
CIMA

Strategic Case Study

February 2024

Mock Exam J
Answers

To gain maximum benefit, do not refer to these answers until you have completed the mock questions and submitted them for marking.

CIMA STRATEGIC LEVEL CASE STUDY (FEBRUARY 2024)

© Kaplan Financial Limited, 2024


The text in this material and any others made available by any Kaplan Group company does
not amount to advice on a particular matter and should not be taken as such. No reliance
should be placed on the content as the basis for any investment or other decision or in
connection with any advice given to third parties. Please consult your appropriate
professional adviser as necessary. Kaplan Publishing Limited and all other Kaplan group
companies expressly disclaim all liability to any person in respect of any losses or other
claims, whether direct, indirect, incidental, consequential or otherwise arising in relation to
the use of such materials.
All rights reserved. No part of this examination may be reproduced or transmitted in any
form or by any means, electronic or mechanical, including photocopying, recording, or by
any information storage and retrieval system, without prior permission from Kaplan
Publishing.

KAPLAN PUBLISHING
MOCK EXAM J ANSWERS

Task 1

Email

To: Ewa Durska, CEO
From: Senior Finance Manager
Subject: IT Security alert

The purpose of this email is to address the actions Robobryce could take in response to the
alleged IT hack, to explain any strategic implications that these actions might have, and to
set out objectives for Sally Tang for the next 24 hours.

Strategic options

There are a number of actions that Robobryce could take in response to the alleged IT hack.

Firstly, it could choose to do nothing. We have only just been notified of the alleged hack,
and so it has not yet been proven whether the claims made by Genesys are true or false. It is
possible that Sally Tang’s fears are unfounded, and that both our operations, and those of
our AMR customers, will not be impacted.

This choice of response (i.e. doing nothing) would have the strategic advantage of avoiding
any adverse publicity over Robobryce’s IT security. However, if the claims are later found to
be true, and it were proven that the Board chose to do nothing in response, the negative
impact on our reputation could be considerable. I would therefore advise that this option is
not pursued.

Secondly, Robobryce could choose to contact all of its customers who have been supplied
with AMRs and notify them of the possible disruption to their operations if Genesys
activates its hack. This would have the strategic advantage of demonstrating a proactive
response to the threat and, if the overall impact of the threat is contained, could increase
public confidence in our company and its products. This would be the result of being seen to
act swiftly and responsibly to protect client interests in the face of a potential, but as yet
unproven, threat.

However, there is also the risk to immediate revenues; clients who are considering placing
an order with Robobryce may delay until the issue is fully resolved, or even choose to order
from a competitor. If this goes on for an extended period of time, there could be a negative
impact on the company share price, at a time when the share price is already at a relative
low. This could cause the Robobryce shareholders to demand answers over the Board’s
decisions.

Thirdly, Robobryce could suspend all sales of AMRs until the threat has been fully dealt with.
This would no doubt become a public issue; it would be difficult to keep the story out of the
media, and so there would probably be a fall in the company’s value as a result.
Interestingly, once the issue is resolved, public confidence in Robobryce might have
increased as a result of perceived responsible behaviour; investors might be impressed that
Robobryce is prepared to lose revenue even though the level of threat is unproven. The
downtime would also allow all of the company’s IT resources to be used in identifying the
source of the threat, assessing the extent, and upgrading defences against any possible
repeat incident in the near future.


If Robobryce chooses to announce to the public that it has been the target of a suspected
ransomware attack, it should issue a full press release – with associated announcements on
its website and social media channels – in order to try to control the story. It will want to
give as positive an impression as it can over the matter, so as not to cause uncertainty and
panic amongst those who might be affected.

The final option would be to simply agree to Genesys’ demands immediately, and pay the
T$150 million ransom. This would have the advantage of preventing the issue becoming
public knowledge in the short term, and should result in no negative impact for customers.
However, it would consume almost all of the company’s current cash reserves, and may
even increase the threat of repeat actions in the future (if Genesys sees Robobryce as a soft
target that agrees to threats immediately, it will have every incentive to target us again in
the future). For this reason, this option is not recommended.

