Specimen Coursework Assignment

M67 – Fundamentals of risk management

The following is a specimen coursework assignment including questions and indicative answers.


It provides guidance to the style and format of coursework questions that will be asked and indicates the length and breadth of answers sought by markers. The answers given are not intended to be the definitive answers; well-reasoned alternative answers will also gain marks.

Coursework submission rules and important notes

Before you start your assignment, it is essential that you familiarise yourself with the information in the Coursework Support Centre available on RevisionMate. This includes the following information:

  • These questions must not be provided to, or discussed with, any other person regardless of whether they are another candidate or If you are found to have breached this rule, disciplinary action may be taken against you.
  • Important rules relating to referencing all sources including the study text, regulations and citing statute and case
  • Penalties for contravention of the rules relating to plagiarism and
  • Coursework marking criteria applied by markers to submitted
  • Deadlines for submission of coursework
  • The total marks available are You need to obtain 120 marks to pass this assignment.
  • Your answer must be submitted on the correct answer template in Arial font, size
  • Answers to a coursework assignment should be between 5,000 and 10,000 words in total depending on your writing style.
  • Do not include your name or CII PIN anywhere in your


Top tips for answering coursework questions


  • Read the Learning Outcome[s] and related study text for each question before answering
  • Ensure your answer reflects the context of the question. Your answer must be based on the figures and/or information used in the
  • Ensure you answer all
  • Address all the issues raised in each
  • Do not group question parts together in your answer. If there are parts [a] and [b], answer them
  • Where a question requires you to address several items, the marks available for each item are equally weighted. For example, if 4 items are required and the question is worth 12 marks, each item is worth 3
  • Ensure that the length and breadth of each answer matches the maximum marks available. For example, a 30 mark question requires more breadth than a 10 or 20 mark

M67 specimen coursework questions and answers


Question 1 – Learning Outcome 1 [10 marks]


You are the newly appointed Risk Manager for DYS plc. DYS plc is a luxury hotel chain with ten hotels in one country. Each hotel has a fine dining restaurant. DYS plc is considering purchasing a hotel in an emerging market country in which they are not operating at present.


You have reviewed DYS plc’s current risk register and found it to be outdated; there is no indication of which risks are the most significant.


Explain, with justification, two significant risk types facing DYS plc. [10]



Answer to question 1 [Learning Outcome 1]


As the new Risk Manager, my view of the top two risk types to consider if locating a DYS hotel in an emerging market could be as follows: [CII study text, M67/P67 Fundamentals of risk management 2018-2019]

  1. Regulatory and legal


This is such a large area to understand and keep up to date with and it impacts across the whole business operations. We will need to become familiar with regulations applying in the new country and the legal framework in our chosen territory. It will be important that we comply with local governance, accepting this is likely to be very different to the territories in which we are currently operating. We will need to understand the business culture and work within the legal requirements. Emerging markets may have different agendas in terms of competition and sometimes operate a slightly unfavourable system which can be seen as dishonest or even a bribe. The regulations will impact on the way we arrange and administer our insurance programme including any claims and payment of insurance premium tax. We will need to understand all the legislation around employment, contracts workers’ rights, training staff and any issues in deploying managerial staff from other locations to set up the new hotel. Another area of legislation that has a bearing on our business is health and safety both for staff and customers. This will cross over into the food hygiene and having clear procedures and traceability in terms of our suppliers.

  2. Reputational


Although categorized as a luxury hotel, we remain small and can protect our brand. Moving into an emerging market could bring unknown threats which have potential to damage our name. Almost 20 years ago there was an attack in Sri Lanka by the Tamil Tigers which caused extensive damage to the Hilton Hotel and several guests were injured in the attack. Terrorism while not the fault of the business can easily damage a reputation. Were we to suffer a similar attack it could be a reason for guests to find alternatives. It means we must do our research before committing to a new territory. Political unrest is an area to consider and the potential impact on reputation if we do not manage the risk. As service to our guests is paramount to our reputation we must consider any problems in our fine dining title. We need to ensure the high standards that we practise continue in any new location and prevent any hygiene issues or food poisoning class actions which could challenge our professional standing in the luxury hotels.


Question 2 – Learning Outcome 2 [20 marks]


You are the Head of Internal Audit for ABC plc, a multi-national insurance broker. ABC plc has recently acquired a smaller regional insurance broker that specialises in a service where ABC plc has no prior experience. ABC plc’s practice is to undertake an internal audit of the risk management function of any new acquisition.


[a] Identify, with justification, who should be involved in an effective internal audit of the risk management function of the newly acquired smaller regional insurance broker.  



[b] Explain, with justification, two advantages for ABC plc of conducting the internal audit.  


[c] Explain, with justification, two challenges for ABC plc when conducting the internal audit.  




Answer to question 2 [Learning Outcome 2]


  [a] This will depend on the organisation, but I would suggest the internal audit team [preferably two auditors] plus a compliance officer. This can be justified as follows:

Internal auditors will carry out their usual function of reporting to the Board on adequate risk management, risk evaluation and effective policies and procedures. Their role does not require them to be accountable for risk management, as such ABC plc’s lack of experience in the new specialist service area has no bearing on the internal auditors performing their function. The compliance officer will add weight to the effectiveness of the report by looking at the adequacy of compliance in risk control procedures. The compliance officer could bring the overlap between audit and risk management.

