A Complete Guide to Risk Management

  • Other Laws|Blog|
  • 12 Min Read
  • By Taxmann
  • |
  • Last Updated on 12 July, 2022

Table of Contents

  1. Risk Evaluation
  2. Differences between Systematic and Unsystematic Risks
  3. Solvency and Liquidity
  4. Types of major Financial Risks
  5. Corporate Governance Principles
  6. Importance of Risk Management
  7. Risk Management Cycle
  8. Steps involved in Risk Management
  9. Risk Analysis
  10. Handling of Risk
  11. Risk Retention and Risk Reduction
  12. Fraud Risk Management Policy

risk management

Check out Taxmann's CRACKER for Governance Risk Management Compliances & Ethics which covers 'topic-wise' past exam questions with a sub-topic wise arrangement of questions in each chapter, chapter-wise marks distribution, trend analysis of past exam questions, ICSI Study Material comparison, etc.

CS Professional | New Syllabus | June 2022 Exams

1. Risk Evaluation

The risk measurement process requires a mathematical approach and considerable data on the past losses. The data available from the concern itself may not be adequate enough to lend itself amenable to analytical exercise. Hence, it becomes necessary to resort to data on industry basis, at national and sometimes even at international level.

Risk evaluation includes the determination of the:

    • Probability or chances that losses will occur.
    • Impact the losses would have upon the financial affairs of the firm should they occur.
    • Ability to predict the losses that will actually occur during the budget period.

There are various statistical methods of quantifying risks. But the statistical methods are too technical and the risk manager then relies on his judgment. Risks are classified as modest, medium, severe etc. In either event, a ‘risk matrix’ can be prepared which essentially classifies the risks according to their frequency and severity.

2. Differences between Systematic and Unsystematic Risks

1. It is not fully uncontrollable by an organisation. It is usually controllable by an organisation.
2. It is not entirely predictable. It is reasonably predictable.
3. It is usually of a macro nature. It is normally micro in nature.
4. It usually affects a large number of organisations operating under a similar stream. If not managed it directly affects the individual organisation first.
5. It cannot be fully assessed and anticipated in advance in terms of timing and gravity. It can be usually assessed well in advance with reasonable efforts and risk mitigation can be planned with proper understanding and risk assessment techniques.
6. The example of such type of risks is Interest Rate Risk, Market Risk, Purchasing Power Risk. The examples of such risk are Compliance risk, Credit Risk, Operational Risk.

3. Solvency and Liquidity

Solvency signifies the capability of the organization to pay its debt and dues. It represents the financial soundness of the organization. Whereas the liquidity risk arises due to mis-matches in the cash flow i.e. absence of adequate funds. Liquidity is altogether different from the word solvency. A firm may be in sound position as per the balance sheet, but if the current assets are not in the form of cash or near cash assets, the firm may not make payment to the creditors which adversely affect the reputation of the firm.

Types of Liquidity Risk

The liquidity risk may be of two types, trading risk and funding risk:

  1. Trading Risk: It may mean the absence of the liquidity or enough products or securities etc. to actually undertake buy and sell activities. e.g. in the context of securities trading inability to enter into derivative transactions with counter parties or make sales or purchase of securities.
  2. b. Funding Risk: It refers to the inability to meet the obligations e.g. inability to manage funds by either borrowing or the sale of assets/securities. It arises where the balance sheet of a firm contains illiquid financial assets which cannot be turned into cash within a very short time.

Therefore, it can be stated that Liquidity and Solvency are two different aspects.

4. Types of major Financial Risks

The risk which has some financial impact on the business entity is treated as financial risk. The major financial risks which may adversely affect an organisation are as follows:

  • Market Risk: This type of risk is associated with market ups and down. The market risks may be Absolute Risk (when it can be measured in rupee/currency term) and Relative Risk (relative to bench mark index). Hence the market risk may be defined as the risk to a firm due to the adverse changes in interest rates, currency rates, equity prices and commodity prices.

a. Interest Rate Risk: The financial assets which are connected with interest factors such as bonds/debentures, faces the interest rate risk. Interest rate risk adversely affects value of fixed income securities. Any increase in the interest reduces the price of bonds and debts instruments in debt market and vice versa.

b. Currency Risk: The volatility in the currency rates is called the currency risk. These risks affect the firms which have international operations of business and the quantum of the risk depends on the nature and extent of transactions with the external market.

c. Equity Risk: It means the depreciation in one’s investment due to the change in market index. Beta of a stock tells us the market risk of that stock and it is associated with the day-to-day fluctuations in the market.

d. Commodity Risk: This type of risk is associated with the absolute changes in the price of the commodity. Since commodities are physical assets, hence the prices are changed on account of the demand and supply factor.

  • Credit Risk: When a counter party is unable or unwilling to fulfil their contractual obligation, the credit risk arises. This type of risk is related to the probability of default and recovery date.

