FACULTY OF BUSINESS AND MANAGEMENT SCIENCES
Instructions
1. Marks for each question are indicated. Budget your time accordingly.
2. Borrowing of calculators or use of cell phones in the examination room is
strictly prohibited.
3. You are strongly advised to carefully read ALL the question requirements
before attempting the question concerned (that is, all parts and/or sub-questions).
QUESTION ONE
Identify and explain the four broad classes of risk control available to organizations that can be
deployed to treat risks.
ANSWER
The four broad classes of risk controls are explained below:
Preventive
– Most controls implemented in organizations are preventive controls, which are designed
to reduce the possibility of undesirable outcomes. A common example is separation of
duties. To prevent irregularities in purchasing departments, for example, the person
responsible for placing orders for required goods and services should not be the one who
authorizes the payment of invoices. Similarly, a checkout operator is not the person who
checks till contents at the end of each day.
Another preventive control is to limit specified actions only to authorized personnel. For
example, only suitably qualified and trained people would be permitted to sign off designs,
authorize price quotations or perform certain operations. Unwanted publicity can be
prevented by allowing media to access only trained press officers.
At a higher level, preventive controls could be strategic decisions to avoid certain types of
activity. Examples would be a government deciding not to include nuclear power in its
national energy policy or a property insurer excluding risks from floods.
Corrective
– Corrective controls are designed to correct undesirable outcomes which have already
occurred. They are a means of recovery against loss or damage. An example would be
contract terms that allow a supplier to recover goods that have not yet been paid for from a
customer whose business is in receivership or administration. Continuity planning is
another corrective control. Organizations plan for business continuity and recovery after
events which they could not prevent.
Insurance is a form of corrective control as it facilitates financial recovery when an
insured risk materializes. Insurance transfers the consequences of risk to the insurer. Risks
and/or consequences can be transferred to other organizations by contract, for example
when operations are outsourced. Whether such measures are corrective or preventive will
depend on precise wording of the contract and its interpretation under governing law.
Directive
– Directive controls are instructions or regulations designed to ensure that a particular
outcome is achieved. They are important when people’s behaviour can avoid an
undesirable event. Directive controls are commonly associated with health, safety and
security. Examples are requirements to wear protective clothing while performing
dangerous duties, or that staff are trained to certain skill levels before being allowed to
work unsupervised.
Checklists, worksheets and test schedules are directive controls. They are designed to
ensure all critical aspects of a task have been properly addressed and completed. Such
instructions are particularly important in assembly, maintenance, testing and repairs of
components of systems where utmost reliability is essential. The aviation industry, for
example, relies on correct and thorough engine testing and maintenance to keep its aircraft
flying. Other examples would include nuclear power and oil and gas exploration.
Detective
– Detective controls are designed to identify unwanted occurrences that have already
happened and are, therefore, only appropriate when it is possible to accept the loss or
damage incurred. Stock or other asset checks are examples of detective controls. They
detect theft or similar anomalies. Reconciliation is another technique. Reconciling
authorized payments with bank statements will detect unauthorized transactions.
Audits, inspections and similar quality controls are detective. They look for causes of
defects in products and procedures, with a view to introducing changes in the future.
Accident investigations and ‘black box’ analyses following aviation disasters are other
detective examples.
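The preventive and detective classes above can both be shown in working form. The following Python is an added example, not part of the exam paper: a small purchasing ledger enforces the separation-of-duties rule (the person who places an order may not authorize payment of its invoice), and a reconciliation routine compares the authorized payments against bank statement lines, flagging unauthorized transactions, amount mismatches and payments that never cleared. All names, order references and amounts are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the exam paper): a purchasing ledger with a
# preventive separation-of-duties check and a detective reconciliation
# of authorized payments against a bank statement. All data is constructed.


class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""


@dataclass
class PurchaseOrder:
    po_id: str
    ordered_by: str
    amount_cents: int              # money as integer cents avoids float rounding
    approved_by: Optional[str] = None


class PurchasingLedger:
    """Orders and invoice approvals; the approver may never be the orderer."""

    def __init__(self) -> None:
        self.orders: dict[str, PurchaseOrder] = {}
        self.authorized_payments: dict[str, int] = {}   # po_id -> cents

    def place_order(self, po_id: str, user: str, amount_cents: int) -> None:
        self.orders[po_id] = PurchaseOrder(po_id, user, amount_cents)

    def approve_invoice(self, po_id: str, user: str) -> None:
        po = self.orders[po_id]
        # Preventive control: separation of duties between ordering and paying.
        if user == po.ordered_by:
            raise ControlViolation(
                f"{user} placed {po_id} and may not authorize its payment")
        po.approved_by = user
        self.authorized_payments[po_id] = po.amount_cents


def approval_blocked(ledger: PurchasingLedger, po_id: str, user: str) -> bool:
    """True if the separation-of-duties control rejected the approval."""
    try:
        ledger.approve_invoice(po_id, user)
    except ControlViolation:
        return True
    return False


def reconcile(authorized: dict[str, int],
              statement: list[tuple[str, int]]) -> dict[str, list]:
    """Detective control: flag statement lines with no matching authorization,
    lines whose amount differs, and authorized payments that never cleared."""
    report: dict[str, list] = {"unauthorized": [], "mismatched": [], "uncleared": []}
    cleared = set()
    for ref, amount in statement:
        if ref not in authorized:
            report["unauthorized"].append((ref, amount))
            continue
        cleared.add(ref)
        if authorized[ref] != amount:
            report["mismatched"].append((ref, authorized[ref], amount))
    report["uncleared"] = sorted(set(authorized) - cleared)
    return report


def run_example() -> dict[str, list]:
    """Run both controls over constructed data; return the reconciliation report."""
    ledger = PurchasingLedger()
    ledger.place_order("PO-1001", "alice", 49_950)
    ledger.place_order("PO-1002", "alice", 12_500)
    ledger.place_order("PO-1003", "carol", 8_000)

    # alice tries to approve her own order and is blocked by the preventive control
    assert approval_blocked(ledger, "PO-1001", "alice")

    ledger.approve_invoice("PO-1001", "bob")
    ledger.approve_invoice("PO-1002", "bob")
    ledger.approve_invoice("PO-1003", "dave")

    # Constructed bank statement lines: (reference, amount in cents)
    statement = [
        ("PO-1001", 49_950),   # matches the authorized amount
        ("PO-1002", 12_000),   # amount differs from what was authorized
        ("PO-9999", 3_000),    # no authorization on file at all
    ]
    return reconcile(ledger.authorized_payments, statement)


if __name__ == "__main__":
    for category, items in run_example().items():
        print(category, items)
```

Running it reports `PO-9999` as an unauthorized transaction, `PO-1002` as an amount mismatch (authorized 12,500 cents, cleared 12,000) and `PO-1003` as authorized but not yet on the statement; each of those is a lead for the kind of investigation the text describes, found only after the money moved, which is why reconciliation counts as detective rather than preventive.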
QUESTION TWO
(i) Define Enterprise Risk Management (ERM) and explain briefly its role.
(ii) Identify the five main benefits to an organization of implementing a successful ERM
framework.
(iii) Explain briefly the two key elements of a successful ERM system.
Answer
(i) The structure an organization sets up to control risk management across the whole of
the organization is known as enterprise risk management (ERM). As well as
being a framework to control risk management activities, ERM systems allow all the
risks involved in an organization to be looked at together and from different
perspectives. This is known as a holistic approach.
(ii) The benefits of a successful Enterprise Risk Management Framework to an
organization are:
- better informed strategic decisions;
- successful management of change and higher operational efficiency;
- organizations can expect more accurate financial reporting;
- reduced borrowing costs; and
- improved competitive advantage.
QUESTION THREE
Explain the five key steps of the risk management process that must take place.
- Evaluate risks.
- Decide what risk levels – both single and cumulative – are acceptable, and thereby
identify those risks that are at a level or frequency that is unacceptable to the
organization.
- Treat risks.
- Steps must be taken to control or limit the impact of those risks deemed unacceptable.
One or more of the following actions may be appropriate:
  - reduce likelihood and/or frequency;
  - reduce impact, whether it is human, operational or financial;
  - transfer the risk to another organization;
  - prepare for the incident by continuity planning.
QUESTION FOUR
(i) Off-balance-sheet assets are valuable items that are not always included in balance
sheet figures.
(ii) Four examples are:
- Intellectual assets are assets that consist of information rather than hard material things. This
includes not only documented information but also the information and knowledge
accumulated within a trained and experienced workforce, which is crucial to product or
service delivery. Intellectual assets embrace such things as licenses, enabling software,
patents, contracts, relationships with workforces and others, audit trails, research outputs,
credit ratings, recipes and current work.
- The reputation of, and confidence in, the organization. Even a non-profit-making
organization can have an equally important dependency on the value of its ‘brand’ or
reputation to maintain good and efficient working relationships with its service users.
- The network of critical suppliers, the relationships and the contracts. Without suppliers
the business would not be able to function.
- The distribution system and its relationships and contracts. The risk here relates to sales,
the lifeblood of organizations.
QUESTION FIVE
Identify three essential elements of a coherent management and procedural framework for risk
management to be effective in an organization:
Answer
The framework must be: organization-wide, an integral part of the organization and its culture;
and organized to allow for both audit and continuous change.
QUESTION SIX
As part of its process of risk management, an organization has identified a risk which is
unacceptable.
(i) Explain the three high level options available to the organization for controlling the
risk.
(ii) Explain how the organization could prepare for an unexpected significant loss
incident which could threaten the survival of the organization.
(iii) Explain how and why the risk management process should be monitored and
reviewed.
Answer
(ii) Continuity plans can be drawn up that will enable the organization to manage
itself through an incident in a way that avoids unacceptable
levels of damage.
Continuity planning is a process in which an organization anticipates an incident
and prepares a plan to manage the consequences so that the incident does not
threaten the survival of the organization.
This can be simple but very effective, e.g. backing up computer data frequently and
storing the back-up tapes off-site. Continuity planning can also be sophisticated and
expensive. It can include contracts for stand-by machinery and computers, standby
suppliers, detailed recovery plans and exercises for staff involved.
Continuity plans can prepare for a whole range of incidents, such as computer
failure, product recalls, kidnap, terrorism, fire, weather damage, major fraud and
aggressive media attention. They set out to requisition urgently needed resources,
ensure effective control of the management of the incident, organise recovery, and
ensure that crucial and urgent functions and credibility are maintained throughout.
Continuity plans will also set out procedures to collect costs and other data
necessary for any insurance recovery claim.
Non-physical controls can include effective staff recruitment and other procedures
that remove an unacceptable concentration of people risks. Some large
organizations will have a limit to the number of board members or key managers
travelling in one form of transport. Investors may demand to see succession
planning in an organization where they see an unacceptable dependency on one
senior executive. Manufacturers can decide that they would never source key
ingredients from a single supplier or country.
Throughout all these measures, employee awareness and training are vital risk tools.
As time passes without incident, risk awareness decreases and the perceived probability
of the risk is downgraded. People may discount risks entirely if past management has
been effective, and discontinue ongoing precautions. A public health issue illustrates
this point: do we continue with vaccination programs once a disease has been
eliminated?