Over the last decade, legislation in various countries has required listed entities to have a risk management framework. By 2003, over 50 countries had implemented legislation in the form of governance codes, including India, viz. Clause 49 of the listing agreement. Hence the initial phase, defining the requirement for and role of risk managers, has been well established. After the global financial meltdown of 2008, affected governments and regulators, mainly in the developed world, have so far got their taxpayers to write down roughly $3 trillion so that their economies are spared a collapse in payment systems and credit flows that would probably have caused a depression. Taxpayer money comes with strings attached in the form of a heavy dose of regulatory and compliance requirements. The coming years would hence see the next phase, in which risk management should become established as part of the management of entities, covering the methods and processes they use to identify, evaluate, manage and monitor risks within their business. Hence risk managers should be in great demand, and one of the important sources of the talent pool would be India.
Formal risk management is an outcome of corporate disasters, and it has gained greater prominence through legislation and its inclusion in ratings agencies’ credit assessments. Apart from being a matter of compliance, it also offers competitive advantage to entities practicing it by enabling them to manage not just their capital but their entire business more effectively. As elsewhere, in India a structured approach to managing risks started in the early 2000s as a compliance activity under Clause 49 of the listing agreement, but now many organizations, including the Navratna PSUs, are going in for full-blown ERM systems, engaging consultants to draw up policy and practice documents, define the organization structure for the risk management department, etc., which management is then to implement.
Proper implementation of an ERM initiative within a company can improve performance and produce results ranging from risk elimination, to preparation for possible problems, to preparedness for seizing opportunity. Coordination of risk management efforts will also improve general communication within the organization, help in defining company strategy, align resources, and drive performance. Early movers that have set up ERM systems, such as Infosys, started off with a well-defined organization chart; in this particular case the Risk council was set up in the late 1990s. The role of risk management consultants in advising on and assisting with the implementation of an effective ERM strategy is recognized. As a result, risk management consulting has been on a growth path over the past three to four years, and in the coming years large consulting revenue is expected to accrue even in the Indian market.
Given this background of the growing importance of ERM within India and its increasing adoption by various types of industries, it is felt that the product life cycle of ERM and the need for consulting services will be similar to the way ERP consulting services have grown over the last decade, both internationally and domestically. The ERP market in India was slow in the first decade, but the subsequent growth took many of us by some surprise. There is a growing global demand for ERM professionals who can understand business requirements and actualise risk management systems to meet a company’s needs. These industries range from manufacturing to banking to asset management, and to any firm that is exposed to the vagaries of risk. As mentioned earlier, the fallout of the global 2008 financial crisis would boost the requirement for ERM and ERM professionals.
ERM positions are available at all levels of an entity, be it the back office, the middle levels or the senior levels. To occupy these positions, ERM professionals need not only strong functional skills but also strong personal, interpersonal and business skills in order to play a value-added role in the organization. Towards this end, an ERM certification course would help in filling the gap.
For ERM professionals, certification can help provide a clear, motivating path for career growth, as well as equip them with a set of credentials that will be recognized and, with the current trend, should over time be accepted globally. Certification also provides them with membership in a community of peers who share the same skills and background, values and standards within the profession.
At the outset, let us understand the definition of ERM, as this is something we will keep referring to throughout the course:
1. As the word enterprise connotes, ERM is a continuous activity across the entity.
2. This activity is undertaken at all levels, in all functions and in all processes, including strategy formulation.
3. The activity is to identify events which could impact the objectives, assess the risks and address them appropriately, so that risk is contained within the risk appetite of the Board.
4. By undertaking this activity, management would be in a position to give reasonable assurance to the Board that the business objectives will be met.
The role and participation of the directors, especially those on the Audit committee, are key to a successful ERM. For example, one of the fundamental concepts is the risk appetite of the Board, wherein the Board is required to express its risk appetite against significant risks. This is a starting point. In other words, the Board is part of the ERM system, both as a user of assurance and as a provider of key inputs.
Hence, the Audit committee needs to be aware of the process of risk management in its organization and be able to evaluate how effective the organization is in managing its risks. As a result, its members need sufficient knowledge of and skill in this integrated practice of risk management. ERM calls upon organizations to manage their risks on an enterprise-wide basis, rather than by function or organizational unit.
Audit committee directors should understand the ERM principles, framework and process in an integrated way so that they will be able to exercise their role in overseeing risk management procedures, including the review and monitoring of key risk policies, risk authorities, and risk tolerances. They will also be able to explore the methods for evaluating risk management’s infrastructure, including personnel competencies, technologies and communications, and ensure that the risk information they receive provides them with an appropriate top-down enterprise view of risks.
To perform their role effectively, Audit committee directors need to understand some reference ERM frameworks and methodologies, such as the existing, widely known COSO ERM framework.
The time may be right to know and understand a new international standard for risk management called ISO 31000 (still in its draft version), which is being developed to bring a much more integrated perspective and yet allow a high degree of flexibility to the organization.
ISO 31000 suggests eleven principles as the foundation of its framework and process for managing risks across the organization. Although Audit committee members are not expected to become risk management practitioners themselves, their full understanding and knowledge of the principles, the framework and its process are crucial. Through the ERM process, the Audit committee can give the Board deeper risk insights by identifying events that might create risk opportunities as well as risk threats to accomplishing the organization’s objectives. As a result, the Board can be better informed about areas requiring greater attention and governance oversight, which in turn strengthens its ability to protect and enhance stakeholder value.
