Introduction to NT/Assessments... · Web viewOther pieces of legislation which contain matters of...


Guide to Formative Assessment Answers

Table of Contents

Introduction

1. Formative Assessment for Unit 1

2. Formative Assessment for Unit 2

3. Formative Assessment for Unit 3

4. Formative Assessment for Unit 4

5. Formative Assessment for Unit 5

6. Formative Assessment for Unit 6

7. Formative Assessment for Unit 7


Introduction

This guide has been developed to give the answers to the formative activities as well as the guidance notes that will be availed to learners as feedback after their responses.

1. Formative Assessment for Unit 1

Activity 1 Indicate which of the following statement/(s) is/are CORRECT:

Statement 1: Contemporary strategies of managing risk require that risk be managed separately by the various directorates or sub-directorates within a Department.

Statement 2: Managing risk effectively requires a strategic, integrated, proactive and systematic approach to managing organisational risks in order to ensure that the objectives of the Institution are met.

A. Statement 1 only

B. Statement 2 only

C. Statement 1 and 2

D. None of the above

Answer: B

Feedback after learner’s response:

Contemporary strategies of managing risk require that risk be managed in an integrated fashion by all the units within an Institution (Enterprise Risk Management).

Activity 2 Indicate which of the following statements are CORRECT.

Within a Department, such as Department of Education in Limpopo, applying effective integrated risk management activities may yield the following benefits:

(i). Better governance of the Department and therefore aiding in the achievement of organisational objectives.

(ii). Better understanding of the risks that may adversely affect the Department’s operations thus allowing management to effect better strategies to manage such risks

(iii). Strengthening of the internal control environment

(iv). Leveraging on opportunities to add value to business processes

A. (i) and (iii) only

B. (ii) and (iv) only

C. (i), (ii) and (iii) only

D. All of the above

E. None of the above

Answer: D

Feedback after learner’s response:

All of the benefits noted can be extracted from implementing risk management.

Activity 3 Indicate which of the following statement(s) is/are TRUE.

Statement 1: The PFMA requires that Departments, such as the Department of Public Works, have and maintain effective, efficient and transparent systems of financial and risk management and internal control.

Statement 2: All other sections of the PFMA give prescriptions to certain requirements and this addresses certain risks.

A. Statement 1 only

B. Statement 2 only

C. Statement 1 and 2

D. None of the above

Answer: C

Feedback after learner’s response:

Section 38 (a) (i) of the PFMA requires that the Accounting Officer of a department, trading entity or constitutional institution have and maintain effective, efficient and transparent systems of financial and risk management and internal control.

All sections of the PFMA give prescriptions to certain requirements and this addresses certain risks.

Activity 4 Indicate which of the following statement/(s) is/are TRUE.

(i) The King III Code of Corporate Governance (2009) is not relevant to the public sector even though it makes recommendations relating to risk management which include the need to have a risk management policy, plans, risk register and a Chief Risk Officer.

(ii) The long term planning strategy of Government as reflected by the development of strategic plans by Departments requires the planning process to embark on a thorough assessment of risks as well as the adoption of risk response strategies.

A. (i) only

B. (ii) only

C. (i) and (ii)

D. None of the above

Answer: B

Feedback after learner’s response:

The King III Code of Corporate Governance (2009) is relevant to the public sector.

Activity 5 Indicate which of the following statement/(s) is/are TRUE:

(i) Other pieces of legislation which contain matters of risk management include Hazardous Substances Act (No. 15 of 1973), The Occupational Health and Safety Act (No. 85 of 1993) and the Disaster Management Act (No. 57 of 2002).

(ii) The Municipal Systems Act (No. 32 of 2000) as well as the Municipal Structures Act (No. 117 of 1998) both contain prescripts that address some form of risk that the municipalities are exposed to.

A. (i) only

B. (ii) only

C. (i) and (ii)

D. None of the above

Answer: C

Feedback after learner’s response:

Both the statements are correct.

Activity 6 Indicate whether the following statement is TRUE or FALSE.

Risk management is key in that it informs the internal audit process and plan as the internal audits are required to be risk based. On the other hand, the Internal audit unit is a key role player in the assurance process with respect to the effectiveness of risk management as the internal audit function provides an independent assessment of the internal control environment, recommending and reporting to the relevant parties.

A. TRUE

B. FALSE

Answer: A

Activity 7 Indicate which of the following statement/(s) is/are TRUE.

Statement A: It is important to consider the assessment of risk during the strategic planning process as the outcome of the assessment may partially contribute towards the long term plan and strategy of the Department.

Statement B: Risk management being done by middle managers in a Department is a mere bureaucracy and in the majority of times may not yield any positive performance results.

A. Statement A only

B. Statement B only

C. Statement A and B

D. None of the above

Answer: A

Feedback after learner’s response:

All levels of management and employees must play their respective roles to ensure that the objectives of risk management are met.

Activity 8 Indicate which of the following statement/(s) is/are TRUE.

Statement A: Risk management models are more effective when used in isolation in a Department.

Statement B: Integrating risk management tools and models with other organisational and environmental analysis tools such as PESTEL, SWOT analysis and Porter Five Forces model has potential to weaken the development of effective strategy.

A. Statement A only

B. Statement B only

C. Statement A and B

D. None of the above

Answer: D

Feedback after learner’s response:

In order to experience the benefits of an enterprise risk management system, models need to be integrated and these models must be used together with other analysis tools in order to make more informed decisions about risk management.