Risk may be summarized as hereunder:

1. Credit Risks 6. System Risks
2. Industry and Services Risks 7. Management and Operation Risks
3. Legal Risks 8. Market Risks
4. Liquidity Risks 9. Political Risks
5. Disaster Risks 10. Non compliance and related risks

5. Corporate Governance Principles

Risk management and corporate governance principles are strongly interrelated. An organization implements strategies in order to reach their goals. Each strategy has related risks that must be managed in order to meet these goals.

  •  Risk

Risk is an important element of corporate functioning and governance. There should be a clearly established process of identifying, analyzing and treating risks, which could prevent the company from effectively achieving its objectives.

The Board has the ultimate responsibility for identifying major risks to the organization, setting acceptable levels of risk and that appropriate risk management systems and procedure are in place to identify and manage risks.

  • Risk governance

        Good risk governance provides clearly defined accountability, authority, and communication/reporting mechanisms. The board shall have to identify the extent and type of risks it faces and the planning necessary to manage and mitigate the same for ensuring growth for the benefit of all the stakeholders.

  • Corporate governance

Corporate governance concerns the relationships among the management, board of directors, controlling shareholders, minority shareholders, and other stakeholders. Good corporate governance contributes to sustainable economic development by enhancing the performance of companies and increasing their access to foreign capital. Incorporating risk management in corporate governance of an organisation is very important.

  • OECD Principles of Corporate Governance

        The sixth principle of OECD Principles of Corporate Governance deals with the responsibilities of the board with respect to Risk Management and provides-

    1. The board should fulfil certain key functions, including reviewing and guiding corporate strategy, major plans of action, risk management policies and procedures, annual budgets and business plans; setting performance objectives; monitoring implementation and corporate performance; and overseeing major capital expenditures, acquisitions and divestitures.
    2. Ensuring the integrity of the corporation’s accounting and financial reporting systems, including the independent audit, and that appropriate systems of control are in place, in particular, systems for risk management, financial and operational control, and compliance with the law and relevant standards.

6. Importance of Risk Management

The key advantages of having risk management are as under:

  • Risk Management in the long run always results in significant cost savings and prevents wastage of time and effort in firefighting. It develops robust contingency planning.
  • It can help plan and prepare for the opportunities that unravel during the course of a project or business.
  • Risk Management improves strategic and business planning. It reduces costs by limiting legal action or preventing breakages.
  • It establishes improved reliability among the stakeholders leading to an enhanced reputation.
  • Sound Risk Management practices reassure key stakeholders throughout the organization

Effective risk management gives comfort to shareholders, customers, employees, other stakeholders and society at large that a business is being effectively managed. It helps the company or organisation confirm its compliance with corporate governance requirements. Risk management is relevant to all organisations large or small. Effective risk management practices support accountability, performance measurement and reward and can enable efficiency at all levels through the organisation.

Effective Risk Management

Risk management requires a detailed knowledge and understanding of the organization (both internal and external) and the processes involved in the business.

To effectively manage risk, and seize the opportunity within every challenge, institutions must manage a variety of business dimensions. In today’s world they must focus on maximizing digital capabilities, building ongoing expertise, driving fluid collaboration, developing top-notch analytics and fostering a risk culture that can withstand disruptive change.

Better risk management techniques provide early warning signals so that the same may addressed in time. In traditional concept the natural calamities like fire, earthquake, flood, etc. were only treated as risk and keeping the safe guard equipments etc. were assumed to have mitigated the risk.

7. Risk Management Cycle

‘Risk’ refers to the variations in the outcomes that could occur over a specified period in a given situation. If only one outcome is possible, the variation and hence the risk is zero. If many outcomes are possible, the risk is not zero. The greater the variation, the greater the risk.

Risk may also be defined as the possibility that an event will occur and adversely affect the achievement of the company’s objective and goals.

‘Business risk’ is the threat that an event of action will adversely affect an organisation’s ability to achieve its business objective/targets. Business risk arises as much from the possibility that opportunities will not be realized as much from the fact that certain threats could well materialise and that errors could well be made.

The risk management cycle is as under:

(i)  Identification

(ii)  Assesses

(a)  Evaluate the risk

(b)  Identify suitable responses to risk and select

(c)  Plan and resources

(d)  Implement, monitor and report

8. Steps involved in Risk Management

Risks, if not managed properly may cause severe damage to the organisations and therefore almost all organisations develop sequential process to deal with risks.

