
Module Notes

business risk

Uploaded by

vuakojubby

University of Limpopo

School of Accountancy
Department of Financial Management
CMAB040
MANAGEMENT ACCOUNTING AND FINANCE IV
MODULE
Enterprise Risk Management

© 2022 University of Limpopo, Private Bag X1106, Sovenga, 0727, South Africa
Printed and published by the University of Limpopo
All rights reserved. Apart from any reasonable quotations for the purpose of research, criticism or review as permitted under the Copyright Act, no part of
this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy and recording, without
permission in writing from the publisher.

Table of Contents
LINK TO SAICA Competency Framework
ASSUMED PRIOR KNOWLEDGE
STRATEGY, RISK MANAGEMENT AND GOVERNANCE
LEARNING OBJECTIVES
WHAT IS RISK MANAGEMENT?
Enterprise Risk Management Defined (COSO, 2004)
Links to other Topics in Finance
OVERVIEW: RISK MANAGEMENT PROCESS
Risk Categories and Examples
Risk Management Roles and Responsibilities
HOW IS RISK MANAGEMENT PROCESS EFFECTED?
COMPONENTS OF THE RISK MANAGEMENT PROCESS
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
WHY ORGANISATIONS MANAGE RISK?
Examples of the Benefits of Risk Management
EXAMINATION PERSPECTIVE
HOMEWORK: QUESTIONS TO ATTEMPT
Additional Question: 2015 EXAM CMAC080: Mandla Mining
Annexure A: Selected List of Risk Management Terms
Bibliography

List of Tables
Table 1: SAICA Competency Framework (SAICA, 2019)
Table 2: Examples of ERM Links to Other Topics in Finance
Table 3: RISK MITIGATION: Examples of actions that can be taken
Table 4: Risk Categories and Examples
Table 5: Risk Management Roles and Responsibilities

List of Figures
Figure 1: Summarised Risk Management Process
Figure 2: COSO ERM Cube (COSO, 2004)
Figure 3: Risk Management Process Diagram

LINK TO SAICA Competency Framework

Table 1: SAICA Competency Framework (SAICA, 2019)


Risk management (the number in brackets is the Knowledge Level column)

• Enterprise risk management
  o Risk Management Philosophy
  o Risk Management Strategy (Level 2)
  o Risk Management Framework (such as COSO II)
• Risk maturity, risk appetite and risk tolerance limits
• Enterprise risk management through the application of a risk management framework –
  o Objectives of a risk management framework (Level 2)
  o Risk management policy vs risk management plan
  o Identification of risk events
  o Analysing and assessing risk (probability of occurrence or likelihood vs impact)
• Risk responses (avoidance, transference, mitigation, acceptance)
• Control procedures in risk reduction
• Risk register (Level 2)
  o Risks identified
  o Measurement thereof
  o Response
  o Residual risk
• Monitoring of risk (using key risk indicators (KRIs))
• Risk assurance
• Objectives of risk management
• Values related to risk management
• Accountability for risk management (Level 2)
• Authority for risk management
• Principal categories of risk
  o Strategic
  o Operational (Level 2)
  o Financial
  o Information
• Identification of different risks and appropriate responses thereto
• Implementing and integrating risk management
• Components of a risk management team (Level 2)
• Role of management (Level 2)
• Infrastructure for risk management
• Objectives of risk management within context of environment
• Role of board of directors
• Role of chief risk officer
• Role of internal auditors
• Role of external auditors

SUMMARISED SAICA KNOWLEDGE REFERENCE LEVELS
Level 1 (Basic): Basic Knowledge and Understanding of the core aspects excluding complex calculations and scenarios.
Level 2 (Intermediate): Detailed Knowledge and Understanding of the central ideas and issues including simple calculations and scenarios.
Level 3 (Advanced): Thorough Knowledge and Understanding including complexities and unusual aspects including complex calculations and scenarios.
ASSUMED PRIOR KNOWLEDGE
The student should have a firm grasp of the following concepts: the objective of financial
management (shareholder value maximisation through maximisation of return and
minimisation of risk), the strategic management process, organisational architecture and
leadership, corporate governance and the contemporary business environment.