  [b] Advantages


  1. ABC plc already has a structure in place for undertaking audits of any new acquisition and will therefore have procedures set out to follow. This will include key areas or functions of the new risk management function including the risk manager and team of employees which the Board wants information about and should help to make the task easier. The team is likely to have a tried and tested system for collecting information and an effective way of reporting the findings and making recommendations to the
  2. ABC plc’s internal auditors are aware of the regulations governing the organisation and the legal requirements the business must adhere to for compliance. The audit team will audit policies and procedures in place and how effective they are in terms of the small brokerage and its compliance with the Financial Conduct Authority’s requirements. ABC plc will have a system in place to raise awareness where potential compliance breaches could
  [c] Challenges


  1. The risk awareness culture may be different in the smaller brokerage and in addition, as the company has been acquired, the employees may not all co-operate and readily make available the information required by the internal audit The smaller brokerage may have no useful historical information and the audit team may have to start to compile information, making their role harder and more time consuming. A legal requirement that may need to be audited is in terms of customer data and compliance with the Data Protection Act 1998.
  2. The demands placed on the internal audit team are already great in terms of retaining current knowledge to respond to the business in which they operate. An acquisition places increasing demands on the team in that they must evaluate new risks, new contract terms and conditions, third party contracts and relationships, different policies in place and alignment to the corporate



Question 3 – Learning Outcome 3 [30 marks]


You are a risk manager of TBZ plc, a multi-national financial services company. TBZ plc has recently purchased a long-established call centre facility in Asia.


TBZ plc has a robust risk management process in place for its current locations. You have established that the recently purchased call centre has a weaker risk management process than TBZ plc. You have found the following issues regarding the recently purchased call centre:


  • The information gathering systems are
  • The information is stored in paper
  • The reviews of data auditing are not conducted on a regular
  • There is little identification and evaluation of external factors which would impact on the level of
  • The risks are not ranked in the risk register in order of



[a] Explain, with justification, four significant information challenges facing TBZ plc, following the purchase of the call centre.





[b] Explain, with justification, three actions you would take to improve the risk information gathering process for the call centre.  


[c] Identify with justification, three information reliability issues that TBZ plc may face when taking the three actions you have explained in [b] above.  



Answer to question 3 [Learning Outcome 3]


  [a] Four significant information challenges include:


  1. It is difficult to know how reliable the information is and whether the call centre is holding back As it is a paper based system, records may be missing or have been destroyed deliberately or not. The challenge is working with what we have for now, but factoring in what is unlikely to be complete. However, this is made harder as we do not know the extent of missing information.
  2. Without an audit process, there are likely to be discrepancies in the original information which would never have been questioned. Therefore, the inaccuracies will have grown over the length of time the information has existed. It could be the information is historical and has not been updated with any changes in the business being The acquired company is a call centre and the industry is known for rapid staff turnover, so we could find there is very little consistency in employment records and therefore no available people to discuss the reliability of the information.




  3. As the impact of external factors has not been assessed, several risks may remain unidentified or not seen as a priority. For example, the extreme weather conditions can hit Asia in an unfavourable way and prevent business continuity. For the call centre they may not have factored this in as they do not see this as a priority risk. However, a tsunami could prevent employees getting into the office to man the call centre. This will impact on the business profitability, maybe losing customers to competitors and shareholders and have a knock on to business reputation. The lack of assessment of external factors is likely to mean the call centre has no business continuity planning and the information on priority risks is not too
  4. The risk ranking could mean TBZ plc has not sufficiently considered the priority risks of its acquired business and not factored in how this could affect the risk tolerance level. There may be unknown risks or low priority risks in the eyes of the call centre that could involve large risk control measures by TBZ plc. In turn, this could make the call centre a non-profitable acquisition for TBZ The due diligence process may have been insufficient to review the risk ranking process and therefore incomplete information was provided. The challenge will be how TBZ plc turns the available information into a useful starting point.
  [b] Three risk information gathering actions:


  1. There will need to be a solid system for gathering information implemented to ensure that the call centre part of the business has just as robust a risk management system as the rest of the company. This could be in line with the existing system in place for TBZ plc or could be a brand new system for the call All data gathering will now be done online as opposed to on paper and any historical paper records will be filed and input onto an overriding system. There may have to be a specific database built to cater for the call centre that can feed into TBZ plc’s current database. Alternatively, the risk management team could give staff access to the current system and oversee the input of information into it. Databases will make it easier to search for information and will be a continuously updated tool to utilise.
  2. An auditing process must also be implemented and members of staff from either the risk management team or the internal audit team, will need to be tasked with ensuring that this happens on a regular basis and in a consistent manner. There may need to be a translator hired to assist with the auditing process and there will have to be regular reporting requirements on any findings of the
  3. A complete review of external factors must be undertaken – these could include events that countries in Asia may be subject to, rather than the other countries that TBZ plc operates in, such as earthquakes or large storms. There will need to be information gathered as to the frequency and severity of these events and research into local laws and regulations that TBZ plc will be subject to, having purchased this External information may be gathered from the call centre’s staff or existing insurers. It can also be researched on the internet, in the local press and in any historical company reports that the call centre would have issued. There may be communication issues that could pose as a risk, as it may deprive the main company of customer information for a stretch of time whilst the issue is resolved.

