Each question receives a mark allocation. However, you will only receive a final percentage mark and will not be given individual marks for each question. The mark allocation is there to show you the weighting and length of each question.

SUBMISSION DATE : $21$ November $2023$ @ $1600$hrs

Question $1$: Riskwise Risk Maturity $8$

Question $2$: ISO $3100032$

Question $3$: King IV $10$

TOTAL $50$

$3.$ Assignment questions

Question $1$

Below you will find the risk management processes of Riskwise $($Pty$)$ Ltd$,$ a fictitious company that will be used as case study.

Riskwise

The Board has requested that the Chief Executive Officer $($CEO$)$ develop and implement a risk framework. The CEO has met with her Executive Management Committee $($Exco$)$ and together they have developed a methodology and framework that they have approved amongst themselves, but have not presented to the Board for their final approval.

The General Manager $($GM$)$ of Marketing and Communications has communicated the approved version to middle management, while the Chief Risk Officer $($CRO$)$ has communicated the same to the Risk Officers in each functional area. Differences in interpretation of the methodology and framework between the GM of Marketing & Communications and the Chief Risk Officer exist.

The Risk Officers only operate within their departmental functions and are responsible for identifying the risks and developing mitigating actions for all of them. Conversations are held between the risk officers and their functional middle managers for the purposes of risk analysis, however the middle managers do not always understand how the risk officers have determined the risks or who is responsible for the management actions. The risks identified and mitigating actions are not discussed with the staff, nor is their input asked for.

The functional risks identified are then reported to the Exco and the Board by the Chief Risk Officer without further work being performed. In this way, the Exco and the Board have a full view of all the risks in the organisation, however the meetings take two days to merely discuss the risk agenda. In the discussions about the risks, new risks have been identified, however these are not communicated back to the middle managers.

Internal audit review the risks to see whether they are in agreement and challenge the completeness and validity of the risks and mitigating actions identified, but do not review the effectiveness of the risk management controls and processes in place.

From the above information, you must now determine what is the level of risk maturity of the organisation. Refer to specific examples from the case study, as well as the theory behind levels of maturity found in Section $2$ of Part $1$s notes. You will be assessed on your identification of the risk maturity level, as well as your ability to link information from the case study to Section $2$s theory in your reasoning or substantiation.

Risk maturity level: $\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_$

Explain the reasoning behind your decision. $($Max$.10$ lines$)$

Question $2$

The following questions all relate to the process set out in ISO $31000.$

$2\mathrm{.}1)$ Answer the three short questions below.

a$)$ Name the $7$ high$-$level risk processes contained in ISO $31000?($Max$.7$ lines$)$

Start writing here:

b$)$ Which three high$-$level risk processes fall under the $$Risk Assessment$$ part of the ISO $31000$ process? $($Max$.3$ lines$)$

Start writing here:

c$)$ Which high$-$level risk processes apply throughout the ISO $31000$ process? $($Max$.2$ lines$)$

Start writing here:

$2\mathrm{.}2)$ State the correct ISO $31000$ high$-$level risk process that typically best reflects the following statements:

$1.$ The process of developing the risk management framework, methodology, and risk resourcing requirements. $($Max$.1$ line$)$

High$-$Level risk process:

$2.$ The process of sharing a risk with a $3$rd party. $($Max$.1$ line$)$

High$-$Level risk process:

$3.$ The process of prioritizing risks. $($Max$.1$ line$)$

High$-$Level risk process:

$4.$ The process of obtaining an understanding of risks, controls, mitigating actions, and context from relevant persons in the organization. $($Max$.1$ line$)$

High$-$Level risk process:

$5.$ The process of integrating and analysing risk information, including controls and risk events to better understand the risk environment and any changes to the risk profile. $($Max$.1$ line$)$

High$-$Level risk process:

$6.$ The process of defining the risk evaluation requirements. $($Max$.1$ line$)$

High$-$Level risk process:

$7.$ The process of developing a comprehensive list of risks. $($Max$.1$ line$)$

High$-$Level risk process:

$8.$ The process of sharing information on risks with all relevant people in a timely manner. $($Max$.1$ line$)$

High$-$Level risk process:

$9.$ The process of understanding the risk, including the key drivers and potential outcomes. $($Max$.1$ line$)$

High$-$Level risk process:

$10.$ The process of considering the costs of mitigating a risk with the benefit of reducing the risk.