Posts

RISK MANAGEMENT POLICY– A tool of risk management

Ridhima Jain | Executive | corplaw@vinodkothari.com

 

As in case of life, so also in business, risks are unavoidable. However, large organisations cannot afford to have a casual and pro-tem approach to risk management, as severity of some of the risks may cause significant erosion to shareholder value, even to the extent of affecting the solvency and liquidity of companies. Therefore, every company has to methodically identify, analyse, grade, mitigate and manage risks comprehensively. As size and complexity of organisations have increased, so also the need for proper risk management.

Risk management policy may be taken as a perfunctory compliance, and therefore, may be just a document that sits on the website of the company. On the other hand, a proper approach may be to use the risk management policy as the contextual document which assimilates the company’s approach to risk management, and may continuously act as the guide to the executive management.

Risk refers to the uncertainty in transactions undertaken by an organisation, which may be measured in terms of deviation from predetermined targets or probability of loss or inadequate profits. Risk often ranges from financial to non financial risks. Financial risks have an immediate bearing on finances of an organisation and may be in the form of credit risks, liquidity risks, operational risks or obsolescence risk. On the other hand, non-financial risks may be classified as strategic risks, compliance risks, fraud risks and reputation risks. Risk, by its very nature, is an inherent part of every business and its intensity only proliferates with the paced-up globalisation and digitalisation. This becomes evident from the increasing importance of the risk management function at the strategy making table of the concerned entities.

In this article, the author dwells on the importance of risk management framework for any organisation and also discusses the components of an ideal risk management policy.  What goes in a risk management policy holds a fair amount of significance as the entire risk management framework is structured on the basis of the policy formulated in this regard.

In this context, risk management refers to the process followed by an organisation to identify, understand and evaluate the risks faced by it and effectively mitigate the detected risks. It may be construed as a macro process comprising various micro processes like risk identification, risk analysis, risk assessment and risk mitigation.

The rise in importance of risk management may be attributed to the realisation that any transaction may be fruitless if the underlying risk goes unrecognised. Unrecognised risks are more dreadful than recognised risks and any risk for which the organisation is not prepared for, may become unmanageable at the later stage of the process. An efficient risk management framework also facilitates development of a robust contingency plan and helps save costs, which the organisation may have spent on firefighting the risk.

Failures arising out of poor risk management have persistently resulted in downfall of big corporates. Examples may include Nokia, which failed to determine appropriate strategy for their business and surrendered to strategic risks or Satyam Computers which failed to manage fraud risks. Certainly, regulators like the RBI have imposed monetary penalties on NBFCs and banks for their inability to effectively address compliance risks. Such actions are not limited to monetary penalties, as in case of Srei Infrastructure Finance Limited the regulator took the company to the NCLT to initiate a resolution process against it.

Approach towards risk management

It is important to approach risks in a suitable manner as it serves the spirit underlying the risk management framework. The manner of approaching risk is an organisation specific element, driven by numerous factors such as risk faced by the industry in which it operates. Even after determining risks faced by an industry, the risk approach would be influenced by the functioning model of the particular organisation. For instance, a bank’s risk mitigation strategy may be primarily focussed on credit risks whilst a trading company may focus on operational risks. However, a trading company having international operations may give equal weightage to currency and legal risks.

Even though the risk approach of an organisation differs, an ideal approach should determine key risks after considering both external and internal influencing factors. Along with, for efficient management of risk, the approach should undertake a “top-down approach” by which management philosophy is clearly communicated to the grass root level employees as well as a “bottom-up approach” by which risks detected by employees at each level are communicated to the top management. The two-way approach will lead to fostering a risk aware culture throughout the organisation.

The primary responsibility of the risk management function may be reposed on the board of directors or the risk management committee. Apart from the companies mandatorily required to formulate a risk management committee, other companies may also formulate such committee to give undivided attention to the risk management function. Also, companies may formulate sub teams whose main role may be to handle specific risks which may be significant for the company. For instance, an organisation engaged in the FMCG segment may constitute a commodity risk management team for managing volatility in commodity prices. Further, an organisation may constitute a separate policies or separate committee altogether for specific risks. For instance, an organisation may formulate business risk and assurance committees to specifically review business and strategic risks.

All in all, an organisation’s approach towards risk management is primarily influenced by the importance it gives to the risk management function and relevance of the risks to its operations. Accordingly, risk management policy of the organisation should be framed to reflect the approach adopted by  it towards the risks faced by it.