Getting Audit committee participation is a challenge in India. This will be the first significant risk the Risk Manager will be faced with.
One of the important constituents of any enterprise-wide roll-out, such as ERP, is the VISIBILITY and POSITIONING it has within the organisation. In the case of ERM, fortunately, it has been an Audit committee agenda. The challenge is the understanding of ERM, the benefits that it can bring, and the active participation by the directors.
The usual way ERM has come up is in phases. In the first phase, the Board of Directors constitutes a committee as per Clause 49, where key risks are discussed and a system to obtain risk data is introduced. But this may not by itself give business value.
Take the case of an export oriented textile mill.
1. Around 5 years ago, a risk committee of the Board was constituted.
2. Key risks such as export sale price points, import prices of oil and lubricants, electricity generating costs, cotton prices, interest costs, FE rates, HR issues, etc. were discussed.
3. The risk data was tracked religiously at every meeting. Soon it was found that there was a disconnect, as there was no significant change in the risk profile of the entity.
4. So after a couple of years a steering committee on risk was set up under the CFO, with senior managers from projects, legal and secretarial, materials management, operations, marketing, etc. as its members.
5. There was good cross-functional participation. The steering committee discussed significant risks, but soon discussions on operational problems took precedence as people started taking advantage of the cross-functional presence to resolve outstanding issues. So the Risk committee moved in substance to that of a PPC committee, where day-to-day problems were discussed and solutions found. This served everyone’s purpose.
6. Also, discussions on risk did not move down to process teams. Nor was risk documentation such as risk registers maintained, apart from a 4-page note listing the risks and regular minutes of meetings.
7. Around 2 years ago, as the textile industry was not part of the then economic boom and was not doing well, finding other sources of revenue became a hot topic of discussion. The bankers were pushing for a newish product, viz. FE derivatives. These were hotly debated at the Board and Audit committee but not at the two Risk committees. Consultations with the FE experts and bankers took place on a continuous basis. Eventually a well-considered decision was taken to use FE derivatives.
8. As we all know, Indian companies have lost heavily in this area. Some put the collective loss in the range of Rs 20 to Rs 40 thousand crores. The entity in question lost half its paid-up share capital in these two years.
9. Is this a simple case of business risk going bad? What more could have been done? There were two Risk committees and a collective, transparent and well-studied decision. It is unfortunate that the foreign currency chose to behave out of trend for the first time in two decades, and in a radical way at that.
10. If you look at this objectively, this is speculation, and the management were collectively caught in the greed/fear cycle. Also, by being a collector of risk data, the Risk committee was only ornamental, as it did not execute the remaining steps, viz. periodically reviewing the residual exposure and bringing it within the risk exposure as per the risk appetite. This is the end-to-end process of managing risks, and when done by all across the enterprise it is ERM.
11. The Risk committee should have defined the risk appetite for all the significant risks and got periodic assurance on whether the FE derivative risk was within its defined risk appetite. Not doing this step made their management action speculative grade.
12. The second aspect that management had missed was the finer points of the business environment. Uncertainty has moved to instability. For the past couple of years, every six to nine months, the global and local environment has been oscillating for most industry segments, as if the current had changed from DC to AC. One of the unique aspects of the financial meltdown is not fraudulent corporates, which were also seen in the late 1990s (Asian crisis) and again in the early 2000s (precursor to SOX), but the speed of collapse. This has made the impact of the risk catastrophic and has moved the crisis from corporate disasters to country disasters. Being an export unit that had tracked all types of commodity prices over three decades, and thereby an expert on the global and local environment, the entity should have had a sophisticated view of the unstable global environment and its possible local impact.
In the globalised age, instability in the business environment is a constant. Some risks which start off as low in impact take no time to assume catastrophic implications with the turn of a few events. Mergers and acquisitions are now a constant. The entities of the future will be risk managing entities.
Any management system, when it gains importance, is measured regularly for its maturity in the organisation. Just as the IT industry has its CMM level and the BPO industry has its PCMM, the emerging risk-managed entities will be measuring themselves against their risk maturity level. Different stakeholders such as customers, employees, rating agencies and government may start asking entities how risk-mature they are.
Since the time business started, those individuals who knew which risks and opportunities to take created growth entities. These risk-intelligent individuals have existed in all ages and across all human endeavour, and history has chronicled them as leaders and super achievers. Just being smart in managing commodity risks, treasury risks, customer risks, etc. will by itself not be sufficient anymore, as these address only one part of the business objectives. Times have changed, and the measuring unit has moved from individuals to processes, entities, communities, nations and geographies. Being smart in managing entity objectives as a whole is what will bring sustainable business success. Hence Enterprise Risk Managers are a new breed of risk managers who help ensure that risks across an entity are being managed within the risk appetite of the Board. While these individuals may have specific risk domain expertise, their real value would be in seeing that risks are managed across the enterprise. With an overall unstable environment where risks can change their intensity and move up or down the probability and impact scale not in megacycles but in teracycles, a risk management department would be worth its weight in gold, and an enterprise, community or nation, whatever the entity may be, that makes the top listings would typically be a risk-intelligent one. Welcome to seizing and converting opportunities in the future.
THANK YOU
Deepak Wadhawan
Mobile: +91 9313701213
New Delhi: June 6, 2009