Section 134(3)(n) of the Companies Act, 2013 mandates every company to include the following in its Board’s Report:-
(n) a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company;
A large number of companies are found to comply with the aforesaid statutory requirement merely by including a small statement in the Board’s Report, without actually identifying the risks, or by treating financial risk as the only risk, which is not an ideal situation. The biggest reason behind this, as the author understands it, is the absence of a risk culture. Most people avoid talking about risk, although they are all managing risk the whole day, right from waking up in the morning until switching off the light at night.
Risk identification and mitigation is a significant activity and should not be taken casually. Even a single adverse event can damage the company and its reputation. Company Secretaries can undertake this domain by brainstorming with the concerned functional heads as well as the project heads, in case your company has project(s). The project heads can play a significant role in this regard, as most of the risks emanate from the projects only. Any event or condition which, if it happens, has an adverse impact on your objectives is a risk, e.g. you want to develop a product within the next 3 months but there is a probability that there will be more competitors in this field in the said three months. Hence, the rise of a competitor is identified as a risk here. Your objectives could be to make a profit, to deliver the product within the fixed timeline, to eliminate competition, etc. Objectives can differ from person to person and industry to industry. If you are in the construction industry, your objective could be to deliver the project within the specified time period at the agreed contract cost, without any harm to society, workers or the environment, and to deliver a project of the specified quality. Risk can be of any type – financial, legal, contractual, political, environmental, social, safety related, quality related, etc.
Let us understand what risk is, how to identify and evaluate risks, and how to mitigate them. The risk management lifecycle is broadly divided into four (4) steps:-
1. Risk Identification
2. Risk Analysis – Qualitative & Quantitative
3. Risk Mitigation
4. Risk Monitoring & Reporting
Risk Identification:-
Risk identification is the first step towards risk management. There are many methods for doing this – a brainstorming session with the concerned officials, one-to-one discussion/ interview, risk questionnaire (Annexure-A), document analysis, project progress status report, etc.
Identification of a risk includes describing it properly, else all the further steps taken for its mitigation will fail. An important rule applies here, i.e. a wrong question gets a wrong answer. So, a careful description of the risk is necessary. An identified risk should be traced to its root cause, because you cannot cure a disease unless you know its root cause.
Risk Analysis:-
After identification, a risk should be analysed qualitatively and quantitatively. Qualitative analysis includes – what is the probability of the occurrence of the risk and what would be its impact, if occurred. You can use the following (5×5) matrix for this purpose:-
PROBABILITY [Low 1 to High 5]
IMPACT [Low 1 to High 5]
RISK SCORE = [PROBABILITY X IMPACT]
Accordingly, this 5 X 5 matrix will produce a range of potential score from [1 x 1] to [5 x 5] = 1 to 25 and the risks will be classified in the following three bands: –
Table 1: Risk Score Bands
HIGH | score 12 to 25 |
MEDIUM | score 5 to 10 |
LOW | score 1 to 4 |
Table 2: Risk Score Rating Matrix
RISK SCORE RATING MATRIX
PROBABILITY (rows) / IMPACT (columns) | Insignificant | Minor | Moderate | Major | Catastrophic |
Most Likely | 5 | 10 | 15 | 20 | 25 |
Likely | 4 | 8 | 12 | 16 | 20 |
Possible | 3 | 6 | 9 | 12 | 15 |
Unlikely | 2 | 4 | 6 | 8 | 10 |
Rare | 1 | 2 | 3 | 4 | 5 |
Table 3: Probability Rating Matrix
PROBABILITY RATING MATRIX
Category | Rating | Description of Likelihood | Probability (%) |
Most Likely | 5 | High certainty of occurrence. | >75 |
Likely | 4 | Balance of probability will occur. | >50-75 |
Possible | 3 | May occur shortly but a distinct probability it won’t. | >25 – 50 |
Unlikely | 2 | May occur but not anticipated. | >5 – 25 |
Rare | 1 | Occurrence requires exceptional circumstances. Exceptionally unlikely, even in the long-term future. | 0 – 5 |
Table 4: Impact Rating Matrix
IMPACT RATING MATRIX
Category | Rating | Description of Impact | Delay (Weeks) | Cost (Lakhs) |
Catastrophic | 5 | Death, regional uncontained environmental impact, project halted, huge financial loss | >12 | >100 |
Major | 4 | Extensive injuries, local uncontained environmental impact, major delay & financial loss | >8-12 | >50 – 100 |
Moderate | 3 | Medical treatment, contained uncontained environmental impact, moderate delay & financial loss | >4 – 8 | >10 – 50 |
Minor | 2 | 1st aid treatment, immediately uncontained environmental impact, minor delay & financial loss | >2 – 4 | >5 – 10 |
Insignificant | 1 | No injury, insignificant environmental impact, insignificant delay & financial loss | 0 – 2 | 0 – 5 |
Based on the probability and impact rating given to each risk, the probable quantitative impact of the Risk (especially the cost and schedule impact) can be calculated and incorporated in the Risk Register. Specimen of the Risk Register is given in Annexure-B.
