Crisis Management & Risk and Liability Mitigation – CS Professional Study Material

Chapter 8 Crisis Management & Risk and Liability Mitigation – Resolution of Corporate Disputes Non Compliances & Remedies Notes is designed strictly as per the latest syllabus and exam pattern.

Crisis Management & Risk and Liability Mitigation – Resolution of Corporate Disputes Non Compliances & Remedies Study Material

Question 1.
Distinguish between General Liability Insurance and Professional Liability Insurance. (June 2019, 4 marks)
Answer:
General Liability Insurance covers business from a few “general” lawsuits that any business could face. It triggers when a third party (i.e., anyone who doesn’t work for the company) sues the business over:

  • Bodily injuries they incurred on the commercial premises,
  • Damage caused to their property,
  • Advertising injuries (e.g. slander, libel, misappropriation, and copyright infringement).

General Liability Insurance pays for the legal expenses (lawyers’ fees, court costs, and settlements or judgments). Any small-business owner, no matter their industry or the size of their business, can face these claims. That’s why many consider this policy to be the keystone of a business protection plan. Professional Liability Insurance is also known as “Errors and Omissions Insurance” or “Malpractice Insurance”. Its coverage focuses specifically on the lawsuits that stem from the professional services rendered.
Though this policy is especially important for service providers to carry, most small-business owners can benefit from its coverage. It shields the insured from third-party lawsuits alleging:

  • Negligent professional services.
  • Failure to uphold contractual promises.
  • Incomplete or shoddy work.
  • Mistakes or omissions.

These torts are among the most expensive a business owner can face. One need not be at fault to be sued; an unhappy client may name the business in a lawsuit to recoup the “losses” they incurred because of the work carried out.


Question 2.
“Crisis Management is not necessarily the same thing as risk management”. What is Crisis Management and how is it different from risk management? Explain in detail guidelines/recommendations for establishing a good crisis management plan. (June 2019, 8 marks)
Answer:
Crisis management is the identification of threats to an organization and its stakeholders, and the methods used by the Organization to deal with these threats. An organization may face various types of crisis like natural crisis, technological crisis, confrontation crisis, etc.
Crisis management involves dealing with crises in a manner that minimizes damage and allows the affected organization to recover quickly. Dealing properly with a crisis can be especially important for a company’s public relations.
Businesses that effectively put a continuity plan in place in case of unforeseen contingencies can mitigate the effects of any negative event that occurs. The process of having a continuity plan in place in the event of a crisis is known as crisis management.
Crisis management is different from risk management. Unlike risk management, which involves planning for events that might occur in future, crisis management involves reacting to negative events during and after they have occurred. For example, an oil company may have a plan in place to deal with the possibility of an oil spill, but if such a disaster actually occurs, the magnitude of the spill, the backlash of public opinion, and the cost of clean-up can vary greatly and may exceed expectations.
As a crisis may come in several forms, it is recommended in all cases that a company be prepared ahead of time with a crisis management plan.

The following guidelines are recommended for establishing good crisis management plans:

  • Employ a professional crisis manager who can help in planning crisis management processes.
  • Initiate frequent training and refresher courses on handling crises. Drills and mock operations must take place frequently to keep refreshing stakeholders on emergency responses to crises.
  • Form a crisis team to work under the leadership of a crisis manager.
  • Planning responses and crisis management processes for various potential crises is highly recommended. It takes several approaches and processes to address different crises.
  • Initiate systems that can effectively monitor or detect foreseeable crises signals early enough in order to tackle the situation before it gets out of hand.
  • Provide a list of key persons in case of a crisis and their contacts. The contact information must be displayed where anyone can see and easily access them.
  • Identify the ground person to be notified immediately when a crisis occurs. Apart from a crisis manager, there must be a coordinating person among employees who possesses first-hand news on a looming crisis. It should be the same person who can be trusted by his colleagues with vital information on any suspected crisis.
  • Identify a central point where the employees can assemble and the exit points to use in case of a crisis. Emergency exit doors with ease of opening them must be labelled well and an emergency central place identified and properly labelled as well.
  • Test the crisis management process and emergency equipment regularly, and update them frequently or as needed.


Question 3.
POR Limited wants to design and implement an effective Enterprise Risk Management (ERM) system. Evaluate the challenges likely to be faced by the Company during implementation of ERM system. (June 2019, 4 marks)
Answer:
Risk management, also known as Enterprise Risk Management (‘ERM’), is a systematic and holistic approach for firms to address all their risks, whether operational, strategic or financial, comprehensively. ERM focuses on identifying risks, developing and monitoring the risk management system and reacting to risk events when they occur.
POR Limited may face the following challenges in designing and implementing an effective ERM system:
1. Effectively linking risk and strategy: Integrating risk management into the overall corporate strategy is a challenge for many Indian firms. The challenge is to have an ERM system that encompasses a process capable of being applied in strategy setting across the enterprise.

2. Implementing cost-effective risk management for small and medium-sized enterprises: While the costs of risk management failures can be high, designing and implementing efficient ERM can also be quite costly, especially for small and medium-sized firms.

3. Addressing all major areas of risk: ERM requires a firm to take a portfolio view of risk; boards must consider how various risks inter-relate, rather than treating each business and risk individually. This is a significant challenge for many boards.

4. Mitigating new risks: In India, many complex areas of risk have emerged in the last decade or so, which has made risk management particularly challenging. For example, some traditional areas of risk, such as political instability and strikes and unrest, appear to have subsided while others, such as information and cyber security as well as terrorism and insurgency, have increased in prominence. Companies operating in various industries have experienced the theft of data and sensitive information. For companies in major cities, the threat of terror attacks has become a growing cause for concern, which can be hard to manage by the company itself.

Question 4.
“Several large companies and financial institutions worldwide no longer exist today as they neglected the basic rules of Corporate Governance, Risk Management and Control”.
Comment in the background of today’s business environment. (Dec 2019, 4 marks)
Answer:
The importance of corporate governance in risk management is amply supported by the reasoning of the Kumar Mangalam Birla Committee on Corporate Governance to implement corporate governance in India.

