Risk Management: Introduction
Risk is inherent in every business, whether it is of financial nature or non-financial nature. Thus, management of the risk is very important. Risk management begins with the risk identification, analyzing the risk factors, making assessment of the risk and mitigation of the risk. Better risk management techniques provide early warning signals so that the same may addressed in time.
In traditional concept the natural calamities like fire, earthquake, flood, etc were only treated as risk and keeping the safe guard equipment etc were assumed to have mitigated the risk. But now in the era of fast changing global economy, the management of various types of risks has gained utmost importance.
Risk as defined in ISO 31000 is”the effect of uncertainty on objectives”. Put simply, once you have set the objectives for your small business – which could be around any business function like production, sales, finance, Logistics, etc., any adverse event, occurrence, development, or situation that hinders the achievement of these objectives is a risk.
“Risk Management” is a term used to describe the processes which aim to assist organisations identify, understand, evaluate and take action on their risks with a view to increasing the probability of their success and reducing the impact and likelihood of failure. Effective risk management gives comfort to shareholders, customers, employees, other stakeholders and society at large that a business is being effectively managed and also helps the company or organisation confirm its compliance with corporate governance requirements.
Risk management is relevant to all organisations large or small. Effective risk management practices support accountability, performance measurement and reward and can enable efficiency at all levels through the organisation. Risk management requires a detailed knowledge and understanding of the organization (both internal and external) and the processes involved in the business.
Advantages of Risk Management:
Risk management plays vital role in strategic planning. It is an integral part of project management. An effective risk management plan focuses on identifying and assessing possible risks.Some of the key advantages of having risk management are as under:
- Risk Management in the long run always results in significant cost savings and prevents wastage of time and effort in firefighting. It develops robust contingency planning.
- It can help plan and prepare for the opportunities that unravel during the course of a project or business.
- Risk Management improves strategic and business planning. It reduces costs by limiting legal action or preventing breakages.
- It establishes improved reliability among the stake holders leading to an enhanced reputation.
- Sound Risk Management practices reassure key stakeholders throughout the organization.
Steps In Risk Management Process:
The process of risk management consists of the following logical and sequential steps:
1. RISK IDENTIFICATION:
Risk identification is the first stage of the risk management strategy. The origin/source of the risk is identified.For example a risk may be due to transport of hazardous raw material to the factory. So the source of the risk origin is utmost important and from this point the journey start to manage the risks.The objective of the risk identification process is to ensure that all potential project risks are identified.
2. RISK ANALYSIS:
After identification of the risk parameters, the second stage is of analyzing the risk which helps to identify and manage potential problems that could undermine key business initiatives or projects.
To carry out a Risk Analysis, first identify the possible threats and then estimate the likelihood that these threats will materialize. The analysis should be objective and should be industry specific. Within the industry, the scenario based analysis may be adopted taking into consideration of possible events that may occur and its alternative ways to achieve the given target.
3. RISK ASSESSMENT AND MANAGEMENT:
Risk assessment is the way in which enterprises get a handle on how significant each risk is to the achievement of their overall goals. To accomplish this, enterprises require a risk assessment process that is practical, sustainable, and easy to understand. The process must proceed in a structured and disciplined fashion.
It must be correctly sized to the enterprise’s size, complexity, and geographic reach. When assessing risks, it’s important to determine whether the risk is – inherent risk, residual risk, or both.Inherent risk as the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact.
4.RISK MONITORING AND RISK CONTROL: Main goals to risk monitoring and control is- – To confirm risk responses are implemented as planned
–To determine if risk responses are effective or if new responses are needed
– To determine the validity of the project assumptions
– To determine if risk exposure has changed, evolved, or declined due to trends in the project progression
– To confirm policies and procedures happen as planned
– To monitor the project for new risks
– To monitor risk triggers
The ownership of risk should be allocated. Responsibilities and accountability of the persons handling risks need to be identified and assigned. The persons concerned when the risk arises, should document it and report it to the higher ups in order to have the early measures to get it minimized. Risk may be handled in the following ways:
1) Risk Avoidance: Risk Avoidance means to avoid taking or choosing of less risky business/project. For example one may avoid investing in stock market due to price volatility in stock prices and may prefer to invest in debt instruments.
2) Risk Retention/absorption: It is the handling the unavoidable risk internally and the firm bears/ absorbs it due to the fact that either because insurance cannot be purchased of such type of risk or it may be of too expensive to cover the risk and much more cost-effective to handle the risk internally.Usually, retained risks occur with greater frequency, but have a lower severity. An insurance deductible is a common example of risk retention to save money, since a deductible is a limited risk that can save money on insurance premiums for larger.
