RMC – THE NEW KID ON THE BLOCK

23rd June, 2020

Covid-19 came without much advance notice, and wrought, and continues to wreak, untold havoc on the lives and health of humankind, across continents, and on the economic health of most nations. In the corporate world, managements are waging continuing battles to ensure crisis management of a high order. The complexities in the corporate world have, over time, led to increasing focus on the identification of risks, as well as the risk management and risk mitigation practices in existence. With SEBI having mandated that the Risk Management Committee (RMC) would be a Committee appointed by the Board, some issues have got, and are getting, better addressed, while some new issues have surfaced. Even as things now stand, the Audit Committee of the Board is expected to be cognisant of the risks and the manner in which they are addressed. With another Board Committee having risk management as its only remit, the relationship between the Audit Committee and the RMC has assumed importance. Further, internal audit, which is arguably the major instrument of risk management, reports to the Audit Committee, while the Chief Risk Officer and the risk management function, which needs to actively collaborate with the internal audit function, report to the RMC. Earlier, in the absence of Board-level membership of the RMC, the focus was mostly on operational and commercial risks. Has the setting up of this Committee led to better and more comprehensive identification of risks and better thought-through risk mitigation mechanisms and practices? Also, is there adequate competence within the RMC to address the wide variety and complexity of risks?