Objectives for Sally Tang

Sally Tang should be set a deadline by which she and her team can reach a tentative
conclusion about the cause of this incident, and report accordingly to the Board. This
deadline needs to be late enough that it allows a full assessment, but also soon enough
that the Board can start to take the appropriate action. It should be made clear that meeting
this deadline is crucial, and the Board should also indicate the questions to which it will be
expecting answers. The Board may also want to clarify which is most important in its opinion
– speed of response or accuracy of information.

The Board also needs to be informed of which customers might be affected if the hack were
to be activated. For example, does it relate to all AMR systems that have been delivered
over the years to customers, or might it only be the software systems of the more recent
products? In this way, Robobryce can be selective over which customers it decides to
contact to alert them of this issue, and not have to warn every single one. This would
minimise, to an extent, any negative reaction from customers.

Sally Tang should be asked to produce a report as to the nature of the attack and the
methods used by the perpetrators, with as much accurate detail as possible. Specific criteria
should be set for the standard of evidence that Sally should meet in collating and
interpreting the facts. This is because the report will be used not only for internal purposes
to make the company’s systems more robust in the future, but could also form the basis of a
prosecution in case the perpetrators at Genesys are ever caught and brought to trial.

Finally, Sally Tang should be tasked with preparing a plan for preventing a recurrence of this
ransomware attack that would stand up to scrutiny by an independent expert or consultant.
The quality of the plan would be assessed based on its ability to offer a proportionate and
cost-effective response to each of the weaknesses identified in the current system. Sally
Tang should be prepared to accept responsibility for this plan, even if she delegates
elements of its preparation to members of her IT Security team.


Marking guide:

(a) Actions Robobryce might take with strategic implications = 20 marks

Trait: Identify actions
Level      Descriptor                                                         Marks
           No rewardable material                                             0
Level 1    Identifies some actions                                            1-3
Level 2    Explains briefly main strategic actions                            4-6
Level 3    Explains fully main strategic actions                              7-10

Trait: Strategic implications
Level      Descriptor                                                         Marks
           No rewardable material                                             0
Level 1    Identifies implications                                            1-3
Level 2    Explains briefly main strategic implications                       4-6
Level 3    Explains fully main strategic implications, with justification     7-10

(b) Recommend objectives for Sally Tang for first 24 hours = 13 marks

Trait: Objectives
Level      Descriptor                                                         Marks
           No rewardable material                                             0
Level 1    Identifies possible objectives                                     1-2
Level 2    Discusses relevant objectives                                      3-4
Level 3    Discusses a full range of relevant objectives                      5-7

Trait: Justification
Level      Descriptor                                                         Marks
           No rewardable material                                             0
Level 1    Identifies criteria for selection                                  1-2
Level 2    Justifies objectives                                               3-4
Level 3    Offers a clear and full justification for objectives               5-7


Task 2

Email

To: Ewa Durska, CEO
From: Senior Finance Manager
Subject: Data breach

Share price impact

Market efficiency

In an active and well-regulated stock exchange (like the one in Tessland), share prices
generally move in response to information. Good news about a company generally pushes
the share price up, and bad news leads to the share price falling.

In a perfectly (strongly) efficient market the prices would move in response to any
information at all – even private information. Strong form efficiency is a theoretical idea that
doesn’t usually apply in the real world. Most real world stock markets are semi-strongly
efficient, which means that share prices only respond to information that is made public.

Application to Robobryce

The markets have always been aware that Robobryce is exposed to the threat of a breach of
its IT systems, because IT risks appear in the Principal Risks document. Therefore, the
current share price already reflects that threat.

It could be argued that the share price will not be affected in the long term because the
recent events simply confirm that the market’s concerns were valid. The share price will
undoubtedly dip in the short term, but that will not necessarily be a permanent decrease.

The nature and extent of the data breach could reveal some fresh information to the
markets and that could have a permanent impact on the share price.

The markets might have assumed that any serious breach would be countered by IT security
and that the threat was minimal. The fact that all AMRs supplied by Robobryce in the last
two years could be disabled may suggest that the threat to IT systems is more serious than
had been anticipated and that potential hackers are more resourceful than had been
thought. The nature and extent of this attack could undermine the market’s confidence in IT
security and could lead to a significant and long-term decrease in the share price of
Robobryce and all companies that depend on IT in this way.