The steps every business should take for the proper management of risk of business are as under:

  1. Identification of risk: It is the first phase of the risk management process. The origin/source of the risk is identified.
  2. Assessment of risk: After identifying the origin of the risk the second step is assessment of the risk. A business organisation faces various threats and vulnerabilities that may affect its operation or the fulfilment of its objectives. Therefore, the quantum and severity of risk involved is assessed.
  3. Analysing and evaluating the risk: It is the third step where the risk is analysed and evaluated. The risk analysis involves thorough examination of the risk sources, its positive and negative consequences, the likelihood of the consequences that may occur and the factors that affect them and assessment of any existing controls or processes that tend to minimize negative risks or enhance positive risks.
  4. Handling of risk: The ownership of risk should be allocated. The persons concerned when the risk arises, should document it and report it to the higher ups in order to have the early measures to get it minimized. Risk may be handled in the following ways:

i. Risk Avoidance

ii. Risk Retention/absorption – it may be active or positive

iii.  Risk Reduction

iv. Risk Transfer

5. Implementations of decision: The last step in the risk management process is the implementation of the decision. It is recommended to the Board or the organization to use various alternatives of tackling the risks. After getting it approved, initiate measures to implement it.

9. Risk Analysis

Risk Analysis

To carry out a Risk Analysis, first the possible threats are identified and then the likelihood that these threats will materialize is estimated. The analysis should be objective and should be industry specific.

The first step in Risk Analysis is to identify risks or threats both existing and possible which may pertain to:

    1. Human: Illness, death, injury, or other loss of a key individual.
    2. Operational: Disruption to supplies and operations, loss of access to essential assets, or failures in distribution.
    3. Reputational: Loss of customer or employee confidence, or damage to market reputation.
    4. Procedural: Failures of accountability, internal systems, or controls, or from fraud.
    5. Project: Going over budget, taking too long on key tasks, or experiencing issues with product or service quality.
    6. Financial: Business failure, stock market fluctuations, interest rate changes, or non-availability of funding.
    7. Technical: Advances in technology, or from technical failure.
    8. Natural: Weather, natural disasters, or disease.
    9. Political: Changes in tax, public opinion, government policy, or foreign influence.
    10. Structural: Dangerous chemicals, poor lighting, falling boxes, or any situation where staff, products, or technology can be harmed.

Risk analysis can be useful in many situations like:

  1. While planning projects, to help in anticipating and neutralizing possible problems.
  2. While deciding whether or not to move forward with a project.
  3. While improving safety and managing potential risks in the workplace.
  4. While preparing for events such as equipment or technology failure, theft, staff sickness, or natural disasters.
  5. While planning for changes in environment, such as new competitors coming into the market, or changes to government policy.

10. Handling of Risk

Risk can be handled in the following ways:

  1. Risk Avoidance: Risk Avoidance means to avoid taking or choosing of less risky business/project. For example one may avoid investing in stock market due to price volatility in stock prices and may prefer to invest in debt instruments.
  2. Risk Retention/absorption: It is the handling the unavoidable risk internally and the firm bears/absorbs it due to the fact that either because insurance cannot be purchased of such type of risk or it may be of too expensive to cover the risk and much more cost-effective to handle the risk internally. Usually, retained risks occur with greater frequency, but have a lower severity. An insurance deductible is a common example of risk retention to save money, since a deductible is a limited risk that can save.

There are two types of retention methods for containing losses as under:

a. Active Risk Retention: Where the risk is retained as part of deliberate management strategy after conscious evaluation of possible losses and causes.

b. Passive Risk Retention: Where risk retention occurred through negligence. Such type of retaining risk is unknown or because the risk taker either does not know the risk or considers it a lesser risk than it actually is.

3. Risk Reduction: In many ways physical risk reduction is the best way of dealing with any risk situation and usually it is possible to take steps to reduce the probability of loss.

It is done at the planning stage of any new project when considerable improvement can be achieved at little or no extra cost.

  1. Risk Transfer: This refers to legal assignment of cost of certain potential losses to another. The insurance of ‘risks’ is to occupy an important place, as it deals with those risks that could be transferred to an organization that specialises in accepting them, at a price. Usually, there are 3 major means of loss transfer viz.,

a. By Tort

b. By contract other than insurance

c. By contract of insurance

11. Risk Retention and Risk Reduction

Risk reduction

Risk reduction means prevention of loss by taking steps to reduce the probability of loss. The ideal time to think of risk reduction measures is at the planning stage of any new project when considerable improvement can be achieved at little or no extra cost. It is the best way of dealing with any risk. Risk prevention should be evaluated in the same way as other investment projects as it will save a lot of cost and energy at a later stage.

Risk retention

“Risk retention” is the process of handling the unavoidable risk internally. The firm bears/absorbs the risk due to the fact that insurance of such a type of risk cannot be purchased or it may be too expensive to cover the risk and much more cost-effective to handle the risk internally. Retained risks occur with greater frequency, but have a lower severity.

Methods of risk retention

There are two types of retention methods for containing losses as under:

(iActive Risk Retention: Where the risk is retained as part of deliberate management strategy after conscious evaluation of possible losses and causes.

