262 Karl Kling Building 3rdFloor, Madiba Street, Pretoria Central

“We do not make excuses but results” DISTINCTIONS ONLY

RSK4801
January/February, 2015
Exam Solutions

Cell; 073 939 5798

Email address; elishatutorials@gmail.com
Question 1

You have recently been appointed as Chief Risk Officer for SPEND Ltd. Your first brief
received from the Chair of the Risk Committee is to review the risk management framework
with regard to the three lines of defence model, the classifications of risks and an appropriate risk
management process.
a. Argue the three lines of defence model and make a recommendation of whether SPEND
Ltd should adopt the model.(10)

Answer:
a. Three lines of defence (Refer to Figure 3.1 in Blunden and Thirlwell, 2013:45 for more
details)

First line of defence: Business line management

Management is responsible for the day-to-day operations of the company. Risk management
should be embedded in the processes and daily activities.

Second line of defence: Oversight (Risk management, HR, Finance, IT, Compliance)
Risk management should be independent of the day-to-day operations and should assist
management with the identification, evaluation, control, financing, monitoring, and reporting of
risk. Responsible for the development of centralised policies and standards, risk management
processes and controls; and monitor and report on risk.

Third line of defence: Independent assurance

The assurance providers should be independent from the business and management functions.
The assurance providers consist of internal audit and external audit (You also need to explain
briefly the role played by internal and external audit in order to score more marks).

One of the benefits of adopting the three lines of defence model is that it is aligned with leading
international risk management practice, complies with codes on corporate governance.

b. Evaluate the classification of risks used by SPEND Ltd and recommend a more
appropriate classification. (5)

Answer:
SPEND LTD classified risks in terms of financial and business risks. Financial risks were
classified as credit, liquidity, and capital risk. The business risk category is too broad and
therefore SPEND Ltd does not have a definition for operational risk. The company does not have
an operational risk taxonomy, policy framework or process which makes it difficult to classify
losses and design appropriate control measures and risk financing techniques.
The benefits of adopting the risk classification as per the definitions used in the banking (Basel
II) and insurance (Solvency II) industries will enable SPEND Ltd to compare events, losses and
potential losses with other firms and industries, and assist with the implementation of an
operational risk management framework.
c. Argue an appropriate risk management process for implementation by SPEND
Ltd. (15)

Answer:
Risk management should start with the analysis of the overall business strategy and objectives of
the organisation and subsequent changes to the strategy should also be considered and made
where necessary. An operational risk management framework also enables the practical
implementation of governance. Corporate governance provides an over-arching organisational
structure within the organisation’s culture and also establishes the three lines of defence i.e. line
management, risk management and the independent assurance providers.

The operational process can take many forms and the frame most often used is:
1. Identify the risks
The first step in the process is to understand the business in order to identify the risks. Methods
that can be used to gain an understanding of the business and to identify risks are inter alia, for
example:
• Workshops and interviews
• Questionnaires
• Risk process follow analyses
• Checklists
• Losses history

The purpose of the identification process should be clearly communicated in order to raise
awareness overall of the business operations, track and assess the financial impact of the risks.
Risk identification is a continuous process as new risks arise every time.
2. Evaluate the risks
Risk evaluation is the assessment and measurement of the identified risk exposures with
the aim to manage and control the risks. In order to do this, the risks should be measured
to enable management to manage it.
Operational risk can be measured in quantitative and qualitative terms. The quantitative
approach aims to quantify risk in numerical terms. The qualitative approach aims to
evaluate the risk exposures that cannot be calculated. The risk exposures are analysed in
terms of rating scales to determine the possible impact and likelihood of the risk events.

3. Control the risks

Once the risks have been evaluated, strategies can be developed to control the risks. Risks
can be preventative, detective or contingent. The objectives of a risk control programme
will be to reduce the potential effect of the loss and to prevent the likelihood of the risk
occurring. The control strategies which can be implemented are either to avoid the risk,
 transfer the potential effect of the loss event, accept the consequences or improve the
internal control measures to manage the risk.

4. Finance

The aim of risk financing is to ensure that the cost of risk and the cost of the risk
management process do not exceed the potential benefits provided to the organisation.
The risk management process can therefore require a pre-financing or post-financing
policy. The pre-financing of operational risk can include methods such as insurance or
self-insurance, while post-financing can include the use of cash resources or debt.

5. Monitoring and reporting

The monitoring of risk includes regular management and supervisory activities and the
other actions employees undertake in their daily activities. It is important that senior
management is involved in the monitoring of risk. Reporting forms an integral part of the
monitoring process.

Reports can be produced for different users e.g. the external stakeholders such as
regulators and the shareholders, internal stakeholders at strategic level such as the board
and EXCO, senior management and line management.

It is important that the risk is managed as close to the source as possible. The different
levels of users will have different objectives e.g. the board and EXCO will need less
frequent reports to enable them to manage trends and evaluate the strategies in contrast to
line management that need more frequent reports to rectify transactions. Line
management requires daily/intra-day reports, senior management monthly, the board
quarterly and shareholders annually.
Question 2

a. Explain the concepts of risk appetite and risk tolerance with examples. (10)

Answer:

Risk appetite is the risk of loss that a firm is willing to accept for a given risk-reward ratio (over
a specified time horizon, at a given level of confidence). A risk appetite statement could consist
of the following financing mechanisms:

• Internal funding to develop and implement control measures.

• Insurance that will cover any losses that the organisation is prepared to pay for in order to
relieve the burden of carrying the total loss by itself.