Risk Management Policy

Risk management policy may be construed as a document regulating risk management function in an organisation. Having discussed the importance of risk management, we understand that the function is imperative and flows through every department in an organisation. Every employee in the organisation should be made aware of the flow of risk management process which is ensured by a well documented risk management policy. In essence, such policy provides a comprehensive guide to the risk philosophy of the organisation. The policy lays down a foundation on which the whole enterprise risk management (‘ERM’) is built. Once the ERM has been set up, the policy facilitates integration and gives direction to efforts of all the personnel in the organisation towards achieving common risk management goals such as minimisation of adverse impacts of a project or exploring unravelling opportunities.

Contents of risk management policy

Considering the contents of risk management policy, the coverage of the policy should be broad to provide an enhanced scope towards the function. That is, the policy should provide for all the foreseeable risks that the organisation may face in its future.

Further, the policy should not  simply be a document, incorporating or rather reiterating the regulatory requirements, but it should also encompass the probable risk areas. An ideal policy would include:

Brief background of the organisationDiscussion of the background of the organisation would provide an enhanced understanding about the source of risks arising in the course of the business.
Objectives and importance of the policyWhilst performing any activity, besides knowing what is to be done, it is equally important to understand why it is being done. Discussion on the objectives of the policy would give a vision to the reader and enhance the meaning to the upcoming contents of the policy.
Applicability and effective datePrior to understanding any framework it is essential to understand the operations it covers and the date from which it is applicable.
Requirements as per the statuteAn insight into the regulator’s expectations regarding risk management policy would significantly influence the policy of the organisation. For instance,  the Companies Act, 2013 prescribes that the audit committee of a company shall evaluate the risk management systems. Similarly, the independent directors, as well, should provide independent judgment on issues like risk management and are responsible for integrity of the risk management system.

In this regard, SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (‘SEBI (LODR) Regulations, 2015’) also vests enormous responsibilities on the board of directors of the listed entity. Apart from framing a risk management plan, the board of directors are also responsible for defining roles and responsibilities of the risk management committee.

Some of the mandatory compliances with respect to risk management policy are discussed in the forthcoming paragraphs.

Risks faced by the organisationCategories of risks faced by the organisation along with particular risks and description thereof should be clearly specified in the policy. Such specifications would acquaint the reader about the intent behind the entire risk management framework.
Hierarchy of risk managementEstablishment of such hierarchy is essential for an efficient risk management culture as it provides for an effective flow of risk information. Along with the structure, roles, responsibilities and accountabilities of the hierarchy elements should be clearly defined. More particularly, composition of risk management committee and particulars of appointment of the chief risk officer should be enunciated in the policy.  A broad idea of an ideal hierarchy is shown in the following diagram.

Risk reportingThe policy should clearly specify as to which risks will be reported, how the risks will be reported and to whom the risks will be reported in the risk hierarchy. This may be seen as an important element of the whole framework as it is obvious that every risk arising may not have an impact on the organisation. Thus, reporting of such minor risks may waste time and effort of the personnel involved.
Treatment of different types of risksThe organisation may specify treatment of risk on the basis of classifications made by it. For this purpose, risks may be broadly classified as controllable or uncontrollable risks, inherent or residual risks.
Business continuity planThe organisation should indicate development of such plans in its risk management policy. The plan should cover recovery plans after any major disruption faced by the organisation. A mention of such a plan would assure the policy users of the organisation’s preparedness of risks arising in all perceivable circumstances.
Risk management processThe central element of the framework typically involves the procedure for risk management in the organisation. Ideally the risk management process should be carried out in the following manner:

For instance, when considering fraud risks, firstly, lacunas in the organisational structure wherein fraud may be perpetrated are identified. The identified areas turn out to be the origin of fraud risk. Secondly, an analysis is made as to what is the probability that the risks will materialise. Any risk with high probabilities should be given due attention. Thirdly, the impact on the organisation when the risk materialises should be assessed. The output from this stage is used to prioritise risks according to their probability of occurrence and their impact. Finally, risks are mitigated by adopting a suitable risk mitigation strategy.

Risk management toolsThe organisation may provide a description of the tools utilised by it in the process of risk management. Common tools used by the organisations are:

–        Assessment matrix: The matrix highlights velocity of the risks faced by the organisation. It also suggests the impact of the potential risk in various functions of the department which are measured by assignment of specific scores. The criteria for assignment of scores may also be specified in the report.

 

–        Stress tests – Organisations conduct stress tests to study the impact of risks getting materialised. Stress tests are mandated for banks and NBFCs in India.

 

–        Risk registers: These are registers wherein all estimated risks and actual risks faced by the organisation are recorded along with their details such as their risk category, likelihood of occurrence, their impact and mitigation plan is suggested.

 

–        Department-wise risk summary: The organisation may, after identifying risks faced by it as a whole, further bifurcate into risks faced by individual departments.