3)Risk Reduction: In many ways physical risk reduction (or loss prevention, as it is often called) is the best way of dealing with any risk situation and usually it is possible to take steps to reduce the probability of loss. The ideal time to think of risk reduction measures is at the planning stage of any new project when considerable improvement can be achieved at little or no extra cost.
The cautionary note regarding risk reduction is that, as far as possible expenditure should be related to potential future savings in losses and other risk costs; in other words, risk prevention generally should be evaluated in the same way as other investment projects.
4) Risk Transfer: This refers to legal assignment of cost of certain potential losses to another. The insurance of ‘risks’ is to occupy an important place, as it deals with those risks that could be transferred to an organization that specialises in accepting them, at a price. Usually, there are 3 major means of loss transfer viz.,
b)By contract other than insurance,
c)By contract of insurance.
The main method of risk transfer is insurance.
Responsibilities In Indian Corporate laws for Risk Management:
- Section 134(3) (n) of the Companies Act, 2013 provides that a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.
- SEBI (LODR) Regulations, 2015 also provides that company shall lay down procedures to inform Board members about the risk assessment and minimization procedures. The Board shall be responsible for framing, implementing and monitoring the risk management plan for the company.
- The Risk Management Plan must include all elements of risks. The traditional elements of potential likelihood and potential consequences of an event must be combined with other factors like the timing of the risks, the correlation of the possibility of an event occurring with others, and the confidence in risk estimates.
- Risk management policies should reflect the company’s risk profile and should clearly describe all elements of the risk management and internal control system and any internal audit function. A company’s risk management policies should clearly describe the roles and accountability of the board, audit committee, or other appropriate board committee, management and any internal audit function.
- A company should have identified Chief Risk Officer manned by an individual with the vision and the diplomatic skills to forge a new approach. He may be supported by “risk groups” to oversee the initial assessment work and to continue the work till it is completed.
- Regulation 21 of SEBI (LODR) Regulations, 2015, requires that every listed company should have a Risk Management Committee.
One challenge that organisations face as they prepare for life after COVID-19 is to rethink their business, strategically and operationally, in responding to the changes which have arisen. Many aspects of their operations may have shifted permanently. Outlined below are some of the key areas in which to consider risk going forward:
- Business models: Many organisations will need to rethink their business models to ensure they are aligned with changes in the wider political, business, economic and social environments.
- Financial management: All entities will need accurate information to support cash flow forecasting models, while underlying assumptions should be challenged regularly as new information emerges.
- Re-starting the supply chain: Contract management functions must coordinate with supply chain managers to understand issues and vulnerabilities across the value chain. Disputes may have increased, so it is important to be clear on the contractual position while seeking to collaborate and negotiate with customers and suppliers alike to deliver what is possible, preserve the value chain and strengthen key third party relationships.
- Projects and Change Management:It will be necessary to review projects previously put on hold and re-prioritise those that are most urgent, in line with recovery and business resumption plans. It is important that resources are committed to projects realising benefits and that support any changes to the business model.
- Control design: Changes in ways of working may result in the need to redesign internal controls to ensure these are fit for purpose.
- Fraud: Opportunities to perpetuate fraud increase not only when operating environments are challenging, but also during times of transition. Business leaders need to consider key risks and vulnerabilities. How can these risks be mitigated, and what is the organisation’s risk appetite? Some controls may not have been fully operational during the height of the COVID-19 outbreak, so it may be necessary to undertake a retrospective review to check whether they were applied or that compensating controls were effective.
- Cyber security: With millions of employees working from home, organisations have had to quickly adapt to keep business critical functions running, while also maintaining adequate security. Security considerations must also be taken into account as business processes change and organisations resume more normal operations.
- Health information and data privacy implications: Organisations are collecting and processing new types of information about individuals including health status, household information and the results of any COVID-19 testing. Are associated data privacy risks being addressed?
- Regulatory compliance: In the midst of everything that is happening and the daily challenges organisations face, it is important that eyes are not taken off the regulatory ball. Regulators will not be tolerant. There needs to be an ongoing focus on compliance and the adoption of any regulatory changes that arise, including areas such as Health and Safety.
- Opportunity: There is an upside and downside to risk. Organisations need to be alert to the opportunities that change presents. As part of a rethink strategy, this will include embracing the now tried-and-tested smarter ways of working to drive flexibility and efficiency and to achieve sustainable benefits for the organisation and its people.
The Corona virus (Covid-19) is impacting businesses globally by disrupting supply chains, travel, production and consumption, threatening operations and financial markets. Companies find themselves navigating a new reality, addressing issues from crisis response and cyber threats to valuations and financial stress. Accurate valuation, restructuring, security and risk management can help company assess and manage the risks to provide transparency to key stakeholders. This makes Risk management very crucial.
This article is written by Mahima Rathod and edited by Rupreet Kaur Dhariwal.
ALSO READ: IBC 2020 Amendment: An Overview