Risk Management is an integral component of corporate governance and good management. There is a growing realization that corporate governance has an impact on enterprise risk management. Several large companies and financial institutions worldwide no longer exist or have been taken over precisely because they neglected the basic rules of risk management and control. According to the OECD (2009), some common risk management problems in relation to corporate governance that appeared in many financial institutions before and during the crisis were the following:

  • Risks were frequently not linked to strategy, which is a key issue in ensuring that risk management has a focus on the business context;
  • Risk definitions are often poorly expressed. Better risk definitions (context, event, consequence) are contrary to a lot of current thinking in risk management, which has shortened risk descriptions to the smallest number of words possible;
  • Organizations weren’t always in a position to develop intelligent responses to risks;
  • Boards didn’t take stakeholders and guardians into account in detailing responses to risk;
  • Important parts of the value chain were outsourced to others.

Question 5.
“Anticipating future risks is a key element of avoiding or mitigating those risks before they escalate into crisis.” Explain. (Dec 2019, 4 marks)
Answer:
The company’s risk management structure should include an ongoing effort to assess and analyze the most likely areas of future risk for the company, including how the contours and interrelationships of existing risks may change and how the company’s processes for anticipating future risks are developed. This includes understanding risks inherent in the company’s strategic plans, risks arising from the competitive landscape and the potential for technology and other developments to impact the company’s profitability and prospects for sustainable and long-term value creation. Anticipating future risks is a key element of avoiding or mitigating those risks before they escalate into crises. In reviewing risk management, the board or relevant committees should ask the company’s executives to discuss the most likely sources of material future risks and how the company is addressing any significant potential vulnerability.


Question 6.
“Errors and Omissions Insurance is a special type of coverage that protects a Company against claims that a professional service provided caused the client to suffer financial harm due to mistakes on the part of the professional or because he may have failed to perform some service.” Why should professionals opt for such an insurance? (Dec 2019, 4 marks)
Answer:
Professional indemnity insurance is also known as professional liability insurance and also as Errors & Omissions (E&O) insurance. It is a type of liability insurance that works to protect businesses and individuals who provide consultation and services with the compensation for full and hefty costs arising from the loss that they have caused to their client. The coverage provided by the insurance company focuses on the alleged failure of the service delivery by the Company, which has led to the financial loss due to errors and omissions in the service or consultation.

Some reasons that might make it necessary to have E&O are as under:

  • High risk of lawsuits: Not having professional indemnity insurance may put a person at high risk, as many companies may take advantage of professionals who are not completely secured. Moreover, it can put the Company/Professional in a financial loss if a case is filed against them.
  • Risk of losing business: Many clients prefer to do business with companies which have such insurance; at times they are keen to know whether, if the Company or any of its employees makes a mistake, it will be covered or not.

Question 7.
(a) ‘In today’s environment, directors and officers are exposed to risk of personal financial loss as a result of serving as a Director or Officer of the Companies’ – Discuss the statement and also elaborate on tools available for mitigation of such risks.
(b) ‘Managing Social media is one of the important facets of present Brands’ – Discuss the statement quoting live incident(s) and as a Company Secretary suggest briefly, the ways for managing such crisis. (Dec 2020, 8 marks each)
Answer:
(a) It is true that in today’s environment, directors and officers of companies are exposed to the risk of personal financial loss as a result of serving as a Director or Officer of the Companies.
There are risks involved in the business decisions they make while discharging their duties.
These risks expose the Directors & Officers to the risk of liabilities and litigation.
The business environment nowadays is uncertain. Therefore it is advisable to use the tool of ‘Directors & Officers’ Liability Insurance.
Directors & Officers (D&O) liability insurance is insurance coverage intended to protect individuals from personal losses if they are sued as a result of serving as a director or officer of a business.
It can also cover the legal fees and other costs the organisation may incur as a result of such a suit.
Directors and officers liability insurance can be obtained for anyone who serves as a Director or an Officer of any organisation, including a Non-profit organisation.
Directors may also face liability under Income tax, Forex laws, SEBI, PF and Shops and Establishment Act etc.
D&O policies can take different forms depending on the nature of the organisation and the risks it faces. Ideally one should choose an Insurance company with deep experience in this specialised field.
The Policies are generally purchased by the organisation to cover a group of individuals rather than by the individuals themselves.
Policies can be written to insure against a variety of hazards, but they generally make exclusions for Fraud and other criminal activity.

The advantages of having such a policy may be summed up as follows:

  • Protects personal assets of Directors and Officers from risk of loss caused by breach of their duties, while acting in good faith
  • Saves legal and other expenses incurred in litigation
  • If investors believe that they have suffered losses due to mismanagement of the company they could approach the court for compensation.
  • Employees may sue directors for their wrong decisions.
  • Customer can take legal actions for misrepresentations made in the advertisement materials and deceptive trade practices.
  • Enquiries initiated by regulatory authorities like SEBI / Revenue department can cause losses to directors.
  • In case of Bankruptcy or Insolvency, creditors may take action against the directors in their personal capacity.
  • Having a D&O policy helps the organization in retaining / attracting talent.

By having a D&O policy, we can cover losses caused to the company in the above mentioned circumstances.

(b) The United Airlines PR Crisis:
The conflict occurred on United Airlines flight number 3411, which departed from Chicago to Louisville on April 9, 2017. Before passengers began boarding, it was announced that the flight was overbooked. United needed to put their employees on this plane.
So, they asked for volunteers to give up their seats in exchange for $400 US, a free hotel room and a ticket for a flight the next day. No one volunteered.
When boarding was complete, it was announced that four passengers had to leave the plane. Again, no one volunteered, so the company decided to choose passengers randomly. Two of the passengers left, and one refused.
The one who remained said that he was a doctor and needed to get to his patients. When he refused to leave the plane, he was forcefully dragged from his seat and was struck in the process.
The crisis started when a cell phone video recording of the incident was published on social media.

