribed book.

5.8 CURRENCY (OR FOREIGN EXCHANGE) RISK


Currency risk relates to the possible impact of fluctuations in exchange rates on foreign
exchange holdings or the commitments payable in foreign exchange.

5.9 FOREIGN INVESTMENT RISK


Foreign investment risk entails the possible risks that arise when a business pursues
opportunities abroad. Examples of foreign investment risks include country risk and environmental risk.

Read

Read the section “Foreign investment risk”, par. 15.10 in chapter 15 of the prescribed book.

5.10 DERIVATIVES
Derivatives are financial products derived from some other existing product. Examples
include options, futures and swaps. Derivatives are available to cover many types of exposure,
including interest rates; foreign currency exchange rates; commodities, such as energy (oil or
gas), bullion (e.g. gold and silver), base metals (copper and nickel) and agriculture (e.g. sugar);
and equities. Derivatives can be either exchange-traded or over the counter.

Study

Study the section “Derivatives”, par. 15.11 in chapter 15 of the prescribed book.

Self-assessment

(1) With the aid of examples, discuss the financial risks faced by South African Airways (SAA).
What are the benefits to SAA of implementing financial risk management?
(2) Discuss the factors that determine the development of a sound system of financial
management by SAA.
(3) Discuss the three main components of credit risk.
(4) Define liquidity risk and discuss why it is essential in financial risk management.
(5) With reference to Box 15.1 in the prescribed book, calculate the quick ratio.

SUMMARY
The purpose of Lesson 5 was to examine various aspects of financial risk, which have to be
managed to maintain business continuity. The financial risks covered were liquidity risk, credit
risk, interest risk, foreign currency risk, foreign investment risk and derivatives. The business
case for operational risk is discussed in the next lesson.

LESSON 6
OPERATIONAL RISK MANAGEMENT

Contents

Aim
Key concepts
Learning outcomes
Learning material
Self-assessment
Summary

Aim

At the end of this lesson, you will be able to point out the elements, attributes and features
of operational risk and describe an appropriate response strategy in the context of ERM.

Key concepts

Operational risk
People risk
Risk management culture
External events
Outsourcing
Mitigation

Learning outcomes

After studying this topic, you should be able to:


• Define and explain the importance of operational risk.
• Identify and discuss the benefits of operational risk.
• Discuss the factors influencing a sound operational risk management system.
• Identify and discuss the elements of operational risk.
• Discuss the measurement and mitigation of operational risk.

LEARNING MATERIAL
Lesson 6 is based on chapter 16 of the prescribed book.
6.1 INTRODUCTION
This chapter examines the second of the internal processes, namely operational risk
management. Operational risk is the exposure of an enterprise to losses resulting from people,
processes, systems and external events. Operational risk is present in all organisations and can
affect a firm’s solvency, the fair treatment of its clients and the incidence of financial crime.

Read

Read the introduction in chapter 16 of the prescribed book.

6.2 DEFINITION AND SCOPE OF OPERATIONAL RISK


Peccia, cited in Chapman (2013:268), defines operational risk as “the potential for loss due
to failures of people, processes, technology and external dependencies”. The sources of risk
considered to be embraced within operational risk include business risk, crime risk, disaster
risk, information technology risk, legal risk, regulatory risk, reputational risk, systems risk and
outsourcing. Refer to par. 16.1 of the prescribed book for more details.

6.3 BENEFITS AND IMPLEMENTATION OF OPERATIONAL RISK
Operational risk management affords various benefits to a business. The development of a
sound system of operational risk depends on numerous issues.

Study

Study the sections “Benefits of operational risk” and “Implementation of operational risk”,
pars. 16.3–16.4 in chapter 16 of the prescribed book.

6.4 STRATEGY
The business strategy is the overall approach to achieving business objectives. According to
Chapman (2013), adopting the wrong business strategy, failing to execute a well-thought-out
strategy and not modifying a successful strategy over time are examples of operational risk.

Study

Study the section “Strategy”, par. 16.5 in chapter 16 of the prescribed book.

6.5 PEOPLE
There is always a human factor to consider in undertaking any business activity. The
knowledge, experience, capability and reliability of the persons involved in all business processes
are critical risk factors. People risk continues to be the significant contributing factor in many
dramatic failures. Despite the difficulties of measuring this kind of risk, it needs to be targeted
in any programme aimed at improving risk management. Therefore, people risk may be
defined as a combination of the detrimental impact of employee behaviour and employer
behaviour. The following are examples of people risk:
• Absenteeism rates
• Labour turnover
• Accident rates
• Productivity
• Quality of finished goods
• Customer satisfaction

Study

Study the section “People” and Figure 16.3: Taxonomy of people risk in chapter 16 of the
prescribed book.

6.6 PROCESSES AND SYSTEMS


According to Chapman (2013), processes and systems risk is the failure of processes or systems
due to their poor design, complexity or non-performance, resulting in operational losses.
Consequently, a business may experience problems such as inability to meet orders, poor
quality control, fraud and information security failure.

Study

Study Figure 16.5: Taxonomy of processes and systems risk in chapter 16 of the prescribed
book.

6.7 EXTERNAL EVENTS


External events occur outside the business, requiring a response in the form of change
management or the establishment of contingency events to cope with events such as natural disasters.

6.8 OUTSOURCING
To reduce operational costs and become more competitive, modern organisations have
designed and implemented a number of key strategies. One of these is outsourcing.
Outsourcing offers multiple benefits, the most important being reduced costs, reorganisation of the
staff structure, increased level of working capital, improved quality of products and services
and reduced level of business risk. It also eliminates a degree of conflict with workers and
reduces some wasteful activities.

6.9 MEASUREMENT
It is necessary to measure the impact of those issues likely to have the greatest detrimental
effect on the operation of the business. Measurement enables businesses to set aside money
to cope with adverse events and to know the extent of insurance required.

6.10 MITIGATION
The success of mitigation depends on a number of different factors.

Study

Study the sections on outsourcing, measurement and mitigation, pars. 16.9–16.11 in
chapter 16 of the prescribed book.

Self-assessment

(1) Define operational risk.
(2) With the aid of examples, identify the operational risks faced by South African Airways
(SAA). What are the benefits to SAA of implementing operational risk management?
(3) What measures can SAA put in place to mitigate operational risks?
(4) Briefly discuss people as one of the main underlying risk factors comprising operational
risk management.

SUMMARY
In Lesson 6 we considered the elements of operational risk, namely strategy, people,
processes and systems, external events, and outsourcing. Operational risk is present in many
different forms, and minor problems can quickly escalate into significant losses if they are
not prevented at the source. Businesses must establish a series of systems and controls to
manage people risks. Processes and systems are a significant area of operational risk,
including such areas as business continuity, transaction risk, IT and information security. External
events such as flooding, power failure, and terrorism can all disrupt a business. In the next
lesson we will consider technological risk management.

LESSON 7
TECHNOLOGICAL RISK MANAGEMENT

Contents

Aim
Key concepts
Learning outcomes
Learning material
Self-assessment
Summary

Aim

At the end of this lesson, you will be able to discuss technology risk management, and
identify the primary types of technology of interest to organisations, sources of risk and
possible responses.

Key concepts

Technology risk
Communications technology
Information technology (IT) governance
Broadband
Electronic (E)-commerce
Control technology

Learning outcomes

After studying this topic, you should be able to:


• Define technology risk.
• Discuss the scope and benefits of technology risk.
• Discuss the types of technology and the risks associated with each IT tool.
• Discuss how businesses respond to technology risk.

LEARNING MATERIAL
Lesson 7 is based on chapter 17 of the prescribed book.

7.1 INTRODUCTION
Chapter 17 of the prescribed book examines the third of the internal processes, namely
technological risk. The main technologies today are information, communication and controls.
These technologies have the potential to raise productivity, lower costs and drive the
growth of organisations. Therefore, changes in technology can be both an opportunity and
a threat in terms of market share and market development. Although there is a wide range
of technologies, the common ones considered critical to business and discussed in this
chapter are information, communication and control. The chapter deals with the definition
of technology risk management, the primary types of technologies essential to business,
sources of risk and possible responses.

Study

Study the introduction in chapter 17 of the prescribed book.

7.2 DEFINITION AND SCOPE OF TECHNOLOGY RISK

Read

Read the section “Definition and scope of technology risk as a marketing tool” in chapter
17 of the prescribed book.

7.3 BENEFITS OF TECHNOLOGY RISK MANAGEMENT


The benefits of implementing and embedding technology risk management in an organisation
are discussed in the prescribed book.

Study

Study the section “Benefits of technology risk management”, par. 17.3 in the prescribed book.

7.4 IMPLEMENTATION OF TECHNOLOGY RISK MANAGEMENT

The development of a sound management system for technology risk and its practical
implementation depend on whether attention is paid to a number of issues. These issues are
discussed in the prescribed book.

Study

Study par. 17.4 in the prescribed book.

7.5 PRIMARY TECHNOLOGY TYPES
As pointed out in the introduction, risk management can be helpful for identifying
opportunities for the improvement of processes. Labour-intensive and complicated processes have
a greater potential for error than streamlined and simplified processes.

FIGURE 7: Primary technology types

7.5.1 Information technology


IT is the collection, storage, processing and communication of information by electronic
means. There are various types of IT tools, which include the following:
• Software applications
• Management information systems
• Intranets
• Telematics
• Information assets

7.5.2 Communications technology


Communications technology includes the following:
• Conference calls
• E-commerce using the internet
• Broadband
• E-mail
• Network systems

7.5.3 Control technology


Control technology consists of computer-based production control systems, which include
the following:
• Computer-aided design (CAD)
• Computer-aided manufacture (CAM)
• Flexible manufacturing systems (FMSs)
• Mechatronics
• Computer-integrated manufacture (CIM)
• Manufacturing resource planning (MRP)
• Operational research (OR)

Study

Study the section “Primary technology types”, par. 17.5 in chapter 17 of the prescribed book.

7.6 RESPONDING TO TECHNOLOGY RISK


A number of initiatives have been suggested to mitigate technology risk. These include IT
governance, investment and projects.

Self-assessment

(1) Define technology risk and discuss the possible sources of this kind of risk.
(2) Giving examples, discuss the various types of IT tools used by SAA in its endeavour to
manage technology risk.
(3) Discuss the risks associated with the use of e-mails in an organisation.
(4) Giving examples, discuss how an organisation like SAA responds to technology risk.

SUMMARY
In Lesson 7 we examined three primary technology types, namely information, communications
and control technologies. The next lesson deals with project risk management.

LESSON 8
PROJECT RISK MANAGEMENT

Contents

Aim
Key concepts
Learning outcomes
Learning material
Self-assessment
Summary

Aim

At the end of this lesson, you will be able to discuss project risk management and the
difficulties encountered in embedding risk management within a project.

Key concepts

Project risk management (PRM)


Project personnel
Project team
Project performance

Learning outcomes

After studying this topic, you should be able to:


• Distinguish between project risk and PRM.
• Identify the sources of PRM and discuss the benefits of PRM for a business.
• Discuss the difficulties associated with the implementation of PRM.
• Discuss the project risk management process.
• Discuss the roles of the project director.
• Discuss the difficulties faced by a project team.

LEARNING MATERIAL
Lesson 8 is based on chapter 18 of the prescribed book.

8.1 INTRODUCTION
In Lesson 8 we examine the fourth of the internal processes, namely project risk management
(PRM), since technology improvements are introduced as projects. A project is defined as a
unique activity with defined objectives, undertaken to achieve beneficial change, typically
constrained by limited resources. Any project has a defined start and finish date. Unless a
project is appropriately managed, it has the potential to damage the organisation’s reputation,
erode stakeholder relationships, diminish the share price and critically undermine financial
performance. Chapter 18 explores some of the difficulties encountered in integrating risk
management with a project.

Read

Read the introduction in chapter 18 of the prescribed book.

8.2 DEFINITION OF PROJECT RISK AND PROJECT RISK MANAGEMENT

Refer to pars. 18.1 and 18.2 in chapter 18 of the prescribed book for the definition of project
risk and project risk management.

8.3 SOURCES OF PROJECT RISK


The term “project risk” covers the sources of project risk. There are numerous sources of
project risk, and they are situated in the external business environment, the industry within
which an organisation operates, the sponsor’s organisation and the project itself.

Read

Read the section “Sources of project risk”, par. 18.3 in chapter 18 of the prescribed book.

8.4 BENEFITS OF PROJECT RISK MANAGEMENT


Project risk management (PRM) has the potential to afford a business a series of benefits. You
will find a discussion of these benefits in the prescribed book – consult par. 18.4.

8.5 IMPLEMENTATION OF PRM


Risk management can be helpful in identifying opportunities to improve processes.
Labour-intensive and complicated processes have greater potential for error than streamlined and
simplified processes. Common difficulties in implementing PRM include the following:
• Lack of clearly defined and disseminated risk management objectives
• Lack of senior executive and project director commitment and support
• Lack of a risk maturity model
• Lack of a change process to introduce PRM
• No common risk language (terms and definitions)
• Lack of articulation of the project sponsor’s risk appetite
• No definition of roles and responsibilities
• Lack of risk management awareness training to build core competencies
• Lack of integration of risk management with other project disciplines
• The reluctance of project personnel to spend time on risk management
• Risk owners not automatically taking responsibility for assigned risks
• No clear demonstration of how risk management adds value and contributes to project
  performance
• Overcomplicated implementation on the basis of an unclear risk policy, strategy, framework,
  plan and procedure
• No alignment between the business strategy, the business model and the risk management
  objectives
• No integration of risk management activities into the day-to-day activities of project
  managers

Study

Study the section “Embedding project risk management”, par. 18.5 in chapter 18 of the
prescribed book.

8.6 THE PRM PROCESS


The PRM process should provide a methodical, efficient and effective way of managing risks
to deliver a project. The process includes establishing the context, risk identification, analysis,
evaluation, treatment, monitoring and review, and communication and consultation.

8.6.1 Establish the context


The establishment of context involves both external and internal dimensions.
• The external dimension relates to political, legal, regulatory, market, technological and
  economic settings. It is vital to establish the legislation that the project will adhere to,
  such as health and safety legislation and sustainability goals, and to obtain the necessary
  approvals.
• The internal dimension relates to the organisation’s strategic objectives, structure, policies,
  processes, stakeholders, culture, reputation, capabilities (including capital and people)
  and concurrent projects.

Once a project has been approved and has commenced, progress should be checked against
the project’s business case to ascertain whether the project is still viable and planned benefits
are still realisable.

8.6.2 Risk identification
Risk identification is the process of determining which risks may affect the project and
establishing their characteristics.

8.6.3 Risk analysis


Risk analysis involves the identification of the probability and impact of the identified risks
and opportunities. Analysis can be qualitative or quantitative, depending on the requirements
of the risk process and the information available. Qualitative assessments use labels such as
high, medium or low, whereas quantitative measurements provide percentage likelihoods
(e.g. 50%) and an impact in terms of time and cost.

8.6.4 Risk evaluation


Risk evaluation typically looks at the combined net effect of the identified risks and
opportunities.

8.6.5 Risk treatment


Risk treatment is the act of responding to an identified risk.

8.6.6 Risk monitoring and review


Monitoring and review is an ongoing process of implementing and examining the success or
otherwise of the planned responses. It entails evaluating the perceived benefit of the response,
its attendant costs and the likelihood of new risks triggered by the response. If a decision is
taken to implement the response, there must be clarity on who will do so and when.

8.6.7 Communication and consultation


Communication and consultation take place at the beginning of and throughout the risk
management process. The communication and consultation process activities are the tasks
undertaken in striving to ensure that the risk management process is effective. Refer to par.
18.6.7 in the prescribed book for details of the activities involved.

Study

Study the section “Project risk management process”, par. 18.6 in chapter 18 of the
prescribed book.

8.7 ROLE OF THE PROJECT DIRECTOR


The director has overall responsibility for the delivery of the project in terms of satisfying the
stated objectives. Refer to par. 18.8 in the prescribed book for details of the project director’s role.

8.8 THE PROJECT TEAM AND THE CHALLENGES THEY FACE
The composition of the project team and its performance will have a fundamental impact
on the realisation of the project’s objectives. Team performance is a significant source of
potential risk. A number of issues can undermine the effectiveness of teams, including
the following:
• Lack of team structure
• Lack of definition of roles
• Lack of responsibility assignment matrix
• Poor leadership
• Poor team communication

You will find these discussed in par. 18.9.1 in the prescribed book.

8.9 TECHNIQUES USED TO SUPPORT PRM

Study

Study the section “Techniques used to support project risk management”, par. 18.12 in
chapter 18 of the prescribed book.

Self-assessment

(1) Distinguish between project risk and project risk management.


(2) You are appointed as the project manager for Group Five Construction (Pty) Ltd. This
company has been awarded a tender to build Reconstruction and Development Programme
(RDP) houses in Gauteng. You have organised a meeting to plan risk management.
(a) List at least four possible attendees at this meeting.
(b) Identify the sources of risk associated with this project and discuss the benefits and
five common problems encountered in the implementation of PRM.
(3) Briefly discuss the application of the project management process to this low-income
housing construction project.

SUMMARY
In Lesson 8 we covered the definition of project risk management and outlined the
potential sources of risk and the benefits and challenges associated with implementing PRM.
We examined the risk management process associated with running a project and issues
related to the project team. A significant source of risk is the project team itself, which is
why it was included as a topic of discussion. We ended the lesson by considering
techniques and software tools that enhance the implementation of PRM. In the next lesson we
will turn our attention to business ethics management.

LESSON 9
BUSINESS ETHICS MANAGEMENT

Contents

Aim
Key concepts
Learning outcomes
Learning material
Self-assessment
Summary

Aim

At the end of this lesson, you will be able to identify and discuss the key aspects of
business ethics to contribute to the broader risk management context.

Key concepts

Business ethical risk


Unethical behaviour
Standards
Compliance

Learning outcomes

After studying this topic, you should be able to:


• Define business ethics management and explain its importance to businesses.
• Identify and discuss sources of ethical risk.
• Discuss the benefits of ethical risk management.
• Discuss the reasons for unethical behaviour.
• Identify and discuss the components of a business ethics programme.

LEARNING MATERIAL
Lesson 9 is based on chapter 19 of the prescribed book.

9.1 INTRODUCTION
Ethics is inextricably linked with reputation, and a breach of ethics commonly leads to one or
more of the following: reduced share price, reduced profitability, unfavourable media
coverage, fines, additional administration and, in some extreme cases, imprisonment. As with other
aspects of risk management, the management of risks associated with ethical conduct will
determine a business’s performance, position and prolonged existence. This lesson, therefore,
explores the critical aspects of business ethics to aid all-inclusive risk management.

Read

Read the introduction in chapter 19 of the prescribed book.

9.2 DEFINITION OF BUSINESS ETHICAL RISK


Chapman (2013) defines ethics as the branch of business that deals with questions about
morality. Morality is behavioural conduct that relates to intentions, decisions and actions
involving choices between good and evil and right and wrong. Business ethics, therefore,
refers to moral rules and regulations governing the business world. Ethical risk refers to
exposure to events resulting in criminal prosecution, civil lawsuits or erosion of reputation.
Examples of ethical risk include bribery, false accounting, child labour, tax evasion, money
laundering and invasion of privacy.

Study

Study the sections “Definition of business ethical risk” and “Scope of business ethical
risk”, pars. 19.1–19.2 in chapter 19 of the prescribed book.

9.3 BENEFITS OF ETHICAL RISK MANAGEMENT


You will find a discussion of the benefits of ethical risk management in the prescribed book.

Read

Read the section “Benefits of ethical risk management”, par. 19.3 in the prescribed book.

9.4 FACTORS THAT AFFECT BUSINESS ETHICS


Examples of ethical codes that govern businesses include honesty, objectivity, integrity,
carefulness, openness, respect for intellectual property and confidentiality. Refer to par.
19.6, “Factors that affect business ethics”, in chapter 19 of the prescribed book. Examples of
unethical practices by companies and other entities that have been prosecuted or suffered
reputational damage because of the behaviour of employees and that have attracted
negative media attention include the following:
• Bribery in the private sector
• Money laundering
• Improper sales and marketing
• Inadequate financial accounting
• Bribery of government contracting officers
• Inadequate internal controls
• Failure to follow quality standards and procedures
• Environmental irresponsibility
• Employee claims of sexual harassment
• Blacklisting of international, national or local organisations
• Insider trading
• The exploitation of developing countries
• Health and safety irresponsibility
• Invasion of privacy

9.5 IMPLEMENTATION OF ETHICAL RISK MANAGEMENT


One approach to dealing with risk exposure arising from a breach of ethics is the development
and implementation of an ethics system across the organisation as a means of preventive
action. A business ethics programme aims to achieve specific expected outcomes, such as
increasing awareness of ethics issues, improving decision-making, and reducing misconduct.
The areas of focus for an ethics manual are based on the following four primary orientations:
• A compliance-based approach
• A protecting senior management approach
• Satisfying external stakeholder approach
• A values-based approach

These four primary orientations are not mutually exclusive. However, the degree of application
of these focus areas is based on four orientation levels, namely compliance, risk management,
reputation enhancement and benefit. For an organisation to be truly responsible, it must
fully embrace all four levels of identity.

A business ethics system can be composed of seven sequential components, as shown in
Figure 19.3, on page 369 of the prescribed book. The components are as follows:
• Vision
• Context
• Establish
• Implement
• Monitor
• Respond
• Evaluate

Study

Study the section “The system”, par. 19.8.3 in chapter 19 of the prescribed book.

Self-assessment

(1) Identify and discuss the sources of ethical risk in an academic institution such as Unisa.
(2) Define business ethics management and discuss the benefits of implementing ethical
risk management in an organisation.
(3) List and discuss the reasons for the emergence of unethical behaviour in an organisation.

SUMMARY
Lesson 9 examined the definition and scope of business ethics and the benefits of ethical
risk management. A breach of ethics, depending on its severity, can erode reputation and
share price and lead to lost opportunities. A risk management strategy for business might
involve designing and implementing a business ethics programme that meets emerging
global standards. The focus of the next lesson is health and safety management.

LESSON 10
HEALTH AND SAFETY MANAGEMENT

Contents

Aim
Key concepts
Learning outcomes
Learning material
Self-assessment
Summary

Aim

At the end of this lesson, you will be able to discuss health and safety as part of ERM.

Key concepts

Health and safety risk


Management system
Workplace precautions
Human reliability
Best practice.

Learning outcomes

After studying this topic, you should be able to:


• Identify and explain the sources of risk considered to fall within the concept of health
and safety risk in a business context.
• Discuss the benefits of health and safety risk management.
• Discuss the implementation of a health and safety risk management system.
• Discuss the improvement of human reliability in the workplace.
• Discuss the main risk mitigation factors.

LEARNING MATERIAL
Lesson 10 is based on chapter 20 of the prescribed book.

10.1 INTRODUCTION
Health and safety are no longer seen as peripheral, as enterprises recognise that losses
may result from non-compliance with rules and regulations relating to health and safety in
organisations. This lesson covers the definition and scope of health and safety risk, and the
benefits and implementation of health and safety risk management.

Read

Read the introduction in chapter 20 of the prescribed book.

10.2 DEFINITION AND SCOPE OF HEALTH AND SAFETY RISK


Read

Read the sections “Definition of health and safety risk” and “Scope of health and safety
risk”, pars. 20.1 and 20.2 in chapter 20 of the prescribed book.

10.3 BENEFITS OF HEALTH AND SAFETY RISK MANAGEMENT


Irrespective of where in the world the business operates, it is generally agreed that a health
and safety risk management system is good business management and improves
bottom-line profitability.

Study

Study the section “Benefits of health and safety risk management”, par. 20.3 in the
prescribed book.

10.4 IMPLEMENTATION OF HEALTH AND SAFETY RISK MANAGEMENT

Health and safety risk management systems are essential in planning and controlling
risk management in an organisation. A system of this kind is made up of the following
three components:
• Management arrangements
• Risk control systems
• Workplace precautions

Study

Study all the sections dealing with the implementation of health and safety risk
management, par. 20.6 in the prescribed book.

10.5 CONTRIBUTION OF HUMAN ERROR TO MAJOR DISASTERS
Read

Read the section “Contribution of human error to major disasters”, par. 20.8 in the
prescribed book.

10.6 IMPROVING HUMAN RELIABILITY IN THE WORKPLACE


Commonly recognisable methods to improve human reliability in the workplace include
the following:
• Reward schemes
• Job satisfaction
• Appraisal schemes
• Selection
• Training
• Human reliability analysis

10.7 RISK MANAGEMENT BEST PRACTICE


Risk management best practice is implemented throughout the development of a risk
management system, policy, and procedures to provide safe work systems. Refer to par. 20.10 in
the prescribed book for details of the principal risk mitigation factors.

Study

Study the sections “Improving human reliability in the workplace” and “Risk management
best practice”, pars. 20.9–20.10 in chapter 20 of the prescribed book.

Self-assessment

(1) Discuss the benefits of implementing a health and safety risk management system in
a business.
(2) Discuss how companies can improve human reliability in the workplace.
(3) With the aid of a diagram and examples, discuss the components of a health and safety
management system that can be implemented in a business such as South African
Airways (SAA).

SUMMARY
In Lesson 10 we explored the definition and scope of health and safety risk and the benefits
of safety risk management. Businesses are expected to have a moral obligation to
implement a health and safety environment legally enforceable by minimum standards of health
and safety practice. The next topic relates to the effect of external influences on businesses.
Individual businesses have no control over external macro factors.

Activity 10.1

Access the LibGuide on myUnisa, download the latest IRMSA risk report, and identify the
internal risks faced by organisations in South Africa today. Discuss these with your fellow
students on the discussion forum.

TOPIC 4
EXTERNAL INFLUENCES – MACRO FACTORS

Topic content

Lesson 11: ERM – External factors

Aim

At the end of this topic, you will be able to explain how external macro influences will
affect businesses. You will also be able to identify the macro factors included in the
economy, the environment, the legal framework, political structure, social factors, and
market conditions.

Learning outcomes

At the end of this topic, you will be able to discuss the six external influences (the macro
factors, namely: economic, environmental, legal, political, market and social risks) and
how they can have an impact on a business.

OVERVIEW
In this topic, we will discuss how external macro factors affect businesses. These external
influences occur at both national and international levels, and businesses have no control over
them. Macro factors include the state of the economy, the environment, the legal framework,
political structure, market conditions and social factors. They are shown in Figure 8 below.
A study of these factors allows you to develop an appreciation of how a business is subject
to external constraints and exposed to opportunities.

FIGURE 8: External influences – macro factors

Does the organisation for which you work or for which you would like to work identify
specific risks within each primary external risk class? Does an organisation take all of the above
macro factors into consideration?

Activity

Access the Risk Glossary document on myUnisa under Additional Resources and refer to
the definitions of economic, environmental, legal, political, market and social risks, which
you will find in all the official South African languages. Write down your own understand-
ing of these types of risks and discuss this with fellow students on the discussion forum.

LESSON 11
ERM – EXTERNAL FACTORS

Contents

Aim
Key concepts
Learning outcomes
Learning material
Self-assessment
Summary

Aim

At the end of this lesson, you will be able to discuss the six external influences (macro
factors) that may have a national or international impact on a business.

Key concepts

Economic risk
Interest rate risk
Energy sources
Sustainability
Intellectual property
Political risk
Social risk

Learning outcomes

After studying this topic, you should be able to:


• Define economic, environmental, legal, political, market and social risk.
• Discuss the benefits of economic, environmental, legal, political, market and social risk.
• Discuss the implementation of economic, environmental, legal, political, market and
social risk.
• Explain the scope of economic, environmental, legal, political, market and social risk.
• Discuss the factors that affect economic, environmental, legal, political, market and
social risk.

LEARNING MATERIAL
Lesson 11 deals with chapters 21 to 26 of the prescribed book, and in it we will discuss the
six external influences (macro factors) in ERM.

11.1 ECONOMIC RISK
The first of the six macro factors that affect the business-operating environment is economic
risk. Chapman (2013) defines economic risk as the influence of national macroeconomics
on individual business performance. Government policy affects national macroeconomics
through the manipulation of aggregate demand and consumer spending. However,
businesses have no control over national influence on aggregate demand. Refer to par. 21.1 in
the prescribed book for the complete definition of economic risk.

11.1.1 The scope of economic risk


The sources of risk considered as falling under economic risk include the following:
• Fall in demand
• Government policies
• Movement in house prices
• Exchange rates
• Inflation

11.1.2 Benefits of implementing economic risk management


Benefits derived from economic risk management include:
• Better knowledge of where the government is planning public spending
• An understanding of the impact of inflation and interest on demand
• An understanding of how the short-term behaviour of the gross domestic product (GDP)
  influences employment, prices and standard of living
• Promotion of rigorous market research before entering new markets in both the domestic
  and international context

The development of a sound system of economic risk management depends on a number
of factors, namely:
• An understanding of the drivers and consequences of inflation
• An understanding of the impact of changes in foreign exchange rates on the demand curve
• Tracking planned government spending
• An understanding of government fiscal and monetary policies
• An understanding of the taxation regime

Study

Study the sections “Benefits of economic risk management” and “Implementation of
economic risk management”, pars. 21.3–21.4 in chapter 21 of the prescribed book.

11.1.3 Factors affecting economic risk


• Microeconomics
Microeconomics is driven by households where the members require goods and services.
Consumers have resources (income, assets, time and energy) with which to satisfy their wants.
However, the limitation of these resources forces consumers to make choices. Given a set of
prices, each household will make choices that in aggregate affect those prices.

• Macroeconomics
Macroeconomics studies the total degree of deployment of each of the significant factors of
production, the total volume of output produced and income earned in the whole economy,
the average level of prices in all product markets, and the growth of the economy’s total
output. The three most important concepts are output, income and expenditure. They
are the leading indicators of a nation’s economic performance. The most critical empirical
measure of these variables is called the gross domestic product (GDP). GDP is the value
of total output produced in the whole economy over a particular period.

Read

Read sections 21.5 and 21.6, “Micro and Macroeconomics” in chapter 21 of the prescribed
book.

• Government policy
Macroeconomic policy is influenced by government policy through fiscal policy, monetary
policy and competing theories. Fiscal policy aims to influence government revenue
(taxation) and/or expenditure. Governments thus use macroeconomic policy to influence the
level of aggregate demand and supply in the economy. Monetary policy is the attempt by
the government or the central bank (in South Africa the SA Reserve Bank) to manipulate
the money supply, the supply of credit, interest rates and other monetary variables to
achieve the fulfilment of policy goals.

• Aggregate demand
Aggregate demand denotes the spending on goods and services produced in an economy.
It is made up of four elements, namely: consumer spending (C), investment expenditure
(I), government spending (G) and net expenditure on exports and imports (X − M). These
elements are used to construct aggregate demand curves in order to determine the GDP.
Dramatic changes in the aggregate demand may arise from changes in the underlying
constituents of aggregate demand. The underlying constituents are as follows:
  – Determinants of consumer spending
  – Determinants of investment expenditure
  – Determinants of government spending
  – Determinants of net expenditure on exports and imports

• Aggregate supply
Aggregate supply (AS) is the total output of the economy at a given price level at a given
point in time. The AS curve is affected by several factors, namely:
  – An increase in the capital stock due to a reduction in interest rates;
  – An improvement in the expectations of business executives;
  – Continuing technological change;
  – Increased investment in education;
  – A reduction in unemployment benefits, and
  – Schemes to improve the geographical mobility of workers.

• Inflation
Inflation is defined as a sustained general rise in prices. Creeping inflation is the term we
use to refer to a situation where prices rise a few cents on average each year. Hyperinflation
is the term describing a situation where inflation levels are very high. Inflation is believed
to cause unemployment and lower economic growth.

• Interest rate risk
Changes in interest rates affect business and consumer behaviour in a number of ways,
bringing about changes in the exchange rate, discretionary expenditure, savings and
borrowing.

• House prices
House sales are often treated as an economic barometer. Such expenditures are both
large and variable, and they exert a significant impact on the economy. Interest rates are
a large part of total mortgage payments. Small changes in interest rates cause a relatively
significant change in annual mortgage payments. Changes in interest rates can have an
enormous effect on the demand for new housing.

• International trade and protection
In order to understand the risks and opportunities associated with the production of
goods for export, businesses need to understand the mechanisms of international trade
and protectionism imposed by governments.
  • Methods of protection
    – Tariff – tax imposed on imported commodities
    – Import quotas – limitation on the commodities that may be shipped into the country
    – Domestic policies that reduce the demand for imported commodities
  • Trade policy – a government may choose to impose or tighten currency controls.

• Currency risk
Currency risk is the risk that the expected cash flow from overseas investments will be
adversely affected by fluctuations in exchange rates. There are two types of foreign
exchange risk, namely accounting or translation exposure and economic exposure. There
are various ways in which hedging⁹ can be done, namely netting, leading and lagging,
forward market hedging, fuel market hedging, currency futures, currency hedging and
money market risk.

Read

Read the section “Currency risk”, par. 21.15 of the prescribed book.

SUMMARY (ECONOMIC RISK)

Economic risk deals with basic macroeconomic theory and fiscal and monetary policies to
modify aggregate demand and supply to achieve a government’s objectives of full employment,
low inflation, stable balance of payments, and economic growth. Other economic risk
issues dealt with are interest rate, house prices, international trade and currency risk, all of
which influence ERM. In the next section we talk about environmental risk.

⁹ “Where a business is engaged in overseas transactions involving large sums, an adverse
movement in exchange rates can be catastrophic and so it will usually adopt some form of
‘hedging’ to minimise the risk” (Chapman, 2013:407–408).

11.2 ENVIRONMENTAL RISK
Environmental risk is the actual or potential threat of adverse effects on living organisms
and the environment as a result of effluents, emissions, wastes, resource depletion and so
on arising out of a business’s activities.

11.2.1 Scope of environmental risk


The environmental risk for businesses is considered to include:
• pollution of land, water and air;
• increased regulation and higher operational costs;
• prosecution arising from the lack of observance of rules set by a regulatory body;
• the reputational risk arising from adverse publicity as a result of pollution events, resulting
  in a reduced customer base;
• destruction of facilities or loss of manufacturing as a result of severe weather conditions;
• loss of oil production, resulting in higher energy costs.

11.2.2 Benefits of implementing environmental risk management

Read

Read par. 22.3, “Benefits of environmental risk management”, in the prescribed book.

Implementation
The development of a sound system of risk management depends on the following:
• the risk management system not overly constraining risk-taking, slowing down
  decision-making processes or limiting the volume of business undertaken;
• the implementers of the risk management framework being distinct from the managers
  of the individual business units;
• risks being managed at an appropriate level in the organisation, and
• the development of a culture that rewards the disclosure of risks where they exist, rather
  than encouraging managers to hide them.

11.2.3 Energy sources


Businesses today face five known energy problems: the cost, quality, reliability and longevity
of supplies, and the control of emissions. Traditional sources of supply are being depleted
across the world, and so renewable energy sources have to be developed to ensure that
future generations have adequate supplies of energy. Such renewable sources include wind
power, solar power, hydroelectric power, tidal power, geothermal energy and biomass.

11.2.4 Pollution
Businesses risk prosecution for pollution and breaching environmental legislation.
Prosecutions for air, water and land pollution are myriad.

11.2.5 Global warming
Global warming is the rise in the average temperature of the earth’s atmosphere and oceans,
which may have severe consequences for life on the planet. Scientists believe that global
warming is caused primarily by increasing concentrations of greenhouse gases produced by
human activities such as the burning of fossil fuels and deforestation. The greenhouse effect
is the “natural” process by which the atmosphere traps some of the sun’s energy.

11.2.6 Response to global warming


In response to increasing concerns about climate change, a number of policies and frameworks
have been put in place in an effort to reduce the effects of global warming. These initiatives
include the following:
• Earth Summit – the United Nations Framework Convention on Climate Change, 1992
• The Kyoto Protocol, 2004
• Pollution control targets imposed on countries by the Kyoto Protocol
• Sufficiency of emission cuts, in terms of which countries commit themselves to cutting
  emissions
• The US Climate Pact, 2005
• The Copenhagen Accord, 2009
• The European Union taking a leading role in governing global action on climate change
• The Cancun Agreements, 2010
• Domestic government response to climate change, in terms of which governments
  promulgate legislation on the cutting of carbon emissions
• Levies such as the carbon tax levied on the selling price of new vehicles in South Africa
• Emissions trading, in terms of which countries are allowed to buy and sell their agreed
  allowances of greenhouse gas emissions

11.2.7 Environmental sustainability


Environmental sustainability is the maintenance of the factors and practices that contribute
to the quality of the environment on a long-term basis. Sustainability is now a buzzword in
business. Companies are expected by the local community, customers, potential customers
and stakeholders in the business to go “green”. A lack of attention to environmental and
sustainability issues will pose a risk to potential growth. Refer to par. 22.11 in the prescribed
book for further details on environmental sustainability.

SUMMARY (ENVIRONMENTAL RISK)


The discussion on environmental risk has examined energy sources, renewable energy and
current energy consumption. The world’s traditional energy sources are being depleted, and
there is a need for the development of renewable energy sources to sustain future
generations. In the next section we will discuss legal risk.

11.3 LEGAL RISK


According to Young (2006), legal risk arises from violations of or non-compliance with laws,
rules, regulations, prescribed policies and ethical standards. This risk also arises when laws
or rules governing certain products or activities of an organisation’s customers are unclear
or untested. Non-compliance can expose the organisation to fines, financial penalties,
payment of damages and the voiding of contracts. It could also lead to a diminished reputation,
reduced franchise value, limited business opportunities, restricted developments and an
inability to enforce contracts.

11.3.1 Scope of legal risk


The sources of risk that fall within legal risk are numerous, and may include the following:
• Breach of environmental legislation
• Inaccurate listing of information in terms of misstatements, material omissions or misleading
  opinions
• Breach of copyright
• Loss of business because of senior management time being lost through protracted legal
  disputes
• Prosecution for breach of the law
• A legal dispute with overseas trading partners (differences between local law and the
  legislation of other countries)
• Loss of reputation because of prosecution or a dispute with a customer, partner or supplier
• Legal disputes lost through poor record-keeping

11.3.2 Benefits and implementation of legal risk

Study

Study the sections “Benefits of legal risk management” and “Implementation of legal risk
management”, pars. 23.3–23.4 in chapter 23 of the prescribed book.

11.3.3 Business law


The sources of legal risk emanate from business activities based on the basic features of the
legal system. The primary categories of law are public and private law.
• Public law deals with the relationship between the state and its citizens. The three critical
  areas are constitutional law, administrative law and criminal law.
• Private law is concerned primarily with the rights and duties of individuals in relation to
  each other.

Another significant distinction is drawn between civil and criminal law.

11.3.4 Companies
Legal risk also arises in the formation of companies. There are rules and regulations that
companies have to abide by, for instance regarding the company name, memorandum of
association, articles of association, financing of the company, the issue of shares and debentures,
the official listing of securities, the remedy of rescission, the protection of minority interests
and duties of directors.

11.3.5 Intellectual property
According to Chapman (2013), intellectual property refers to a product or process that is
marketable because of its uniqueness. Patent law usually protects this uniqueness. Patent
law gives protection to technological inventions, while copyright law protects rights in
musical and artistic works and works of literature. The law of trademarks and service marks
protects the use of a particular mark if it is used in trade. The law relating to registered designs
protects mass-produced articles that are distinguished from others by a registered design.
• Patents: The issues covered under patents include application, items that can be patented,
  exclusions, registration, and infringement.
• Copyright: The issues covered under copyright include ownership, duration and
  infringement.
• Designs: A design right looks at the colouring, shape, texture and/or material associated
  with a product.

Study

Study “Intellectual property”, par. 23.7 in the prescribed book.

11.3.6 Employment law


Businesses must comply with employment law in their hiring of staff based on the principles
of the law of contract. Failure to do so can lead to prosecution. Contracts of employment must
be legal. Other aspects covered by the employment contract include terms of remuneration,
holiday pay, sick leave and pay, time for antenatal care, maternity leave and dismissal
procedures. Businesses are at risk if employment law is not understood and adhered to. Refer
to par. 23.8 in the prescribed book.

11.3.7 Contracts
The essential elements of a valid contract include legality, agreement, consideration,
intention, capacity, genuineness of consent and formalities.

Types of contracts

There are two broad categories of contracts, namely speciality contracts and simple contracts.

11.3.8 Criminal liability in business


Criminal law affects the supplier of goods and services in terms of:
• Misleading descriptions of goods and services
• Misleading price indications about goods and services
• Safety of consumer goods
• Safety and quality of food

Study

Study “Criminal liability in business”, par. 23.10 in the prescribed book.

11.3.9 Computer misuse
There are rules and regulations which protect businesses from computer misuse. Computer
misuse is now a global problem, with hacking and virus infection being serious causes for
concern. Common forms of computer misuse include:
• Unauthorised access to computer material
• Unauthorised use of the internet to commit or facilitate further offences
• Unauthorised modification of computer material

SUMMARY (LEGAL RISK)


Our discussion of legal risk examined some of the sources of legal risk that businesses
may experience. Issues such as the division between public and private law, aspects of the
Companies Act, employment law, contracts and the criminal liability of businesses were
covered. We also examined aspects of intellectual property in terms of patents, copyright
and designs. In the next section we discuss political risk.

11.4 POLITICAL RISK


Political risk can be defined as “the uncertainty that stems, in whole or in part, from the
exercise of power by government actors and the actions of non-government groups” (Chapman,
2013:454). This type of risk can be seen in domestic and international markets and is also
associated with cross-border exposure and developing countries. The political environment of
other countries will always have an effect on the threats and opportunities facing a business
wanting to expand its activities beyond the borders of its own country. Refer to par. 24.1 in
the prescribed book for the complete definition of political risk.

11.4.1 Scope of political risk


Political risks can be divided into two categories.
• Macro political risks
  Macro political risks can affect all businesses in a country. They may include potential
  threats of adverse economic magnitude, terrorism, labour disputes, economic
  recession, high inflation, civil war, escalating crime and high taxation.
• Micro political risks
  Micro political risks affect only specific businesses or industries. They may include new
  regulations, taxations, tariffs and quotas imposed on a specific business/industry, and
  politically motivated violence against a specific industry.

Study

Study the section “Micropolitical and macropolitical risks”, par. 24.2 in chapter 24 of the
prescribed book.

11.4.2 Benefits and implementation of political risk management
Implementing a sound system of political risk management strategies in business will give
rise to certain benefits, which are described in the prescribed book.

Study

Study the sections “Benefits of political risk management” and “Implementation of political
risk management”, pars. 24.3–24.4 in chapter 24 of the prescribed book.

11.4.3 Political risk factors a business may be faced with


Businesses that carry out activities in other countries may have to take note of certain factors
when identifying the political risks a business may face. The factors for consideration are:
• Contract risk events
• SA government fiscal policy
• Pressure groups
• Terrorism and blackmail

Read

Read the sections “Contracts”, “UK government fiscal policy”, “Pressure groups”, and
“Terrorism and blackmail”, pars. 24.6, 24.8, 24.9 and 24.10. You will be required to list the factors.

11.4.4 Mitigation strategies for political risks


• The following response strategies can be applied to minimise political risk in the business:
  – Undertake proper planning and exercise due diligence.
  – Invest in projects or enter into contracts where the host government has implemented
    specific policies that encourage private sector involvement.
  – Consider projects that host governments are supporting.
  – Obtain insurance against political risks.
  – To be protected from interest rate fluctuations, a business can enter into a hedge
    contract.
  – Establish a good relationship with the workforce to create a risk-friendly environment.
  – Incorporate strong arbitration language into contracts to deal with labour disputes.
  – Enhance on-site security as a means of protection against terrorist attacks.
  – Be attuned to what is happening in the host country.

• A business can also do the following to mitigate political risks:
  – Assess political risk factors
  – Arrange political risk factors in order of priority
  – Improve relative bargaining power

Read

Read par. 24.11 in the prescribed book. You will be required to list the response strategies
and tools used to mitigate political risks.

SUMMARY (POLITICAL RISK)
In the business ERM process, political risk will be considered as a primary source of risk and
opportunity. The degree to which a business wants to expand its activities in another country
will indicate how important it is for the business to adapt to the political risk factors and
implement mitigation strategies. Below we discuss market risk.

11.5 MARKET RISK


Market risk can be defined as “the exposure to a potential loss arising from diminishing
sales or margins due to changes in market conditions, outside of the control of the
business” (Chapman, 2013:467). A business needs to gain insight into the market structure (size,
barriers to entry, product diversification and number of competitors) in which the business
operates. Market risk policies should consider business activities, objectives, the regulatory
environment, competitiveness and staff and technology capabilities. Proactive market risk
management is vital for a business to adapt to changing markets. Refer to par. 24.2 in the
prescribed book.

11.5.1 Scope of market risk


The sources of market risk and opportunity can be seen in Figure 9 below.

FIGURE 9: Macro marketing environment

The marketing environment of a business can form part of the macro industry and task
environment. The business must also concentrate on the levels of uncertainty in the marketing
environment so as to monitor, analyse and understand the various influences affecting the industry.

Study

Study the section “Scope of market risk”, par. 25.2 in chapter 25 of the prescribed book.

11.5.2 Benefits and implementation of market risk management


Implementing a sound system of market risk management strategies in a business will give
rise to definite benefits.

Study

Study the sections “Benefits of market risk management” and “Implementation of market
risk management”, pars. 25.3–25.4 in chapter 25 of the prescribed book.

11.5.3 Market structure
A market structure can be seen as characteristics of a market that have the potential to
determine business behaviour. The following five characteristics have been identified:
1. Number of firms – The number of firms in the market and their relative sizes
2. Barriers to entry – The ease or difficulty with which new entrants might enter the market
3. Product homogeneity, diversity and branding – The extent to which goods are similar
4. Knowledge – The extent to which all businesses in the market share the same knowledge
5. Interrelationships within markets – The extent to which the actions of one business will
affect another business (bargaining power of suppliers and buyers)

Read

Read par. 25.5 in the prescribed book. You must be able to discuss the five characteristics.

11.5.4 Product life cycle stage


A business needs to understand the life cycle stages of a product. A product life cycle
consists of five stages, as shown in Figure 10 below. Following the decline stage, a product will
be replaced by a new product.

FIGURE 10: Five product life cycle stages

Read

Read par. 25.6 and refer to Figure 25.3 in the prescribed book to understand the
progression of a product life cycle.

11.5.5 Alternative strategic directions


The alternative strategic directions for a business can be either to grow the business, to do
nothing, or to withdraw. Thus, a business plan can be developed to expand a business in
four possible directions.
• Market penetration: Sell more of the same to the same market.
• Product development: Sell new products to existing customers.
• Market development: Seek out new markets for existing products.
• Diversification: Sell new products to new groups of customers.

Read

Read par. 25.7 and look at Figure 25.4 in the prescribed book. You must be able to discuss
the alternative strategic directions.

11.5.6 Acquisition
Read

Read par. 25.8 in the prescribed book.

11.5.7 Competition
An oligopolistic market can be characterised by price stability, non-price competition
(product, price, promotion and place), branding and specific market strategies.

Read

Read par. 25.9 and refer to Figure 25.5 in the prescribed book.

11.5.8 Price elasticity/sensitivity


Price elasticity can be seen as a sensitivity of demand to changes in price. It is measured by
dividing the change in demand by the percentage change in price. If demand is not sensitive
to price, the business will increase revenue because the increase in price leads to a smaller
decrease in quantity demanded.

Read

Read par. 25.10 in the prescribed book.

11.5.9 Market risk measurement: Value at risk


Value at risk can be defined as calculating the worst possible loss that might be expected at
a given confidence level over a given period under normal market conditions. In calculating
value at risk, the following methods can be used, as discussed by Chapman (2013):
• Historical simulations method
• Variance–covariance or analytical method
• Monte Carlo method

Read

Read par. 25.12 in the prescribed book. You need to understand the concept of value at risk.
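
The three calculation methods listed in 11.5.9, worked through on one small portfolio. This is an added illustration, not taken from the study guide or the prescribed book; the return series, portfolio value, horizon, trial count and seed are constructed assumptions, and the parametric and Monte Carlo functions extend the one-day case to a multi-day period.

```python
import math
import random
from statistics import NormalDist, mean, stdev

# Constructed sample: 20 daily portfolio returns (fractions). Not real market data.
RETURNS = [0.012, -0.008, 0.005, -0.021, 0.009, 0.003, -0.015, 0.007, -0.002, 0.011,
           -0.034, 0.004, 0.006, -0.011, 0.002, 0.014, -0.006, 0.001, -0.027, 0.008]
PORTFOLIO_VALUE = 1_000_000  # assumed portfolio value in rand


def _check(returns, confidence):
    if len(returns) < 2:
        raise ValueError("need at least two return observations")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")


def _loss_quantile(losses, confidence):
    """Smallest observed loss that is not exceeded in `confidence` of the cases."""
    ordered = sorted(losses)
    # round() guards against float noise such as 0.95 * 20 = 18.999999...
    rank = math.ceil(round(confidence * len(ordered), 9))  # 1-based rank
    rank = min(max(rank, 1), len(ordered))
    return max(ordered[rank - 1], 0.0)  # a gain at the quantile means no loss at risk


def historical_var(returns, value, confidence=0.95):
    """Historical simulation: read the loss quantile straight off past returns."""
    _check(returns, confidence)
    return _loss_quantile([-r * value for r in returns], confidence)


def parametric_var(returns, value, confidence=0.95, horizon_days=1):
    """Variance-covariance (analytical) method for a single position.

    Assumes normally distributed, independent daily returns, so volatility
    scales with the square root of the horizon and the mean scales linearly.
    """
    _check(returns, confidence)
    mu, sigma = mean(returns), stdev(returns)
    z = NormalDist().inv_cdf(confidence)
    loss = value * (z * sigma * math.sqrt(horizon_days) - mu * horizon_days)
    return max(loss, 0.0)


def monte_carlo_var(returns, value, confidence=0.95, horizon_days=1,
                    trials=20_000, seed=2601):
    """Monte Carlo: simulate compounded price paths and take the loss quantile.

    Daily returns are drawn from a normal distribution fitted to the sample;
    the fixed seed makes the result reproducible.
    """
    _check(returns, confidence)
    mu, sigma = mean(returns), stdev(returns)
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        growth = 1.0
        for _ in range(horizon_days):
            growth *= 1.0 + rng.gauss(mu, sigma)
        losses.append(value * (1.0 - growth))
    return _loss_quantile(losses, confidence)


if __name__ == "__main__":
    for label, fn, kwargs in [
        ("Historical, 1 day", historical_var, {}),
        ("Parametric, 1 day", parametric_var, {}),
        ("Parametric, 10 days", parametric_var, {"horizon_days": 10}),
        ("Monte Carlo, 10 days", monte_carlo_var, {"horizon_days": 10}),
    ]:
        var = fn(RETURNS, PORTFOLIO_VALUE, 0.95, **kwargs)
        print(f"{label:22s} 95% VaR: R{var:,.0f}")
```

On this sample the historical figure is higher than the parametric one because the two worst observed days sit further out than a normal distribution fitted to the same data would predict.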

11.5.10 Risk response planning


A business must set out how market risk will be evaluated throughout the business. Clear
responsibilities, roles and authority levels must be distinguished within each management
strategy for market risk. Broad strategies must be implemented in the advertising, research
and development, product development and diversification sections. Risk mitigation
techniques for market risk will involve risk identification, measurement and reporting. It is also
vital for a business to take out an insurance policy. Refer to par. 25.13 in the prescribed book.
You must be able to explain the risk response strategies for market risk.

SUMMARY (MARKET RISK)
A business needs to understand the market structure and the opportunities and threats
presented by both existing and potential competitors. Similarly, a business must adapt and
understand changes in the market environment. Market risk must be dealt with as a primary source
of opportunities and risks in the ERM process. We will now turn our attention to social risk.

11.6 SOCIAL RISK


Social risk can be defined as “the society’s impact on business, not vice versa” (Chapman,
2013:500). Social risks are seen as social elements that affect a business’s performance over
which the business has no control or which it has only minimal capacity to influence. A
business needs to understand the characteristics, lifestyle choices and social attitudes of its
workforce. Workforces are assumed to take on the behaviours, habits and social cultures that
are prevalent where they work, function and live. Refer to par. 26.1 in the prescribed book.

11.6.1 Scope of social risk


There are seven identified sources of social risk.

Study

Study the section “Scope of social risk”, par. 26.2 in chapter 26 of the prescribed book.

11.6.2 Benefits and implementation of social risk management


Implementing a sound system of social risk management strategies in business will give rise
to certain benefits.

Study

Study the sections “Benefits of social risk management” and “Implementation of social
risk management”, pars. 26.3–26.4 in chapter 26 of the prescribed book.

11.6.3 Factors that may influence social risk within a business


• Education
• Population movements: demographic changes
• Social-cultural patterns and trends
• Crime
• Lifestyles and social attitudes
  – Home improvements
  – Motherhood, marriage and family formation
  – Health
  – Less healthy diets
  – Smoking and drinking
  – Long working hours
  – Stress levels
  – Recreation and tourism

Read
Read pars. 26.5–26.9 in the prescribed book. You will be required to list the factors.

SUMMARY (SOCIAL RISK)


The lifestyle habits of employees and their priorities reflect the characteristics of the
workforce. A business needs to understand the social threats, opportunities and needs of
employees that may affect the business. Some lifestyle habits of employees, such as smoking,
drinking and unhealthy diet, can have a negative impact on employee performance
in the form of poor concentration, reduced commitment and low energy, which can also
lead to frequent absence from work. A business must be able to identify and act on the
social needs of its employees.

Activity 11.1
Access the LibGuide on myUnisa and download the latest global risk report. Identify
the external risks facing the global economy today and discuss these with your fellow
students on the discussion forum.

Self-assessment
(1) With the aid of examples, discuss the factors that determine the successful
implementation of a sound system of economic risk management.
(2) “Climate change is widely recognised as one of the key environmental challenges facing
the world today.” Discuss this statement as it relates to environmental risk management.
(3) Discuss why employment is an essential determinant of legal risk.
(4) Distinguish between macro-political and micro-political risks.
(5) List the eight sources of market risk and opportunity.
(6) Discuss the benefits of market risk management.
(7) Discuss the trends in the implementation of social risk management.

SUMMARY
In Topic 4 we discussed the six macro factors that affect the business operating environment:
economic risk, environmental risk, legal risk, political risk, market risk, and social risk. The
scope of external assessment embraces the analysis of opportunities and threats affecting
a business. Economic factors have a direct impact on the potential attractiveness of a
business. Furthermore, concerns about climate change have led to a widening array of laws and
incentive structures that affect how businesses operate.

Activity 11.2
Access the RSK2601 presentation folder on myUnisa, under Additional Resources. Work
through the presentation, videos and Eskom case study. The presentation is a summary of
the module and indicates how it can be practically applied. Discuss what you have learnt
in the module from the presentation with your fellow students on the discussion forum.

BIBLIOGRAPHY
AIRMIC, Alarm & IRM. 2010. A structured approach to ERM (ERM) and the requirements of ISO
31000. Retrieved from: Layout 1 (ferma.eu) (Accessed 27/05/2021).
Cadbury, A. 1992. Report of the Committee on the Financial Aspects of Corporate Governance.
London: Gee & Co.
Chapman, RJ. 2013. Simple tools and techniques for enterprise risk management. 2nd edition.
Hoboken, NJ: John Wiley & Sons (ISBN 9781118742426) (Paperback).
Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control–
Integrated Framework. 2013. Retrieved from:
https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf (Accessed 27/05/2021).
Corporate Governance and the Financial Crisis. 2010. OECD Steering Group on Corporate
Governance. Retrieved from:
https://www.oecd.org/daf/ca/corporategovernanceprinciples/44679170.pdf (Accessed 27/05/2021).
Deloitte. 2016. King IV bolder than ever. Retrieved from:
https://www2.deloitte.com/content/dam/Deloitte/za/Documents/governance-risk-compliance/ZA_King_IV.pdf
(Accessed 02/02/2017).
Gitman, LJ. 2010. Principles of managerial finance: global and South African perspectives. Cape
Town: Pearson.
IoDSA. 2002. The King Report on Corporate Governance (King II). Sandton.
IoDSA. 2009. The King Code of Governance in South Africa (King III). Sandton.
IoDSA. 2016. The King IV Report on Corporate Governance for South Africa (King IV). Sandton.
ISO. 2009. ISO 31000: 2009 Risk management – principles and guidelines. Geneva.
OECD. 2004. Principles of corporate governance. Retrieved from:
https://www.oecd.org/corporate/ca/corporategovernanceprinciples/31557724.pdf (Accessed 27/05/2021).
Peccia, T. 2001. Designing an operational risk framework from a bottom-up perspective.
In C. Alexander (ed.), Mastering risk. Volume 2: Applications. Harlow: Financial Times,
Prentice-Hall.
Principles for enhancing corporate governance. 2010. Basel Committee on Banking
Supervision. Retrieved from: www.bis.org/publ/bcbs176.htm (Accessed 10/04/2013).
PwC. 2009. Kings Council. King III at a glance. Corporate Governance Series. Retrieved from:
http://www.pwc.co.za/en/assets/pdf/steeringpoint-kingiii-03-sept09.pdf (Accessed
04/03/2014).
PwC. 2016. A summary of the King IV Report on Corporate Governance for South Africa,
2016. King IV: An outcomes-based corporate governance code fit for a changing world.
Retrieved from: http://www.pwc.co.za/kingIV (Accessed 01/02/2017).
South Africa. The Companies Act 61 of 1973.
South Africa. The Companies Act 71 of 2008.
UK Cadbury Commission Report on Corporate Governance of 1992.
Valsamakis, AC, Vivian, RW & du Toit GS. 2010. Risk management. 4th edition. Sandton:
Heinemann.
Young, J. 2006. Operational risk management: the practical application of a qualitative approach.
4th edition. Pretoria: Van Schaik.
