
Risk Governance and Control 2024
Risk Management
Miss Faheema Dawood


Study material:
• Pre-reading
• Module
• Class notes/Slides
• Question Bank
• Objective Test

Study outcomes:
• Define and explain risk and related risk management items.
• Identify, discuss, interpret, analyse and assess risks faced by an organisation.
• Recommend and design controls that an organisation can put in place to mitigate overall and specific risks present in that organisation.
• Be able to apply the concepts of risk to any given scenario.
How the topic will be assessed
• Application-based question: a scenario will be given where the student will be required to identify the weaknesses, explain the risks resulting from the weaknesses and provide a mitigating control/risk response.
• Risk management integration with business cycles – NB!
Cycles and how they integrate
Cycles in a business:
1. Finance and Investment
2. Bank and Cash
3. Purchases and Payments
4. Production and Inventory
5. Revenue and Receipts
6. Payroll
Risk management and computers (application controls) cut across and integrate with all six cycles.
Introduction
• It is important to understand the difference between the following when attempting a risk management question:
• Objective – Something you are trying to achieve.
• Weakness (Trigger) – What is wrong. Example: When I study from home I am subjected to several hours of load shedding.
• Risk – What is the result of your weakness. Example: I will fall behind on my study schedule and have large sections to complete just before the test.
• Mitigating control/Risk response – What are you going to do to “fix” the weakness and make sure the risk does not materialise. Example: I will make use of the library on campus as they are equipped with generators.
Definitions
• Risk (good vs bad) – Risk is the possibility that an accident or a loss could occur, or that there is a threat as a result of an uncertainty. Risk also exists in respect of uncertainty regarding something good (for example, we might not have sufficient stock on hand).
• Risk Management – The process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of activities.
• Risk Assessment – The overall process of risk analysis and risk evaluation.
• Risk Analysis – Involves risk identification, risk description, risk estimation, risk analysis methods and techniques, and risk profiling.
• Risk Evaluation – The process of comparing the estimated risk against the risk criteria established by the organisation. This information will then be used to make decisions about the significance of risks to the organisation and whether each specific risk should be accepted or treated.
• Risk Treatment – The process of selecting and implementing measures to modify the risk. It includes, as its major element, risk control and mitigation.
Types of risks
• Risks internal to the organisation
• Risks external to the organisation
The two types of risk are not independent of each other – external risks can impact internal risks and vice versa.
Internal Risks
• Liquidity and cash flow – the risk that the organisation is unable to pay off its debts as they fall due, as a result of a shortage of cash, and therefore runs the risk of becoming insolvent (SAA)
• Accounting controls – the risk that the controls that should be in place to produce accurate financial statements are not in place (Steinhoff)
• Information systems – the risk that the information/computer system used by an organisation is not meeting the organisation’s specific needs (doctor consults)
• Recruitment – the risk that your organisation is not attracting and hiring the most competent/qualified/experienced staff (false credentials)
• Supply chain – the risk that the suppliers are not providing/delivering goods and services of the highest quality (ESKOM)
• Employees – the risk that employees do not come to work or they go on strike (mining sector)
• Products and services – the risk that your products/services become obsolete (desktops)
External Risks
Financial
• Interest rates – risk of fluctuation in interest rates (increase in rate)
• Foreign exchange – risk of fluctuation in exchange rates (increase/decrease in rate)
• Credit risk – risk that you may not recover your money from a third party you sold goods to on credit (loan that is not repaid)
Strategic
• Competition – risk that more and more competitors are selling the same products or offering the same services as you, and you must compete to stay ahead of the pack (Nike & Adidas)
• Customer changes – risk that customers suddenly have a decreased spending appetite, or they are seasonal spenders, or they are brand loyal and are not willing to change to your goods and services (Apple & Samsung)
• Industry changes – risk that your organisation may not be able to keep up with changes in the industry/the market (newspapers and magazines)
• Customer demand – risk that your organisation is no longer able to meet customer demand (online site crash)
Operational
• Regulations – risk of non-compliance with regulations applicable to the industry that your organisation falls under (restaurants & health and safety regulations)
• Board composition – risk of non-compliance with the Companies Act and King IV Code regarding composition of the board and its sub-committees
Hazard
• Contracts – risk that you are bound by contracts that no longer apply or are no longer necessary. For example, you may be bound by a lease agreement for property you do not need because you have moved to bigger premises.
• Natural events – also known as “Acts of God”. For example, if it doesn’t stop raining a mine cannot operate; therefore all operations come to a halt and profits automatically decline.
• Suppliers – risk that your suppliers can no longer provide you with the goods or services that you need (ESKOM’s effect on small business)
• Environment – risk that your organisation’s processes are harmful to the environment and may result in fines and penalties (disposing of waste chemicals in a nearby river)
• Politics – political instability can very easily have a negative impact on the economy (interest and exchange rates) and therefore an indirect impact on your business (war)
Responsibility of risk management – Who will manage the risk?
Board of directors (ultimate responsibility):
• Operate at strategic level (policy setting)
• Develop policy and plan (document)
• Incorporate in board charter
• Report on effectiveness of the system in the integrated report / distribute in the company
• Induction – incorporate risk governance
• Review implementation once a year
• Determine risk tolerance / appetite
• Appoint a risk and opportunity committee
Management:
• Design, implement and monitor the risk management plan
• Execute risk strategy
• Integrate risk into day-to-day activities
• Appoint a Chief Risk Officer
How will risks be managed?
Risk assessment:
• Ongoing and formal, where management will prioritise key risks
• Involves risks affecting:
  o Income streams
  o Critical dependencies of the business
  o Sustainability
  o Legitimate interests of stakeholders
• Includes risk analysis and evaluation
• Critically analyse and evaluate the risks by considering the following:
  o Name of the risk – What can we call the risk?
  o Scope of the risk – What is the actual risk? A description of what the risk is.
  o Nature of the risk – Type of risk: is it internal/external, and is it financial, economic, compliance etc.?
  o Stakeholders – Who are the stakeholders that have been affected by this risk, and why?
  o Quantification of risk – What are the significance and probability of the risk?
  o Risk tolerance or appetite – What is the risk tolerance and the risk appetite?
Quantifying Risk
Likelihood of occurrence for hazards (assessment, description, indicators):

