The changing paradigm of enterprise wide risk management
The following article is an initiative of KNAV India and is intended to create awareness among the readers.
In discussion with Monish Gaurav Chatrath, Managing Partner of MGC & KNAV Global Risk Advisory LLP and a well-known expert on the topic of risk management.
Risk, rather erroneously at times, is thought of as a subjective thing. Shaped by the old adage of ‘no risk, no gain’, we tend to look at the whole concept of risk with a certain amount of cautiousness. Ironically, this approach towards risk management is not merely an individualistic trait but is also visible in how companies and firms deal with risks. In fact, several organisations actively embrace risks because they are supposed to bring disruption. Considering how good it is to be disruptive, risks can't be that bad, can they? Well, they are not all that bad, until you are hit by one like a Maglev train going at 300mph! Many businesses have lost stakeholder confidence or gone bust simply because they were unable to cope with risks. Risk in a company is like an inevitable force of nature that changes completely over the company's life span. This is why risk management and mitigation are unavoidable, and it is the calling card of EWRM, or Enterprise Wide Risk Management.
“If you are seeking to strive for competitive advantage, then you also need to know how to retain the same once you have it. And in order to protect your market position, deciding whether or not to embrace a risk management culture, is not an option anymore,” states Monish Gaurav Chatrath, Managing Partner of MGC & KNAV Global Risk Advisory LLP.
The emergence of EWRM
The concept of EWRM propagates a much more accepting and open attitude towards risk. Companies are encouraged to look at risk from a new and improved perspective: instead of being daunted and scared by risk, they should grade it and manage it effectively. The objective of EWRM is simple: to formulate a holistic plan covering the various threats (ranging from inconsequential to existential) and then to manage these threats so that they no longer pose a danger. Typically, organisations view risk from a single financial perspective: anything that threatens the top line or bottom line needs to be tackled. EWRM, on the other hand, goes well beyond the financial purview and encompasses almost everything that can negatively impact your organisation.
According to Chatrath, “Before managing risks, we need to understand the essential difference between a threat, a vulnerability and a risk. Not everything that threatens your company is a risk. The hazards need to be classified into threats, vulnerabilities and risks.”
For instance, attrition is a global phenomenon and a threat to almost all organisations, but it cannot by itself be labelled a risk. If, however, your company has a specific vulnerability, such as a highly specialised workforce on its rolls that is much in demand by the competition, then the two (threat and vulnerability) combine to create a risk (of those people being poached), which then needs to be managed. A threat is an event that could give rise to a risk; it cannot be completely eliminated, but its likelihood of occurrence can be reduced and/or its impact mitigated. In contrast, a vulnerability is an error or weakness in the design, implementation or operation of a system that creates a condition allowing the threat to materialise and trigger a loss. A risk is the likelihood that a vulnerability will be exploited, or that a threat will become harmful.
According to Chatrath, "the classification of risks needs to be followed up by rating them up on a scale, after considering their relative importance to an organisation on a two-dimensional model of probability (of the occurrence) and vulnerability (to the organisation). Forward-looking organisations not only classify and mitigate/manage risks but also keep evaluating the changing polarisation of these on an ongoing basis."Recollecting the times, when he had returned to India in 1999, Chatrath recalls, "The only authoritative guidance to EWRM at that time was in the Naresh Chandra committee report, which was the main point of reference for corporate governance of the listed companies. But this had to change for the better. This took place with clause 49 of the listing agreement undergoing a serious introspection and refinement through a series of careful considerations by various committees such as the Kumarmangalam Birla Committee, the Narayanamurthy Committee and the JJ Irani Committee."
Having led over 150 EWRM projects for corporate clients across a wide variety of industrial sectors over the past 27 years, Chatrath is extremely bullish about the ability of Indian companies to embrace EWRM and leverage its benefits.
Compliance or more?
The Companies Act, 2013 mandates that companies undertake EWRM by setting out a specific set of responsibilities for various stakeholders in the context of internal financial controls and enterprise wide risk management.
Yet some ambiguity remains about the difference between internal financial controls (IFCs) and EWRM. According to experts, EWRM is a governance tool applied in strategy setting and implementation, in enhancing the effectiveness and efficiency of operations and in monitoring compliance. IFCs, on the other hand, relate to the processes and cycles that contribute to financial reporting. The impact of EWRM is measured not only on financial parameters but also on aspects relating to operations (such as the ability to manage people, processes and technology), reputation, regulatory standing, quality, health, safety, the environment and employees (including their morale and productivity).
“In recognition of the merits of risk management, the Companies Act of 2013 has set out specific requirements that a company needs to comply with in the context of EWRM. The board in all cases, and the audit committee and independent directors where applicable, have been vested with specific responsibilities in the context of development, assessment, institutionalisation, monitoring and reporting of an EWRM framework with related policies and procedures,” explains Chatrath.
The various ports of call for EWRM in India in the Companies Act, 2013 are set out below:
As per section 134 (3) (n), the Directors’ report needs to include a statement on the development and implementation of a risk management policy for the company, including identification of elements of risk, if any, which in the opinion of the board of directors may pose a threat to the existence of the company.
As per section 134 (5) (f), the Directors’ responsibility statement should state whether the directors had devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems are adequate and operating effectively.
Section 177 (4) (iv) & (5), which deals with the role of the audit committee, states that the audit committee should act in accordance with the terms of reference specified in writing by the board, which should, inter alia, include evaluation of IFCs and risk management systems.
Schedule IV requires independent directors to inform themselves on the integrity of financial information and to ensure that IFCs and systems of risk management are robust and defensible.
According to Chatrath, “since some of these sections are not restricted only to listed companies, it follows that they are meant to apply to all companies. It, therefore, appears that the preparation of an EWRM framework has been mandated for all companies by the Companies Act 2013.”
Whatever the impetus, compliance or stratagem, only a company that actively studies and manages risks on a regular basis can do well in the dynamic world we live in today. EWRM is going mainstream, which in turn is a good thing for all the stakeholders involved. This is true for all companies, big or small.
" A well-designed risk management system will allow for these risks to be fully understood and assessed by both the board and senior management. Amid a climate rife with a corporate blame game at the highest level, it is of immense importance that EWRM receives the attention it deserves. However, in contrast, unheeded warnings and unquestioned momentum often undermine risk mitigation efforts," states Chatrath.In the end, managing risks is not merely a checkbox item; it is all about strategy and growth. As the legendary investor and billionaire Warren Buffett says “risk comes from not knowing what you’re doing.” Companies and organisations that are able to deal with risks proactively through EWRM are most likely to grow and prosper. Managing risk is all about enhancing the bottom-line. So, there’s little reason to not do so. Isn’t it?