Question
Module 5 requires you to submit Part 1 of the three-part ongoing project for this course. In this submission, you will apply all of the skills you have learnt related to identifying risks to create a risk matrix for a compliance risk management plan.
This spreadsheet provides you with a format for the compliance risk management plan, which you can either create for your own organisation, or you may use the fictional case study provided on the Online Campus. Remember to only use the fictional case study provided if you have chosen not to use your own organisation (or another organisation you are familiar with).
CASE STUDY
Case study: Lightning Communications and GS Bank initiative
Lightning Communications is a large telecommunications service provider listed on the Johannesburg Stock Exchange. It has many stakeholders across South Africa and caters for both private and corporate services. The total client base consists of approximately 40 million customers, the bulk of which are private persons.
The board and executive committee of Lightning Communications have recently engaged in discussions with one of the large retail banks in the country, GS Bank. GS Bank also has a large client and stakeholder base across the country. GS Bank is one of the Southern African Development Community (SADC) region's largest retail banks, and one of the largest three in South Africa. It has a total client base of approximately 16.5 million clients, with 28 million cards in issue (including debit, credit, and petrol cards).
Discussions between the two organisations have focused on the alignment of several mutual interests. There are three critical points of alignment that the GS Bank executive committee has proposed to implement operationally within the next 12 to 18 months:
Lightning Communications will provide location tracking and GPS data of private persons to GS Bank. The idea is that by using this data set, GS Bank can better track the movement of its customers to offer them a better, more personalised service linked with their accounts. This would include retail specials and petrol discounts at specific filling stations, among other incentives.
GS Bank can use this same data for know your customer purposes. The argument is that the GPS and location data provide a far more accurate, real-time picture of the actual place of residence of their clients.
Lightning Communications can incorporate a secure payment method for accounts and a scan-to-pay function through its app. Both functions would rely on a pay-gate service using the GS Bank's current
Note:
Check that you have populated the columns up until, and including, Column G for at least 12 rows. Do not fill in the blue section called Compliance monitoring plan yet (Columns L to T).
For this part of the ongoing project, you do not need to look at the Control environment and Control design details tabs (Columns H to K of the Compliance risk management plan tab). You are also not yet required to use the Control design considerations tab, which you will only need for the Module 6 submission, or the Monitoring rationale tab, which you will only need for the Module 7 submission.
Questions Below
Part 1 of the ongoing project requires you to create a risk matrix for your risk management plan, for which you will need to complete columns A, B, C, D, E, F, and G of the Compliance risk management plan tab. You will need to use the Risk matrix and Risk rating scales tabs in order to do this. Follow these steps to complete the relevant sections:
Consider the context of the organisation: Before completing the spreadsheet consider the context of the organisation; for example, where the organisation is based, the industry it is in, the size, products and services, frameworks, culture, and regulations that would impact the operations of the organisation.
Identify relevant legislative acts: Conduct your own research and identify one or two acts or regulations that are relevant to the industry and nature of services of the organisation. For example, if you were creating a compliance risk management plan for a mining company, the National Environmental Management Act (NEMA) or the Mineral and Petroleum Resources Development Act (MPRDA) would apply to the organisation.
Decide on relevant chapters or extracts from the chosen legislation: Legislation is separated into chapters, and each chapter is often divided according to the theme it attempts to address. Read the contents page of the legislation carefully to determine which chapter would be relevant to your organisation or the case study. For this ongoing project, you are required to identify at least 12 extracts from the chosen legislation, but you may include more. Each extract should be considered a compliance obligation and included in its own row in the spreadsheet. Add the extracts or chapters from these acts to the tab called Compliance risk management plan under the heading Regulatory provision (Column A).
Highlight areas of concern or compliance obligations: Provide an interpretation of each extract in the Interpretation of section column (Column B). To do this, find phrases or statements that you think could be classified as compliance obligations. Remember that all stakeholders will have an understanding of law text. Therefore, you should provide a simple interpretation of the text you have highlighted, and this interpretation can also be seen as the compliance obligation that needs to be fulfilled. You should be aware of any phrases that are ambiguous or unclear, or phrases that are prescriptive. You may choose to add the legislative shorthand, such as Article 33 of the GDPR; however, inserting the actual extract will make it easier for you to analyse.
Identify the risk drivers: Remember that risks and risk drivers are a pivotal part of your risk management plan, as they will inform the nature of your risk rating scales. Therefore, it is advised that you populate this section of your compliance risk management plan with as much detail as possible. This section is split into two columns called Risk drivers (Column C) and Consequences (Column D).
Create impact and likelihood scales: Navigate to the second tab in the spreadsheet, the Risk rating scales tab. This sheet contains generic risk impact and risk likelihood scales. Alter the scales in the sheet to better suit the context of your chosen organisation. There is a generic risk matrix in the third sheet called Risk matrix that you should use when editing the scales.
Assign risk ratings: Navigate back to the first tab, the Compliance risk management plan, and assign an impact (Column E) and likelihood (Column F) rating for each extract. If you click on the cell a little arrow will appear and you can choose a risk number and a likelihood letter. The combination you choose will automatically reflect in Column G. You will notice that this automation is linked to the risk matrix
[Spreadsheet screenshots: COMPLIANCE RISK MANAGEMENT AND MONITORING PLAN, [NAME OF ACT/REGULATION/THEME]. Tabs: Compliance risk management plan | Risk rating scales | Risk matrix | Control design considerations | Monitoring rationale. Sample cell text: "Information provided by the consumer should be verified with their bank, SARS and DHA."]

RISK RATING SCALE

Impact scale (Ratings, Compliance impact):
- Fines and penalties exceeding R15,000; imprisonment exceeding 30 days; no reputational impact
- Fines and penalties exceeding R30,000; imprisonment exceeding 60 days; minor reputational exposure (no major media coverage)
- Fines and penalties exceeding R70,000; imprisonment exceeding 90 days; fair reputational damage (local media coverage)
- Fines and penalties exceeding R150,000; imprisonment exceeding 6 months; fair reputational damage (short-term local media coverage)
- Fines and penalties exceeding R250,000; imprisonment exceeding 12 months; severe reputational impact; executive pressure to resign; licence implications (national media coverage or long-term local media coverage)

Likelihood scale (Category, Description, Likelihood (probability), Criteria):
- A, Certain, 90%: Impact occurs now. Impact may occur within days.
- The impact is highly likely to occur. Impact may occur in a few weeks.
- There is a large chance that the impact will not occur. Impact may occur within months.
- The impact may occur, but it is difficult to anticipate. Impact may occur in years.
- Unlikely that the impact will ever occur. Impact will only occur under extreme conditions.

Control design considerations tab, rows for each control: Details from CRMP, Regulatory provision, Risk drivers, Risk level (impact and likelihood rating), Rationale, Relevant existing controls, Suggested additional controls, Timeline, Responsible parties.

Monitoring rationale tab, rows for each control (Control 1 to Control 5): Details from CRMP, Regulatory provision, Risk level (impact and likelihood rating), Suggested additional controls, Rationale, Monitoring stakeholders, Monitor method, Frequency.