A guide to Enterprise Risk Management (ERM) for recently appointed Independent Directors
Deepak Wadhawan
Member, Global Advocacy Advisory Committee, IIA Global; Former CEO, The Institute of Internal Auditors-India (IIA India),
During 2008, I co-authored the "Guide to Implemeting ERM" (ICAI publication) and have been informally tracking its adoption by corporates. Over these last 16 years, ERM systems have moved from a "fad - to- its early adoption by public sector companies -to- the periodic addition of regulatory requirements around ERM -to- currently a business necessity for organisations that want to prosper in this volatile environment.
REGULATORY REQUIREMENTS FOR ERM IN INDIAN COMPANIES
As things stand today, regulations in India around ERM are fairly comprehensive. It is mandaory for every company to discuss in its Director's Report to its Shareholders the development and implementation of a Risk Management Policy & in addition for a public listed company to include in its terms of reference for the Audit Committee the evaluation of Risk Management System. Added to this, the top 1000 listed companies are required to have a Risk Management Committee with at least one independent director who has prescribed responsibilities for development/implementation & keeping an oversight on the efficacy of the ERM system.
WIDELY ACCEPTED ERM FRAMEWORKS
Risk governance, i.e. how the Board of Directors should perform risk oversight activiities is laid down as a principle in ISO 37000:2018. Broadly these activities are around important concepts as defining risk appetite, identification of emerging risks, choice of risk treatment, etc. in other words, key decisions which need to be taken during implementation or updation of the ERM process.
The ERM Process in a company can be created in two ways.
ENSURING PREPAREDNESS OF THE NEW INDEPENDENT DIRECTOR
Some companies have a concise orientation program for independent directors. I presume that the new directors are handed over a document or a training module around what is expected from them, the code-of-ethics, along with introductions to the chair of various committees of the board & management. More transparent companies may have by now started encouraging their discussion with executive management & HODs. On the other hand many companies believe in the principle that if you throw someone in the deep end, they start to learn swimming faster - so dont believe in having an induction program other than the board chair welcoming you. Which type of induction did you have? How well prepared are you after six months of joining?
The regulators are also wanting to see you prepared for your role. Now a days to be a board member you are required to pass an online proficieny test held by the Indian Institute of Corporte Affairs (IICA) within 2 years of being inducted. As per IICA website, majority of the new directors have yet to pass the exam. Have you passed the exam ?
WE INTUITIVELY MANAGE RISK BUT DIFFICULT TO PRACTICE RISK MANAGEMENT
Everyone is intuitively managing risk, but it is only the house wife who is good at risk management. My experience shows that the uptake on business functions (as sales, procurement, HR,etc.) is generally good as the Director's experience and intutive knowledge can help point towards asking relavant questions. When it comes to practicing risk management, the real problem is understanding the future business environment which has many uncertainities with different potentially emerging risks. We can think of risk management as a part of uncertainity management. Also commenting on the sales system or procurement system comes naturally to experienced directors but the ERM system requires some level of exposure to differently performing ERM systems. As many dont have this experience, it would help to study ERM systems, an approach discussed later on. If you follow the text-book style the starting point should be creating an understanding of regulatory requirements & understanding the criteria to evaluate effectiveness of ERM systems
A smart way for a newly appointed independent director would be to start by understanding the mandatory requirements on risk governance, followed by readings of the two technical advisories that provide the criteria to assess the ERM Process. Only when the independent director has a theoretical baseline & clarity on Risk Assessment, Risk Management & Risk Governance should he/she start learning about the company's risk management activities. This is because intuitively we understand risk while as an independent director we need to have a critical understanding of this subject in order to bring value.
UNDERSTANDING THE LANGUAGE OF RISK
Any area of activity done in a formal way has its own language. The risk language hence has to be understood by the independent director in his own way so that the concepts are clear. Understanding technical literature is not easy, the independent director would do well to mentally make out simple meanings as sometimes the language can be quite onerous & stressful. For e.g, an easy way to describe risks are that 'they are those uncertainities that matter.' So only those threats that can de-rail the company's objectives are considered risks for the company.
