<p>Risk management is one of the top priorities for any CFO. Given the rapid changes in the business environment globally, both the nature and scope of risks are changing. At a recent India CFO Forum session in Hyderabad, Monish Chatrath, Managing Partner of MGC Global, discussed the broad principles of risk management, the imperatives for 2023, and the practices CFOs need to adopt in a post-Covid world.</p><h2>Understanding EWRM</h2><p>In India, enterprise-wide risk management (EWRM) emerged as a concept in 1999, following the publication of the Naresh Chandra Committee Report. Prior to this, risk management was a vague concept and its discourse was limited to financial or liquidity risk management. EWRM was further institutionalised with the 2006 revision of Clause 49 on corporate governance.</p><p>According to the Companies Act 2013, <em>all</em> organisations are required to have EWRM systems in place, with three specific provisions. The first relates to the role of the Board of Directors, the second to the role of the Audit Committee and the third to the role of independent directors. However, Section 134, which lays out the role of the Board, continues to be widely misunderstood. Specifically, the requirement of having ICFR (Internal Control over Financial Reporting) applies only to companies with revenues of more than Rs 50 crores, but many have misinterpreted this to mean that the <em>EWRM requirement as a whole</em> only applies to listed firms or those above this revenue threshold. In fact, it applies to <em>every</em> organisation.</p><h2>Best Practices On EWRM Implementation</h2><p><em><strong>Distinguish between risk, vulnerability and threat</strong></em></p><p>A <em>threat</em> is a macro-level event that cannot be eliminated.
A <em>vulnerability</em> is something intrinsic to the organisation or industry and can relate to an error in the design, implementation or operation of a system that <em>may</em> allow a threat to materialise, thus triggering a loss. <em>Risk</em>, on the other hand, is the likelihood that a vulnerability will be exploited and prove harmful to the organisation if not dealt with. For instance, attrition is a threat which may emerge from existing vulnerabilities within an organisation, such as outdated operational or HR processes, cultural issues, low pay, etc. Employees who get frustrated by these issues may leave the organisation, or worse, divulge important information to a competitor that they join.</p><p><em><strong>Identify your risks</strong></em></p><p>A combination of external research and readily available information can help identify key risks. The US SEC (Securities and Exchange Commission) performs a highly interactive role with those filing financial reports. It questions companies on their financial disclosures, including the risks they identify, and invites their comments on the same. This information is then compiled in a database, EDGAR, that is open to the public. SEBI has not yet implemented such processes, but companies should consider scanning databases like EDGAR and availing themselves of external reports and data to understand how companies such as theirs have handled enterprise-wide risks. It can also help to engage with external consultants, who might provide an objective view on existing EWRM processes and how to strengthen them.</p><p><em><strong>Identify and collate information from key stakeholders</strong></em></p><p>It is vital to identify all the relevant stakeholders and the most appropriate methods for gathering information from them. These can be divided into three segments: top management (including Board and Audit Committee members as well as CXOs); level-two leaders; and others (including important personnel).
One-on-one interviews and focus group meetings are the preferred means for surveying the first two groups, while for the third, questionnaires may work best. One should ask each group about the problems they face and use these inputs to map out the risks.</p><p><em><strong>Identify specific risk units</strong></em></p><p>Typically, individual businesses or business functions (payroll, audit, treasury) should be regarded as risk units. Each risk unit will have a risk register, and each risk register a risk owner. The risk register should ideally contain the information received from the interviews/surveys described above. It then falls upon the risk owner to tackle the risks facing his/her unit.</p><p><em><strong>‘Polarise’ your risks</strong></em></p><p>Polarisation refers to the process of weighing each risk in its relative order of importance to the business, along two scales: probability and impact. Usually, it is inadequate to frame the impact in terms of mere numbers – e.g., revenue, cash-flows, investment values etc. Rather, one should spell out what this might <em>mean</em> for the organisation and its future, such as in terms of operations, reputation, regulatory compliance, health and safety outcomes, the environment, and even the ability to attract and retain talent. Assigning a weightage to each impact area can help define the organisation’s risk appetite.</p><p>For example, a software company might face a 60% risk of a spike in attrition but a lower (e.g., 30%) risk of system failure. It is natural for the Risk Management Committee to tackle the risk of attrition first, but in fact, the risk-weighted <em>impact</em> of system failure could be much higher, despite its lower probability.
In this situation, mitigating the system failure risk should take precedence over attrition. Companies often grapple with whether to polarise on a gross level (i.e., after the probability and impact activity is done) or a residual level (before the polarisation activity is conducted). In such situations, it is advisable to analyse the risks and then see which mitigating steps, at which level, can best minimise them.</p><p><em><strong>Assess your risk-mitigating measures</strong></em></p><p>It is important to analyse whether the implemented risk mitigation measures cause the risks to be ‘under control’, ‘in control’ or ‘over control’. If a risk is over-controlled, it can stifle creativity and operations without improving process efficiency. Ultimately, risk management is not just about <em>mitigating</em> one’s current risks, but also about understanding the polarisation of risk in the foreseeable future. Audit Committees and CXOs often ask about the top 10 or 20 risks that the company faces. It is the Risk Management Committee's responsibility to supplement such lists with risks that are <em>not</em> currently on the list but are likely to be on it in the future.</p>
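<p>As an added illustration (not from the article or MGC Global), the following Python sketches a risk register polarised on probability and weighted impact across the impact areas named above, then classifies each risk's mitigated position against appetite. The area weights, severity scores, control effects and risk appetite are constructed; "gross" is taken here as the score before mitigation and "residual" the score after, and "under control" is read as under-controlled.</p>

```python
from dataclasses import dataclass
# Constructed weights for the impact areas named in the talk; together they
# express the organisation's risk appetite (not values from the article).
IMPACT_WEIGHTS = {"operations": 0.30, "reputation": 0.25, "compliance": 0.20,
                  "health_safety": 0.10, "environment": 0.05, "talent": 0.10}
RISK_APPETITE = 0.60        # constructed: residual score the Board tolerates
OVER_CONTROL_MARGIN = 0.50  # constructed: below this share of appetite, controls are excessive

@dataclass
class Risk:
    name: str
    unit: str              # risk unit (business or function) holding the register entry
    owner: str             # risk owner accountable for mitigation
    probability: float     # likelihood that the vulnerability is exploited, 0..1
    impact: dict           # per-area severity on a 1..5 scale; absent areas count as 0
    control_effect: float  # share of the gross score removed by implemented mitigations

    def weighted_impact(self) -> float:
        # Impact stated as what it means for the organisation, not as a single money figure.
        return sum(IMPACT_WEIGHTS[area] * sev for area, sev in self.impact.items())

    def gross_score(self) -> float:        # before mitigation
        return self.probability * self.weighted_impact()

    def residual_score(self) -> float:     # after mitigation
        return self.gross_score() * (1.0 - self.control_effect)

def polarise(register: list) -> list:
    # Rank risks by risk-weighted impact, highest first.
    return sorted(register, key=lambda r: r.gross_score(), reverse=True)

def control_status(risk: Risk) -> str:
    """Residual position against appetite: 'under control', 'in control' or 'over control'."""
    residual = risk.residual_score()
    if residual > RISK_APPETITE:
        return "under control"
    if residual < RISK_APPETITE * OVER_CONTROL_MARGIN:
        return "over control"
    return "in control"

# Constructed register mirroring the talk's example (attrition 60%, system failure 30%), plus a heavily controlled treasury risk for contrast.
REGISTER = [
    Risk("attrition spike", "HR", "CHRO", 0.60, {"operations": 2, "talent": 4, "reputation": 1}, 0.40),
    Risk("core system failure", "IT", "CIO", 0.30, {"operations": 5, "compliance": 4, "reputation": 4}, 0.20),
    Risk("petty cash misuse", "Treasury", "Treasurer", 0.20, {"operations": 1, "compliance": 1}, 0.90),
]

if __name__ == "__main__":
    for r in polarise(REGISTER):  # system failure ranks first despite its lower probability
        print(f"{r.name:20} gross={r.gross_score():.2f} residual={r.residual_score():.2f} {control_status(r)}")
```

<p>Running it ranks system failure (gross 0.99) above attrition (gross 0.75) even though attrition is twice as likely, and shows the treasury risk as over-controlled.</p>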