
June 2011, Question 2

The board of YGT discussed its need for timely risk information.

The consensus of the meeting was that risk consultants should be engaged to review the risks facing the company. One director, Raz Dutta, said that she felt that this would be a waste of money as the company needed to concentrate its resources on improving organizational efficiency rather than on gathering risk information. She said that many risks didn't change much and hardly ever materialised and so can mostly be ignored. The rest of the board, however, believed that a number of risks had recently emerged whilst others had become less important and so the board wanted a current assessment as it believed previous assessments might now be outdated.

The team of risk consultants completed the risk audit. They identified and assessed six potential risks (A, B, C, D, E and F) and the following information was discussed when the findings were presented to the YGT board:

Risk A was assessed as unlikely and low impact whilst Risk B was assessed as highly likely to occur and with a high impact. The activities giving rise to both A and B, however, are seen as marginal in that whilst the activities do have value and are capable of making good returns, neither is strategically vital.

Risk C was assessed as low probability but with a high potential impact and also arises from an activity that must not be discontinued although alternative arrangements for bearing the risks are possible. The activity giving rise to Risk C was recently introduced by YGT as a result of a new product launch.

Risk D was assessed as highly likely but with a low potential impact, and arose as a result of a recent change in legislation. It cannot be insured against nor can it be outsourced. It is strategically important that the company continues to engage in the activity that gives rise to Risk D although not necessarily at the same level as is currently the case.

In addition, Risks E and F were identified. Risk E was an environmental risk and Risk F was classed as a reputation risk. The risk consultants said that risks E and F could be related risks. In the formal feedback to the board of YGT, the consultants said that the company had to develop a culture of risk awareness and that this should permeate all levels of the company.

Required:

(a) Criticise Raz Dutta's beliefs about the need for risk assessment. Explain why risks are dynamic and therefore need to be assessed regularly. (8 marks)

(b) Using the TARA framework, select and explain the appropriate strategy for managing each risk (A, B, C and D). Justify your selection in each case. (6 marks)

(c) Explain what related risks are and describe how Risks E and F might be positively correlated. (5 marks)

(d) The risk consultants reported that YGT needed to cultivate a culture of risk awareness and that this should permeate all levels of the company.
Required: Explain and assess this advice.

June 2010, Question 3

The Committee of Sponsoring Organisations (COSO) of the Treadway Commission is an American voluntary, private sector organisation and is unconnected to government or any other regulatory authority. It was established in 1985 to help companies identify the causes of fraudulent reporting and to create internal control environments able to support full and accurate reporting. It is named after its first chairman, James Treadway, and has issued several guidance reports over the years including important reports in 1987, 1992 and 2006.

In 2009, COSO issued new guidance on monitoring internal control systems to help companies tighten internal controls and thereby enjoy greater internal productivity and produce higher quality reporting. The report, written principally by a leading global professional services firm but adopted by all of the COSO members, noted that "unmonitored controls tend to deteriorate over time" and encouraged organisations to adopt wide ranging internal controls. It went on to say that "the assessment of internal controls [can] ... involve a significant amount of ... internal audit testing."

After its publication, the business journalist, Mark Rogalski, said that the latest report contained "yet more guidance from COSO on how to make your company less productive by burdening it even more with non-productive things to do", referring to the internal control guidance the 2009 report contains. He said that there was no industry sector-specific advice and that a one-size-fits-all approach to internal control was ridiculous. He further argued that there was no link between internal controls and external reporting, and that internal controls are unnecessary for effective external reporting.

Another commentator, Claire Mahmood, wrote a reply to Rogalski's column pointing to the views expressed in the 2009 COSO report that "over time effective monitoring can lead to organisational efficiencies and reduced costs associated with public reporting on internal control because problems are identified and addressed in a proactive, rather than reactive, manner." She said that these benefits were not industry sector specific and that Rogalski was incorrect in his dismissal of the report's value. She also said that although primarily concerned with governance in the USA, the best practice guidance from COSO could be applied by companies anywhere in the world. She said that although the USA, where COSO is based, is concerned with the rigid rules of compliance, the advice ought to be followed by companies in countries with principles-based approaches to corporate governance because it was best practice.