WHAT IS THE RISK MATURITY LEVEL OF YOUR ORGANISATION
The upside of a volatile, uncertain, complex & ambiguous (VUCA) environment is that uncertainities can also create opportunities so risk management's meaning has streched to being prepared in seizing these opportunties. Such a maturity level of managing risks that enables the organisation to take advantage of opportunities would be 'risk intelligent entities' What do you think you need to do to get your company to a risk-intelligent maturity level?
FAVOURABLE OUTCOMES USING ERM SYSTEM
Broadly, an effective ERM system should have a favourable effect on the following :
Value as a concept is something everyone understands but remains fuzzy about your in own company. We need to get out of the fuzzy-state to a clarity-state of the value your company brings. Ask these questions from yourself
Were these questions simple to answer or does this require you to do research? Can you think of more questions to understand value?
SPOTTING ERM SYSTEMS TO EMULATE OR IMPROVE
Lets take the IT Industry, where there are hardly 4-5 Tier-1 companies. As the companies are similar and also have similar opportunities on the revenue side, the company's relative performance will largely be attributable to its management of risks. So rating the financial performance should help to identify companies with a better performing ERM system.
There is sufficient information available on listed companies today to be able to do a comparitive review of risk performance by giving certain handicaps to different companies and creating a level-playing field for comparitive risk performance. By this measure, in the IT industry, do you think WIPRO seems to lately have an ERM system that needs to be looked into?
EXERCISING PROFESSIONAL SKEPTICISM ON EVIDENCE THAT YOU RECEIVE
An independent director will do well to exercise 'professional skepticism' on the information he/she receives from management on the subject of risks and not take it at face value. Evidence should be sought along with some corraborating informtion to validate the information.
Its not that you distrust the management, its that validating evidence produced to you is an important part of your job as independent director. As an anology if you were to ask any person responssible for approving AI systems, his/her twin concerns would be whether the data used for training was thoroughly vetted for relavance & quality , secondly whether procedures have been performed vetting AI application for biases.
So are you okay to do the grunt work of vetting data/evidence that is provided by you on risks by management or do you think that confining yourself to give advise and opinions is what you would like to restrict yourself to as independent director? Do you recollect when last you questioned the management on the correctness of data?
领英推荐
CURRENT STRATEGIC RISKS
As a board member, apart from assessing that the Risk Management Process defines & makes the organisation accountable for managing risk within the risk appetite, another area is a review of significant risks that excutive management present during board/RMC discussions e.g. cyber risk, supply chain risk, changes in the competitive landscape, risks due to either growth or changes in the company, changes in regulation, changes in environment, HR challenges, etc. Earlier it was good enough for independent directors to be well read on these areas & familarise themselves on the latest developments in these risks so as to ask pointed questions. Now with digital public infrastucture available to all, everchanging geo-political-economic factors, environmental factors, science & technology are causing inflection points (change in the business fundamentals) all the time & for this the independent director needs to do continuous research to have the requisite depth of knowledge & dimension of expected change.
EMERGING RISKS
What other risks should you discuss on your own initiative? These would be emerging risks. The new elephant in the room in terms of risk that merit board attention relate to risks arising from inter-connected systems & as mentioned earlier inflection points. Both have potential to create '10x' impact or what risk managers call 'beyond significant changes.' Since two decades the subject of inflection points has been discussed & debated upon, so lets discuss briefly on inter-connected systems. For e.g. when you warm up your car's engine in Hyderabad while sitting in Delhi this is possible due to the interconnection of Operational Technology (OT) with Information Technology (IT). Errors & cyberisk attack in this inter-connection can have huge repurcussions. You dont believe that the emerging threats to companies is in inter-connected systems?
Deliberations should be initiated by independent directors on inter-connected systems in two steps:
?1.? Understanding inter-connected systems in the company
2.? Understanding risks in inter-connected systems
THE MOVEMENT OF RISKS IN INTERCONNECTED SYSTEMS
The concept of "risks in interconnected systems" refers to the potential threats or hazards that can arise when multiple systems, networks, or devices are linked together. This can occur in various domains, such as healthcare, finance, transportation, manufacturing, logistics, financial systems, energy, etc.