[c] Three information reliability issues:


  1. This will only provide information on insured risks and therefore not give a complete risk picture. The surveys may be insufficient in facts as while there may be a health and safety survey, it could be historic and not relevant to current employees or working There will not be information concerning employment recruitment or training which will all need to be collated.
  2. The time taken to achieve this could be great, so somehow, I will need to avoid an information overload. There will be a lot that is irrelevant and the challenge will be finding a way through to get the information I need. Additionally, an acquisition does not always bring with it a happy workplace and the art will be in getting the call centre employees’ support and gaining their confidence to help the information
  3. Like point 2, there could be an information overload so selecting engine searches and meetings and conferences to attend will prove challenging. While networking is useful it can be very time consuming so it is important to choose well. There is also the chance the information found is not on a like for like basis, i.e. we could be comparing a risk mature organisation with an operation not so focused on risk management. This all must be considered when dissecting and using the information.


Question 4 – Learning Outcome 4 [10 marks]


You are the Risk Manager for a small UK-based IT company which was independently owned. The IT company has just been bought by TJ Holdings, a large Japanese manufacturer of consumer electronic products.


The Head of Risk for TJ Holdings has arranged a meeting with you to discuss risk categorisation.


[a] Describe, with justification, one significant potential problem relating to the categorisation of risk between the IT company and TJ Holdings.  


[b] Describe, with justification, one method to mitigate the potential problem you have described in [a] above.  



Answer to question 4 [Learning Outcome 4]


Categorisation of risk is defined in accordance with the operations of the business and takes account of size, markets, financial liquidity etc. [CII study text, M67/P67 Fundamentals of risk management 2018-2019]

  [a] For the two companies in question the descriptors will be different. The small UK IT company will focus on mitigating short term risk categories which could fall into medium to long term risks for TJ

For example, looking at credit risk, the UK IT company places this as a short-term risk and we have procedures in place for invoices unpaid after 30 days. Lack of payment by our customer or failure to supply can seriously damage our business and even force us to lose orders and subsequently close. We have therefore, always instigated stringent terms and conditions in our contracts. We never fail to act on unpaid invoices. One unpaid invoice can have a knock-on effect for us ordering critical supplies or paying wages.

However, TJ Holdings categorises its credit risk as medium term, as not only does it have a much greater supply and customer source thereby spreading the risk, the company can afford to take a more positive risk appetite in this category as its financial standing is on a far greater scale than ours. They operate 90 day invoice systems and negotiate the same with their own suppliers; this gives them a cash flow advantage.

[b] While both organisations categorise credit as a risk, the overlap between other risks is currently very different. A priority in risk management and in the acquisition of the smaller company will be to align both categorisation and risk ranking. The risk category is a similar descriptor for both companies; however, it will be logical to bring the ranking in line. A way of achieving this for the credit risk will be to review all the customer and supplier profiles of the two businesses. There may be customers and suppliers that appear on both lists and therefore this identifies an aggregation which needs addressing. There could be benefits generated from this so it is likely the new larger company will want to continue relationships here. Once the company has reviewed its customer supplier base it can look at any susceptible areas, i.e. continual late payers or financially weak suppliers and make decisions. It will be beneficial to manage by looking at the probability of any of its customers/suppliers becoming insolvent or those less able to pay. The new operations will then be able to reissue contracts and implement credit terms that fit with the risk tolerance of the larger group. It may be the risk still ranks at medium term but invoice payment terms compromise at 60 days.


Question 5 – Learning Outcome 5 [20 marks]


You are a newly appointed risk manager for PE plc. PE plc is a UK-based petro-chemical company which operates a major refinery. You are reviewing the risk exposures of the refinery which has the following features:


  • It is located near a large
  • It is adjacent to a main railway line and motorway
  • It is a major supplier of aviation
  • 300 people are employed directly plus 100 sub-contractors.


After reviewing the risk exposures, you find that PE plc has comprehensively identified individual risks for each of the above features. However, PE plc has not analysed the potential impact of a major incident involving two or more of the above features.


[a] Explain two potential consequences for PE plc of only analysing risk exposures on an individual basis.




[b] Explain, with justification, four activities you should undertake to better understand the overall risk exposure of PE plc.




Answer to question 5 [Learning Outcome 5]


  1. By considering the risks on an individual basis we would fail to understand or measure the full impact should more than one feature become For example, an explosion at the refinery during a production closure for Christmas would be a very different outcome to an explosion at the refinery when the supply of aviation fuel is waiting collection. To fully assess the risk, i.e. quantify maximum possible loss, all features of the risk exposure would have to be considered and the calculation would have to allow for all features being present. By considering all features we can better assess the risk aggregation and the overall impact if all features were present at the time of an event.
  2. Another potential problem, if the risk features are only considered in isolation, is the failure to correctly calculate the probability. For example, a small fire on the premises that can be contained and dealt with by the on-site fire service has a higher probability than a much larger fire which has an increased likelihood of However, add to the spreading fire risk a major rail disaster, which all emergency services are attending to, then the spreading fire risk can easily get totally out of control and become a major disaster. While the probability of the latter is smaller the impact of the disaster would be far greater. Hence all risk features need to be considered.


  [b] Four activities to undertake could be:


  • Use a risk model or develop a technique to establish matrices that will enable you to gauge which risks could aggregate together in each scenario. Use the already comprehensive register of individual risks to identify sources that could have multiple threats to the Most of the work will already be done, it will just be a case of grouping together associated risks and looking at causes and effects of different scenarios.
  • Another action could be to visit the site and look at any inherent dangers that are faced, as there may have been updates since your predecessor undertook the task of reviewing these You can determine whether there are any alternative routes to the refinery, whether there are emergency contingencies in place in the surrounding area, or whether there is sufficient signage and health and safety processes within the location to guide people of various procedures to reduce or mitigate any risks that do come to fruition.
  • Review historical data and collect new data about possible risks. Compare these against public information for similar refineries or research into any major loss events and the proximate cause of these events that subsequently spread to other losses. Talk to employees and sub-contractors to gauge their opinion of the potential risks they see day to day, either on the location or to do with refinery
  • Speak to your current insurers and see whether there is sufficient insurance in place should there be a large-scale event and see whether the policies are on an aggregate basis or are on an each loss/occurrence basis. The policies will need to reflect the exposure faced by PE plc and insurers may have a disaster or emergency recovery programme as an add-on to assist in the event of a major Insurers may also be able to share any risks they have had on similar books of business.


