
RUAHA CATHOLIC UNIVERSITY

FACULTY OF BUSINESS AND MANAGEMENT SCIENCES

DEPARTMENT OF ACCOUNTING AND FINANCE


BAFIT 2 – SECOND SEMESTER - A/Y 2021/2022
TEST I

RAF 233- RISK MANAGEMENT & ASSURANCE


DATE: 25TH APRIL, 2022 DURATION: 2 HOURS

Instructions
1. Marks for each question are indicated. Budget your time accordingly.
2. Borrowing of calculators or use of cell phones in the examination room is
strictly prohibited.
3. You are strongly advised to carefully read ALL the question requirements
before attempting the question concerned (that is all parts and/or sub-
questions).
QUESTION ONE

Identify and explain the four broad classes of risk control available to organizations that can be
deployed to treat risks.

ANSWER
The four broad classes of risk controls are explained below:
Preventive
– Most controls implemented in organizations are preventive controls, which are designed
to reduce the possibility of undesirable outcomes. A common example is separation of
duties. To prevent irregularities in purchasing departments, for example, the person
responsible for placing orders for required goods and services should not be the one who
authorizes the payment of invoices. Similarly, a checkout operator is not the person who
checks till contents at the end of each day.
Another preventive control is to limit specified actions only to authorized personnel. For
example, only suitably qualified and trained people would be permitted to sign off designs,
authorize price quotations or perform certain operations. Unwanted publicity can be
prevented by allowing the media access only to trained press officers.
At a higher level, preventive controls could be strategic decisions to avoid certain types of
activity. Examples would be a government deciding not to include nuclear power in its
national energy policy or a property insurer excluding risks from floods.
Corrective
– Corrective controls are designed to correct undesirable outcomes which have already
occurred. They are a means of recovery against loss or damage. An example would be
contract terms that allow a supplier to recover goods that have not yet been paid for from a
customer whose business is in receivership or administration. Continuity planning is
another corrective control. Organizations plan for business continuity and recovery after
events which they could not prevent.
Insurance is a form of corrective control as it facilitates financial recovery when an
insured risk materializes. Insurance transfers the consequences of risk to the insurer. Risks
and/or consequences can be transferred to other organizations by contract, for example
when operations are outsourced. Whether such measures are corrective or preventive will
depend on precise wording of the contract and its interpretation under governing law.
Directive
– Directive controls are instructions or regulations designed to ensure that a particular
outcome is achieved. They are important when people’s behaviour can avoid an
undesirable event. Directive controls are commonly associated with health, safety and
security. Examples are requirements to wear protective clothing while performing
dangerous duties, or that staff are trained to certain skill levels before being allowed to
work unsupervised.
Checklists, worksheets and test schedules are directive controls. They are designed to
ensure all critical aspects of a task have been properly addressed and completed. Such
instructions are particularly important in assembly, maintenance, testing and repairs of
components of systems where utmost reliability is essential. The aviation industry, for
example, relies on correct and thorough engine testing and maintenance to keep its aircraft
flying. Other examples would include nuclear power and oil and gas exploration.
Detective
– Detective controls are designed to identify unwanted occurrences that have already
happened and are, therefore, only appropriate when it is possible to accept the loss or
damage incurred. Stock or other asset checks are examples of detective controls. They
detect theft or similar anomalies. Reconciliation is another technique. Reconciling
authorized payments with bank statements will detect unauthorized transactions.
Audits, inspections and similar quality controls are detective. They look for causes of
defects in products and procedures, with a view to introducing changes in the future.
Accident investigations and ‘black box’ analyses following aviation disasters are other
detective examples.

QUESTION TWO
(i) Define Enterprise Risk Management (ERM) and explain briefly its role.
(ii) Identify the five main benefits to an organization of implementing a successful ERM
framework.
(iii) Explain briefly the two key elements of a successful ERM system.

Answer
(i) The structure an organization sets up to control risk management across the whole of
its operations is known as enterprise risk management (ERM). As well as
being a framework to control risk management activities, an ERM system allows all the
risks an organization faces to be looked at together and from different
perspectives. This is known as a holistic approach.
(ii) The benefits of a successful Enterprise Risk Management Framework to an
organization are:
- better informed strategic decisions;
- successful management of change and higher operational efficiency;
- organizations can expect more accurate financial reporting;
- reduced borrowing costs; and
- improved competitive advantage.

(iii) The two key elements of a successful Enterprise Risk Management
System are:
- A workable framework clarifying functional responsibilities and interactions,
and the systems for internal communication, reporting and control.
- A set of terms of reference for key staff applicable to the organization.
This clarifies individual functional responsibilities and individual
requirements for communication, reporting and control.

QUESTION THREE
Explain the five key steps of the risk management process that must take place.

The five key steps in the risk management process are:

- Establish the context.
  It is necessary to start with a clear understanding of the objectives,
  structure and culture of an organization before proceeding to identify risks. This
  process results in the development of a risk management philosophy on which all
  future risk management decisions will depend. In large organizations this
  philosophy will be defined and reflected in a formal risk policy document issued
  for the guidance of staff.
- Identify risks.
  Understand what threats there are. What might make it more difficult to achieve
  stated objectives, or indeed prevent achieving them altogether?
- Analyze risks.
  Understand the potential within those threats for damage to the organization and
  its stakeholders. Assess the likelihood, severity and frequency of damage from each
  of those threats:
  - Could it happen?
  - How bad would the loss or damage be?
  - How often could it happen?
- Evaluate risks.
  Decide what risk levels – both single and cumulative – are acceptable, and thereby
  identify those risks that are at a level or frequency that is unacceptable to the
  organization.
- Treat risks.
  Steps must be taken to control or limit the impact of those risks deemed unacceptable.
  One or more of the following actions may be appropriate:
  - reduce likelihood and/or frequency;
  - reduce impact, whether it is human, operational or financial;
  - transfer the risk to another organization;
  - prepare for the incident by continuity planning.
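The analyze, evaluate and treat steps above, carried through on a constructed risk register as an added worked example (not part of the exam paper or its answers). Each risk is analyzed as an expected frequency and an impact per incident, evaluated against both a single-risk limit and a cumulative limit, and then treated with one of the options listed, after which the residual register is evaluated again. The risks, the limits and the reduction factors attached to each treatment are assumptions made for the illustration.

```python
"""Added example (not from the exam paper): analyze / evaluate / treat applied
to a constructed risk register. The register entries, acceptability limits and
treatment factors are assumptions for the illustration."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    frequency: float   # expected incidents per year ("how often could it happen?")
    impact: float      # loss per incident, currency units ("how bad would it be?")

    @property
    def expected_loss(self) -> float:
        # Analyze step: annual expected loss = how often x how bad.
        return self.frequency * self.impact


def evaluate(register: List[Risk], single_limit: float,
             cumulative_limit: float) -> Tuple[List[str], bool, float]:
    """Evaluate step: names of risks whose own expected loss exceeds the
    single-risk limit, whether the whole register exceeds the cumulative limit,
    and the cumulative expected loss itself."""
    unacceptable = [r.name for r in register if r.expected_loss > single_limit]
    cumulative = sum(r.expected_loss for r in register)
    return unacceptable, cumulative > cumulative_limit, cumulative


def treat(risk: Risk, option: str) -> Risk:
    """Treat step: return the residual risk after one of the listed options.
    The reduction factors are assumed, not taken from the course text."""
    if option == "reduce_frequency":   # a preventive control halves occurrences
        return replace(risk, frequency=risk.frequency * 0.5)
    if option == "reduce_impact":      # continuity planning / standby kit limits damage
        return replace(risk, impact=risk.impact * 0.4)
    if option == "transfer":           # insurance leaves only a 10% excess with us
        return replace(risk, impact=risk.impact * 0.1)
    if option == "retain":             # accept the consequences as they are
        return risk
    raise ValueError(f"unknown treatment option: {option}")


def run() -> Dict[str, object]:
    """Constructed register: evaluate, treat the unacceptable risks, re-evaluate."""
    register = [
        Risk("warehouse fire", frequency=0.1, impact=2_000_000),
        Risk("key supplier failure", frequency=0.5, impact=300_000),
        Risk("petty cash theft", frequency=4.0, impact=500),
        Risk("data centre outage", frequency=1.0, impact=120_000),
    ]
    single_limit, cumulative_limit = 100_000, 250_000   # assumed risk appetite
    before, cum_exceeded_before, cum_before = evaluate(register, single_limit, cumulative_limit)
    plan = {
        "key supplier failure": "reduce_frequency",   # dual sourcing
        "data centre outage": "reduce_impact",        # off-site backups, standby machines
        "warehouse fire": "transfer",                 # insure
    }
    treated = [treat(r, plan.get(r.name, "retain")) for r in register]
    after, cum_exceeded_after, cum_after = evaluate(treated, single_limit, cumulative_limit)
    return {
        "unacceptable_before": before,
        "cumulative_exceeded_before": cum_exceeded_before,
        "cumulative_before": cum_before,
        "unacceptable_after": after,
        "cumulative_exceeded_after": cum_exceeded_after,
        "cumulative_after": cum_after,
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

Note that petty cash theft is retained untouched: its expected loss is tiny, and it is the cumulative figure, not any single entry, that shows the register as a whole was outside appetite before treatment. The re-evaluation is what the monitoring and review step in Question Six repeats over time.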

QUESTION FOUR

(i) Define off balance sheet assets.
(ii) Identify four off balance sheet assets and explain briefly why they must be protected.
Answer

(i) Off balance sheet assets are valuable items that are not always included in balance
sheet figures.
(ii) Four examples are:
- Intellectual assets are assets that are information rather than hard material things. This not
only includes information that is documented but the information and knowledge that lies
accumulated within a trained and experienced workforce and is crucial to the product or
service delivery. Intellectual assets embrace such things as licenses, enabling software,
patents, contracts, relationships with workforces and others, audit trails, research outputs,
credit ratings, recipes and current work.
- The reputation of, and confidence in, the organization. Even a non-profit-making
organization can have an equally important dependency on the value of its ‘brand’ or
reputation to maintain good and efficient working relationships with its service users.
- The network of critical suppliers, the relationships and the contracts. Without suppliers
the business would not be able to function.
- The distribution system and its relationships and contracts. The risk here relates to sales,
the lifeblood of organizations.

QUESTION FIVE

Identify three essential elements of a coherent management and procedural framework for risk
management to be effective in an organization.
Answer
The framework must be: organization-wide, an integral part of the organization and its culture;
and organized to allow for both audit and continuous change.

QUESTION SIX

As part of its process of risk management, an organization has identified a risk which is
unacceptable.

(i) Explain the three high level options available to the organization for controlling the
risk.
(ii) Explain how the organization could prepare for an unexpected significant loss
incident which could threaten the survival of the organization.
(iii) Explain how and why the risk management process should be monitored and
reviewed.

Answer

(i) Organizations have a number of choices available when setting out to
control an unacceptable risk. They can retain the risk, reduce the risk
down to acceptable levels or transfer the risk to insurers or other parties.
They can also prepare continuity plans that will enable them to manage
themselves through an incident in a way that will avoid unacceptable
levels of damage.
Retaining the risk:
An organization may consider that if a particular risk incident occurs, ‘worst case
scenario’ damage would not be sufficient to divert the organization from its
objectives and responsibilities. In addition this would not adversely affect
stakeholders’ expectations to an unacceptable level. If this is so, a decision could be
made to accept the consequences if a risk incident were to occur.
In large organizations, a group office may formally advise smaller units and
subsidiaries that losses that would be disproportionate to the size of the unit can be
carried cost effectively by group office. This allows the strength of group office to
be used as a cost-effective risk measure for the division. Care needs to be taken,
however, not to over expose minority shareholders in such a subsidiary.
When accepting exposures we also need to remember that an incident, say a
hurricane, can happen more than once in any accounting period.
Reducing the risk:
Prior to a loss occurring, an organization has plenty of opportunity to reduce the
chance of a risk incident happening.
Physical controls can include fire protection, health and safety measures, security
controls, duplication offsite of computer data etc. Organizations may choose to
move parts of the organization away from the rest and thus create two or more
independent risks. This can avoid a single point of failure concentration of risk that
would be a much more destructive exposure.
Non-physical controls can include effective staff recruitment and other procedures
that remove an unacceptable concentration of people risks. Some large
organizations will have a limit to the number of board members or key managers
travelling in one form of transport. Investors may demand to see succession
planning in an organization where they see an unacceptable dependency on one
senior executive. Manufacturers can decide that they would never source key
ingredients from a single supplier or country.
Throughout all these measures, employee awareness and training are vital risk tools.
As time passes without incident, risk awareness decreases and the probability
of the risk is downgraded. People may discount risks entirely if past management has
been effective and discontinue ongoing precautions. A public health issue illustrates
this point: do we continue with vaccination programs once a disease has been
eliminated?
Transferring the risk:
Insurance is often the first thought when transferring the risk of financial loss. It is a
valuable tool in transferring to another organization those exposures that cannot
safely be managed internally. There are, however, other ways of transferring risk.
An organization may create and fund a different legal entity, such as a captive
insurance company to carry its risks. Financial instruments such as derivatives can
also be used.
Lawyers will use contract wordings to move the consequences of a risk incident
from one contracting party to another. The directors, however, must still be sensitive
to the fact that the failure of that counterparty may still leave unacceptable
exposures at their own door.

(ii) Continuity plans can be drawn up that will enable them to manage
themselves through an incident in a way that will avoid unacceptable
levels of damage.
Continuity planning is a process in which an organization anticipates an incident
and prepares a plan to manage the consequences so that the incident does not
threaten the survival of the organization.
This can be simple but very effective, e.g. backing up computer data frequently and
storing the back-up tapes off-site. Continuity planning can also be sophisticated and
expensive. It can include contracts for stand-by machinery and computers, standby
suppliers, detailed recovery plans and exercises for staff involved.
Continuity plans can prepare for a whole range of incidents, such as computer
failure, product recalls, kidnap, terrorism, fire, weather damage, major fraud,
aggressive media attention. They set out to requisition urgently needed resources,
ensure effective control of the management of the incident, organise recovery, and
ensure that crucial and urgent functions and credibility are maintained throughout.
Continuity plans will also set out procedures to collect costs and other data
necessary for any insurance recovery claim.

(iii) Monitoring and reviewing:
All organizations must adopt some form of quality control. In large organizations,
particularly those in regulated business sectors, this may be an elaborate structure of
audit arrangements, reporting directly to the board on a regular basis. In small
organizations the owner/manager may personally assess the quality of work being
done and product being supplied. Manufacturing organizations invariably adopt
quality procedures, from regular goods inspections, through to quality circles and
continuous improvement initiatives.
Like any other established procedures, risk management procedures can be audited
to see if they are being followed and if they are achieving required objectives. Both
procedures and achievements can be tested against those of similar organizations
and against established standards to see if they can be improved; this comparison
is known as benchmarking.
Where an organization has dedicated risk professionals, they too will be interested
in quality control to assess risks involved in failing to meet either contractual or
statutory requirements in products and services supplied. There will inevitably be
some overlap of interest as risk professionals seek to manage quality risk, a task that
may have been allocated to others. Whether quality monitoring and control is
allocated to specialist functional groups or embedded in the responsibilities of
operational managers, ultimate responsibility lies with the directors of an
organization, who have to satisfy other stakeholders.
Organizations must establish effective internal controls to satisfy stakeholders of
their ability to properly manage risk. In some cases controls will be mandatory
requirements of regulators, or required by law to demonstrate the existence of
adequate corporate governance. Alignment with the international standard ISO 31000,
which provides guidelines rather than certifiable requirements, would be regarded as
a suitable benchmark against which risk control systems could be measured.
