Question
Each identified risk has to be assessed taking into consideration the likelihood of occurrence and impact on the
achievement of the organisation's objectives over the time horizon. The gross, net and residual risks are assessed in
terms of likelihood and impact. Quantitative and qualitative approaches are combined to assess risks. The
likelihood and impact may be quantified according to different measurement scales.
Adapted: Benabbou, L - Enterprise Risk Management: A Case Study of a Moroccan Financial Institution
1.1. In the context of the extract, describe the typical definitions of likelihood and also the definitions of impact
in risk management. (10)
1.2. Evaluate the efficiency and effectiveness of ANY FOUR (4) techniques of risk assessment that can be used in any organisation. (15)
QUESTION 2 (25)
2.1. With the aid of examples, evaluate the risk description framework as postulated by Hopkins (2015). (15)
2.2. Discuss the FOUR (4) T's of hazard response as applied in your organization and/or any organization of your choice. (10)
QUESTION 3 (25)
Risk mapping classifies net risks as critical, high, medium and low. Depending on the exposure of each risk, a
treatment strategy is chosen: accept, transfer, avoid and reduce. For each risk, the risk owner decides the
appropriate strategy. In view of the fact that the potential returns of some financial risks are attractive in
comparison to the risks faced, some portfolio management department financial risks were accepted, and risk
owners (asset managers) had to manage their risks under appropriate risk tolerance.
Adapted: Benabbou, L - Enterprise Risk Management: A Case Study of a Moroccan Financial Institution
3.1. In this context, discuss the rationale of putting up internal controls in an organization. (15)
3.2. What do you understand by the terms risk architecture and risk management strategy as used in Risk Management? (10)
QUESTION 4 (25)
ISO 31000 version 2009 defined risk treatment as a process to modify risk. However, the definition of risk
treatment has been deleted and replaced with risk control in ISO 31000 version 2018. Risk control is defined as a
measure that maintains and/or modifies risk. Controls include, but are not limited to, any process, policy, device,
practice or other conditions and/or actions which maintain and/or modify risk. The modified risk is considered
residual risk. Residual risk is a risk that remains after all efforts have been made to mitigate or eliminate risks.
Adapted: Ramly, E.F. and Osman, M.S. (2018), Development of Risk Management Framework - Case Studies,
Proceedings of the International Conference on Industrial Engineering and Operations Management Paris,
France, July 26-27, 2018
4.1. In this context define residual risk and discuss the THREE (3) broad categories of risk. (15)
4.2. What do you understand by the term risk control and discuss ANY TWO (2) hazard controls that can be used to mitigate against risk in an organization? (10)