Question 6 – Learning Outcome 6 [20 marks]


You are an insurance broker. One of your clients is GL plc, a large manufacturer of car components. The Risk Manager for GL plc is concerned with the escalating costs of GL plc’s insurance premiums. Prior to renewal, the Risk Manager has asked you to conduct a review of the insurance programme, taking into consideration GL plc’s risks. GL plc has the following risk features:


  • Employment of 1,000
  • Hazardous processes including
  • Exporting to the
  • The importation of raw materials from
  • The transaction of a large amount of business on


[a] Explain, with justification, two risks which you advise could continue to be transferred by GL plc to its insurers.  


[b] Explain, with justification, two risks which you advise could be retained by GL plc rather than transferred to its insurers.  



Answer to question 6 [Learning Outcome 6]


  [a] Two risks we recommend you transfer to insurers are:


  1. Employers liability [EL], you have many employees and some areas of the business activities are Your claims experience indicates several employer’s liability claims although the last five years has seen an improvement in the number of claims reported. This is partly due to improved working practices including near miss incident reporting and the historic latent claims, e.g. deafness is reducing. As a compulsory class of insurance, it is often simpler to insure EL as opposed to retaining and funding [CII study text, M67/P67 Fundamentals of risk management 2018-2019]. Also, liability claims can take some time to settle and reserving patterns are complex to meet the liabilities as they develop post initial reporting. It also ensures when the claims are settled the monies are readily available from insurers as opposed to GL plc having to fund the loss. In addition, by transferring the risk to insurers you get the benefit of health and safety specialists who can assist with up to date risk management methods to ensure compliance in the workplace.


  2. Public/Products liability [PL], the nature of the business, e.g. welding and hazardous processes gives rise to the likelihood of a large claim involving a spreading fire risk which could damage third party premises and result in a large PL claim. Additionally, noting the USA exports of these components which are fitted into cars there again, is the potential for a products claim if a component part fails and the cost of administering claims of this nature in the USA can be huge. Likewise, if you continue insuring product recall we advise it is better to have this via an insurer who can assist with implementing policies and procedures to manage the risk and offer advice if a recall is required.

In our view, it is better to be at ‘arm’s length’ in third party claims rather than retaining the risk. Should a product claim happen in the US, insurers will have experts in location who can administer the claim and will have local knowledge.

  [b] Two risks we recommend you consider retaining in-house are:


  1. Theft, with the large number of employees and small component parts on site there is the potential for theft risks to occur. It is expected insurers would want an excess on any theft claims to avoid paying for claims on the components that ‘go missing’. The likelihood of a single large loss is small, however if not managed, there is the potential for accumulated losses which could impact on the balance However, it is a risk which can easily be managed internally and is more effective if managed within departments.

For example, the stock control should be monitored and audited for any unusual activities. Likewise, there should be spot checks for employees leaving the premises to ensure components are not falling into bags or pockets. Paying premium to insurers for a risk that should be controlled internally is expensive and claims would most likely be small but could be frequent therefore insurers would really be charging premium for claims handling.

  2. Credit risk, this is a risk you should consider retaining and improving your contract terms and conditions to avoid being a victim of bad credit. In conducting much of your business on credit, you must manage both insolvencies of others and loss of payment for goods. In addition, there is possible fraud in that supplies are ordered but not received, or there is a shortfall of supplies but an invoiced amount is added to your ongoing debt and which is paid in line with your credit

Credit insurance premiums can be costly and you must assess the probability and the potential financial loss involved. Insurers will want an excess and it is possible this could remove most of the potential claims. It is likely your risk is sufficiently spread that you would not suffer a large loss and by managing your contracts and payment terms you should become aware of problems before they are escalated. Our advice is that this is a retained risk with risk management of contracts and updates on the various stakeholders and financial positions. Additionally, constant checks on supplies ordered and monitoring of when received are required as well as diligence in checking the deliveries against the orders.


Question 7 – Learning Outcome 7 [10 marks]


You are the Risk Manager for an energy generation company. Given the potential for a major loss event, the company has historically invested heavily in risk management. You have a large team in your department to support risk management activities. The company has robust risk management procedures in place.


However, following poor results and increased competition from its competitors, the company is now looking to cut costs. One of the areas where the Board is considering cost cutting measures is by reducing employee numbers within your risk management department.


Explain, with justification, two potential risk management consequences if your department is made to reduce its employee numbers.




Answer to question 7 [Learning Outcome 7]


While there will be a short-term gain from reduced employment costs the overall long-term impact in not sufficiently managing our risks could be devastating.

Currently my team identifies and manages risk and we have the reputation of being a progressive team supporting the business objectives, while preventing by risk mitigation methods a major event such as an oil rig blow out. A reduction in my head count would mean we could only manage certain risk areas and would not be able to undertake new projects. This would mean new or emerging risks would come into the business unknowingly and unidentified. As an example, if we were to consider fracking as a way of generating an energy supply, at this moment I would put a team of risk managers onto the project to identify risks and likelihood of such events occurring and the extent of any damage. All considered, within our risk tolerance level, if I have lost several of my team due to redundancies then it would not be possible to undertake this project, unless at the expense of something else. The consequence of this would put the company back several decades, when we did not manage our risks and historically suffered some major events which could have been avoided.

