RSK4801

Suggested Solutions Operational Risk Management

Year module

Department of Finance, Risk Management and Banking

1. PURPOSE OF THE ASSIGNMENT AND ASSESSMENT ON POSTGRADUATE LEVEL

The purpose of this assignment was to cover the fundamentals of the module and to prepare students to answer essay questions based on case studies. Assessment plays an important role in the learning process and there are different types of performance standards that one can use when assessing performance. This module is based on the mastery of specified learning outcomes, which, together with the assessment criteria, are included in your study guide and Tutorial Letter 101. Standards for accrediting qualifications are set by the South African Qualifications Authority (SAQA), which oversees the National Qualifications Framework (NQF).

The two assignments form part of the formative assessment in this module. They are used to assess your progress during the year and provide feedback which you can use to improve your future performance in this module. In addition to being assessed on the learning outcomes of the module, you will also be assessed on the critical cross-field outcomes (CCFOs) associated with the module and with postgraduate studies in general. These CCFOs are generic outcomes that inform all teaching and learning and have been integrated with the formative and summative assessment in this module. The following table indicates the appropriate CCFOs and the practical examples for assessment.

CCFO: Organising and managing oneself and one’s activities responsibly and effectively
EXAMPLE: Submitting your completed assignment on or before the due date is an indication that you have mastered this outcome

CCFO: Collecting, analysing, organising and critically evaluating information
EXAMPLE: Searching for other sources, incorporating different views and forming a substantiated opinion is an indication that you have mastered this outcome

CCFO: Communicating effectively using language skills in written presentation
EXAMPLE: Adhering to the technical requirements for an essay/case assignment is an indication that you have mastered this outcome

For more information on the CCFOs, please visit the South African Qualifications Authority (SAQA) website at http://www.saqa.org.za.

At this early stage of your learning experience we have to sound a warning. Simply memorising and presenting the content of your prescribed books will definitely lead to poor results. It is our duty and privilege to give you the guidance and assistance necessary to make your learning experience at UNISA worthwhile. However, as a postgraduate student you are responsible for ensuring that you pass this module. This means that you have to work on a regular basis throughout the year. We will give you all the support that we possibly can but, ultimately, it is up to you to decide how you are going to master the required skills. We strongly encourage you to either form study groups with fellow students in your area or to join an online study group via myUnisa.

SUGGESTED SOLUTIONS FOR ASSIGNMENT 01

An announcement with general feedback on Assignment 01 will be made during August. The purpose is to highlight general mistakes and guidelines and areas for improvement.

The assessment has been done by considering the questions as a whole. A mark has been allocated on a rubric for every question. Please note that each question was rated in its totality and not by counting the different ticks. (One tick does not represent one mark.)

Question 1 30 Marks

The purpose of this question was to introduce students to learning with case studies. You were therefore required to read the Benchmark case critically with the objective of understanding the facts presented in the case study, and then to compare the facts of the case with a theoretical framework – in this instance, the requirements of the King III report with regard to risk management and internal audit. Although the focus of this course is not on the King III report, it provides the context for the operational risk framework, which is important for the module.

Suggested solution

KING III

Governance of risk

The board’s responsibility for risk governance

∙ The board should be responsible for the governance of risk

∙ The board should determine the levels of risk tolerance

∙ The risk committee or audit committee should assist the board in carrying out its risk responsibilities

The board should delegate to management the responsibility to design, implement and monitor the risk management plan

Risk assessment

∙ The board should ensure that risk assessments are performed on a continual basis

∙ The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks

The board should ensure that management considers and implements appropriate risk responses

The board should ensure continual risk monitoring by management

The board should receive assurance regarding the effectiveness of the risk management process

The board should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders

Audit committees

The board should ensure that the company has an effective and independent audit committee.

