Risk Management is a key aspect of the ‘Corporate Governance Principles and Code of Conduct’, which aims to improve the governance practices across the Company’s activities. Risk Management Policy and processes will enable the Company to proactively manage the uncertainty and changes in the internal and external environment to limit negative impacts and capitalize on opportunities.


In accordance with Section 134(3) of the Companies Act, 2013, a Company is required to include a statement indicating development and implementation of risk management policy for the Company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the Company.

Objective of the policy

The main objective of this policy is to ensure sustainable business growth with stability and to promote a pro-active approach in reporting, evaluating and resolving risks associated with the business. To achieve this key objective, the policy establishes a structured and disciplined approach to Risk Management to guide decisions on risk related issues and to create and protect shareholder value by minimizing threats or losses, and identifying and maximizing opportunities. This Risk Management Policy is being applied to ensure that effective management of risks is an integral part of every employee’s job. The objectives include:

1. to ensure that all the current and future material risk exposures of the Company are identified, assessed, quantified, appropriately mitigated, minimized and managed i.e. to ensure adequate systems for risk management;

2. to establish a framework for the Company’s risk management process and to ensure its implementation;

3. to enable compliance with appropriate regulations, wherever applicable, through the adoption of best practices;

4. to assure business growth with financial stability;

5. providing a framework that enables future activities to take place in a consistent and controlled manner;

6. improving decision making, planning and prioritization by comprehensive and structured understanding of business activities, volatility and opportunities/threats;

7. contributing towards more efficient use/allocation of the resources within the organization;

8. protecting and enhancing assets and Company’s image;

9. reducing volatility in various areas of the business;

10. developing and supporting people and knowledge base of the organization;

11. optimizing operational efficiency.

Risk management

  • The Company shall lay down procedures to inform Board members about the risk assessment and minimization procedures.
  • The Board shall be responsible for framing, implementing and monitoring the risk management plan for the Company.

Information to be placed before the board of directors

Quarterly details of foreign exchange exposures and the steps taken by the management to limit the risks of adverse exchange rate movement, if material.


“Act” means the Companies Act, 2013;

“Board of Directors” or “Board” in relation to a Company, means the collective body of directors of the Company (Section 2(10) of the Companies Act, 2013);

“Policy” means Risk Management Policy of the Company.

Risk management framework

Before proceeding to the policy, attention is drawn to the roles that the Board and Audit Committee are required to play under the above regulations governing Risk Management:

1. The Board’s role under both the regulations is to ensure the framing, implementing and monitoring of the risk management plan and to have in place systems for risk management as part of internal controls, with a duty cast upon Independent Directors to bring an unbiased angle to the Board’s deliberations on making risk management systems more robust.

2. The Audit Committee’s role is to evaluate the risk management systems.

Broad principles

The Board is required to review the business plan at regular intervals and develop the Risk Management Strategy which shall encompass laying down guiding principles on proactive planning for identifying, analyzing and mitigating all the material risks, both external and internal including environmental, business, operational, financial and others. Communication of Risk Management Strategy at various levels of the management for effective implementation is essential.

Role of the board

The Board will undertake the following actions to ensure risk is managed appropriately:

  • The Board shall be responsible for framing, implementing and monitoring the risk management plan for the Company;
  • The Board shall define the roles and responsibilities of the Risk Management Committee and may delegate monitoring and reviewing of the risk management plan to the Committee and such other functions as it may deem fit;
  • Ensure that the appropriate systems of risk management are in place;
  • The independent directors shall help in bringing an independent judgement to bear on the Board’s deliberations on issues of risk management and satisfy themselves that the systems of risk management are robust and defensible;
  • Participate in major decisions affecting the organization’s risk profile;
  • Have an awareness of and continually monitor the management of strategic risks;
  • Be satisfied that processes and controls are in place for managing less significant risks;
  • Be satisfied that an appropriate accountability framework is working whereby any delegation of risk is documented and performance can be monitored accordingly;
  • Ensure risk management is integrated into board reporting and annual reporting mechanisms;
  • Convene any Board-committees that are deemed necessary to ensure risk is adequately managed and resolved where possible.

Integration of risk management strategy

The risk management strategy of the Company is to be integrated with the overall business strategies of the organization and its mission statement to ensure that its risk management capabilities aid in establishing competitive advantage and allow management to develop reasonable assurance regarding the achievement of the Company’s objectives.

Identification and risk analysis

Risk Identification is obligatory on all vertical and functional heads who, with the inputs from their team members, are required to report the material risks to the Chairman and Managing Director and Whole-time directors of the Company along with their considered views and recommendations for risk mitigation.

The following steps are to be taken:

Risk Identification: To identify the organization’s exposure to uncertainty, risks may be classified into the following categories:

1. Strategic

2. Operational

3. Financial

4. Hazard

Risk Description:

To display the identified risks in a structured format.