2. Formative Assessment for Unit 2

Activity 2.1 Which of the following statements are CORRECT?

Statement 1: The Head of Department and the Deputy Director General are key role players in risk management at the Department

Statement 2: The Municipal Council, Mayoral Committee and the Municipal Manager are key role players in risk management in a municipality

Statement 3: Establishing a Risk Management Unit which is headed by the Chief Risk Officer is a significant contribution towards the development of an effective governance structure

Statement 4: The Internal and External Audit function does not play any role in risk management

A. Statements 1 and 2 only

B. Statements 2 and 3 only

C. Statements 1, 2 and 3 only

D. Statements 1, 2, 3 and 4

Answer: C

Feedback after learner’s response:

Both the Internal Audit and the External Audit play an assurance role on the risk management system of an Institution.

Activity 2.2 All of the below functions are allocated to the Accounting Officer EXCEPT:

A. Establishing an institutional culture that supports risk management

B. Delegating all risk management activities to the Risk Management Committee and the Chief Risk Officer and not taking responsibility on any of them

C. Approving the risk management strategy and plan and ensuring that all identified controls are implemented in all units of the institution

D. Ensuring that managers reporting to him/her design, implement, monitor and integrate risk management into their day-to-day activities

Answer: B

Feedback after learner’s response:

In terms of section 79 (3) (a) to (e) of the MFMA, a delegation does not divest the Accounting Officer of the responsibility concerning the exercise of the delegated power or the performance of the delegated duty.

Activity 2.3 All of the below functions are the responsibilities of the Chief Risk Officer EXCEPT:

A. Establishing the institution’s risk management strategy, implementation plan and risk identification methodology in consultation with management

B. Owning all high risks in order to ensure that effective internal controls are established to manage these risks

C. Training various stakeholders within the Department on their risk-related roles and responsibilities

D. Monitoring the implementation of the internal controls targeted at managing risks

Answer: B


Feedback after learner’s response:

Risk owners are persons accountable for managing a particular risk and these are the operational persons where the respective risk is originating.

Activity 2.4 The Risk Champion within a business unit must possess the following attributes EXCEPT:

A. A fair understanding of risk management concepts, principles and processes

B. Good communication and coordination skills

C. Possess a risk management qualification at a post degree level

D. Good investigative and diagnostic skills

Answer: C

Feedback after learner’s response:

A Risk Champion should possess a good understanding of risk management concepts, principles and processes, good analytical skills as well as leadership and motivational qualities but does not necessarily have to have high qualifications in risk management.

Activity 2.5 Which of the following statement/(s) is CORRECT?

Statement 1: If Internal Audit is functioning properly, the unit will evaluate the effectiveness of the entire system of risk management and provide recommendations for improvement where necessary.

Statement 2: Internal Audit must assist Management in establishing or improving risk management processes and they must also assume management responsibilities for risk management if management is not performing efficiently and effectively.

Statement 3: The role of the Internal Audit in risk management is to provide an independent, objective assurance on the effectiveness of the Institution’s system of risk management.

A. Statement 1 and 2 only

B. Statement 2 and 3 only

C. Statement 3 only

D. Statement 1 and 3 only

E. None of the above

Answer: D

Feedback after learner’s response:

Internal Audit must maintain an assurance role thus must not implement any risk management activity in order not to compromise the independence.

Activity 2.6 Identify the INCORRECT statement:

A. Internal audit plays a key role in risk management by assessing and reporting on the internal control environment and recommending actions to strengthen the internal control environment thereby managing risk.

B. The Risk Management Committee can comprise of internal members (selected members of management of the Institution) and external members (those not employed by the Institution) and the Chairperson of the Committee must ideally be external to the Institution.

C. All other officials in an Institution are responsible for implementing risk management activities and processes in their respective areas of work


D. Working in isolation, the Chief Risk Officer and his/her Risk Management Unit are able to achieve better risk management results since they hold relevant qualifications and have expertise in risk management

Answer: D

Feedback after learner’s response:

Since the role of the Chief Risk Officer and the team is more on coordinating risk management activities, the risk management unit needs to work closely with other role players such as risk owners, Internal Audit and Risk Management Committee in order to meet the risk management objectives.

Activity 2.7 Which of the following statements is INCORRECT regarding the Risk Management Committee?

A. Review the recommendations made by internal audit and external audit on the system of risk management and monitor the implementation of such recommendations

B. Its functions are defined in a charter which covers constitution, objectives, composition, authority, roles and responsibilities, meetings, administrative duties, quorum, performance evaluation and review of the charter.

C. Assumes the role of the Audit Committee in the absence of a functioning Audit Committee

D. Amongst other functions, it reviews and recommends for the approval of the Accounting Officer / Authority, the risk management policy, risk management strategy, risk management implementation plan and the Institution’s risk appetite

Answer: C

Feedback after learner’s response:

Where there is no separate Risk Management Committee, the Audit Committee should assume the allocated roles and responsibilities of the Risk Management Committee.

