
This article has been written by Hemang Mohanlal Doshi, pursuing the Personal Branding Program for Corporate Leaders Course from Skill Arbitrage, and edited by Koushik Chittella.

This article has been edited and published by Shashwat Kaushik.

Introduction

Before turning to risk management, it helps to define risk. Risk is the effect of uncertainty on objectives: an uncertain event or condition that, if it occurs, has a positive or negative effect on the delivery of a commodity or service by a project, a business unit, or a company. A positive risk is an opportunity; a negative risk is a threat. Risk management is therefore the process of identifying, analysing, and planning responses to both kinds of event. Through it, an organisation tries to increase the probability and impact of opportunities while reducing the probability and impact of threats. Risk identification is an ongoing activity that needs commitment from employees at every level of the company. Uncertainty cannot be eliminated, but businesses that understand and manage their risks deliberately are better placed to stay agile and profitable in the long run.


Risk Management and Corporate Governance

Corporate governance refers to the rules, practices, systems, and processes by which a company is directed, administered, and controlled. Its objective is to ensure that an organisation's resources are used efficiently and effectively to achieve its goals while maintaining ethical and legal standards, and to promote transparency, accountability, and fairness while protecting shareholders' interests. Good governance balances risk-taking against value creation in the best interest of the company, supporting both the short-term and long-term goals of promoters and shareholders.

Risk management and corporate governance reinforce each other: risk management supplies the transparency, accountability, and informed decision-making that good governance requires. It does so in the following ways:

  1. Mapping risks to corporate goals and objectives: Linking each identified risk to a company goal supports better-informed decisions and reduces conflicts between the interests of stakeholders and promoters. Strategic goals can then be set within the company's stated risk appetite and tolerance.
  2. Better transparency and accountability: Risk identification and assessment give a holistic view of the risks the company faces, so stakeholders know the mitigation plans and the road ahead, and each risk has an accountable owner and a known impact.
  3. Investor protection: Because effective risk management anticipates future threats and prepares mitigation plans, it improves, though it cannot guarantee, the company's financial stability, and companies operating under such controls tend to perform more predictably.
  4. Better decision making: With threats and opportunities visible in advance, the board of directors and stakeholders can choose between strategic options with a clearer view of their consequences.
  5. Sustainability: A company that tracks its risks against changing market conditions can adapt to new market needs and remain resilient.
  6. Opportunities and new ventures: Identifying positive risks (opportunities) can point the company toward new business ventures.

Company law and risk management

The Companies Act, 2013 does not itself mandate a separate risk management committee. It requires the board's report to include a statement on the development and implementation of a risk management policy, including identification of elements of risk that, in the board's opinion, may threaten the existence of the company (Section 134(3)(n)), and it makes the audit committee responsible for evaluating internal financial controls and risk management systems (Section 177(4)(vii)). The requirement for the top 1000 listed companies by market capitalisation to constitute a risk management committee, with a majority of its members drawn from the board, comes from SEBI's listing regulations, discussed next, not from the Act. The Act prescribes no number of meetings or procedure for such a committee.

SEBI and Risk Management

Under Regulation 21 of the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015, the top 1000 listed entities by market capitalisation and high value debt listed entities shall constitute a risk management committee. The committee shall have at least three members, the majority of them members of the board of directors, including at least one independent director; where the listed entity has outstanding SR equity shares, at least two-thirds of the committee shall be independent directors. The chairperson shall be a member of the board of directors, and senior executives of the entity may be members. The committee shall meet at least twice a year, and not more than 180 days may elapse between any two consecutive meetings. The quorum is two members or one-third of the members of the committee, whichever is higher, including at least one member of the board of directors in attendance.

Implementing risk management process as per PMI

As per PMI (Project Management Institute), the following are the processes we need to implement for successful risk identification, classification, assessment, and response:

  1. Plan risk management
  2. Identify risk
  3. Perform a qualitative risk analysis
  4. Perform a quantitative risk analysis
  5. Plan risk response
  6. Implement risk responses
  7. Monitor risks

To discuss the same in detail:

  1. Plan risk management: This decides how risk management will be carried out and how much effort it deserves in the project or delivery cycle.

This process involves:

  • Identifying the risk appetite and tolerance of management and key stakeholders.
  • Identifying who will be involved and what their roles are.
  • Deciding how the team will go about performing risk management.
  • Identifying and adapting organisational procedures and templates, including the probability and impact matrix and the risk register format.
  2. Identify risks: The entire team contributes to identifying risks related to the delivery of the project. The risk register is created at this point, with each risk assigned a category. SWOT analysis and brainstorming sessions are common identification tools.
  3. Perform qualitative risk analysis: Each identified risk is scored for probability and impact on an agreed scale (for example 1 to 5 or 1 to 10), and the product of the two places it in the probability and impact matrix as high, medium, or low. Risks are then prioritised, and a short list of the highest-priority risks is produced for further analysis. The assumption log and issue log are updated with the supporting information for future reference.
  4. Perform quantitative risk analysis: After qualitative analysis, probability and impact are used to calculate the amount at stake. Expected Monetary Value (EMV) estimates a risk's exposure as its probability of occurrence multiplied by its estimated cost.

Example: EMV = P*I = 65% * $40,000 = $26,000, where P = 65% of risk occurrence and I = $40,000 (impact cost). So, $26,000 is at risk or at stake.

Quantitative risk analysis is an optional step and can be used based on time and budget availability.

  5. Plan risk responses: After qualitative and quantitative analysis, each risk in the register is evaluated, and a response is planned and assigned to an owner. The main responses to a threat are:
  • Accept: The risk is acknowledged and, within the stakeholders' risk appetite, the project proceeds; a contingency reserve may be set aside for it.
  • Avoid: The plan is changed or an alternative path chosen so that the risk cannot occur.
  • Mitigate: Action is taken to reduce the probability or impact of the risk. The risk stays on the register with its residual probability and impact and continues to be monitored; it is not removed.
  • Transfer: Ownership of the impact is shifted to a third party, for example by purchasing insurance or contracting a specialist with the required skill set. Transfer does not eliminate the risk; it changes who bears the consequence.
  • Escalate: A risk outside the project's authority is referred to the programme or portfolio level.
  Opportunities have mirror-image responses: exploit, share, enhance, and accept.
  6. Implement risk responses: When a risk event occurs, or its trigger is detected, the planned response recorded in the risk register is carried out.
  7. Monitor risks: Risks are monitored continuously during the project or delivery, and the risk register is updated accordingly. The processes above repeat in a continuous cycle throughout the life cycle of the project or delivery.
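As an added example (not part of the original article or of PMI's own materials), the following Python risk register carries the steps above through in code: identification, qualitative scoring on a 1-to-5 probability and impact scale, the EMV calculation from the worked example above, response planning that keeps mitigated and transferred risks on the register with residual scores, and a monitoring check for risks that still lack an owner or response. The sample risks, the high/medium/low thresholds, and the monetary figures are constructed for illustration.

```python
"""Risk register following the PMI steps: identify, qualitative analysis,
quantitative analysis (EMV), plan responses, monitor. Added example; the
entries, thresholds and figures below are constructed, not from the article."""
from dataclasses import dataclass
from typing import Optional

# Threat responses per PMBOK: accept, avoid, mitigate, transfer, escalate.
RESPONSES = {"accept", "avoid", "mitigate", "transfer", "escalate"}


@dataclass
class Risk:
    rid: str
    description: str
    category: str          # strategic / regulatory / financial / operational
    probability: int       # qualitative: 1 (rare) .. 5 (almost certain)
    impact: int            # qualitative: 1 (negligible) .. 5 (severe)
    prob_pct: float        # quantitative: estimated probability, 0..1
    cost: float            # quantitative: monetary impact if the risk occurs
    response: Optional[str] = None
    owner: Optional[str] = None
    residual_probability: Optional[int] = None  # after response; None = unchanged
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError("probability and impact must be on a 1-5 scale")
        if not 0.0 <= self.prob_pct <= 1.0:
            raise ValueError("prob_pct must be between 0 and 1")

    def score(self) -> int:
        """Qualitative score: probability x impact (1..25)."""
        return self.probability * self.impact

    def rating(self) -> str:
        """High/medium/low band for the score; thresholds are an assumption."""
        s = self.score()
        return "high" if s >= 15 else "medium" if s >= 8 else "low"

    def emv(self) -> float:
        """Expected Monetary Value = P * I, as in the article's worked example."""
        return self.prob_pct * self.cost

    def residual_score(self) -> int:
        """Score after the planned response; falls back to inherent values."""
        p = self.residual_probability if self.residual_probability is not None else self.probability
        i = self.residual_impact if self.residual_impact is not None else self.impact
        return p * i


class RiskRegister:
    def __init__(self) -> None:
        self.risks: dict[str, Risk] = {}

    def identify(self, risk: Risk) -> None:
        if risk.rid in self.risks:
            raise ValueError(f"duplicate risk id {risk.rid}")
        self.risks[risk.rid] = risk

    def prioritised(self) -> list:
        """Qualitative analysis: highest score first, EMV breaks ties."""
        return sorted(self.risks.values(), key=lambda r: (r.score(), r.emv()), reverse=True)

    def total_emv(self) -> float:
        """Quantitative analysis: total exposure, a basis for a contingency reserve."""
        return sum(r.emv() for r in self.risks.values())

    def plan_response(self, rid: str, response: str, owner: str,
                      residual_probability: Optional[int] = None,
                      residual_impact: Optional[int] = None) -> None:
        """Record the planned response. A mitigated or transferred risk stays on
        the register with residual scores; it is never deleted."""
        if response not in RESPONSES:
            raise ValueError(f"unknown response {response!r}; expected one of {sorted(RESPONSES)}")
        r = self.risks[rid]
        r.response, r.owner = response, owner
        r.residual_probability, r.residual_impact = residual_probability, residual_impact

    def unassigned(self) -> list:
        """Monitoring check: every risk needs a planned response and an owner."""
        return [r.rid for r in self.risks.values() if r.response is None or r.owner is None]


def build_sample_register() -> RiskRegister:
    """Constructed sample data (not from the article) exercising each step."""
    reg = RiskRegister()
    reg.identify(Risk("R1", "Unpatched internet-facing server is exploited", "operational", 4, 5, 0.65, 40_000))
    reg.identify(Risk("R2", "Key vendor outage delays delivery", "operational", 3, 3, 0.30, 15_000))
    reg.identify(Risk("R3", "Regulatory filing deadline is missed", "regulatory", 2, 4, 0.10, 50_000))
    reg.identify(Risk("R4", "Customer requests a minor scope change", "strategic", 3, 1, 0.50, 2_000))
    reg.plan_response("R1", "mitigate", "Platform lead", residual_probability=1, residual_impact=5)
    reg.plan_response("R2", "transfer", "Procurement", residual_probability=3, residual_impact=1)
    reg.plan_response("R3", "avoid", "Compliance officer", residual_probability=1, residual_impact=1)
    reg.plan_response("R4", "accept", "Project manager")
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.prioritised():
        print(f"{r.rid} {r.rating():6} score={r.score():2} residual={r.residual_score():2} "
              f"EMV={r.emv():>9,.0f} response={r.response} owner={r.owner}")
    print(f"total EMV (exposure): {reg.total_emv():,.0f}; unassigned: {reg.unassigned()}")
```

R1 reproduces the article's figures (65% of $40,000 gives an EMV of $26,000) and sorts to the top of the register with a qualitative score of 20; after mitigation its residual score drops to 5, but it remains listed. The total EMV across the register (36,500 on this sample data) is the figure a project would use to size its contingency reserve.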

Types of risk management models

The following table summarises commonly used risk management frameworks and professional certifications, with their main advantages and disadvantages and the industries where they are most used. Only ISO 31000 and COSO ERM are frameworks an organisation adopts; the others are certifications for individual practitioners, listed here because the bodies of knowledge they test are often used as de facto models.

Model | Advantage | Disadvantage | Industry
FRM (Financial Risk Manager) | Comprehensive coverage of financial risk; globally recognised | Requires substantial experience and rigorous study | Finance, banking, investment management
PMI-RMP (PMI Risk Management Professional) | Specialised in project risk management; globally recognised | Requires prior project risk management experience and risk-specific education | Project management, construction, IT
PRM (Professional Risk Manager) | Focused on financial risk management; globally recognised | Less recognised than FRM | Finance, investment, banking
CRISC (Certified in Risk and Information Systems Control) | Combines IT risk management with enterprise risk management | Requires prior experience across its domains and continuing professional education | IT, cybersecurity, risk management
CERA (Chartered Enterprise Risk Analyst) | Integrates actuarial principles with enterprise risk management | Relatively new and less widely recognised | Insurance, finance, risk management
ISO 31000 (International Standard for Risk Management) | Broad, principles-based framework applicable across industries | Generic; needs tailoring before it can be applied | Various industries, including manufacturing, finance, healthcare
COSO ERM (Committee of Sponsoring Organizations of the Treadway Commission) | Comprehensive framework for enterprise risk management integrated with strategy | Complex to implement | Corporate governance, finance, healthcare
RIMS-CRMP (Risk and Insurance Management Society Certified Risk Management Professional) | Practical, competency-based | Less recognised globally | Insurance, risk management, corporate

Case study : Hydro One

One of the most successful implementations of enterprise risk management in Canada is Hydro One. Executives wanted to implement ERM when the company split out from Ontario Hydro due to the scheduled deregulation of electricity markets and increased scrutiny of corporate governance. Hydro One wanted to look at risks and opportunities in an integrated way to better allocate corporate resources.

External consultants were initially engaged to lead the ERM implementation, but their efforts were not successful, so a Corporate Risk Management Group was formed internally. It produced two documents, the ERM Policy and the ERM Framework:

  • ERM Policy: establishes the governing principles and identifies who is responsible for each aspect of risk.
  • ERM Framework: sets out the ERM procedure in detail.

A small pilot workshop was conducted in one subsidiary with a list of 80 identified risks. Using the Delphi method, 8 of these risks were discussed in depth; issues that managers had never discussed openly before were addressed, and new risks were identified. After the success of the pilot, the Audit and Finance Committee approved the two documents and laid down the roadmap for implementing ERM across Hydro One.

The overall aim at Hydro One was to maintain an optimal balance between business risks and business returns. The business category of risk at Hydro One included strategic, regulatory, financial, and operational risks.

The Corporate Risk Management Group at Hydro One prepares a corporate risk profile twice a year. Its purpose is to create a common understanding of the principal risks the organisation faces and to allocate resources to them by priority. All risks are aligned to business goals and objectives in a structured way, giving a holistic view of the challenges facing the company.

Benefits of ERM

The following are the benefits of ERM at Hydro One:

  1. Effective and better coordinated process for capital allocation.
  2. The company’s credit rating improved, and capital costs were lowered.

As a result of ERM implementation, management feels that the company is in a better position today to respond to new business development than it was 5 years ago. In the end, risk management is everyone’s responsibility, from the Board of Directors to individual employees.

Suggestions

The Companies Act, 2013 and the SEBI LODR Regulations, 2015 together put risk management on a formal footing, including, for the larger listed entities, a risk management committee that monitors the business for uncertainties arising over time. Beyond that minimum, it is recommended that companies identify at least their top ten industry-specific risks and assess their position against competitors, the global market, regulation, their industry sector, and changing market dynamics. As a further proposal, SEBI could require a risk index to be disclosed alongside the financial statements, rating the company's risk performance on a scale of 1 to 5, where 1 is very low risk and 5 is very high risk. Such a disclosure would help investors and stakeholders gauge the company's risk management and operational resilience.

Conclusion

This article has covered the main aspects of risk management and argued that a disciplined, risk-aware approach helps companies sustain long-term success and create value while safeguarding the interests of investors, customers, and promoters. Enterprise Risk Management (ERM) provides a structured way to align risks and challenges with corporate goals and objectives.

References

  1. https://www.linkedin.com/pulse/role-risk-management-corporate-governance-brett-palmer-o2lwc/
  2. https://www.mca.gov.in/Ministry/pdf/CompaniesAct2013.pdf
  3. https://ca2013.com/lodr-regulation-21/
  4. https://www.sebi.gov.in/legal/regulations/jan-2022/securities-and-exchange-board-of-india-listing-obligations-and-disclosure-requirements-regulations-2015-last-amended-on-january-24-2022-_55993.html
  5. https://www.pmi.org/certifications/risk-management-rmp
  6. https://www.casehero.com/enterprise-risk-management-hydro-one/
  7. Rita Mulcahy, PMP Exam Prep, 10th edition