(iiPassive Risk Retention: Where risk retention occurred through negligence. Such type of retaining risk is unknown or because the risk taker either does not know the risk or considers it a lesser risk than it actually is.

12. Fraud Risk Management Policy

The management should be pro-active in fraud related matter. A fraud is usually not detected until and unless it is unearthed. A Fraud Risk Management Policy should be incorporated, aligned to its internal control and risk management. The Fraud Risk Management Policy will help to strengthen the existing anti-fraud controls by raising the awareness across the company and promote an open and transparent communication culture. It would also promote zero tolerance to fraud/misconduct and encourage employees to report suspicious cases of fraud/misconduct. The policy would spread awareness amongst employees and educate them on risks faced by the company.

The major aspects to be included in Fraud Risk Management Policy are –

  1. Defining fraud: This shall cover activities which the company would consider as fraudulent.
  2. Defining Role & responsibilities: The policy may define the responsibilities of the officers who shall be involved in effective prevention, detection, monitoring & investigation of fraud. The company may also consider constituting a committee or operational structure that shall ensure an effective implementation of anti-fraud strategy of the company. This shall ensure effective investigation in fraud cases and prompt as well as accurate reporting of fraud cases to appropriate regulatory and law enforcement authorities.
  3. Communication channel: Encourage employees to report suspicious cases of fraud/misconduct. Any person with knowledge of suspected or confirmed incident of fraud/misconduct must report the case immediately through effective and efficient communication channel or mechanism.
  4. Disciplinary action: After due investigations disciplinary action against the fraudster may be considered as per the company’s policy.
  5. Reviewing the policy: The employees should educate their team members on the importance of complying with Company’s policies & procedures and identifying/reporting of suspicious activity, where a situation arises. Based on the developments, the policy should be reviewed on periodical basis.

The fraud risk management policy will help to:

  1. Strengthen the existing anti-fraud controls by raising the awareness across the company.
  2. Promote an open and transparent communication culture.
  3. Promote zero tolerance to fraud/misconduct.
  4. Encourage employees to report suspicious cases of fraud/misconduct.
  5. Spread awareness amongst employees and educate them on risks faced by the company.

Such a policy may include the following:

  1. Defining fraud
  2. Defining Role & responsibilities
  3. Communication channel
  4. Disciplinary action
  5. Reviewing the policy

Following are the provisions related to reporting of fraud under Companies Act, 2013:

  • Section 143(12) of the Companies Act, 2013 read with Rule 13 of the Companies (Audit and Auditors) Rules, 2014 provides that if an auditor of a company in the course of the performance of his duties as auditor, has reason to believe that an offence of fraud involving an amount of rupees one crore or above, is being or has been committed in the company by its officers or employees, the auditor shall report the matter to the Central Government.
  • Rule 13(2) of Companies (Audit and Auditors) Rules, 2014 provides that the auditor shall report the matter to the Central Government as under:
  1. Reporting the matter to the Board/Audit Committee immediately but not later than two days of his knowledge of the fraud, seeking their reply or observations within 45 days.
  2. On receipt of such reply or observations, the auditor shall forward his report and the reply or observations of the Board/Audit Committee along with his comments to the Central Government within 15 days from the date of receipt of such reply or observation.
  3. In case the auditor fails to get any reply or observations from the Board/Audit Committee within the stipulated period of 45 days.

Disclaimer: The content/information published on the website is only for general information of the user and shall not be construed as legal advice. While the Taxmann has exercised reasonable efforts to ensure the veracity of information/content published, Taxmann shall be under no liability in any manner whatsoever for incorrect information, if any.

Leave a Reply

Your email address will not be published. Required fields are marked *

Everything on Tax and Corporate Laws of India

To subscribe to our weekly newsletter please log in/register on Taxmann.com

Author: Taxmann

Taxmann Publications has a dedicated in-house Research & Editorial Team. This team consists of a team of Chartered Accountants, Company Secretaries, and Lawyers. This team works under the guidance and supervision of editor-in-chief Mr Rakesh Bhargava.

The Research and Editorial Team is responsible for developing reliable and accurate content for the readers. The team follows the six-sigma approach to achieve the benchmark of zero error in its publications and research platforms. The team ensures that the following publication guidelines are thoroughly followed while developing the content:

  • The statutory material is obtained only from the authorized and reliable sources
  • All the latest developments in the judicial and legislative fields are covered
  • Prepare the analytical write-ups on current, controversial, and important issues to help the readers to understand the concept and its implications
  • Every content published by Taxmann is complete, accurate and lucid
  • All evidence-based statements are supported with proper reference to Section, Circular No., Notification No. or citations
  • The golden rules of grammar, style and consistency are thoroughly followed
  • Font and size that's easy to read and remain consistent across all imprint and digital publications are applied