Can NBFCs “outsource” internal audit functions to external auditors? 

– Anshika Agarwal (finserv@vinodkothari.com)

The Reserve Bank of India (RBI) has consistently emphasized the significance of robust internal control systems; where gaps are found by the supervisor, it has penalised regulated entities for non-compliance. Recently, the RBI imposed a penalty on an NBFC for outsourcing one of its core management functions, i.e., internal audit, to an external auditor, thereby raising doubts as to whether internal audit for NBFCs can be conducted by external auditors at all. Does the very fact that internal audit is being conducted not internally but by an external chartered accountancy firm amount to “outsourcing” of a core management function? This article examines outsourcing in the context of the internal audit function, and the conditions subject to which internal audit may be conducted by external agencies.

Understanding the concept of ‘Outsourcing’

Outsourcing is defined under the Basel 2005 document1 as “a regulated entity’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the regulated entity, now or in the future.” Similarly, the IOSCO Consultation Paper2 refers to outsourcing as “a business practice in which a regulated entity uses a service provider to perform tasks, functions, processes, or activities that could otherwise be undertaken by the regulated entity itself.”

NBFCs, especially those with asset-light models or limited resources, opt for outsourcing to manage financial as well as non-financial functions. Outsourcing by NBFCs typically involves delegating tasks such as loan application processing, collection of documents, data processing, IT support, customer service, and back-office operations to third-party providers. While outsourcing boosts operational efficiency, it also carries risks, particularly when core management functions are outsourced. Notably, outsourcing is distinct from availing professional services like legal, audit, consulting, or property management, which are ancillary to the NBFC’s core business. For outsourcing of financial functions by regulated entities, the RBI has issued specific guidelines to regulate the arrangements. Clear regulatory oversight is crucial to strike a balance between leveraging external expertise and maintaining ethical, efficient practices in the financial services sector.

Regulatory Framework: The RBI’s Perspective

The RBI guidelines are specifically aimed at managing risks related to outsourcing of financial services. Master Direction – Reserve Bank of India (Non-Banking Financial Company – Scale Based Regulation) Directions, 2023 (‘SBR Directions’)3, particularly Annexure 13 on Instructions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs (‘Outsourcing Guidelines’), Para 2 lays down stringent conditions for outsourcing to ensure compliance, accountability, and effective risk management. While outsourcing can support operational efficiency, core management functions must remain under the direct control of the regulated entity.

Core Management Functions: Non-Negotiable Responsibilities 

The Outsourcing Guidelines explicitly prohibit NBFCs from outsourcing core management functions vital to governance, decision-making, and risk management. Core management functions are those that are vital and crucial for the existence as well as the operations of the entity. These have been defined to include:

These functions are critical for ensuring the organization’s stability and operational integrity. For example, internal audit functions identify risks, ensure regulatory compliance, and assess control effectiveness. Entrusting such functions to external entities could compromise decision-making and erode organizational trust.

Contractual Engagement for Internal Audit

While the internal audit function itself is a core management process, the Outsourcing Guidelines, along the same lines, allow regulated entities to engage internal auditors on a contractual basis. This means external professionals can be brought in to execute internal audits, provided their engagement adheres to regulatory standards, independence is maintained, and the entity retains oversight and control rather than placing all the responsibility on a third party.

For example, an external agency may handle several operational tasks related to an audit, such as preparing documentation, organizing records, or conducting initial reviews. However, the ultimate responsibility for decision-making, oversight, and ensuring compliance with regulations rests with the audit committee or the entity’s senior management. This approach ensures that internal management retains control over key aspects of the audit process, even while delegating specific tasks or availing expert support. In contrast, outsourcing shifts the entire responsibility for the audit to a third party. This means the external firm is accountable for managing and executing all aspects of the audit, from operational tasks to final implementation. Such outsourcing may reduce the internal workload; however, it also transfers control and accountability to an external entity, which may not align entirely with the entity’s internal objectives and strategic priorities.

In other words, what is permitted is to avail the expertise services of a third party for carrying out the internal audit function but not the transfer of the entire responsibility of carrying out internal audit to a third party.

ICAI Standards: Expertise and Independence in Internal Audits

The Institute of Chartered Accountants of India (ICAI) Standards on Internal Audit4 state that “Where the Internal Auditor lacks certain expertise, he shall procure the required skills either through in-house experts or through the services of an outside expert, provided independence is not compromised”.

The aforesaid guidance from the ICAI emphasizes maintaining expertise and independence. While not explicitly addressing outsourcing, these standards recognize that internal auditors may lack certain specialized skills. In such scenarios, they encourage engaging in-house or external experts while safeguarding independence.

The standards indirectly allow for outsourcing when:

  • Specific expertise is unavailable in-house,
  • Independence remains uncompromised

Availing the services of experts ensures that internal audit teams possess the necessary skills to perform effective reviews, while the entity retains oversight and accountability.

Companies Act, 2013: Flexibility in Internal Audit Assignments

Section 138 of the Companies Act, 2013 (‘CA 2013’)5, specifies the requirement for internal audits for certain classes of companies. It allows the appointment of internal auditors, who may be chartered accountants, cost accountants, or other professionals, as decided by the Board. The Explanation to Rule 13 of the Companies (Accounts) Rules, 2014, states that “the internal auditor may or may not be an employee of the company”.

The aforesaid provision also enables companies to engage external auditors to perform internal audits, even if they are not part of the organization. While the CA 2013 does not explicitly prohibit outsourcing of internal audit functions, it places the ultimate responsibility for conducting and reporting on internal audits with the Board. This also clarifies that companies may utilize external expertise while maintaining oversight and control of the audit process.

Conclusion

In conclusion, the RBI’s recent penalties underscore the importance for regulated entities of maintaining strict compliance with outsourcing regulations, particularly regarding core management functions. While the Outsourcing Guidelines as well as the provisions of CA 2013 permit engaging external auditors on a contractual basis to perform operational tasks related to audits, accountability and strategic control, such as having the audit plan approved by the audit committee, regular reporting to the audit committee, discussion by the board and audit committee on the conduct of the audit, and implementing remedial measures under the oversight of the audit committee or senior management, must remain firmly within the organization. Adherence to these principles will help maintain the fine distinction between outsourcing the internal audit function and appointing external auditors as internal auditors.

Read our other related resources –

  1. UNDERSTANDING THE CONCEPT OF OUTSOURCING- ENVISAGING A TOUGH ROAD AHEAD FOR THE SERVICE PROVIDERS
  2. Draft framework for Financial Services Outsourcing

  1. Basel Committee / Joint Forum, Outsourcing in Financial Services, 2005. Available at: https://www.bis.org/publ/joint12.pdf (last accessed in November 2024)
  2. IOSCO Consultation Paper. Available at: https://www.iosco.org/library/pubdocs/pdf/IOSCOPD654.pdf (last accessed in November 2024)
  3. Reserve Bank of India, Master Direction – Scale Based Regulation (SBR): A Revised Regulatory Framework for NBFCs, October 22, 2021. Available at: https://rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=12550
  4. Institute of Chartered Accountants of India, Standard on Internal Audit (SIA) 2: Basic Principles Governing Internal Audit. Available at: https://resource.cdn.icai.org/52727iasb-basicprinciples-3.pdf
  5. The Companies Act, 2013, Ministry of Corporate Affairs, Government of India. Available at: https://www.mca.gov.in/

Compliance-o-meter: From abstraction to structured granular assessment

– Vinod Kothari and Payal Agarwal | corplaw@vinodkothari.com 

In risk assessment, effectiveness testing, compliance management, or other areas where qualitative assessment is required, one may be making abstract statements like: we have very effective controls; we have strong risk management practices; we have the best of the practices in compliance management, etc. However, very often, these may be pure abstractions. How do we use a structured approach which may allow us to give a more granular, methodical approach to benchmark ourselves?

Unlike quantitative parameters, there are no set methods or approaches to qualitative assessment. However, every qualitative assessment is also backed by identifying the elements that need to be studied, the ingredients or the check points in each of these elements, the weights of the respective elements in the overall assessment framework, assignment of scores based on the weights and observations for each of the checkpoints, eventually coming to an aggregate score. That is, a purely qualitative assessment may be converted into a score sheet.

One may create one’s own methodology; here is a suggested one. Before proceeding with the methodology, one may submit that the same methodology that may be used for effectiveness assessment may also be used for risk assessment. A good score in effectiveness is a positive indicator; a high score in risk assessment is a threat.

The suggested assessment methodology involves:

  1. Identification of elements: Every assessment can be decomposed into the elements underlying it. Take a very easy example of, say, the quality of board minutes prepared in a large company. The quality is purely an abstraction, which can be granularly split into, at the least, the timeliness of minuting, the comprehensiveness, ease of understanding, compliance with the law and standards, etc. Similarly, if one refers to the effectiveness of controls on insider trading, one may decompose the overall control into several elements such as identification of UPSI, sharing of UPSI, management of Designated Persons, codes and policies, etc. Note that the more granular the elements are, the better it is for the final result.
  2. Weights of the elements: The next point to understand is whether each of the elements are equally weighted, or do they have differential relevance or importance in the overall matter being assessed. For example, if the subject matter of assessment is “quality of minuting”, compliance with law and standards may be perceived as having a higher weight than, say, comprehensiveness or ease of understanding. The task of assigning weights may, once again, become qualitative – therefore, it is necessary to have a methodical approach towards the weights as well. The weights may be determined based on, in descending order, whether the element may result in penal consequence or reputational loss, whether it may undermine controls or the correctness or reliability of the subject matter, whether it is good to have but not must to have, etc.
  3. Ingredients or check points for each element: The check-points for each element need to be an even more granular list of the activities, processes, policies, etc. that make up the respective element. For instance, in the context of PIT controls, the check points under DP management may include the manner of categorizing DPs, the periodicity of updating the list of DPs, maintenance of the DP database, etc.
  4. Scores: Once the base work w.r.t. creation of the assessment list is done, actual scores are required to be assigned based on the level of performance of the company on the given check-point. Depending on whether the assessment is a risk assessment, compliance assessment or process review, a scoring parameter may be created, for instance: 
     Scoring parameter                                   Score
     Not compliant / no practice exists for the same     0
     Meeting minimum compliance / practice               1
     Good practices (indicates industry practice)        2
     Gold practices (indicates leadership practices)     3
  5. Weighted score: The score allotted to each check-point has to be multiplied by the weight assigned to that check-point, to arrive at the weighted score of the respective check-point. For instance, assume there are five check-points in an element; the weighted scores can be derived as below:

     Check-point   Weight        Score         Weighted score
     A1            1             3 (maximum)   3
     A2            2             0 (minimum)   0
     A3            3             3 (maximum)   9
     A4            3             2             6
     A5            1 (minimum)   2             2
     Total         12                          20
  6. Maximum score and actual score: The weighted scores obtained against each check-point of an assessment element sum up to form the actual score of that element. The same is to be compared against the maximum score for the element, and expressed as a percentage. For instance, in the aforesaid table, the actual score of the element, let’s say ‘A’, that is made up of ‘A1’ to ‘A5’, sums up to 20. The maximum score that can be obtained for the element ‘A’ is the maximum score for a check-point (3) multiplied by the maximum weight (3), i.e., 9, multiplied by the total number of check-points (5), i.e. 45. Based on the aforesaid, the percentage score of the element can be calculated as = (Actual score / Maximum score) * 100.
  7. Radar chart: Once the scores are assigned, and the percentage score for each element has been calculated, the same can be expressed in the form of a radar chart. Below is an example of a compliance radar:

In the picture above, (0-25) is the area of non-compliance, depicting lapses in meeting the minimum legal requirements. (26-50) is the area of meeting the minimum compliance with law, (51-75) indicates that the company is moving towards the general industry practices, and a score beyond 75 shows that the company is adopting leadership practices in the respective compliance area. 
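The scoring procedure above (weights, scores, weighted score, maximum score, percentage and radar band), worked through for the five check-points of element ‘A’ from the table. This is an added example and not code from the original article; the band labels are shortened forms of the bands described in the text, and the range checks are an assumption added so that a mis-keyed weight or score cannot silently inflate an element’s percentage.

```python
"""Compliance-o-meter: weighted scoring of check-points into an element score.

Encodes the article's method:
  - each check-point gets a weight 1..3 and a score 0..3 (scoring parameter table),
  - weighted score = weight * score,
  - element actual score = sum of the weighted scores,
  - element maximum score = 3 (max score) * 3 (max weight) * number of check-points,
  - percentage = actual / maximum * 100, then placed in a radar band.
"""
from __future__ import annotations

from dataclasses import dataclass

SCORE_MIN, SCORE_MAX = 0, 3    # 0 = not compliant ... 3 = gold (leadership) practice
WEIGHT_MIN, WEIGHT_MAX = 1, 3  # 1 = good-to-have ... 3 = penal / reputational consequence


@dataclass(frozen=True)
class Checkpoint:
    name: str
    weight: int
    score: int

    def __post_init__(self) -> None:
        # Assumption added here: reject values outside the article's scales so that a
        # typo in the score sheet cannot push an element above its true percentage.
        if not WEIGHT_MIN <= self.weight <= WEIGHT_MAX:
            raise ValueError(f"{self.name}: weight {self.weight} outside {WEIGHT_MIN}..{WEIGHT_MAX}")
        if not SCORE_MIN <= self.score <= SCORE_MAX:
            raise ValueError(f"{self.name}: score {self.score} outside {SCORE_MIN}..{SCORE_MAX}")

    @property
    def weighted_score(self) -> int:
        return self.weight * self.score


def actual_score(checkpoints: list[Checkpoint]) -> int:
    """Sum of the weighted scores of all check-points in one element."""
    return sum(cp.weighted_score for cp in checkpoints)


def maximum_score(checkpoints: list[Checkpoint]) -> int:
    """Max score per check-point (3) times max weight (3), times the number of check-points."""
    return SCORE_MAX * WEIGHT_MAX * len(checkpoints)


def percentage_score(checkpoints: list[Checkpoint]) -> float:
    if not checkpoints:
        raise ValueError("an element needs at least one check-point")
    return actual_score(checkpoints) / maximum_score(checkpoints) * 100


def radar_band(pct: float) -> str:
    """Map a percentage to the compliance radar bands described in the article.

    The article states the bands on whole numbers (0-25, 26-50, 51-75, above 75);
    fractional percentages are placed by upper bound (<=25, <=50, <=75, else top band).
    For a risk assessment the same arithmetic applies, but a higher score means more risk.
    """
    if not 0 <= pct <= 100:
        raise ValueError(f"percentage {pct} outside 0..100")
    if pct <= 25:
        return "non-compliance"
    if pct <= 50:
        return "minimum compliance"
    if pct <= 75:
        return "industry practice"
    return "leadership practice"


def assess(elements: dict[str, list[Checkpoint]]) -> dict[str, tuple[int, int, float, str]]:
    """Return {element: (actual, maximum, percentage rounded to 2 dp, band)} per element."""
    result = {}
    for name, cps in elements.items():
        pct = percentage_score(cps)
        result[name] = (actual_score(cps), maximum_score(cps), round(pct, 2), radar_band(pct))
    return result


# Element 'A' exactly as in the article's worked table: five check-points A1..A5.
ELEMENT_A = [
    Checkpoint("A1", weight=1, score=3),
    Checkpoint("A2", weight=2, score=0),
    Checkpoint("A3", weight=3, score=3),
    Checkpoint("A4", weight=3, score=2),
    Checkpoint("A5", weight=1, score=2),
]

if __name__ == "__main__":
    for element, (actual, maximum, pct, band) in assess({"A": ELEMENT_A}).items():
        print(f"{element}: {actual}/{maximum} = {pct}% -> {band}")
```

Feeding each element's tuple into a plotting library gives the radar chart; the percentage values are what go on the axes.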

A risk assessment chart may be similarly formed, wherein, a higher score indicates a higher level of risk. Also see an article on Compliance Risk Assessment

Other Related Resources –
  1. Compliance Risk Assessment – Guidance for implementation by NBFCs
  2. Risk Management Function of NBFCs – A Need to Integrate Operational Risk Management & Resilience

Risk Management Function of NBFCs – A Need to Integrate Operational Risk Management & Resilience 

An examination of the RBI Guidance Note on Operational Risk Management and Resilience

Subhojit Shome & Archisman Bhattacharjee | finserv@vinodkothari.com


Related articles –

12th Securitisation Summit

The who’s who of structured finance is joining the 12th edition of our flagship event, the Securitisation Summit on May 15, 2024, in Mumbai. Be shoulder-to-shoulder with leading originators, investors, lawyers, rating agencies, consultants, regulators, mediators, market makers, and everyone else who matters.

For details of the event and to book your seat, please visit our Summit page – HERE

Credit Underwriting Models: Need for Validation

– Team Finserv, finserv@vinodkothari.com



Other related resources:

  1. Crowdfunding platforms – risks and concerns in the Indian context
  2. Commercial Real Estate exposures: Lending risks and Regulatory focus
  3. NBFC- Enterprise Risk Assessment
  4. Compliance Risk Assessment
  5. Understanding ICAAP for NBFCs
  6. KYC/AML risk categorisation of customers

IT Governance, Risk, Controls and Assurance Practices Direction, 2023

Analysis of Impact on Financial Sector Entities

Kaushal Shah & Subhojit Shome | finserv@vinodkothari.com


Read our other resources

  1. RBI regulates outsourcing of IT Services by financial entities
  2. Draft Master Direction on IT Governance, Risk, Controls and Assurance Practices
  3. Erstwhile Directions on IT Framework for the NBFC Sector – RBI keen on implementing several operational requirements

Access our resource centre on SBR Framework :

KYC/AML risk categorisation of customers

Key Points as per the RBI’s Directions on Risk Management under the KYC and PML Regime

-Anita Baid | Vice President | anita@vinodkothari.com

In line with the Reserve Bank of India’s (RBI) directions on risk management under the Know Your Customer (KYC) norms and Anti-Money Laundering (AML) standards, Non-Banking Financial Companies (NBFCs) are required to categorize their customers into low, medium, and high-risk categories. This risk categorization plays a crucial role in determining the level of due diligence to be undertaken by the NBFC while establishing and maintaining relationships with customers. Here are some key points to consider regarding the risk categorization process for legal entities (corporate borrowers, LLPs, trusts, etc.) as well as for individual borrowers:


NBFC- Enterprise Risk Assessment

-Subhojit Shome, Assistant Manager | finserv@vinodkothari.com

Our Youtube video on the topic can be accessed here – https://www.youtube.com/watch?v=7EFeIdb-Wkc

RISK MANAGEMENT POLICY– A tool of risk management

Ridhima Jain | Executive | corplaw@vinodkothari.com


As in case of life, so also in business, risks are unavoidable. However, large organisations cannot afford to have a casual and pro-tem approach to risk management, as severity of some of the risks may cause significant erosion to shareholder value, even to the extent of affecting the solvency and liquidity of companies. Therefore, every company has to methodically identify, analyse, grade, mitigate and manage risks comprehensively. As size and complexity of organisations have increased, so also the need for proper risk management.

Risk management policy may be taken as a perfunctory compliance, and therefore, may be just a document that sits on the website of the company. On the other hand, a proper approach may be to use the risk management policy as the contextual document which assimilates the company’s approach to risk management, and may continuously act as the guide to the executive management.

Risk refers to the uncertainty in transactions undertaken by an organisation, which may be measured in terms of deviation from predetermined targets or the probability of loss or inadequate profits. Risks range from financial to non-financial. Financial risks have an immediate bearing on the finances of an organisation and may be in the form of credit risk, liquidity risk, operational risk or obsolescence risk. On the other hand, non-financial risks may be classified as strategic risks, compliance risks, fraud risks and reputation risks. Risk, by its very nature, is an inherent part of every business, and its intensity only grows with accelerating globalisation and digitalisation. This becomes evident from the increasing importance of the risk management function at the strategy-making table of the concerned entities.

In this article, the author dwells on the importance of risk management framework for any organisation and also discusses the components of an ideal risk management policy.  What goes in a risk management policy holds a fair amount of significance as the entire risk management framework is structured on the basis of the policy formulated in this regard.

In this context, risk management refers to the process followed by an organisation to identify, understand and evaluate the risks faced by it and effectively mitigate the detected risks. It may be construed as a macro process comprising various micro processes like risk identification, risk analysis, risk assessment and risk mitigation.

The rise in importance of risk management may be attributed to the realisation that any transaction may be fruitless if the underlying risk goes unrecognised. Unrecognised risks are more dreadful than recognised risks and any risk for which the organisation is not prepared for, may become unmanageable at the later stage of the process. An efficient risk management framework also facilitates development of a robust contingency plan and helps save costs, which the organisation may have spent on firefighting the risk.

Failures arising out of poor risk management have persistently resulted in the downfall of big corporates. Examples include Nokia, which failed to determine an appropriate strategy for its business and surrendered to strategic risks, or Satyam Computers, which failed to manage fraud risks. Similarly, regulators like the RBI have imposed monetary penalties on NBFCs and banks for their inability to effectively address compliance risks. Such actions are not limited to monetary penalties: in the case of Srei Infrastructure Finance Limited the regulator took the company to the NCLT to initiate a resolution process against it.

Approach towards risk management

It is important to approach risks in a suitable manner, as that serves the spirit underlying the risk management framework. The manner of approaching risk is an organisation-specific element, driven by numerous factors such as the risks faced by the industry in which it operates. Even after determining the risks faced by an industry, the risk approach would be influenced by the functioning model of the particular organisation. For instance, a bank’s risk mitigation strategy may be primarily focussed on credit risks whilst a trading company may focus on operational risks. However, a trading company having international operations may give equal weightage to currency and legal risks.

Even though the risk approach of an organisation differs, an ideal approach should determine key risks after considering both external and internal influencing factors. Along with this, for efficient management of risk, the approach should combine a “top-down approach”, by which the management philosophy is clearly communicated to grass-root level employees, with a “bottom-up approach”, by which risks detected by employees at each level are communicated to the top management. The two-way approach will foster a risk-aware culture throughout the organisation.

The primary responsibility of the risk management function may be reposed on the board of directors or the risk management committee. Apart from the companies mandatorily required to formulate a risk management committee, other companies may also formulate such committee to give undivided attention to the risk management function. Also, companies may formulate sub teams whose main role may be to handle specific risks which may be significant for the company. For instance, an organisation engaged in the FMCG segment may constitute a commodity risk management team for managing volatility in commodity prices. Further, an organisation may constitute a separate policies or separate committee altogether for specific risks. For instance, an organisation may formulate business risk and assurance committees to specifically review business and strategic risks.

All in all, an organisation’s approach towards risk management is primarily influenced by the importance it gives to the risk management function and relevance of the risks to its operations. Accordingly, risk management policy of the organisation should be framed to reflect the approach adopted by  it towards the risks faced by it.

Risk Management Policy

A risk management policy may be construed as a document regulating the risk management function in an organisation. Having discussed the importance of risk management, we understand that the function is imperative and flows through every department in an organisation. Every employee in the organisation should be made aware of the flow of the risk management process, which is ensured by a well documented risk management policy. In essence, such a policy provides a comprehensive guide to the risk philosophy of the organisation. The policy lays down the foundation on which the whole enterprise risk management (‘ERM’) framework is built. Once the ERM has been set up, the policy facilitates integration and gives direction to the efforts of all personnel in the organisation towards achieving common risk management goals, such as minimisation of the adverse impacts of a project or exploring emerging opportunities.

Contents of risk management policy

Considering the contents of risk management policy, the coverage of the policy should be broad to provide an enhanced scope towards the function. That is, the policy should provide for all the foreseeable risks that the organisation may face in its future.

Further, the policy should not  simply be a document, incorporating or rather reiterating the regulatory requirements, but it should also encompass the probable risk areas. An ideal policy would include:

  • Brief background of the organisation: Discussion of the background of the organisation would provide an enhanced understanding about the source of risks arising in the course of the business.
  • Objectives and importance of the policy: Whilst performing any activity, besides knowing what is to be done, it is equally important to understand why it is being done. Discussion on the objectives of the policy would give a vision to the reader and enhance the meaning of the upcoming contents of the policy.
  • Applicability and effective date: Prior to understanding any framework it is essential to understand the operations it covers and the date from which it is applicable.
  • Requirements as per the statute: An insight into the regulator’s expectations regarding the risk management policy would significantly influence the policy of the organisation. For instance, the Companies Act, 2013 prescribes that the audit committee of a company shall evaluate the risk management systems. Similarly, the independent directors, as well, should provide independent judgment on issues like risk management and are responsible for the integrity of the risk management system.

In this regard, SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (‘SEBI (LODR) Regulations, 2015’) also vests enormous responsibilities on the board of directors of the listed entity. Apart from framing a risk management plan, the board of directors are also responsible for defining roles and responsibilities of the risk management committee.

Some of the mandatory compliances with respect to risk management policy are discussed in the forthcoming paragraphs.

  • Risks faced by the organisation: Categories of risks faced by the organisation, along with particular risks and descriptions thereof, should be clearly specified in the policy. Such specifications would acquaint the reader with the intent behind the entire risk management framework.
  • Hierarchy of risk management: Establishment of such a hierarchy is essential for an efficient risk management culture as it provides for an effective flow of risk information. Along with the structure, the roles, responsibilities and accountabilities of the hierarchy elements should be clearly defined. More particularly, the composition of the risk management committee and particulars of the appointment of the chief risk officer should be enunciated in the policy. A broad idea of an ideal hierarchy is shown in the following diagram.

  • Risk reporting: The policy should clearly specify which risks will be reported, how the risks will be reported and to whom in the risk hierarchy they will be reported. This may be seen as an important element of the whole framework, as it is obvious that not every risk arising will have an impact on the organisation. Thus, reporting of such minor risks may waste the time and effort of the personnel involved.
  • Treatment of different types of risks: The organisation may specify the treatment of risk on the basis of classifications made by it. For this purpose, risks may be broadly classified as controllable or uncontrollable risks, and inherent or residual risks.
  • Business continuity plan: The organisation should indicate the development of such plans in its risk management policy. The plan should cover recovery plans after any major disruption faced by the organisation. A mention of such a plan would assure the policy users of the organisation’s preparedness for risks arising in all perceivable circumstances.
  • Risk management process: The central element of the framework typically involves the procedure for risk management in the organisation. Ideally the risk management process should be carried out in the following manner:

For instance, when considering fraud risks, firstly, lacunas in the organisational structure wherein fraud may be perpetrated are identified. The identified areas turn out to be the origin of fraud risk. Secondly, an analysis is made as to what is the probability that the risks will materialise. Any risk with high probabilities should be given due attention. Thirdly, the impact on the organisation when the risk materialises should be assessed. The output from this stage is used to prioritise risks according to their probability of occurrence and their impact. Finally, risks are mitigated by adopting a suitable risk mitigation strategy.

  • Risk management tools: The organisation may provide a description of the tools utilised by it in the process of risk management. Common tools used by organisations are:

    – Assessment matrix: The matrix highlights the velocity of the risks faced by the organisation. It also suggests the impact of the potential risk on the various functions of the department, which are measured by the assignment of specific scores. The criteria for assignment of scores may also be specified in the report.
    – Stress tests: Organisations conduct stress tests to study the impact of risks materialising. Stress tests are mandated for banks and NBFCs in India.
    – Risk registers: These are registers wherein all estimated risks and actual risks faced by the organisation are recorded along with details such as risk category, likelihood of occurrence, impact and the suggested mitigation plan.
    – Department-wise risk summary: The organisation may, after identifying the risks faced by it as a whole, further bifurcate them into risks faced by individual departments.

  • Review of risk management tools: Apart from the regular risk reporting, the results derived from risk management tools may be reviewed periodically to ensure that no risk element goes undetected. For example, there may be provisions for submission of a report on the risk register on a half-yearly basis. In this regard, formats for such submissions and a calendar accommodating timelines for all submissions may be incorporated in the policy.
  • Risk audit: Even though the risk management function is a complete function, its efficiency is enhanced when integrated with internal audit. Audit of the risk management framework provides assurance regarding the framework and brings to light deficiencies in it. It also indicates the level of effectiveness of internal controls.
  • Periodicity of review: The intervals at which the policy will be reviewed should be clearly specified, and a schedule should be attached describing the intricacies of amendment.
  • Dissemination of the policy: The manner and channels used for disclosing the policy should be expressly mentioned.


Regulatory prescriptions regarding risk management policy

In addition to the aforesaid, it is mandatory to comply with the broad guidelines laid down by the specific regulators governing an organisation, which are summarised below:

The Companies Act, 2013: Section 134(3)(n) of the Companies Act, 2013 prescribes that the report of the board of directors shall contain a statement regarding the risk management policy of the company. Such policy should cover all elements of risk, including in particular those elements of risk which may threaten the existence of the company.

Securities and Exchange Board of India: Regulation 17 of the SEBI (LODR) Regulations, 2015 reposes responsibility of framing and implementing the risk management plan on the board of directors of the company. Further, Schedule II of the Regulations prescribes that the risk management committee is responsible for laying down a detailed risk management policy which shall mandatorily include:

  • Framework for identification of risk particularly financial, operational, sectoral, sustainability (particularly, ESG related risks), information, cyber security risks.
  • Business continuity plan of the company.
  • Risk mitigation systems and internal control processes for mitigation of detected risks.

Also, the committee has the responsibility of overseeing implementation of risk management policy and periodic review of the same.

Reserve Bank of India: In the context of NBFCs, the regulator lays specific stress on the liquidity risk management framework to be adopted by the NBFCs to which it applies. For this purpose, a liquidity risk management policy is to be laid down by the board of directors of the NBFC, which shall provide for:

  • Manner of maintaining liquidity at all times;
  • Entity-level liquidity risk tolerance limits;
  • Funding strategies to be adopted by the NBFC to maintain its liquidity levels;
  • Prudential limits;
  • System for periodic review of liquidity of the NBFC and assumptions used in liquidity projection;
  • Framework for stress testing;
  • Contingent funding plan;
  • Nature and frequency of management reporting.

Further, both banks and NBFCs are required to constitute an asset liability committee to maintain a balance between the asset and liability sides of the organisation. However, a distinction lies in their frameworks: liquidity is the most stressed point for NBFCs, whereas for banks the RBI has laid out a more comprehensive “risk appetite framework”, which prescribes that risks be managed at an aggregated level rather than being restricted to a specific risk or function. Among other specifications, the framework requires risks to be considered from a qualitative as well as a quantitative perspective. The prescribed framework aims to mitigate financial risks, more specifically interest rate and liquidity risks.

The gravity of the framework can be gauged simply by looking at the strict composition and quorum requirements of the risk management committee. In this regard, the RBI has also prescribed an “Internal Capital Adequacy Assessment Process”, in line with the Basel norms, to be laid down at the individual bank level as well as at the group level to analyse the significant risks faced by banks. This may be considered the most meticulous prescription by a regulator regarding a risk management framework, the reason being obvious: banks play a pivotal role in the capital flow of the economy.

Insurance Regulatory and Development Authority of India: The regulator, vide its corporate governance guidelines for insurers, places the responsibility for laying down a risk management framework and a risk policy on the risk management committee of the insurer. Specific stress has been laid on the management of fraud risk faced by the insurer.

Conclusion

From the foregoing, we derive that risk management plays a crucial role in an organisation’s functioning. Thus, it is essential to have a sound risk management system, and such a system arises from a well-drafted risk management policy. It is safe to say that the risk management policy is the first step towards building a risk management framework. However, merely establishing a risk management policy does not assure a sound risk management framework; the execution of the plan so laid down is an equally important aspect to be looked at.


Our other resources can be accessed below:

  1. Risk-based Internal Prescription for Audit Function – https://vinodkothari.com/2021/03/risk-based-internal-prescription-for-audit-function/
  2. Liquidity Risk Framework: A snapshot – https://vinodkothari.com/2019/11/liquidity-risk-framework/
  3. Chief Risk Officer: Strengthening risk management practices – https://vinodkothari.com/2019/05/chief-risk-officer-cro/
  4. Clubbing of Committees – https://vinodkothari.com/wp-content/uploads/2017/03/Clubbing_of_Committees-1.pdf