How the crisis was managed:
When United realized that they couldn’t get out of the scandal, the CEO Oscar Munoz commented on the situation. He apologized for having to re-accommodate the customer. The statement of CEO Oscar Munoz is as under:
“This is an upsetting event to all of us here at United.
I apologize for having to re-accommodate these customers. Our team is moving with a sense of urgency to work with the authorities and conduct our own detailed review of what happened.
We are also reaching out to this passenger to talk directly to him and further address and resolve this situation.”
This statement provoked a new wave of crisis. United’s social media audience accused him of being disrespectful and of misidentifying the cause of the problem.
Instead of apologizing for forcing the passenger to deplane, Munoz apologized for his inconvenience. The company’s social media audience was indignant. They satirized the situation, created memes and GIFs, and made jokes.
What’s more, United lost more than $800 Million in revenue. United wasn’t able to manage the crisis by themselves, and they had to hire a professional crisis management team.

Takeaway from the Case:
In United’s case, the CEO apologized, but his words caused even more indignation than before. Why was that? The instance that occurred on the plane was quite traumatic to those that witnessed it personally and those that saw it on video.
It deserved a heartfelt response, but the tweet showed a lack of understanding and accountability. In United’s case, the CEO’s apology sounded as if he didn’t actually care, and their audience immediately felt it.

Suggestion for managing Social media:
Online apologies have to be carefully crafted. Think of the emotions that need to be addressed and consider your words carefully – “how could this be offensive”? An apology should not sound like a press-release. When a brand makes a mistake they need to own up to it and let the public know that they are going to address it and ensure it never happens again.


Question 8.
Discuss General Liability Insurance vs Professional Liability Insurance. What are the businesses and individuals benefited by subscribing to a professional indemnity insurance policy? (Aug 2021, 4 marks)
Answer:
General Liability Insurance, as its name suggests, covers a business from a few “general” lawsuits that any business could face. In a nutshell, it kicks in when a third party (i.e., anyone who doesn’t work for the company) sues the business over:

  • Bodily injuries they incurred on commercial premises.
  • Damage caused to their property.
  • Advertising injuries (e.g., slander, libel, misappropriation, and copyright infringement).

General Liability Insurance pays for legal expenses (lawyers’ fees, court costs, and settlements or judgments). Again, any small-business owner, no matter their industry or the size of their business, can face these claims. That’s why many think about this policy to be the keystone of a business protection plan.

Professional Liability Insurance (aka “Errors and Omissions Insurance” or “Malpractice Insurance”) also lives up to its moniker. Its coverage focuses specifically on the lawsuits that stem from professional services.
While this policy is especially important for service providers to carry, most small business owners can benefit from its coverage. That’s because Professional Liability Insurance shields from third-party lawsuits alleging:
(a) Providing negligent professional services.
(b) Failing to uphold contractual promises.
(c) Providing incomplete or shoddy work.
(d) Making mistakes or omissions.
These torts are among the most expensive any business owner can face. Professionals don’t have to be at fault to be sued, either. All it takes is one unhappy client to name such business in a lawsuit to try to recoup the “losses” they incurred because of work. The Professional Liability policy ensures that the professional won’t be on the hook for legal expenses, regardless of whether the claim holds water.

Question 9.
Crisis management often requires decisions to be made within a short time frame, and often after an event has already taken place. In light of this statement, explain the meaning of Crisis Management and elaborate the (i) Crisis of Malevolence and (ii) Crisis of Organizational Misdeeds. (Aug 2021, 4 marks)
Answer:
Yes, it is true to say that Crisis management often requires decisions to be made within a short time frame, and often after an event has already taken place.
Crisis management is the identification of threats to an organization and its stakeholders, and the methods used by the organization to deal with these threats.
Due to the unpredictability of global events, organizations must be able to cope with the potential for drastic changes in the way they conduct business.
Crisis management is the process by which an organization deals with a disruptive and unexpected event that threatens to harm the organization or its stakeholders.
The study of crisis management originated with large-scale industrial and environmental disasters in the 1980s. It is considered to be the most important process in public relations.

In order to have a business continuity plan in the aftermath of a crisis, most firms start by conducting risk analysis on their operations.
Risk analysis is the process of identifying any adverse events that may occur and the likelihood of the events occurring. By running simulations and random variables with risk models, such as scenario tables, a risk manager can assess the probability of a risk occurring in the future, the best- and worst-case outcome of any negative event, and the damage that the company would incur should the risk actually happen.
Once the risk manager knows what she or he is dealing with in terms of possible risks and the impact to the firm, a plan is developed by the crisis management team to contain any emergency if and when it becomes a reality.
(i) Crisis of Malevolence:
(a) Organizations face crisis of malevolence when some notorious employees take the help of criminal activities and extreme steps to fulfill their demands.
(b) Acts like kidnapping company’s officials, false rumours all lead to crisis of malevolence.

(ii) Crisis of Organizational Misdeeds:
(a) Crisis of organizational misdeeds arise when management takes certain decisions knowing the harmful consequences of the same towards the stakeholders and external parties.
(b) In such cases, superiors ignore the after effects of strategies and implement the same for quick results. Crisis of organizational misdeeds can be further classified into following three types:
(i) Crisis of Skewed Management Values: Crisis of Skewed Management Values arises when management supports short term growth and ignores broader issues.
(ii) Crisis of Deception: Organizations face crisis of deception when management purposely tampers data and information. Management makes fake promises and wrong commitments to the customers. Communicating wrong information about the organization and products lead to crisis of deception.
(iii) Crisis of Management Misconduct: Organizations face crisis of management misconduct when management indulges in deliberate acts of illegality like accepting bribes, passing on confidential information and so on.


Question 10.
You are the Company Secretary of Nice Entertainment Ltd., a listed entity, engaged in the business of producing and trading of video games. The Board of directors have asked you to prepare and submit before the Board a note on Directors and Officers Liability Insurance (D and O Insurance). Prepare a brief note for perusal before the Board narrating the key features of the D and O Insurance Policy. (Aug 2021, 8 marks)
Answer:
Memorandum before the Board of Directors:
Subject: Directors and Officers Liability Insurance policy (D & O Insurance Policy)
This note is placed before the Board of Directors to highlight some key features of the Directors and Officers Liability Insurance Policy.