One of the main roles within my team is to instigate sound corporate governance with best practice guidelines. As an increasingly regulated industry we have major compliance standards to meet to protect our licences and reputation. We pride ourselves on good working safety standards and have a very low accident rate compared to our competitors. This has all been achieved by embedding a risk management culture with regular monitoring and reviews of any change in practice, policies or procedures. Our staff training is second to none and we are very clear in terms of safety standards with no breaches being acceptable. My team have good relationships throughout the business and can get results. We also have good relationships with our stakeholders such as regulators, competitors and can use this to our advantage and benchmark. All this will be lost if the team is significantly reduced and the risk awareness culture could be destroyed very quickly. Therefore, we will see our risk management standards deteriorate and our systems will begin to fail. Incidents will happen and in our industry, this is likely to be major. The results could be a large financial loss, much damage and even worse, injury or loss of human life.


Question 8 – Across more than one Learning Outcome 8 [30 marks]


You are the Risk Manager for a food manufacturing company who specialise in baby food. One of the company’s most successful products is a powdered milk product.


Following a fault in the manufacturing process, a harmful ingredient was accidentally added to the powdered milk product. The contaminated powdered product, which could cause injury if consumed, was distributed world-wide before the fault was discovered.


[a] Explain, with justification, three actions you would take to mitigate the consequences of the risk after having discovered that the powdered milk product was contaminated.  



[b] Explain, with justification, three new procedures you could introduce to ensure that the likelihood of this risk occurring in the future is reduced.  



Answer to question 8 [Across more than one Learning Outcome 8]


[a] Three actions we could take to mitigate the consequences of the risk are as follows:


  1. Supply chain traceability


To prevent any further illness from the product the aim is to get the product off the shelves urgently. This involves tracing the product sales, getting warning information out to all distribution channels making them aware of the seriousness of the problem and asking them to remove the items. Again, the product data is important as, assuming the damage is only relevant to a certain batch, distributors should be given clear instructions on contaminated products. It is useful to recall or at least record the data for products removed to understand how many contaminated products may have been sold and by which retailer or distributor. With this information, a decision is needed on how to make the buyers aware of the contamination. It is obviously impossible for a retailer to know which customer purchased the powdered milk but it is possible to put warning notices in the supermarkets in the geographical area and extend this within say 30 km. If several products have been sold it may be worth putting a notice in ‘mother and baby’ magazines or newspapers or even as pop-ups on PCs anywhere to raise awareness of the problem. Time is critical and it is hoped a contingency plan is in place for scenarios like this which can immediately be put into place. It should be remembered that this is a world-wide distribution and the recall will vary as distribution channels will differ in sophistication of systems and policies and procedures. A small distribution company in Africa is less likely to have a system in place for tracing product sales.

  2. Protecting the brand


Customer retention and brand loyalty are both features in protecting the reputation. Likewise, the media has the potential to damage reputation with negative press or bad publicity which a contaminated product can cause. However, if managed well the company can turn a negative into a positive. Actions to take include:

  • Giving information via the press on the recall process and how well prepared we were to deal with and ‘boast’ about the success of the recall [in a proactive way but to also be remorseful about the incident]; a well-trained PR spokesperson in the company should be the only person allowed contact with the
  • Apologising for the incident to the family, via the correct communication channels, e.g. insurers or internal communication/PR department and letting it be known publicly that this has happened.
  • Asking to be kept informed on the child’s health while maintaining the ‘family’ privacy noting this should not be personal contact but
  • Accepting there has been an error and indicating that the company is looking at its processes to ensure it will not happen


  3. Maintain lines of communication and contain the event


A senior manager should assume accountability for all aspects of the event and maintain communication until it has reached a conclusion. This will be when there are no possibilities of further health issues and all product sales are accounted for. It is important to maintain open lines of communication and keep the subject live while it needs to be. It is also sensible to use all available resources while the matter is ongoing. As soon as possible without leaving any loose ends, the event should be closed and business resumed in this product area. It may be wise to subtly introduce different packaging giving the product a new look and attract new customers. Advertising the brand may be required if some customers have been lost, although the product is aimed at a very specific age range so customers will move on quickly. The distribution chain will be helpful in terms of re-launching a slightly changed product so it is wise to communicate with them and see if there are any adverse effects from the event.

[b] Three new procedures that could be introduced are as follows:


An internal enquiry should be carried out to look at the incident with a view to introducing controls to prevent it happening in the future.

  1. Physical control


Review the faulty machine and investigate the likelihood of the problem reoccurring. Check who first became aware of the mechanical problem and whether systems of check were addressed. Implement a new procedure to inspect the machine involved and others on a more regular basis and discuss with engineers if there is an alternative way of doing the process and checking the machine at each stage of mixing the ingredients. Investigate the findings of the mechanical problem and find a solution to ensure it does not happen again.

  2. Product quality control


Investigate why a harmful ingredient was even on the premises and then why it was included in the product. Did a process turn the product into a harmful substance or was it harmful in its raw state? Measures should be implemented to review all ingredients used. Stringent quality control measures will be introduced which will involve testing the product quality at different stages of manufacturing and should notify the team if something is not right before we go to final checking stage. It will also be a precedent that our product identification methods are improved and aligned to our product sales data.

