In the seemingly mindless pursuit of ambitious targets, and driven by an excessive focus on toplines and bottomlines, managements had often given short shrift to Risk Management. Entrepreneurial fire in the belly has sometimes led to decisions which, in retrospect, were seen to have been driven by unbridled optimism, not moderated by the possibility of downsides or setbacks. Corporate underperformance and, on occasion, terminal failure, has led to Risk Management finally finding its place at the high table of decision making.

The nature of risk varies significantly from business to business. For example, risks in the financial sector can be significantly different from the risks in the manufacturing sector. Resultantly, risk mitigation processes may be materially different, based on the sector in which the company operates.

The standard stereotyped response would appear to be to prepare a risk register, with each risk being categorized on the basis of probability and impact, and identifying owners of the process for risk mitigation. These risks are not revisited often enough to ascertain whether they have continuing relevance, or on occasion, higher probability and/or impact. There is also not enough attention paid to external risks deriving from political or policy uncertainties and discontinuities. While all of this needs continuing attention, the imperatives of business cannot be ignored. How then does a corporate entity reconcile the increasing requirement of Risk Management processes and practices, while growing the business in a sustainable manner consistent with the interests of all stakeholders?

  1. Post the coming into force of the Companies Act, 2013, companies have gone overboard discussing risk and risk management, often at the cost of discussions on business. As a result, in some companies, internal risks, which are operational in nature, are also needlessly being brought to the Board. The company/business should have a perspective on what items should come under risk. Equally important is to identify the items that should be excluded from the risk framework. Repetitive problems confronting a business are not a part of risk since they have already occurred. Similarly, operational risks are not Board level risks and should be addressed driven internally by the concerned persons in management.
  2. Business cannot be run without risks. Instead of merely discussing risks, companies should focus on having a strategy for dealing with them. A balance between business and risk is important.
  3. Risks have two connotations, positive and negative. The positive connotation, which is that risk presents an opportunity, is often ignored. As a part of reviewing risks, Boards should also monitor the opportunities (in monetary terms) lost by the company and hold managements accountable for them, since learning through risks is also important.
  1. The traditional understanding of risk is no longer sufficient in today’s context. It should be broadened to factor in the multiple sources from which a business could have a risk. This approach is important and should be adopted internally. Unless the company knows what has to be seen/done, risk management will not be effective.
  2. Earlier risks were only domestic. Nowadays, many risks confronting businesses are exogenous. While risks associated with industry, technology etc. often get addressed, others like geo-political risks and reputational risks, while being important, are often ignored by companies.
  3. In some businesses, the regulator of the business is also a source of risks, since its future actions, which could have a huge impact on the business, represent an unknown for the company.
  4. For successfully identifying risks, it is also important to go beyond the comfort zone and explore the space where additional risks can be found.
  1. Classification of risks and measures of dealing with them are important so that their impact can be correctly classified. Risk management is a necessary enabler for businesses and should not come at the cost of business. For successful risk management, all risks confronting a business should be identified and classified; these risks should be periodically reviewed to identify any changes in them, including their severity or probability of occurrence; a root cause analysis should be done for any changes to the risk to understand whether the change is normal or not.
  1. Risk agility of a company represents the framework that has been put in place to combat risks. This framework should be flexible. However this alone is not sufficient. Risk resilience is equally important and hence, companies should also focus on capability building that will help business to move forward should the risk occur. This should start at the basic level in each company. Ultimately, risk agility and risk resilience have to move hand in hand for businesses to successfully combat risks.
  2. The risk framework should consider both internal and external risks. The framework should consider inter alia the following
    • Mindset and culture within the company to talk about risk openly.
    • Pressures of short term benefits – businesses are often caught in situations of vulnerability and it is important to identify this vulnerability as a risk.