What is Directors and Officers Liability Insurance?
Directors and Officers Liability Insurance (D&O) covers the cost of legal defense of directors, even in their individual capacity, when the company is unable to defend them. The D&O cover applies to former, present, and future members of the board of directors or any employee performing a managerial role.

Generally, the policy covers the following:

  • Management Liability / Management indemnification
  • Non-Profit Outside Directorship Liability
  • Estates and legal representatives of incapacitated or deceased insured individuals covered
  • Spousal Liability extension
  • Cover for the creation or acquisition of new Subsidiary companies (effective from the date of acquisition or creation)

The D&O policy offers the following coverage:

  • It covers any loss or damage that the company may incur because of actions mistakenly taken in the individual capacity as directors and officers under the Memorandum and Articles of Association.
  • It includes loss or damage arising from claims made against directors and officers for any wrongful act done in their official capacity.
  • It covers legal expenditure incurred with the written consent of the insurance companies arising out of the prosecution of any director or officer at any investigation, enquiry or other proceedings by the authority empowered to do so.
  • It covers expenses incurred by the company’s shareholders in pursuance of a claim against a director/ officer for which the insurance company is legally obliged to pay, as per the court’s direction.
  • It provides indemnity to the legal heirs or legal representatives of the director/ officer if the director or officer becomes insolvent.

SEBI (LODR) Regulations, 2015
Regulation 25(10) of the SEBI (LODR) Regulations, 2015 states that with effect from October 1, 2018, the top 500 listed entities by market capitalization, calculated as on March 31 of the preceding financial year, shall undertake Directors and Officers insurance (‘D and O insurance’) for all their independent directors of such quantum and for such risks as may be determined by its board of directors.

Need of D&O Insurance Policy:
It is essential for every company to have directors & officers insurance (D&O), in order to have some peace of mind. If you haven’t purchased the policy, we’ve put together the top reasons to buy D&O insurance.

  1. Personal assets of directors are at risk: If a director has been accused of breaching duties, their personal assets are at risk in case they don’t have any D&O insurance.
  2. Defending a legal action is an expensive affair: The legal costs and expenses in litigations involving directors are usually complex and costly.
  3. Investors can file a case against you: It may sound unlikely, but things can go downward. If investors believe that they have incurred losses due to mismanagement of the company, they could approach the court to seek compensation.
  4. Customers can take legal actions: In some cases, customers also reach the court against misrepresentations made in the advertisement materials and deceptive trade practices.
  5. Enquiry initiated by regulatory authorities: Regulatory bodies, like SEBI, Revenue Department, etc., can initiate an enquiry against directors.
  6. In case of bankruptcy or insolvency: If faced with bankruptcy, creditors can pursue legal action against directors if they think that they have not acted in their best interest.
  7. Helps in attracting/retaining talent: Not having a comprehensive D&O may discourage talented employees from joining the company, as they know they will not be guarded against any legal case that may arise in future.
  8. D&O claims are not covered under any other policy: Most people wrongly believe that D&O claims are also covered under other liability insurance plans like professional indemnity.

Looking to the benefits attached to the D&O Insurance Policy and the need of the hour to protect our worthy directors and key officers, the Board of Directors is requested to consider buying a D&O Insurance Policy.
Submitted for perusal and approval, please.

Sd/-
Company Secretary


Question 11.
‘Financial Service Sector is emerging across boundaries.’
In this context, explain in brief International Financial Service Centre and its Regulator. (Dec 2021, 4 marks)
Answer:

  • Section 18 of the Special Economic Zones Act, 2005 states that the Central Government may approve the setting up of an International Financial Service Centre in a Special Economic Zone and prescribe the requirements for setting up and operation of such Centre, provided that the Central Government shall approve only one International Financial Services Centre in a Special Economic Zone.
  • Sec 18(2) of the Act provides that the Central Government may, subject to such guidelines as may be framed by the Reserve Bank of India, the Securities and Exchange Board of India, the Insurance Regulatory and Development Authority and such other concerned authorities as it deems fit, prescribe the requirements for setting up and the terms and conditions of the operation of Units in an International Financial Service Centre, which caters to customers outside the jurisdiction of the domestic economy.
  • Such centres deal with flows of finance, financial products and services across borders; London, New York and Singapore can be counted as global financial centres.

Services an International Financial Service Centre can provide:

  • Fund-raising services for individuals, corporations and governments.
  • Asset management and global portfolio diversification undertaken by pension funds, insurance companies and mutual funds.
  • Wealth management.
  • Global tax management and cross-border tax liability optimization, which provides a business opportunity for financial intermediaries, accountants and law firms.
  • Global and regional corporate treasury management operations that involve fundraising, liquidity investment and management and asset-liability matching.
  • Risk management operations such as insurance and reinsurance.
  • Merger and acquisition activities among trans-national corporations.

IFSCs in India:
The first International Financial Service Centre in India has been set up at the Gujarat International Finance Tec-City in Gandhinagar.

International Financial Service Centre Authority:
As the dynamic nature of business in the IFSCs requires a high degree of inter-regulatory coordination within the financial sector, the IFSCA has been established as a unified regulator with a holistic vision in order to promote ease of doing business in the IFSC and provide a world class regulatory environment.
The main objective of the IFSCA is to develop a strong global connect and focus on the needs of the Indian economy as well as to serve as an international financial platform for the entire region and the global economy as a whole.