Paradoxically, the ransomware attack could serve to reassure the markets, depending on
Robobryce’s handling of this potential crisis. If the company takes swift and effective action
and manages to reassure users that everything is under control then the markets may decide
that the threat of a systems hack is less severe than had first been thought. The markets may
decide that IT breaches are specific risks that can be addressed by proper diversification and
that there is no need to seek a higher rate of return because of this potential risk.

The share price is unlikely to rise, but it may recover from initial concerns and return to its
previous equilibrium level.


The response of Robobryce’s customers to this crisis will also have an impact on the share
price in the long term. The inevitable adverse publicity and expressions of irritation by
customers are not, in themselves, a cost to Robobryce because they do not directly affect cash flows.
The share price will only respond if customers decide to stop buying AMRs, affecting future
revenues for Robobryce, or if Robobryce is forced to compensate customers by offering
refunds and / or replacement AMRs.

In the short term, those concerns will create uncertainty and that could depress the share
price, but the share price will hopefully recover in the medium to long term when Robobryce
addresses the concerns and, hopefully, manages to eliminate them.

Criticism of the Board


The responsibility for ensuring the stability and security of a company ultimately lies with the
Board. In the context of the recent cyber-attack at Robobryce, the Board holds a significant
level of accountability for overseeing cybersecurity measures and managing risks related to
cyber threats within the organisation.

The Board holds the primary responsibility for setting strategic direction and ensuring
implementation throughout the company. While it is common to delegate tasks to lower
management levels, these managers operate within the framework established by the Board
and implement the decisions made by the Board. Any breach of controls or systems can be
traced back to the Board's oversight, irrespective of the sophistication of the breach.

Stakeholders often possess heightened expectations regarding the effectiveness of control
systems, particularly in the realm of IT security.

The Board has listed IT as number four in the principal risks; it may be that stakeholders
would consider this a higher priority. At present, there is no dedicated IT director at
Robobryce. This may be considered an oversight of the Board, and a sign that not enough
attention has been given to the severity of cyber security.

Users affected by the breach may suffer losses and seek compensation, potentially holding
the Board responsible.

In the public eye, blaming the breach on poor governance, particularly in terms of a lax
control environment, might gain traction. Media coverage often focuses on relatable human
aspects, such as the harm caused to victims, rather than delving into complex discussions on
IT security.

There have been weaknesses in Robobryce's control systems that allowed the hackers to
gain access and that could invite criticism toward the Board for not addressing such threats.

The challenge lies in foreseeing and managing risks, even those with uncertain forms, such
as hacking. While it may be argued that precise predictions were challenging, seeking advice
from IT experts could have potentially mitigated these risks.

Robobryce now needs to communicate with all customers involved, as suggested by Sally,
so that they can ensure the security of their own systems and mitigate the losses. Any
varied messaging to users regarding the breach intensifies criticism of its governance.
Inconsistencies in the information provided to affected and unaffected users might generate
confusion and frustration among stakeholders and the media, potentially amplifying
pressure on the directors.

If there is no immediate release of information, as suggested by Filiz Yildiz, this risks further
security issues and may exacerbate public distrust regarding the company's governance in
handling the breach.


Marking guide:

(a) Long term impact on share price = 17 marks

Trait: Information
Level      Descriptor                                                         Marks
           No rewardable material                                             0
Level 1    Identifies understanding of data breach as an issue.               1-3
Level 2    Discusses the impact of data breach on future perceptions          4-6
           of the company.
Level 3    Offers a clear and comprehensive discussion of the impact          7-9
           of data breach on future perceptions of the company.

Trait: Uncertainty
Level      Descriptor                                                         Marks
           No rewardable material                                             0
Level 1    Identifies understanding of risk as an issue.                      1-3
Level 2    Discusses the impact of data breach on future perceptions          4-6
           of risk.
Level 3    Offers a clear and comprehensive discussion of the impact          7-9
           of data breach on future perceptions of risk.