It is essential to view risk management within the context of strategic planning,
implementation and evaluation, as risk management seeks to identify, assess and manage
risks that emanate from pursuing strategies formulated by an entity in order to maximise
shareholder value through proper management of risks.

STRATEGY, RISK MANAGEMENT AND GOVERNANCE


Enterprise Risk Management is an integral part of strategy. During the strategic planning
stage, the company's risk appetite (willingness to take risks) and risk tolerance (ability to take
risks) are assessed and determined so that they can be applied in evaluating possible strategic choices.
The possible risk events emanating from the company's strategy and its internal and external
environments are identified, assessed and mitigated in order to ensure the strategic, financial
and operational objectives are achieved. Risk Management should therefore be studied with that
context in mind. Students should view Strategy, Risk Management and Governance as one
body of knowledge that is used within the context of financial management to maximise
shareholder value. (REFER TO ANNEXURE A for definitions of selected risk terms).

LEARNING OBJECTIVES
After studying this module learners should be able to:

• Understand ERM (enterprise risk management):
  o Demonstrate an understanding of risk management philosophy, risk management strategy and risk management framework.
• Apply ERM Framework to manage risks:
  o Set and apply the objectives of a risk management framework
  o Differentiate between risk management policy and risk management plan
  o Understand risk management components and apply the risk management process
    - Identify risk events
    - Analyse and assess risks based on likelihood and impact
    - Devise risk responses to identified risks (risk avoidance, risk transference, risk mitigation or risk acceptance)
    - Explain the role of control activities to reduce risks
    - Explain risk monitoring activities
• Implementation and integration of risk management:
  o Understand key aspects of risk management implementation and integration.
  o Identify and explain the roles and role players in risk management
  o Understand the link between risk management, strategy and governance within the context of financial management.
WHAT IS RISK MANAGEMENT?
Enterprise Risk Management Defined (COSO, 2004)
Enterprise risk management deals with opportunities and risks affecting value creation or
preservation, defined as follows:
“Enterprise risk management is a process, effected by an entity’s board of directors,
management and other personnel, applied to strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and manage risk to be within
its risk appetite, to provide reasonable assurance regarding the achievement of an entity’s
objectives.”

The definition reflects certain fundamental concepts. Enterprise risk management is:
√ A process, ongoing and flowing through an entity
√ Effected by people at every level of an organisation
√ Applied in strategy setting
√ Applied across the enterprise, at every level and unit, and includes taking an entity-level
portfolio view of risk
√ Designed to identify potential events that, if they occur, will affect the entity objectives and
to manage risk within its risk appetite
√ Able to provide reasonable assurance to an entity’s management and board of directors
√ Geared to achievement of objectives in one or more separate but overlapping categories

Source: Committee of Sponsoring Organisations of the Treadway Commission (COSO),
2004. Enterprise Risk Management - an Integrated Framework (Executive Summary). [Online]
Available at: http://www.coso.org/documents/coso_erm_executivesummary.pdf

It is essential to note that risk management should be viewed as an integral part of
strategy AND everyday functioning of any organisation.

Links to other Topics in Finance


From the above definition we can see that strategy and risk management are not removed from
other topics in finance and the business as a whole. The finance function must not only support
strategy and risk management; Finance is also getting more directly involved in the formulation,
implementation and evaluation of strategy. In most companies, the risk management function
is housed in finance for administrative purposes, but reports to the risk and audit committee
functionally. Below are a few examples of how the topics (strategy, governance and financial
management topics) relate to risk management:

Table 2: Examples of ERM Links to Other Topics in Finance

Each entry below gives the TOPIC followed by the RISK MANAGEMENT EXAMPLE.