Required:

(a) Distinguish between rules-based and principles-based approaches to internal control system compliance as described by Claire Mahmood and discuss the benefits to an organisation of a principles-based approach. (7 marks)

(b) Mr Rogalski is sceptical over the value of internal control and believes that controls must be industry-specific to be effective.
Required: Describe the advantages of internal control that apply regardless of industry sector and briefly explain the meaning of the statement, "unmonitored controls tend to deteriorate over time". Your answer should refer to the case scenario as appropriate. (10 marks)

(c) The COSO report explains that "assessment of internal controls [can] ... involve a significant amount of ... internal audit testing."
Required: Define internal audit testing and explain the roles of internal audit in helping ensure the effectiveness of internal control systems. (8 marks)

(25 marks)

June 2009, Question 4

John Pentanol was appointed as risk manager at H&Z Company a year ago and he decided that his first task was to examine the risks that faced the company. He concluded that the company faced three major risks, which he assessed by examining the impact that would occur if the risk were to materialise. He assessed Risk 1 as being of low potential impact as even if it materialised it would have little effect on the company's strategy. Risk 2 was assessed as being of medium potential impact whilst a third risk, Risk 3, was assessed as being of very high potential impact.

When John realised the potential impact of Risk 3 materialising, he issued urgent advice to the board to withdraw from the activity that gave rise to Risk 3 being incurred. In the advice he said that the impact of Risk 3 was potentially enormous and it would be irresponsible for H&Z to continue to bear that risk.

The company commercial director, Jane Xylene, said that John Pentanol and his job at H&Z were unnecessary and that risk management was very expensive for the benefits achieved. She said that all risk managers do is to tell people what can't be done and that they are pessimists by nature. She said she wanted to see entrepreneurial risk takers in H&Z and not risk managers who, she believed, tended to discourage enterprise.

John replied that it was his job to eliminate all of the highest risks at H&Z Company. He said that all risk was bad and needed to be eliminated if possible. If it couldn't be eliminated, he said that it should be minimised.

(a) The risk manager has an important role to play in an organisation's risk management.
Required:
(i) Describe the roles of a risk manager. (4 marks)
(ii) Assess John Pentanol's understanding of his role. (4 marks)

(b) With reference to a risk assessment framework as appropriate, criticise John's advice that H&Z should withdraw from the activity that incurs Risk 3. (6 marks)

(c) Jane Xylene expressed a particular view about the value of risk management in H&Z Company. She also said that she wanted to see entrepreneurial risk takers.
Required:
(i) Define entrepreneurial risk and explain why it is important to accept entrepreneurial risk in business organisations; (4 marks)
(ii) Critically evaluate Jane Xylene's view of risk management. (7 marks)

(25 marks)

Dec 2010, Question 4

During the global economic recession that began in mid 2008, many companies found it difficult to gain enough credit in the form of short-term loans from their banks and other lenders. In some cases, this caused working capital problems as short-term cash flow deficits could not be funded.

Ultra-Uber Limited (UU), a large manufacturer based in an economically depressed region, had traditionally operated a voluntary supplier payment policy in which it was announced that all trade payables would be paid at or before 20 days and there would be no late payment. This was operated despite the normal payment terms being 30 days. The company gave the reason for this as "a desire to publicly demonstrate our social responsibility and support our valued suppliers, most of whom, like UU, also provide employment in this region." In the 20 years the policy had been in place, the UU website proudly boasted that it had never been broken. Brian Mills, the chief executive, often mentioned this as the basis of the company's social responsibility. "Rather than trying to delay our payments to suppliers," he often said, "we support them and their cash flow. It's the right thing to do." Most of the other directors, however, especially the finance director, think that the voluntary supplier payment policy is a mistake. Some say that it is a means of Brian Mills exercising his own ethical beliefs in a way that is not supported by others at UU Limited.

