According to the new Act, the board and audit committees have been vested with specific responsibilities of developing, implementing and assessing the robustness of risk management policy, processes and systems. Thus, the boards now carry an explicit mandate from stakeholders to oversee and, if necessary, lead the charge in having management identify and explain the most critical risks facing an enterprise and the actions being taken to address them.
As risk management becomes part of the strategy, requiring extensive board deliberation, the proportion invested in risk management is expected to rise over the immediate future, suggesting that companies will not be relaxing their guard any time soon. Enterprise Risk Management (ERM), a capability to master and optimise risk management, is propagated as the vehicle for this transformation. The fundamental elements of the ERM framework (risk strategy, risk structure, risk portfolio, risk measuring and monitoring, and risk optimising) create a powerful blend that aims to crystallise and optimise an organisation's risk philosophy. These fundamental elements help create a risk portfolio and facilitate embedding risk management as an integral part of an organisation's culture; define a mechanism to monitor and measure risks and controls; create an opportunity to view risks differently, since optimisation is an approach which recognises that risks are not hazards but can present opportunities to create value; and optimise the risk portfolio, so that an organisation manages risks in a way that balances its risk tolerance with its desire for improved performance.
Clearly, the new governance framework requires companies to understand what good risk management looks like today and how the boards can help foster the culture, communication and mindset to leverage the strategic value of risk management. However, clarity is lacking on how boards are responding to these expectations. Unlike other embedded responsibilities of boards and committees, such as the oversight of financial reporting and disclosure, there are no standards for risk oversight and few, if any, authoritative sources on which boards may rely. This implies that oversight has been somewhat passive and involves significant reliance on management.
Faced with growing legal and business responsibilities, the boards may like to consider the following, as they put together their risk oversight agenda for the next 12 months:
- take a fresh look at the qualifications of board members, how they operate, whether the board includes the necessary blend of business and industry knowledge and experience to assess risks, and the role of the full board and its standing committees with regard to risk oversight,
- assess the current oversight processes of the board and whether they enable the board to achieve its risk oversight objective,
- have a clearly defined and commonly understood risk philosophy and appetite: for example, what risks are acceptable and how do they align with strategy, and what risks are they unwilling to take, no matter how low the probability,
- have an in-depth understanding of the company's risks, reflecting the realities of the business and operating environment, and always adapting to changes in the environment, whether it is a new technology or macroeconomic conditions,
- clearly allocate management's risk responsibilities and decision rights: observe how decisions are being made and evaluate the thought process, with the goal of continually refining the decision-making process so the company is intelligently taking profitable risks,
- foster the right risk culture, as it is important to have a culture and incentives in place that reward not only appropriate risk-taking but also elevating an issue when something goes wrong,
- be aware of built-in biases, as robust risk discussions are based on healthy scepticism and a constant awareness of biases that can skew information and discussions: is the management overconfident in its own information, and do the management and the board openly acknowledge their biases, and
- see compliance as a competitive advantage. Companies focus on developing a single view of risk, by converging risk and control competencies and by integrating the single view with strategy.
The new Companies Act has laid down the foundation for a corporate governance framework in substance rather than form only. Therefore, this is a clear indication that the nature of board oversight has to change: there has to be greater directness and intensity from the boards, well beyond traditional oversight of typical risk management processes. The boards can bring about this change with greater attention to strategy, a change in the board's interaction with management with an intense focus on risk management, and increased discussion at executive sessions. Regulatory changes have tasked boards with the responsibility of ensuring that they are comfortable with the quantum of risks being taken in pursuit of organisational objectives. Against this backdrop, it would not be surprising to see boards today adopt a cautious and conservative approach to risk oversight in the coming years.
Raajeev B Batra
The author is head, governance risk & compliance services, and head of sustainability, KPMG in India. Views are personal.