Strategy:
Risk management is an integral part of strategy formulation, implementation and evaluation:
• Determining Risk Appetite and Risk Tolerance levels: The risk appetite and risk tolerance of an organisation are assessed and determined for use in evaluating strategic alternatives or making strategic choices.
• Risk Management Process: Possible risk events are identified, assessed and mitigated throughout the strategic management process. The risk levels are reduced to an acceptable level. The risks identified are monitored to ensure an organisation's risk tolerance levels are not exceeded. Risk and strategic tools and techniques are applied to reduce risk.

Governance:
The chosen corporate governance model is used to deploy strategy and to manage risks within an acceptable risk tolerance level.
Enterprise-wide Risk Management: Identification and proper management of risks across an entity as a whole. The overall residual risks should be kept at an acceptable level.

INTEGRATED Reporting:
Risk disclosures: Key risks, Key Risk Indicators and risk mitigations are disclosed to inform an organisation's stakeholders of the organisation's risk appetite, risk tolerance and risk levels.

FINANCING Decision:
Obtaining robust risk information to enable effective assessment of overall capital needs and enhance capital allocation (COSO, 2004).
Risks relating to capital (e.g. interest rate risks, re-financing risk, risk of financial distress, liquidity risks) are monitored and managed to ensure the

INVESTING Decision:
The projects emanating from an organisation's strategy are evaluated using appropriate risk analysis tools and techniques in line with the risk management policy of an organisation. Risks relating to strategic projects are monitored and managed to enhance shareholder value through risk reduction/mitigation.

DIVIDEND Decision:
Appropriate dividend payout policy is selected to reduce the risk of shareholder value erosions. A balance between retained income re-invested in strategic capital projects to increase or maintain shareholder value and the funds redistributed to shareholders should be optimally maintained.

This table summarises examples of how Risk Management affects various topics in finance.
Kindly use it to enhance your understanding of risk management and as a guide to various
ways through which risk management can be integrated with other topics in finance for exam
purposes.

OVERVIEW: RISK MANAGEMENT PROCESS
Summarised Risk Management Process
Risk management is typically broken into three interlinking stages:
1. Risk Event Identification
The identification of potential risks emanating from an entity's internal and external environment.
Identify internal and external risk events that can affect a company's ability to achieve its strategic,
operational and financial objectives.
2. Risk Assessment
a. Determine the likelihood of the risk event occurring:
What is the probability of the risk event occurring? How likely is the risk event
to occur? Very likely or remote? The higher the likelihood, the greater the urgency
to appropriately deal with the risk.
b. Determine the impact if the risk event were to occur:
What will be the strategic, operational and financial impact to the company if the
risk event were to occur? The greater the impact, the greater the need to
appropriately address the risk.
3. Risk Response
What action(s) should be taken to eliminate, transfer or reduce the risk to an acceptable level if the
impact and likelihood are high? Decide what action to take. The decision should be based on the impact
and likelihood of the risk event occurring as well as the cost versus the benefit of actions to
eliminate, reduce, transfer or hedge the risk. Key activities are summarised below:

Table 3: RISK MITIGATION: Examples of actions that can be taken:

Each entry below gives the Action followed by the Reasoning.

Ignore the risk: Insignificant risks that will not have a material impact on the company's operations and finances.

Accept the risk: Insignificant risk that will not have a material impact on the company's operations and finances and whose cost of reducing or transferring far exceeds the benefit of doing so.

Eliminate or Reduce the Risk: Use risk management tools and techniques to avoid, eliminate, reduce or transfer the risk. This applies to risks that will have a significant impact on the company's strategy, operations and finances and where the benefit of eliminating or reducing the risk far exceeds the cost of doing so. These risks should be managed and continually monitored.