(b) Criticism over governance = 16 marks

Trait: Responsibility
Level      Descriptor                                                         Marks
           No rewardable material                                             0
Level 1    Explains the need to accept responsibility.                        1-2
Level 2    Discusses the Board’s responsibilities.                            3-5
Level 3    Offers a clear and comprehensive discussion of the Board’s         6-8
           responsibilities.

Trait: Perceptions
Level      Descriptor                                                         Marks
           No rewardable material                                             0
Level 1    Identifies the link between perceptions and reality.               1-2
Level 2    Discusses the link between perceptions and reality.                3-5
Level 3    Offers a clear and comprehensive discussion of the link            6-8
           between perceptions and reality.


Task 3

Email

To: Ewa Durska, CEO
From: Senior Finance Manager
Subject: Samson Consultants

Samson Consultants’ claim of prevention of access


Samson Consultants state they will design and install a security system aiming to prevent
unauthorised access to Robobryce’s data. While they may implement robust security
measures, it is essential to understand that absolute prevention of unauthorised access is
challenging in the ever-evolving landscape of cyber threats. No system can guarantee
complete immunity from breaches, and they may have exaggerated this claim as they have
an incentive to sell their service.

While the consultants promise to prevent any further unauthorised access, it is crucial to
approach this claim realistically. Cybersecurity is an ongoing process that requires constant
vigilance and adaptation to emerging threats, and new hardware and software is continuously
being developed to assist hackers in breaching systems. The claim of absolute
prevention might be overstated; instead, a commitment to minimising risks and promptly
addressing any breaches might be a more realistic promise.

While their consultants come from military and intelligence service backgrounds, checks are
needed to assess if they have expertise with preventing data breaches in corporate
environments like Robobryce's. Experience dealing with similar incidents and successful
interventions in preventing future breaches is essential for substantiating their claim.

Samson Consultants state that they will conduct penetration tests to identify vulnerabilities
and will remedy any findings. It is important that they not only identify weaknesses but also
efficiently and effectively mitigate them to reduce the risk of future breaches. Penetration
testing is likely to identify weaknesses caused by Robobryce’s employees, and some of those
findings will be easier to remedy, for instance by ensuring all the users are fully trained. It is
unlikely that this testing will uncover all breaches in the IT security, as some are designed to
stay undetected and never be uncovered.

Samson Consultants claim that they will prevent any further access to Robobryce’s software. However,
they can only deal with threats that they are aware of, and therefore the consultants will
need to be fully up to date with any specific threats as they develop so that they can protect
the systems. This is unlikely, as often the threats are not discovered until the breach has
happened and are not always publicly available. Having said that, the consultants may
employ ethical hackers who will be knowledgeable about new developments.

It would be crucial for the consultants to delve deeper into potential cyber issues that may
not be immediately detected and addressed, such as social engineering, a supply chain
attack or employee incompetence. They then need to understand how they will mitigate
these risks. It would be highly unlikely that they will be able to eliminate the risks altogether.


Conducting an annual review of the security system is unlikely to be sufficient as the only
proactive measure. Cyber threats are rapidly evolving and therefore the threats should be
continuously monitored, and a system review may be more effective taking place either
quarterly or every six months.

When considering outsourcing, the Board needs to consider the expertise gained against the
continuous cost and the risks of outsourcing. As Robobryce depends heavily on IT and already
has systems in place to manage the IT risks, it may be more appropriate to recruit a suitably
skilled IT director and develop an in-house team.

Currency risks

Different types of risk

The three types of currency risk are transaction risk, economic risk and translation risk. If it
enters the contract with Samson Consultants, Robobryce will face transaction risk (the risk
that the exchange rate moves between agreeing to make the payment and the payment
date) and economic risk (a longer-term risk caused by currency movements over a number
of years).

Translation risk relates to foreign assets and liabilities, so would not be relevant here.

Application to the Robobryce / Samson agreement

Robobryce will have to commit to paying:

• a one-off amount of S$ 600 million (approximately T$ 200 million if exchange rates
stay constant) in three months, and
• an annual amount of S$ 240 million (approximately T$ 80 million) starting in about
16 months’ time, and
• a monthly amount of S$ 75 million (approximately T$ 25 million) starting in about 4
months’ time.