When UU itself came under severe cash flow pressure in the summer of 2009 as a result of its bank's failure to extend credit, the finance director told Brian Mills that UU's liquidity problems would be greatly relieved if they took an average of 30 rather than the 20 days to pay suppliers.

In addition, the manufacturing director said that he could offer another reason why the short-term liquidity at UU was a problem. He said that the credit control department was poor, taking approximately 50 days to receive payment from each customer. He also said that his own inventory control could be improved and he said he would look into that. It was pointed out to the manufacturing director that cost of goods sold was 65% of turnover and this proportion was continuously rising, driving down gross and profit margins. Due to poor inventory controls, excessively high levels of inventory were held in store at all stages of production. The long-serving sales manager wanted to keep high levels of finished goods so that customers could buy from existing inventory and the manufacturing director wanted to keep high levels of raw materials and work-in-progress to give him minimum response times when a new order came in.

One of the non-executive directors (NEDs) of UU Limited, Bob Ndumo, said that he could not work out why UU was in such a situation as no other company in which he was a NED was having liquidity problems. Bob Ndumo held a number of other NED positions but these were mainly in service-based companies.

Required:

(a) Define liquidity risk and explain why it might be a significant risk to UU Limited. (5 marks)

(b) Define risk embeddedness and explain the methods by which risk awareness and management can be embedded in organisations. (7 marks)

(c) Examine the obstacles to embedding liquidity risk management at UU Limited. (8 marks)

(d) Criticise the voluntary supplier payment policy as a means of demonstrating UU's social responsibility. (5 marks)

(25 marks)

Dec 2009, Question 4

After a major fire had destroyed an office block belonging to Saltoc Company, the fire assessment reported that the most likely cause was an electrical problem. It emerged that the electrical system had suffered from a lack of maintenance in recent years due to cost pressures. Meanwhile in the same week, it was reported that a laptop computer containing confidential details of all of Saltoc's customers was stolen from the front seat of a car belonging to one of the company's information technology (IT) mid-managers. This caused outrage and distress to many of the affected customers as the information on the laptop included their bank details and credit card numbers. Some customers wrote to the company to say that they would be withdrawing their business from Saltoc as a result.

When the board met to review and consider the two incidents, it was agreed that the company had been lax in its risk management in the past and that systems should be tightened. However, the financial director, Peter Osbida, said that he knew perfectly well where systems should be tightened. He said that the fire was due to the incompetence of Harry Ho, the operations manager, and that the stolen laptop was because of a lack of security in the IT department led by Laura Hertz. Peter said that both colleagues were useless and should be sacked. Neither Harry nor Laura liked or trusted Peter and they felt that in disputes, chief executive Ken Tonno usually took Peter's side. Both Harry and Laura said that their departments had come under severe pressure because of the tight cost budgets imposed by Peter.

Ken Tonno said that the last few years had been terrible for Saltoc Company and that it was difficult enough keeping cash flows high enough to pay the wage bill without having to worry about even more administration on risks and controls. Peter said that Harry and Laura both suffered in their roles by not having the respect of their subordinates and pointed to the high staff turnover in both of their departments as evidence of this.

Mr Tonno asked whether having a complete risk audit (or risk review) might be a good idea. He shared some of Peter's concerns about the management skills of both Harry and Laura, and so proposed that perhaps an external person should perform the risk audit and that would be preferable to one conducted by a colleague from within the company.

Required:

(a) Describe what embedding risk means with reference to Saltoc Company. (6 marks)

(b) Assess the ability of Saltoc's management culture to implement embedded risk systems. (8 marks)

(c) Explain what external risk auditing contains and construct the case for an external risk audit at Saltoc Company. (11 marks)

(25 marks)
