RSK4801/201/0/2015

Tutorial letter 201/0/2015

Operational Risk Management
RSK4801

Suggested Solutions
Assignment 01

Department of Finance, Risk Management and

Banking

IMPORTANT INFORMATION:
Please activate your myUnisa and myLife email addresses and ensure you have
regular access to the myUnisa module site RSK4801-2015-Y1.

Note: This is an online module, and therefore your module is available on myUnisa. However, in order to
support you in your learning process, you will also receive some study materials in printed format.
Question 1
You have recently been appointed as Chief Risk Officer for SPEND Ltd. Your first brief received from the
Chair of the Risk Committee is to review the risk management framework with regard to the three lines of
defence model, the classifications of risks and an appropriate risk management process.
a. Argue the three lines of defence model and make a recommendation of whether SPEND Ltd
should adopt the model. (10)

Answer:
a. Three lines of defence (Refer to Figure 3.1 in Blunden and Thirlwell, 2013:45 for more details)

First line of defence: Business line management

Management is responsible for the day-to-day operations of the company. Risk management should be
embedded in the processes and daily activities.

Second line of defence: Oversight (Risk management, HR, Finance, IT, Compliance)
Risk management should be independent of the day-to-day operations and should assist management
with the identification, evaluation, control, financing, monitoring, and reporting of risk. Responsible for the
development of centralised policies and standards, risk management processes and controls; and
monitor and report on risk.

Third line of defence: Independent assurance

The assurance providers should be independent from the business and management functions. The
assurance providers consist of internal audit and external audit (You also need to explain briefly the role
played by internal and external audit in order to score more marks).

One of the benefits of adopting the three lines of defence model is that it is aligned with leading
international risk management practice, complies with codes on corporate governance.

b. Evaluate the classification of risks used by SPEND Ltd and recommend a more appropriate
classification. (5)

Answer:
SPEND LTD classified risks in terms of financial and business risks. Financial risks were classified as
credit, liquidity, and capital risk. The business risk category is too broad and therefore SPEND Ltd does
not have a definition for operational risk. The company does not have an operational risk taxonomy,
policy framework or process which makes it difficult to classify losses and design appropriate control
measures and risk financing techniques.

2
 RSK4802/101

The benefits of adopting the risk classification as per the definitions used in the banking (Basel II) and
insurance (Solvency II) industries will enable SPEND Ltd to compare events, losses and potential losses
with other firms and industries, and assist with the implementation of an operational risk management
framework.

c. Argue an appropriate risk management process for implementation by SPEND Ltd. (15)

Answer:
Risk management should start with the analysis of the overall business strategy and objectives of the
organisation and subsequent changes to the strategy should also be considered and made where
necessary. An operational risk management framework also enables the practical implementation of
governance. Corporate governance provides an over-arching organisational structure within the
organisation’s culture and also establishes the three lines of defence i.e. line management, risk
management and the independent assurance providers.

The operational process can take many forms and the frame most often used is:

1. Identify the risks

The first step in the process is to understand the business in order to identify the risks. Methods that can
be used to gain an understanding of the business and to identify risks are inter alia, for example:
• Workshops and interviews
• Questionnaires
• Risk process follow analyses
• Checklists
• Losses history

The purpose of the identification process should be clearly communicated in order to raise awareness
overall of the business operations, track and assess the financial impact of the risks. Risk identification is
a continuous process as new risks arise every time.

2. Evaluate the risks

Risk evaluation is the assessment and measurement of the identified risk exposures with the aim to
manage and control the risks. In order to do this, the risks should be measured to enable management
to manage it.

Operational risk can be measured in quantitative and qualitative terms. The quantitative approach aims
to quantify risk in numerical terms. The qualitative approach aims to evaluate the risk exposures that

3
cannot be calculated. The risk exposures are analysed in terms of rating scales to determine the
possible impact and likelihood of the risk events.

3. Control the risks

Once the risks have been evaluated, strategies can be developed to control the risks. Risks can be
preventative, detective or contingent. The objectives of a risk control programme will be to reduce the
potential effect of the loss and to prevent the likelihood of the risk occurring. The control strategies which
can be implemented are either to avoid the risk, transfer the potential effect of the loss event, accept the
consequences or improve the internal control measures to manage the risk.

4. Finance
The aim of risk financing is to ensure that the cost of risk and the cost of the risk management process
do not exceed the potential benefits provided to the organisation. The risk management process can
therefore require a pre-financing or post-financing policy. The pre-financing of operational risk can
include methods such as insurance or self-insurance, while post-financing can include the use of cash
resources or debt.

5. Monitoring and reporting

The monitoring of risk includes regular management and supervisory activities and the other actions
employees undertake in their daily activities. It is important that senior management is involved in the
monitoring of risk. Reporting forms an integral part of the monitoring process.

