This white paper explains the concepts, legal requirements, strategies, and global framework for the implementation of risk management. It also deals with fraud and reputation risk management and how the negative reputation of an entity may harm the operations and profitability.
This white paper may be useful in performing the advisory role in Risk Management and Risk Governance.
“Today’s fast-paced business environment encounters a complex and ever-changing risk landscape that may negatively impact organizational value. The only way to respond to it is by having a dynamic and holistic perspective of the risk management approach to ensure business continuity.”
Enterprise Risk Management
Enterprise risk management (ERM) is the process of planning, organizing, leading, & controlling activities of an organization to minimize the effects of risk on an organization’s capital & earnings with an aim to assist organizations to identify, understand, evaluate & take action on their risks to increase the probability of their success and reducing the impact & likelihood of failure. ERM gives comfort to shareholders, customers, employees & other stakeholders at large that business is being effectively managed & also helps the organization to confirm its compliance with Corporate Governance requirements.
Although in India it is not mandatory/ statutory requirement to have an Enterprise Risk Management (ERM) framework in place. However, as per the Companies Act 2013, there are certain requirements that needs to be complied with respect to Risk Management. In addition, the board and audit committee have been vested with specific responsibilities as per SEBI (LODR) Regulations 2015, in assessing the robustness of Risk Management policy, process and systems.
Section 134(3) – Board: There shall be attached to financial statements laid before a company in general meeting, a report by its Board of Directors, which shall include a statement indicating development & implementation of Risk Management Policy for company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.
Schedule IV [Section 149(8)] – Independent Directors: The independent directors shall:
(1) Help in bringing an independent judgement to bear on the Board’s deliberation especially on issues of strategy, performance, risk management, resources, key appointments and standards of conduct;
(4) Satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible.
Section 177(4) – Audit Committee: Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall, inter alia, include evaluation of internal financial controls and risk management systems.
Key Compliance Requirements (SEBI (LODR) Regulations, 2015)
Regulation 17(9) – Board of Directors: It provides that –
(a) The listed entity shall lay down procedures to inform member of board about risk assessment & minimization
(b) The board shall be responsible for framing, implementing and monitoring the risk management plan for the listed entity.
Regulation 21 – Risk Management Committee: It requires that every listed company should have a Risk Management Committee comprises of –
(1) The board of directors shall constitute a Risk Management Committee.
(2) The majority of members of Risk Management Committee shall consist of members of the board.
(3) The Chairperson of the Risk management committee shall be a member of the board of directors and senior executives of the listed entity may be members of the committee.
(4) The board shall define role & responsibility of the Risk Management Committee & may delegate monitoring and reviewing of the risk management plan to the committee and such other functions as it may deem fit.
(5) The provisions of this regulation shall be applicable to top 500 listed entities, determined on the basis of market capitalization, as at the end of immediate previous financial year.
Board Disclosures as per Clause 49 of the Listing Agreement – Risk management: The Company shall lay down procedures to inform Board members about the risk assessment and minimization procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined framework.
Strategy to implement Enterprise Risk Management (ERM)
ERM is an integrated and continuous process for managing enterprise-wide risks, including strategic, financial, operational, compliance and reputational risks, to minimize unexpected performance variance and maximize intrinsic firm value. This process empowers the board and management to make more informed risk/return decisions by addressing fundamental requirements with respect to governance and policy (including risk appetite) risk analytics, risk management, and monitoring and reporting”.
Following are the 5 key steps to develop and implement an effective ERM framework:
Objective & Risk Appetite > Risk Identification > Risk Assessment > Risk Response > Risk Monitoring
Step 1: Setting of objectives & risk appetite
Before an organization can begin to identify risks, a clear set of objectives must exist. When these objectives are set, the company must have a clear philosophy towards ERM. The company’s risk appetite, the environment, the company operates in and its code of ethics will dictate what this philosophy is. Risk appetite is the amount of risk which the company is willing to accept. It is a key enabling structure and active relation among risk management, strategy and target setting. Every organization follows different aims to add value, and should generally recognize the acceptable level of risk in doing so.
Step 2: Risk identification & documentation
By risk identification, an organization can study activities and places where its resources are placed to risk. If risk managers do not succeed in identifying all possible losses or gains that challenge the organization, then these non-identified risks will become non-manageable. Results of risk identification are normally documented in a Risk Register, which includes a list of identified risks along with their sources, potential risk responses & risk categories. This information is used for risk analysis, which in turn will support creating risk responses. An effective risk identification process should include following:
Step 3: Risk assessment
Identifying risks is not enough; the impact of the risk should be understood, as well as probability, within an estimated time-frame. The next task is to assess the documented risk in terms of their likelihood and estimated significance. Risk assessment is how enterprises get a handle on how significant each risk is to the achievement of their overall goals. The assessment process is as follows:
Step 4: Risk response
Risk response is intended to figure out how to respond to the high-priority risks. The responsibility falls to management to carefully review probabilities & estimated impacts of each risk, and to consider all associated costs & benefits in developing an appropriate risk response strategy. Risk response falls into 4 categories:
Step 5: Risk monitoring
Identifying risks isn’t something that’s done once – like continuous improvement, it’s an ongoing process. The context in which certain risks are identified is constantly changing, and as such risks need to be monitored to continually determine the significance they represent. Organizations need proper systems in place to monitor and respond to changes in circumstances and adequately determine if identified risks still pose a threat.
Global framework for Enterprise Risk Management (ERM)
Over the years various ERM frameworks have been developed worldwide. The two most used frameworks are the COSO ERM 2017 Framework and ISO 31000:2018.