  1. Risk management is becoming critical for every Board. Risk function is important, and is evolving in a number of companies.
  2. For some time, financial sector entities have had a dedicated committee addressing risk management. In banking and insurance sectors, risk is at the centre of business, and so they have the most mature risk infrastructures. However, they too face challenges in managing risk.
  3. Business and risk coexist. If understood well, risk can be used to help a business expand, since it may pave the way to an opportunity.
  4. Each organisation has to consciously develop its risk culture. This should be reflected in the operating teams of the company, and should form a part of the DNA of the leadership.
  5. Risk management systems and processes are based on identification of risk, and its management and mitigation.
  1. SEBI has recently expanded the number of companies which are required to have Board-level Risk Management Committees (RMCs). This is a welcome move.
  2. However, at present, most RMCs are not effective. Having an RMC is important, but having a committee by itself does not serve any purpose, unless it functions properly.
  3. As companies grow globally, it is important that the dedicated Board-level committee has in-depth discussions on risk, including risks relevant to jurisdictions other than India.
  4. Before the mandating of an RMC, the Audit Committee (AC) was tasked with looking at risks. Even now, in companies that do not have an RMC, AC is the Board-level committee that looks at risk. Even if a company has an RMC, the AC continues to be tasked with an oversight function of risk management, to ensure that there are proper processes in place.
  5. AC and RMC have to work together towards risk management.
  6. Traditionally, only internal risks and internal processes were considered, and so, Internal Audit, which reports to the AC, was considered to be a good enough tool for risk management. However, with more risks being identified, the RMC focusses equally on exogenous and macro risks, and on proactively identifying risks.
  7. RMC acts as a connect between the Board and the management. It helps the Board to focus on some risks, which would otherwise be lost sight of.
  8. Some thought should be given by Boards to the correct composition of RMCs, with persons who have the ability to understand risk. This will help build a stronger RMC, failing which the committee will not be able to contribute productively. It will not be able to assist management if its members themselves do not understand the risks confronting the company.
  9. The number of meetings of the RMC is yet another area that needs focus, and improvement. At present, most companies do not have an adequate number of meetings of the committee.
  1. Each company has endogenous and exogenous risks. While the endogenous risks can be handled by companies, it is not always possible to handle the exogenous ones.
  2. There are so many black swans, that they no longer seem like black swans.
  3. Risks can be longstanding or those that are newly emerging. In a number of companies, even before the impact of a longstanding risk is absorbed, newer risks emerge.
  4. Risks should also be seen as short-term and long-term risks. There could be two sets of teams within the company, one looking at each of them.
  5. Compliance, technology, cyber, and geographical risks are some of the generic risks that confront every company. However, there are some risks which are specific to each business. Also, the complexity of each risk varies, and companies have a problem getting a grip on all of them.
  6. Most companies focus on financial risks. However, operational risks are as important since they may impact adversely on the business continuity plan (BCP), which itself can be a huge risk. It is important to also analyse whether the business itself is viable.
  7. Increasingly, regulatory risk is also being given a lot of importance. If the burden of regulation is very high, it may adversely impact on business. Regulatory hyperactivity too could be a source of risk.
  8. Environment, Health and Safety (EHS) is yet another risk which was earlier not given adequate importance. With companies now increasingly recognising its significance, it is necessary to anticipate and manage associated risks.
  9. In some industries, infrastructure is based on historical data. Climate and weather changes have not been factored into it in the past, but they would have to be given a lot of thought since they would impact design, structures and the like.
  10. Concentration risk is often a major risk, and diversification is necessary.
  11. Reputation risk is yet another very important risk, and should be managed proactively.
  12. Social media is also emerging as a source of huge risk.
  13. The world is also likely to see increased geo-political risks, and companies will have to find ways to minimise their impact.
  14. It is also important to learn from the past. It would help in anticipating future risks. Early recognition of risks is very important.
  15. Some risks are obvious, some are not. Companies have to find a way to measure them, in order to develop strategies to manage/mitigate them.
  1. A risk register can never list all the risks confronting a company. It would only contain the known/identified risks, but rarely focus on risks that are yet to be encountered.
  2. The risk register usually focusses disproportionately on operational risks, and could lose sight of some other kinds of risks.
  3. The RMCs need to recognise that the unknown risks are often a cause for greater worry.
  1. It is important for the risk function to be manned by persons who know and understand risk, and whose voice is heard at the top.
  2. The role of HR in bringing the right type of persons to this function is important.
  3. A number of employees who are in the frontline do not want to be a part of the risk function.
  4. Empowerment and independence of the Chief Risk Officer (CRO) is important, failing which she may not be able to give the right kind of information to the RMC and to the Board. In banks, for example, the CRO reports to the RMC, and this helps in giving her functional freedom.
  5. Risk anticipation and management is the role of each leader in the company, and not only of the CRO. Risk is not owned only by the CRO. All the leaders should be able to look around the corner. They should consider short-term and long-term implications of risks.
  6. There is expertise within the company to understand the business and the sector, and to predict risks. This should be tapped into. Sometimes it is useful to engage an external expert so as to get an outside-in view of the risk landscape.
  1. There are three levels of defence – business operation, risk function and Internal Audit.
  2. Some companies have capabilities in-house to manage risks. But most companies do not have internal competence to manage risk, and should work towards building it.
  3. Most companies are inward looking, and not outward looking. There should be an outside-in view. This would strengthen risk management.
  4. Over time, companies have developed systems to handle endogenous risks, but most of them do not know how to handle exogenous risks.
  5. Companies should focus on building an ability to absorb risks, and proper processes and systems for the risks that they can at least predict and/or plan for. This helps when the unknown happens.
  6. Processes and protocols should be built and followed. Some of these could be based on learnings from other industries too.
  7. Management should identify the risks that it can, measure them and track them. Post this, focus should be on identifying exogenous risks, and having a strategy to deal with these.
  8. Every company should have an Enterprise Risk Management system, which must be built into the business. Each company’s risk appetite should be based on its capabilities. Blindly copying another company can have disastrous effects.
  9. Risk infrastructure should be thought about, and planned proactively.
    • Some companies have already started developing the infrastructure that helps them observe and predict trends, in order to help them plan. However, planning cycles are becoming shorter and shorter, and a number of exogenous factors such as regulations, customer behaviour etc. keep changing. As a result, sometimes it is felt that having a risk infrastructure would not by itself be adequate.
    • Risk infrastructure is in early stages of development in most sectors, other than the financial sector.
    • Data analytics can go a long way in helping predict and analyse risks. Predictive risks will become important. A matrix can be worked out only if some degree of predictability is present.
    • Like every other process, processes related to risk management would take time to mature.
  1. Business risks should be seen in the context of the business. An RMC cannot mitigate all risks completely.
  2. Alignment of the judgement of the RMC and that of the management is very important. RMCs can encourage the management to take more risks, in case the committee feels that the management is playing it too safe, and missing out on business opportunities.
  3. RMCs manage risks that are already known. This committee should also focus on anticipating risks, and not be a prisoner of only the risks that are presented by the management. The committee should try to give a different perspective. It should be a part of the company, but step aside and not see risks through the lens of operational management. Persons running the business may not be able to objectively see risks since they are deeply involved. Who anticipates and assesses the risk is also important.
  4. The RMC should push the management towards examining options, rather than betting on only one scenario.
  5. RMC should give confidence to the management, that with changing circumstances, and newer risks emerging, the committee would support the management in case it needs to change its strategy because of changed circumstances.
  6. It should ensure that the policies relating to risk are sufficiently elaborate, and are being understood and implemented.
  7. RMC should learn from Covid times to see how prepared the company was when Covid happened. This will help the company to be prepared for unanticipated risks of the future.

Excellence Enablers Private Limited (EEPL) is an initiative that focuses on implementation of better corporate governance practices, improvement of Board performance, including audit and evaluation, training of directors and engagement with stakeholders of governance. It is founded on the firm belief that the gap between performance and potential can, and must, be bridged. Consistent with that belief, all our offerings are tailor-made to the specific needs of the organisation or the individuals concerned.

Given that our founder, Mr. M. Damodaran, introduced Clause 49 of the Listing Agreement, dealing with corporate governance in India, and has been a part of both public sector and private sector Boards, as well as performing and underperforming Boards, we offer experience-based consultancy and courses on the journey from compliance through governance to performance. Further, given his success in turning around organisations that had been written off, we are uniquely positioned to offer courses on leadership, organisational transformation, and building winning teams.

EEPL has a number of highly experienced and renowned consultants and faculty members who have helped, and continue to help, us deliver programmes that have been well received.


The views expressed in this report are the views of the participants at the roundtable and do not necessarily reflect the views of Excellence Enablers Private Limited.