Activity 2.8 Indicate whether the following statement is TRUE or FALSE:

National Treasury has a legislative mandate to monitor and assess the implementation of the PFMA and MFMA which include the implementation of risk management, including any prescribed norms and standards

A. TRUE

B. FALSE

Answer: A

Feedback after learner’s response:

The National Treasury has specific functions in terms of section 6(2) of the PFMA and sections 5(2) and 34 of the MFMA to monitor and assess the implementation of the PFMA and MFMA and to do so, the National Treasury should monitor and assess, among other things, the implementation of risk management, including any prescribed norms and standards.

Activity 2.9 The Audit Committee is governed by a Charter which contains the following:

1. Purpose of the charter, authority and independence of the committee

2. Role of the committee, composition of the committee, meetings

3. Responsibilities with respect to financial statements, risk management, internal control, performance management, internal audit, external audit, compliance, reporting responsibilities as well as other responsibilities

4. Name of Audit Committee members and their qualifications

5. Evaluation of committee activities, review of the charter, approval of the charter

Which of the statements above are CORRECT?

A. 1, 2 and 3 only

B. 2 and 3 only

C. 1, 2, 3 and 5 only

D. 2, 3 and 5 only

Answer: C

Feedback after learner’s response:

The Audit Committee Charter is a standard framework which governs the Audit Committee and does not contain any specific names of Audit Committee members or their qualifications.

Activity 2.10 Indicate whether the following statement is TRUE or FALSE:

As a manager or supervisor in a directorate or sub-directorate, I am responsible for proactively managing the risks that emanate from the respective business processes and am accountable to my superior for doing so.

A. TRUE

B. FALSE

Answer: A

Feedback after learner’s response:

A risk owner is a person responsible and accountable for managing a particular risk.

3. Formative Assessment for Unit 3

Activity 3.1 All of the following statements are correct regarding the adoption of a Risk Management Policy except;


A. The Accounting Officer must devise a strategy to communicate the policy to all employees as well as an induction strategy to communicate the policy to all new recruits

B. All other policies which address certain specific risks must be aligned to the Risk Management Policy

C. In order to present a formal agreed upon statement of the Institution’s positioning regarding risk

D. The risk management policy is to a lesser extent influenced by the Institution's risk profile, appetite for risk, loss tolerance levels and regulatory compliance expectations

E. Before being released to be used by the Institution, this policy must be approved by the Accounting Officer/Authority

Answer: D

Feedback after learner’s response:

The risk management policy is significantly influenced by the Institution's risk profile, appetite for risk, loss tolerance levels and regulatory compliance expectations.

Activity 3.2 The objectives of developing and adopting risk management policies are all of the following except:

(a) To align the behavior of employees and managers to the risk management requirements of the Institution

(b) To strengthen the internal control environment by introducing a standard framework addressing risk

(c) To standardize required practices in relation to risk management and assist the Institution in enhancing and protecting those opportunities that represent the greatest service delivery benefits

(d) To establish a platform which promotes a culture of risk management

A. (a), (c) and (d) only

B. (a) and (c) only

C. (b), (c) and (d) only

D. All of the above

Answer: D

Activity 3.3 When developing a Risk Management Policy, attention must be given to cover the following except:

A. The objectives that the Institution intends to achieve with respect to risk management.

B. The anticipated benefits to be derived from risk management.

C. Risk response plans relating to specific identified risks.

D. The role players involved in risk management as well as their roles and responsibilities.

Answer: C


Feedback after learner’s response:

Risk response plans are dynamic action plans in response to an assessment of the status of risk. These plans periodically detail the actions to be taken in response to the risks, and they do not form part of the risk management policy.

Activity 3.4 All of the following statements in respect of the adoption of a Fraud Prevention Policy are correct EXCEPT;

A. The Fraud Prevention Policy must be specific to the environment in which the Institution is operating and must be developed through consultation with other stakeholders

B. The Fraud Prevention Policy must be communicated to employees and management who are in the Finance Department only as Finance is the unit where the fraud risk is prevalent.

C. It is important to ensure that the Fraud Prevention Policy is aligned to the Risk Management Policy of the Institution in order to strengthen the internal control environment

D. The Fraud Prevention Policy must supplement the Risk Management Policy, specifically focusing on risks such as fraud and corruption

Answer: B

Feedback after learner’s response:

The Fraud Prevention Policy must be communicated to all employees and management in order to achieve integration in risk management.

Activity 3.5 Although the contents of the Fraud Prevention Policy may vary from Institution to Institution, it should generally cover the following EXCEPT:

i. Anti-fraud programmes adopted by the Institution and the policy on the reporting of fraud

ii. Mechanisms in place to prevent, detect and investigate fraud as well as the recovery of financial losses

iii. Anti-fraud culture & values of the organisation

iv. Key role players and their responsibilities with respect to fraud prevention, detection, reporting and response

A. (iii) only

B. (iv) only

C. (iv) only

D. None of the above

Answer: D

4. Formative Assessment for Unit 4

Activity 4.1 It is vital for an Institution to develop a Risk Management Strategy and an Implementation Plan to guide the risk management activities. The following are benefits of embarking on this process except:

A. It assists with the achievement of the Institution’s overall objectives

B. It enables the Institution to develop strategies to address risks that may have been potentially ignored

C. The development of the strategy and plan guarantees high performance and the achievement of the Institution’s score carded targets

D. It contributes towards the development of an institutional culture which is aware of the need to manage risk

Answer: C

Feedback after learner’s response

The development of a strategy and plan is one of the steps towards achievement of objectives and higher performance. There are many other factors that influence performance such as the culture, attitude of role players, management style, processes and systems in place to support the implementation of the strategy and plans, synergy of the plan with other functions and others.

