Risk is unavoidable, and this is as true for companies as for anyone else. The need for careful identification and assessment of risk cannot be over-emphasised. Having assessed the risks, steps must be taken to mitigate them. No organisation can afford a casual approach to risk management, as the severity of certain risks may result in significant erosion of shareholder value, even to the extent of affecting the solvency and liquidity of the company. Therefore, companies must comprehensively identify, analyse, assess, mitigate, and manage the risks associated with their business and with the continuity of that business.

The risk management framework requires careful consideration and periodical review given the increase in business size, the complexity of the business environment, and the ever-increasing role of technology, particularly information technology.

A robust risk management policy is required to enable a well-crafted risk management framework.

Regulatory prescriptions regarding risk management policy

Risk Management is mandatory under section 134(n) of the Companies Act 2013[1] ('Act'). Section 134(n)[2] of the Act states that "The board of directors report must include a statement indicating development and implementation of a risk management policy for the company including identification of elements of risk, if any, which in the opinion of the board may threaten the existence of the company."

Regulation 17[3] of the SEBI (Listing Obligation and Disclosure Requirements) Regulations, 2015, imposes the responsibility of framing and implementing the risk management plan on the company's board of directors. Further, Schedule II of the Regulations prescribes that the risk management committee is responsible for laying down a detailed risk management policy.

There may be a tendency to view the requirement of a risk management policy as perfunctory compliance, a document that merely sits on the company's website. Whatever the quality of the policy actually prepared, the need for a risk management framework and the statutory responsibility of directors in this regard cannot be ignored.

Approach towards risk management

It is essential to identify the heads of risk. Heads of risks include:

  1. Legal Risk (including change in law risk)
  2. Strategic and Operational Risk
  3. Financial Risk
  4. Competition Risk
  5. Political Risk
  6. Cyber Security Risk
  7. Disruptive Technology Risk

Risk management, by and large, involves:

  1. Review of the organisation's operations
  2. Identification of potential threats to the organisation and the likelihood of their occurrence. Certain threats would be specific to the industry, while others may be specific to the organisation. For example, an organisation which undertakes an activity for vertical or horizontal integration with its core business would benchmark its risk differently. Possibly, the integration may itself be a mechanism to mitigate risk.
  3. Taking appropriate action to address the most likely threats.
  4. Periodic review of the effectiveness of the measures adopted to address the risks and, where required, appropriate corrective action.

To summarise, risk identification, risk assessment and prioritisation, and risk monitoring and control together constitute risk management.

Risk management is not always about protecting or improving the bottom line. For example, an organisation may wish to mitigate 'health' risks for its employees by introducing changes - use of ergonomic furniture, better light and ventilation, encouraging healthy working habits, etc.

The scope and extent of risk management are a function of perspective and, to some extent, the availability of financial resources. The board of directors or risk management committee is tasked with laying down a risk management policy for the company.

Risk Management Policy

There is no argument that an appropriate Risk Management Policy is necessary for a company. The question is, to what extent can the directors be held accountable in this regard?

A risk management policy is a document regulating risk management functions in an organisation. The main objective of the policy is to ensure sustainable business growth with stability and to promote a proactive approach to reporting, evaluating and resolving risks associated with the company's business.

Can it be said that the directors or the risk management committee, as the case may be, have failed in discharging their obligations if the risk management policy is found to be obviously lacking? Arguably the answer should be in the affirmative. The directors or the risk management committee, as the case may be, should be held responsible if the risk management policy is prepared in a perfunctory manner.

The risk management policy should at the least serve the following objectives:

  1. identify and assess various business risks arising out of internal and external factors that affect the business of the company,
  2. work out a structured methodology for managing and mitigating the risks,
  3. establish a framework for the company's risk management process and to ensure its implementation,
  4. enable compliance with appropriate regulations, wherever applicable, through the adoption of best practices, and
  5. assure business growth with financial stability.


Undoubtedly, risk management plays a crucial role in the functioning of an organisation. Thus, a company needs a sound risk management system, and a well-crafted risk management policy is a prerequisite for such a system. A word of caution: merely establishing a risk management policy does not by itself assure a sound risk management framework.

It would be safe to state that 'risk' is certain; how to deal with the risk is a choice left to the organisation. The companies legislation mandates that a risk management policy be prepared by the directors or the risk management committee, as the case may be. How effectively the directors undertake this task is up to them. The shareholders must also be vigilant about this aspect when the financial accounts and the Board Report (the statement on the risk management policy is required to form part of the Board Report) are laid before them for adoption at the annual general meeting.


[1] The Companies Act, 2013 (Act 18 of 2013).

[2] The Companies Act, 2013 (Act 18 of 2013), s.134(n): Financial statement, Board's report, etc.

[3] Securities and Exchange Board of India (Listing Obligation and Disclosure Requirements) Regulations, 2015, r.17: Board of Directors.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.