  3. Tighter controls of the distribution and supplier chain


In the product recall we found not all distributors had acceptable product tracking data and, as such, the recall stumbled in certain areas. Going forward it will form part of our terms and conditions that a system of tracking is in place for any distribution channels we use. We will also tighten up our product traceability in our supply chain as it remains unknown whether the harmful ingredient was in a raw product supply from our supply chain.


Question 9 – Across more than one Learning Outcome [30 marks]


You are the Risk Manager for a service company which has a contract with a town council. The service company delivers the following for the town council:


  • Road and roadside
  • Refuse
  • The maintenance of public places, such as parks, sports facilities and play
  • The supplying of food for local


A major storm caused damage and extensive disruption to a nearby town which disrupted the delivery of services by another town council. Therefore, you have been asked by your town council to review the management of the risks that arise from the delivery of the services.


Explain, with justification, how you would apply each of the five stages of the ‘risk management process’ in delivering the town council’s services.




Answer to question 9 [Across more than one Learning Outcome]


The risk management process consists of five stages: [CII study text, M67/P67 Fundamentals of risk management 2018-2019]


  • Establish the
  • Identify the
  • Analyse the
  • Evaluate the
  • Treat the


For the purposes of this answer, the process has been condensed into three steps: identify, analyse and control. The context is quite clear in this question, in that we are contractually bound to deliver four services to the council. In addition, whilst controlling the risks in the third step of the risk management process, I am seeking to evaluate and treat the risk appropriately.


Step 1 – Risk identification


I would look to identify risks within each of the four services we are delivering. Some risks will cross over, e.g. maintenance of vehicles, whereas others may be specific to the service, e.g. food hygiene standards for the supply of food to schools [service D]. For ease, I will refer to each service as ABCD in the order they are presented.

A priority for this task will be to check the validity of our data. Are there changes we have not incorporated? For example, we have recently sold off some park land for housing development and therefore this needs to be captured in our risk management information system. My team will review our organisation charts and identify decision makers and risk ownership and accountability. We will also consider key dependencies in our flow charts. We have flow charts for all our delivery services and some key dependencies can impact on more than one service if there is an interruption. For example, our fleet management is carried out in the same workshop, by the same engineers and maintenance team for services A and B, therefore if the workshop is not available due to a fire then the maintenance programme for our heavy vehicles will need to be carried out elsewhere. It follows that when we are at the risk control stage, within our contingency plans we should consider alternative workshop facilities.

Our risk identification will also look at our checklists for relevance and completeness. We will check the recent property and health and safety surveys for service C. It is important we are aware of all risks in this service role and have all our responsibilities identified. The parks and play facilities can be high risk areas and therefore risk identification and maintenance of any equipment provided, such as climbing frames is critical. I will also request a check on safety notices around the public places and ensure they can be understood, i.e. hazard diagrams as well as written notices, to allow for language variants.

The public’s growing culture of blame means we cannot afford to leave risks unidentified without knowing the extent of damage that can occur if an unwanted ‘event’ happens. Even as a public authority we must work within our strategic and operational objectives and identifying risks which can take us off track is important.

This will be a broad and timely task and we must remember to identify any new or emerging risks. This may include increased flooding risk and identifying areas of potential flood hazards, e.g. service A and drain clearing and regular road maintenance. We may turn to external information sources for help in identifying emerging risks.

Step 2 – Risk assessment


Having identified the risks, it is then logical to move into assessing/quantifying these risks with the aim of prioritising. The risks identified will be input into our database, risk management information system, which includes the risk register. This will enable us to categorize our risks. Assessing our risk will determine the level of risk control that is needed and the financial implications from managing our risks.

Risk appetite and tolerance need to be considered when assessing our risks as this will determine our risk acceptability levels before pursuing control measures.

Categorising our risk is a starting point and we will include categories such as:


  1. Employment, e.g. health & safety in the workplace, employment contracts, anti-discrimination policies.
  2. Compliance with legislation and
  3. IT risks, e.g. technology risks.
  4. Physical assets, this will include our offices and


Once we have our risk categories in place we will look at probability and frequency of losses occurring; this will also include any risk aggregation. The recent storm incident has caused damage to various buildings and equipment in the open and this will need to be considered in risk aggregation. Likewise, risk aggregation could result from a series of road accidents in any of the four services we deliver or from accidents or injuries caused to our employees. We will also look to understand our risks in terms of the public’s perception. For example, an outbreak of food poisoning due to a lack of hygiene in service D is likely to cause major public anger as it is schoolchildren’s health that will be affected. As such, risks assessed in service D are most likely to be priorities and should be controlled to a high level. Road maintenance, service A, has grown in priority due to a lack of funding in the past. Now members of the public are liable to seek redress for car damage caused by driving over potholes as we have failed to manage this risk.

Our claims history will also be reviewed against our risk categories to help in determining impact and how likely the incident is to reoccur.

Our risk register needs to be reviewed and updated to capture risks identified and with an agreed audit and monitoring time included. We then need to assess all the possibilities that can arise from the listed risks. In carrying out various risk assessments we need to be mindful of not over quantifying and penalising our business objectives.

Step 3 – Risk control


Having determined our risks, we need to decide the nature of the risks and how to manage them. We also need to be aware of different methods of control. It is our intention to instigate a preventative system of control such as employee training so employees are equipped to do their job. However, should an incident happen, for example in service B where several employees have skin [hand] complaints, we may need to introduce corrective measures, such as extra protective layer gloves to correct the problem being caused by handling waste products.