Activity 4.2 A risk management strategy should include all of the following except:

A. Information relating to communication of risk management activities

B. A detailed risk management policy

C. An action plan aimed at elevating the maturity level of the Institution’s risk management

D. Information in respect of the review and assurance of the risk management process.

Answer: B

Feedback after learner’s response:

When developing a risk management strategy, the risk management policy informs the strategy but does not necessarily have to be in the strategy. What can be included in the strategy is a summary of the policy stance on risk, only to reinforce the strategy’s positioning.

Activity 4.3 Identify the INCORRECT statement regarding the development and application of Risk Management Implementation Plans:

Statement 1: It is vital for management to consult with various stakeholders (including management and staff) when developing the risk management implementation plans

Statement 2: The Risk Management Implementation Plans must be approved by the Accounting Officer / Authority and must form the yardstick against which performance in risk management is measured

Statement 3: For effective management, the Accounting Officer must ensure that tasks, targets, implementation dates and reporting requirements identified in the Risk Management Implementation Plan form part of the performance requirements of the persons responsible in order to achieve the Institution’s objectives.

A. Statement 2 only

B. Statement 2 and 3 only

C. Statement 3 only

D. None of the above

Answer: D

Activity 4.4 Which of the following is INCORRECT in relation to the development and implementation of a fraud prevention strategy?

(i) Specific prevention, detection, investigation and resolution activities aimed at addressing fraud and corruption must form part of the fraud prevention strategy

(ii) Since fraud and corruption is prevalent and highly problematic in the environment in which the South African public sector Institutions are operating, the Fraud Prevention Strategy must be developed outside of the scope of the Risk Management strategy of the Institution and the identified strategies which form part of this strategy do not need to reflect the overall strategic plan of the Institution.

(iii) The Fraud Prevention Strategy does not need to be in line with the legal framework governing the employer-employee relationship as well as the Constitutional platform with courts and quasi-judicial bodies

(iv) A communication strategy focusing on how the fraud risk is to be communicated throughout the whole institution is a key component of the fraud prevention strategy

A. (ii) only

B. (iv) only

C. (ii) and (iii) only

D. (iii) only

Answer: C

Feedback after learner’s response

Although fraud and corruption is prevalent and highly problematic in the environment in which the South African public sector Institutions are operating, the Fraud Prevention Strategy must be developed within the scope of the Risk Management strategy of the Institution and the identified strategies which form part of this strategy must be in line with the overall strategic plan of the Institution.

The Fraud Prevention Strategy must be in line with the legal framework of South Africa which governs, amongst others, the employer-employee relationship (such as the Prevention and Combating of Corruption Activities Act (No. 12 of 2004)) as well as the Constitutional platform comprising of courts and quasi-judicial bodies (such as Criminal Courts and Police) in order to ensure compliance with the constitution as well as the legal intervention of these Constitutional bodies.

Activity 4.5 A Risk Management Plan details the strategy adopted by management to manage risks within the Institution and all of the following EXCEPT:

A. A section covering how risk management information will be disseminated to the various parties

B. Risk activities, person responsible and set timelines

C. Organisational structure showing the governance framework for risk management

D. Reports to be compiled, formats, timelines and how reporting will be done

Answer: C

Feedback after learner’s response

The organisational structure showing risk governance framework does not have to be part of the Risk Management Plan. The specific offices can appear in the plan against certain functions that they need to perform and not necessarily the whole governance framework.

Activity 4.6 Among the factors listed below, which factors need to be taken into consideration when developing a fraud prevention strategy and plan?

Factor 1: The resources of the Institution including human capital and finances

Factor 2: Previous occurrences/incidents of fraud and corruption

Factor 3: The current culture and attitude towards fraud and corruption

Factor 4: The fraud prevention policy, including policy direction and stance

A. Factors 2 and 4 only

B. Factors 1 and 3 only

C. Factors 1, 2 and 3 only

D. All of the above

Answer: D

Feedback after learner’s response

All the above factors need to be taken into account when developing the fraud prevention strategy and implementation plan of an Institution.

Activity 4.7 Indicate which of the following statement/(s) is/are NOT CORRECT.

(i) As part of the strategy development, tools such as tip-offs, whistle blowing and line management can be used as detective measures

(ii) Instituting the South African Public Service Code of Conduct, Code of Conduct for Municipal Staff Members (for municipalities) and Batho Pele principles as well as offering training and awareness programmes on those two instruments can act as a preventative measure on the Fraud Prevention Strategy.

(iii) Internal audit function can present a detective and an investigative control mechanism to the Risk Prevention strategy

A. (i) only

B. (ii) only

C. (iii) only

D. None of the above

Answer: D

Feedback after learner’s response

All of the above are correct. When internal audit conduct their usual audits, they detect weaknesses in the system and Internal Audit can also be assigned to investigate allegations of adverse occurrences such as fraud, corruption or non-compliance.

Activity 4.8 Indicate whether the following statements are TRUE or FALSE:

a) The Fraud Prevention Plan does not need to be reviewed periodically as fraud and corruption will continue to exist in the environment in which South African public sector is operating.

b) Management need to devise a strategy of communicating the Fraud Prevention Strategy and plan to all staff since everyone in an Institution is responsible for implementing the Fraud Prevention Strategy.

c) Instigating disciplinary actions and recovery of losses in line with Chapter 10 of the PFMA and Chapter 15 (Part 1 and 2) of the MFMA is part of the resolution tactics of fraud prevention strategies.

