Risk Management& Corporate Governance

1

What is Risk?

Risk arises from uncertainty; but all uncertainties do not carry risk.

Possibility of an unfavorable outcome of an uncertainty is risk.

Outcome of an uncertainty may even be favorable. Is that a risk? In certain cases, yes.

2

Why take risks?

Because you have to.

Because it brings rewards.

3

Risk Management Process

Risk Identification

Risk Assessment

Selection of risk management techniques

Implementation

Review

4

Risk Identification

Risk profile of a company

Formal listing of all potential risks.

External professional help

Risk is inevitable; however unfavorable consequences of risk can be controlled.

Degree of risk to be assumed

5

Classification of Risk

Production risk

Price risk of inputs

Price risk of outputs

Project risk

Environmental risk (weather)

Political risk

Economic conditions risk

6

Risk Assessment

Having listed all the potential risks, ask:

How likely is it for any of these risks to actually materialize?

What is the maximum possible loss that can arise from each of the listed situations?

Can you stand that loss?

7

Risk Management Techniques

Risk avoidance

Loss prevention and control

Internal controls

Risk retention

Risk transfer

8

Implementing the Plan

Get quotes, find the best provider and create a contract.

Keep reviewing the situation.

Keep revising your risk profile.

Keep a record of cost of risk transfer against benefits of risk transfer.

Amend plans as necessary.

9

Is risk management a Corporate Governance issue?

Board is responsible for protection of company assets.

Board must work to improve shareholders’ value, which is not possible without taking some risks.

Not taking risks may be the biggest risk.

10

Internal Control

All that a company does internally to protect its assets, ensure the proper conduct of its affairs and accuracy of its records.

Risk management is not just part of “protecting the assets of a company”, it is an essential feature of proper conduct of its affairs.

11

Objectives of Internal Control

That all that is due to the company, comes to the company.

That the company pays only what should be paid out

That all incomes, expenses, assets and liabilities are properly recorded

That the assets of the company are protected and used only for company’s business.

That the company’s records are reliable

12

Tools of Internal Control

Defined Procedures Only one way of doing an action

Segregation of duties (internal check)

Controls Physical (cash in safe, maintenance)

Managerial (e.g. budgets, limits, approvals, etc.)

Supervision

Accounting and auditing checks

Selection of right personnel

13

Setting Internal Controls

Draw internal control policies.

Design internal control systems

Document all procedures

Train the staff

Ensure that the procedures are being followed.

Institute internal audit

Curb exceptions.

14

Monitoring Internal Controls

The system should generate reports. Frequency of reports

Adequacy of reports

Regular review of reports and action there-on. Follow up.

Investigation of major lapses

Internal Audit

Certification at critical stages.

15

Designing Procedures

Nature of work.

Extent of risk.

Cost of procedure.

Facilitate work, not hamper it.

Compliance with laws, regulations

Promote efficiency culture

Immediate notice of exceptions

16

Internal Audit

A control that functions by examining and evaluating the effectiveness of other controls.

Includes checking, analyses, appraisals, recommendations, advice and information.

Regular or Need based.

17

The internal auditor

Part of management; however does not report to management.

Detects errors and frauds

Helps management correct errors and minimize impact of frauds

Helps improve controls.

18

Advantages of Internal Audit

Keeps workers alert

Timely detection of errors & frauds

Enhances reliability of accounting and supporting records

Reduces external audit work

19

Types of Internal Audits

Regular, continuous internal audit

Need based investigation

VFM audit for specific purpose

Pre-disbursement and post-payment audits.

Records audits and Procedure Audits

20

Risk Management Reporting

CC of CG requires:

Audit Committee’s Report

Board’s Statement on Internal Controls

21

Audit Committee’s Report

List significance risks; how they are being identified, assessed and managed.

Report on effectiveness of the systems put in place to manage these risks

List of actions being taken to remedy significant failings or weaknesses

Comment on need for greater monitoring of procedures

22

Board’s Statement onInternal Control

Essentially it is about status of internal controls, e.g.

There is an ongoing process for identifying, evaluating and managing significant risks.

That the process was there during the year under report.

It is being regularly reviewed by the Board.

It is in accordance with Turnbull Guidance

23

Turnbull Report

Risk Assessment

Control Environment

Control Activities

Information and Communication

Monitoring

24

Risk Assessment

Clear objectives, clearly communicated to all concerned.

Significant risks assessed regularly Market risks

Technological risks (H&S, Environment)

Credit and liquidity risks

Reputational risks, legal risks

Clear understanding of risks being retained

25

Control Environmentand Activities

Who controls? Are they independent?

Are controls/ authority/ responsibility/ accountability defined?

Does company culture permit controls?

Demonstration of will to control

Communication to all concerned

How are adjustments made when needed?

26

Information & Communication

Frequency and adequacy of reports generated by internal control system.

Who receives what report at what intervals?

How reliable are these reports?

What checks are in place to ensure reliability of these reports?

27

Monitoring

Are control processes part of the normal operational processes?

Special communication to the Board by management

Monitoring of Management by Board

28

Disaster Recovery Plans

Disasters happen, or are made to happen.

What plans does a company have to ensure that:

Its operations are restored quickly

Its data is not lost

Most important for financial institutions

29