For the purposes of Quantitative Analysis of Risks, any of the methods, viz. Expected Value Method, PERT Chart Analysis, Monte Carlo Simulations or Decision Tree Analysis, as may be appropriate, can be used.
The probable quantitative impact so calculated above, can be used for the following purposes: –
- To prioritise the critical Risks and mitigate the same more closely; and
- To create Contingency Reserve (Cost and Schedule) for the Project.
Risk Mitigation
Now it is time to develop an appropriate mitigation plan based on the mitigation strategy chosen for each Risk. The criteria for choosing the appropriate mitigation strategy can be as under: –
Table 5: Mitigation Strategy
Strategy | Situation/ Condition |
Avoid | Having highly negative consequences |
Accept | Low Probability & Low Impact, Risk Score >=4; No control over the Cause |
Mitigate | High Probability and/or High Impact; Risk Score <=5 |
Transfer | Wherever possible but have control over it |
The Company Secretary should capture all the identified risks, their analysis, the mitigation strategy and the mitigation plan in a Risk Register, place it before the Board and obtain its approval. Every risk should be assigned to a concerned official called the “Risk Owner”, who should be made accountable for pursuing and monitoring it and for keeping the Company Secretary posted in this regard.
In case your company has some project(s), the majority of the risks will be generated and raised from the project, and the project manager, along with the concerned contractor/ vendor, can play a significant role in identifying and mitigating such risks.
Risk Review & Reporting
The Company Secretary can convene and conduct a Risk Review Session periodically with the concerned officials for the following purposes: –
- To ensure that the Risks have been identified and described properly with their cause-effect analysis;
- To ensure that the Risks have been assessed, scored and ranked in a manner consistent with this Plan;
- To ensure that the mitigation measures have been correctly identified;
- To check whether the approved mitigation measures are being implemented in a timely manner;
- To check the efficacy of the approved mitigation measures;
- To see whether the Contractor’s evaluation of Risks is in line with the Project objectives and is not biased;
- To change the score and ranking of the Risks and accordingly the probable quantitative impact, if required;
- To identify the Top 10 Risks and Issues.
In case a Risk occurs despite employing the approved mitigation measures, the same should be treated as an Issue and should be transferred from the Risk Register to the Issue Register. Specimen of the Issue Register is given in Annexure-C.
“A Risk is an uncertainty and a potential problem for tomorrow whereas an Issue is a certainty and a problem for today”.
An Issue may not necessarily arise from a Risk; it can arise otherwise also, and such an Issue should also form part of the Issue Register. Immediately upon the occurrence of an Issue, the necessary Issue Resolution Plan should be discussed and implemented.
The Company Secretary should prepare and submit a risk report in the form of the Risk Register, the Issue Register and such other report as the Board may deem fit.
Annexure A: Risk Questionnaire
S. No. | Information Required | Answer |
1 | What is the risk that should be WORRIED about and why, please describe? | |
2 | Has it ALREADY happened or is YET to happen? | |
3 | If ALREADY happened, please mention the Exact/ Approximate date of its Happening. | |
4 | If ALREADY happened, what IMPACT do you see on the Project? | |
5 | If ALREADY happened (i.e. ISSUE), what should be the priority of its Resolution? | |
6 | If YET to happen (i.e. RISK), what is the Probability of its occurrence (on a scale of 1-5)? | |
7 | If YET to happen (i.e. RISK), how much Impact do you see on the Project if it happens (on a scale of 1-5)? | |
8 | What steps would you recommend to Mitigate the RISK or Resolve the ISSUE? |
Annexure B: Risk Register Template
Risk ID | Date Raised | Risk Description | Cause of the Risk | Early Warning Sign | Effect | Probability Rating | Impact Rating | Risk Score | Probable Schedule Impact | Probable Cost Impact | Mitigation Strategy | Mitigation Plan | Risk Owner | Status |
Annexure C: Issue Register Template
Issue ID | Risk ID | Date Logged | Issue Description | Contract Package | Priority/ Severity | Particulars of the Issue | Issue Resolution Plan | Issue owner | Date Resolved |