CONCLUSION: After the risk mitigation exercise, the residual risks must be kept at an acceptable
risk tolerance level and the Key Risks should be monitored, managed and reported to
management, other personnel and key stakeholders to ensure the risk management function is
effective in maintaining risks at acceptable levels to achieve an organisation's strategic, financial
and operational objectives.
Risk Management Process Tools [1]

Risk Event Identification
• Environmental Analysis: SWOT Analysis, Value Chain Analysis, Process Analysis, Scenario Analysis, PESTEL
• Research Analysis: Loss Events Data Analysis, Risk Surveys (Risk Questionnaires), Interviews with Business Units Executives, Risk Benchmarking
• Other techniques: Brainstorming risks, Risk Models, Industry Risk norms, etc.

Risk Assessment
• Risk Analysis and Assessment:
  o Risk Mapping (Impact & Likelihood)
  o Risk Ranking (Very High, High, Medium, Low)
  o Risk Analysis by Risk Drivers (Identify Objective, Identify Risks, Determine and Quantify Key Risk Drivers & Key Risk Indicators)

Risk Response
• Risk Mitigation:
  o Eliminate/Avoid risk: e.g. do not accept project or implement strict controls to avoid risk.
  o Reduce risk: e.g. Transfer risk (Buy insurance), Share Risk (through strategic alliance).
  o Accept risk: e.g. the cost of risk response exceeds the benefit.
  o Ignore risk: e.g. very low likelihood and significance.

Figure 1: Summarised Risk Management Process

[1] Risk assessment process summarised for the purpose of this module. Refer to the Executive Summary on Enterprise Risk Management – Integrated Framework for more detail, available from: http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf. The tools listed are not exhaustive – these tools are the author's selection based on professional judgement.

Risk Categories and Examples
Below is a list of common risk classifications. The risk categories per the SAICA Competency Framework (SAICA, 2019) are: Strategic
risks, Operational risks, Financial risks and Information risks. The COSO Framework (COSO, 2004) refers to Strategic risks,
Operations risks, Reporting risks and Compliance risks. Thus categorisations of risks may differ from one organisation to the other, but the
principles are the same. All significant risks should be properly managed.

Table 4: Risk Categories and Examples

Each entry below gives the Category, its Explanation and Examples of Risks.

Category: Strategic Risks
Explanation: Risks relating to the formulation, implementation and evaluation of a strategy of an organisation.
Examples of Risks: Risk of inappropriate strategy, risk of insufficient capital to execute strategy, risk of changes in environmental forces that negatively affect company strategy (competition risk, change in demographics or social/cultural trends, technological innovations, change in political or regulatory trends).

Category: Operational Risks
Explanation: Risks relating to optimal allocation and efficient use of resources to ensure uninterrupted and efficient operations.
Examples of Risks:
Risk of interruption of business operations due to:
• Stock obsolescence or shortage
• Information Technology risks
• Loadshedding (electricity)
• Staff incompetence or loss of staff
• Loss of key suppliers
• Logistic failures/disruptions
• Theft, cash embezzlement or failure of accounting controls
Risk of reduction in profits/increase in losses due to:
• Inefficiencies in operations
• Cost increases above inflation/revenue increases
• Wastages in manufacturing process
• Losses due to theft, fraud, or other crimes
• Product recall expenses
• Poor quality suppliers resulting in abnormal production losses

Category: Financial Risks
Explanation: Risk of financial distress, liquidity, credit, inflation, interest rate, forex and refinancing.
Examples of Risks: Refinancing risk, liquidity risk, price risk (commodity), credit risk, inflation risk, interest rate risk, foreign exchange rate risk, financial distress risk, hedge basis risk (ineffective hedge risk), convexity and duration of assets, etc.

Category: Information Risks
Explanation: Risk of loss of critical data, theft of data, misuse of customer data in contravention of privacy laws. Also includes risk of management not having the necessary information to aid decision making.
Examples of Risks:
• Inadequate management information systems to aid optimal decision making.
• Inappropriate/Inadequate controls over customer data.
• Data fraud and data theft.
• Inability to use relevant data analysis techniques to aid decision making.
• Inappropriate controls over company trade secrets, intellectual property.

