
Section 134(3)(n) of the Companies Act, 2013 mandates every company to include the following in its Board’s Report:-

(n) a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company;

A large number of companies are found to comply with the aforesaid statutory requirement merely by including a small statement in the Board’s Report, without actually identifying the risks, or by simply considering financial risk as the only risk, which is not an ideal situation. The biggest reason behind this, as the author understands it, is the absence of a risk culture. Most people avoid talking about risk, although they all manage risk the whole day, right from waking up in the morning until switching off the light at night.

Risk identification and mitigation is a significant activity and should not be taken casually. Even a single adverse event can damage the company and its reputation. Company Secretaries can take up this domain by brainstorming with the concerned functional heads as well as the project heads, in case your company has project(s). The project heads can play a significant role in this regard, as most of the risks emanate from the projects only.

Any event or condition which, if it happens, has an adverse impact on your objectives is a risk, e.g. you want to develop a product within the next 3 months, but there is a probability that there will be more competitors in this field in the said three months. Hence, the rise of a competitor is identified as a risk here. Your objectives could be to make a profit, to deliver the product within the fixed timeline, to eliminate competition, etc. Objectives can differ from person to person and industry to industry. If you are in the construction industry, your objective could be to deliver the project within the specified time period at the agreed contract cost, at the specified quality, and without any harm to society, workers or the environment. Risk can be of any type – financial, legal, contractual, political, environmental, social, safety related, quality related, etc.

Let us understand what risk is, how to identify and evaluate it, and how to mitigate it. The risk management lifecycle is broadly divided into four (4) steps:-

1. Risk Identification

2. Risk Analysis – Qualitative & Quantitative

3. Risk Mitigation

4. Risk Monitoring & Reporting

Risk Identification:-

Risk identification is the first step towards risk management. There are many methods to do this job – brainstorming session with the concerned officials, one-to-one discussion/ interview, risk questionnaire (Annexure-A), documents analysis, project progress status report, etc.

Identification of a risk includes describing it properly, else all the further steps taken for its mitigation will fail. An important rule applies here, i.e. a wrong question gets a wrong answer. So, a careful description of the risk is necessary. An identified risk should be traced to its root cause, because you cannot cure a disease unless you know its root cause.

Risk Analysis:-

After identification, a risk should be analysed qualitatively and quantitatively. Qualitative analysis covers the probability of the occurrence of the risk and what its impact would be if it occurred. You can use the following (5×5) matrix for this purpose:-

PROBABILITY [Low 1 to High 5]

IMPACT [Low 1 to High 5]

RISK SCORE = [PROBABILITY X IMPACT]

Accordingly, this 5 X 5 matrix will produce a range of potential score from [1 x 1] to [5 x 5] = 1 to 25 and the risks will be classified in the following three bands: –

Table 1: Risk Score Bands

| Band | Risk Score |
|---|---|
| HIGH | 12 to 25 |
| MEDIUM | 5 to 10 |
| LOW | 1 to 4 |

Table 2: Risk Score Rating Matrix

| PROBABILITY \ IMPACT | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Most Likely | 5 | 10 | 15 | 20 | 25 |
| Likely | 4 | 8 | 12 | 16 | 20 |
| Possible | 3 | 6 | 9 | 12 | 15 |
| Unlikely | 2 | 4 | 6 | 8 | 10 |
| Rare | 1 | 2 | 3 | 4 | 5 |

Table 3: Probability Rating Matrix

| Category | Rating | Description of Likelihood | Probability (%) |
|---|---|---|---|
| Most Likely | 5 | High certainty of occurrence. | >75 |
| Likely | 4 | Balance of probability will occur. | >50 – 75 |
| Possible | 3 | May occur shortly but a distinct probability it won’t. | >25 – 50 |
| Unlikely | 2 | May occur but not anticipated. | >5 – 25 |
| Rare | 1 | Occurrence requires exceptional circumstances. Exceptionally unlikely, even in the long-term future. | 0 – 5 |

Table 4: Impact Rating Matrix

| Category | Rating | Description of Impact | Delay (Weeks) | Cost (Lakhs) |
|---|---|---|---|---|
| Catastrophic | 5 | Death, regional uncontained environmental impact, project halted, huge financial loss | >12 | >100 |
| Major | 4 | Extensive injuries, local uncontained environmental impact, major delay & financial loss | >8 – 12 | >50 – 100 |
| Moderate | 3 | Medical treatment, contained uncontained environmental impact, moderate delay & financial loss | >4 – 8 | >10 – 50 |
| Minor | 2 | 1st aid treatment, immediately uncontained environmental impact, minor delay & financial loss | >2 – 4 | >5 – 10 |
| Insignificant | 1 | No injury, insignificant environmental impact, insignificant delay & financial loss | 0 – 2 | 0 – 5 |

Based on the probability and impact rating given to each risk, the probable quantitative impact of the Risk (especially the cost and schedule impact) can be calculated and incorporated in the Risk Register. Specimen of the Risk Register is given in Annexure-B.