Reports can be produced for different users e.g. the external stakeholders such as regulators and the
shareholders, internal stakeholders at strategic level such as the board and EXCO, senior management
and line management.

It is important that the risk is managed as close to the source as possible. The different levels of users
will have different objectives e.g. the board and EXCO will need less frequent reports to enable them to
manage trends and evaluate the strategies in contrast to line management that need more frequent
reports to rectify transactions. Line management requires daily/intra-day reports, senior management
monthly, the board quarterly and shareholders annually.

Question 2
a. Explain the concepts of risk appetite and risk tolerance with examples. (10)

Answer:
Risk appetite is the risk of loss that a firm is willing to accept for a given risk-reward ratio (over a
specified time horizon, at a given level of confidence). A risk appetite statement could consist of the
following financing mechanisms:

4
 RSK4802/101

• Internal funding to develop and implement control measures.

• Insurance that will cover any losses that the organisation is prepared to pay for in order to relieve
the burden of carrying the total loss by itself.
• Capital allocation to a reserve, which can absorb a loss due to a catastrophic event, such as fire
or flood.

Risk Tolerance can be explained by reference to theft of a firm’s assets. There may be no appetite for
theft in a firm but a certain level of theft is expected by senior management. This level is tolerated even
though there is no appetite for allowing theft itself.

Different industries will have different levels of appetite and tolerance (e.g. the banking industry has
different risk appetite and tolerance levels compared to the construction industry).
(Students can earn additional marks if they illustrated with examples from the SPEND case study).

b. You have considered all the available information and decided to present the information in
the following sub-headings per event. (20)

• Event: A description of the event with the consequence or possible consequence.

• Cause: The cause(s) of the event.
• Impact and likelihood: Argue the values allocated for the impact and likelihood of the event.

The purpose of this assignment was to give students the opportunity to classify risks in terms of the risk
definitions and to demonstrate how difficult it sometimes is to classify risks, as the consequence of the
event can be caused by a number of different factors.

Below is the suggested solution for the classification of the events. Work through the examples
and ensure that you understand the reasoning for the classification. Use the given figures for
each event to determine the impact and likelihood.

Answer:
PE Warehouse fire
Total damage to the buildings and stock amounted to R300m (R50m to buildings and R250m stock loss).
Additional loss in trade of R50m was incurred as it took three months to rebuild the centre and an
additional cost of R5m was incurred to supply stores from other distribution centres.

The fire was caused by packaging material that caught fire. Staff underestimated the severity and tried to
extinguish the fire before reporting it. Fire brigade was only notified after the fire spread into the
warehouse. Fire drills and contingency plans did not prepare for total destruction of the warehouse.

5
Impact and likelihood: E.g. Total damage to buildings and stock = R300m (Impact scale = 5) and the fire
occurred once in 12 months (highly unlikely = 1)

Theft
Total theft Incidents spread across all the distribution centres were 285. Losses amounted to R24.4m.
Five trucks were hijacked, with a total loss valued at R6.5m, R5m was claimed from insurance. The net
loss = R1.5m (R6.5m - R5m).

ShutEye security measures were neither adequate nor effective.

Impact (losses R24.4m) and likelihood: 285 incidents

Pilferage
Incidents are spread across all the distribution centres with a total of 36 750. The total losses amounted
to R68.8m. ShutEye security measures are neither adequate nor effective.

Road accidents
Twelve fatal road accidents were recorded and according to insurers, the accidents were caused by the
negligence of the drivers. A warning was received regarding the increase in premiums and liability claims
amounted to R2m.

Feedback on the assignment

Based on the results of the assignment, some students seemed to find the assignment challenging. The
marks ranged from 90% to 4%.

The mistakes can be summarised as follows:

• Students did not classify the losses into the main risk types. The main risk types were sometimes
discussed, but the actual losses not classified. You need to know the risk definitions to be able to
identify and classify risks in the following assignments and the examination. Refer to the study guide
or the Basel documents for more clarity if you are uncertain regarding the risk definitions.
• Losses were in some cases not classified into the four operational risk sub-risk types (people,
processes, systems and external events).
• Work was not always referenced.
• Where students did reference work, it was limited to the prescribed book.

This module is offered at a postgraduate level. At a postgraduate level, students have to refer to other
sources than only the prescribed book in the assignments and as part of the preparation for the
examination. The study guide/notes in the Learning Units are your lectures and form the basis for the
course.
6
 RSK4802/101

Conclusion
As you prepare for further assignments and the examination in this module, you are urged to consult
additional academic resources in order to enrich your knowledge, understanding and competence in this
dynamic area of specialisation. Also, please, do not hesitate to contact me should you require any further
support in your studies. Best wishes with your preparations for the second assignment.

Warmest regards

A. Mutezo

Unisa 2015