High – Probable: likely to occur in the next year, or more than 25% chance of occurrence.
  Indicators:
  • Potential of it occurring several times within the next ten years.
  • Has occurred within the last two years.
  • Typical of operations of this kind due to external influences.

Medium – Possible: likely to occur in ten years, or less than 25% chance of occurrence (but greater than 2%).
  Indicators:
  • Could occur more than once within the next ten years.
  • Can be difficult to control due to some external influences.
  • History of occurrence in the organisation.

Low – Remote: not likely to occur in ten years, or less than 2% chance of occurrence.
  Indicators:
  • Has not occurred in this country.
  • Would be surprising if it occurred.

Likelihood of occurrence for opportunities (assessment, description, indicators):

High – Probable: favourable outcome is likely to be achieved in the next year, or better than 75% chance of occurrence.
  Indicators:
  • Clear opportunity which can be relied on with reasonable certainty to be achieved in the short term, based on current management processes.

Medium – Possible: reasonable prospect of a favourable outcome in the next year, or 25 to 75% chance of occurrence.
  Indicators:
  • Opportunity which may be achievable, but requires careful management.
  • Might be categorised as a stretch goal in the business plan.

Low – Remote: some chance of a favourable outcome in the medium term, or less than 25% chance of occurrence.
  Indicators:
  • Possible opportunity which has yet to be fully investigated by management (lack of information).
  • The opportunity for which the likelihood of success is low on the basis of management resources currently being applied (lack of resources).
Class example for Risk Assessment
NH Dlamini Electrical Services is a wholesaler of electrical equipment. NH Dlamini offers their clients the option to buy equipment on credit; however, some of their clients that buy on credit do not pay on time.

Required:
• Identify and discuss the risks NH Dlamini Electrical Services are currently facing, using the following format: name of risk, scope of risk, nature of risk, stakeholders, quantification of risk, and risk tolerance and appetite.

