RMC – THE NEW KID ON THE BLOCK
23rd June, 2020
SUMMARY OF DISCUSSIONS
Covid-19 came with not much advance notice, and wrought, and continues to wreak, untold havoc on
the lives and health of humankind, across continents, and the economic health of most nations. In the
corporate world, managements are waging continuing battles to ensure crisis management of a high
order. The complexities in the corporate world have, over time, led to increasing focus on the
identification of risks, as well as the risk management and risk mitigation practices in existence. With
SEBI having mandated that the RMC would be a Committee appointed by the Board, some issues have
got, and are getting, better addressed, while some new issues have surfaced. Even as things now stand,
the Audit Committee of the Board is expected to be cognisant of the risks and the manner in which they
are addressed. With another Board Committee having risk management as its only remit, the
relationship between the Audit Committee and the RMC has assumed importance. Further, internal
audit, which is arguably the major instrument of risk management, reports to the Audit Committee,
while the Chief Risk Officer and the risk management function, which needs to actively collaborate with
the internal audit function, report to the RMC. Earlier, in the absence of Board-level membership of the
RMC, the focus was mostly on operational and commercial risks. Has the setting up of this Committee led
to better and more comprehensive identification of risks and better thought-through risk mitigation
mechanisms and practices? Also, is there adequate competence within the RMC to address the wide
variety and complexity of risks?
- Risk management is becoming critical for every Board. Risk function is important, and is evolving in a
number of companies.
- For some time, financial sector entities have had a dedicated committee addressing risk management.
In banking and insurance sectors, risk is at the centre of business, and so they have the most mature
risk infrastructures. However, they too face challenges in managing risk.
- Business and risk coexist. If understood well, risk can be used to help a business expand, since it may
pave the way to an opportunity.
- Each organisation has to consciously develop its risk culture. This should be reflected in the operating
teams of the company, and should form a part of the DNA of the leadership.
- Risk management systems and processes are based on identification of risk, and its management and
RISK MANAGEMENT COMMITTEE AND AUDIT COMMITTEE
- SEBI has recently expanded the number of companies which are required to have Board-level Risk
Management Committees (RMCs). This is a welcome move.
- However, at present, most RMCs are not effective. Having an RMC is important, but having a committee
by itself does not serve any purpose, unless it functions properly.
- As companies grow globally, it is important that the dedicated Board-level committee has in-depth
discussions on risk, including risks relevant to jurisdictions other than India.
- Before the mandating of an RMC, the Audit Committee (AC) was tasked with looking at risks. Even now,
in companies that do not have an RMC, AC is the Board-level committee that looks at risk. Even if a company has an RMC, the AC continues to be tasked with an oversight function of risk management, to
ensure that there are proper processes in place.
- AC and RMC have to work together towards risk management.
- Traditionally, only internal risks and internal processes were considered, and so, Internal Audit, which
reports to the AC, was considered to be a good enough tool for risk management. However, with more
risks being identified, and RMC focusses equally on exogenous and macro risks, and in proactively
- RMC acts as a connect between the Board and the management. It helps the Board to focus on some
risks, which would otherwise be lost sight of.
- Some thought should be given by Boards to the correct composition of RMCs, with persons who have
the ability to understand risk. This will help build a stronger RMC, failing which the committee will not
be able to contribute productively. It will not be able to assist management if its members themselves
do not understand the risks confronting the company.
- The number of meetings of the RMC is yet another area that needs focus, and improvement. At present,
most companies do not have an adequate number of meetings of the committee.
- Each company has endogenous and exogenous risks. While the endogenous risks can be handled by
companies, it is not always possible to handle the exogenous ones.
- There are so many black swans, that they no longer seem like black swans.
- Risks can be longstanding or those that are newly emerging. In a number of companies, even before the
impact of a longstanding risk is absorbed, newer risks emerge.
- Risks should also be seen as short term and long term risks. There could be two sets of teams within the
company, one looking at each of them.
- Compliance, technology, cyber, and geographical risks are some of the generic risks that confront every
company. However, there are some risks which are specific to each business. Also, the complexity of
each risk varies, and companies have a problem getting a grip on all of them.
- Most companies focus on financial risks. However, operational risks are as important since they may
impact adversely on the business continuity plan (BCP), which itself can be a huge risk. It is important
to also analyse whether the business itself is viable.
- Increasingly, regulatory risk is also being given a lot of importance. If the burden of regulation is very
high, it may adversely impact on business. Regulatory hyperactivity too could be a source of risk.
- Environment Health and Safety (EHS) is yet another risk which was earlier not given adequate
importance. With companies now increasingly recognising its significance, it is necessary to anticipate
and manage associated risks.
- In some industries, infrastructure is based on historical data. Climate and weather changes have not
been factored into it in the past, but they would have to be given a lot of thought since they would
impact design, structures and the like.
- Concentration risk is often a major risk, and diversification is necessary.
- Reputation risk is yet another very important risk, and should be managed proactively.
- Social media is also emerging as a source of huge risk.
- The world is also likely to see increased geo-political risks, and companies will have to find ways to
minimise their impact.
