Posts

Compliance-o-meter: From abstraction to structured granular assessment

– Vinod Kothari and Payal Agarwal | corplaw@vinodkothari.com 

In risk assessment, effectiveness testing, compliance management, or other areas where qualitative assessment is required, one may be making abstract statements like: we have very effective controls; we have strong risk management practices; we have the best of the practices in compliance management, etc. However, very often, these may be pure abstractions. How do we use a structured approach which may allow us to give a more granular, methodical approach to benchmark ourselves?

Unlike quantitative parameters, there are no set methods or approaches to qualitative assessment. However, every qualitative assessment is also backed by identifying the elements that need to be studied, the ingredients or the check points in each of these elements, the weights of the respective elements in the overall assessment framework, assignment of scores based on the weights and observations for each of the checkpoints, eventually coming to an aggregate score. That is, a purely qualitative assessment may be converted into a score sheet.

One may create one’s own methodology; here is a suggested one. Before proceeding with the methodology, one may submit that the same methodology that may be used for effectiveness assessment may also be used for risk assessment. A good score in effectiveness is a positive indicator; a high score in risk assessment is a threat.

The suggested assessment methodology involves:

  1. Identification of elements: Every assessment can be decomposed into the elements that underlie it. Take a very easy example, say, the quality of board minutes prepared in a large company. The quality is purely an abstraction, which can be granularly split into, at the least, the timeliness of minuting, comprehensiveness, ease of understanding, compliance with the law and standards, etc. Similarly, if one refers to the effectiveness of controls on insider trading, one may decompose the overall control into several elements such as identification of UPSI, sharing of UPSI, management of Designated Persons, codes and policies, etc. Note that the more granular the elements, the better the final result.
  2. Weights of the elements: The next point to understand is whether all the elements are equally weighted, or whether they have differential relevance or importance in the overall matter being assessed. For example, if the subject matter of assessment is “quality of minuting”, compliance with law and standards may be perceived as having a higher weight than, say, comprehensiveness or ease of understanding. The task of assigning weights may, once again, become qualitative – therefore, it is necessary to have a methodical approach towards the weights as well. The weights may be determined based on, in descending order, whether the element may result in penal consequence or reputational loss, whether it may undermine controls or the correctness or reliability of the subject matter, whether it is good to have but not a must-have, etc.
  3. Ingredients or check-points for each element: The check-points for each element need to be an even more granular list of the activities, processes, policies, etc. that make up the respective element. For instance, in the context of PIT controls, the check-points under DP management may include the manner of categorising DPs, the periodicity of updating the list of DPs, maintenance of the DP database, etc.
  4. Scores: Once the base work with respect to creation of the assessment list is done, actual scores are to be assigned based on the level of performance of the company on the given check-point. Depending on whether the assessment is a risk assessment, compliance assessment or process review, a scoring parameter may be created, for instance:

Scoring parameter                                  Score
Not compliant / no practice exists for the same    0
Meeting minimum compliance / practice              1
Good practices (indicates industry practice)       2
Gold practices (indicates leadership practices)    3
  5. Weighted score: The score allotted to each check-point has to be multiplied by the weight assigned to that check-point, to arrive at the weighted score of the respective check-point. For instance, assuming there are five check-points in an element, the weighted scores can be derived as below:

Check-points   Weights        Scores         Weighted score
A1             3 (maximum)    1              3
A2             2              0 (minimum)    0
A3             3              3 (maximum)    9
A4             3              2              6
A5             1 (minimum)    2              2
Total          12                            20
  6. Maximum score and actual score: The weighted scores obtained against each check-point of an assessment element sum up to form the actual score of that element. This is compared against the maximum score for the element and expressed as a percentage. For instance, in the table above, the actual score of the element, say ‘A’, made up of ‘A1’ to ‘A5’, sums up to 20. The maximum score obtainable for element ‘A’ is the maximum score for a check-point (3) multiplied by the maximum weight (3), i.e. 9, multiplied by the total number of check-points (5), i.e. 45. Based on this, the percentage score of the element is calculated as (Actual score / Maximum score) × 100.
  7. Radar chart: Once the scores are assigned and the percentage score for each element has been calculated, the results can be expressed in the form of a radar chart. Below is an example of a compliance radar:

In the picture above, (0-25) is the area of non-compliance, depicting lapses in meeting the minimum legal requirements. (26-50) is the area of meeting the minimum compliance with law, (51-75) indicates that the company is moving towards the general industry practices, and a score beyond 75 shows that the company is adopting leadership practices in the respective compliance area. 
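The seven-step methodology above, implemented as an added example (this is not code from the article): it reproduces the element ‘A’ table, derives the actual, maximum and percentage scores, and maps each element onto the radar bands. The numeric mapping of the weight criteria onto the 1 to 3 scale, and the placement of fractional percentages that fall between two integer bands, are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Step 4 scoring parameter: 0 not compliant, 1 minimum compliance, 2 good
# (industry) practice, 3 gold (leadership) practice.
MAX_SCORE = 3
# Step 2 weights: 1 (minimum) .. 3 (maximum), as in the article's table.
MIN_WEIGHT, MAX_WEIGHT = 1, 3
# ASSUMPTION: the article ranks weight criteria in descending order but gives
# no numbers; this maps them onto its 1..3 weight scale.
WEIGHT_FOR_CRITERION = {
    "penal consequence or reputational loss": 3,
    "undermines controls or reliability of the subject matter": 2,
    "good to have but not must have": 1,
}

@dataclass(frozen=True)
class Checkpoint:
    name: str
    weight: int  # step 2: relevance of the check-point
    score: int   # step 4: observed level of performance

    def __post_init__(self) -> None:
        if not MIN_WEIGHT <= self.weight <= MAX_WEIGHT:
            raise ValueError(f"{self.name}: weight {self.weight} not in {MIN_WEIGHT}..{MAX_WEIGHT}")
        if not 0 <= self.score <= MAX_SCORE:
            raise ValueError(f"{self.name}: score {self.score} not in 0..{MAX_SCORE}")

    @property
    def weighted_score(self) -> int:
        return self.weight * self.score  # step 5

def actual_score(checkpoints: list[Checkpoint]) -> int:
    return sum(c.weighted_score for c in checkpoints)  # step 6: weighted scores summed

def maximum_score(checkpoints: list[Checkpoint]) -> int:
    return MAX_SCORE * MAX_WEIGHT * len(checkpoints)  # step 6: 3 x 3 per check-point

def percentage_score(checkpoints: list[Checkpoint]) -> float:
    if not checkpoints:
        raise ValueError("an element needs at least one check-point")
    return 100.0 * actual_score(checkpoints) / maximum_score(checkpoints)

def compliance_band(pct: float) -> str:
    # Step 7 radar bands. The article uses integer ranges (0-25, 26-50, ...);
    # a fractional score between two ranges goes to the lower band (assumption).
    if pct <= 25:
        return "non-compliance (0-25)"
    if pct <= 50:
        return "minimum compliance (26-50)"
    if pct <= 75:
        return "industry practice (51-75)"
    return "leadership practice (above 75)"

def assess(elements: dict[str, list[Checkpoint]]) -> dict[str, dict]:
    # One radar axis per element: actual, maximum, percentage and band.
    out = {}
    for name, cps in elements.items():
        pct = percentage_score(cps)
        out[name] = {"actual": actual_score(cps), "maximum": maximum_score(cps),
                     "percent": round(pct, 2), "band": compliance_band(pct)}
    return out

# Element 'A' exactly as tabulated in the article (weights and scores).
ELEMENT_A = [
    Checkpoint("A1", weight=3, score=1),
    Checkpoint("A2", weight=2, score=0),
    Checkpoint("A3", weight=3, score=3),
    Checkpoint("A4", weight=3, score=2),
    Checkpoint("A5", weight=1, score=2),
]

if __name__ == "__main__":
    print(assess({"A": ELEMENT_A}))
```

For a risk assessment the same arithmetic applies, but the percentage is read the other way round: a higher figure means a higher level of risk.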

A risk assessment chart may be similarly formed, wherein a higher score indicates a higher level of risk. Also see our article on Compliance Risk Assessment.

Other Related Resources –
  1. Compliance Risk Assessment – Guidance for implementation by NBFCs
  2. Risk Management Function of NBFCs – A Need to Integrate Operational Risk Management & Resilience

Risk Management Function of NBFCs – A Need to Integrate Operational Risk Management & Resilience 

An examination of the RBI Guidance Note on Operational Risk Management and Resilience

Subhojit Shome & Archisman Bhattacharjee | finserv@vinodkothari.com


Related articles –

12th Securitisation Summit

The who’s who of structured finance is joining the 12th edition of our flagship event, the Securitisation Summit on May 15, 2024, in Mumbai. Be shoulder-to-shoulder with leading originators, investors, lawyers, rating agencies, consultants, regulators, mediators, market makers, and everyone else who matters.

For details of the event and to book your seat, please visit our Summit page – HERE

IT Governance, Risk, Controls and Assurance Practices Direction, 2023

Analysis of Impact on Financial Sector Entities

Kaushal Shah & Subhojit Shome | finserv@vinodkothari.com


Read our other resources

  1. RBI regulates outsourcing of IT Services by financial entities
  2. Draft Master Direction on IT Governance, Risk, Controls and Assurance Practices
  3. Erstwhile Directions on IT Framework for the NBFC Sector – RBI keen on implementing several operational requirements

Access our resource centre on the SBR Framework:

Risk-based Internal Audit for NBFCs – Applicability & Implementation

– Subhojit Shome, Assistant Manager | subhojit@vinodkothari.com


Read our other resources on RBIA here:

  1. Risk-based Internal Prescription for Audit Function

RISK MANAGEMENT POLICY– A tool of risk management

Ridhima Jain | Executive | corplaw@vinodkothari.com


As in life, so also in business, risks are unavoidable. However, large organisations cannot afford to have a casual and pro-tem approach to risk management, as the severity of some risks may cause significant erosion of shareholder value, even to the extent of affecting the solvency and liquidity of companies. Therefore, every company has to methodically identify, analyse, grade, mitigate and manage risks comprehensively. As the size and complexity of organisations have increased, so has the need for proper risk management.

Risk management policy may be taken as a perfunctory compliance, and therefore, may be just a document that sits on the website of the company. On the other hand, a proper approach may be to use the risk management policy as the contextual document which assimilates the company’s approach to risk management, and may continuously act as the guide to the executive management.

Risk refers to the uncertainty in transactions undertaken by an organisation, which may be measured in terms of deviation from predetermined targets or probability of loss or inadequate profits. Risk ranges from financial to non-financial risks. Financial risks have an immediate bearing on the finances of an organisation and may be in the form of credit risks, liquidity risks, operational risks or obsolescence risk. On the other hand, non-financial risks may be classified as strategic risks, compliance risks, fraud risks and reputation risks. Risk, by its very nature, is an inherent part of every business and its intensity only proliferates with accelerating globalisation and digitalisation. This becomes evident from the increasing importance of the risk management function at the strategy-making table of the concerned entities.

In this article, the author dwells on the importance of risk management framework for any organisation and also discusses the components of an ideal risk management policy.  What goes in a risk management policy holds a fair amount of significance as the entire risk management framework is structured on the basis of the policy formulated in this regard.

In this context, risk management refers to the process followed by an organisation to identify, understand and evaluate the risks faced by it and effectively mitigate the detected risks. It may be construed as a macro process comprising various micro processes like risk identification, risk analysis, risk assessment and risk mitigation.

The rise in importance of risk management may be attributed to the realisation that any transaction may be fruitless if the underlying risk goes unrecognised. Unrecognised risks are more dreadful than recognised risks, and any risk for which the organisation is not prepared may become unmanageable at a later stage of the process. An efficient risk management framework also facilitates development of a robust contingency plan and helps save costs, which the organisation may otherwise have spent on firefighting the risk.

Failures arising out of poor risk management have persistently resulted in downfall of big corporates. Examples may include Nokia, which failed to determine appropriate strategy for their business and surrendered to strategic risks or Satyam Computers which failed to manage fraud risks. Certainly, regulators like the RBI have imposed monetary penalties on NBFCs and banks for their inability to effectively address compliance risks. Such actions are not limited to monetary penalties, as in case of Srei Infrastructure Finance Limited the regulator took the company to the NCLT to initiate a resolution process against it.

Approach towards risk management

It is important to approach risks in a suitable manner as it serves the spirit underlying the risk management framework. The manner of approaching risk is an organisation specific element, driven by numerous factors such as risk faced by the industry in which it operates. Even after determining risks faced by an industry, the risk approach would be influenced by the functioning model of the particular organisation. For instance, a bank’s risk mitigation strategy may be primarily focussed on credit risks whilst a trading company may focus on operational risks. However, a trading company having international operations may give equal weightage to currency and legal risks.

Even though the risk approach of an organisation differs, an ideal approach should determine key risks after considering both external and internal influencing factors. Further, for efficient management of risk, the approach should undertake a “top-down approach” by which management philosophy is clearly communicated to the grass-root level employees, as well as a “bottom-up approach” by which risks detected by employees at each level are communicated to the top management. The two-way approach will lead to fostering a risk-aware culture throughout the organisation.

The primary responsibility of the risk management function may be reposed on the board of directors or the risk management committee. Apart from the companies mandatorily required to formulate a risk management committee, other companies may also formulate such a committee to give undivided attention to the risk management function. Also, companies may formulate sub-teams whose main role may be to handle specific risks which may be significant for the company. For instance, an organisation engaged in the FMCG segment may constitute a commodity risk management team for managing volatility in commodity prices. Further, an organisation may constitute separate policies or a separate committee altogether for specific risks. For instance, an organisation may formulate business risk and assurance committees to specifically review business and strategic risks.

All in all, an organisation’s approach towards risk management is primarily influenced by the importance it gives to the risk management function and the relevance of the risks to its operations. Accordingly, the risk management policy of the organisation should be framed to reflect the approach adopted by it towards the risks faced by it.

Risk Management Policy

Risk management policy may be construed as a document regulating risk management function in an organisation. Having discussed the importance of risk management, we understand that the function is imperative and flows through every department in an organisation. Every employee in the organisation should be made aware of the flow of risk management process which is ensured by a well documented risk management policy. In essence, such policy provides a comprehensive guide to the risk philosophy of the organisation. The policy lays down a foundation on which the whole enterprise risk management (‘ERM’) is built. Once the ERM has been set up, the policy facilitates integration and gives direction to efforts of all the personnel in the organisation towards achieving common risk management goals such as minimisation of adverse impacts of a project or exploring unravelling opportunities.

Contents of risk management policy

Considering the contents of risk management policy, the coverage of the policy should be broad to provide an enhanced scope towards the function. That is, the policy should provide for all the foreseeable risks that the organisation may face in its future.

Further, the policy should not simply be a document incorporating or rather reiterating the regulatory requirements, but it should also encompass the probable risk areas. An ideal policy would include:

Brief background of the organisation: Discussion of the background of the organisation would provide an enhanced understanding about the source of risks arising in the course of the business.
Objectives and importance of the policy: Whilst performing any activity, besides knowing what is to be done, it is equally important to understand why it is being done. Discussion on the objectives of the policy would give a vision to the reader and enhance the meaning of the upcoming contents of the policy.
Applicability and effective date: Prior to understanding any framework it is essential to understand the operations it covers and the date from which it is applicable.
Requirements as per the statute: An insight into the regulator’s expectations regarding risk management policy would significantly influence the policy of the organisation. For instance, the Companies Act, 2013 prescribes that the audit committee of a company shall evaluate the risk management systems. Similarly, the independent directors, as well, should provide independent judgment on issues like risk management and are responsible for the integrity of the risk management system.

In this regard, SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (‘SEBI (LODR) Regulations, 2015’) also vests enormous responsibilities on the board of directors of the listed entity. Apart from framing a risk management plan, the board of directors are also responsible for defining roles and responsibilities of the risk management committee.

Some of the mandatory compliances with respect to risk management policy are discussed in the forthcoming paragraphs.

Risks faced by the organisation: Categories of risks faced by the organisation, along with particular risks and descriptions thereof, should be clearly specified in the policy. Such specifications would acquaint the reader with the intent behind the entire risk management framework.
Hierarchy of risk management: Establishment of such a hierarchy is essential for an efficient risk management culture as it provides for an effective flow of risk information. Along with the structure, the roles, responsibilities and accountabilities of the hierarchy elements should be clearly defined. More particularly, the composition of the risk management committee and the particulars of appointment of the chief risk officer should be enunciated in the policy. A broad idea of an ideal hierarchy is shown in the following diagram.

Risk reporting: The policy should clearly specify which risks will be reported, how the risks will be reported and to whom the risks will be reported in the risk hierarchy. This may be seen as an important element of the whole framework, as it is obvious that every risk arising may not have an impact on the organisation. Thus, reporting of such minor risks may waste the time and effort of the personnel involved.
Treatment of different types of risks: The organisation may specify the treatment of risk on the basis of classifications made by it. For this purpose, risks may be broadly classified as controllable or uncontrollable risks, inherent or residual risks.
Business continuity plan: The organisation should indicate the development of such plans in its risk management policy. The plan should cover recovery plans after any major disruption faced by the organisation. A mention of such a plan would assure the policy users of the organisation’s preparedness for risks arising in all perceivable circumstances.
Risk management process: The central element of the framework typically involves the procedure for risk management in the organisation. Ideally the risk management process should be carried out in the following manner:

For instance, when considering fraud risks, firstly, lacunas in the organisational structure wherein fraud may be perpetrated are identified. The identified areas turn out to be the origin of fraud risk. Secondly, an analysis is made as to what is the probability that the risks will materialise. Any risk with high probabilities should be given due attention. Thirdly, the impact on the organisation when the risk materialises should be assessed. The output from this stage is used to prioritise risks according to their probability of occurrence and their impact. Finally, risks are mitigated by adopting a suitable risk mitigation strategy.

Risk management tools: The organisation may provide a description of the tools utilised by it in the process of risk management. Common tools used by organisations are:

–  Assessment matrix: The matrix highlights the velocity of the risks faced by the organisation. It also suggests the impact of the potential risk in the various functions of the department, which are measured by assignment of specific scores. The criteria for assignment of scores may also be specified in the report.

–  Stress tests: Organisations conduct stress tests to study the impact of risks getting materialised. Stress tests are mandated for banks and NBFCs in India.

–  Risk registers: These are registers wherein all estimated risks and actual risks faced by the organisation are recorded along with details such as their risk category, likelihood of occurrence, impact and the suggested mitigation plan.

–  Department-wise risk summary: The organisation may, after identifying the risks faced by it as a whole, further bifurcate them into risks faced by individual departments.

Review of risk management tools: Apart from the regular risk reporting, the results derived from risk management tools may be reviewed periodically to ensure that no risk element goes undetected. For example, there may be provisions for submission of a report on the risk register on a half-yearly basis. In this regard, formats for such submissions and a calendar accommodating timelines for all submissions may be incorporated in the policy.
Risk audit: Even though the risk management function is a complete function, its efficiency is enhanced when integrated with internal audit. Audit of the risk management framework provides an assurance regarding the framework and brings to light deficiencies in the framework. It also indicates the level of effectiveness of internal controls.
Periodicity of review: The intervals at which the policy will be reviewed should be clearly specified, and a schedule should be attached to describe the intricacies of the amendment.
Dissemination of the policy: The manner and channels used for disclosing the policy should be expressly mentioned.


Regulatory prescriptions regarding risk management policy

In addition to the aforesaid, it is mandatory to comply with the broad guidelines laid by the specific regulators governing an organisation which may be read as:

The Companies Act, 2013: Section 134(3)(n) of the Companies Act, 2013 prescribes that the report of the board of directors shall contain a statement regarding the risk management policy of the company. Such policy should contain all the elements of risk, more particularly the elements of risk which may threaten the existence of the company.

Securities and Exchange Board of India: Regulation 17 of the SEBI (LODR) Regulations, 2015 reposes responsibility of framing and implementing the risk management plan on the board of directors of the company. Further, Schedule II of the Regulations prescribes that the risk management committee is responsible for laying down a detailed risk management policy which shall mandatorily include:

  • Framework for identification of risk particularly financial, operational, sectoral, sustainability (particularly, ESG related risks), information, cyber security risks.
  • Business continuity plan of the company.
  • Risk mitigation systems and internal control processes for mitigation of detected risks.

Also, the committee has the responsibility of overseeing implementation of risk management policy and periodic review of the same.

Reserve Bank of India: In the context of NBFCs, the regulator lays specific stress on the liquidity risk management framework to be adopted by applicable NBFCs. For this purpose, a liquidity risk management policy is to be laid down by the board of directors of the NBFC, which shall provide for:

  • Manner of maintaining liquidity at all times;
  • Entity-level liquidity risk tolerance limits;
  • Funding strategies to be adopted by the NBFC to maintain its liquidity levels;
  • Prudential limits;
  • System for periodic review of liquidity of the NBFC and assumptions used in liquidity projection;
  • Framework for stress testing;
  • Contingent funding plan;
  • Nature and frequency of management reporting.

Further, both banks as well as NBFCs are required to structure an asset liability committee to provide a balance between those two aspects of the organisation. However, the distinction lies in their framework: liquidity is the most stressed point for NBFCs, but in the case of banks, the RBI has laid out a more comprehensive “risk appetite framework” which prescribes risks to be managed at an aggregated level and not restricted to a specific risk or function. Apart from other specifications, the framework requires risks to be considered from the qualitative as well as the quantitative perspective. The prescribed framework aims to mitigate financial risks, more specifically interest rate and liquidity risks.

The gravity of the framework can be derived by solely looking at the strict composition and quorum requirements of the risk management committee. In this regard, the RBI has also prescribed an “Internal Capital Adequacy Assessment Process” in line with the Basel norms, to be laid down at individual bank level as well as at the group level to analyse significant risks faced by the banks. This may be considered as the most meticulous prescription by a regulator regarding the risk management framework, the reason being obvious, that the banks play a pivotal role in the capital flow of the economy.

Insurance Regulatory and Development Authority of India: The regulator, vide its corporate governance guidelines for insurers, reposed on the risk management committee of the insurer the responsibility of laying down a risk management framework and a risk policy. Specific stress has been laid on the management of fraud risk faced by the insurer.

Conclusion

From the foregoing, we derive that risk management plays a crucial role in an organisation’s functioning. Thus, it is essential to have a sound risk management system. Such a system arises from a well drafted risk management policy. It is safe to say that risk management policy is the first step towards building a risk management framework. However, merely establishing a risk management policy does not assure a sound risk management framework. The execution of the plan so laid down is an equally important aspect to be looked at.


Our other resources can be accessed below:

  1. Risk-based Internal Prescription for Audit Function – https://vinodkothari.com/2021/03/risk-based-internal-prescription-for-audit-function/
  2. Liquidity Risk Framework: A snapshot – https://vinodkothari.com/2019/11/liquidity-risk-framework/
  3. Chief Risk Officer: Strengthening risk management practices – https://vinodkothari.com/2019/05/chief-risk-officer-cro/
  4. Clubbing of Committees – https://vinodkothari.com/wp-content/uploads/2017/03/Clubbing_of_Committees-1.pdf