Indian listed companies have begun to realise that Enterprise Risk Management is not a passing fad, but is here to stay.
A successful risk strategy involves optimising risks, not minimising them. It is true that companies today are more risk averse than they were before 2001 when a large number of corporate scandals rocked the world and led to the collapse of world-class companies. These events led to the enactment of the Sarbanes-Oxley Act of 2002 in the US and also contributed to the birth of our own Clause 49 of the Listing Agreement.
Risk is the uncertainty of an event happening and the consequences if the event happens. Risk lies in every area of a company. While risk need not result in an adverse outcome, it often produces unpleasant surprises. Yet, if few risks were taken, not much business would get done. So every company needs to find the optimal balance between risk and control, that is, its risk appetite, and draw the boundaries for the business risks it will take to advance the company. A more imaginative, optimised approach to compliance with Clause 49 can unlock the potential business value of the regulations and seek to realise that value while still satisfying the regulator.
Corporate governance may be thought of as the system by which companies are directed and controlled. It encompasses three main things: Compliance, audit and risk management. In India, Enterprise Risk Management (ERM) has been voluntarily embraced mainly by MNCs and financial institutions. Other listed companies are now forced to embrace it to comply with Clause 49; this has brought about renewed focus on ERM and CEO/CFO certification of internal control effectiveness. Indian listed companies have begun to realise that ERM is not a passing fad, but is here to stay as an integral part of the corporate governance process.
One feels uneasy that many Indian companies may go in for a bare minimum compliance solution that follows the letter rather than the spirit of the law. The point they might easily miss is that companies can extract increased operational efficiencies when they undertake compliance constructively, as many of the Clause 49 compliance requirements are simply "best practices" turned into regulations.
Regulations will drive compliance in the vast majority of companies listed in India. But isn't it odd that a high-impact regulation on risk management is buried in Part IV of Clause 49 under the heading "Disclosures"? It reads, "The company shall lay down procedures to inform board members about risk assessment and minimisation procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined framework."
Several board members of Indian companies want the Securities and Exchange Board of India (SEBI) to specify some ERM framework and guiding principles and standards for companies to follow in developing their ERM plans. Other board members feel Corporate India is sufficiently knowledgeable about ERM. They feel it is already an integral part of their companies and SEBI should only provide the broad regulatory framework for companies to function in this area. Whatever their preference, because Clause 49 provides only a short, high-level requirement for risk management, companies will need to turn to "best practices" to fill in the lack of detailed requirements.
ERM may be defined as "a process by which companies in all industries assess, control, exploit, finance, and monitor risks from all sources for the purposes of increasing the company's short- and long-term value to its shareholders."
In India, since 2001, ERM has evolved steadily in progressive companies. It is developing from being merely a risk identification and assessment process to building a risk portfolio that is continually assessed and monitored. The perception that "risk is not my responsibility" has evolved to a more realistic "risk is everybody's responsibility". These changes have resulted in ERM becoming an integral part of a company's operating philosophy.
A company's success in managing risks comes from its corporate culture. Board members should be alert to changing trends of an industry and should have adequate policies and procedures to embed good corporate culture. Directors and senior management must understand their company's fundamental business and inherent risks. They should understand and communicate the tradeoffs between risk and reward, and have a strong sense of how much is too much. The board and management could simulate different situations and problems that may be faced by the company and suggest how to deal with them. This will enhance awareness and improve the quality of management.
The board should set the tone for integrity within the company and ensure that it permeates to the grassroots level. The board should also ensure that the policies laid down by it are complied with, as shareholders could hold the board accountable as an oversight body that looks after their interests.
Choosing the right management to run the company is an important step to minimise the risk of fraud. Another important element of governance is to ensure the company has an adequately robust system for escalating matters by employees to appropriate levels (a whistle-blower process).
The board should put in place ethics and compliance policies and also suggest procedures for how the company should go about managing and monitoring the risks of fraud within the company. Ensuring that the right people are hired for the right job is a good way to minimise the risk of fraud.
ERM is primarily the management's responsibility. The board and senior management have long sought ways to better control the companies they run. Internal controls are often put in place to keep companies focussed on profitability goals and achievement of their mission, and to minimise unpleasant surprises along the way. Since Clause 49 also requires the management to implement procedures to inform the board about the risk assessment and minimisation processes, these should be periodically reviewed to ensure that the management controls risk through a comprehensively defined, designed and implemented framework.
The board of directors, being the highest body in the corporate governance hierarchy, is primarily responsible for defining the risk management framework and for ensuring that risk management applies to every level within the company. While the implementation of policies and procedures should be entrusted to the management, the board should always consult with the management to determine the key risks that could impact the company and its operations. Because the reputation risk of a company lies with the board, the primary accountability of risk management oversight also lies with the board.
There will be a fine balance between risk and control for a company to function well. The board should understand the key elements of ERM, question the management about risks, and concur on major risk-management decisions. However, they should neither make choices on behalf of the management nor assume the management's role in ERM. The level of risk that a company is willing to accept is the management's decision and generally there can be no right or wrong decision.
There are several ERM frameworks to choose from, of which COSO's Integrated ERM Framework appears to be the gold standard for implementing risk management. This framework describes a direct relationship between objectives (what an entity strives to achieve) and ERM components (what is needed to achieve them). This relationship is portrayed as a three-dimensional cube, with eight interrelated components that fit in well with Clause 49's requirements. COSO's flexible framework allows a company to focus on the entirety of its ERM framework, or by objectives category, components, entity unit, or any combination thereof.
ERM can be used by management as an effective decision-making tool. The key things that ERM does are help drive information and better decisions which, in turn, drive better financial results and improved shareholder value. ERM requires a company to systematically identify and assess the risks throughout its operations, factoring in both external and internal factors. Risk management processes inform senior management about the company's risk profile and likelihood of achieving its long-term goals. ERM also helps in effective reporting and compliance with laws and regulations. It helps avoid damage to the company's reputation and associated business consequences.
In summary, I view ERM as the means, rather than an end in itself, of good corporate governance. With the right perspective and knowledge, sensible Indian boards will be able to leverage the significant effort and technology investments made in the name of compliance with Clause 49 to further their mission to deliver increased shareholder value.
Sammy Medora (The author is Chairman of KPMG's Audit Committee Institute.)