Membership and resources of the audit committee

∙ Audit committee members should be suitably skilled and experienced independent non-executive directors

∙ The audit committee should be chaired by an independent non-executive director

Responsibilities of the audit committee

The audit committee should oversee integrated reporting

∙ The audit committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities

Internal assurance providers

∙ The audit committee should satisfy itself of the expertise, resources and experience of the company’s finance function

∙ The audit committee should be responsible for overseeing of internal audit

∙ The audit committee should be an integral component of the risk management process

The audit committee is responsible for recommending the appointment of the external auditor and overseeing the external audit process

The audit committee should report to the board and shareholders on how it has discharged its duties

Compliance with laws, rules, codes and standards

The board should ensure that the company complies with applicable laws and considers adherence to nonbinding rules, codes and standards

The board and each individual director should have a working understanding of the effect of the applicable laws, rules, codes and standards on the company and its business

Compliance risk should form an integral part of the company’s risk management process

The board should delegate to management the implementation of an effective compliance framework and processes

Internal Audit

The board should ensure that there is an effective risk based internal audit

Internal audit should follow a risk based approach to its plan

Internal audit should provide a written assessment of the effectiveness of the company’s system of internal controls and risk management

The audit committee should be responsible for overseeing internal audit

Internal audit should be strategically positioned to achieve its objectives

BENCHMARK

The key elements within the governance structure relevant to this matter are:

Board and board committees:

∙ Main Board (the Board).

∙ Board Audit Committee (BAC).

∙ Board Risk Committee.

Benchmark only had an audit committee but not a risk committee. The risk committee was established later. The audit committee acted as the risk committee, but due to the workload, insufficient attention was given to risk.

Although there was no formal delegation of market risk monitoring functions to the BAC prior to the formation of the BRC, it is arguable that the BAC took on a market risk monitoring role in the absence of explicit market risk oversight and monitoring that occurred at Board level. There is also evidence to suggest that BAC had a number of opportunities to discuss market risk management issues in 2011, principally due to the elevation of issues via the Regulator’s letter and the external auditor, JAFUA.

The audit committee did not escalate the potential seriousness of limit excesses to the main board. Management was also effective in downplaying the potential impact of these events.

Even though internal concerns about traded market risk, the integrity of the VaR measures and the operation of the currency options desk were raised and discussed internally by executive management within CIB and MR&PC, these issues and concerns do not appear to have been elevated by executive management to the BAC through the various escalation channels that existed.

The audit committee was also ineffective in dealing with adverse reporting by the regulators as it did not table the report at the main board. The report included comments on:

∙ lax approach to limit management;

∙ culture of poor adherence to risk management policies;

∙ inadequate sourcing of revaluation rates;

∙ problems with interfaces to the Infinity risk engine;

∙ no formal validation or back-testing for the bank’s approved VaR model; and

∙ inadequate stress testing.

The BRC was created by the Board in August 2011, its charter was approved by the Board in October and its first meeting was in November. Under the BRC reporting framework, the risk and finance functions reporting to the BRC would report on risk strategy, appetite and control frameworks. These divisions will then report the outcomes of control frameworks to BAC. The BRC would address all elements of risk including market risk, although it was acknowledged that credit risk would be a significant component of the Committee’s deliberations.

In particular, the BRC’s charter explicitly notes that it is to “Ensure that the Group has a comprehensive independent market risk control framework in operation” and it is to “Review and set Value at Risk (VaR) limits”.

At the BRC meeting in November 2011, the BRC received an overview of the market risk profile of CIB and the risk measurement framework from the Head of MR&PC. It was noted that the average usage for 2010/2011 was approximately R22.4 million, which was well within the maximum VaR limit for the group of R80 million. Although the analyses of VaR by region and product were reviewed, there is no record of discussion or escalation of VaR sub-limit breaches at the BRC even though these were well known by MR&PC at the time.

Internal Audit completed a number of reports on the operation of the currency options desk, including an assessment of internal controls and the currency options trading system. For example, in 2009, internal audit rated and raised issues defined as “Serious matters for the attention of the Managing Director and reportable to BAC”. However, under a revised rating system for the elevation and escalation of audit issues to the BAC, these serious issues were not raised for consideration and discussion at the BAC.

