The Companies Act 1956 did not contain any mandatory provisions relating to Risk Management, whereas the Companies Act 2013 placed specific expectations on important stakeholders in a company, namely, the Board of Directors, Audit Committee and the Independent Directors in relation to Risk Management.
The Companies Act 2013:
Relevant sections are Section 134 (3) n; Section 177 (4) and Schedule IV referred to by Section 149 (8).
Section 134 (3) n: Report by the Board of Directors to Shareholders should include a statement indicating development and implementation of a Risk Management Policy for the company, including therein, identification of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.
Contravention of the provisions under this section, could attract penalty ranging from fifty thousand rupees to twenty five lakh rupees for the company and for every officer in default, imprisonment up to three years or fine ranging from fifty thousand rupees to five lakh rupees.
Section 177 (4): Terms of reference to Audit Committee shall include
Vii: evaluation of Internal Financial Controls and Risk Management Systems.
Schedule IV – Code of Independent Directors: Role and Functions:
4. Satisfy themselves on the integrity of financial information, and that financial controls and the system of Risk Management are robust and defensible.
Clause 49 of the Listing Agreement:
SEBI’s guideline for listed companies says under Board Disclosures:
Risk Management: The company shall lay down procedure to inform Board Members about Risk Assessment and minimization procedures. These procedures shall be periodically reviewed to ensure that the executive management controls risk through means of a properly defined framework.
SEBI’s update released in 2014, prescribed constituting a Risk Management Committee, in each of the top 100 companies by market capitalization.
COSO Framework on Internal Controls
Risk management cannot be handled in isolation. It needs to be related to the Control Environment in which the organization operates, risk assessment based on perceived risks, and certain control activities undertaken to manage risks.
COSO (Committee of Sponsoring Organizations of the Treadway Commission) released a Framework in 1992 to help organizations assess and enhance their internal control systems. COSO came up with an update to their Internal Control Framework in 2013, which provides appropriate and adequate guidance on Risk Management. Let us look at its important features.
Components of Internal Control Framework:
Control Environment: Focuses on Risk Management Culture – awareness – understand Risk Profile of the Organization – Board and Management set the tone at the top – Integrity and competence of staff.
Risk Assessment: Identify relevant risks to the Organization’s Objectives.
Control Activities: Internal Control Systems – Policies – Procedures – Authorizations – Security of Assets – SOD (Segregation of Duties)
Information and Communication: Includes Production of Operational and Financial reports.
Monitoring Activities: Not to be confused with Control Activities. Monitoring Internal Control Systems Direct Supervision, Internal Audit.
The above 5 components of Internal Control are a part of the original framework released in 1992. Retaining them, update in 2013 added fundamental concepts underlying the five components, as 17 Principles, to help in management understanding.
These 17 principles have been further elaborated as 79 Points of Focus. To enhance review of understanding each Principle, Points of Focus are provided.
A couple of Components of Internal Control, related Principles and Points of Focus are reproduced here, for appreciating how COSO Framework on Internal Control can serve as a good guide in Risk Management.
Control Environment
Principle (one of the 5 principles under Control Environment): Organization demonstrates a commitment to Integrity and Ethical Values.
Related Points of Focus: (4 out of 21 Points of Focus relating to Control Environment):
1. Sets the tone at the top
2. Establishes Standards of Conduct
3. Evaluates adherence to Standards of Conduct
4. Address deviations in a timely manner.
Risk Assessment
Principle: (one of the 4 Principles under Risk Assessment): The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Points of Focus: (4 out of 27 Points of Focus relating to Risk Assessment):
22a. Reflects Management’s choices
23a. Considers tolerance for risk
24. Includes Operations and Financial Performance goals
25. Forms a basis for committing of resources.
Concluding remarks
COSO’s Internal Control Framework, particularly with elaborations through Principles and Points of Focus as explained above provides good guidance in devising Risk Management Policies, Procedures, Evaluation and Monitoring by any Organization.
Considering the expectations of the Act, and stringent penal provisions associated with non- compliance, Organizations could adopt COSO Framework and strengthen Corporate Governance including Risk Management.
For more articles from me, please read my book “Translating Operations into Money – Cases in Business Management”, available for online purchase through Notionpress, Flipkart, and Amazon.in. You could visit www.operationstomoney.com for a free download of a chapter.
Thank you for your attention.
Tulasi S Sastri
FCA., CISA