
The changing paradigm of enterprise wide risk management

The following article is an initiative of KNAV India and is intended to create awareness among the readers.

April 06, 2017 / 03:37 PM IST

In discussion with Monish Gaurav Chatrath, Managing Partner of MGC & KNAV Global Risk Advisory LLP and a well-known expert on the topic of risk management.

Risk, rather erroneously at times, is thought to be a subjective thing. Shaped by the old adage of ‘no risk, no gain’, we tend to look at the whole concept of risk with a certain amount of caution. Ironically, this approach towards risk management is not merely an individual trait; it is also visible in how companies and firms deal with risk. In fact, several organisations actively embrace risks because they are expected to bring disruption. Considering how good it is to be disruptive, risks can't be that bad, can they? Well, they are not all that bad, until one of them hits you like a Maglev train travelling at 300mph! Many businesses have lost stakeholder confidence or gone bust simply because they were unable to cope with risks. Risk in a company is like an inevitable force of nature, one that changes completely over the company's life span. This is why risk management and mitigation are unavoidable, and it is the calling card of EWRM, or Enterprise Wide Risk Management.

The emergence of EWRM

The concept of EWRM promotes a much more accepting and open attitude towards risk. Companies are encouraged to look at risk from a new and improved perspective: instead of being daunted and scared by it, they should grade and manage it effectively. The objective of EWRM is simple - to formulate a holistic plan covering the various threats (ranging from inconsequential to existential) and then to manage those threats so that they no longer endanger the organisation. Typically, organisations view risk from a single, financial perspective: anything that threatens the top line or bottom line needs to be tackled. EWRM, on the other hand, goes well beyond the financial purview and brings within its ambit almost everything that can negatively impact your organisation.

For instance, attrition is a global phenomenon and a threat to almost all organisations, but on its own it cannot be labelled a risk. If, however, your company has a specific vulnerability, such as a highly specialised workforce on its rolls that is much in demand by the competition, then the two combine (threat and vulnerability) to create a risk (of those people being poached), which then needs to be managed. A threat is an event that could give rise to a risk; it cannot be completely eliminated, but its likelihood of occurrence can be reduced and/or its impact mitigated. In contrast, a vulnerability is an error or weakness in the design, implementation or operation of a system that creates a condition allowing the threat to materialise and trigger a loss. A risk is the likelihood that a vulnerability will be exploited, or that a threat may become harmful.

Having led over 150 EWRM projects for corporate clients across a wide variety of industrial sectors over the past 27 years, Chatrath is extremely bullish about the ability of Indian companies to embrace EWRM and leverage its benefits.

Compliance or more?

The Companies Act, 2013 mandates that companies undertake EWRM by setting out a specific set of responsibilities for various stakeholders in the context of internal financial controls and enterprise wide risk management.

Yet there remains some ambiguity about the difference between internal financial controls (IFCs) and EWRM. According to experts, EWRM is a governance tool that is applied in strategy setting and implementation, in enhancing the effectiveness and efficiency of operations, and in monitoring compliance. IFCs, on the other hand, relate to the processes and cycles that contribute to financial reporting. The impact measured by EWRM is viewed not only in financial terms but also in terms of operations (such as the ability to manage people, processes and technology), reputation, regulatory standing, quality, health, safety, the environment and employees (including their morale and productivity).

The various ports of call for EWRM in India in the Companies Act, 2013 are set out below:

As per section 134 (3) (n), the Directors’ report needs to include a statement on the development and implementation of a risk management policy for the company, including identification of any elements of risk which, in the opinion of the board of directors, may pose a threat to the existence of the company.

As per section 134 (5) (f), the Directors’ responsibility statement should state whether the directors had devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems are adequate and operating effectively.

Section 177 (4) (iv) & (5), which deal with the role of the audit committee, state that the audit committee should act in accordance with the terms of reference specified in writing by the board, which should, inter alia, include evaluation of IFCs and risk management systems; and

Schedule IV requires independent directors to inform themselves on the integrity of financial information and ensure that IFCs & systems of risk management are robust and defensible.

Whatever the impetus, compliance or stratagem, only a company that actively studies and manages risks on a regular basis can do well in the dynamic world we live in today. EWRM is going mainstream, which in turn is a good thing for all the stakeholders involved. This is true for all companies, small or large.

In the end, managing risk is not merely a checkbox item; it is all about strategy and growth. As the legendary investor and billionaire Warren Buffett says, “risk comes from not knowing what you’re doing.” Companies and organisations that are able to deal with risk proactively through EWRM are the most likely to grow and prosper. Managing risk is all about enhancing the bottom line. So there’s little reason not to do so, is there?
first published: Apr 4, 2017 07:47 pm