- It is also important to learn from the past. It would help in anticipating future risks. Early recognition of
risks is very important.
- Some risks are obvious, some are not. Companies have to find a way to measure them, in order to
develop strategies to manage/mitigate them.
- A risk register can never list all the risks confronting a company. It would only contain the known/
identified risks, but rarely focus on risks that are yet to be encountered.
- The risk register usually focusses disproportionately on operational risks, and could lose sight of some
other kinds of risks.
- The RMCs need to recognise that the unknown risks are often a cause for greater worry.
PERSONNEL DEALING WITH RISK MANAGEMENT
- It is important for the risk function to be manned by persons who know and understand risk, and
whose voice is heard at the top.
- The role of HR in bringing the right type of persons to this function is important.
- A number of employees who are in the frontline do not want to be a part of the risk function.
- Empowerment and independence of the Chief Risk Officer (CRO) is important, failing which she may
not be able to give the right kind of information to the RMC and to the Board. In banks, for example, the
CRO reports to the RMC, and this helps in giving her functional freedom.
- Risk anticipation and management is the role of each leader in the company, and not only of the CRO.
Risk is not owned only by the CRO. All the leaders should be able to look around the corner. They
should consider short term and long term implications of risks.
- There is expertise within the company to understand the business and the sector, and to predict risks.
These should be tapped into. Sometimes it is useful to engage an external expert so as to get an outside-in
view of the risk landscape.
- There are three levels of defence – business operation, risk function and Internal Audit.
- Some companies have capabilities in-house to manage risks. But most companies do not have internal
competence to manage risk, and should work towards building them.
- Most companies are inward looking, and not outward looking. There should be an outside-in view. This
would strengthen risk management.
- Over time, companies have developed systems to handle endogenous risks, but most of them do not
know how to handle exogenous risks.
- Companies should focus on building an ability to absorb risks, and proper processes and systems for
the risks that they can at least predict and/or plan for. This helps when the unknown happens.
- Processes and protocols should be built and followed. Some of these could be based on learnings from
other industries too.
- Management should identify the risks that it can, measure them and track them. Post this, focus should
be on identifying exogenous risks, and having a strategy to deal with these.
- Every company should have an Enterprise Risk Management system, which must be built into the
business. Each company’s risk appetite should be based on its capabilities. Blindly copying another
company can have disastrous effects.
- Risk infrastructure should be thought about, and planned proactively.
- Some companies have already started developing the infrastructure that helps them observe
and predict trends, in order to help them plan. However, planning cycles are becoming shorter
and shorter, and a number of exogenous factors such as regulations, customer behaviour etc.
keep changing. As a result, sometimes it is felt that having a risk infrastructure would not by
itself be adequate.
- Risk infrastructure is in early stages of development in most sectors, other than the financial
- Data analytics can go a long way in helping predict and analyse risks. Predictive risks will
become important. A matrix can be worked out only if some degree of predictability is present.
- Like every other process, processes related to risk management would take time to mature.
ROLE OF RISK MANAGEMENT COMMITTEE
- Business risks should be seen in the context of the business. An RMC cannot mitigate all risks
- Alignment of the judgement of the RMC and that of the management is very important. RMCs can
encourage the management to take more risks, in case the committee feels that the management is
playing it too safe, and missing out on business opportunities.
- RMCs manage risks that are already known. This committee should also focus on anticipating risks, and
not be a prisoner of only the risks that are presented by the management. The committee should try to
give a different perspective. It should be a part of the company, but step aside and not see risks through
the lens of operational management. Persons running the business may not be able to objectively see
risks since they are deeply involved. Who anticipates and assesses the risk is also important.
- The RMC should push the management towards examining options, rather than betting on only one
- RMC should give confidence to the management, that with changing circumstances, and newer risks
emerging, the committee would support the management in case it needs to change its strategy
because of changed circumstances.
- It should ensure that the policies relating to risk are sufficiently elaborate, and are being understood
- RMC should learn from Covid times to see how prepared the company was when Covid happened. This
will help the company to be prepared for unanticipated risks of the future.
EXCELLENCE ENABLERS PRIVATE LIMITED
Excellence Enablers Private Limited (EEPL) is an initiative that focuses on implementation of better corporate
governance practices, improvement of Board performance, including audit and evaluation, training of directors
and engagement with stakeholders of governance. It is founded on the firm belief that the gap between
performance and potential can, and must, be bridged. Consistent with that belief, all our offerings are tailor-made
to the specific needs of the organisation or the individuals concerned.
Given that our founder, Mr. M. Damodaran, introduced Clause 49 of the Listing Agreement, dealing with
corporate governance in India, and has been a part of both public sector and private sector Boards, as well as
performing and underperforming Boards, we offer experience based consultancy and courses on the journey
from compliance through governance to performance. Further, given his success in turning around
organisations that had been written off, we are uniquely positioned to offer courses on leadership,
organisational transformation, and building winning teams.
EEPL has a number of highly experienced and renowned consultants and faculty members who have helped,
and continue to help, us deliver programmes that have been well received.
The views expressed in this report are the views of the participants at the roundtable and do not necessarily reflect the views of Excellence Enablers Private Limited.