Among the lessons identified from the other banks’ failings, the report noted that alarm bells should ring when the following occur:

∙ “Weaknesses identified by Audit or Regulators are not quickly and permanently resolved;

∙ breaches of limits are not quickly and independently investigated; and

∙ there is a culture that allows undue influence or bullying to prevail over due process.”

Even though internal concerns about traded market risk, the integrity of the VaR measures and the operation of the currency options desk were well known to internal audit because of its past reviews of the desk, these issues and concerns do not appear to have been elevated to BAC because they were below the internal audit threshold for issue escalation.

The Head of Internal Audit reported regularly to the BAC in the form of summaries of internal audit work completed and the elevation and presentation of serious audit issues within the business. In addition to regular attendance at BAC meetings, the Head of Internal Audit was able to meet in private sessions with members of the BAC when necessary to elevate and escalate concerns about risk management and internal controls.

Regular meetings are scheduled between internal audit and external audit at both the highest and senior management level. Between February and August 2010, an ADFA partner was seconded to take up the position as Acting Head of CIB Internal Audit. It appears that the regular scheduled meetings between the ADFA secondment and their external audit counterpart did not take place. It is likely that this adversely impacted on the level of communication between internal audit and external audit over this period.

GAP AND RECOMMENDATIONS

A bank with such a complex structure and products should have a Board Risk Committee (which was established at a later stage).

Matters reported by internal, external audit and the regulators should have been tabled at the main board for notice and discussion.

Management should have been reprimanded for not rectifying audit findings and concerns raised by the regulator.

The underlying principle is that the board and even its committees were starved of reliable business intelligence, i.e. proper feedback on the findings of the regulators, external auditors, internal auditors and the risk management function. CIB management was also able to suppress information and ridicule the assurance providers. Furthermore, no one was prepared to ask the tough questions and ask for proper explanations. The culture of the bank did not encourage open and frank communication.

The workload of the audit committee was also unacceptable and reports highlighting control weaknesses did not receive sufficient attention. Another problem is whether all the people on the audit committee had sufficient understanding of the implications of some of the control weaknesses and regulatory concerns, and whether these would have been understood even if they did make it onto the agenda of the meeting.

Hindsight remains perfect and it is possible to draw parallels between the conduct of Benchmark’s board and events that are currently unfolding in both the public and private sector in South Africa.

Question 2 20 Marks

The purpose of the question was to give students the opportunity to classify risks in terms of the risk definitions and to demonstrate how difficult it sometimes is to classify risks, as the consequence of the event can be caused by a number of different factors. In practice, this is known as the boundary effect.

Although it may appear to be trivial, the profitability of a department or division can be impacted significantly by loss events. Banks and insurers also have to calculate regulatory capital, and for operational risk, loss experience is one of the factors considered to calculate the capital. The incorrect classification of risk can therefore have a significant impact on a department or division, both from a profitability and regulatory capital aspect.

The identification and classification of risk are also important for exam purposes as you will be required to identify and classify risk. You will not receive marks where the risks are incorrectly classified.

Below is the suggested solution for the classification of the events. We added an explanation where there is a boundary effect. Work through the examples and ensure that you understand the reasoning for the classification. You needed to convert the foreign exchange in the loss register to South African Rand. To convert American Dollar (USD) to rand, multiply the dollar amount with the exchange rate e.g. $1000 x 7.11789 = R7 117.89. You can use the same principle for the other currencies.

DESCRIPTION / CREDIT / MARKET / OPERATIONAL RISK (PEOPLE, PROCESS, SYSTEMS, EXTERNAL)

Trader on the FX desk processed the transaction as buy instead of sell R 151,975.99

AML function took wrong directional view on interest rates. Loss on swap curve. R 1,573,035.00

Bond options trader captured expiry date wrong R 604,980.02

SAFEX penalty for late margin calls. Clearing House official did not contact broker for payment. R 100,000.00

JSE penalty for late bond settlements. Missed settlement window due to offshore counterparty processing transaction late. R 150,000.00

Customer claim for bad derivatives investment advice R 150,000.00

Interest on late Citi Bank collateral calls. Incorrect calculation by clerk R 249,129.30

