RSK2601: Enterprise Risk Management
OCT/NOV Examination 2026 Revision Guide
Covers Past Papers: Oct/Nov 2023 • Oct/Nov 2024 • Oct/Nov 2025
Risk Management & Corporate Governance
Comprehensive Exam Revision Guide
Module Code: RSK2601
Module Name: Enterprise Risk Management
Papers Covered: Oct/Nov 2023, Oct/Nov 2024, Oct/Nov 2025
Exam Target: Oct/Nov 2026
NQF Level: 6 (Credits: 12)
Department: Finance, Risk Management & Banking
Study this guide carefully. Focus on understanding the ERM process, corporate
governance, financial risk and external environmental influences — these are the
core examiner focus areas.
Exam Revision Notes | RSK2601 | 2023–2026
RSK2601 | Exam Revision 2023–2025 Enterprise Risk Management
SECTION A — Multiple Choice Questions [20 marks]
Exam Tip
RSK2601 Section A typically contains 20 multiple choice questions (1 mark each). Each
question tests conceptual recall from the study guide. Read ALL options carefully —
distractor options are designed to sound plausible. The answer key below is provided
for self-testing.
Question 1 [1 mark]
Question: Enterprise Risk Management (ERM) is best described as:
A. A narrow approach focusing only on financial hazard risks.
B. A comprehensive, proactive, and inclusive approach to managing all categories of risk
across an organisation.
C. A reactive method of responding to risks after they have occurred.
D. A technique exclusively used by the internal audit department.
Answer: B
ERM is characterised by a comprehensive, inclusive, and proactive approach to risk
management. It encompasses all risk categories (financial, operational, reputational, strategic),
integrates with business strategy, and involves the entire organisation, not just one
department.
Key Concept
ERM moves away from a siloed, functional approach towards an enterprise-wide view.
It is forward-looking (proactive) and considers both threats (downside risks) and
opportunities (upside risks).
Question 2 [1 mark]
Question: Which of the following correctly describes the King IV Report’s approach to
corporate governance?
A. A rules-based, comply-or-explain approach.
B. An outcomes-based, apply-and-explain approach.
C. A voluntary, best-efforts approach with no disclosure requirements.
D. A legislative, mandatory approach enforced by statute.
Answer: B
King IV shifted from the comply-or-explain approach of King III to an outcomes-based,
apply-and-explain framework. Organisations must apply the principles and explain how
they have been applied, focusing on achieving good governance outcomes.
Question 3 [1 mark]
Question: In the ERM process, Stage 1 — Establishing the Context — involves which of
the following primary activities?
A. Identifying risks and compiling a risk register.
B. Reviewing controls and assessing residual risk.
C. Reviewing the internal and external environment, financial performance, and
stakeholder needs.
D. Selecting risk treatment options and implementing controls.
Answer: C
Stage 1 establishes the context by reviewing: the external environment (PEST/PESTLE
analysis), the internal environment (financial ratios, SWOT analysis), and stakeholder
expectations. This provides the foundation for the entire ERM process.
Question 4 [1 mark]
Question: The output of Stage 2 (Risk Identification) of the ERM process is:
A. A risk matrix.
B. A risk register.
C. A business continuity plan.
D. A control framework.
Answer: B
The output of Stage 2 is a risk register — a document listing all identified risks, their
owners, descriptions, and initial categories. It forms the basis for all subsequent ERM stages.
Question 5 [1 mark]
Question: Inherent risk is best defined as:
A. The risk remaining after controls have been applied.
B. The risk level before any controls or mitigating actions are applied.
C. The risk that management is willing to accept.
D. The risk associated with regulatory non-compliance.
Answer: B
Inherent risk is the gross risk — the level of risk in the absence of any controls or mitigating
actions. It reflects the raw exposure of the organisation to a particular threat.
Watch Out
Do NOT confuse inherent risk (before controls) with residual risk (after controls).
Residual risk = Inherent risk minus the effect of controls.
Question 6 [1 mark]
Question: In risk analysis (Stage 3), risks are assessed in terms of:
A. Likelihood and consequence (impact).
B. Cost and time to implement.
C. Market share and revenue impact only.
D. Regulatory requirements and compliance obligations.
Answer: A
Stage 3 analyses risks using two dimensions: likelihood (probability of occurrence) and
consequence (impact or severity). These are combined in a risk matrix to plot the risk level.
Question 7 [1 mark]
Question: Which risk treatment option involves a business ceasing a particular activity
to eliminate the associated risk?
A. Risk retention
B. Risk transfer
C. Risk avoidance
D. Risk reduction
Answer: C
Risk avoidance means deciding not to engage in or to discontinue an activity that generates
an unacceptable risk. It eliminates the risk entirely but may also eliminate potential
opportunity.
Question 8 [1 mark]
Question: Which of the following is a proactive method of risk identification?
A. Loss incident reports.
B. Insurance claims analysis.
C. SWOT analysis and scenario planning.
D. Post-loss investigations.
Answer: C
Proactive methods identify risks before they materialise. SWOT analysis and scenario
planning are forward-looking tools. Options A, B, and D are reactive methods based on historical
losses.
Question 9 [1 mark]
Question: An organisation’s risk appetite is best described as:
A. The maximum amount of risk that can occur before an organisation becomes
insolvent.
B. The amount and type of risk an organisation is willing to accept in pursuit of its
strategic objectives.
C. The residual risk remaining after all treatment options have been applied.
D. The total inherent risk of all identified risks in the risk register.
Answer: B
Risk appetite is a strategic concept — it represents the board’s deliberate decision about
how much risk the organisation is prepared to accept while pursuing its goals. It should be
documented in a formal risk appetite statement.
Question 10 [1 mark]
Question: According to the study guide, a Key Risk Indicator (KRI) is:
A. A measure used to track financial performance against budget.
B. A forward-looking metric that signals an increase in risk exposure before a loss event
occurs.
C. A post-event measure of actual losses incurred.
D. A control used to reduce operational risk.
Answer: B
KRIs are early warning indicators that provide advance signals of increasing risk exposure.
They are proactive and help management take corrective action before a risk materialises into
a loss.
Question 11 [1 mark]
Question: The PEST analysis is used in Stage 1 of ERM to assess:
A. Internal financial controls.
B. The external macro-environmental factors affecting the organisation.
C. The solvency ratios of the business.
D. The risk tolerance of individual business units.
Answer: B
PEST (Political, Economic, Social, Technological) analysis examines the external macro-