These amounts are payable in S$, so if the exchange rate between the S$ and our currency,
the T$, changes, the amounts will be either more or less expensive than we have forecast.
The absolute best way of eliminating the transaction and economic risk related to all these
payments would be to negotiate with Samson and to get them to invoice in T$ instead (thus
eliminating the risk from our point of view by taking the risks on themselves). It is unlikely
that they would agree to this!

Economic risk

The fact that the Southland economy is weak suggests that the S$ currency is likely to
weaken (economic risk). If it does then future payments are likely to decline when converted
into T$ and so there is a greater likelihood of an upside risk than a downside. The weaker
currency may encourage exports and so it could be desirable for Southland’s Government to
allow the exchange rate to remain in Robobryce’s favour. Unfortunately, there could also be
a risk that the Southland Government will act to strengthen its currency in order to promote
confidence and that could lead to a sudden increase in the cost of settling these invoices.
Therefore, it may be reckless for Robobryce to simply accept these risks in the hope that
they are all upside.


Transaction risk

The invoice for S$ 600 million that is due in three months is a significant amount that is
subject to transaction risk. Therefore, it is worth hedging in order to reflect the fact that
even a small percentage strengthening in the S$ could lead to a substantial additional cost in
absolute terms. The cheapest and easiest way to hedge this risk would be to use a forward
contract to commit Robobryce to an agreed payment in T$ for the S$ that it will require in
three months. That would cost Robobryce the opportunity to benefit from any upside in the
event that the S$ weakens during the three months. Robobryce could alternatively purchase
a call option that would give it the right, but not the obligation, to buy S$ at an agreed price.
Options have the disadvantage of being priced according to market expectations of future
movements. The premium paid for the option would be more expensive if Robobryce
expected to benefit from exercising it.

The monthly and annual payments are ongoing commitments and so they are more difficult
to hedge in the longer term. The cost of active hedges using financial instruments is likely to
increase in line with market expectations and so it may not prove cost-effective to manage
the transaction risk on each payment separately.

For the monthly payments, it would probably be best to meet the payments by converting
T$ at spot on a monthly basis, in the hope that any fluctuations cancel over time.

The risks associated with the annual payments should be evaluated on an annual basis and a
decision should be made as to whether to hedge on the basis of expected volatility over, say,
the three months prior to the settlement date.


Marking guide:
(a) Evaluate the claim by Samson = 20 marks

Trait: Consultant
Level      Descriptor                                                         Marks
           No rewardable material                                             0
Level 1    Identifies the consultant’s interest.                              1-3
Level 2    Discusses the consultant’s interest in making such a claim.        4-6
Level 3    Offers a clear and full discussion of the consultant’s interest    7-10
           in making such a claim.

Trait: Emerging
Level      Descriptor                                                         Marks
           No rewardable material                                             0
Level 1    Identifies the residual vulnerabilities and emerging threats.      1-3
Level 2    Discusses the residual vulnerabilities and emerging threats.       4-6
Level 3    Offers a clear and full discussion of the residual                 7-10
           vulnerabilities and emerging threats.

(b) Currency risks = 13 marks

Trait: Risks
Level      Descriptor                                                         Marks
           No rewardable material                                             0
Level 1    Identifies the payment pattern as an issue.                        1-2
Level 2    Discusses the implications of the pattern of payments.             3-5
Level 3    Offers a full discussion of the implications of the pattern of     6-9
           payments.

Trait: Recommendation
Level      Descriptor                                                         Marks
           No rewardable material                                             0
Level 1    Identifies a response.                                             1
Level 2    Identifies a relevant response.                                    2-3
Level 3    Identifies and justifies a relevant response.                      4


SUMMARY MARKING GUIDE

                       CORE ACTIVITY
            A        B        C        D        E        TOTAL
TASK 1      20       13       -        -        -        33
TASK 2      -        -        17       -        16       33
TASK 3      -        13       -        20       -        34
TOTAL       20       26       17       20       16       100

Blueprint   15 - 25  15 - 25  15 - 25  15 - 25  15 - 25