Category: Compliance Risks
Explanation: Risk that the company will not comply with applicable laws and regulations.
Examples of Risks: Non-compliance with competition laws, labour laws, corporate laws, industry regulations, information security laws, municipal by-laws, financial intelligence laws (FICA and RICA), business license regulations, etc.

Category: Hazard Risks
Explanation: Risk of business interruption due to preventable and enforceable hazards.
Examples of Risks: Risk of property/stock destruction or damage due to fire, natural disaster, theft or crime. Risk of business interruption due to disease, workplace injuries, strike or any of the above events.

Category: Reporting Risks
Explanation: Risks relating to the reliability, timeliness and relevance of internal and external reporting.
Examples of Risks: Non-compliance with IFRS (International Financial Reporting Standards), Industry Disclosure requirements (e.g. Bank Basel Accord, Companies Act Disclosures).

The above listing is not exhaustive, but has been included to help enhance your understanding of risk management.
You should be able to:
• Identify risks,
• Explain why they are risks,
• Explain the impact of the risk and
• Devise appropriate risk responses to identified risk events.
Study the tools and be able to apply them to strategy, risk management, governance and financial management scenarios. Refer
to Slides, Notes (Strategy, Risk and Return, Treasury Function and Risk Management) and Prescribed Texts for more details on
the risk management tools.

Risk Management Roles and Responsibilities
For the risk management function to operate effectively and efficiently, the stakeholders
involved in risk management must play their parts. Below are examples of stakeholders in the
risk management process and their functions.

Table 5: Risk Management Roles and Responsibilities

Each entry below gives the Player, its Role and its Responsibilities.

Player: Board of Directors
Role: Oversight role.
Responsibilities:
• Setting the tone at the top.
• Approving the risk management policy, procedures and plan.
• Ensuring appropriate Risk Management Disclosures are made.
• Determining the risk appetite and risk tolerance level of an organisation.
• Continual discussion of the state of risk management and the board must be informed of significant risks affecting an entity.

Player: Risk Management Division
Role: Implementation, Training, Monitoring and Reporting.
Responsibilities:
• Implementing the risk management plan.
• Applying the risk management policy and procedures.
• Carrying out the risk management plan.
• Preparing Key Risk Disclosures.
• Reporting to the Board of Directors on key significant risks and proposed responses as well as risk monitoring.

Player: Senior/Executive Management
Role: Implementation, Monitoring and Reporting
Responsibilities:
• Setting the tone at the top: creating a risk culture and positive attitude towards risk management.
• Implementing the risk management plan.
• Applying risk management in strategy formulation and implementation.
• Creating risk awareness
• Supporting the risk management division.

Player: Other entity Personnel
Role: Implementation, Monitoring and Communication.
Responsibilities:
• Supporting and strengthening the risk management function.
• Complying with risk management policies and procedures.
• Participating in information sharing and communication of relevant risk information (e.g. Reporting risk events, attending risk management workshops).

Player: Internal Audit
Role: Implementation & Monitoring
Responsibilities:
• The internal audit function takes into account the risk register (a list of risks identified and their proposed responses) when formulating their annual audit plan.
• Internal audit is viewed as part of the control activities to reduce risk to an acceptable level.

HOW IS RISK MANAGEMENT PROCESS EFFECTED?
The COSO Cube (COSO, 2004) is used as an example of a risk management framework that
can be implemented by an organisation:

COMPONENTS OF THE RISK MANAGEMENT PROCESS


Below is the COSO CUBE (COSO, 2004) summarising key activities in enterprise risk
management as well as the risk categories that organisations manage. These components
help us understand the risk management function and processes within risk management.