COSO ERM 2017 Framework
COSO stands for ‘Committee of Sponsoring Organizations’. It is a framework that is geared towards ensuring financial data security in your firm. The COSO framework was designed to provide an applied risk management approach to your firm’s internal controls. It is regularly updated to keep up with the changes in the risk environments of businesses with the recent update being in 2017.
The framework consists of 20 principles that are grouped to support one of 5 components. These principles cover everything from governance to monitoring. They’re manageable in size, and they describe practices that can be applied in different ways for different organizations regardless of size, type, or sector. Adhering to these principles can provide management and the board with a reasonable expectation that the organization understands and strives to manage the risks associated with its strategy and business objectives.
COSO ERM 2017 provides a framework for boards & management in entities of all sizes. It builds on the current level of risk management that exists in the normal course of business. Further, it demonstrates how integrating ERM practices throughout an entity helps to accelerate growth & enhance performance. It also contains principles that can be applied – from strategic decision-making through to performance. Below are the details, why it makes sense for management and boards to use the ERM framework, what organizations have achieved by applying ERM.
Management’s Guide – Management holds overall responsibility for managing risk to the entity, but it is important for management to go further: to enhance the conversation with the board and stakeholders about using ERM to gain a competitive advantage. ERM allows management to feel more confident that they’ve examined alternative strategies and considered the input of those in their organization who will implement the strategy selected.
The Board’s Guide – Every board has an oversight role, helping to support the creation of value in an entity and prevent its decline. Traditionally, ERM has played a strong supporting role at the board level. Framework supplies important considerations for boards in defining & addressing their risk oversight responsibilities. These considerations include governance and culture; strategy and objective-setting; performance; information, communications and reporting; and the review and revision of practices to enhance entity performance.
The foundation of 31000 standards is the belief that risk management should establish and sustain value. This makes it necessary for an institution to integrate ERM into their systems for accountability and sustainability. This integration will help these institutions to evaluate the risks involved in their decisions which is crucial in addressing various insecurities. To enhance the efficiency of the ERM system, it is necessary that it is designed into a systematic, timely, and structured process to incorporate crucial information necessary in risk management. In 2018, ISO re-released the ISO 31000 Standard, with the new version giving streamlined definitions that focus on 8 principles:
1. Integrated: Risk management is an integral part of all organizational activities.
2. Structured and comprehensive: A structured and comprehensive approach to risk management contributes to consistent and comparable results.
3. Customized: The risk management framework and process are customized and proportionate to the organization’s external and internal context related to its objectives.
4. Inclusive: Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.
5. Dynamic: Risks can emerge, change or disappear as an organization’s external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
6. Best available information: The inputs to risk management are based on historical and current information, as well as on future expectations.
7. Human and cultural factors: Human behavior and culture significantly influence all aspects of risk management at each level and stage.
8. Continual improvement: Risk management is continually improved via learning & experience.
The first five principles provide guidance on how a risk management initiative should be designed, and principles six, seven and eight relate to the operation of the risk management initiative. These latter principles confirm that the best information available should be used; human and cultural factors should be considered; and the risk management arrangements should ensure continual improvement. The organization’s risk management process should involve systematic application of policies, procedures & practices to activities of communicating & consulting, establishing the context & assessing, treating, monitoring, reviewing, recording and reporting risk.
How ISO 31000:2018 and COSO ERM Framework 2017 complement each other in implementation of ERM process:
The COSO and ISO framework for ERM, both complement each other. ISO 31000 offers wider directives that enable organizations to fit COSO’s principles of ERM into overarching corporate governance. Below table shows how the process of Enterprise Risk Management explained in these two frameworks is different but still similar:
|#||Steps for Implementing ERM||ISO 31000:2018 Framework (Process)||COSO ERM 2017 Framework (Components & Principles)|
|I||Objectives & Risk Appetite||1. Establishing the context
– Define scope
– External & internal context
– Define risk criteria
2. Communicate & Consult
– Info for oversight & decision- making
– Considering different views
– Bring different areas of expertise
|1. Governance & Culture
– Exercise Board Risk Oversight
– Establish Operation Structures
– Define Desire Culture
– Demonstrate commitment to Values
– Attracts, Develops, & Retains Individuals
2. Strategy & Objective Setting
– Analyze business Context
– Defines Risk Appetite
– Evaluate Alternative Strategies
– Formulate business Objective
|II||Risk Identification & Documentation||3. Risk Assessment
– Risk identification
– Risk analysis
– Risk evaluation
– Identifies Risk
– Assesses Risk Severity
– Prioritizes Risks
– Implements Risk Responses
– Develops Portfolio View
|IV||Risk Response||4. Risk Treatment
– Select treatment options
– Prepare & Implement treatment plans
|V||Risk Monitoring||5. Monitoring & Review
– Planning, Gathering & Analyzing Information
– Recording Results
– Providing Feedback
6. Recording & Reporting
– Communicate Risk Activities
– Provide info for decision-making
– Assist interaction with stakeholders
|4. Review & Revision
– Assesses substantial change
– Reviews Risk Performance
– Pursues improvement in ERM
5. Information, Communication & Reporting
– Leverage Information & Technology
– Communicate Risk Information
– Report on Risk, Culture & Performance
Despite the fact that these two frameworks complement each other there are various similarities and differences between the two as described in below table:
In the wake of dynamic market conditions & regulatory initiatives, protecting shareholders’ interests from various risks is becoming a top priority for managements across various industries. Perceptions of company are affected by the risks it faces and the manner in which these risks are managed. While no business is immune to risks, managing them to create a sustainable shareholder value is the critical challenge. Enterprise Risk Management (ERM) is a systematic & methodical approach to identifying and managing an organization’s risks as it provides a practical and time tested method to align risk appetite. Therefore, effective risk management drives adequate protection against the risk and leverage risk management to convert risks into opportunities.