guide note

Upload: swamy-nunna

Post on 06-Apr-2018


  • 8/3/2019 Guide Note

    1/34

    GUIDANCE NOTE

    ON

    RISK MANAGEMENT


    B.M. SHARMA, PRESIDENT
    THE INSTITUTE OF COST AND WORKS ACCOUNTANTS OF INDIA (Established by an Act of Parliament)
    12, Sudder Street, Kolkata-700016
    Phones: 91-33-2252-1021/34/35.2252-1602/1492
    Fax: 91-33-2252-7993/1026
    E-mail: [email protected]
    Website: www.icwai.org

    Foreword

    Across the world, Risk Management has increasingly become integral to the management of

    businesses. In our country, while awareness of the need for proactive risk management is

    growing steadily, actual progress has been limited. However our country is moving rapidly up a

    growth curve in an increasingly borderless and turbulent world. While competitive forces

    compel focus on better, faster, lower cost, steering a business in this exciting scenario

    requires a thorough understanding of risks and their mitigation.

    Members of our Institute have always played an active role in assisting managements to meet the expectations of their stakeholders. The prime demand from stakeholders is improvement in returns with minimum volatility. Effective management of risk is a prerequisite to meet this need. This Guidance Note provides a comprehensive overview of the subject and will enable our members to play a complementary role in enabling organizations to meet their stakeholders' expectations.

    It is heartening to note that the Professional Development Committee of our Institute has brought out this Guidance Note as our Institute's continued contribution towards enabling our Members to enrich their organizations and remain contemporary with world trends. I place on record my sincere appreciation to Shri Kunal Banerjee, Chairman of the Professional Development Committee and to all the members of the Committee for overseeing the preparation of this publication and to Shri Prodipto Banerjea, our member, who has authored it. I also thank the PD Directorate and Studies Directorate for their contribution in bringing out this publication timely. I hope the Regional Councils and Chapters will come forward to conduct programmes to enable all our members to develop the required competence in this area.

    With Best wishes,

    B.M.Sharma

    President

    18th July, 2011


    KUNAL BANERJEE, Chairman, Professional Development Committee
    THE INSTITUTE OF COST AND WORKS ACCOUNTANTS OF INDIA (Established by an Act of Parliament)
    12, Sudder Street, Kolkata-700016
    Phones: 91-33-2252-1021/34/35.2252-1602/1492
    Fax: 91-33-2252-7993/1026
    E-mail: [email protected]
    Website: www.icwai.org

    Preface

    The process of Risk Management was formally introduced by SEBI for all listed companies by revising Clause 49 of the listing agreements with the stock exchanges. As a result, with effect from December 31, 2005, it became necessary for every listed company to meet the following requirement - "The company shall lay down procedures to inform Board members about the risk assessment and minimization procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined framework."

    While management of business invariably necessitates management of risks, formal processes were absent and silo based activities were the norm. The SEBI intervention requires a comprehensive approach which has been delineated in this Guidance Note. A detailed overview has been provided to members to enable appreciation of the nuances involved and a structured approach to the risk management process has been suggested. We hope our members emerge as important resources in the risk management processes of their organization.

    I have the pleasure in introducing the title "Risk Management". This publication shall act as a ready reference to assess the risk involved. I express my sincere thanks to Sri Prodipto Banerjea, a fellow member of our Institute, a pioneer in this field of Risk Management, who has authored the Guidance Note. I would like to thank my fellow members on the Professional Development Committee for their enthusiastic participation in the preparation of this Note. I appreciate the timely efforts put in by the officials of the Secretariat in arranging for the release of the material.

    I hope that this publication will be a very useful reference to all the concerned.

    With Best wishes,

    Kunal Banerjee

    Chairman,

    Professional Development Committee

    18th day of July, 2011


    INDEX

    Ch. No. / Title

    I. Introduction
    II. Understanding Risk
    III. The Management Process
    IV. Environmental Risks
    V. Strategic Risks
    VI. Operational Risks
    VII. Financial Risks
    VIII. Governance and Risk
    IX. Internal Controls
    X. Driving Stakeholder Value
    XI. Setting up the Risk Management System


    Guidance Note on Risk Management

    The Institute of Cost and Works Accountants of India Page 1

    Chapter I

    Introduction

    In 1975, Peter Drucker had stated that "Economic activity is the commitment of existing resources to future expectations. It is a commitment, therefore, to risk and uncertainty." While this recognition of risk was generally accepted, the traditional view was that the returns from the activity should compensate for the risk and the focus was almost entirely on return maximization.

    The floating of currencies in 1978 created the need for currency management. Within

    the next decade, floating interest rates were introduced. In a short time, management of

    exchange and interest rates became a specialized area heralding vast opportunities for

    risk managers and creating a general awareness of this need. Various theoretical

    structures were put forward and thanks to the ubiquitous use of computers, complex

    calculations are now completed in moments and are used extensively for such risk

    optimization. Developments in computational theory have helped in creating derivatives

    and new instruments leading to a phenomenal growth in the financial services sector.

    The last decades of the twentieth century also provided an excellent example of risk

    mitigation, in the case of the Y2K problem. In the late seventies, early eighties people

    started realizing that the use of two digits to denote the year for the date in computer

    systems would result in a problem in the year 2000, as the date 01-01-00 would create a

    confusion in the computer, since it would not be possible for it to distinguish 01-01-1900

    from 01-01-2000. To resolve this problem, extensive reprogramming work was required

    and software professionals around the world were involved. To the credit of the

    software industry it must be accepted that when D-Day finally arrived, there was not a

    single mishap.

    It thus became evident that, with effective management, risk could be mitigated. Over

    the last quarter of the twentieth century this awareness of the scope of risk mitigation

    grew in leaps and bounds, and today in the twenty-first century, the management of risk

    has become an integral part of business management.


    Chapter II

    Understanding Risk

    I. Risk is the chance that expected objectives will not be achieved. It has been defined as the "effect of uncertainty on objectives" (ISO Guide 73: 2009). There are therefore two dimensions of risk, probability and impact.

    The origin of the word is believed to be from the Italian "risicare", which means "to dare", implying a choice. A risk is a choice made, which would imply that if successful there would be a gain or a reward. The link with reward is thus implied in the word "risk" itself. Although traditionally the word "risk" was associated with adversity, current thinking has focused on the choice aspect, including both threats and opportunities.

    A quote from an ancient treatise provides an interesting perspective on Risk

    Management.

    "Sizing up opponents to determine victory, assessing dangers and distances is the proper course of action for military generals."

    Sun Tzu, The Art of War, "Terrain"

    Since the world of business management has often been compared to wars, these

    activities would seem appropriate for managers as well.

    Uncertainty refers to the doubts that arise because of lack of knowledge or changing conditions or even varying attitudes. Uncertainty governs our lives. From the unknowns of living with terrorism, other law and order issues or natural disasters to the routine problems of traffic, everything adds to the uncertainty in our lives, compelling us to cope. As soon as any risk is recognized, it creates an uncertainty. However, risk is not just the uncertainty alone; it includes the impact of the uncertainty on the objectives.

    Risk is an uncertainty that can be understood, measured, monitored, mitigated and

    ultimately leveraged.

    Some other terms that are often used in this context include peril and hazard.

    A Peril is the cause of a loss. Fire, earthquakes, tornados and floods are all perils since each of these causes losses.

    A Hazard is a source of potential harm, a condition that may create or increase the chance of a loss, such as,

    i) Physical Hazards - These consist of physical attributes that increase the chances of losses such as location, quality of building construction, nature of electrical connections and the like.


    ii) Moral Hazards - These comprise issues of integrity and include dishonesty, frauds and the like.

    iii) Morale Hazards - These relate to relationships between employer-employee, or amongst employees

    II Risks can be categorized into two groups viz.,

    1) Pure Risks - These are cases where there are chances of loss with no possibilities of gain. Typically these relate to losses from perils such as fire, earthquake, floods or losses from automobile accidents and the like. Pure risks can generally be classified as

    a) Personal risks - comprising possibilities of loss of income or assets as a result of loss of earning ability. Instances include
    i) premature death
    ii) dependent old age
    iii) chronic sickness or disability
    iv) unemployment

    b) Property risks - comprising direct and indirect losses arising out of ownership of property. While direct losses relate to losses arising directly from the destruction of the property, indirect losses refer to losses such as the additional costs an owner would incur living somewhere when the property is destroyed. This is also referred to as consequential loss and is very important for businesses

    c) Liability Risks - These refer to losses incurred by others due to our actions. The losses could be injury to the persons, or damage to their assets and may be unintentional, or due to negligence or carelessness

    d) Risks arising from the failure of others - These arise when others fail to meet their agreed obligations, say when a debtor fails to pay debts on due dates.

    2) Speculative Risks - These refer to risks where there are possibilities of gains as well as losses. Most risks are in this category though the classic case is that of gambling, where risk is deliberately created in the hope of gain. Similarly an entrepreneur makes his investment in the hope of gain. The risk he runs is expected to be met by his reward, or the profit expected from his venture. His management of risk becomes key to his business success.


    III Attitudes to Risk

    The existence of Risk is a reality. As a result it becomes necessary to deal with it.

    This can be done basically in three ways

    a) Avoidance - In this case, the risk-free option is chosen, which could imply, for instance, in an investment situation, investing in government securities which yield lower returns, or, in considering travel, a refusal to travel. However, this is a negative attitude, as progress for the individual and the economy necessitates an element of risk taking.

    b) Transfer - In this case, the risk is transferred at a cost to an expert who manages it. The classic case is insurance, where an insurance company takes over a risk on receipt of a premium, the extent of cover being determined by the premium.

    c) Retention - Here the risk remains and needs to be managed. Such management may involve
    i) Sharing - a part of the risk may be transferred
    ii) Reducing - this could be through loss prevention and control

    The activity of Risk Management deals with the risks retained and will be discussed in more detail in the subsequent chapters.


    Chapter III

    The Management Process

    The goal of every business is to meet target objectives. Since Risk is a key factor in

    achieving the objectives, effective management of Risk is a critical goal for every

    business.

    Well-managed businesses have historically managed risks successfully; however, that has generally been on a silo-based approach. The production team would manage technology, treasury would manage currency, legal teams would manage compliance. In today's complex world it has been found that such a fractured approach often leads to sub-optimal solutions, impairing the organization's overall returns. Consequently, an integrated approach is recommended. Risk is an uncertainty that can be understood, measured, monitored, mitigated and ultimately leveraged.

    For every business, the risks involved need to be understood clearly. Specific risks need

    to be identified and assessed. Mitigation methods need to be instituted and their

    success in controlling the risks monitored. This information needs to be shared across

    the organization, as relevant, ensuring a continuous process.

    Risk Management Process

    1. Understanding the Risks - In order to understand the risks for any business it is necessary to know its purpose or mission, the objectives it has set for itself and the strategies it has chosen towards achieving those objectives.

    [Figure: the Risk Management Process shown as a cycle: Understanding Risks, Identifying Risks, Assessing Risks, Mitigation Methods, Monitoring Control, Communicating Results]


    The social, political, cultural, regulatory, and competitive environment creates risks

    for businesses. The stakeholder profile creates pressures. All these diverse forces

    need to be balanced. Similarly, the internal systems, processes and people create

    demands. The roles and responsibilities across an organization and the

    interactions between the various activities and their relationships are all

    components of the risk profile.

    2. Identifying the Risks - A comprehensive identification of specific risks is an essential requirement of the risk management process. Any event or activity that may have an impact on the achievement of the business objectives needs to be tracked. There are a number of ways in which risks can be identified. One method is to classify them as follows :

    a. Environmental : Covering all external risks, outside the business itself
    b. Strategic : These would include all risks linked to the business strategies including competition, new entrants, markets, suppliers and substitutes
    c. Operational : These are the day-to-day risks faced by the organization in its routine operations and include risks associated with its processes and systems, people, regulatory compliance and execution and delivery constraints
    d. Financial : While these are also operational risks of a sort, they are classified separately because the nature of these risks is different and they need to be managed by specific subject experts.

    3. Assessing the Risks - All identified risks need to be assessed since this assessment will ultimately determine the priority of management.

    One simple qualitative method of such assessment would be to first classify the risks on the basis of frequency viz.,

    a. Frequent : Occurring very often or continuously
    b. Likely : Occurs several times over the considered time period
    c. Occasionally : Occurs sporadically during the considered time period
    d. Seldom : Possible, but recurs rarely
    e. Unlikely : As the term signifies, will probably not occur

    This is then combined with the financial impact when the risk occurs

    - Catastrophic : critical financial loss in terms of severity and magnitude (could lead to bankruptcy)

    - Critical : serious financial loss which would drastically reduce returns


    - Marginal : refers to minor financial losses which though affecting current

    returns, would have no lasting impact

    - Negligible : these are minor and routine for any business

    Combining the frequency of each risk with the financial impact, a severity chart of risks can be prepared where risks could be classified into four categories:

    i) Extremely High Risk (E) - the enterprise could fail with all the severe consequences
    ii) High Risk (H) - The enterprise could be severely impacted and major targets may not be achieved
    iii) Moderate Risk (M) - Some objectives will not be met but overall the enterprise should function
    iv) Low Risk (L) - Should be manageable with all major objectives being met

    Such a qualitative basis is useful where no data is available either on the probability of frequency or the financial impact. However, if such data is available, then a more quantitative analysis is possible. The risks can be plotted on a Risk Map as given below :

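    Risk Map (Value of Impact on the vertical axis, Frequency of Occurrence on the horizontal axis)

    Value of Impact | Low Frequency of Occurrence | High Frequency of Occurrence
    High            | High Impact, Low Likelihood | High Impact, High Likelihood
    Low             | Low Impact, Low Likelihood  | Low Impact, High Likelihood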

    The four quadrants clearly delineate the relative importance of each risk and

    provide an immediate basis for action. The management of the organization can

    take cognizance of the risks depending on their position on the map and the

    resources available.


    4. Mitigation Methods - Once the risks have been identified and assessed, the mitigation methods need to be instituted. There are two approaches that can be used.

    i) The integrated approach - When risk factors are common across units, or when units are highly interdependent, the tools and techniques developed for one unit may be equally effective when applied on the others. In such situations, a common risk language with shared tools and techniques can be used across the entire organization.

    ii) The dispersed approach - Where risk factors vary across units, it becomes necessary to develop unique tools and techniques by functional or business unit as the case may be.

    In actual practice, a combination of both approaches may be the most effective. For instance, in a manufacturing company, the profiles of the factories may be similar, enabling the use of an integrated approach. However, the marketing activity would have a different risk profile where the mitigation methods would be different.

    All mitigation methods should include
    i) proposed actions
    ii) resource requirement
    iii) responsibilities and timing

    5. Monitoring - The success of any management process is dependent on the quality of monitoring and review.

    It is essential that the organization monitor the mitigation activities and
    i) review the performance of the mitigation methods
    ii) review the effectiveness of the processes being used for arriving at the mitigation methods

    6. Communication - Finally, it is imperative that the progress in the area of risk management get communicated effectively across different levels in the organization. It is necessary that at each relevant level it should be known that
    i) the assessment process was appropriate
    ii) the measures adopted resulted in the intended output
    iii) where the performance was below expectations, the fresh assessment and new measures required have been instituted.


    Chapter IV

    Environmental Risks

    These are the external influences on the business and constitute the environment within

    which it operates. Normally this is an ever-changing scenario which provides

    opportunities as well as constraints within which the business has to function.

    Some major components are

    i) Economic Risk - This is the impact of the general economy on the business. Usually, the most critical impact is that of inflation since that affects the purchasing power of customers. However, in case of a recession there may be a drop in the aggregate demand which can also have a very adverse impact. An understanding of the taxation regime is always useful and for some businesses specific policies of the Government may be useful, for instance, where they are affected by subsidies or grants.

    ii) Environmental / Ecological Risk - Occasionally the Environmental Risk is taken to mean the Ecological Risk only. While this is a narrow perspective, it does not in any way reduce the criticality of the Ecological Risk for any business. Every business needs to understand the impact of its activities, products and services on its environment. Specific importance needs to be given to energy usage, waste, effluents, emissions, and sound pollution if any, including the problems of accidental spills. Prevention of pollution, minimization of global warming and environmental sustainability are important ecological targets for all businesses. When considering ecological risks, it is advisable for businesses to consider the impact of natural catastrophes such as earthquakes and floods on their installations and business cycles.

    iii) Shareholder Expectations Risk - Any business listed on the stock exchange needs to take cognizance of this risk. While these expectations exercise a stress on the business, demanding constantly high levels of performance, the rewards for meeting the expectations or bettering them are generally handsome. This is a good example of a risk which can lead to gain, if mitigated successfully.

    iv) Political Risk - These are the risks arising from the power exercised by the government or sometimes even some non-governmental bodies. Political Risk may also arise due to governmental inaction, say failure to enforce the law. An extreme example of political risk is when there is a sudden change of government in a country, with the new government refusing to honour the agreements entered into by its predecessor. Comparatively less severe, though serious, risks in this area would include risks of sudden changes in governmental policies, taxation laws, or even just bureaucratic incompetence or corruption.


    v) Legal Risk - Every business involves a range of activities as a result of which there is a large exposure to legal liabilities. These liabilities arise because of breach of obligations and may be

    a) criminal - if in violation of criminal law; prosecution for which is initiated by the State and if found guilty, punishment is prescribed
    b) civil - if in breach of contracts or if any harm or loss has been caused to any person. Such cases are determined under civil law and if the person initiating the action is successful, compensation is normally prescribed
    c) tort - if there has been a breach of duty or negligence resulting in a loss to third parties. Such cases are also decided under civil law and if successful, compensation is awarded to the aggrieved parties

    vi) Social Risk - These are the risks businesses face of challenges to their business practices by their stakeholders. These can also be classified as society's impact on business. A typical example is the popular movement that often arises in many developed countries on the use of clothes manufactured in third-world sweatshops. Another case is the move to ban carpets produced in countries where child labour is endemic or for instance the move to ban the use of paper or board produced through unsustainable forestry practices. Thanks to the variety and forms of media prevalent around the world, the notice and broadcast of a perceived social risk happens very, very quickly, creating threats to the reputations of brands and corporates. Consequently it is very necessary for every business to

    a) identify the empowered stakeholders and their key issues
    b) work with the stakeholders in determining the appropriate level of engagement to address their concerns
    c) share the necessary information establishing improved accountability.


    Chapter V

    Strategic Risks

    Strategy is the path a business follows to achieve a goal or an objective. When

    formulating strategy, alternatives are analysed. At this stage, the risks for each strategy

    may be identified, assessed and a risk map prepared. This enables the selection of

    strategies in line with the risk appetite of the business. Major topics in Strategic Risks

    include

    1) Market Risks - These reflect the level of uncertainty in the markets the business deals in. The markets considered here are not financial as those are discussed under financial risk. Market risk has to do with market structure, the strategies adopted for market growth and price behaviour. The social / political / cultural / economic forces impacting the industry, the legal and regulatory pressures and the demographic profile of the customers are all critical components of market risk.

    2) Competition Risk - In any industry, competition works to drive down the rate of return on invested capital. It is therefore very necessary to actively monitor this risk and develop effective mitigation methods. There must be a clear understanding of the number of competitors and their business profiles as these are intrinsically linked to the business profitability. To any existing firm, new entrants are threats, as are substitute products since these tend to impact the industry economics. Similarly if suppliers are too powerful, input costs are difficult to control. On the other hand, if buyers are too powerful, output pricing gets restricted. Balancing between these opposing forces requires a careful study of competition, identifying and assessing all risks from this sector.

    3) Business Model Risk - The business model of the enterprise needs to be understood in the context of its industry and competition. A dispersed manufacturing strategy could create risks of quality, uniformity and standardization. On the other hand a single manufacturing facility would create distribution and reach risks. A direct marketing model may result in ease of customer contact but fragmented distribution may inflate delivery costs. Similarly in service businesses, centralization may result in greater control, but the risk would be in higher turnaround times resulting in delays for customers. The strengths and weaknesses of each model need to be evaluated and the corresponding risks mitigated.

    4) Technology - Technology is a critical business requirement in today's world. However, the impact of technology has to be clearly understood in the context of the quality and volume, demand and price of the product or service, as the case may be. While technology in services is as important as in the manufacturing sector, its appropriateness is also essential. This area needs to be managed by


    ensuring that investments are optimized to secure the business objectives.

    Competition needs to be monitored to avoid being outmaneuvered by cutting

    edge technological advancements and new developments need to be adopted

    judiciously. While information security has to be assured, the right information

    must reach the right persons at the right time. The three primary technology

    types viz., information, communication and control technologies present

    significant opportunities which need to be appropriately exploited.

    5) Investment Evaluation - One critical strategic risk for all businesses is the adequate appraisal of the investments made. The purpose of all investment is gain, which is normally assessed in some financial terms. However, the impact of an investment is not just financial and consequently a simple financial analysis cannot be an adequate appraisal. While the financial aspect for any investment remains critical, the purpose often includes a variety of factors viz.,

    a) Market expansion - Projected growth in product volumes may need to be met through creation of additional capacity

    b) New Markets - Existing products may be extended to new markets through new investments, or new products may be introduced in existing markets creating a new demand (and hence a new market) for the business, or both the product and the market may be new.

    c) Command of Resources - In a case where there are limitations on the availability of a particular input, an investment towards that input may help in controlling the market for the end product

    d) Upgradation - Where new technologies have surfaced, investments may be required to upgrade the existing products.

    In all these cases, although the financial parameters may be met, a

    comprehensive evaluation of the investment must include the other factors

    since achievement of the financial targets may be possible only when the

    other targets are met.

    The context of an investment decision needs to be understood for a correct evaluation.

    While financial returns remain a key target, these are dependent on a number of

    organizational factors, each of which has to be successfully engaged for the investment

    to be effective. Consequently a range of factors need to be identified and monitored for

    successful mitigation of an investment risk.


    Chapter VI

    Operational Risks

    Operational Risk is the risk associated with business operations. Running a business

    requires the employment of people, working through certain processes and systems

    towards the pursuit of specific objectives. Consequently Risks associated with these

    areas are Operational Risks.

    1) People - The people in a business comprise both the supervisors and the supervised, and the processes and systems need to cover both those managing and those being managed. This is consequently a complex area requiring careful attention. "People are our greatest asset" is a statement regularly heard from businesses today, but the manifestation of this belief in routine business operations needs to remain a key focus area. To quote from Peter Drucker, "in fact, organizations have to market membership as much as they market products and services and perhaps more. They have to attract people, hold people, recognize and reward people, motivate people, and serve and satisfy people." The major aspects are

    a) Human Resource Management practices viz.,
       i) recruitment
       ii) training and development
       iii) job roles
       iv) working conditions
       v) performance evaluation
       vi) industrial relations

    Recruitment - The recruitment process is the first contact a future employee has with a business. A favourable first impression is always a good basis for a lasting relationship. A clear job description and a fair selection process implemented by a personable, enthusiastic and competent recruiter mitigate the risks in this process.

    Training & Development - Having recruited the right persons, it becomes necessary for the organization to ensure proper fitment. A comprehensive induction programme ensures that the new entrants get integrated into the working environment and become productive quickly, with an understanding of the organisation's and the specific business unit's goals, policies and procedures. Appropriate continued professional development processes for employees ensure that the people in the organization remain contemporary.


    Job roles - After employing good people, the organisation needs to ensure that they are provided the opportunity to exhibit their talents.

    Assigning the right job to the right person is often a complex task.

    Proper job descriptions with a clear job structure are a necessary

    criterion for appropriate staffing and an important mitigation method

    to manage the people risk.

    Working conditions - The physical environment at work as well as the contractual conditions together combine to constitute the working

    conditions. The standards change with time, but an unacceptable

    environment creates a psychological pressure which is likely to hamper

    performance. For instance, an air-conditioned workplace was

    considered a luxury in India a few decades ago, but is taken for granted

    today. At one time employers would ban trade unions at will, a

    completely unacceptable state of affairs today. Similarly health and

    safety conditions of employees have become important nowadays and

    need to be taken into consideration.

    Performance Evaluation - Appreciation is a critical human need and every person needs to feel appropriately appreciated for his

    contribution. A proper performance evaluation process is therefore a

    critical requirement for managing the people in a business. The process

    must be seen to be fair and comprehensive and needs to be

    implemented effectively.

    Industrial Relations - All organizations with organized labour need to have processes in place to mitigate issues in industrial relations. In

    addition to compliance requirements these require negotiation skills to

    ensure harmonized business operations.

    b) Compensation - While remuneration is certainly a key factor for every employee, the total compensation may often be structured across a variety of elements. Many organizations have reduced this area to a flat "cost to Company" basis leaving the option of the components to

    the individuals while others have structured compensation packages

    incorporating factors such as location, age and other parameters. No

    standard solution is available to be implemented across all businesses

    and each organization needs to determine the options appropriate to

    itself.

    c) Integrity - This is an area often taken for granted, with organizations

    assuming that employees will be honest. However, such assumptions

    are fallacious and fraud or deceptions, theft or even concealments have

    been found to be increasing. It is imperative that every organization be

    alert to these problems and institute processes to check these issues.


    2) Process and Systems - These are the activities that comprise a business's operating cycle, end to end. Any failure in a process or a system is a risk, as it creates an

    exposure which could lead to a loss. Some major areas are

    i) Transaction Processing - Every business comprises a series of transactions and the ability to process innumerable transactions effectively is often the best measure of its efficiency. Consequently, the main operational risk of the

    business is the transaction risk, which can arise from the

    a) Production process - Variability in output, whether in terms of quality or volume, is a problem in the production process of any product or

    service. The minimization of such variability is a constant endeavour for

    most businesses.

    b) Documentation process - Every transaction needs to be documented, and any error in documentation could be a source of loss. Consequently, while variability in the production process needs to be controlled to keep customers happy, documentation variability needs to

    be controlled in the interest of the business itself.

    c) Product Variation risk - Where a business unit has more than one production or service unit, it faces a further risk. While the output at

    any one unit may be uniform, the output of another unit may be

    different, though labeled the same. This variability between outputs of

    different units needs to be removed through the adoption of

    appropriate mitigation methods.

    ii) Knowledge Management - The knowledge an organization possesses is often key to the success of the enterprise, being its major source of competitive advantage. However, this knowledge is often restricted to a few key persons

    with no structured process for its dissemination and updation. This can

    become a major drawback in case for any reason those individuals become

    unavailable. Further if the knowledge is unique and can be registered as an

    intellectual property, it is imperative that such registration be completed as

    soon as possible, failing which registration by another party may limit its use

    or even render it unusable.

    iii) Information Technology (IT) - As information technology becomes more and more necessary to operate businesses, the risk from IT failure becomes an

    increasing concern. The areas to be considered include -

    a) Business Alignment - The IT in use should be aligned with the business processes, ensuring smooth operations. A typical problem occurs when

    the physical process in use is not in line with the IT process, requiring

    additional effort for alignment.

    b) Data Security - Globally, the security of electronic data is recognized as a risk and hacking, or illegal or unauthorised access, has been identified as a major threat world-wide. Independent security processes need to be installed and kept updated in all IT systems to ensure that the organization's data is safe.

    c) System Capacity and Availability - The growth of a business is not necessarily uniform, with sudden spurts followed by comparatively leaner periods. Lack of foresight may lead to installation of systems

    with inadequate capacities, which are unable to handle growth

    resulting in serious limitations to the business. On the other hand,

    overcapacity may result in a high cost base which cannot be serviced

    adequately at the returns being generated.

    d) Disaster Recovery - All IT Systems need to be geared for disaster recovery risk. This refers to the probability that data may suddenly get corrupted or there may be an unexpected systems failure. Traditionally back-up procedures have been used to mitigate this risk, but with greater sophistication of the IT Systems themselves, these processes have also been improved.

    e) Business Continuity - While disruptions in the internal IT processes of a business are covered through Disaster Recovery processes, these do not

    take into account the impact of disruptive events on the business itself.

    Such disruptions could be from natural perils or man-made problems

    such as terrorism or even strikes. Contingent plans need to be in place

    for activation in case of business disruption to maintain resilience and

    safeguard stakeholder interests.

    iv) Supply Chain - In a manufacturing system, the process of sourcing raw material, its conversion to finished product and delivering to the ultimate

    customer is called the supply chain process. Any uncertainty at any step of

    this process leads to a supply chain risk impacting the ultimate business

    objective of delivery to the customer. Consequently, these risks need to be

    identified, assessed and mitigated.

    v) Compliance - All businesses need to follow laws and regulations, which cover all aspects of an enterprise. This is an area of pure risk since the

    mitigation only ensures that there is no downside i.e. no penalty. However,

    even though no benefit can accrue to the business, it is absolutely necessary

    for its successful existence to ensure that all its operations comply fully with

    the laws and regulations in place. One simple method is to have a Compliance Register or a checklist containing all the legal and regulatory

    issues that need to be complied with. A regular set of checks with this

    register can ensure that this risk is being mitigated on an ongoing basis.

    vi) Project - Any activity using specific resources towards a set goal is a project. Two specific characteristics of a project are a set schedule or time period within which it has to be completed and an estimated budget, which limits the funds to be deployed. Often organizations run many projects

    simultaneously, some of which are interdependent on each other. Project

    Risk Management is a vast area and depending on the nature of the project

    say engineering, or construction, or software, specific guidance is available.

    However, generally for all projects successful completion is facilitated with

    a) Early identification of all risks present in the project.

    b) Clear communication of the risks to the project manager and all relevant persons involved.

    c) Awareness of both the threats and the opportunities. While negative risks need to be minimized, the positive risks are equally important as they provide the scope to offset the adversities.

    d) Clear delineation of risk ownership. The responsibility and accountability for each risk needs to be clear.

    e) Prioritisation of the risks. This is extremely important as the management of the risks needs to be linked to the prioritization.

    f) Analysis of the Risks. It is necessary to understand the nature of each risk to generate a good response. This must cover the impact as well as the different causes and the circumstances that increase or decrease their likelihood.

    g) The Planning and Implementation of Risk Responses. Implementing a response to a risk adds value to a project. This could be either through the minimization of a threat or the maximization of an opportunity.

    h) Maintenance of a Risk Log. This is an excellent control since it enables communication between the team members and stakeholders and also provides a track record of progress. The log should list all the risks with descriptions and the owners, with a record of the mitigation process.

    i) Tracking Risks - A one-time assessment of risks and responses is not an effective mitigation system. It is necessary to track risks regularly during the continuation of the project.

    j) Tracking associated tasks - The process of risk mitigation would require carrying out various associated tasks. It is necessary to monitor the progress of these tasks as their successful completion is integral to the success of the project.

    vii) Other Risks - The list of operations risks enumerated is illustrative and not comprehensive. Two further risks relevant in the twenty-first century also

    merit special mention viz.,


    a) Change management - Rapid changes in the environment have made it necessary for every business to handle change management effectively.

    The changes could be in the legal framework or disruptive technologies

    or natural disasters or even just customer perceptions. Businesses need

    to be able to respond at short notice.

    b) Outsourcing - In order to be competitive, it has become increasingly necessary for businesses to re-evaluate their competencies in executing components of their respective supply chains. Wherever such efficiencies are higher externally, these need to be tapped. However, this process of outsourcing creates new risks of third-party management which need to be recognized and mitigation methods instituted.


    the transaction nor the date of settlement. While the translation risk will

    not affect the cash flows of the business, it can seriously impact its

    profitability.

    c) Economic Exposure Risk - This arises due to structural changes in the economies of the countries involved. For instance, if one country has had a devaluation, there may be a drastic change in values resulting in an

    impact on the business model itself. Another problem could arise if a

    competitor from another country experiences a devaluation in its

    currency giving it a major advantage in pricing.

    3. Credit Risk - This is the risk that the counter-party to a transaction may not meet its obligations. In the case of a bank this would mean default by a borrower,

    while in a manufacturing business it would be a refusal or inability of a customer

    to pay its debts on the due dates. Traditionally, each business was required to

    complete its own diligence analysis of customers before dealing with them.

    However, nowadays credit rating agencies have come into being, providing specific ratings of the capabilities of each business to pay its debts.

    4. Interest Rate Risk - Businesses borrow funds from the banks or the financial markets, which are intermediaries obtaining the funds from investors. The cost

    of the funds to the borrower is a mark up on the returns paid to the investor.

    Consequently, if such returns vary, the cost of funds or the interest rates for the

    borrowings would vary. It is therefore necessary for each business to ensure that

    the mix of funds borrowed is appropriate for its own returns profile ensuring that

    this risk is within manageable proportions.

    There are three issues that need to be considered in the context of Financial Risks

    viz :-

    a) Commodity Risk - The price behaviour of commodities is similar to that of currencies. Consequently, the mode of risk management of commodities

    is similar to the way in which currencies are managed. Quantity or size of

    exposure, current price and price volatility are the parameters to be

    mapped.

    b) Common Denominators - The three basic factors of financial risks are price, volatility and liquidity. Most markets provide a current price and one into the future. The relationship is linear as the change in value is equal to the product of the change in price and the number of units held. Volatility is a measure of the changes in price of an item over a given

    period of time. Accurate predictions of volatility are required to

    determine the degree of risk at a given price level. Liquidity is a measure

    of market inefficiency as it provides a constraint on the size of

    transactions. It is a typical feature of each market segment. Theoretical

    calculations in measurement of risk usually assume

    i. A normal distribution
    ii. That the past behaviour of data may be used to predict the future
    iii. That estimates taken on day-end positions are adequate and intra-day variations do not need to be considered.
    iv. That no exceptional circumstances will occur.

    c) Derivatives - These are financial products derived from some other

    financial instruments. For instance, an interest rate future is derived from

    a bond or treasury bill or deposit, while a currency future is derived from

    the spot market in that currency. Derivatives are used for the redistribution of risk and customers fall primarily into two categories viz.,

    one group which is guarding against a risk they need to mitigate in the

    normal course of business and another seeking a large reward for taking

    on a high risk. Some common derivatives are

    i. Futures - An agreement to give or take delivery of a specific quantity of a currency or a commodity of a particular grade at a

    definite location on a future date is called a future. The contracts

    are standardized to ensure adequate liquidity. While currency

    futures contracts are standardized to quantity, commodity futures

    are standardized with respect to quantity, grade, delivery month

    and place of delivery.

    ii. Options - This is a contract in which the buyer has the right but not the obligation to purchase or sell an underlying asset at a specified price (strike price). In return, the option seller (writer) receives a fee referred to as the option premium. Options are available for

    interest-rate exposures as well as currency exposures.

    iii. Swaps - A swap is when an exposure in one currency is converted into an exposure in another currency, or when a loan with a fixed

    rate of interest is converted into one with a floating rate of interest.

    A large variety of derivative instruments are available; however, it is very

    necessary to understand each instrument as often the downside risks

    may be extremely high. The rules of accounting have also become

    stricter as a result of which any mistakes in this area are likely to surface

    immediately. Consequently although derivatives are excellent risk

    mitigation tools, their adoption needs complete understanding of all

    aspects.


    Consequently, these three aspects i.e. Governance, Risk and Compliance (GRC) are

    increasingly recognized as a new and integrated approach to management and GRC has

    become accepted as a standard business term.

    A proper GRC system combines people, processes and technology and enables an

    organization to

    i) Understand, appreciate and prioritize stakeholder expectations
    ii) Co-ordinate between risks and values to set realistic business objectives
    iii) Optimise its risk profile to protect value while achieving objectives
    iv) Ensure that its operations fall within legal, contractual, social and ethical boundaries
    v) Enable comprehensive measurement of its effectiveness and performance.
    vi) Disclose reliable, relevant and timely information to all its stakeholders.


    Chapter IX

    Internal Controls

    Internal Controls are processes within an organization designed to provide assurance

    regarding

    i) Efficiency and effectiveness of the operations
    ii) Reliability of financial reporting
    iii) Compliance with applicable laws and regulations

    The Internal Controls Process comprises five components, viz.

    i) Control Environment - This is the atmosphere within the organization in which people conduct their activities. Integrity, competence and ethical values are the hallmarks of an effective control environment.

    ii) Risk Assessment - Every organization works towards achieving certain objectives. Risk assessment is the identification and analysis of risks relevant to that achievement and the determination of the basis for their management. The organizational goals include

       a) Operations Objectives - These comprise the mission of the organization i.e. the reasons for its existence including enhancement of the efficacy of its operations

       b) Financial Reporting Objectives - These relate to the preparation of reliable financial reports

       c) Compliance Objectives - These relate to adherence to the laws and regulations applicable to the organization

    iii) Control Activities - These are the specific policies and procedures in use within the organization towards achieving its objectives. The principal control activities are -

       a) Segregation of Duties - This requires that different persons be assigned responsibilities for different elements of related activities, especially sanctions, custody and record keeping, thus creating a system of checks and balances

       b) Authorisations - This ensures that every activity is carried out by responsible persons entrusted for that purpose.


    - Access Security, Data & Program Security
    - Software Development & Program Changes
    - Data Centre Operations
    - Disaster Recovery

    These controls are designed to maintain the integrity and availability of the information processing systems and networks. The controls focus on ensuring that correct data files are processed according to established protocols and relevant diagnostics monitored.

    ii) Application Controls include programmed procedures within application software.

    Input controls ensure the complete and accurate recording of authorized transactions by only authorized users, ensuring identification of rejected and suspended items. These may be

    resubmitted after due validation, with various checks ensuring

    matching and completeness. Complete and accurate processing is

    ensured through processing controls, while output controls

    generate the audit trail, simultaneously reporting the results to

    authorized persons for review. Extensive end-user computing has

    necessitated focus on application controls.
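
    The input, processing and output controls described above can be sketched as follows. This is an added example, not part of the guidance note; the user list, account list, field names and sample batch are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Assumptions for this illustration (not from the guidance note).
AUTHORIZED_USERS = {"clerk01", "clerk02"}   # users allowed to record transactions
VALID_ACCOUNTS = {"4000", "5000"}           # master data used for matching

# Constructed sample batch with its control totals (record count, value total).
SAMPLE_BATCH = [
    {"id": "T1", "user": "clerk01", "account": "4000", "amount": "120.50"},
    {"id": "T2", "user": "clerk02", "account": "9999", "amount": "75.00"},   # unknown account
    {"id": "T3", "user": "intern7", "account": "5000", "amount": "10.00"},   # unauthorized user
    {"id": "T1", "user": "clerk01", "account": "4000", "amount": "120.50"},  # duplicate entry
    {"id": "T4", "user": "clerk02", "account": "5000", "amount": "30.00"},
]
SAMPLE_COUNT = 5
SAMPLE_TOTAL = Decimal("356.00")


@dataclass
class BatchResult:
    posted: list = field(default_factory=list)       # accepted transactions
    suspended: list = field(default_factory=list)    # (transaction, reason) pairs
    audit_trail: list = field(default_factory=list)  # one entry per decision taken


def validate(txn, posted_ids):
    """Input control: return a rejection reason, or None if the item is clean."""
    if txn.get("user") not in AUTHORIZED_USERS:
        return "unauthorized user"
    if txn.get("id") in posted_ids:
        return "duplicate id"
    if txn.get("account") not in VALID_ACCOUNTS:
        return "unknown account"
    try:
        amount = Decimal(str(txn.get("amount")))
    except InvalidOperation:
        return "amount not numeric"
    if not amount.is_finite() or amount <= 0:
        return "amount must be positive"
    return None


def process_batch(batch):
    """Processing control: every item is either posted or held in suspense."""
    result = BatchResult()
    posted_ids = set()
    for txn in batch:
        reason = validate(txn, posted_ids)
        if reason:
            result.suspended.append((txn, reason))
            result.audit_trail.append(("SUSPENDED", txn.get("id"), txn.get("user"), reason))
        else:
            posted_ids.add(txn["id"])
            result.posted.append(txn)
            result.audit_trail.append(("POSTED", txn["id"], txn["user"], ""))
    return result


def resubmit(result, corrected):
    """Re-validate a corrected item; only a clean item leaves suspense."""
    reason = validate(corrected, {t["id"] for t in result.posted})
    if reason:
        result.audit_trail.append(
            ("STILL_SUSPENDED", corrected.get("id"), corrected.get("user"), reason))
        return False
    result.suspended = [(t, r) for t, r in result.suspended
                        if t.get("id") != corrected["id"]]
    result.posted.append(corrected)
    result.audit_trail.append(("POSTED_ON_RESUBMIT", corrected["id"], corrected["user"], ""))
    return True


def reconcile(result, header_count, header_total):
    """Completeness check against the control totals supplied with the batch."""
    posted_total = sum((Decimal(str(t["amount"])) for t in result.posted), Decimal("0"))
    return {
        "count_ok": len(result.posted) + len(result.suspended) == header_count,
        "posted_total": posted_total,
        "unposted_value": header_total - posted_total,  # still in suspense or missing
    }


if __name__ == "__main__":
    outcome = process_batch(SAMPLE_BATCH)
    print(reconcile(outcome, SAMPLE_COUNT, SAMPLE_TOTAL))
    for entry in outcome.audit_trail:   # output control: report for review
        print(entry)
```

    The audit trail records who submitted each item and why it was suspended, which is the output a reviewer needs to clear the suspense items.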


    Chapter X

    Driving Stakeholder Value

    The management of risk has been established as a critical component in the operations

    of every organization. However, the risk-maturity level can vary across a wide spectrum

    ranging from merely complying with regulations, the minimum level of a GRC initiative

    as explained in Ch VIII, to a proactive function seeking to enhance the value of the

    enterprise.

    Value can be measured in a number of ways, not necessarily through financial measures

    alone, though economic profit is the parameter generally used. When the benefits

    derived from the use of resources are greater than the resources used, sustainable value

    creation takes place. Effective management of risk enables protection of value and

    creates sustainable value for the enterprise.

    A framework for a value creating risk management strategy would include

    Step 1 - When setting objectives, performance goals and risks need to be optimized.

    Strategic alternatives need to be evaluated to determine whether the potential returns

    are commensurate with the associated risks. Therefore at the planning stage itself, the

    risk impact is incorporated into the objectives.

    Step 2 - Once risk has been included into the objectives, the metrics and parameters for

    measurement need to be determined. These help the business to decide the current

    level of risk and the acceptable extent.

    Step 3 - Then after the overall level has been decided, the granular targets for each risk

    are agreed as well as the key performance indicators.

    Step 4 - All risks are analysed to identify the gaps between the existing state of affairs

    and the desired targets. These may arise in methodology, frameworks, tools, people or

    just levels of performance.

    Step 5 - Finally, the implementation programme is made integrating the strategy into

    the daily operations resulting in the creation of a road map. The milestones are

    identified and strategy execution can commence. In this context it is relevant to refer to

    Michael Porter's description of Risk in his book Competitive Strategy, where he states that "Risk is a function of how poorly a strategy will perform if the wrong scenario occurs."

    Since the framework focuses on creation of value, the basic building blocks are the value

    drivers i.e. the measures that create sustainable value. For most commercial

    organizations there are four basic value drivers.


    i) Growing Revenue - While this is the first level driver, it immediately gives rise to two options viz., expansion of the scope of the existing business and the creation

    of future options. When analyzing expansion in the scope of the existing business,

    the operations could grow geographically, or through new products. Creation of

    future options would require innovation and flexibility.

    ii) Control of Costs - This may be achieved through operational efficiency or organizational effectiveness. Operational efficiency could be achieved through

    improved efficiency in existing processes resulting in the lowering of costs of each

    process. Organisational effectiveness could be enhanced through improved value

    propositions or superior execution of strategy

    iii) Allocation of Capital - This requires determination of the preferred sources of funds, which need to match the expected deployment. The management of

    Human Capital and Intangibles also needs to be considered.

    iv) External Events - The impact of the external environment including economic, political, social, cultural, technological, legal and regulatory issues needs to be

    analysed and the performance and growth objectives determined accordingly.

    Once these value drivers have been identified in detail, the objectives for each value

    driver and the concomitant risks are arrived at. For instance geographic expansion may

    require knowledge of new regulations, new tax exposures and the like. On the other

    hand new products may mean a new customer base and a new competitor profile.

    The risks associated with each action plan are linked automatically, in this process, to the

    performance and growth goals, ensuring continuous focus on value creation.


    Chapter XI

    Setting up the Risk Management System

    A Risk Management Workshop is an effective means of introducing, developing and

    promoting the risk management process in an enterprise and setting up the systems.

    Such a workshop often starts with a brainstorming session where participants are

    encouraged to discuss the various business risks that they perceive. Identified risks need

    to be recorded in a Risk Register. There needs to be an understanding of the level of

    exposure that the enterprise must manage in order to achieve its objectives. Single

    point estimates are generally of little use as the range of the upside and the downside

    must be known. The degree of uncertainty at each level of exposure within the agreed

    time frame needs to be identified. Where a business plan is being prepared, the

    complete environmental scan and the analysis of internal capabilities need to be completed and the risks listed. It is important to re-iterate the points that risks are a fact of life; today's environment requires quick identification of risks with immediate responses.

    Often when some activities get structured and defined, due to lack of clarity others are

    left out, leaving the enterprise vulnerable to unexpected and often unpleasant surprises.

    It is therefore necessary for each risk to have an identified owner, responsible for its

    mitigation. The risk owner can report the progress in risk management and this

    information can then be collated and communicated to the relevant levels, so that the

    impact on the organisation's performance is understood and remedial action initiated, if

    and when necessary.

    An important perspective states that all management is essentially risk management.

    Sometimes it is useful for known risks to be revisited and re-examined to confirm

    relevance. The top risks need to be prioritized and the impacts assessed. Risk maps or

    priority lists need to be prepared taking into account significance and impact of each risk

    to the organization. Once the risks have been assessed, the mitigation strategies need to

    be implemented.


    A simple management capability chart may be prepared at this stage to serve a useful monitoring role in the future:-

    Risk No.   Assessment          Maturity
    1          Very capable        Fully versed with the risk. Significant focus is spent to understand and manage.
    2          Capable             Risk is being managed appropriately
    3          Somewhat capable    Some resources are in place but further reduction/mitigation possible
    4          Low Capability      Few mitigation processes in place
    5          No Capability       No processes in place. Management, if any, would be entirely reactive

    Once the maturity levels are clear, a gap analysis may be completed for the key business

    risks. Based on this gap analysis, the mitigation strategy may be finalised. At the end of

    the workshop, the complete list of priority risks and the agreed mitigation strategies is

    available enabling immediate implementation. Performance in this area may be

    evaluated against the agreed milestones.

    While a detailed workshop may not be necessary every year, revisiting the basic process with every business plan becomes an effective control system for managing risks.

    A clearly enunciated Risk Management Policy, a comprehensive Risk Register recording

    the identified risks with ownership and regular monitoring and reporting of the progress

    in mitigation ensure smooth performance and growth for every organization.