    • Non-market factors – Risks today come from sources that are not a part of the business. They are no longer confined to social, technological, environmental, economic, political, legal, media etc. Businesses should spend adequate time in identifying non-market risks. With Indian companies expanding internationally, without effective oversight, there could be huge problems for these businesses.
    • Residence of risk management function is important since it determines the seriousness that it is given at an organisational level. Different companies place it under compliance, finance, internal audit or strategy. For it to be effective, ideally it should be under strategy since it aids in value creation. This will ensure that the opportunity that resides in risk is not lost sight of.
    • Where risk management function participates in business is an important criterion. Ideally, it should help with strategy formulation since risk and opportunity are two sides of strategy. Like strategy, risk should also be reviewed, especially at the Board level.
    • It should be flexible to change with changing times and should have a risk-reward function built into it. Also, there should be systems to ensure that the rewards are given after the business has seen how the risk plays out. The experience of 2008 where rewards preceded the emergence of a grave system threatening risks is the best example in recent times.
    • Quality of persons dealing with risk within a company is also important. They should understand the business well. They should be able to see paradigms as well as the historic happenings of relevance.
  3. Quantification of risk would be a good basic building block.
  1. Risk-taking ability of a business depends on the person who is leading/ controlling it. Also, there are some businesses/ industries where being risk averse can lead to the business perishing. Contextualisation is important.
  2. Approach to risk is seen to be different between public sector and private sector; between promoter driven companies and professionally managed companies.
    • Ownership can also be a source of risk if the difference between ownership and management is not understood properly by the owner/ company.
    • Public sector companies usually have risk agility, but lose out on risk resilience and risk mitigation. This is often because they do not have enough authority or power to act.
    • In professionally managed companies, CEOs could be ordinary CEOs or entrepreneurial CEOs. While the former is accountable to the promoter for the risks taken/ her action; in the case of the latter, an increased empowerment is not backed with an increased accountability.
    • Ultimately, risk, and attitude to risk, flows from the leader of the company.
  3. Some companies use their brand name to try to shield themselves when they fail to identify sources of risks.
  1. Boards have an important role in risk management.
  2. Quality and composition of board plays an important role, since Board members need to understand the business of the company in order to successfully assist in risk management.
  3. It is important for Boards to have a sense of proportion while discussing risks so that the discussions on risks are meaningful and fruitful.
  4. Audit Committees alone should not be responsible for addressing risk. It should be a function of the entire Board.
  5. Governance and strategy are two aspects of risks which have to go hand in hand.
  1. Risk management relates to all stakeholders of a company and not only the promoter.
  2. Companies should be prepared for risks and not be averse to them.
  3. Risk management has to be seen from a dynamic perspective –
    • Risks should be reviewed periodically.
    • Probability should be assigned to each risk, including the ones that might seem unlikely.
    • Company should learn from past experience not only of itself but also of other companies.
  4. VUCA (volatility, uncertainty, complexity and ambiguity) times can be positive for those who understand risk and manage it.

Excellence Enablers Private Limited (EEPL) is an initiative that focuses on implementation of better corporate governance practices, improvement of Board performance, including audit and evaluation, training of directors and engagement with stakeholders of governance. It is founded on the firm belief that the gap between performance and potential can, and must, be bridged. Consistent with that belief, all our offerings are tailormade to the specific needs of the organisation or the individuals concerned.

Given that our founder, Mr. M. Damodaran, introduced Clause 49 of the Listing Agreement, dealing with corporate governance in India, and has been a part of both public sector and private sector Boards, as well as performing and underperforming Boards, we offer experience based consultancy and courses on the journey from compliance through governance to performance. Further, given his success in turning around organisations that had been written off, we are uniquely positioned to offer courses on leadership, organisational transformation, and building winning teams.

EEPL has a number of highly experienced and renowned consultants and faculty members who have helped, and continue to help, us deliver programmes that have been well received.

All rights reserved.

No part of this publication may be reproduced, stored in retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior permission of Excellence Enablers Private Limited.

Views expressed do not represent the views of Excellence Enablers Private Limited and are a summary record of the observations made by the participants at the interface.