Figure 2: COSO ERM Cube (COSO, 2004)

Risk Management Components explained:

INTERNAL ENVIRONMENT
Internal environment establishes an organisation's risk management philosophy. It recognises
that expected and unexpected risk events may occur, thus the tone at the top (management's
attitude toward risk/the organisation's risk culture) is essential in setting the basis for how an
organisation views and addresses risks. This will include the setting of the risk appetite and
risk tolerance levels, integrity and ethical values.

OBJECTIVE SETTING
Strategic objectives are set to enable the risk event identification process to take place. ERM
ensures that processes are in place to ensure risk strategy is considered in setting strategic
objectives. ERM must also ensure the set objectives support and align with an organisation’s
mission and are consistent with the organisation’s risk appetite.

EVENT IDENTIFICATION
Risk Management Tools and Techniques are used to analyse an organisation's internal and
external environment to identify risks and opportunities. Risks are events that will have a
negative impact and are assessed in the stage below. Opportunities are upside risks, which
are referred back to objective setting above.

RISK ASSESSMENT
The extent to which risks may negatively affect the achievement of set objectives is
understood at this stage. Risks are analysed, considering their likelihood and impact, as a
basis for determining how they should be managed. Risks are assessed on both an inherent and
a residual basis.

RISK RESPONSE
Possible risk responses are evaluated taking into account an organisation’s risk appetite, cost
versus benefit of the potential risk response, and the extent to which the response reduces
the impact and/or likelihood of the risk. Management determines a risk response (e.g. avoiding
or eliminating risk, accepting risk, reducing risk, transferring risk or sharing risk). Management
should develop a set of actions to align risk with an organisation’s risk appetite and risk
tolerance levels.

CONTROL ACTIVITIES
Policies and procedures are established and implemented to help ensure the risk responses
are effectively carried out. Control activities are carried out throughout the organisation and at
all levels. The control activities include systems of internal controls encompassing physical
controls, application controls and general IT controls.

INFORMATION AND COMMUNICATION
Effective communication of relevant information enables management, employees and the
board of directors to carry out their duties and responsibilities. Relevant information is
identified, captured and communicated in a form and within a timeframe that enables the people
involved with an organisation's processes to carry out their responsibilities and achieve strategic,
financial and operational objectives. Communication can flow from top to bottom, bottom to
top and sideways across an organisation. Communication includes reports, cases, workshops,
training, policies and procedures, dialogues, etc.
MONITORING
For the ERM function to be effective, monitoring must be carried out through ongoing
monitoring activities or separate evaluations, or both. The results of the monitoring process
must be ploughed back into the ERM process to make necessary modifications and
improvements.

Conclusion

Taking these risk components into account, a risk management process can be envisaged as
a continuous process charted as follows:

[Diagram: a continuous cycle of Strategic Objectives Setting, Risk Identification, Risk Assessment, Risk Response, Monitoring and Control Activities, and Information & Communication, arranged around a central "Risks" block listing Strategic Risks, Operational Risks, Financial Risks, Information Risks, Compliance Risks, Hazard Risks and Reporting Risks.]

Figure 3: Risk Management Process Diagram

WHY ORGANISATIONS MANAGE RISK?
Examples of the Benefits of Risk Management
In short, Risk Management helps an organisation to achieve the following:

Maximisation of shareholder value through minimisation of risks to acceptable tolerance levels in line
with an organisations risk appetite and the achievement of strategic, operational and financial
objectives. The selected list of benefits of risk management are listed below:

 Objectives of the COSO Framework (COSO, 2004):


o Aligning risk appetite and strategy – thus management will not pursue strategies that
are above
Management considers an organisation’s risk appetite in evaluating strategic
alternatives, setting related objectives, and developing mechanisms to manage
related risks.

o Enhancing risk response decisions – to reduce the impact of risk events on an


organisations ability to meet its strategic objectives
ERM provides the rigour to identify and select alternative risk responses: risk
avoidance/elimination, risk reduction, risk sharing or risk acceptance.

o Reducing operational surprises and losses through the risk management process
Organisations gain enhanced capabilities to identify potential risk events and
establish responses, reducing surprises and associated costs or losses.

o Identifying and managing multiple and cross-enterprise risks


Every organisation faces a myriad of risks affecting different parts of the organisation,
and enterprise risk management facilitates effective response to the interrelated
impacts, and integrated responses to multiples tasks.

o Seizing opportunities
By considering a full range of potential events, management is positioned to identify
and proactively realise opportunities.

o Improving deployment of capital


Obtaining robust risk information allows management to effectively assess overall
capital needs and enhance capital allocation.

