In discussion with Monish Gaurav Chatrath, Managing Partner of MGC & KNAV Global Risk Advisory LLP and a well-known expert on the topic of risk management.
Risk, rather erroneously at times, is thought to be a subjective thing. Shaped by the old adage of ‘no risk no gain’, we tend to look at the whole concept of risk with a certain amount of cautiousness. Ironically, this approach towards risk management is not merely an individualistic trait but is also visible in how companies and firms deal with risks. In fact, several organisations actively embrace risks as they are supposed to bring disruptions. Considering how good it is to be disruptive, risks can't be that bad, can they? Well, they are not all that bad, till you are hit by them like a Maglev train going at 300mph! Many businesses have lost stakeholder confidence or gone bust, just because they were unable to cope with risks. Risk in companies is like an inevitable force of nature that changes completely within its life span. This is the reason why risk management and mitigation is unavoidable. This is the calling card of EWRM, or what is known as Enterprise Wide Risk Management.
The emergence of EWRM
The concept of EWRM propagates a much more accepting and open attitude towards risks. Companies are encouraged to look at risk from a new and improved perspective. Instead of being daunted and scared by risk, they should rather grade and manage it effectively. The objective of EWRM is simple - to formulate a holistic plan about the various threats (ranging from inconsequential to existential) and then to manage these threats in a way that they no longer pose a threat. Typically, organisations tend to view risks from a singular financial perspective. Anything that poses a threat to the top-line or bottom-line, needs to be tackled. EWRM on the other hand, goes much beyond the financial purview, encompassing within its ambit, almost all that can negatively impact your organisation.
Having led over 150 EWRM projects for his corporate clients across a wide variety of industrial sectors over the past 27 years, Chatrath is extremely bullish about the ability of Indian companies to embrace EWRM and leverage its benefits.
Compliance or more?
The Companies Act, 2013 mandates that companies need to undertake EWRM by setting a specific set of responsibilities for various stakeholders, in the context of internal financial controls and enterprise wide risk management. Yet there remains some ambiguity on the differences between internal financial controls or IFCs and EWRM. According to experts, EWRM is a governance tool that is applied in strategy setting and implementation, in enhancing the effectiveness & efficiencies of operations and in monitoring compliances. On the other hand, IFCs relate to the processes and cycles, which contribute to financial reporting. The impact of the measured EWRM is not only viewed on financial parameters, but also on aspects relating to operations (such as the ability to manage people, processes & technology), reputation, regulatory, quality, health, safety, environmental and employees (including their morale and productivity).
The various ports of call for EWRM in India in the Companies Act, 2013 are set out below:
As per section 134 (3) (n), the Directors’ report needs to include a statement on the development and implementation of risk management policy for the company including identification of elements of risk, if any, which in the opinion of the board of directors may pose to be a threat to the existence of the company.
As per section 134 (5) (f), the Directors’ responsibility statement should state whether the directors had devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems are adequate and operating effectively.
Section 177 (4) (iv) & (5), which deals with the role of the audit committee, states that the audit committee should act in accordance with the terms of reference specified in writing by the board, which should, inter alia, include evaluation of IFC and risk management systems; and
Schedule IV requires independent directors to inform themselves on the integrity of financial information and ensure that IFCs & systems of risk management are robust and defensible.