A. Statement (a): False; Statement (b): True; Statement (c): False

B. Statement (a): True; Statement (b): False; Statement (c): False

C. Statement (a): False; Statement (b): True; Statement (c): True

D. Statement (a): False; Statement (b): False; Statement (c): True

Answer: C

Feedback after learner’s response

The Fraud Prevention Plan needs to be reviewed periodically (recommended period is annually) to capture modernised means of managing fraud and also to align to resources availability and changes in the fraud risk profile.

Activity 4.9 Indicate whether the following statements are TRUE or FALSE:

a) Risk management communication campaigns usually in the form of short awareness sessions and presentations to departmental managers or regional management teams are a good mechanism to create awareness of risk.

b) It is the responsibility of the Chief Risk Officer to develop and adopt a plan to support the risk campaigns covering communication, training and awareness.

c) Only the line of managers reporting directly to the Accounting Officer/Authority need to be trained on risk management by the Risk Officers.

d) Risk management training, awareness conferences, performance measurement, incentives, marketing materials, intranet information and the incorporating of risk responsibilities into management activities are some of the ways of preparing for the successful implementation of risk management activities.

A. Statement (a): True; Statement (b): True; Statement (c): True; Statement (d): True

B. Statement (a): True; Statement (b): False; Statement (c): False; Statement (d): True

C. Statement (a): True; Statement (b): True; Statement (c): False; Statement (d): True

D. Statement (a): True; Statement (b): True; Statement (c): False; Statement (d): False

Answer: C

Feedback after learner’s response

Risk management only thrives to the extent that managers actively use its processes. It is mainly a function that operates at a management level, so it is not usually appropriate to embark upon a mass communication campaign to every employee. However, the campaigns must be rolled out to management, not exclusively senior level managers but also middle to junior level managers.

Activity 4.10 Indicate whether the following statement is TRUE or FALSE:

As part of an effort to gain management commitment to risk management, performance requirements incorporated within the risk management implementation plans can be translated into performance targets within the performance scorecards. This will allow managers to have their performance reviewed for risk management activities. Rolling out such a practice to employees within the organisation will positively contribute to a successful implementation of risk management activities.

A. TRUE

B. FALSE

Answer: A

5. Formative Assessment for Unit 5

Activity 5.1 Indicate whether the following statement/(s) is/are CORRECT:

(i) Risks can be sufficiently identified from management’s perceptions. When managers identify risks through their knowledge of the operations and systems in which the Institutions are operating, this is sufficient to lead into the development of a comprehensive risk register.

(ii) One of the ways of identifying risks within a department is to review the internal audit report issued in the previous financial year to see the findings noted, risks identified as well as the risk rating provided by the Internal Audit.

A. Statement (i) is the only correct one

B. Statement (ii) is the only correct one

C. Statements (i) and (ii) are correct

D. Statements (i) and (ii) are not correct

Answer: B

Feedback after Learner’s Response

It is vital to ensure that during the risk identification process, management’s perceptions on risk as well as quantitative sources are used for collecting information about risks. The quantitative sources include external and internal audit reports, financial statements, management accounts, internal reports (such as incidents reports), market and sector information as well as other historic data.

Activity 5.2 While you were attending one of the group management workshops for risk, two statements were made during the session and you have been asked to review the accuracy of the statements:

The Municipal Manager said:

“The identification of strategic risk is the only key process since addressing strategic risks will automatically address risks emanating from operations and projects”.

Since the management team were not well acquainted with risk management, no one commented in response to this statement.

A few moments later, the Chief Risk Officer mentioned the following:

“It is important for the strategic risks identification process to be executed at the same time as the strategic planning process in order to allow management to make strategic decisions after an identification of the related strategic risks”.

Indicate which of the two was correct:

A. Only the Municipal Manager is correct

B. Only the Chief Risk Officer is correct

C. Both the Municipal Manager and the Chief Risk Officer are correct

D. None of them is correct

Answer: B

Feedback after Learner’s Response

In addition to the strategic risk identification, the operational and project risk identification processes should also be embarked on as these focus on different kinds of risk, which all have potential to adversely affect the Institution’s service delivery objectives.

Activity 5.3 During the risk identification process, the following is considered applicable and recommended EXCEPT:

(a) As a technique to identify risks, team-based brainstorming through the use of structures such as group workshops is not a recommended approach since it complicates the identification process due to team building dynamics and possibly conflicting backgrounds.

(b) Group brainstorming sessions can be intense and gather so much information in a manner that the data gathered does not need to be supplemented by more sophisticated or structured techniques such as quantitative methods.

A. (a) only

B. (b) only

C. (a) and (b)

D. None of the above

Answer: D

Feedback after Learner’s Response

Team-based brainstorming, for example through facilitated workshops, is a preferred approach as it encourages commitment, considers different perspectives and incorporates differing experiences.

Since risk workshops are useful only for filtering and screening of possible risks, it is important that the workshops are supplemented by more sophisticated or structured techniques such as flow charting, system design review, systems analysis, etc.

