204. The risk management committee should ensure that in addition to the control measures
introduced by “SPAMSOAP labels” (Segregation of duties, Physical controls, Authorisation
and approval, Management controls, Supervisory controls, Organisation as a control,
Arithmetical and accounting controls, Personnel control), and depending on the demands of
the company’s business, additional minimum control measures such as establishing a
whistle-blowing function and an audit committee which operates separately from the risk
committee are implemented.
205. The whistle-blowing procedure must be documented and a copy given to every employee.
The procedure must give examples of the type of misconduct for which employees should use
the procedure and set out the level of proof required to sustain an allegation.
207. The risk management committee and management should identify and consider different
ways in which the company can respond to the risks identified during the risk assessment
process, including –
(a) avoiding the risks by not starting the activity that creates exposure to the risks;
(b) restricting, reducing or mitigating the risks through improvements to the whole
environment, such as contingency and business continuity plans. Risk treatment may
include methods, procedures, applications, management systems and the use of
appropriate resources that reduce the probability or possible severity of the risk;
(c) transferring the risk exposure, usually to a third party better able to manage the risks, for example, through insurance or outsourcing;
(d) tolerating or accepting the risks where the level of exposure is as low as reasonably
practicable or where there are exceptional circumstances;
(e) exploiting the risks, where the risk exposure represents a potentially missed or poorly
realised opportunity;
(f) terminating the activity that gives rise to any intolerable risks; and
(g) integrating the risk responses outlined above.