The interconnectedness can exacerbate the impact of a single failure or attack, leading to cascading effects and increased vulnerability. Understanding the risks in interconnected systems is crucial for developing robust and resilient systems, as well as implementing effective security measures to mitigate potential threats.?
Earlier operational systems were not on the internet. With this ‘air gap’ between IT & OT systems consigned to history, and cyber-criminals looking for ways to breach organisations, new technological advancements need to be embraced to allow the benefits of Industry 4.0 and the modern factory to be realised, securely.
Operational Technology (OT) refers to the hardware and software systems used to monitor and control physical processes, devices, and infrastructure in industrial environments.
Operational Technology (OT) encompasses a broader range of systems and technologies than the traditional instrumental control panels used in plants. While instrumental control panels are a part of OT, OT also includes more advanced and integrated systems like:
These systems not only control and monitor machinery but also provide data analytics, remote monitoring, and enhanced automation capabilities. Think of instrumental control panels (ICP) connected to the internet. Now ICP are but a component of OT, the term OT itself covers a much wider array of technologies and applications. We are already seeing attacks on OT as part of urban warfare.
RESILIENCE
In today's environment which is filled with systematic risks, inflection points & unknown risks maturing with high velocity the chances are really bright to miss out these risks till it crystallises into a negative event with certainity. What to do? Hence 'resilience' has emerged as an important risk concept.
While there are ample literature on Disaster Recovery Planning (DRP) & Business Continuity Planning (BCP), these exercises have become important - along with this the best defense is to keep the performance & financial indicators healthy.
RESEARCH NECESSARY BY INDEPENDENT DIRECTORS
In conclusion, so far, the board was composed of some subject-matter experts who filled in the gaps. Now the independent director has not only to thoroughly understand the subject where significant risks arise for the company, but go beyond that to understand the latest research & developments in that area, as these could have inflection points.
TIME INVESTMENT BY INDEPENDENT DIRECTORS?
During the last decade the board agenda regarding ERM has periodically revised. Broadly speaking :
2013-19 : My observation is that since 2013 when the Companies Act was revised with onerous responsibilities & accountability on board members along with large fines & proscutions, independent directors have been somewhat focussed on compliance of Companies Act. SEBI listing rules, legal & regulatory compliance, fraud assessments, etc. Basically to protect themselves, while the progress in the company can largely be attributable to the management & entrepreneur group.
2020-22 : As covid hit the world, focus moved to disaster recovery planning (DRP) & business continuity (BCP), opertionalising parts of supply chain & redefining the way we work
2022-24: This post-covid phase saw manufacturing & markets coming back to the pre-covid days & full recovery of global economic activity to now at an all time high in cerain countries inspite of over 50 hostilities happening with major wars continuing. The global financial system is fully recovered. Also inequality gap between companies & countries increasing
2024 onwards: Companies are now on either of the two growth trajectories so the inequality gap will only widen. Also there is a new dimension at work, viz the entry of digital labour.
Going forward, time investment per company by an independent director is going to be significant & I estimate an additional 80-100 hrs per year on research alone. Also the attraction of being a solopreneur is going to increase exponentally vis-a- vis independent director. Drawing best talent as an independent director is something companies may need to think about
WATCH YOUR OWN RISK
As an independent director you may have to face court cases when things go wong in the company. You may have retired by then. It may also be that in board room politics you may be on the other side of the CEO.
Having a court case is a traumatic risk in old age & all the conditions mentioned above can make this as to what is commonly known as a 'snowballing risk' At times directors have not even been provided the basic legal assistance. Having a Directors liability insurance is not enough. Then there is the fine print with these insurances. They may not cover negligence. Also can you guess a corporte lawyers daily fees now a days? It can be exhboritant even if you have great resources. Also most insurance models are first you spend and then you recover, This is not a great idea. So before you take on the role of an independent director make sure that you have an enforceable indemnity agreement in place where you have access to cashless legal help for & access to all board records in all situations and for life. There are lawyers who can draft such an agreement for you.
The author is in the practice of improving ERM systems & strategic risk management and can be contacted on [email protected]