Question 12.
‘Risk Management should be tailored to the specific Company, but generally a Risk Management system should provide for ways to identify material risks, implement appropriate risk management strategies and transmit necessary information to the senior executives of the Company for their appropriate actions’. Explain the actions which a Board and Committee should consider as part of their risk management oversight. (Dec 2021, 8 marks)
Answer:
The board should seek to promote an effective, on-going risk dialogue with management, design the right relationships between the board and its standing committees as to risk oversight and ensure appropriate resources support risk management systems.
Specific types of actions that the board and appropriate board committees may consider as part of their risk management oversight include the following:
1. review with management the company’s risk appetite and risk tolerance and assess whether the company’s strategy is consistent with the agreed-upon risk appetite and tolerance for the company;

2. establish a clear framework for holding the CEO accountable for building and maintaining an effective risk appetite framework and providing the board with regular, periodic reports on the company’s residual risk status;

3. review with management the categories of risk the company faces, including any risk concentrations and risk interrelationships, as well as the likelihood of occurrence, the potential impact of those risks, mitigating measures and action plans to be employed if a given risk materializes;

4. review with management the ways in which risk is measured on an aggregate, company wide basis, the setting of aggregate and individual risk limits (quantitative and qualitative, as appropriate), the policies and procedures in place to hedge against or mitigate risks and the actions to be taken if risk limits are exceeded;

5. review with management the assumptions and analysis underpinning the determination of the company’s principal risks and whether adequate procedures are in place to ensure that new or materially changed risks are properly and promptly identified, understood and accounted for in the actions of the company;

6. review with committees and management the board’s expectations as to each group’s respective responsibilities for risk oversight and management of specific risks to ensure a shared understanding as to accountabilities and roles;

7. review the company’s executive compensation structure to ensure it is appropriate in light of the company’s articulated risk appetite and risk culture and to ensure it is creating proper incentives in light of the risks the company faces;

8. review the risk policies and procedures adopted by management, including procedures for reporting matters to the board and appropriate committees and providing updates, to assess whether they are appropriate and comprehensive;

9. review management’s implementation of its risk policies and procedures, to assess whether they are being followed and are effective;

10. review with management the means by which the company’s risk management strategy is communicated to all appropriate groups within the company so that it is properly integrated into the company’s enterprise-wide business strategy;

11. review internal systems of formal and informal communication across divisions and control functions to encourage the prompt and coherent flow of risk-related information within and across business units and, as needed, the prompt escalation of information to senior management (and to the board or board committees as appropriate); and

12. review reports from management, independent auditors, internal auditors, legal counsel, regulators, stock analysts and outside experts as considered appropriate regarding risks the company faces and the company’s risk management function, and consider whether, based on each individual director’s experience, knowledge and expertise, the board or committee primarily tasked with carrying out the board’s risk oversight function is sufficiently equipped to oversee all facets of the company’s risk profile, including specialized areas such as cyber security, and determine whether subject-specific risk education is advisable for such directors.

Question 13.
(a) “Crisis management amounts to controlling of an unruly horse which, if not be properly bridled, it carries its rider where he knows not. Even if it is an apology, it has to be carefully crafted.” Explain the statement with the help of any two suitable cases. (June 2022, 8 marks)

Question 14.
The independent directors of Suga Ltd. suggested to the management that the Company should take an “independent director insurance” policy. However, the executive directors contended that the Company already had a ‘Side A Insurance’ and so no other insurance policy was required. Is the contention of the executive directors justified? (June 2022, 4 marks)

Question 15.
(i) ABC & Co., Chartered Accountants, are the Statutory Auditors, as well as the Internal Auditors of Super Sky Limited. Evaluate whether the same is permitted under the Companies Act, 2013. If not, what are the penal provisions under the Companies Act, 2013?
(ii) “Directors and Officers (D & O) insurance has become closely associated with broader management liabilities insurance, which covers liabilities of the corporate itself as well as the personal liabilities for the directors and officers of the company”. Enumerate the reasons to buy D & O policy. (June 2019, 4 marks each)
Answer:
(i) As per the provisions of Section 144 of the Companies Act, 2013, the statutory auditor of a Company shall not provide internal audit services. The internal audit services provided by ABC & Co., Chartered Accountants, to Super Sky Limited are therefore not permissible under the Companies Act, 2013. As per section 147(2) of the Companies Act, 2013, if an auditor of a company contravenes any of the provisions of section 139, section 143, section 144 or section 145, the auditor shall be punishable with fine which shall not be less than twenty-five thousand rupees but which may extend to five lakh rupees or four times the remuneration of the auditor, whichever is less.
Provided that if an auditor has contravened such provisions knowingly or wilfully with the intention to deceive the company or its shareholders or creditors or tax authorities, he shall be punishable with imprisonment for a term which may extend to one year and with fine which shall not be less than one lakh rupees but which may extend to twenty-five lakh rupees.
ABC & Co. is liable to the penalties mentioned above and it cannot file an application for compounding, as the offence committed under section 144 of the Companies Act, 2013 is a non-compoundable offence if the auditor has contravened the provisions knowingly or wilfully.

(ii) Directors and officers insurance affords protection to directors and officers from liability arising from actions connected to their corporate responsibilities. The policy provides indemnity to the directors and officers in respect of legal costs in defending proceedings brought against them alleging wrongful acts.
Key reasons to buy D&O insurance are:

  • Personal assets of directors are at risk: If a director has been accused of breaching duties, their personal assets are at risk in case they don’t have any D&O insurance.
  • Defending a legal action is an expensive affair: The legal costs and expenses in litigations involving directors are usually complex and costly.
  • Investors can file a case: If investors believe that they have incurred losses due to mismanagement of the company, they could approach the court to seek compensation.
  • Employees can sue: It is not only shareholders who can file a case against the directors as even employees reach the court to challenge the decision of the directors. It is a hard reality that in today’s corporate world, there has been a rise in the number of cases filed by employees, related to sexual harassment or wrongful dismissal.
  • Customers can take legal actions: In some cases, customers also reach the court against misrepresentations made in the advertisement materials and deceptive trade practices.
  • Enquiry initiated by regulatory authorities: Regulatory bodies like SEBI, Revenue Department, etc, can initiate enquiry against directors.
  • In case of bankruptcy or insolvency: If faced with bankruptcy, creditors can pursue legal action against directors if they think that they have not acted in their best interest.
  • Helps in attracting/retaining talent: Not having a comprehensive D&O policy may discourage talented employees from joining the company, as they know they will not be protected against any legal case that may arise in the future.
  • D&O claims are not covered under any other policy: Most people believe that D&O claims are also covered under other liability insurance plans like professional indemnity.