Activity 5.4 During the risk identification session which was being facilitated by a Risk Officer at the Department of Home Affairs, questionnaires were distributed to finance officials, asking a range of questions relating to the risks that the finance officials were faced with as well as how the occurrence of these risks would possibly affect the accomplishment of the finance department’s objectives. A number of other questions relating to finance and other risks were on the questionnaires.

Following the distribution of the questionnaires, the Risk Officer extracted the previous financial year’s Auditor General’s regularity audit report and discussed with the CFO, extracting all the negative findings and risks that were documented in the audit report.

Precisely comment on the risk identification process conducted by the Risk Officer in line with contemporary risk management principles:

A. The Risk Officer was not supposed to use questionnaires as these only collected finance officers’ opinions and line of thought.

B. The Risk Officer was supposed to use questionnaires, not to collect the information about finance risks from finance officers but from the Chief Finance Officer only.

C. The Risk Officer utilised good data collection techniques as the questionnaires and the audit report were able to collect the relevant information relating to perceptions and facts.

D. The Auditor General’s regularity audit report was not a good source to extract some of the finance risks thus the Risk Officer was not supposed to use that source.

Answer: C

Feedback after learner’s Response

The risk identification techniques utilised by the Risk Officer to collect information regarding the risks were good. The questionnaires were able to collect perceptive information from finance officials regarding risks and the audit report provided quantitative facts from the Auditor General’s findings.

Activity 5.5 You have come across the following write-ups in some risk management literature that is not referenced. Review the contents in line with the learnt risk management principles and indicate whether the presentation is CORRECT.

Risk Identification Process

In paragraph 1:

While conducting the risk identification, it is crucial to document not only the risks but the risk identification process, which includes the approach or method used for identifying risks, the scope covered by the identification, the participants in the risk identification and the information sources consulted. This will assist to provide valuable information for future engagements as well as availing an opportunity to review and learn from the process.

In paragraph 2:

The risks that management is aware are present but are well managed through the effective internal controls in place do not need to be captured in the risk register. Only the risks that do not have adequate risk responses to manage the risk to an acceptable level are the ones that must be recorded in the risk register.

A. Statements in paragraphs 1 and 2

B. Statement in paragraph 1 only

C. Statement in paragraph 2 only

D. None of the above

Answer:

Feedback after learner’s Response

It is important to note that all risks (including well-controlled risks) must be recorded in the risk profile of the Institution.  The reason for this logic is that the processes for identifying risks should ignore at that point any mitigating factors that may be in place.

Activity 5.6 Look closely at the list below and indicate whether you agree or not as to whether the list accurately contains the minimum contents of a typical acceptable risk register:

the risk;

risk category;

risk cause;

risk impact on Institution;

the likelihood of the risk to the Institution;

the consequential cost should the risk materialize;

the likelihood and consequences of the risk to the Institution;

internal controls currently in place;

a risk level (from impact and likelihood);

risk scoring against the Institution’s risk appetite;

risk profile;

accountability for risk treatment (may be part of the risk treatment plan); and

timeframe for risk treatment.

A. I agree – the list contains the risk register minimum requirements

B. I do not agree - the list does not contain the risk register minimum requirements

Answer: A

6. Formative Assessment for Unit 6

Activity 6.1 Based on what has been covered up to now regarding risk management, identify the statement that is not correct:

A. Understanding legislation as well as other frameworks in which the public sector Institutions are operating is key in the risk management process in order to ensure that all risk activities are in line with the legislative prescripts and National Government policy direction.

B. It is essential to establish the governance structures where roles and responsibilities of key players (such as Accounting Officer, Chief Risk Officer, Internal Audit, Risk Management Committee and others) are clearly laid out and delegations in risk management are set in line with the respective legislation.

C. The development of risk management policy sets the platform which defines the Institution’s position regarding risk management, and the risk management strategy and implementation plans must be developed in line with the policy.

D. Risk response strategies can be developed and finalized before completing the risk identification and assessment process.

Answer: D

Feedback after learner’s response:

Effective strategies must only be developed and finalized after identifying and assessing the risks that the Institution is facing. The assessment process will be able to review the current risks against the controls in place in order to determine whether the residual risks require additional controls to reduce them to the acceptable tolerance levels within the Institution’s appetite.

Activity 6.2 In a sub-directorate risk management meeting at the Department of Water Affairs, an intern made the following comment about the management controls:

“In preparing for the risk assessment session, let us remember that the management controls reduce both the impact and likelihood of a risk”

To support the comment, the supervisor who was chairing the meeting also made the following comment:

“Since all our internal controls in place automatically reduce both the likelihood and consequence of the risks we face, little may need to be done to reduce the residual risks to acceptable levels”

Using the risk assessment principles, comment on the intern’s and the supervisor’s contributions:

A. Both the Intern and the Supervisor are correct

B. Only the Intern is correct

C. Both the Intern and Supervisor are not correct

D. Only the Supervisor is correct

Answer: C

Feedback after learner’s response:

The statement made by the Intern is conclusive; management controls may reduce the likelihood of occurrence of a potential risk, the impact of such a risk, or both. However, not every internal control automatically reduces both. For example, insurance reduces the impact of the risk but not the likelihood.

In light of the above, it follows that the supervisor is not correct as well. In addition, the current controls may not be adequate enough to reduce the inherent risk to a level of the residual risk that is close to the Institution’s risk appetite.

Activity 6.3 Based on your understanding of risk terminology and risk assessment concepts, indicate whether the following statement(s) is/are TRUE.