In terms of our risks from non-compliance, which we have assessed as high priority, we will use a series of directive controls; for example, all employees will be trained in health and safety awareness. Our drivers will be checked for having a valid driving licence, no penalty points and the correct level of qualification, i.e. heavy goods vehicle drivers where required.

In determining our risk control, we will obviously need to consider the financial implications versus the effectiveness of the control proportional to the risk level. We may decide to manage some of our risks through insurance, e.g. physical assets. We may also use contractual conditions to reduce some of our risks, e.g. where we subcontract some of our gardening duties.




Another area of risk control will be to establish our business continuity management, to respond should a major incident occur. This could be an incident of an environmental nature, such as a contaminated recycling plant that must be temporarily closed or our road maintenance team drilling through a pipe and causing a major disruption to local businesses and road closures.


Question 10 – Across more than one Learning Outcome [30 marks]


You have recently been appointed as a senior manager of DJ plc, a UK-based insurer, providing commercial and personal insurances.


The price of DJ plc’s shares has been declining steadily. You believe that this fall in shareholder value has been influenced by issues arising in the non-financial perspectives [quadrants] of the balanced scorecard.


These issues are as follows:


  • Learning and growth perspective
    • Staff training and development is not
    • Some managers do not have time to provide on-the-job training and development for their


  • Internal perspective
    • Planning processes and procedures are not regularly
    • Delivery of plans is not adequately


  • Customer perspective
    • Customers are mostly However, customer service level agreements are not always adhered to.
    • Service levels are currently acceptable, but are declining slowly. This could be linked to staff-turnover.


Recommend, with justification, five significant actions you would take to address the brand and reputation issues identified in your review.




Answer to question 10 [Across more than one Learning Outcome]


  1. Brainstorm strategic risks


With a selected team including Board members, non-executive directors and risk owners, I would plan a series of brainstorming sessions where we can prioritise our strategic risks. If we do not identify strategic risks we will not be able to manage them. Such risks will include:

  • Post-merger integration, staff retention or
  • Retention of
  • Reputational damage due to bad
  • Noncompliance with
  • Unethical


The risk register must cater for all the new risks associated with the expansion of the group. A full risk review must be undertaken. In relation to the online business that has been acquired, you should consider cyber risks and ensure that there are satisfactory insurance/safeguards in place for any such exposure. Cyber risks include release of sensitive data of customers, security issues, potential hacking, security software and lack of staff training on cybercrime. Information from relatively new risks to the company should be stored in a database to track future progress.


  1. Board teach in and implementing controls


As this is a new role for the risk manager there is an opportunity for an away day to introduce the Board to the benefits of risk management. The session will outline the benefits of risk management to and look at implementing improved corporate governance and robust systems of check. The existing standards do not appear effective and no management decisions appear to be challenged in terms of honesty and integrity. The session will include setting out standards and addressing accountabilities. It will include establishing committees, e.g. risk, audit and compliance. Another area to address is the relationship with stakeholders and again ownership of these relationships will be addressed. A monitor and review of the Board activities and accountabilities will be considered with a view to implementing a quarterly review.

Research should be performed into the employment practice risks and data gathered from both internal and external sources to provide a wide scale recommendation into what should happen going forward. It would be beneficial to be able to establish the source of the allegations. Hopefully if it is managed correctly, fewer customers and revenue will be lost, there will not be subsequent litigation from employees and future acquisitions will not pull out of any ongoing negotiations. To conduct a thorough research exercise, it may be necessary to perform internet searches and utilise any information gleaned from employee questionnaires.



  3. Embedding risk culture


Policies and procedures will be put into place to raise risk awareness in the organisation. Guidance and protocols for understanding and working in a risk aware culture will be written. This will need to be supported by the Board with the initial message cascading down from the Chief Executive Officer [CEO]. This may be a difficult task but without the CEO supporting the message it will not work. Communication channels need to be opened with posters in the workplace or messages on the PC when employees log on to do their job. This should include reminders on safe and healthy working practices, e.g. taking breaks, correct seating and PC height. Employees should be encouraged to participate in the raising risk awareness campaign with maybe a suggestion blog or an employee of the month recognition. Communication will be clear and we will be mindful of using simple language to embrace all our employees. We will also establish a risk management information system to capture all data relating to risk management.

The Board does not appear to have a good risk culture and, as this position is not at board level, there will be a great struggle to embed a suitable culture upwards. You could either make a case that the risk management team should be represented on the board or alternatively, present your results to the Board and make suggestions for any changes you feel are necessary. You could perhaps remind the Board of their duties under the Companies Act 2006, that they must regard the interests of their employees and their responsibilities in line with the UK Corporate Governance Code, that they must look carefully at the nature of the risks that they are prepared to take and that they must maintain sound internal controls. The ultimate responsibility in this area rests with the Board and their specified risk policy. They should be advised to take a different approach to their attitude to risk.


  4. Review of employment policies and procedures


Working closely with our HR team including those with HR responsibilities for personnel in our recent acquisition, we will undertake a review of our employment practices. This is a weak area in the group and should be identified as a priority operational and strategic risk as it has a bearing on our reputation. The review will incorporate employment contracts, employee retention and recruiting and selection policies. Alongside this we will implement staff training, which will be very important for the induction of new staff. It is paramount that employees are adequately trained to do their job. We will also look at our anti-discrimination policies and communicate throughout the workplace that we have zero tolerance to bullying.