Question 16.
One of the plant site locations of PS Steel Ltd. has been lying idle for some time and the company has no plan to use that site. Earlier, the company was planning to set up a mini steel plant on this site, but due to its non-connectivity with rail/road the project was not economically viable, and the Board of directors decided to dispose of the land. However, the sale of land requires the approval of the shareholders.
The Board of directors of PS Steel Ltd. authorized S. Kumar, a Real Estate Agent, to sell the land, knowing that the sale required the approval of the shareholders. The land was sold by S. Kumar much below the market price prevailing in that area. The amount was deposited in the company’s bank account and was subsequently withdrawn by the directors through cheques.
Is the act of the directors justified? Comment on the basis of decided case law. (Aug 2021, 4 marks)
Answer:
In J.K. Paliwal and Shri B.K. Paliwal v. Paliwal Steel Ltd. and Others, the Principal Bench of the Company Law Board found that a property of the company had been sold without any authorization by the Board of Directors or the shareholders, that the requirements for such a sale had not been complied with, and that in addition the consideration was inadequate.
Further, it was observed that the transaction was sham and the sale consideration was deposited in the bank and was withdrawn on the same day. On these facts, in the above case, the Company Law Board held that the respondents have breached their fiduciary duties as directors.

The Company Law Board held that on the role of Directors, the law is well settled. In some respects, Directors resemble trustees. Equity prohibits a trustee from making any profit by his management, directly or indirectly. It is objectionable to use such power simply or solely for the benefit of directors or merely for an extraneous purpose like maintenance or acquisition of control over the affairs of the company. Directors are required to act on behalf of a company in a fiduciary capacity and their acts and deeds have to be exercised for the benefit of the company.
The fiduciary capacity within which Directors have to act enjoins upon them a duty to act on behalf of a company with utmost good faith, utmost care and skill and due diligence and in the interest of the company they represent. They have a duty to make full and honest disclosure to the shareholders regarding all important matters relating to the company.
In this case without getting the approval of the shareholders as required under the provisions of the Companies Act, the directors sold the properties of the company and shared the proceeds among themselves.
This act is ultra vires and they are bound to return the proceeds to the company failing which they can be penalised under the provisions of the Companies Act.

Question 17.
“D & O policies can take different forms, depending on the nature of the organization and the risks it faces, so it’s best to seek out an insurance company with deep experience in this specialized field. The policies are generally purchased by the organization to cover a group of individuals rather than by the individuals themselves. Even the non-profit organizations may also purchase D&O insurance policy for a better protection”. Comment. (June 2022, 4 marks)

Question 18.
Write short note on crisis management.
Answer:
Crisis Management

  • Crisis management is the identification of threats to an organization and its stakeholders, and the methods used by the organization to deal with these threats. Due to the unpredictability of global events, organizations must be able to cope with the potential for drastic changes in the way they conduct business.
  • Crisis management often requires decisions to be made within a short time frame, and often after an event has already taken place. In order to reduce uncertainty in the event of a crisis, organizations often create a crisis management plan.
  • Any business, large or small, may run into problems that may negatively impact its normal course of operations. Crises such as a fire, death of a CEO, terrorist attack, data breach, or natural disasters can lead to tangible and intangible costs to a company in terms of lost sales, customers, and a decrease in the firm’s net income.
  • Businesses that effectively put a business continuity plan in place in case of unforeseen contingencies can mitigate the effects of any negative event that occurs. The process of having a continuity plan in place in the event of a crisis is known as crisis management.
  • Crisis management is not necessarily the same thing as risk management. Unlike risk management, which involves planning for events that might occur in the future, crisis management involves reacting to negative events during and after they have occurred.
  • An oil company for example, may have a plan in place to deal with the possibility of an oil spill, but if such a disaster actually occurs, the magnitude of the spill, the backlash of public opinion, and the cost of cleanup can vary greatly and may exceed expectations.
  • Crisis can either be self-inflicted or caused by external forces.
  • Examples of external forces that could affect an organization’s operations include natural disasters, security breaches, or false information about a company that hurts its reputation.
  • Self-inflicted crises are caused within the organization, such as when an employee smokes in an environment with hazardous chemicals, opens or downloads questionable files on an office laptop, offers poor customer service that goes viral online, or an accounting department cooks the books.
  • Internal crisis can be managed, mitigated, or avoided if a company enforces strict compliance guidelines and protocols regarding ethics, policies, rules, and regulations among employees.

Question 19.
Write short note on Professional Liability.
Answer:
Professional Liability

  • Professional liability insurance protects professionals such as accountants, lawyers and physicians against negligence and other claims initiated by their clients. It is required by professionals who have expertise in a specific area because general liability insurance policies do not offer protection against claims arising out of business or professional practices such as negligence, malpractice or misrepresentation.
  • Depending on the profession, professional liability insurance may have different names, such as medical malpractice insurance for the medical profession, and errors & omissions insurance for real estate agents.
  • Professional liability insurance is a specialty coverage that is not provided under homeowners’ endorsements, in-home business policies or business-owners’ policies. It only covers claims made during the policy period.

