Has the risk landscape of companies changed over the past 2-3 years? This was the subject matter of a recent study, `Board Members on Risk', conducted by Ernst & Young (E&Y). After tabulating the views of 150 independent, non-executive board members from 16 countries, E&Y found the response to be an emphatic yes. Over 70 per cent of the respondents were convinced that levels of operational risks in business have risen, and 40 per cent of directors felt that the risk potential has risen significantly. "There are many reasons for this growing risk awareness, but in large part it is due to new legislation such as the Sarbanes-Oxley (SOX) Act in the US, and the revised Clause 49 of the SEBI (Securities and Exchange Board of India) listing agreement," says Mr Ram Sarvepalli, Partner, Risk & Business Solutions, E&Y.

As you may be aware, the Clause in question prescribes corporate governance guidelines, which require the board to be informed about the effectiveness of risk management in the company apart from requiring the CEO and CFO to certify the effectiveness of the internal control systems in the company.

The Clause seems to be bringing about a change. "Board members have begun to seek and rely on the advice and support of their controllers and financial auditors. Even board members who are not on the audit committees are today well aware of the great importance of the topic of compliance," says Mr Sarvepalli, interacting with Business Line. Here are his answers to a few more questions.

Is compliance a pointer to performance?

Board members remember a fundamental truth that even the most scrupulous recording of corporate data and compliance with all legislation and corporate governance guidelines will not, of themselves, guarantee growth or performance. A company's capacity to create value depends on the risks it is willing to take at the strategic and operational levels and on its ability to manage those risks effectively.

So?

In addition to asking what are the most dangerous risks for their company, boards should also be asking themselves what their company's most profitable risks are. In other words, what type of business risks is the company better placed and equipped to understand and manage than its competitors. Managing these operational risks effectively is then the ideal starting point from which to generate a further increase in shareholder value. Many board members are instinctively aware that this is the case.

Are all forms of risk equally well supervised and monitored?

The answer is negative. Over a third of the board members questioned believe that some types of risk are not being sufficiently well managed by their companies, especially in the areas of business environment, business operations, technology and competition. And it can be no coincidence that these are precisely the areas in which the board members themselves claim to have least involvement and least influence over the executive management of their respective companies.

Who are all involved in risk management?

In most companies ten or more departments are involved in risk management: from legal to quality management, from financial controlling to human resource development, from research to works security.

Are they working in unison?

As a rule, each of these functions work in isolation with regard to risks, and their activities are rarely fully geared to the company's strategic business objectives. As a result, depending on the individual configuration, this leads to either gaps or overlaps in risk monitoring and does not constitute effective risk management.

Is integration key, therefore?

Yes, and fortunately controllers and financial auditors are coming to realise the benefits of working closely with other existing departments and functions such as quality management. Driving this revised approach is the realisation that many of the financial reporting risks have their root causes in the company's operational processes. Our survey found that many board members are well aware of this correlation and are urging closer cooperation between the functions that monitor the various types of risk.

Do we need fresh investments to ensure integration?

Nearly four out of five respondents found that their organisations already have sufficient resources invested in risk management. Risks need to be better managed, they argued, not by increasing levels of investment but by improving the quality of the integration of existing processes.

What's needed, then?

A company that aligns its existing risk management systems more accurately with its corporate goals and strategy, and its existing internal controls will generally not need to introduce new control mechanisms. Current examples of best practice show that traditional quality assurance and techniques such as `statistical process control', `six sigma' and `continuous monitoring' are increasingly introduced into administrative and financial reporting processes and departments, as well.

Are strategy and risk management linked enough?

Despite the logical appeal of such a linkage, many companies have not consistently connected corporate strategy with risk management and internal control. At far too many companies it is still common practice to define and monitor business goals in isolation, instead of networking this process with the identification and monitoring of the related risks.

Any quick suggestions, for those who would like to establish the linkage?

If one takes the trouble to compare the key performance indicators (KPIs) of a company with the risk profile, it often emerges that the KPIs directly reflect the risks. And this is only logical, because while corporate strategy describes the activities in which a company must be successful in order to grow, risk management identifies and monitors the specific risks inherent to these activities. When both of these aspects are brought together in an integrated management system and continuously adapted to one another, corporate risk monitoring moves onto a new level of quality. A decisive part of the responsibility for this integration process lies with the board, as many directors are obviously well aware.

Responsibility for risk management. Is this getting recognised?

More than 80 per cent of respondents have indicated that their role has changed over the past two or three years. Not only have new responsibilities been added, but also the level of accountability and time investment have increased.

Responsibility for risk management. Is this getting recognised?

More than 80 per cent of respondents have indicated that their role has changed over the past two or three years. Not only have new responsibilities been added, but also the level of accountability and time investment have increased. However, with regard to their own roles in respect of risks, opinions among board members differ. Two-thirds of respondents see their role as setting the strategy for risk management or providing guidelines within which executive management could operate, while the remainder consider it sufficient to review and respond to the information provided by senior management.

Who owns the risks within the company?

A tricky question. Asked what group `owns' risks within the company, board members were most likely to name themselves first (40 per cent), followed at some distance by the CEO (20 per cent). In terms of the key factors for successful risk management, the vast majority of board members named clear responsibilities and processes and direct and effective communications.

What is the job of the board, therefore?

The risk-related role of the board has long since expanded well beyond the closely defined remit of the audit and risk committees. While compliance problems can indeed do great harm, a firm command of compliance is today merely par for the course. Nowadays, board members are expected to look beyond compliance and address such forward-looking topics as innovation, growth and performance. Because, as experience has shown, it is the consequences of an ill-judged corporate strategy that ultimately destroy most shareholder value.

D. Murali