Part Two – Chartered Governance Qualifying Programme

Risk Management
November 2021

Wednesday 24 November 2021 Time allowed: 3 hours (plus 15 minutes reading time)

The examination paper contains 6 questions of which you must attempt 4. You must attempt 3
questions in Section A and 1 question in Section B. The questions in Section A are based on the
pre-released case study whereas the questions in Section B are not based on the pre-released case
study.

Each question is allocated 25 marks. There are 100 marks available in total for the paper.

Note: Unless otherwise specified, you should assume that an Act or an organisation referred to in the
questions is a UK Act or organisation.

The case study may refer to the global COVID 19 pandemic and you may refer to this in your
answers. However, we advise you to consider all relevant points in response to the question and not
to focus too heavily on the pandemic.

© The Chartered Governance Institute 2021 Page 1 of 8

Pre-release case study
Background
Windpowerparts (WP) is a manufacturer and distributor of parts for turbines in the wind power
(renewable energy) industry. The organisation was part of the publicly listed, TURBO Organisation,
but in 2010, the then CFO of TURBO, Samuel Fuller, led a separate management buyout of the wind
power business, in part financed by the employees.

After the buyout, WP’s main business was in logistics, including the marketing and distribution of parts
for the wind power industry, but it included two small manufacturing sites, producing wind turbine
parts, near the port of Hull, on the east coast of England and at the site of its head office near
Heathrow airport, west of London.

WP employs 3,500 personnel across its manufacturing and distribution plants and head office, and its
revenue for 2020 to 2021, although reduced by 10% due to the global pandemic, was still considered
healthy by its investors at £479m (GBP), with a net income of £21m (GBP).

WP’s stated value is ‘Working together to deliver the best products to keep the wind power industry
turning’.

In August 2014, WP developed a new manufacturing facility in the Middle East to meet the growing
demand from the home and international market.

In 2018, WP secured a five-year logistics contract with a wind power contractor in Africa and
increased its manufacturing capabilities at its Hull plant to cope with the increase in sales in Eastern
Europe.

Despite the challenges of the global pandemic and the UK’s exit from the European Union (Brexit),
WP has continued to manage the manufacturing and distribution business’ profitably and is currently
considering a merger with a company in Southern Romania which will help WP establish a
manufacturing plant and distribution hub in Eastern Europe.

The merger is being funded by a rights issue to investors who are purchasing additional shares
through a rights issue. This will raise the additional £20m (GBP) required to finance the expansion
plans of the organisation.

Issues have been raised regarding the merger, due to recent stories appearing in the national and
international media over the last year relating to corruption and money laundering in oil and gas
industries in Africa and Eastern Europe. Although these stories are not associated directly with
renewable energy industry or WP, they triggered extra scrutiny from regulators and internal reviews
from the management and the Board.

Governance
Currently, the Board consists of nine Directors:
• The executive directors are: Samuel Fuller – CEO; Christine Singh – CFO; Faizal Al-Hadar
– Director for the Middle East operations; Tracey Birkinshaw – Director for European
operations; Joachim Adebayo – Director for African operations;
• The non-executive directors are: Robin Townsend – Chair of the Board; Vaughn Wilds –
Chair of the Finance, Audit and Risk Committee (FARC); and Aeshia Malik – Chair of the
Nomination and Remuneration Committee.

In addition to this, there are six other members of the Executive Leadership Team (ELT): Head of
Safety, Health, Environment and Quality (SHEQ); Head of Marketing; Head of Human Resources;
Head of Security; and Head of Data and Technology. As noted, there is currently a vacancy for the
Chief Risk Officer (CRO).

© The Chartered Governance Institute 2021 Page 2 of 8

The ELT meet monthly, and the Board meet quarterly, both via the company’s virtual meeting
platform. Face-to-face meetings are being planned for the new year, with the first Executive meeting
of 2022 taking place in Southern Romania, in part to review the potential merger.

Risk and control

You are the new Company Secretary at WP and have been with the company for the last three
months, having held the same role at a large retail bank in the UK.

Since joining, you have found out the CRO role has been vacant for six months. The CEO, Samuel
Fuller, has also announced to the Board that he intends to retire within six months due to ill health of a
family member, although he will retain his shareholding.