Question 20.
Write short note on Director and Officer Insurance Policy.
Answer:

  • Almost 25 years have passed since India ushered in a new era of commercial liberalization and reform.
  • This continuous and gradual opening up of the economy, driven by a robust growth in domestic consumer demand, has resulted in an influx of foreign investment, which in turn has strengthened private Indian companies.
  • This impressive story of economic growth, however, also has its dark side.
  • Like most jurisdictions, India is no stranger to corporate fraud and scams. Because of significant cultural differences in how Indian companies function vis-a-vis their international counterparts, Indian companies are often seen as less professional.
  • Though the scenario may be changing, the “family business” outlook of many Indian enterprises and an occasionally lackadaisical approach to various compliance and disclosure requirements continue to prevail. Siphoning of funds through related-party transactions, accounting irregularities, and corruption are just a few of the common, unfortunate trends that are prevalent in Indian companies.
  • Directors and officers (D&O) liability insurance is insurance coverage intended to protect individuals from personal losses if they are sued as a result of serving as a director or an officer of a business or other type of organization.
  • It can also cover the legal fees and other costs the organization may incur as a result of such a suit.
  • Directors and officers liability insurance applies to anyone who serves as a director or an officer of a for-profit business or non-profit organization. A directors and officers liability policy insures against personal losses, and it can also help reimburse a business or non-profit for the legal fees or other costs incurred in defending such individuals against a lawsuit.
  • Directors and officers liability insurance is paid to directors and officers of a company, or to the organization(s) itself, for losses or reimbursement of defense costs if a legal action is brought against them.
  • Such coverage can also extend to criminal and regulatory investigations/trials defense costs. Civil and criminal actions are often brought against directors and officers simultaneously.
  • D&O insurance has become closely associated with broader management liability insurance, which covers liabilities of the corporation itself as well as the personal liabilities for the directors and officers of the corporation.

Question 21.
Write short note on Cyber Security.
Answer:
Cyber Security

  • As mentioned above, the EU’s General Data Protection Regulation (GDPR), which takes effect in May 2018, raises the regulatory bar, and it sweeps more broadly than some non-EU-based companies may realize.
  • The GDPR imposes stringent requirements on both data collection and data processing, including increased data security mandates, enhanced obligations to obtain data owner consent, and strict breach notification requirements.
  • Importantly, the GDPR is extraterritorial in its reach, and carries severe penalties for noncompliance (up to 4% of worldwide revenue). In the United States, the New York State Department of Financial Services (DFS) has implemented detailed and prescriptive regulations of its own, requiring covered institutions (entities authorized under New York State banking, insurance or financial services laws) to meet strict minimum cyber security standards.
  • The revised regulations require, among other things, that covered institutions have in place a cyber security program designed to protect consumers’ private data, approved by boards of directors or senior corporate officers and accompanied by annual compliance certifications, the first of which was required to be filed on February 15, 2018.
  • Meanwhile, the SEC has turned its attention to market disclosure and breach notification. Since 2011, when the SEC’s Division of Corporation Finance issued interpretive guidance regarding cyber security disclosures, public companies have been required to “disclose the risk of cyber incidents if they are among the most significant factors that make an investment in the company speculative or risky.”
  • In February 2018, the SEC issued new guidance to clarify its expectations on such disclosures.
  • The majority of the 2018 guidance focuses on “reinforcing and expanding upon” the 2011 guidance, advising public companies to evaluate the materiality of cyber risks and incidents and make necessary disclosures in a timely fashion, while warning that the SEC is watching closely.

Question 22.
Write short note on Legal Compliance Programme.
Answer:
Legal Compliance Programs

  • Senior management should provide the board or committee with an appropriate review of the company’s legal compliance programs and how they are designed to address the company’s risk profile and detect and prevent wrongdoing. While compliance programs will need to be tailored to the specific company’s needs, there are a number of principles to consider in reviewing a program.
  • As noted earlier, there should be a strong “tone at the top” from the board and senior management emphasizing the company’s commitment to full compliance with legal and regulatory requirements, as well as internal policies.
  • This cultural element is taking on increasing importance and receiving heightened attention from regulators as well.
  • A compliance program should be designed by persons with relevant expertise and will typically include interactive training as well as written materials. Compliance policies should be reviewed periodically to assess their effectiveness and to make any necessary changes.
  • Policies and procedures should fit with business realities. A rule book that looks good on paper but is not followed will end up hurting rather than helping. There should be consistency in enforcing stated policies through appropriate disciplinary measures.
  • Finally, there should be clear reporting systems in place both at the employee level and at the management level so that employees understand when and to whom they should report suspected violations and so that management understands the board’s or committee’s informational needs for its oversight purposes.
  • A company may choose to appoint a chief compliance officer and/or constitute a compliance committee to administer the compliance program, including facilitating employee education and issuing periodic reminders.
  • If there is a specific area of compliance that is critical to the company’s business, the company may consider developing a separate compliance apparatus devoted to that area.

Question 23.
Write short note on Enterprise Risk Management.
Answer:

  • Risk management, also known as Enterprise Risk Management (“ERM”), is a systematic and holistic approach for firms to address all their risks, whether operational, strategic or financial, comprehensively.
  • ERM focuses on identifying risks, developing and monitoring a risk management system and reacting to risk events, when they occur.
  • As ERM is a firm-wide effort to manage all the firm’s risks, involvement by the company’s board of directors and senior management is imperative.
  • In India, both the Companies Act, 2013 and the Listing Guidelines view risk management practices as one of the fundamental functions of the board of directors.

The COSO approach presents eight interrelated components of ERM:

  • internal environment (the tone of the organization),
  • setting objectives
  • event identification
  • risk assessment
  • risk response
  • control activities
  • information and communications, and
  • monitoring.

The significance of ERM can be seen in the value it creates when effectively implemented and the value it destroys when there are shortcomings in leadership and implementation.
1. Value creation: ERM is a critical component of value creation. To create value successfully, ERM must play a central role in every substantive business decision. Effective ERM can enable a company to manage potential future events that create uncertainty, and respond to uncertainty in a manner that reduces the likelihood of downside surprises. ERM can also help a company improve the quality of risk taking and thereby, give the company a competitive advantage.

2. Avoiding value destruction: A company cannot preserve its value if its ERM is below standard. This role of preserving corporate value is far more visible when ERM fails than when it succeeds. Failures in risk management have contributed to some of the most significant scandals and losses suffered by companies. Recent significant failures include environmental disasters (e.g. BP), financial fraud (e.g. Enron, WorldCom, Satyam), foreign bribery (e.g. Siemens) and massive trading losses (e.g. JP Morgan).