For the purposes of Quantitative Analysis of Risks, any of the methods, viz. Expected Value Method, PERT Chart Analysis, Monte Carlo Simulations or Decision Tree Analysis, as may be appropriate, can be used.

The probable quantitative impact so calculated above, can be used for the following purposes: –

  • To prioritise the critical Risks and mitigate the same more closely; and
  • To create Contingency Reserve (Cost and Schedule) for the Project.

Risk Mitigation

The next step is to develop an appropriate mitigation plan based on the mitigation strategy chosen for each Risk. The criteria for choosing the appropriate mitigation strategy can be as under: –

Table 5: Mitigation Strategy

| Strategy | Situation/ Condition |
|---|---|
| Avoid | Having highly negative consequences |
| Accept | Low Probability & Low Impact, Risk Score >=4; No control over the Cause |
| Mitigate | High Probability and/or High Impact; Risk Score <=5 |
| Transfer | Wherever possible but have control over It |

The Company Secretary should capture all the identified risks, their analysis, the mitigation strategy and the mitigation plan in a Risk Register, place it before the Board and obtain its approval. Every risk should be assigned to a concerned official, called the “Risk Owner”, who should be made accountable for pursuing and monitoring it and for keeping the Company Secretary posted in this regard.

In case your company has some project(s), the majority of the risks will be generated and raised from the project, and the project manager along with the concerned contractor/ vendor can play a significant role in identifying and mitigating such risks.

Risk Review & Reporting

The Company Secretary can convene and conduct a Risk Review Session periodically with the concerned officials for the following purposes: –

  • To ensure that the Risks have been identified and described properly with their cause-effect analysis;
  • To ensure that the Risks have been assessed, scored and ranked in a manner consistent with this Plan;
  • To ensure that the mitigation measures have been correctly identified;
  • To check whether the approved mitigation measures are being implemented in a timely manner;
  • To check the efficacy of the approved mitigation measures;
  • To see whether the Contractor’s evaluation of Risks is in line with the Project objectives and is not biased;
  • To change the score and ranking of the Risks and accordingly the probable quantitative impact, if required;
  • To identify the Top 10 Risks and Issues.

In case a Risk occurs despite employing the approved mitigation measures, the same should be treated as an Issue and should be transferred from the Risk Register to the Issue Register. Specimen of the Issue Register is given in Annexure-C.

A Risk is an uncertainty and a potential problem for tomorrow whereas an Issue is a certainty and a problem for today.

An Issue may not necessarily arise from a Risk; it can arise otherwise also, and the same should also form part of the Issue Register. Immediately upon the occurrence of an Issue, the necessary Issue Resolution Plan should be discussed and implemented.

The Company Secretary should prepare and submit a risk report in the form of Risk Register, Issue Register and such other report as the Board may deem fit.

Annexure A: Risk Questionnaire

| S. No. | Information Required | Answer |
|---|---|---|
| 1 | What is the risk that should be WORRIED about and why, please describe? | |
| 2 | Has it ALREADY happened or is YET to happen? | |
| 3 | If ALREADY happened, please mention the Exact/ Approximate date of its Happening. | |
| 4 | If ALREADY happened, what IMPACT do you see on the Project? | |
| 5 | If ALREADY happened (i.e. ISSUE), what should be the priority of its Resolution? | |
| 6 | If YET to happen (i.e. RISK), what is the Probability of its occurrence (on a scale of 1-5)? | |
| 7 | If YET to happen (i.e. RISK), how much Impact do you see on the Project if it happens (on a scale of 1-5)? | |
| 8 | What steps would you recommend to Mitigate the RISK or Resolve the ISSUE? | |

Annexure B: Risk Register Template

Risk ID
Date Raised
Risk Description
Cause of the Risk
Early Warning Sign
Effect
Probability Rating
Impact Rating
Risk Score
Probable Schedule Impact
Probable Cost Impact
Mitigation Strategy
Mitigation Plan
Risk Owner
Status

Annexure C: Issue Register Template

Issue ID
Risk ID
Date Logged
Issue Description
Contract Package
Priority/ Severity
Particulars of the Issue
Issue Resolution Plan
Issue owner
Date Resolved


Author Bio

A Company Secretary, Law Graduate, Governance, Risk & Compliance (GRC) professional having more than 15 years of experience in company secretarial, legal, contracts, compliance, governance, ethics and risk management.