(a) The level of inherent risk in a process within a certain department informs management of the actual level of control effectiveness.

(b) When conducting a risk assessment, it is important to assess risk rating for inherent risk (risk before controls) and residual risk (risk after controls).

(a) / (b)

A. Correct / Not correct

B. Correct / Correct

C. Not correct / Not correct

D. Not correct / Correct

Answer: D

Feedback after learner’s response:

It is the level of residual risk that informs management of the actual level of control effectiveness since residual risk is the balance of risk after the internal controls.

Activity 6.4 The following can be the outputs of a risk assessment process except:

A. Heat maps covering a simple graphical representation of each risk according to both impact and likelihood for certain categories of risk

B. A risk register reflecting the risk ratings for impact and likelihood

C. A risk implementation plan reflecting how the residual risk which falls outside of the Institution’s risk appetite and tolerance will be managed

D. A report documenting the risk assessment process covering the key assumptions, limitations, challenges, strategy as well as the assessment method utilised

Answer: C

Feedback after learner’s response:

A risk implementation plan is born out of this process. Risk response activities and their impact on residual risk versus the risk tolerance levels still have to be considered as well as type of controls preferred.

Activity 6.5 While trying to assess the technical risks (for impact and likelihood) found within the functional processes in a water purification plant at Batho Pele Municipality, the Chief Finance Officer (CFO) proposed that the engineers overseeing the operations of that plant be consulted to give the relevant rating for the likelihood of occurrence as well as the potential impact upon occurrence. This suggestion was highly criticised by the other senior managers who concurred and suggested that the CFO was in a position to do so.

The CFO’s argument was that the engineers were able to use the past record of plant incidences, past experiences as well as their expertise to give a better judgement.

Using your knowledge of risk assessment principles, indicate whether the CFO’s proposal was correct and whether his reasoning was justifiable:

CFO’s proposal to use engineers / CFO’s reasons for use of engineers

A. Not Correct / Wrong reasons

B. Not Correct / Justifiable reasons

C. Correct / Wrong reasons

D. Correct / Justifiable reasons

Answer: D

Activity 6.6 Indicate whether the following is TRUE/FALSE regarding a typical risk rating model.

In summary, a typical risk rating model can have a risk index for inherent risk exposure being impact multiplied by likelihood, where impact and likelihood are singly scaled from 1 to 5 with specific definitions of the scales. As such the inherent risk rating will have a minimum of 1 and a maximum of 25 – having specific categories representing risk magnitude of low, medium and high. In such a model, the residual risk exposure will become a function of inherent risk and control effectiveness, also ranging between 1 and 25 and having specific categories representing risk magnitude of low, medium and high classifications.

A. TRUE

B. FALSE

Answer: A

Refer to Annexure 6.1. Risk Rating Tables

Activity 6.7 While discussing the assessment of risks, the Deputy Director: Corporate Services mentioned that during the assessment process risk tolerance defines the total impact of risk an Institution is willing to accept regardless of whether it has the necessary capacity to recover from such impact while risk appetite is the amount of risk the Institution is capable of bearing. This information was to be used in compiling the Department’s register.

In the same meeting, the Assistant Director: Budget mentioned that other managers were not supposed to be concerned about setting risk tolerance as this is an individual function.

In line with your understanding of effective principles of risk management, which manager’s opinion is in line with best practice principles of risk assessment?

A. Deputy Director: Corporate Services only

B. Assistant Director: Budget only

C. Deputy Director: Corporate Services and Assistant Director: Budget

D. Neither Deputy Director: Corporate Services nor Assistant Director: Budget

Answer: C

Feedback after Learner’s Response

Risk appetite defines the total impact of risk an Institution is willing to accept regardless of whether it has the necessary capacity to recover from such impact while risk tolerance is the amount of risk the Institution is capable of bearing.

Setting risk tolerance should be a collective senior management responsibility.

Activity 6.8 In a management meeting at the Department of Public Works in Pretoria, the Head of Department indicated that it is vital for the Institution to develop risk tolerance levels, taking into account the size and type of Institution, skills and experience of officials, the current level of an Institution’s performance and maturity and sophistication of risk management processes and control environments.

The HOD also emphasised that it was key for the Institution’s risk appetite to be communicated to all employees. In addition, he mentioned that he was to include in the risk management policy a clause that highlights that the risk tolerance levels shall also be reviewed annually together with the Institution’s targets and the budget to determine the Institution’s risk bearing capacity.

Indicate whether the HOD’s opinions were in line with risk management best practices.

A. HOD’s opinions were in line with risk management best practices.

B. HOD’s opinions were not in line with risk management best practices.

Answer: A

7. Formative Assessment for Unit 7

Activities 7.1 to 7.5 are based on the scenario given below:

Scenario

In preparation for the implementation of an effective risk management system, a risk management workshop was organised and facilitated by the Risk Unit at the Department of Education. The attendees were managers from various directorates. During the roll-out of the session, there were a number of issues that sparked disagreements amongst the team and you, being the Chief Risk Officer, were called in to address the issues and lay out the principles of best practice risk management aligned to enterprise risk management.

Activity 7.1 The Risk Officer mentioned that there was a need to develop effective risk responses partially in the form of internal controls after analysing and evaluating the current status of the risks.