Solution
• Name of risk: Slow paying debtors or clients
• Scope of risk: Clients may end up not paying their debt at all, which might result in a high amount of bad debt. This will result in the company writing off the debt, resulting in cash flow problems for the company.
• Nature of risk: Internal and external risk – liquidity and cash flow risk, financial risk, credit risk.
• Stakeholders: Suppliers, employees etc.
• Quantification of risk: High and probable. The company is already struggling with slow paying clients.
• Risk tolerance and appetite: Risk tolerance should be low, as the company needs their clients to pay on time to ensure they have cash flow.
How to manage risks?
Risk response:
• These are the controls you are going to implement;
• Consider and implement appropriate responses;
• The Committee of Sponsoring Organizations (COSO) has designed an internal control framework to help organisations implement “risk responses”.
Risk monitoring:
• Ongoing
• Defined in the risk management plan
Risk assurance:
• Assurance over the effectiveness of the process is given to the BOD, audit committee and stakeholders
• The risk plan is integrated into the daily activities of the company
• Internal audit reports on effectiveness
Risk disclosure:
• To all stakeholders
• Integrated report
COSO
Introduction
• COSO is pleased to present the updated Internal Control – Integrated Framework.
• COSO believes the Framework will enable organisations to effectively and efficiently develop and maintain systems of internal control that can enhance the likelihood of achieving the entity’s objectives and adapt to changes in the business and operating environments.
• The Framework reflects considerations of many changes in the business and operating environments over the past several decades, including:
  o Expectations for governance oversight;
  o Globalization of markets and operations;
  o Changes and greater complexities of business;
  o Demands and complexities in laws, rules, regulations, and standards;
  o Expectations for competencies and accountabilities;
  o Use of, and reliance on, evolving technologies; and
  o Expectations relating to preventing and detecting fraud.
Importance of COSO
• Internal control helps entities achieve important objectives and sustain and improve performance.
• COSO’s Internal Control – Integrated Framework enables organisations to effectively and efficiently develop systems of internal control that adapt to changing business and operating environments, mitigate risks to acceptable levels, and support sound decision making and governance of the organisation.
• The Framework assists management, boards of directors, external stakeholders, and others interacting with the entity in their respective duties regarding internal control without being overly prescriptive.
• It does so by providing both an understanding of what constitutes a system of internal control and insight into when internal control is being applied effectively.
Benefits for management and the BOD:
• A means to apply internal control to any type of entity, regardless of industry or legal structure, at the levels of entity, operating unit, or function;
• A principles-based approach that provides flexibility and allows for judgment in designing, implementing, and conducting internal control – principles that can be applied at the entity, operating, and functional levels;
• Requirements for an effective system of internal control by considering how components and principles are present and functioning and how components operate together;
• A means to identify and analyse risks, and to develop and manage appropriate responses to risks within acceptable levels and with a greater focus on anti-fraud measures;
• An opportunity to expand the application of internal control beyond financial reporting to other forms of reporting, operations, and compliance objectives; and
• An opportunity to eliminate ineffective, redundant, or inefficient controls that provide minimal value in reducing risks to the achievement of the entity’s objectives.
Benefits for external stakeholders:
Greater confidence:
• In the board of directors’ oversight of internal control systems;
• Regarding the achievement of entity objectives;
• In the organisation’s ability to identify, analyse, and respond to risk and changes in the business and operating environments;
Greater understanding:
• Of the requirements of an effective system of internal control; and
• That through the use of judgment, management may be able to eliminate ineffective, redundant, or inefficient controls.
Objectives in terms of COSO
The Framework provides for three categories of objectives, which allow organisations to focus on differing aspects of internal control:
• Operations Objectives: These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
• Reporting Objectives: These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognised standard setters, or the entity’s policies.
• Compliance Objectives: These pertain to adherence to laws and regulations to which the entity is subject.
Components of internal control
• COSO defined five components that would assist management in achieving these objectives.
• The Framework sets out seventeen principles representing the fundamental concepts associated with each component.
The five components are:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring Activities