• Examples of Benefits of ERM

o ERM lessens the effects of risk events on an organisation’s operations.
  - E.g. risk responses that avoid or reduce the impact/likelihood of risk events.
o ERM helps ensure efficient use of resources.
  - E.g. allocation of resources to achieve strategic objectives and management
    of risks associated with those strategic objectives.
o ERM helps reduce wastage, fraud and losses.
  - E.g. through control activities to prevent and detect fraudulent activities to
    enable corrective measures to be taken.
o ERM enables management to focus attention on core business.
  - E.g. reduction in management time spent on fire-fighting through control
    activities to reduce the risk of fire.
o ERM results in a lower cost of capital.
  - E.g. through reduced business risks as a result of effective risk
    management.

EXAMINATION PERSPECTIVE
This topic is an integral part of the strategy and governance portions of this course. It also
fits well within financial management because the main objective of the discipline is value
maximisation. Risk management aims to maximise shareholder value through risk reduction
by:

• Determining the appropriate risk appetite for an organisation
• Helping to set and implement strategic objectives in line with an organisation’s risk appetite
• Identifying potential risk events
• Assessing the impact and likelihood of those risk events occurring
• Devising an appropriate risk response to eliminate, avoid, reduce or ignore the risk
• Putting control activities in place to ensure the risk responses are appropriately carried out
• Monitoring risks to ensure the residual risk is within the risk tolerance levels
• Communicating with internal and external stakeholders in the risk management process

You can be asked to perform the above steps in a standalone or integrated question (e.g.
identify risks, propose risk responses, advise what control activities must be implemented,
review the risk management programme, advise what risk disclosures must be made, etc.).

The topic can be integrated with other corporate finance topics [e.g. Strategy (Strategic
Risks), Financial Statement Analysis, Capital Investment Appraisal (Capital Budgeting),
Valuation, Liquidity and Working Capital Management, Dividend Decisions, Sources of
Finance, Capital Structure and Cost of Capital]. It is important to understand how the risk
management process fits within the strategic management process and to be able to carry
out the steps in the strategic management process, especially risk identification and
response, within the context of the topics mentioned.

HOMEWORK: QUESTIONS TO ATTEMPT


| Question | Concepts |
|---|---|
| 2015 CMAC080 Question | Risk Event Identification and Risk Response Formulation |

Homework Question: 2015 EXAM CMAC080: Mandla Mining
Mandla Mining (Pty) Ltd is a platinum mining company with 4 mining plants in South Africa.
The mines extract and process platinum for sale in the local and international markets. The
local sales amount to 10% and the international sales amount to 90% of the total sales units
in oz (i.e. ounces).

The local sales are mainly purchased by the government, for making catalytic converters to
be used in nuclear power stations, at a fixed Rand price. The international sales are mainly
made to China, Europe, North America and Japan and are transacted in US$ based on the
prevailing market prices. The platinum price during the financial year was US$1 462 per ounce
at the beginning of the financial year and ended at US$979 per ounce at year end.

The company produced and sold 10 000 oz of platinum during the current financial year
compared to 20 000 oz in the previous financial year. During the current financial year, the
demand for platinum decreased substantially internationally as the major purchasers of
platinum faced economic downturns. Many platinum users switched to palladium, which
is about 50% to 60% cheaper than platinum but can do almost the same job. Mandla
Mining had to close down two loss making plants during the financial year to reduce its losses
by running plants that either break-even or make profits.