As you become familiar with the organisation, you realise that the risk management framework is not
as robust as that implemented in your previous organisation. You understand that this will be in part
due to different regulatory requirements between the Financial Services and Renewable Energy
sectors. However, although not a premium listed company, WP made a voluntary decision to adopt
the UK Corporate Governance Code fully, even though they are not required to. You are also
concerned by the continued vacancy for the role of CRO.

In your first meeting with the Board a month ago, the CRO role was raised by Vaughn Wilds, Chair of
the FARC. Samuel Fuller questioned the need for a CRO, stating that the risk reports seemed to be
comprehensive so far, and that the Company Secretary should be more than capable of using the risk
management software to collate the data and reports needed.

Following this meeting, you were approached separately by both Tracey and Vaughn. They both
raised concerns over Samuel’s dominant opinions regarding risk management, admitting that these
opinions had largely gone unchallenged. In fact, they state that the merger in Southern Romania,
championed by Samuel, is being pushed through quickly to complete before he retires. Due to this,
they believe that the due diligence for the merger has some gaps in key financial aspects, such as
anti-money laundering.

In addition, you were told that the previous CRO had left the company after a confrontation with
Samuel and Faizal during an ELT meeting. Although the details were not confirmed, Tracey heard
that when the CRO raised the corruption and money laundering risks at the ELT meeting, she was
told by Samuel to ‘stick to things she knew about’ and ‘not to bother the Board’ with items that were
insignificant.

Although WP is not listed publicly, risk management and internal control are stated to be key
management processes for the organisation, in its risk management policy and framework. It is clear
that Robin entirely agrees with this, as he tasked you on your arrival with undertaking a high-level
review of the risk management framework to be presented to the Board at the next Board meeting.
This was achieved by commissioning the services of an expert risk management consultant, to
establish the effectiveness of the risk management process and to benchmark it against international
standards and industry best practice.

The findings from this review indicate that, although there is a risk management process in place,
there is a lack of consistency across the organisation, both in the process itself and its application. It
appears that the previous CRO was an expert in chasing and collating relevant risk management data
but was weaker in pursuing the effective management of risks. Since the CRO’s departure, the risk
management process has stopped working effectively and principal risks are not being robustly
reported to the Board.

The report also expresses some concerns regarding the Board’s appetite for taking risks. It has been
noted that there is a divergence between the Board’s risk appetite statement document, which was
developed by the CRO and ratified by the Board six months ago, and some of the decisions being
made by the ELT.

© The Chartered Governance Institute 2021 Page 3 of 8

The current overarching risk appetite statement is that ‘WP is willing to take risk where the reward
supports the organisation’s objectives, and where these principal risks have been challenged and
endorsed fully by the Board’. Clearly, there have been potential breaches of this high-level risk
appetite statement with the merger containing potential money laundering risks and principal risks not
being raised to the Board for challenge, for example corruption and money laundering.

The report has found that some decisions regarding the strategy of the organisation have been
agreed by Samuel, which have not been in line with the risk appetite statements, which aligns with the
comments raised by Tracey and Vaughn.

You know that there needs to be focus on risk management within WP to enable the organisation to
achieve its values and to continue a viable organisation.

© The Chartered Governance Institute 2021 Page 4 of 8

Section A
Answer three questions in this section.

1. Robin has contacted you regarding the agenda for the next FARC meeting, taking place in
January 2022. He is concerned that Samuel and Faizal do not properly appreciate the
regulatory requirements for risk management. Even though WP is not a premium listed
company, it has voluntarily adopted the UK Corporate Governance Code, and may have some
further regulatory requirements through its interests in Europe and the United Arab Emirates.
As such, Robin has asked you to provide a report on the corporate governance requirements in
relation to risk management.

Prepare a report for the FARC, analysing the requirements for risk management as stated in the
UK Corporate Governance Code and compare them with the requirements for Europe and the
United Arab Emirates, highlighting any similarities and differences in requirements between the
codes.
(25 marks)

2. Aeshia and Joachim have asked to meet you to discuss the role of the Chief Risk Officer (CRO).
In the absence of the CRO, recent comments about risks by Samuel, and following the findings
of the external risk management consultant, they want to ascertain the need for a CRO before
approaching Samuel to find a replacement. They are aware of the need for a central risk
management function, or at least having an experienced person with designated responsibility
for risk, but know they will encounter some resistance from members of both the Board and ELT
and want to be prepared for the challenge.