  5. Update of risk register


The current risk register is outdated but rather than discarding it we will work to update and capture other risk categories. Over time this will allow us to prioritise and manage our risks effectively. The strategic risks identified in the brainstorming will be incorporated into the risk register. We can then start the assessment and determine levels of control and cost implications. Our operational risks will need a review as we are likely to have different or additional risks following the acquisition. For example, IT risks will need to be assessed as we now have the on-line business which brings with it diverse risks such as computer hacking, protection of customer data and increased fraud both internal and external. The risk register does allow us to allocate accountability and therefore risk ownership which helps to bring senior management on board and actively participate in the risk management process.

The risk register should have equal focus on both operational and strategic risks. One of the first actions would be to update the risk register to reflect the current risk profile of the whole organisation. Risk controls should be input, marking who in the company is responsible for each aspect. This should also assist with improving the general company risk culture. If the risk register focuses on operational risk, employment practices should, in theory, be fully accounted for, as well as internal processes. However, whatever has been focused on is clearly inadequate given the negative press the company has received. The register must incorporate the element of strategic risk in the long-term objectives of the company. This will be of most importance considering how quickly the company is expanding. All the acquisitions will play a large part in this.


Reference list


Stephen W. Lowe MSc, FIRM, FCII, M67/P67 Fundamentals of risk management, 2018-2019, The Chartered Insurance Institute, 2018.




Question deconstruction and answer planning


The following three plans are based on 10, 20 and 30 mark questions respectively.


Question 1 – Learning Outcome 1 [10 marks]


You are the newly appointed Risk Manager for DYS plc. DYS plc is a luxury hotel chain with ten hotels in one country. Each hotel has a fine dining restaurant. DYS plc are considering purchasing a hotel in an emerging market country in which they are not operating at present.


You have reviewed DYS plc’s current risk register and found it to be outdated, in particular there is no indication of which risks are the most significant.



Explain, with justification, two significant risk types facing DYS plc. [10]



Question deconstruction

  • Review learning outcome 1 in the course material and the relevant information in the study
  • Highlight the instructions within the question [which are circled in red above].
  • What is the context? You are a newly appointed risk manager for a luxury hotel chain looking to expand into new
  • The question asks for an explanation of two significant risk types facing your company in the given You need to provide a justification for your choice.


Answer plan

  • Explain two risk types arising from this Equal marks are awarded for each.
  • Each risk type must be justified as significant in terms of the
  • This is a 10 mark question, your answer should be shorter than the answers to either a 20 or 30 mark




Question 5 – Learning Outcome 5 [20 marks]


You are a newly appointed risk manager for PE plc. PE plc is a UK-based petro-chemical company which operates a major refinery. You are reviewing the risk exposures of the refinery which has the following features:


  • It is located near a large
  • It is adjacent to a main railway line and motorway
  • It is a major supplier of aviation
  • 300 people are employed directly plus 100 sub-contractors.


After reviewing the risk exposures, you find that PE plc has comprehensively identified individual risks for each of the above features. However, PE plc has not analysed the potential impact of a major incident involving two or more of the above features.


[a] Explain two potential consequences for PE plc of only analysing risk exposures on an individual basis.  


[b] Explain, with justification, four activities you should undertake to better understand the overall risk exposure of PE plc.  



Question deconstruction

  • Review learning outcome 5 in the course material and the relevant information in the study
  • Highlight the instructions within the question [which are circled in red above].
  • Consider the context which includes the fact that you are a newly appointed risk manager for a UK-based petro-chemical company, reviewing the company
  • Part [a] requires an explanation of two consequences of reviewing risk individually. There are 8 marks
  • Part [b] asks for an explanation and justification of four activities, with 12 marks available, two marks are available for each explanation [8 marks total] and 1 for each justification [4 marks total].


Answer plan

Part [a]: You need only identify two consequences – 4 marks for each one. No justification is required.

Part [b]: Requires an explanation and justification of four activities.

As this is a 20 mark question, your answer should be longer than the answer to a 10 mark question but shorter than the answer to a 30 mark question.


Question 9 – Across more than one Learning Outcome [30 marks]


You are the Risk Manager for a service company which has a contract with a town council. The service company delivers the following for the town council:


  • Road and roadside
  • Refuse
  • The maintenance of public places, such as parks, sports facilities and play
  • The supplying of food for local


A major storm caused damage and extensive disruption to a nearby town which disrupted the delivery of services by another town council. Therefore, you have been asked by your town council to review the management of the risks that arise from the delivery of the services.




Explain, with justification, how you would apply each of the five stages of the ‘risk management process’ in delivering the town council’s services.





Question deconstruction


  • Review learning outcomes 2, 3 and 4 in the course material and the relevant information in the study
  • Highlight the instructions within the question [which are circled in red above].
  • Consideration of the context, you are the Risk Manager of a service company contracted to deliver certain services to a local


Answer plan


There is only one part and the total marks are 30. Therefore, careful answer planning is required. There are many stages in the risk management process and four services.


The answer should be broken down to achieve all 30 marks.


As this is a 30 mark question, your answer should be longer than the answers to 10 and 20 mark questions.

Glossary of key words




Find the relevant facts and examine these in depth; examine the relationship between various facts and make conclusions or recommendations.



To build or make something; construct a table.



Give an account in words of [someone or something] including all relevant, characteristics, qualities or events.



To plan or create a method, procedure or system.



To consider something in detail; examining the different ideas and opinions about something, for example to weigh up alternative views.



To make something clear and easy to understand with reasoning and/or justification.



Recognise and name.



Support an argument or conclusion. Provide or show reasons for a decision.



Give a general description showing briefly the essential features.


Recommend with reasons: Provide reasons in favour.



Express main points in brief, clear form.