Operating costs for the current year increased above inflation mainly due to the depreciation
of the Rand against the US$ and increase in salaries and wages. Mandla Mining buys its
machinery and supplies, used in extraction and processing, in US$. The Rand has depreciated
from R10.68 at the beginning of the financial year to R12.96 as at end of the financial year.

The company lost production time due to a number of events and factors, including a six-week
strike in the platinum sector, Eskom load-shedding and reduction of operating plants in the
current financial year. The company had to increase its production staff salaries and wages
by 12.5% on average. The inflation rate for the same period was 4.7% according to StatsSA.

| REQUIRED | Marks: Sub | Marks: Total |
|---|---|---|
| (A) (i) Identify and briefly describe the business and financial risks that Mandla Mining faces. | 15 | |
| (ii) Propose solutions to risks identified above (Ai). | 15 | |
| Communication skills – presentation; logical argument | 1 | 31 |
| Total | | 31 |

Annexure A: Selected List of Risk Management Terms
| Concept | Definition |
|---|---|
| Impact | The significance or materiality of a risk in an organisation. Impact captures the effect the risk will have on Critical Success Factors/Key Performance Indicators of strategic projects, processes or activities. It can be measured quantitatively (e.g. in terms of financial impact: cost, loss of revenue) or qualitatively (e.g. loss of reputation, impact on health/environment). |
| Inherent Risk | The level of risk that resides with an event, project or process prior to management taking mitigating action. It is a risk that exists within a process, project or event. |
| Likelihood | An estimate of the chance or probability of the risk event occurring. It measures how likely a risk event is to occur (likely or remote?). |
| Residual Risk | The level of risk that remains after management has taken action to mitigate the risk. The residual risks must be kept at an acceptable level (within an organisation's selected risk tolerance levels). |
| Risk | Any event or action that can keep an organisation from achieving its objectives. Risk can be categorised into: strategic risks, operational risks, financial risks, information risks, compliance risks, hazard risks and reporting risks. |
| Risk Appetite | The overall level of risk an organisation is willing to accept given its capabilities and the expectations of its stakeholders. The overall amount of risk an entity is willing to take in pursuit of value. |
| Risk Management Plan | An annual or multi-year plan detailing the identified risk events, their risk assessment and analysis results and the appropriate risk response for each risk. It sets out timelines for risk response implementation and sets out plans for monitoring and reporting on risks. The risk management plan is normally shared with the internal audit function to enable inclusion of key risk areas in the internal audit plan. |
| Risk Management Policy | A set of rules devised by management on how the risk management function will operate. It sets out key procedures that must be complied with. |
| Risk Management Philosophy | The management attitude towards risk and risk management. It sets out, at a high level, management’s approach to risk management. The risk management philosophy may include the elements of management’s: risk governance (e.g. clear assignment of roles and risk responsibilities), risk culture (common values around risk management and strategy), risk mitigation (acceptable risk responses and their execution), and risk appetite (the willingness to take risk) and risk tolerance (ability to take risks). |
| Risk Mapping | The process of analysing risks taking into account their impact and likelihood as part of risk assessment to enable the determination of appropriate risk responses. |
| Risk Ranking | The process of ranking risks in order of their significance to enable prioritisation of risk responses and implementation. |
| Risk Tolerance | The level of risk an organisation is willing to accept around specific objectives. Risk tolerance is a narrower level of risk appetite. It is the level of risk that an entity is able to take without destroying value or exposing itself excessively. |

Bibliography
COSO, 2004. Enterprise Risk Management - an Integrated Framework (Executive Summary). [Online] Available at: http://www.coso.org/documents/coso_erm_executivesummary.pdf [Accessed 13 November 2015].

SAICA, 2019. Competency Framework: Detailed Guidance for the CA(SA) Academic Programme. South Africa: SAICA.
