This white paper explains the concepts, legal requirements, implementation strategy and global frameworks for enterprise risk management. It also touches on fraud and reputation risk management and on how damage to an entity's reputation can harm its operations and profitability.
This white paper may be useful to those performing an advisory role in Risk Management and Risk Governance.
“Today’s fast-paced business environment encounters a complex and ever-changing risk landscape that may negatively impact organizational value. The only way to respond to it is by having a dynamic and holistic perspective of the risk management approach to ensure business continuity.”
– Jack Zahran, President, Pinkerton
Enterprise Risk Management
Enterprise risk management (ERM) is the process of planning, organizing, leading and controlling the activities of an
organization so as to minimize the effect of risk on its capital and earnings. Its aim is to help the organization
identify, understand, evaluate and act on its risks, increasing the probability of success and reducing the likelihood
and impact of failure. ERM gives shareholders, customers, employees and other stakeholders comfort that the business
is being effectively managed, and helps the organization demonstrate compliance with corporate governance requirements.
Legal requirements with respect to risk management
In India there is no standalone statutory requirement to have an Enterprise Risk Management (ERM) framework in place.
However, the Companies Act 2013 contains specific requirements relating to risk management, and the SEBI (LODR)
Regulations 2015 vest the board and the audit committee with specific responsibilities for assessing the robustness of
the risk management policy, processes and systems.
Key Compliance Requirements (The Companies Act, 2013)
Section 134(3)(n) – Board: There shall be attached to the financial statements laid before a company in general
meeting a report by its Board of Directors, which shall include a statement indicating the development and
implementation of a risk management policy for the company, including identification therein of elements of risk, if
any, which in the opinion of the Board may threaten the existence of the company.
Schedule IV [Section 149(8)] – Independent Directors: The independent directors shall:
(1) Help in bringing an independent judgement to bear on the Board’s deliberation especially on issues of
strategy, performance, risk management, resources, key appointments and standards of conduct;
(4) Satisfy themselves on the integrity of financial information and that financial controls and the systems of
risk management are robust and defensible.
Section 177(4) – Audit Committee: Every Audit Committee shall act in accordance with the terms of
reference specified in writing by the Board which shall, inter alia, include evaluation of internal financial controls
and risk management systems.
Key Compliance Requirements (SEBI (LODR) Regulations, 2015)
Regulation 17(9) – Board of Directors: It provides that -
(a) The listed entity shall lay down procedures to inform members of the board about risk assessment and minimization
procedures.
(b) The board shall be responsible for framing, implementing and monitoring the risk management plan for the
listed entity.
Regulation 21 – Risk Management Committee: It provides that -
(1) The board of directors shall constitute a Risk Management Committee.
(2) The majority of members of the Risk Management Committee shall consist of members of the board.
(3) The Chairperson of the Risk management committee shall be a member of the board of directors and senior
executives of the listed entity may be members of the committee.
(4) The board shall define role & responsibility of the Risk Management Committee & may delegate monitoring
and reviewing of the risk management plan to the committee and such other functions as it may deem fit.
(5) The provisions of this regulation shall be applicable to top 500 listed entities, determined on the basis of
market capitalization, as at the end of immediate previous financial year.
Board Disclosures as per Clause 49 of the Listing Agreement – Risk management: The company shall lay down
procedures to inform Board members about the risk assessment and minimization procedures. These procedures shall be
periodically reviewed to ensure that executive management controls risk through a properly defined framework. (Clause
49 of the Equity Listing Agreement was superseded by the SEBI (LODR) Regulations, 2015; its risk management
requirement now appears as Regulation 17(9), quoted above.)
Strategy to implement Enterprise Risk Management (ERM)
ERM is an integrated and continuous process for managing enterprise-wide risks, including strategic, financial,
operational, compliance and reputational risks, to minimize unexpected performance variance and maximize
intrinsic firm value. This process empowers the board and management to make more informed risk/return
decisions by addressing fundamental requirements with respect to governance and policy (including risk
appetite), risk analytics, risk management, and monitoring and reporting.
Following are the 5 key steps to develop and implement an effective ERM framework:
Step 1: Setting of objectives & risk appetite
Before an organization can begin to identify risks, a clear set of objectives must exist. Once these objectives are
set, the company must have a clear philosophy towards ERM. The company's risk appetite, the environment the company
operates in and its code of ethics dictate what this philosophy is. Risk appetite is the amount of risk the company is
willing to accept in pursuit of its objectives; it is the link between risk management, strategy and target setting.
Every organization adds value in a different way and should explicitly recognize the level of risk it is prepared to
accept in doing so.
Step 2: Risk identification & documentation
Through risk identification an organization studies the activities and places where its resources are exposed to risk.