• Capital allocation to a reserve, which can absorb a loss due to a catastrophic event, such as fire
or flood.

Risk Tolerance can be explained by reference to theft of a firm’s assets. There may be no
appetite for theft in a firm but a certain level of theft is expected by senior management. This
level is tolerated even though there is no appetite for allowing theft itself.

Different industries will have different levels of appetite and tolerance (e.g. the banking industry
has different risk appetite and tolerance levels compared to the construction industry). (Students
can earn additional marks if they illustrated with examples from the SPEND case study).

b. You have considered all the available information and decided to present the
information in the following sub-headings per event. (20)

• Event: A description of the event with the consequence or possible consequence.

• Cause: The cause(s) of the event.

• Impact and likelihood: Argue the values allocated for the impact and likelihood of the event.

The purpose of this assignment was to give students the opportunity to classify risks in terms of
the risk definitions and to demonstrate how difficult it sometimes is to classify risks, as the
consequence of the event can be caused by a number of different factors.
Below is the suggested solution for the classification of the events. Work through the
examples and ensure that you understand the reasoning for the classification. Use the given
figures for each event to determine the impact and likelihood.

Answer:
PE Warehouse fire
Total damage to the buildings and stock amounted to R300m (R50m to buildings and R250m
stock loss). Additional loss in trade of R50m was incurred as it took three months to rebuild the
centre and an additional cost of R5m was incurred to supply stores from other distribution
centres.

The fire was caused by packaging material that caught fire. Staff underestimated the severity and
tried to extinguish the fire before reporting it. Fire brigade was only notified after the fire spread
into the warehouse. Fire drills and contingency plans did not prepare for total destruction of the
warehouse.

Impact and likelihood: E.g. Total damage to buildings and stock = R300m (Impact scale = 5) and
the fire occurred once in 12 months (highly unlikely = 1)

Theft
Total theft Incidents spread across all the distribution centres were 285. Losses amounted to
R24.4m. Five trucks were hijacked, with a total loss valued at R6.5m, R5m was claimed from
insurance. The net loss = R1.5m (R6.5m - R5m).

ShutEye security measures were neither adequate nor effective.

Impact (losses R24.4m) and likelihood: 285 incidents

Pilferage
Incidents are spread across all the distribution centres with a total of 36 750. The total losses
amounted to R68.8m. ShutEye security measures are neither adequate nor effective.

Road accidents
Twelve fatal road accidents were recorded and according to insurers, the accidents were caused
by the negligence of the drivers. A warning was received regarding the increase in premiums and
liability claims amounted to R2m.
Question:

The CRO had a meeting with Hotshot Consultants Ltd. The consultant modelled the losses
for presentation to the Risk Committee. [20]

You were requested to explain the graph to the Risk Committee, by covering the following
aspects:
• Interpretation of the graph
• Control strategy
• Risk financing strategy

Suggested answer

Interpretation of the graph (Refer to Young, 2014:99-101)

The loss distribution curve can be divided into three parts.

• The first part of the graph indicates a large number of small losses i.e. expected losses
characterised by low frequency and low severity such as pilferage and theft.

• The second part is where the number of losses reduces and, the value of the losses increases but
are still what can be expected as part of the business, and

• The last part illustrates limited available data i.e. unlikely but plausible events and significant
losses thus, unexpected losses. E.g. the PE warehouse fire.

The control strategy for the first part is:

• If the losses in this category are within the risk tolerance of the business, management can
accept the losses or improve the preventative controls to reduce the likelihood or the detective
controls, should management decide the losses are breaching the risk tolerance levels. The firm
can finance the risk by improving the controls, raising provisions to absorb the losses. Standard
insurance is not necessarily the most optimum option as the premiums may be prohibitive.

• The second part of the diagram also warrants an improvement of the control environment. The
firm can also consider transferring the risk by insuring against the events.

• The last part of the diagram requires contingency controls such as a business continuity plan
should an event occur with a low probability and a significant loss/impact occurrence. Although
insurance against such events can be purchased, the cost can be prohibitive and companies can
consider more advanced risk financing techniques such as captive insurance, finite insurance,
contingency finance such as capital reserves and contingency loans
Question
a) Illustrate the business continuity concept by means of a diagram. (10)

The digram is shown in the last minute exam pack

b) Evaluate SPEND’s actions with regard to the fire at the Port Elizabeth distribution
centre and what you would implement to mitigate the impact. (10)

Suggested answer

The contingency plan for PE relied on a 10 minute response by the PE Fire Brigade and the
sprinkler system of the distribution centre to contain the fire until the Fire Brigade arrives. The
contingency plan did not provide for any action if the distribution centre was destroyed.
Staffs were slow to react when they noticed the fire as they underestimated the severity.
Management was only alerted to the fire after staff was not able to extinguish the fire with a
garden-hose and fire buckets. By that time the fire started to spread into the building,
management was only able to alert the Fire Brigade after the distribution centre was burning out
of control. Total damage to the buildings and stock amounted to R300m. Additional loss in trade
of R50m was incurred as it took three months to rebuild the centre and an additional cost of R5m
was incurred to supply stores from other distribution centres.

The contingency measures need to address the following:

Contain the damage and to continue with normal business as early as possible. The following
should be considered as part of the contingency plan:
• Identification of an event i.e. the fire
• Escalation of the event i.e. staff should have reported the fire immediately
• Notify the fire brigade immediately
• Pre-arranged temporary distributing facilities or if not available consider dual distribution
facilities in the Eastern Cape
• Business interruption insurance