Risk Management - An essential tool in Corporate Governance PRESENTATION TO MEMBERS OF ICSI BY S. Ravindranath July 2011

RISK AND GOVERNANCE Risk comes from not knowing what you are doing; if you don’t understand, then don’t do it. == Warren Buffet. The governance framework is there to encourage the efficient use of resources and equally to require accountability for the stewardship of those resources. The aim is to align as nearly as possible the interests of individuals, corporations and society. = = Sir Adrian Cadbury, UK, Commission Report: Corporate Governance 1992) 2

From the Turnbull Report – UK CG A company’s objectives, its internal organisation and the environment in which it operates are continually evolving and, as is exposed. Since profits are, in part, the reward for successful risk-taking in business, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which the company of internal control is to help manage and control risk appropriately rather than to eliminate it. 3

4 What is Risk?  GRC – Governance, Risk and Compliance  Definition of Risk traces its origin historically to Greek mythology -“ to run into danger”  A Greek Latin nautical origin too exists – Homer’s Odyssey – Difficulty to avoid in the sea.  Incidentally the word “governance” also traces its origin to Greek word “kubernao” and passed on to Latin – to steer.  Time immemorial enterprising people dared to venture and conquer. No venture will succeed unless there is an overlay of risk.  But essential element of business is not only to make profits but also steer clear of danger.

5 How is Risk taking to be handled ?  Can neither be passive, nor reckless and “run into danger”  Risk taking as a way of life but manage it with robust controls and systems  Fine balance between risk and reward  Let us not avoid risk but understand and manage risk.

Examples of lack of governance Enron, Orange County, Barings – all went bust Nick Leeson and “The Rogue Trader” Derivative Trading without knowledge and risk management tools or governance Citi Bank, Gurgaon affair 6

Risk Management and Governance Risk and control mechanism without oversight and governance – disaster Risk Management in Indian Banks on the back of RBI and BASEL regulations. Risk factor in banking industry different from others - Risk of Systemic Risk Risks in Global Indian Companies includes currency risk, commodity price risk and market risks 7

8 Risk and Governance in Companies  Are controls and governance different?  “Hands-off” approach of Boards  Role played by Company Secretaries and Department Heads w.r.t. Compliance  Need for robust and transparent risk management framework with proper monitoring and control at a senior level with full disclosure to the Board periodically

Greater role for Board and Audit Committee Board of Directors – to understand the risks taken within the accepted framework and tolerance levels Be satisfied proper systems followed to manage risks. Losses if any, will be acceptable and would be absorbed by the company with their full knowledge. Board should own the responsibility for the same. Audit Committee of the Board, headed by outsider Director to actively involve in examining adequacy of risk management policy, internal control systems. 9

Risk Management in Companies ERM or Enterprise Risk Management to be updated Roles and responsibilities to be clearly defined Board cannot micro manage, but should get abreast of risk profile through proper system and communicate risk tolerance level to senior management. Micro risk management to be owned and managed by the executive top management and the Departmental Heads In some companies the internal as well as external auditors too play significant role of risk management watchdog Understanding of Outside Directors 10

McKinsey Survey Report April 2011 Board Directors are now spending time for: Strategy – 23% of their time Execution – 22% Performance Mgmt – 18% Business Risk Mgmt – 14% Core Governance & Compliance – 14% Talent Management – 10% Respondents on boards in the financial sector indicate that directors’ knowledge is below average on industry dynamics (just 6 percent claim to have complete understanding) but slightly above average on company risk (17 percent). Clearly seen where the focus is lacking. This may be global picture, but there may not be much of change in Indian context. 11

Deloitte Touche Tohmatsu Survey 2010 Survey for IFAC [International Federation of Accountants] Professional Accountants in Business [PAIB] - strengthen risk management and internal control practices globally. 600 participants from around the world from diversified organisations. More awareness of the benefits of implementing risk management and internal control systems should be created, Risk management and internal control systems should be better integrated into organisations’ overall governance, strategy, and operations. Risk management teams formulated policies and guidelines but those responsible for control had their own set of guidelines which they followed. Need for close interaction and integration is essential and help to understand that both risk management and internal control are integral parts of an effective governance system. 12

Another Deloitte Survey 131 financial institutions 90% of the financial institutions had proper risk governance model and approach In 75% of the institutions the Board of Directors approved risk management policy and ERM framework. 86% of the institutions had CRO [Chief Risk Officer] or equivalent post, 51% reported that Board of Directors conducts executive sessions with CRO Linkage between business operations and risk management should continue to be assessed and nurtured. 13

SAS – Fortune 100 Group Survey of 300-odd financial service executives Only 33% believe that the principles of risk management in financial services remain sound. Policy-makers can formulate an effective response to the current economic crisis. Only 40% of the respondents believe that “the importance of risk management is widely understood throughout their company.” Respondents wanted (a) “thorough overhaul” of their risk governance and risk management policies and programs (b) Improving data quality and availability (c) Strengthening risk governance (d) Instituting a more comprehensive company approach to risk management and (e) Integrating effective risk governance and risk management policies throughout the business (f) There should be transparency and more disclosures. 14

To sum up Element of risk has to be taken. Proper systems, controls and governance to understand, measure and mitigate the risks. Board to oversee implementation of risk strategy Close co-ordination between the CS and CRO. Close correlation among risk management, controls and governance. External pressures in the form of market forces, shareholder scrutiny and government intervention can play significant role Incentives for investment in corporate governance Need to strengthen corporate governance framework with regard to risk management and make greater disclosures that will protect interests of all the stakeholders. 15

Last word Is Risk Management a tool in good corporate governance or a good corporate governance is essential through proper controls over risk management? 16

Thank You 17