If risk managers fail to identify a loss or gain that could affect the organization, that risk remains unmanaged.
Results of risk identification are normally documented in a Risk Register, which lists the identified risks along with
their sources, potential risk responses and risk categories. This information feeds risk analysis, which in turn
supports the design of risk responses. An effective risk identification process should include the following:
Creating a systematic process
Gathering information from various sources
Applying risk identification tools and techniques
Documenting the risks and the risk identification process
[Figure: the five-step ERM cycle – Objective & Risk Appetite → Risk Identification → Risk Assessment → Risk Response → Risk Monitoring]
Step 3: Risk assessment
Identifying risks is not enough; the impact of each risk must be understood, together with its probability, within an
estimated time-frame. The next task is therefore to assess the documented risks in terms of their likelihood and
estimated significance. Risk assessment is how enterprises get a handle on how significant each risk is to the
achievement of their overall goals. The assessment process is as follows:
Develop assessment criteria
Assess risks and risk interactions
Prioritize risks and risk responses
Maintain an effective and sustainable risk assessment process
Step 4: Risk response
Risk response determines how to respond to the high-priority risks. It is management's responsibility to carefully
review the probability and estimated impact of each risk, and to weigh all associated costs and benefits, in developing
an appropriate risk response strategy. Risk responses fall into 4 categories:
Risk Avoidance
Risk Retention/ Absorption
Risk Reduction
Risk Transfer
Whichever response is chosen, the residual risk that remains after it should be compared against the risk appetite set
in Step 1; retention in particular should be a deliberate, documented decision rather than the default.
Step 5: Risk monitoring
Identifying risks isn’t something that’s done once – like continuous improvement, it’s an ongoing process. The
context in which certain risks are identified is constantly changing, and as such risks need to be monitored to
continually determine the significance they represent. Organizations need proper systems in place to monitor
and respond to changes in circumstances and adequately determine if identified risks still pose a threat.
Global framework for Enterprise Risk Management (ERM)
Over the years various ERM frameworks have been developed worldwide. The two most used frameworks are
the COSO ERM 2017 Framework and ISO 31000:2018.
COSO ERM 2017 Framework
COSO stands for the 'Committee of Sponsoring Organizations of the Treadway Commission'. It is best known for its
Internal Control – Integrated Framework, which provides an applied approach to internal control, including internal
control over financial reporting. COSO's separate ERM framework is updated periodically to keep up with changes in the
risk environment of businesses; the most recent update, 'Enterprise Risk Management – Integrating with Strategy and
Performance', was issued in 2017.
The framework consists of 20 principles that are grouped to support one of 5 components. These principles
cover everything from governance to monitoring. They’re manageable in size, and they describe practices that
can be applied in different ways for different organizations regardless of size, type, or sector. Adhering to these
principles can provide management and the board with a reasonable expectation that the organization
understands and strives to manage the risks associated with its strategy and business objectives.
COSO ERM 2017 provides a framework for boards and management in entities of all sizes. It builds on the level of
risk management that already exists in the normal course of business. Further, it demonstrates how integrating
ERM practices throughout an entity helps to accelerate growth and enhance performance. It also contains
principles that can be applied from strategic decision-making through to performance. Below are the details of
why it makes sense for management and boards to use the ERM framework, and what organizations have achieved
by applying ERM.
Management’s Guide - Management holds overall responsibility for managing risk to the entity, but it is
important for management to go further: to enhance the conversation with the board and stakeholders about
using ERM to gain a competitive advantage. ERM allows management to feel more confident that they’ve
examined alternative strategies and considered the input of those in their organization who will implement the
strategy selected.
The Board’s Guide - Every board has an oversight role, helping to support the creation of value in an entity
and prevent its decline. Traditionally, ERM has played a strong supporting role at the board level. The framework
supplies important considerations for boards in defining and addressing their risk oversight responsibilities. These
considerations include governance and culture; strategy and objective-setting; performance; information,
communication and reporting; and the review and revision of practices to enhance entity performance.
ISO 31000:2018
The foundation of ISO 31000 is the principle that risk management should create and protect value. This makes it
necessary for an organization to integrate risk management into its systems of accountability and sustainability.
Such integration helps the organization evaluate the risks involved in its decisions, which is crucial in addressing
uncertainty. To make the ERM system effective, it must be designed as a systematic, timely and structured process that
incorporates the information needed for risk management. ISO published the second edition of the standard in 2018
(the first edition dates from 2009), with streamlined definitions that focus on 8 principles:
1. Integrated: Risk management is an integral part of all organizational activities.
2. Structured and comprehensive: A structured and comprehensive approach to risk management
contributes to consistent and comparable results.