Duplicate payment to Lloyds Bank R 231,288.00

Payment to Sumitomo into wrong act loss was ¥156312 due to change in currency R 14,553.07

Payment fraud by Triad syndicate R 6,500,000.00

JSE penalty for late settlements. Recon outstanding for cleared funds. R 450,000.00

Goodwill payment to Big Shot Ltd because business online was down over month end R 600,000.00

Fraud due to sharing of passwords by payment staff R 300,000.00

Teller difference R 15,687.00

Teller difference R 5,962.00

Teller difference R 1,114.00

Teller difference - new teller R 214,509.00

Polokwane branch R 100,250.00

Staff fraud R 56,000.00

Fraudulent payment by staff member R 30,000.00

Cash centre R 15,600,000.00

BA 800 submitted incorrectly R 5,000.00

Teller difference R 32,418.00

Teller difference R 35,167.00

Stolen cheque book Bob Mugabe R 10,000.00

Loaded incorrect ATM fee increases for July - EXCO decided not to backdate increases for sensitivity to reputational risk R 235,145.00

Staff fraud R 342,190.00

Lost guarantee P Pompies R 500,000.00

BA 800 submitted incorrectly (Jun) R 10,000.00

Irrecoverable losses due to not follow up of excess reports R 753,451.00

Bad debt written off: JMM Construction R 2,567,000.00

Bad debt written off: BC Construction Supplies R 654,789.00

Access payment for motor car accident claim R 5,000.00

Access payment for motor car accident claim R 5,000.00

Access payment for motor car accident claim R 5,000.00

Late registration of bonds due to strike - penalties/interest claims to customers R 105,678.00

Staff fraud R 10,300.00

Staff fraud R 53,800.00

Teller difference R 23,749.00

Teller difference R 43,671.00

Interest claim by client because of bad service (customer not informed of change in interest rates) R 73,421.00

Commodities trader captured incorrect amount R 317,291.08

Write off due to incorrect model parameters on 5 year CDO R 150,000.00

Embossing fraud - card cloned CR R 15,000.00

Charge back recon differences R 256,896.00

Interest claim due to late SWIFT transfer R 15,352.00

Processing official used incorrect rate R 7,829.78

Damage to premises due to ATM bombings (consolidated) R 7,000,000.00

ATM bombings (money stolen) R 11,890,650.00

Branch teller differences R 165,631.00

TOTAL PER CATEGORY: Credit R 3,221,789.00; Market R 1,573,035.00; People R 4,470,542.24; Process R 1,506,896.00; Systems R 600,000.00; External R 41,015,650.00

NUMBER OF EVENTS: Credit 2; Market 1; People 35; Process 5; Systems 1; External 6

The purpose of the histograms was to give you the opportunity to graphically illustrate the final classification, frequency and amounts of the events in the risk register. Few students indicated either the frequency or the amounts. The histograms were also not discussed and the presentation to EXCO would have been unacceptable.

Question 3 30 Marks

Operational risk definition

Operational risk is the risk of losses due to inadequate or failed internal processes, systems and people and external events. This can include legal risk, but excludes reputational and strategic risk. The factors for operational risk are clearly defined to make it possible to measure it. As soon as it can be measured it can be managed effectively. It includes legal risk because legal risk can be measured in terms of losses suffered through penalties and fines as a result of, for example, breaches of contracts and regulations. It usually excludes reputational and strategic risks as these risks are difficult to measure and thus to manage as a specific risk type.

Benefits of operational risk

The benefits of operational risk management are discussed in Chapter 2 of the prescribed book.

Operational risk framework

Risk management should start with the analysis of the overall business strategy and objectives of the organisation. Subsequent changes to the strategy should also be considered and changes made where necessary. An operational risk management framework also enables the practical implementation of governance. Governance provides an over-arching organisational structure within the organisation’s culture and also establishes the three lines of defence, i.e. line management, risk management and the independent assurance providers.