Risk Evaluation:

After risk analysis, comparison of estimated risks against organization risk criteria is required. It is to be used to make decisions about the significance of risks and whether each specific risk is to be accepted or treated.

Risk Estimation:

It can be quantitative, semi-quantitative or qualitative in terms of probability of occurrence and possible consequences.

Impact level on performance/profit- Both Threats and Opportunities


1. Internal Reporting

a. Risk Management Committee

b. Board of Directors

c. Vertical Heads

d. Individuals

2. External Reporting

a. To communicate to the stakeholders on a regular basis as part of Corporate Governance

Disclosure in board’s report

Board of Directors shall include a statement indicating development and implementation of a risk management policy for the Company including identification therein of elements of risks, if any, which in the opinion of the Board may threaten the existence of the Company.

Guidelines to deal with the risks

Business Plan including Capital Expenditure and Fund Flow Statement for each segment together with SWOT analysis, data on Production Planning, Materials Management, Sales & Distribution, Delivery Schedules, Assets, Accounts Receivables and Payables as well as Regulatory Regime applicable shall be reviewed in the light of the material risks identified. Through deliberations of the Committee a comprehensive plan of action to deal with the risks shall be developed and guidelines flowing from such plan shall be communicated to the employees concerned for mitigation of the risks.

Risk treatment

Risk Treatment includes the process of selecting and implementing measures to mitigate risks and to prioritize risk control actions in terms of their potential to benefit the organization. Risk treatment includes risk control/mitigation and extends to risk avoidance, risk transfer (insurance), risk financing, risk absorption etc. for

a. Effective and efficient operations

b. Effective Internal Controls

c. Compliance with laws & regulations

Risk treatment shall be applied at all levels through carefully selected validations at each stage to ensure smooth achievement of the objective.

Risk registers

Risk Registers shall be maintained showing the risks identified, treatment prescribed, persons responsible for applying treatment, status after the treatment etc.

Risk managers and Risk officers are to be identified for proper maintenance of the risk registers, which will facilitate reporting of the effectiveness of the risk treatment to the Risk Management Committee, Audit Committee and the Board.

Enterprise Risk Planning (ERP package) shall play a key role in timely availability of all data/reports required for the Committee to develop the Action Plan as stated above.

The Board shall have the discretion to deal with certain risks (may be called key or highly sensitive risks) in the manner it may deem fit. Mitigation of such highly sensitive/key risks and effectiveness of their mitigation measures and review of the strategy may be directly discussed by the board members with Audit Committee.


The Company is prone to inherent business risks. This document is intended to formalize a risk management policy, the objective of which shall be identification, evaluation, monitoring and minimization of identifiable risks.

This policy is in compliance with the Listing Agreement, which requires the Company to lay down a procedure for risk minimization.

The Board of Directors of the Company and the Audit Committee shall periodically review and evaluate the risk management system of the Company so that the management controls the risks through a properly defined network. Heads of Departments shall be responsible for implementation of the risk management system as may be applicable to their respective areas of functioning and report to the Board and Audit Committee.

Constitution of risk management committee

Risk Management Committee shall be constituted by the Company consisting of such number of directors (executive or non-executive) as the Company thinks fit. The Board shall define the roles & responsibilities of the Risk Management Committee & may delegate monitoring & reviewing of the risk management plan to the Committee & such other functions as it may deem fit.


This policy applies to all areas of the Company’s operations.


The penalties are prescribed under the Companies Act, 2013 under various sections which stipulate having a Risk Management Framework in place and its disclosures.

Section 134(8) (dealing with disclosure by way of attachment to the Board Report): If a Company contravenes the provisions of this section, the Company shall be punishable with fine which shall not be less than fifty thousand rupees but which may extend to twenty-five lakh rupees and every officer of the Company who is in default shall be punishable with imprisonment for a term which may extend to three years or with fine which shall not be less than fifty thousand rupees but which may extend to five lakh rupees, or with both.

There are other provisions of the Companies Act, 2013 as well as Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015 which stipulate stiff penalties. Therefore, this Policy prescribes that violation of the provisions applicable to Risk Management Framework is something the Company cannot afford to risk.

Review of the policy

This policy shall evolve through review by the Risk Management Committee and the Board from time to time as may be necessary.

The Policy will be communicated to all vertical/functional heads and other concerned persons of the Company.

The Policy shall be reviewed at least every year to ensure it meets the requirements of legislation & the needs of the organization.

Compliance responsibility

Compliance with this policy shall be the responsibility of the Officers of the Company who shall have the power to ask for any information or clarifications from the management in this regard.

Author Bio

Qualification: CA in Practice
Company: Co-founder of Budding Business & Makwana Sweta & Associates
Location: Mumbai, Maharashtra, India
Member Since: 20 Aug 2017 | Total Posts: 66
A Practicing Chartered Accountant with over 4 years of rich experience in Company Law, Audits, Accounts & taxation. She is a writer at her own blog. She is keen on streamlining business accounts of the Company and providing Startup consultancy.