Prepare a briefing paper assessing key risk management functions for an organisation,
analysing the roles of a CRO, a risk manager and the Company Secretary, and then make a
recommendation on the appropriate level of support for a risk management function within WP.

(25 marks)

3. Risk appetite is top of the agenda for the next Board meeting. Robin is concerned that Samuel’s
risk appetite is becoming increasingly aggressive and outside of the tolerance and capacity
agreed by the Board, as he attempts to complete the merger in Eastern Europe before he
retires. Robin would like to use the risk appetite session to remind Samuel of key risk appetite
concepts and why it is important to ensure the right risks are taken by the organisation.

Write a briefing paper for Robin to use at the Board meeting, examining risk appetite, its
importance in the organisational decision-making process and its role in balancing risk and
reward. Include in your answer the differences between risk capacity, risk tolerance and risk
appetite and an analysis of the factors to be considered when determining risk appetite.

(25 marks)

© The Chartered Governance Institute 2021 Page 5 of 8

4. Following the recent reports regarding criminal activity by some organisations in the energy
sector and the resultant increased regulatory scrutiny, you need to be more aware of the
situation in preparation for planned discussions with the ELT on the merger with the company in
South Romania and the logistics contract with the company in Africa.

Analyse WP’s risks in relation to potential criminal activity in its operating environments. Focus
on financial crime in general, and specifically on money laundering and funding of terrorism in
relation to WP’s work, providing examples of at least five controls that WP should have in place.

(25 marks)

_________________________________________________________________________________
TOTAL FOR SECTION A = 75 MARKS

© The Chartered Governance Institute 2021 Page 6 of 8

Section B
Answer one question only. Questions 5 and 6 do not relate to the pre-released case study.

5. You have been appointed as the Company Secretary of a retail organisation, Home Grown in
the UK (HomeGrown), which specialises in hand-made, natural, organic products for homes and
gardens. From humble beginnings producing organic candles and jams in a garden shed in
2005, the once small start-up has expanded its client base and offering across the UK with the
help of Alternative Investment Market (AIM) investors. It now employs 800 staff and produced
an annual profit of £3.5m in 2019/2020.

As the organisation has grown, there has been an increasing need to ensure robust reporting.
The Board welcomed two new independent non-executive directors (NEDs) in the last two
months, one with a financial services background and one from the construction sector. During
the last Board meeting, concerns were raised about the sheer volume of reporting that was
being carried out and its relevance to the kind of organisation HomeGrown is, both from the
internal management and external regulatory risk reporting perspectives.

(a) Prepare a briefing paper for the Board analysing the need for regulatory reporting. Provide
examples of at least three functions that could be responsible for producing regulatory
reporting within the organisation.
(10 marks)

(b) As part of the briefing paper on reporting, analyse different reporting tools that could be
used for internal management risk reporting. Provide examples of least two different risk
reporting tools that would best support the decision making process at the Board level.
(15 marks)

(Total for Question 5 = 25 marks)

6. You have joined a car dealership organisation from a large nationwide competitor. BuyingMyCar
(BMC), with 14 garages across the South of England, is considered a medium-sized
organisation, but with the increasing demand for car ownership, BMC is looking to expand the
number of garages and, therefore, its market.

As part of its expansion programme, BMC have hired you to support the changes that will be
required in relation to corporate governance and, in particular, risk management as BMC looks
to secure investment.

In the two months you have been with the company, you have found that BMC’s risk
management process is quite immature, implementing a ‘standard’ approach to risk
management, which is implemented separately at each garage.

To support an improvement programme, prepare a report to the Board analysing enterprise risk
management (ERM), including the three essential characteristics of ERM and at least three of
the benefits of taking the risk management process beyond a standard approach. To ensure an
ERM approach is in line with best practice, provide a high level assessment of the three key
components of ISO 31000: 2018.

(25 marks)

© The Chartered Governance Institute 2021 Page 7 of 8

_________________________________________________________________________________
TOTAL FOR SECTION B = 25 MARKS
TOTAL FOR PAPER = 100 MARKS

The scenarios included here are entirely fictional. Any resemblance of the information in the scenarios
to real persons or organisations, actual or perceived, is purely coincidental.

© The Chartered Governance Institute 2021 Page 8 of 8