The operational framework can take many forms and the frame most often used is:

Identify the risks

The first step in the process is to understand the business in order to identify the risks. Methods that can be used to gain an understanding of the business and to identify risks are inter alia:

∙ Workshops and interviews

∙ Questionnaires

∙ Risk process flow analyses

∙ Checklists

∙ Losses history

The purpose of the process should also be clear in order to raise awareness, track the risks and assess the financial impact of the risks.

Evaluate the risks

Risk evaluation is the assessment and measurement of the identified risk exposures with the aim to manage and control the risks. In order to do this, the risks should be measured to enable management to manage them.

Operational risk can be measured in quantitative and qualitative terms. The quantitative approach aims to quantify risk in numerical terms. The qualitative approach aims to evaluate the risk exposures that cannot be calculated. The risk exposures are analysed in terms of rating scales to determine the possible impact and likelihood of the risk events.

Control the risks

Once the risks have been evaluated, strategies can be developed to control the risks. Risks can be preventative, detective or contingent. The objectives of a risk control programme will be to reduce the potential effect of the loss and to prevent the likelihood of the risk occurring.

The control strategies can be to avoid the risk, transfer the potential effect of the loss event, accept the consequences or improve the internal control measures to manage the risk.

Finance

The aim of risk financing is to ensure that the cost of risk and the cost of the risk management process do not exceed the potential benefits provided to the organisation. The risk management process can therefore require a pre-financing or post-financing policy. The pre-financing of operational risk can include methods such as insurance or self-insurance, while post-financing can include the use of cash resources or debt.

Monitoring

The monitoring of risk includes regular management and supervisory activities and the other actions employees undertake in their daily activities. It is important that senior management is involved in the monitoring of risk. Reporting forms an integral part of the monitoring process. Reports can be produced for different users, e.g. the external stakeholders such as regulators and the shareholders, internal stakeholders at strategic level such as the board and EXCO, senior management and line management.

It is important that the risk is managed as close to the source as possible. The different levels of users will have different objectives, e.g. the board and EXCO will need less frequent reports to enable them to manage trends and evaluate the strategies, in contrast to line management that needs more frequent reports to rectify transactions. Line management requires daily/intra-day reports, senior management monthly, the board quarterly and shareholders annually.

The risk strategy should consider various risk functions as it determines aspects such as risk tolerance limits and capital allocation processes. A strategic planning process for operational risk management consists of the following five steps:

Collate data

Collate the data with respect to the business strategy and objectives to determine the operational risk management requirements in terms of resources and risk mitigation tools. The information will also assist with the operational risk management planning process.

Evaluate data

Evaluating the data assists in determining the current operational risk profile. Quantitative and qualitative data are used to determine the likelihood and impact of potential events on the business. Control self assessments, key risk indicators and the loss history (internal and external) can be used to develop the operational risk profile.

Formulate risk management objectives

It is important to determine the short-, medium- and long-term objectives of managing operational risk. The short-term action plans must be formulated for the short-term objectives, including the tools that will be used to execute the plans. The operational risk policy is also important to support the organisation in achieving its business objectives. It is therefore important that the policy is approved by the board. Components of the operational risk policy are:

The operational risk definition

It is important that the organisation should use the same terminology with regard to the definition and classification of risks and the reporting of direct and indirect losses/costs and near misses, and that it is used consistently throughout the organisation.

Statement on the operational risk appetite

It is important to determine the tolerance of the organisation for a potential loss. This will form the basis for the formulation of operational risk objectives and should be included in the operational risk policy.

Monitoring and reporting

The purpose is to monitor the execution of risk management action plans. The use of the operational risk management tools will enable the risk manager to continuously identify and evaluate operational risk management exposures and determine the adequacy and effectiveness of the controls and ultimately ensure the success of the business strategy.

This question was the most theoretical question of the assignment. Most of the information is available in the prescribed book. What was important is the structure of the answer to ensure completeness of the framework, but also to argue or explain why you recommended a specific framework as there are different frameworks in the prescribed book.

Question 4 20 Marks

Characteristics of risk indicators

Many organisations err in identifying too many indicators and also classifying them all as key risk indicators.

