8/3/2019 Guide Note
1/34
GUIDANCE NOTE
ON
RISK MANAGEMENT
B.M. SHARMA
President
THE INSTITUTE OF COST AND WORKS ACCOUNTANTS OF INDIA
(Established by an Act of Parliament)
12, Sudder Street, Kolkata-700016
Phones: 91-33-2252-1021/34/35, 2252-1602/1492
Fax: 91-33-2252-7993/1026
E-mail: [email protected]
Website: www.icwai.org
Foreword
Across the world, Risk Management has increasingly become integral to the management of
businesses. In our country, while awareness of the need for proactive risk management is
growing steadily, actual progress has been limited. However our country is moving rapidly up a
growth curve in an increasingly borderless and turbulent world. While competitive forces
compel focus on better, faster, lower cost, steering a business in this exciting scenario
requires a thorough understanding of risks and their mitigation.
Members of our Institute have always played an active role in assisting managements to meet
the expectations of their stakeholders. The prime demand from stakeholders is improvement in
returns with minimum volatility. Effective management of risk is a prerequisite to meet this
need. This Guidance Note provides a comprehensive overview of the subject and will enable our
members to play a complementary role in enabling organizations to meet their stakeholders'
expectations.
It is heartening to note that the Professional Development Committee of our Institute has brought out this Guidance Note as our Institute's continued contribution towards enabling our
Members to enrich their organizations and remain contemporary with world trends. I place on
record my sincere appreciation to Shri Kunal Banerjee, Chairman of the Professional
Development Committee and to all the members of the Committee for overseeing the
preparation of this publication and to Shri Prodipto Banerjea, our member, who has authored it.
I also thank the PD Directorate and Studies Directorate for their contribution in bringing out this
publication timely. I hope the Regional Councils and Chapters will come forward to conduct
programmes to enable all our members to develop the required competence in this area.
With Best wishes,
B.M.Sharma
President
18th July, 2011
KUNAL BANERJEE
Chairman, Professional Development Committee
THE INSTITUTE OF COST AND WORKS ACCOUNTANTS OF INDIA
(Established by an Act of Parliament)
12, Sudder Street, Kolkata-700016
Phones: 91-33-2252-1021/34/35, 2252-1602/1492
Fax: 91-33-2252-7993/1026
E-mail: [email protected]
Website: www.icwai.org
Preface
The process of Risk Management was formally introduced by SEBI for all listed companies by
revising Clause 49 of the listing agreements with the stock exchanges. As a result, with effect
from December 31, 2005, it became necessary for every listed company to meet the following
requirement: "The company shall lay down procedures to inform Board members about the risk
assessment and minimization procedures. These procedures shall be periodically reviewed to
ensure that executive management controls risk through means of a properly defined
framework."
While management of business invariably necessitates management of risks, formal processes
were absent and silo-based activities were the norm. The SEBI intervention requires a
comprehensive approach which has been delineated in this Guidance Note. A detailed overview
has been provided to members to enable appreciation of the nuances involved and a structured
approach to the risk management process has been suggested. We hope our members emerge as
important resources in the risk management processes of their organization.
I have the pleasure of introducing the title "Risk Management". This publication shall act as a
ready reference to assess the risk involved. I express my sincere thanks to Sri Prodipto Banerjea, a
fellow member of our Institute, a pioneer in this field of Risk Management, who has authored the
Guidance Note. I would like to thank my fellow members on the Professional Development
Committee for their enthusiastic participation in the preparation of this Note. I appreciate the
timely efforts put in by the officials of the Secretariat in arranging for the release of the material.
I hope that this publication will be a very useful reference to all the concerned.
With Best wishes,
Kunal Banerjee
Chairman,
Professional Development Committee
18th day of July, 2011
GUIDANCE NOTE
ON
RISK MANAGEMENT
INDEX

Ch. No.   Title                                     Page Nos.
I         Introduction                              1
II        Understanding Risk                        2
III       The Management Process                    5
IV        Environmental Risks                       9
V         Strategic Risks                           11
VI        Operational Risks                         13
VII       Financial Risks                           19
VIII      Governance and Risk                       22
IX        Internal Controls                         24
X         Driving Stakeholder Value                 27
XI        Setting up the Risk Management System     29
Guidance Note on Risk Management
The Institute of Cost and Works Accountants of India Page 1
Chapter I
Introduction
In 1975, Peter Drucker had stated that "Economic activity is the commitment of existing
resources to future expectations. It is a commitment, therefore, to risk and uncertainty."
While this recognition of risk was generally accepted, the traditional view was that the
returns from the activity should compensate for the risk and the focus was almost
entirely on return maximization.
The floating of currencies in 1978 created the need for currency management. Within
the next decade, floating interest rates were introduced. In a short time, management of
exchange and interest rates became a specialized area heralding vast opportunities for
risk managers and creating a general awareness of this need. Various theoretical
structures were put forward and thanks to the ubiquitous use of computers, complex
calculations are now completed in moments and are used extensively for such risk
optimization. Developments in computational theory have helped in creating derivatives
and new instruments leading to a phenomenal growth in the financial services sector.
The last decades of the twentieth century also provided an excellent example of risk
mitigation, in the case of the Y2K problem. In the late seventies, early eighties people
started realizing that the use of two digits to denote the year for the date in computer
systems would cause failures in the year 2000, since a date stored as 01-01-00 would be
ambiguous: the computer could not distinguish 01-01-1900 from 01-01-2000. To resolve this
problem, extensive reprogramming work was required and software professionals around the
world were involved. To the credit of the software industry it must be accepted that when
D-Day finally arrived, there was no significant mishap.
It thus became evident that, with effective management, risk could be mitigated. Over
the last quarter of the twentieth century this awareness of the scope of risk mitigation
grew in leaps and bounds, and today in the twenty-first century, the management of risk
has become an integral part of business management.
Chapter II
Understanding Risk
I. Risk is the chance that expected objectives will not be achieved. It has been defined as "the effect of uncertainty on objectives" (ISO Guide 73:2009). There are
therefore two dimensions of risk, probability and impact.
The origin of the word is believed to be from the Italian risicare which means to
dare, implying a choice. A risk is a choice made, which would imply that if
successful there would be a gain or a reward. The link with reward is thus implied
in the word risk itself. Although traditionally, the word risk was associated with
adversity, current thinking has focused on the choice aspect, including both threats
and opportunities.
A quote from an ancient treatise provides an interesting perspective on Risk
Management:
"Sizing up opponents to determine victory, assessing dangers and distances is the
proper course of action for military generals."
Sun Tzu, The Art of War, Terrain
Since the world of business management has often been compared to wars, these
activities would seem appropriate for managers as well.
Uncertainty refers to the doubts that arise because of lack of knowledge or
changing conditions or even varying attitudes. Uncertainty governs our lives. From
the unknowns of living with terrorism or other law and order issues, or natural disasters,
down to routine problems of traffic, everything adds to the uncertainty in our lives,
compelling us to cope. As soon as any risk is recognized, it creates an uncertainty.
However, risk is not just the uncertainty alone, it includes the impact of the
uncertainty on the objectives.
Risk is an uncertainty that can be understood, measured, monitored, mitigated and
ultimately leveraged.
Some other terms that are often used in this context include peril and hazard.
A Peril is the cause of a loss. Fire, earthquakes, tornados and floods are all perils since
each of these causes losses.
A Hazard is a source of potential harm, a condition that may create or increase the
chance of a loss, such as:
i) Physical Hazards - These consist of physical attributes that increase the chances of losses, such as location, quality of building construction, nature of
electrical connections and the like.
ii) Moral Hazards - These comprise issues of integrity and include dishonesty, frauds and the like.
iii) Morale Hazards - These relate to relationships between employer and employee, or amongst employees.
II. Risks can be categorized into two groups, viz.,
1) Pure Risks - These are cases where there are chances of loss with no possibilities of gain. Typically these relate to losses from perils such as fire, earthquake, floods or losses from automobile accidents and the like. Pure risks can generally be classified as
a) Personal risks, comprising possibilities of loss of income or assets as a result of loss of earning ability. Instances include
i) premature death
ii) dependent old age
iii) chronic sickness or disability
iv) unemployment
b) Property risks, comprising direct and indirect losses arising out of ownership of property. While direct losses relate to losses arising directly from the destruction of the property, indirect losses refer to losses such as the additional costs an owner would incur living somewhere else when the property is destroyed. This is also referred to as consequential loss and is very important for businesses.
c) Liability Risks - These refer to losses incurred by others due to our actions. The losses could be injury to the persons, or damage to their assets, and may be unintentional, or due to negligence or carelessness.
d) Risks arising from the failure of others - These arise when others fail to meet their agreed obligations, say when a debtor fails to pay debts on due dates.
2) Speculative Risks - These refer to risks where there are possibilities of gains as well as losses. Most risks are in this category, though the classic case is that of gambling, where risk is deliberately created in the hope of gain. Similarly an entrepreneur makes his investment in the hope of gain. The risk he runs is expected to be met by his reward, or the profit expected from his venture. His management of risk becomes key to his business success.
III Attitudes to Risk
The existence of Risk is a reality. As a result it becomes necessary to deal with it.
This can be done basically in three ways:
a) Avoidance - In this case, the risk-free option is chosen, which could imply, for instance, in an investment situation, investing in government securities which yield lower returns, or in considering travel, a refusal to travel. However, this is a negative attitude, as progress for the individual and the economy necessitates an element of risk taking.
b) Transfer - In this case, the risk is transferred at a cost to an expert who manages it. The classic case is insurance, where an insurance company takes over a risk on receipt of a premium, the extent of cover being determined by the premium.
c) Retention - Here the risk remains and needs to be managed. Such management may involve
i) Sharing - a part of the risk may be transferred
ii) Reducing - this could be through loss prevention and control
The activity of Risk Management deals with the risks retained and will be discussed
in more details in the subsequent chapters.
Chapter III
The Management Process
The goal of every business is to meet target objectives. Since Risk is a key factor in
achieving the objectives, effective management of Risk is a critical goal for every
business.
Well-managed businesses have historically managed risks successfully, however that has
generally been on a silo-based approach. The production team would manage
technology, treasury would manage currency, legal teams would manage compliance. In
today's complex world it has been found that such a fractured approach often leads to
sub-optimal solutions, impairing the organization's overall returns. Consequently, an
integrated approach is recommended. Risk is an uncertainty that can be understood,
measured, monitored, mitigated and ultimately leveraged.
For every business, the risks involved need to be understood clearly. Specific risks need
to be identified and assessed. Mitigation methods need to be instituted and their
success in controlling the risks monitored. This information needs to be shared across
the organization, as relevant, ensuring a continuous process.
Risk Management Process
[Figure: a cycle of six steps - Understanding Risks, Identifying Risks, Assessing Risks, Mitigation Methods, Monitoring Control, Communicating Results - with the communicated results feeding back into understanding the risks]

1. Understanding the Risks - In order to understand the risks for any business it is necessary to know its purpose or mission, the objectives it has set for itself and the strategies it has chosen towards achieving those objectives.
The social, political, cultural, regulatory, and competitive environment creates risks
for businesses. The stakeholder profile creates pressures. All these diverse forces
need to be balanced. Similarly, the internal systems, processes and people create
demands. The roles and responsibilities across an organization and the
interactions between the various activities and their relationships are all
components of the risk profile.
2. Identifying the Risks - A comprehensive identification of specific risks is an essential requirement of the risk management process. Any event or activity that may have an impact on the achievement of the business objectives needs to be tracked. There are a number of ways in which risks can be identified. One method is to classify them as follows:
a. Environmental : Covering all external risks, outside the business itself
b. Strategic : These would include all risks linked to the business strategies, including competition, new entrants, markets, suppliers and substitutes
c. Operational : These are the day-to-day risks faced by the organization in its routine operations and include risks associated with its processes and systems, people, regulatory compliance and execution and delivery constraints
d. Financial : While these are also operational risks of a sort, they are classified separately because the nature of these risks is different and they need to be managed by specific subject experts.
3. Assessing the Risks - All identified risks need to be assessed since this assessment will ultimately determine the priority of management.
One simple qualitative method of such assessment would be to first classify the risks on the basis of frequency, viz.,
a. Frequent : Occurring very often or continuously
b. Likely : Occurs several times over the considered time period
c. Occasionally : Occurs sporadically during the considered time period
d. Seldom : Possible, but recurs rarely
e. Unlikely : As the term signifies, will probably not occur
This is then combined with the financial impact when the risk occurs:
- Catastrophic : critical financial loss in terms of severity and magnitude (could lead to bankruptcy)
- Critical : serious financial loss which would drastically reduce returns
- Marginal : refers to minor financial losses which, though affecting current returns, would have no lasting impact
- Negligible : these are minor and routine for any business
Combining the frequency of each risk with the financial impact, a severity chart of risks can be prepared where risks could be classified into four categories:
i) Extremely High Risk (E) - the enterprise could fail, with all the severe consequences
ii) High Risk (H) - the enterprise could be severely impacted and major targets may not be achieved
iii) Moderate Risk (M) - some objectives will not be met but overall the enterprise should function
iv) Low Risk (L) - should be manageable with all major objectives being met
Such a qualitative basis is useful where no data is available either on the probability of frequency or the financial impact. However, if such data is available, then a more quantitative analysis is possible. The risks can be plotted on a Risk Map as given below:
Risk Map (vertical axis: Value of Impact, Low to High; horizontal axis: Frequency of Occurrence, Low to High)

                    Low Likelihood                   High Likelihood
  High Impact       High Impact / Low Likelihood     High Impact / High Likelihood
  Low Impact        Low Impact / Low Likelihood      Low Impact / High Likelihood
The four quadrants clearly delineate the relative importance of each risk and
provide an immediate basis for action. The management of the organization can
take cognizance of the risks depending on their position on the map and the
resources available.
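The assessment step above combines a frequency class with a financial-impact class to arrive at an E/H/M/L rating, and moves to a quantitative Risk Map when probability and loss data exist. The following Python is an added worked example and is not part of the Guidance Note: it scores a small constructed risk register both ways and orders it for management attention. The frequency and impact classes and the four ratings are the Note's; the cell-by-cell severity chart, the Low/High cut-offs for the Risk Map, the sample register and every figure in it are assumptions made here for illustration.

```python
"""Risk register scoring after Chapter III, step 3 (Assessing the Risks).

Added example, not part of the Guidance Note. The frequency and impact
classes and the E/H/M/L ratings are the Note's; the cell-by-cell severity
chart, the Low/High cut-offs of the Risk Map and the sample register are
assumptions made here for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Scales from the Note, ordered low -> high.
FREQUENCY = ["Unlikely", "Seldom", "Occasionally", "Likely", "Frequent"]
IMPACT = ["Negligible", "Marginal", "Critical", "Catastrophic"]

# ASSUMPTION: the Note names the four ratings but does not print the chart
# itself. Rows = impact class, columns = frequency class (both low -> high).
# An organisation would tune this to its own risk appetite.
SEVERITY_CHART = {
    "Negligible":   ["L", "L", "L", "L", "M"],
    "Marginal":     ["L", "L", "M", "M", "H"],
    "Critical":     ["M", "M", "H", "H", "E"],
    "Catastrophic": ["H", "E", "E", "E", "E"],
}
RATING_ORDER = {"E": 4, "H": 3, "M": 2, "L": 1}


@dataclass
class Risk:
    name: str
    category: str                 # Environmental / Strategic / Operational / Financial
    frequency: str                # one of FREQUENCY
    impact: str                   # one of IMPACT
    annual_probability: Optional[float] = None   # quantitative data, if available
    loss_if_occurs: Optional[float] = None       # financial loss per occurrence


def qualitative_rating(risk: Risk) -> str:
    """Combine the frequency class with the impact class via the severity chart."""
    if risk.frequency not in FREQUENCY:
        raise ValueError(f"unknown frequency class: {risk.frequency!r}")
    if risk.impact not in IMPACT:
        raise ValueError(f"unknown impact class: {risk.impact!r}")
    return SEVERITY_CHART[risk.impact][FREQUENCY.index(risk.frequency)]


def expected_annual_loss(risk: Risk) -> Optional[float]:
    """Quantitative measure (probability x loss). None when data is missing,
    so such a risk is ranked on its qualitative rating alone."""
    if risk.annual_probability is None or risk.loss_if_occurs is None:
        return None
    if not 0.0 <= risk.annual_probability <= 1.0:
        raise ValueError("annual_probability must lie in [0, 1]")
    return risk.annual_probability * risk.loss_if_occurs


def risk_map_quadrant(risk: Risk, likelihood_cutoff: float = 0.10,
                      impact_cutoff: float = 1_000_000.0) -> Optional[str]:
    """Place a quantified risk in one of the four Risk Map quadrants.
    ASSUMPTION: the cut-offs separating Low from High are chosen here."""
    if risk.annual_probability is None or risk.loss_if_occurs is None:
        return None
    likelihood = "High" if risk.annual_probability >= likelihood_cutoff else "Low"
    impact = "High" if risk.loss_if_occurs >= impact_cutoff else "Low"
    return f"{impact} Impact / {likelihood} Likelihood"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Order for management attention: rating first, then expected annual loss.
    Within a rating, risks with no quantitative data sort after quantified ones."""
    def key(risk: Risk):
        eal = expected_annual_loss(risk)
        return (RATING_ORDER[qualitative_rating(risk)], eal is not None, eal or 0.0)
    return sorted(register, key=key, reverse=True)


# Constructed sample register; the figures are illustrative only.
SAMPLE_REGISTER = [
    Risk("Plant fire", "Operational", "Seldom", "Catastrophic", 0.02, 50_000_000.0),
    Risk("Key supplier default", "Strategic", "Likely", "Critical", 0.30, 4_000_000.0),
    Risk("Currency swing on imports", "Financial", "Frequent", "Marginal", 0.90, 300_000.0),
    Risk("Minor IT outage", "Operational", "Likely", "Negligible"),   # no quantitative data
    Risk("Regulatory change", "Environmental", "Unlikely", "Critical"),
]

if __name__ == "__main__":
    for risk in prioritise(SAMPLE_REGISTER):
        eal = expected_annual_loss(risk)
        eal_text = "n/a" if eal is None else f"{eal:,.0f}"
        print(f"{qualitative_rating(risk)}  {risk.name:<26} {risk.category:<14}"
              f" EAL={eal_text:>10}  {risk_map_quadrant(risk) or 'not plotted'}")
```

Running the module prints the register in priority order. A risk with no probability or loss figures keeps its qualitative rating and sorts after quantified risks of the same rating, so missing data never silently demotes a risk to Low; an unknown frequency or impact class is rejected rather than defaulting.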
4. Mitigation Methods - Once the risks have been identified and assessed, the mitigation methods need to be instituted. There are two approaches that can be used.
i) The integrated approach - When risk factors are common across units, or when units are highly interdependent, the tools and techniques developed for one unit may be equally effective when applied to the others. In such situations, a common risk language with shared tools and techniques can be used across the entire organization.
ii) The dispersed approach - Where risk factors vary across units, it becomes necessary to develop unique tools and techniques by functional or business unit, as the case may be.
In actual practice, a combination of both approaches may be the most effective. For instance, in a manufacturing company, the profiles of the factories may be similar, enabling the use of an integrated approach. However the marketing activity would have a different risk profile where the mitigation methods would be different.
All mitigation methods should include
i) proposed actions
ii) resource requirement
iii) responsibilities and timing
5. Monitoring - The success of any management process is dependent on the quality of monitoring and review.
It is essential that the organization monitor the mitigation activities and
i) review the performance of the mitigation methods
ii) review the effectiveness of the processes being used for arriving at the mitigation methods
6. Communication - Finally, it is imperative that the progress in the area of risk management get communicated effectively across different levels in the organization. It is necessary that at each relevant level it should be known that
i) the assessment process was appropriate
ii) the measures adopted resulted in the intended output
iii) where the performance was below expectations, the fresh assessment and new measures required have been instituted.
Chapter IV
Environmental Risks
These are the external influences on the business and constitute the environment within
which it operates. Normally this is an ever-changing scenario which provides
opportunities as well as constraints within which the business has to function.
Some major components are
i) Economic Risk - This is the impact of the general economy on the business. Usually, the most critical impact is that of inflation, since that affects the purchasing power of customers. However, in case of a recession there may be a drop in aggregate demand, which can also have a very adverse impact. An understanding of the taxation regime is always useful, and for some businesses specific policies of the Government may be relevant, for instance where they are affected by subsidies or grants.
ii) Environmental / Ecological Risk - Occasionally the Environmental Risk is taken to mean the Ecological Risk only. While this is a narrow perspective, it does not in any way reduce the criticality of the Ecological Risk for any business. Every business needs to understand the impact of its activities, products and services on its environment. Specific importance needs to be given to energy usage, waste, effluents, emissions, and noise pollution if any, including the problems of accidental spills. Prevention of pollution, minimization of global warming and environmental sustainability are important ecological targets for all businesses. When considering ecological risks, it is advisable for businesses to consider the impact of natural catastrophes such as earthquakes and floods on their installations and business cycles.
iii) Shareholder Expectations Risk - Any business listed on a stock exchange needs to take cognizance of this risk. While these expectations exert stress on the business, demanding constantly high levels of performance, the rewards for meeting or bettering the expectations are generally handsome. This is a good example of a risk which can lead to gain, if mitigated successfully.
iv) Political Risk - These are the risks arising from the power exercised by the government or sometimes even some non-governmental bodies. Political Risk may
also arise due to governmental inaction, say failure to enforce the law. An extreme
example of political risk is when there is a sudden change of government in a
country, with the new government refusing to honour the agreements entered
into by its predecessor. Comparatively less severe, though serious risks in this area
would include risks of sudden changes in governmental policies, taxation laws, or
even just bureaucratic incompetence or corruption.
v) Legal Risk - Every business involves a range of activities, as a result of which there is a large exposure to legal liabilities. These liabilities arise because of breach of obligations and may be
a) criminal - if in violation of criminal law; prosecution is initiated by the State and if found guilty, punishment is prescribed
b) civil - if in breach of contract or if any harm or loss has been caused to any person. Such cases are determined under civil law and if the person initiating the action is successful, compensation is normally prescribed
c) tort - if there has been a breach of duty or negligence resulting in a loss to third parties. Such cases are also decided under civil law and if successful, compensation is awarded to the aggrieved parties
vi) Social Risk - These are the risks businesses face of challenges to their business practices by their stakeholders. These can also be classified as society's impact on business. A typical example is the popular movement that often arises in many developed countries against the use of clothes manufactured in third-world sweatshops. Another case is the move to ban carpets produced in countries where child labour is endemic, or the move to ban the use of paper or board produced through unsustainable forestry practices. Thanks to the variety and forms of media prevalent around the world, the notice and broadcast of a perceived social risk happens very quickly, creating threats to the reputations of brands and corporates. Consequently it is very necessary for every business to
a) identify the empowered stakeholders and their key issues
b) work with the stakeholders in determining the appropriate level of engagement to address their concerns
c) share the necessary information, establishing improved accountability.
Chapter V
Strategic Risks
Strategy is the path a business follows to achieve a goal or an objective. When
formulating strategy, alternatives are analysed. At this stage, the risks for each strategy
may be identified, assessed and a risk map prepared. This enables the selection of
strategies in line with the risk appetite of the business. Major topics in Strategic Risks
include
1) Market Risks - These reflect the level of uncertainty in the markets the business deals in. The markets considered here are not financial markets, as those are discussed under financial risk. Market risk has to do with market structure, the strategies adopted for market growth and price behaviour. The social / political / cultural / economic forces impacting the industry, the legal and regulatory pressures and the demographic profile of the customers are all critical components of market risk.
2) Competition Risk - In any industry, competition works to drive down the rate of return on invested capital. It is therefore very necessary to actively monitor this risk and develop effective mitigation methods. There must be a clear understanding of the number of competitors and their business profiles, as these are intrinsically linked to the business's profitability. To any existing firm, new entrants are threats, as are substitute products, since these tend to impact the industry economics. Similarly, if suppliers are too powerful, input costs are difficult to control. On the other hand, if buyers are too powerful, output pricing gets restricted. Balancing between these opposing forces requires a careful study of competition, identifying and assessing all risks from this sector.
3) Business Model Risk - The business model of the enterprise needs to be understood in the context of its industry and competition. A dispersed manufacturing strategy could create risks of quality, uniformity and standardization. On the other hand, a single manufacturing facility would create distribution and reach risks. A direct marketing model may result in ease of customer contact, but fragmented distribution may inflate delivery costs. Similarly, in service businesses, centralization may result in greater control, but the risk would be higher turnaround times resulting in delays for customers. The strengths and weaknesses of each model need to be evaluated and the corresponding risks mitigated.
4) Technology - Technology is a critical business requirement in today's world. However, the impact of technology has to be clearly understood in the context of the quality and volume, demand and price of the product or service, as the case may be. While technology in services is as important as in the manufacturing sector, its appropriateness is also essential. This area needs to be managed by
ensuring that investments are optimized to secure the business objectives.
Competition needs to be monitored to avoid being outmaneuvered by cutting
edge technological advancements and new developments need to be adopted
judiciously. While information security has to be assured, the right information
must reach the right persons at the right time. The three primary technology
types viz., information, communication and control technologies present
significant opportunities which need to be appropriately exploited.
5) Investment Evaluation - One critical strategic risk for all businesses is the adequate appraisal of the investments made. The purpose of all investment is gain, which is normally assessed in some financial terms. However, the impact of an investment is not just financial and consequently a simple financial analysis cannot be an adequate appraisal. While the financial aspect of any investment remains critical, the purpose often includes a variety of factors, viz.,
a) Market expansion - Projected growth in product volumes may need to be met through creation of additional capacity
b) New Markets - Existing products may be extended to new markets through new investments, or new products may be introduced in existing markets creating a new demand (and hence a new market) for the business, or both the product and the market may be new.
c) Command of Resources - In a case where there are limitations on the availability of a particular input, an investment towards that input may help in controlling the market for the end product
d) Upgradation - Where new technologies have surfaced, investments may be required to upgrade the existing products.
In all these cases, although the financial parameters may be met, a comprehensive evaluation of the investment must include the other factors, since achievement of the financial targets may be possible only when the other targets are met.
The context of an investment decision needs to be understood for a correct evaluation.
While financial returns remain a key target, these are dependent on a number of
organizational factors, each of which has to be successfully engaged for the investment
to be effective. Consequently a range of factors need to be identified and monitored for
successful mitigation of an investment risk.
Chapter VI
Operational Risks
Operational Risk is the risk associated with business operations. Running a business
requires the employment of people, working through certain processes and systems
towards the pursuit of specific objectives. Consequently Risks associated with these
areas are Operational Risks.
1) People - The people in a business comprise both the supervisors and the supervised, and the processes and systems need to cover both those managing and those being managed. This is consequently a complex area requiring careful attention. "People are our greatest asset" is a statement regularly heard from businesses today, but the manifestation of this belief in routine business operations needs to remain a key focus area. To quote Peter Drucker: "in fact, organizations have to market membership as much as they market products and services and perhaps more. They have to attract people, hold people, recognize and reward people, motivate people, and serve and satisfy people." The major aspects are
a) Human Resource Management practices, viz.,
i) recruitment
ii) training and development
iii) job roles
iv) working conditions
v) performance evaluation
vi) industrial relations
Recruitment - The recruitment process is the first contact a future employee has with a business. A favourable first impression is always a good basis for a lasting relationship. A clear job description and a fair selection process implemented by a personable, enthusiastic and competent recruiter mitigate the risks in this process.
Training & Development - Having recruited the right persons, it becomes necessary for the organization to ensure proper fitment. A comprehensive induction programme ensures that the new entrants get integrated into the working environment and become productive quickly, with an understanding of the organisation's and the specific business unit's goals, policies and procedures. Appropriate continued professional development processes for employees ensure that the people in the organization remain contemporary.
Job roles - After employing good people, the organisation needs to
ensure that they are provided the opportunity to exhibit their talents.
Assigning the right job to the right person is often a complex task.
Proper job descriptions with a clear job structure are a necessary
criterion for appropriate staffing and an important mitigation method
to manage the people risk.
Working conditions - The physical environment at work as well as the
contractual conditions together combine to constitute the working
conditions. The standards change with time, but an unacceptable
environment creates a psychological pressure which is likely to hamper
performance. For instance, an air-conditioned workplace was
considered a luxury in India a few decades ago, but is taken for granted
today. At one time employers would ban trade unions at will, a
completely unacceptable state of affairs today. Similarly, health and
safety conditions of employees have become important nowadays and
need to be taken into consideration.
Performance Evaluation - Appreciation is a critical human need and
every person needs to feel appropriately appreciated for his
contribution. A proper performance evaluation process is therefore a
critical requirement for managing the people in a business. The process
must be seen to be fair and comprehensive and needs to be
implemented effectively.
Industrial Relations - All organizations with organized labour need to
have processes in place to mitigate issues in industrial relations. In
addition to compliance requirements these require negotiation skills to
ensure harmonized business operations.
b) Compensation - While remuneration is certainly a key factor for every
employee, the total compensation may often be structured across a
variety of elements. Many organizations have reduced this area to a
flat "cost to Company" basis, leaving the option of the components to
the individuals, while others have structured compensation packages
incorporating factors such as location, age and other parameters. No
standard solution is available to be implemented across all businesses
and each organization needs to determine the options appropriate to
itself.
c) Integrity - This is an area often taken for granted, with organizations
assuming that employees will be honest. However, such assumptions
are fallacious and fraud or deceptions, theft or even concealments have
been found to be increasing. It is imperative that every organization be
alert to these problems and institute processes to check these issues.
2) Process and Systems - These are the activities that comprise a business's operating
cycle, end to end. Any failure in a process or a system is a risk, as it creates an
exposure which could lead to a loss. Some major areas are
i) Transaction Processing - Every business comprises a series of transactions,
and the ability to process innumerable transactions effectively is often the
best measure of its efficiency. Consequently, the main operational risk of the
business is the transaction risk, which can arise from the
a) Production process - Variability in output, whether in terms of quality or
volume, is a problem in the production process of any product or
service. The minimization of such variability is a constant endeavour for
most businesses.
b) Documentation process - Every transaction needs to be documented,
and any error in documentation could be a source of loss.
Consequently, while variability in the production process needs to be
controlled to keep customers happy, documentation variability needs to
be controlled in the interest of the business itself.
c) Product Variation risk - Where a business unit has more than one
production or service unit, it faces a further risk. While the output at
any one unit may be uniform, the output of another unit may be
different, though labeled the same. This variability between outputs of
different units needs to be removed through the adoption of
appropriate mitigation methods.
ii) Knowledge Management - The knowledge an organization possesses is often
key to the success of the enterprise, being its major source of competitive
advantage. However, this knowledge is often restricted to a few key persons
with no structured process for its dissemination and updating. This can
become a major drawback in case, for any reason, those individuals become
unavailable. Further, if the knowledge is unique and can be registered as
intellectual property, it is imperative that such registration be completed as
soon as possible, failing which registration by another party may limit its use
or even render it unusable.
iii) Information Technology (IT) - As information technology becomes more and
more necessary to operate businesses, the risk from IT failure becomes an
increasing concern. The areas to be considered include -
a) Business Alignment - The IT in use should be aligned with the business
processes, ensuring smooth operations. A typical problem occurs when
the physical process in use is not in line with the IT process, requiring
additional effort for alignment.
b) Data Security - Globally, the security of electronic data is recognized as
a risk, and hacking, or illegal or unauthorised access, has been identified
as a major threat world-wide. Independent security processes need to
be installed and kept updated in all IT systems to ensure that the
organization's data is safe.
c) System Capacity and Availability - The growth of a business is not
necessarily uniform, with sudden spurts followed by comparatively
leaner periods. Lack of foresight may lead to installation of systems
with inadequate capacities, which are unable to handle growth,
resulting in serious limitations to the business. On the other hand,
overcapacity may result in a high cost base which cannot be serviced
adequately at the returns being generated.
d) Disaster Recovery - All IT Systems need to be geared for disaster
recovery risk. This refers to the probability that data may suddenly get
corrupted or there may be an unexpected systems failure. Traditionally
back-up procedures have been used to mitigate this risk, but with
greater sophistication of the IT Systems themselves, these processes have
also been improved.
e) Business Continuity - While disruptions in the internal IT processes of a
business are covered through Disaster Recovery processes, these do not
take into account the impact of disruptive events on the business itself.
Such disruptions could be from natural perils or man-made problems
such as terrorism or even strikes. Contingency plans need to be in place
for activation in case of business disruption to maintain resilience and
safeguard stakeholder interests.
iv) Supply Chain - In a manufacturing system, the process of sourcing raw
material, its conversion to finished product and delivering to the ultimate
customer is called the supply chain process. Any uncertainty at any step of
this process leads to a supply chain risk impacting the ultimate business
objective of delivery to the customer. Consequently, these risks need to be
identified, assessed and mitigated.
v) Compliance - All businesses need to follow laws and regulations, which cover
all aspects of an enterprise. This is an area of pure risk, since the
mitigation only ensures that there is no downside, i.e. no penalty. However,
even though no benefit can accrue to the business, it is absolutely necessary
for its successful existence to ensure that all its operations comply fully with
the laws and regulations in place. One simple method is to have a
Compliance Register or a checklist containing all the legal and regulatory
issues that need to be complied with. A regular set of checks against this
register can ensure that this risk is being mitigated on an ongoing basis.
vi) Project - Any activity using specific resources towards a set goal is a project.
Two specific characteristics of a project are a set schedule or time period
within which it has to be completed and an estimated budget, which limits
the funds to be deployed. Often organizations run many projects
simultaneously, some of which are interdependent on each other. Project
Risk Management is a vast area and, depending on the nature of the project,
say engineering, or construction, or software, specific guidance is available.
However, generally for all projects successful completion is facilitated with
a) Early identification of all risks present in the project
b) Clear communication of the risks to the project manager and all
relevant persons involved.
c) Awareness of both the threats and the opportunities. While negative
risks need to be minimized, the positive risks are equally important as
they provide the scope to offset the adversities.
d) Clear delineation of risk ownership. The responsibility and
accountability for each risk needs to be clear.
e) Prioritisation of the risks. This is extremely important as the
management of the risks needs to be linked to the prioritization.
f) Analysis of the Risks. It is necessary to understand the nature of each
risk to generate a good response. This must cover the impact as well as
the different causes and the circumstances that increase or decrease
their likelihood.
g) The Planning and Implementation of Risk Responses. Implementing a
response to a risk adds value to a project. This could be either through
the minimization of a threat or the maximization of an opportunity.
h) Maintenance of a Risk Log. This is an excellent control since it enables
communication between the team members and stakeholders and also
provides a track record of progress. The log should list all the risks with
descriptions and the owners, with a record of the mitigation process.
i) Tracking Risks. A one-time assessment of risks and responses is not an
effective mitigation system. It is necessary to track risks regularly
during the continuation of the project.
j) Tracking associated tasks. The process of risk mitigation would require
carrying out various associated tasks. It is necessary to monitor the
progress of these tasks as their successful completion is integral to the
success of the project.
vii) Other Risks - The list of operational risks enumerated is illustrative and not
comprehensive. Two further risks relevant in the twenty-first century also
merit special mention, viz.,
a) Change management - Rapid changes in the environment have made it
necessary for every business to handle change management effectively.
The changes could be in the legal framework or disruptive technologies
or natural disasters or even just customer perceptions. Businesses need
to be able to respond at short notice.
b) Outsourcing - In order to be competitive, it has become increasingly
necessary for businesses to re-evaluate their competencies in executing
components of their respective supply chains. Wherever such
efficiencies are higher externally, these need to be tapped. However,
this process of outsourcing creates new risks of third-party
management, which need to be cognized and mitigation methods
instituted.
the transaction nor the date of settlement. While the translation risk will
not affect the cash flows of the business, it can seriously impact its
profitability.
c) Economic Exposure Risk - This arises due to structural changes in the
economies of the countries involved. For instance, if one country has had
a devaluation, there may be a drastic change in values resulting in an
impact on the business model itself. Another problem could arise if a
competitor from another country experiences a devaluation in its
currency, giving it a major advantage in pricing.
3. Credit Risk - This is the risk that the counter-party to a transaction may not meet
its obligations. In the case of a bank this would mean default by a borrower,
while in a manufacturing business it would be a refusal or inability of a customer
to pay its debts on the due dates. Traditionally, each business was required to
complete its own diligence analysis of customers before dealing with them.
However, nowadays credit rating agencies have come into being, providing
specific ratings of the capabilities of each business to pay its debts.
4. Interest Rate Risk - Businesses borrow funds from the banks or the financial
markets, which are intermediaries obtaining the funds from investors. The cost
of the funds to the borrower is a mark-up on the returns paid to the investor.
Consequently, if such returns vary, the cost of funds or the interest rates for the
borrowings would vary. It is therefore necessary for each business to ensure that
the mix of funds borrowed is appropriate for its own returns profile, ensuring that
this risk is within manageable proportions.
There are three issues that need to be considered in the context of Financial Risks,
viz.:
a) Commodity Risk - The price behaviour of commodities is similar to that of
currencies. Consequently, the mode of risk management of commodities
is similar to the way in which currencies are managed. Quantity or size of
exposure, current price and price volatility are the parameters to be
mapped.
b) Common Denominators - The three basic factors of financial risks are
price, volatility and liquidity. Most markets provide a current price and
one into the future. The relationship is linear, as the change in value is
equal to the product of the change in price and the number of units held.
Volatility is a measure of the changes in price of an item over a given
period of time. Accurate predictions of volatility are required to
determine the degree of risk at a given price level. Liquidity is a measure
of market inefficiency, as it provides a constraint on the size of
transactions. It is a typical feature of each market segment. Theoretical
calculations in measurement of risk usually assume
i. A normal distribution
ii. That the past behaviour of data may be used to predict the future
iii. That estimates taken on day-end positions are adequate and intra-day
variations do not need to be considered.
iv. That no exceptional circumstances will occur.
c) Derivatives - These are financial products derived from some other
financial instruments. For instance, an interest rate future is derived from
a bond or treasury bill or deposit, while a currency future is derived from
the spot market in that currency. Derivatives are used for the
redistribution of risk, and customers fall primarily into two categories, viz.,
one group which is guarding against a risk they need to mitigate in the
normal course of business and another seeking a large reward for taking
on a high risk. Some common derivatives are
i. Futures - An agreement to give or take delivery of a specific
quantity of a currency or a commodity of a particular grade at a
definite location on a future date is called a future. The contracts
are standardized to ensure adequate liquidity. While currency
futures contracts are standardized as to quantity, commodity futures
are standardized with respect to quantity, grade, delivery month
and place of delivery.
ii. Options - This is a contract in which the buyer has the right but not
the obligation to purchase or sell an underlying asset at a specified
price (strike price). In return, the option seller (writer) receives a
fee referred to as the option premium. Options are available for
interest-rate exposures as well as currency exposures.
iii. Swaps - A swap is when an exposure in one currency is converted
into an exposure in another currency, or when a loan with a fixed
rate of interest is converted into one with a floating rate of interest.
A large variety of derivative instruments are available; however, it is very
necessary to understand each instrument, as often the downside risks
may be extremely high. The rules of accounting have also become
stricter, as a result of which any mistakes in this area are likely to surface
immediately. Consequently, although derivatives are excellent risk
mitigation tools, their adoption needs complete understanding of all
aspects.
Consequently, these three aspects i.e. Governance, Risk and Compliance (GRC) are
increasingly recognized as a new and integrated approach to management and GRC has
become accepted as a standard business term.
A proper GRC system combines people, processes and technology and enables an
organization to
i) Understand, appreciate and prioritize stakeholder expectations
ii) Co-ordinate between risks and values to set realistic business objectives
iii) Optimise its risk profile to protect value while achieving objectives
iv) Ensure that its operations fall within legal, contractual, social and ethical
boundaries
v) Enable comprehensive measurement of its effectiveness and performance.
vi) Disclose reliable, relevant and timely information to all its stakeholders.
Chapter IX
Internal Controls
Internal Controls are processes within an organization designed to provide assurance
regarding
i) Efficiency and effectiveness of the operations
ii) Reliability of financial reporting
iii) Compliance with applicable laws and regulations
The Internal Controls Process comprises five components, viz.
i) Control Environment - This is the atmosphere within the organization in which
people conduct their activities. Integrity, competence and ethical values are the
hallmarks of an effective control environment.
ii) Risk Assessment - Every organization works towards achieving certain objectives.
Risk assessment is the identification and analysis of risks relevant to that
achievement and the determination of the basis for their management. The
organizational goals include
a) Operations Objectives - These comprise the mission of the organization, i.e.
the reasons for its existence, including enhancement of the efficacy of its
operations
b) Financial Reporting Objectives - These relate to the preparation of reliable
financial reports
c) Compliance Objectives - These relate to adherence to the laws and regulations
applicable to the organization
iii) Control Activities - These are the specific policies and procedures in use within the
organization towards achieving its objectives. The principal control activities are -
a) Segregation of Duties - This requires that different persons be assigned
responsibilities for different elements of related activities, especially
sanctions, custody and record keeping, thus creating a system of checks and
balances
b) Authorisations - This ensures that every activity is carried out by responsible
persons entrusted for that purpose.
- Access Security, Data & Program Security
- Software Development & Program Changes
- Data Centre Operations
- Disaster Recovery
These controls are designed to maintain the integrity and availability
of the information processing systems and networks. The controls
focus on ensuring that correct data files are processed according to
established protocols and relevant diagnostics monitored.
ii) Application Controls - These include programmed procedures within
application software.
Input controls ensure the complete and accurate recording of
authorized transactions by only authorized users, ensuring
identification of rejected and suspended items. These may be
resubmitted after due validation, with various checks ensuring
matching and completeness. Complete and accurate processing is
ensured through processing controls, while output controls
generate the audit trail, simultaneously reporting the results to
authorized persons for review. Extensive end-user computing has
necessitated focus on application controls.
Chapter X
Driving Stakeholder Value
The management of risk has been established as a critical component in the operations
of every organization. However, the risk-maturity level can vary across a wide spectrum,
ranging from merely complying with regulations, the minimum level of a GRC initiative
as explained in Ch VIII, to a proactive function seeking to enhance the value of the
enterprise.
Value can be measured in a number of ways, not necessarily through financial measures
alone, though economic profit is the parameter generally used. When the benefits
derived from the use of resources are greater than the resources used, sustainable value
creation takes place. Effective management of risk enables protection of value and
creates sustainable value for the enterprise.
A framework for a value creating risk management strategy would include
Step 1 - When setting objectives, performance goals and risks need to be optimized.
Strategic alternatives need to be evaluated to determine whether the potential returns
are commensurate with the associated risks. Therefore, at the planning stage itself, the
risk impact is incorporated into the objectives.
Step 2 - Once risk has been included in the objectives, the metrics and parameters for
measurement need to be determined. These help the business to decide the current
level of risk and the acceptable extent.
Step 3 - Then, after the overall level has been decided, the granular targets for each risk
are agreed, as well as the key performance indicators.
Step 4 - All risks are analysed to identify the gaps between the existing state of affairs
and the desired targets. These may arise in methodology, frameworks, tools, people or
just levels of performance.
Step 5 - Finally, the implementation programme is made, integrating the strategy into
the daily operations and resulting in the creation of a road map. The milestones are
identified and strategy execution can commence. In this context it is relevant to refer to
Michael Porter's description of Risk in his book Competitive Strategy, where he states
that "Risk is a function of how poorly a strategy will perform if the wrong scenario
occurs."
Since the framework focuses on creation of value, the basic building blocks are the value
drivers i.e. the measures that create sustainable value. For most commercial
organization there are four basic value drivers.
i) Growing Revenue - While this is the first level driver, it immediately gives rise to
two options, viz., expansion of the scope of the existing business and the creation
of future options. When analyzing expansion in the scope of the existing business,
the operations could grow geographically, or through new products. Creation of
future options would require innovation and flexibility.
ii) Control of Costs - This may be achieved through operational efficiency or
organizational effectiveness. Operational efficiency could be achieved through
improved efficiency in existing processes, resulting in the lowering of costs of each
process. Organisational effectiveness could be enhanced through improved value
propositions or superior execution of strategy.
iii) Allocation of Capital - This requires determination of the preferred sources of
funds, which need to match the expected deployment. The management of
Human Capital and Intangibles also needs to be considered.
iv) External Events - The impact of the external environment, including economic,
political, social, cultural, technological, legal and regulatory issues, needs to be
analysed and the performance and growth objectives determined accordingly.
Once these value drivers have been identified in detail, the objectives for each value
driver and the concomitant risks are arrived at. For instance geographic expansion may
require knowledge of new regulations, new tax exposures and the like. On the other
hand new products may mean a new customer base and a new competitor profile.
The risks associated with each action plan are linked automatically, in this process to the
performance and growth goals, ensuring continuous focus on value creation.
Chapter XI
Setting up the Risk Management System
A Risk Management Workshop is an effective means of introducing, developing and
promoting the risk management process in an enterprise and setting up the systems.
Such a workshop often starts with a brainstorming session where participants are
encouraged to discuss the various business risks that they perceive. Identified risks need
to be recorded in a Risk Register. There needs to be an understanding of the level of
exposure that the enterprise must manage in order to achieve its objectives. Single
point estimates are generally of little use as the range of the upside and the downside
must be known. The degree of uncertainty at each level of exposure within the agreed
time frame needs to be identified. Where a business plan is being prepared, the
complete environmental scan and the analysis of internal capabilities need to be
completed and the risks listed. It is important to re-iterate the points that
- risks are a fact of life;
- today's environment requires quick identification of risks with immediate responses.
Often when some activities get structured and defined, due to lack of clarity others are
left out, leaving the enterprise vulnerable to unexpected and often unpleasant surprises.
It is therefore necessary for each risk to have an identified owner, responsible for its
mitigation. The risk owner can report the progress in risk management and this
information can then be collated and communicated to the relevant levels, so that the
impact on the organisations performance is understood and remedial action initiated, if
and when necessary.
An important perspective states that all management is essentially risk management.
Sometimes it is useful for known risks to be revisited and re-examined to confirm
relevance. The top risks need to be prioritized and the impacts assessed. Risk maps or
priority lists need to be prepared taking into account significance and impact of each risk
to the organization. Once the risks have been assessed, the mitigation strategies need to
be implemented.
A simple management capability chart at this stage may be prepared for a useful
monitoring role in the future:-
Level   Assessment          Maturity
1       Very capable        Fully versed with the risk. Significant focus is spent to
                            understand and manage.
2       Capable             Risk is being managed appropriately
3       Somewhat capable    Some resources are in place but further reduction/
                            mitigation possible
4       Low Capability      Few mitigation processes in place
5       No Capability       No processes in place. Management, if any, would be
                            entirely reactive
Once the maturity levels are clear, a gap analysis may be completed for the key business
risks. Based on this gap analysis, the mitigation strategy may be finalised. At the end of
the workshop, the complete list of priority risks and the agreed mitigation strategies is
available enabling immediate implementation. Performance in this area may be
evaluated against the agreed milestones.
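As an added illustration (not part of the Guidance Note), the Risk Register, the capability chart and the gap analysis described above can be kept as a small data structure that enforces an identified owner per risk, orders the priority list by significance and impact, and reports the capability gap against the agreed target; the risks, owners, scores and target levels below are constructed.

```python
"""Risk register with the note's five-level capability chart and a gap analysis.

Added illustration; the risks, owners, scores and target levels are constructed.
"""
from dataclasses import dataclass

# Capability levels from the management capability chart
# (1 = very capable ... 5 = no capability).
CAPABILITY = {
    1: "Very capable",
    2: "Capable",
    3: "Somewhat capable",
    4: "Low capability",
    5: "No capability",
}


@dataclass
class Risk:
    name: str
    owner: str            # each risk must have an identified owner
    significance: int     # 1 (low) .. 5 (high): relevance to the objectives
    impact: int           # 1 (low) .. 5 (high): size of the loss if it occurs
    capability: int       # current level on the CAPABILITY scale
    target: int           # level agreed at the workshop (lower is better)
    mitigation: str = ""  # agreed mitigation strategy, if any

    def __post_init__(self) -> None:
        for attr in ("significance", "impact", "capability", "target"):
            value = getattr(self, attr)
            if value not in CAPABILITY:  # both scales run 1..5
                raise ValueError(f"{self.name}: {attr}={value} outside 1..5")
        if not self.owner.strip():
            raise ValueError(f"{self.name}: no identified risk owner")

    def priority(self) -> int:
        """Risk-map score: significance x impact, used for the priority list."""
        return self.significance * self.impact

    def gap(self) -> int:
        """Capability levels still to be built; 0 once the target is reached."""
        return max(0, self.capability - self.target)


class RiskRegister:
    def __init__(self) -> None:
        self._risks: list[Risk] = []

    def record(self, risk: Risk) -> None:
        if any(r.name == risk.name for r in self._risks):
            raise ValueError(f"duplicate risk entry: {risk.name}")
        self._risks.append(risk)

    def priority_list(self) -> list[Risk]:
        """Top risks first: by priority score, then by the size of the gap."""
        return sorted(self._risks, key=lambda r: (-r.priority(), -r.gap(), r.name))

    def gap_analysis(self) -> list[tuple[str, str, int, int]]:
        """(name, current maturity, target level, gap) for risks below target."""
        return [(r.name, CAPABILITY[r.capability], r.target, r.gap())
                for r in self.priority_list() if r.gap() > 0]

    def missing_mitigations(self) -> list[str]:
        """Risks with an open gap but no agreed mitigation strategy yet."""
        return [r.name for r in self.priority_list()
                if r.gap() > 0 and not r.mitigation]


def build_sample_register() -> RiskRegister:
    """Constructed workshop output for a small company (illustrative only)."""
    reg = RiskRegister()
    reg.record(Risk("Unauthorised access to customer data", "CIO", 5, 5, 4, 2))
    reg.record(Risk("Backup restore never tested", "IT Operations Head", 4, 5, 3, 1,
                    "Quarterly restore drill with sign-off"))
    reg.record(Risk("Pricing knowledge held by one analyst", "Head of Trading",
                    4, 4, 5, 3, "Document the model; train a second analyst"))
    reg.record(Risk("Compliance register not reviewed", "Company Secretary",
                    3, 4, 2, 2))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for name, current, target, gap in register.gap_analysis():
        print(f"{name}: {current} -> target level {target} (gap {gap})")
    print("Mitigation still to be agreed:", register.missing_mitigations())
```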
While a detailed workshop may not be necessary every year, revisiting the basic process
with every business plan becomes an effective control system for managing risks.
A clearly enunciated Risk Management Policy, a comprehensive Risk Register recording
the identified risks with ownership and regular monitoring and reporting of the progress
in mitigation ensures smooth performance and growth for every organization.