Review of risk management toolsApart from the regular risk reporting, the results derived from risk management tools may be reviewed periodically to ensure that any risk element does not go undetected. For example, there may be provisions for submission of a report on risk register on a half yearly basis. In this regard, formats for such submissions and a calendar accommodating timelines for all submissions may be incorporated in the policy.
Risk auditEven though the risk management function is a complete function, its efficiency is enhanced when integrated with internal audit. Audit of the risk management framework provides an assurance regarding the framework and brings in light deficiencies in the framework. It also indicates the level of effectiveness of internal controls.
Periodicity of reviewThe intervals at which the policy will be reviewed should be clearly specified as well as a schedule should be attached to describe intricacies of the amendment.
Dissemination of the policyThe manner and channels used for disclosing the policy should be expressly mentioned.

 

Regulatory prescriptions regarding risk management policy

In addition to the aforesaid, it is mandatory to comply with the broad guidelines laid by the specific regulators governing an organisation which may be read as:

The Companies Act, 2013: Section 134(3)(n) of the Companies Act, 2013 prescribes that the report of the board of directors shall contain a statement regarding the risk management policy of the company. Such policy should contain all the elements of risk more particularly, elements of risk which may threaten the existence of the company.

Securities and Exchange Board of India: Regulation 17 of the SEBI (LODR) Regulations, 2015 reposes responsibility of framing and implementing the risk management plan on the board of directors of the company. Further, Schedule II of the Regulations prescribes that the risk management committee is responsible for laying down a detailed risk management policy which shall mandatorily include:

  • Framework for identification of risk particularly financial, operational, sectoral, sustainability (particularly, ESG related risks), information, cyber security risks.
  • Business continuity plan of the company.
  • Risk mitigation systems and internal control processes for mitigation of detected risks.

Also, the committee has the responsibility of overseeing implementation of risk management policy and periodic review of the same.

Reserve Bank of India: In the context of NBFCs, the regulator lays specific stress on liquidity risk management framework to be adopted by applicable For the purpose, a liquidity risk management policy is to be laid down by the board of directors of the NBFC which shall provide for:

  • Manner of maintaining liquidity at all times;
  • Entity-level liquidity risk tolerance limits;
  • Funding strategies to be adopted by the NBFC to maintain its liquidity levels;
  • Prudential limits;
  • System for periodic review of liquidity of the NBFC and assumptions used in liquidity projection;
  • Framework for stress testing;
  • Contingent funding plan;
  • Nature and frequency of management reporting;

Further, both banks as well as NBFCs are required to structure an asset liability committee to provide a balance between those two aspects of the organisation. However distinction lies in their framework as liquidity is the most stressed point in NBFCs, but in case of banks, the RBI has laid out a more comprehensive “risk appetite framework” which prescribes risks to be managed at an aggregated level and not to be restricted at a specific risk/function. Apart from other specifications, the framework requires risks to be considered from qualitative as well as the quantitative perspective. The prescribed framework aims to mitigate financial risks, more specifically, interest rate and liquidity risks.

The gravity of the framework can be derived by solely looking at the strict composition and quorum requirements of the risk management committee. In this regard, the RBI has also prescribed an “Internal Capital Adequacy Assessment Process” in line with the Basel norms, to be laid down at individual bank level as well as at the group level to analyse significant risks faced by the banks. This may be considered as the most meticulous prescription by a regulator regarding the risk management framework, the reason being obvious, that the banks play a pivotal role in the capital flow of the economy.

Insurance Regulatory and Development Authority of India: The regulator, vide its corporate governance guidelines for insurers, reposed the responsibility of laying down a risk management framework and a risk policy by the risk management committee of the insurer. Specific stress has been laid down on fraud risk management faced by the insurer.

Conclusion

From the foregoing, we derive that risk management plays a crucial role in an organisation’s functioning. Thus, it is essential to have a sound risk management system. Such a system arises from a well drafted risk management policy. It is safe to say that risk management policy is the first step towards building a risk management framework. However, merely establishing a risk management policy does not assure a sound risk management framework. The execution of the plan so laid down is an equally important aspect to be looked at.

 

Our other resources can be accessed below:

  1. Risk-based Internal Prescription for Audit Function – https://vinodkothari.com/2021/03/risk-based-internal-prescription-for-audit-function/
  2. Liquidity Risk Framework: A snapshot – https://vinodkothari.com/2019/11/liquidity-risk-framework/
  3. Chief Risk Officer: Strengthening risk management practices – https://vinodkothari.com/2019/05/chief-risk-officer-cro/
  4. Clubbing of Committees – https://vinodkothari.com/wp-content/uploads/2017/03/Clubbing_of_Committees-1.pdf