The Risk Officer was opposed by the Deputy Director: Further Education and Training who was of the opinion that the only key processes involve identifying risks and then immediately developing risk responses.

The debate heated up and was referred to you, the Chief Risk Officer.

What should be your best and most appropriate response in line with effective risk management principles:

A. Either of the processes can start – as long as both processes are embarked on

B. Risk assessment, which comprises the analysis of risks and evaluation against the Institution’s risk appetite and tolerance, enables the Institution to identify gaps as well as functional areas that require intervention. This process must be rolled out leading to the development of effective risk responses which respond to the identified gaps and needs. Thus the Risk Officer is correct.

C. Risk responses must be established before the assessment of risks. The assessment process will then determine whether the responses are sufficient and effective to reduce the risk to acceptable levels.

D. The key processes are only the identification of risks and the development of responses to the risk identified. Thus the issue being raised by the Risk Officer of analysing and evaluating the current status of the risks is not pertinent.

Answer: B

Feedback after Learner’s Response

Key processes in risk management include risk identification, risk assessment, development of risk responses including the establishment of effective control activities and these are recommended to be rolled out in the respective order. Other processes including risk assurance, monitoring and communication form part of the process.

Activity 7.2 The Risk Officer raised the need to consider risk response strategies such as avoiding the risk and transferring the risk while developing the various effective risk responses.

The Assistant Director: Public Ordinary Schools directorate suggested that the Institution must only focus on treating the risks by improving the internal control system and highlighted that this will reduce all the significant risks to acceptable levels.

What is the best and most appropriate response in line with risk management principles:

A. Avoiding the risk and transferring the risks are the most effective ways of responding to risks within the Institution.

B. The Assistant Director: Public Ordinary Schools directorate is correct to suggest that the Institution must focus on treating the risks since the review and strengthening of the internal control environment is the only mechanism of dealing with risk.

C. Risk responses range from avoiding the risk, treating the risk, transferring the risk, accepting the risk as well as exploiting the risk and the most appropriate response must be selected for specific risks being faced by the Institution.

D. All risks must be treated and the Institution must not find itself in a place where certain risks are accepted as they, to some extent, expose the Institution.

Answer: C

Feedback after Learner’s Response

Management should consider risk response strategies which include:

avoiding the risk by, for example, choosing a different strategy or terminating the activity that produces the risk;

treating the risk by, for example, implementing or improving the internal control system;

transferring the risk to another party more competent to manage it by, for example, contracting out services, establishing strategic partnerships and buying insurance;

accepting the risk where cost and strategy considerations rule out alternative strategies; and

exploiting the risk factors by implementing strategies to take advantage of the opportunities presented by such risk factors.

Activity 7.3 The Risk Officer mentioned that in selecting options for response, consideration must be given to costs of the risk response against the budget of the various directorates.

The Chief Finance Officer indicated that while it was important to consider the costs, it was also necessary to consider the benefits that the option can bring and compare the two before deciding on the risk response.

Who, amongst the two, presented the best suggestion:

A. The Risk Officer only

B. The Chief Finance Officer only

C. Both the Risk Officer and the Chief Finance Officer

D. Neither the Risk Officer nor the Chief Finance Officer

Answer: B

Feedback after Learner’s Response

Consideration should be given to the cost of the response option as compared to the likely risk reduction that will result (benefit). As such, a cost-benefit analysis should be conducted, possibly covering direct, indirect, financial and social costs and benefits.

Activity 7.4 The Director: Corporate Services emphasised that in order to ensure that there is successful implementation of risk management activities, there is need to identify the various risk response options and select the most ideal response after considering a number of factors. Following that, she indicated that the options selected need to be allocated to certain specific persons who will own the risks and this process will then lead to the preparation of risk response plans which specify who, how, what, when and where the various risk responses should be implemented.

The majority of the team agreed with her.

The Deputy Director: Adult Basic Education and Training also added that the response plans should have specific key performance indicators and monitoring activities lined up which will be used to monitor the implementation of the risk response activities.

Indicate which of the two managers is correct:

A. Deputy Director: Adult Basic Education and Training

B. Neither Deputy Director: Adult Basic Education and Training nor Director: Corporate Services

C. Director: Corporate Services

D. Both of them

Answer: D

Activity 7.5 The Assistant Director: Further Education and Training Unit disagreed with the Risk Officer on the issue of risk ownership.

The Risk Officer was of the opinion that while assigning risks to owners, it is important to ensure that risks are generally assigned to a senior staff member or manager with sufficient technical knowledge about the risk and/or risk area for which a response is required and thus will become accountable for managing that particular risk.

Assistant Director: Further Education and Training unit argued that every employee needs to own some kind of risk in order to ensure that all employees and managers are accountable and responsible for risk management.

In response, the Risk Officer pointed out that to achieve responsibility and accountability around risk ownership and management, the risk owner who would be a manager can then delegate responsibility to his / her direct reports for implementation.

Who, between the two, is more aligned to best practice risk management principles:

A. Assistant Director: Further Education and Training

B. Risk Officer

C. Both the Assistant Director: Further Education and Training and Risk Officer

D. Neither Risk Officer nor Assistant Director: Further Education and Training

Answer: B

Feedback after Learner’s Response

Allocating risk to managers promotes better management of the risk since the manager is assumed to be holding some level of operational capacity to manage the risk and remains accountable. Delegation will allow him/her to monitor and manage the risk better.