The following can be regarded as characteristics of good risk indicators:

Relevance

The risk indicator must be linked to the organisation’s operational risk exposures and provide management with a quantum regarding the levels of exposure and the degree to which such exposures are changing over time. It is also important to review indicators periodically for relevance as it can also change over time from the perspective of the users of the indicator. Three criteria can be used to determine relevance:

∙ Specific focus indicators: Focused on a single exposure area.

∙ General focus indicators: Cover a specific area of activity and provide a general impression of current exposure levels or activity.

∙ Common or generic indicators: Can be used anywhere in the business, usually by adding specific context.

Measurable

Risk indicators must be capable of being measured repeatedly and with certainty. To be measurable, an indicator should meet the following criteria:

∙ Must be quantifiable as an amount, percentage, ratio, number or count.

∙ Must have values which are reasonably precise and a definite quantity.

∙ Must be comparable over time.

∙ Must be reported with primary values and be meaningful without interpretation or some subjective measure.

Predictive

Indicators can provide a leading, lagging or current perspective of the operational risk exposures of the organisation.

Although there is a need for leading indicators, these are the most difficult to develop as a simple projection of the future based on historical events will most probably sacrifice accuracy and therefore reliability. For an indicator to be fully predictive requires significantly more context, which implies that single indicators by themselves are of little use. To overcome this challenge, practitioners are moving towards the development of composite or index indicators. An important requirement for developing a composite or index indicator is to understand both the causal and underlying relationship with specific datasets to ensure the appropriate groupings of related indicators.

Lagging indicators provide useful information regarding the historical causes of loss or exposure. They can also be useful where losses are initially hidden or where changes in historical trends may reflect changes in circumstances that may have some predictive qualities.

Current indicators provide a current view of operational risk exposures and may identify a situation that requires attention to reduce an exposure or minimise a loss.

Easy to monitor

Organisations often find it difficult to source the data that can be used for risk indicators, especially where the data architecture of the organisation is complex. The requirements to ease the monitoring are:

∙ The data should be simple and relatively cost effective to collect, quality assure and distribute.

∙ The data should be relatively easy to interpret, understand and monitor.

Auditable

Management will place significant reliance on risk indicators and it is therefore important that they are accurate (sourced and calculated), complete and timely. The operational risk management department must be satisfied with the quality and, as a governance measure, the internal audit function should include the indicators as part of its audit coverage.

Comparability

The indicator identification and selection process of an organisation should assess the level of comparability with benchmarks in and across the industry to ensure that the users of the indicators have a better understanding of the exposure levels that the indicator relates to.

Establishing KRIs and KCIs

Identifying KRIs and KCIs can be difficult as each organisation is unique and although industry benchmarks are available, they still need to be adapted to suit the individual organisation. The prescribed book discusses a number of ways that can be used to identify indicators.

To make the use of indicators more effective, organisations establish targets or thresholds to link indicators with the risk appetite of the organisation and to prioritise indicators for management purposes. This enables management to focus their efforts where necessary.

It is also important to determine the frequency of recording and reporting the indicator. There is a direct link between the frequency of the event and the recording and reporting thereof.

Few students referred to the GARP Article. The article illustrates the danger in using only one metric, especially if the metric is not properly defined. Furthermore, too much emphasis on one component can lead to the wrong behaviour as experienced by Walmart/SAMS CLUB and even Benchmark Bank.

[TOTAL 100 MARKS]

REFERENCE

Blunden, T. & Thirlwell, J. 2010. Mastering Operational Risk. Harlow: Pearson Education Ltd.

Davies, J., Finlay, M., McLenaghen, T. & Wilson, D. 2006. Key Risk Indicators – Their Role in Operational Risk Management and Measurement. Risk Business International. http://d.yimg.com/kq/groups/12093474/1290864495/name/McLenaghenTara3.pdf (Accessed 2011/04/20).

King Report on Governance for South Africa 2009. Institute of Directors in Southern Africa.

Young, J. 2006. Operational Risk Management: The practical application of a qualitative approach. Pretoria: Van Schaik Publishers.