3. Customized: The risk management framework and process are customized and proportionate to the
organization’s external and internal context related to its objectives.
4. Inclusive: Appropriate and timely involvement of stakeholders enables their knowledge, views and
perceptions to be considered. This results in improved awareness and informed risk management.
5. Dynamic: Risks can emerge, change or disappear as an organization’s external and internal context
changes. Risk management anticipates, detects, acknowledges and responds to those changes and events
in an appropriate and timely manner.
6. Best available information: The inputs to risk management are based on historical and current
information, as well as on future expectations.
7. Human and cultural factors: Human behavior and culture significantly influence all aspects of risk
management at each level and stage.
8. Continual improvement: Risk management is continually improved via learning & experience.
The first five principles provide guidance on how a risk management initiative should be designed, and principles
six, seven and eight relate to the operation of the risk management initiative. These latter principles confirm
that the best information available should be used; human and cultural factors should be considered; and the
risk management arrangements should ensure continual improvement. The organization’s risk management
process should involve systematic application of policies, procedures & practices to activities of communicating
& consulting, establishing the context & assessing, treating, monitoring, reviewing, recording and reporting risk.
How ISO 31000:2018 and COSO ERM Framework 2017 complement each other in implementation of the ERM process:
The COSO and ISO frameworks for ERM complement each other. ISO 31000 offers broader guidance that enables
organizations to fit COSO's principles of ERM into overarching corporate governance. The table below maps the five
implementation steps described earlier onto the ISO 31000:2018 process and the COSO ERM 2017 components and
principles, showing how the two frameworks differ in structure while covering the same ground:
Step I – Objectives & Risk Appetite
ISO 31000:2018 (Process): (1) Scope, context and criteria – define the scope; establish the external and internal
context; define risk criteria. (2) Communication and consultation – provide information for oversight and
decision-making; consider different views; bring together different areas of expertise.
COSO ERM 2017 (Components & Principles): (1) Governance & Culture – exercises board risk oversight; establishes
operating structures; defines desired culture; demonstrates commitment to core values; attracts, develops and retains
capable individuals. (2) Strategy & Objective-Setting – analyzes business context; defines risk appetite; evaluates
alternative strategies; formulates business objectives.
Steps II & III – Risk Identification & Documentation; Risk Assessment
ISO 31000:2018 (Process): (3) Risk assessment – risk identification; risk analysis; risk evaluation.
COSO ERM 2017 (Components & Principles): (3) Performance – identifies risk; assesses severity of risk; prioritizes
risks; implements risk responses; develops portfolio view.
Step IV – Risk Response
ISO 31000:2018 (Process): (4) Risk treatment – select treatment options; prepare and implement treatment plans.
COSO ERM 2017 (Components & Principles): (3) Performance, continued – implements risk responses.
Step V – Risk Monitoring
ISO 31000:2018 (Process): (5) Monitoring and review – planning, gathering and analyzing information; recording
results; providing feedback. (6) Recording and reporting – communicate risk management activities; provide
information for decision-making; assist interaction with stakeholders.
COSO ERM 2017 (Components & Principles): (4) Review & Revision – assesses substantial change; reviews risk and
performance; pursues improvement in ERM. (5) Information, Communication & Reporting – leverages information and
technology; communicates risk information; reports on risk, culture and performance.
Although the two frameworks complement each other, they have notable similarities and differences, summarized below:
Similarities:
Rather than merely limiting downside risk, both encourage informed risk-taking.
Both are guidance documents, not certifiable standards.
Both embed risk management in the decision-making process.
Differences:
ISO 31000 is short and structured, whereas COSO ERM is longer, includes more visuals and does not follow a
"standard" structure.
ISO 31000 was developed with the participation of members from more than 70 countries, whereas COSO ERM 2017 draws
most of its contribution from the US.
COSO focuses more on corporate governance, whereas ISO 31000 focuses almost exclusively on risk and on incorporating
it into the strategic planning process.
COSO is targeted more toward people in accounting and audit, whereas ISO 31000 is written for anyone interested in
risk management.
Conclusion:
In the wake of dynamic market conditions and regulatory initiatives, protecting shareholders' interests from
various risks is becoming a top priority for management across industries. Perceptions of a company are shaped by
the risks it faces and the manner in which those risks are managed. While no business is immune to risk, managing it
so as to create sustainable shareholder value is the critical challenge. Enterprise Risk Management (ERM) is a
systematic and methodical approach to identifying and managing an organization's risks, providing a practical and
time-tested method of aligning risk appetite with strategy. Effective risk management therefore provides adequate
protection against risk and, beyond that, allows the organization to convert risks into opportunities.