Question 24.
Distinguish between General Liability Insurance and Professional Liability Insurance.
Answer:
General Liability Insurance Vs. Professional Liability Insurance
General Liability Insurance, like its name suggests, covers your business from a few “general” lawsuits that any business could face. In a nutshell, it kicks in when a third party (i.e., anyone who doesn’t work for your company) sues your business over:
(a) Bodily injuries they incurred on your commercial premises.
(b) Damage you caused their property.
(c) Advertising injuries (e.g., slander, libel, misappropriation, and copyright infringement).
General Liability Insurance pays for your legal expenses (lawyers’ fees, court costs, and settlements or judgments). Again, any small-business owner, no matter their industry or the size of their business, can face these claims. That’s why many consider this policy to be the keystone of a business protection plan.

Professional Liability Insurance (a.k.a. “Errors and Omissions Insurance” or “Malpractice Insurance”) also lives up to its moniker. Its coverage focuses specifically on the lawsuits that stem from your professional services.
Though this policy is especially important for service providers to carry, most small-business owners can benefit from its coverage. That’s because Professional Liability Insurance shields you from third-party lawsuits alleging that you:
(a) Provided negligent professional services.
(b) Failed to uphold contractual promises.
(c) Provided incomplete or shoddy work.
(d) Made mistakes or omissions.

Question 25.
What are the different types of crisis?
Answer:
Types of Crisis
1. Natural Crisis:
Disturbances in the environment and nature lead to natural crisis. Such events are generally beyond the control of human beings. Tornadoes, earthquakes, hurricanes, landslides, tsunamis, floods and droughts all result in natural disasters.

2. Technological Crisis:
Technological crisis arises as a result of failure in technology. Problems in the overall systems lead to technological crisis. Breakdown of machine, corrupted software and so on give rise to technological crisis.

3. Confrontation Crisis:
(a) Confrontation crises arise when employees fight amongst themselves. Individuals do not agree with each other and eventually resort to non-productive acts like boycotts, strikes for indefinite periods and so on.
(b) In such a type of crisis, employees disobey superiors; give them ultimatums and force them to accept their demands.
(c) Internal disputes, ineffective communication and lack of coordination give rise to confrontation crisis.

4. Crisis of Malevolence:
(a) Organizations face a crisis of malevolence when some notorious employees take the help of criminal activities and extreme steps to fulfil their demands.
(b) Acts like kidnapping the company’s officials or spreading false rumours all lead to a crisis of malevolence.

5. Crisis of Organizational Misdeeds:
(a) Crises of organizational misdeeds arise when management takes certain decisions knowing the harmful consequences of the same towards the stakeholders and external parties.
(b) In such cases, superiors ignore the after effects of strategies and implement the same for quick results. Crisis of organizational misdeeds can be further classified into following three types:
(i) Crisis of Skewed Management Values: Crisis of Skewed Management Values arises when management supports short term growth and ignores broader issues.
(ii) Crisis of Deception: Organizations face crisis of deception when management purposely tampers data and information. Management makes fake promises and wrong commitments to the customers. Communicating wrong information about the organization and products lead to crisis of deception.
(iii) Crisis of Management Misconduct: Organizations face crisis of management misconduct when management indulges in deliberate acts of illegality like accepting bribes, passing on confidential information and so on.

6. Crisis due to Workplace Violence:
Such a type of crisis arises when employees indulge in violent acts, such as beating fellow employees or superiors on the office premises itself.

7. Crisis due to Rumours:
Spreading false rumours about the organization and brand lead to crisis. Employees must not spread anything which would tarnish the image of their organization.

8. Bankruptcy:
A crisis also arises when an organization fails to pay its creditors and other parties. Lack of funds leads to crisis.

9. Crisis Due to Natural Factors:
Disturbances in environment and nature such as hurricanes, volcanoes, storms, floods, droughts, earthquakes etc. result in crisis.

10. Sudden Crisis:
As the name suggests, such situations arise all of a sudden and on an extremely short notice. Managers do not get warning signals and such a situation is in most cases beyond any one’s control.

11. Smouldering Crisis:
Neglecting minor issues in the beginning leads to a smouldering crisis later. Managers often can foresee a crisis, but they should not ignore it and wait for someone else to take action. Warn the employees immediately to avoid such a situation.

Question 26.
How does Professional Liability Insurance work?
Answer:
How Professional Liability Insurance Works

  • Professional liability insurance policies are usually arranged on a claims-made basis, which means coverage is good only for claims made during the policy period.
  • Typical professional liability policies will indemnify the insured against loss arising from any claim or claims made during the policy period by reason of any covered error, omission or negligent act committed in the conduct of the insured’s professional business during the policy period.
  • Incidents occurring before the coverage was activated may not be covered, although some policies may include a retroactive date.
  • Coverage does not include criminal prosecution, nor all forms of legal liability under civil law, only those listed in the policy.
  • Cyber liability, covering data breach and other technology issues, may not necessarily be included in core policies.
  • However, insurance that covers data security and other technology security-related issues is available as a separate policy.
  • Some professional liability policies are worded more tightly than others. While a number of policy wordings are designed to satisfy a stated minimum approved wording, which makes them easier to compare, others differ dramatically in the coverages they provide.
  • For example, breach of duty may be included if the incident occurred and was reported by the policy holder to the insurer during the policy period. Wordings with major legal differences can be confusingly similar to non-lawyers.

Question 27.
What are the challenges facing Boards of Directors in developing E.R.M.?
Answer:
Challenges facing Boards of Directors in developing ERM
Over the past several years, corporate India has become much more engaged with and sensitized to ERM. Leading companies have formed risk management and compliance teams that are integrated within the firm and that provide valuable information to the board. Nevertheless, there is room for improvement. Indian boards face significant challenges in designing and implementing an effective ERM system, including:
(a) Effectively linking risk and strategy:

  • Integrating risk management into the overall corporate strategy is a challenge for many Indian firms.
  • The challenge is to have an ERM system that encompasses a process capable of being applied in strategy setting across the enterprise. “Effective risk management is not about eliminating risk taking, which is a fundamental driving force in business and entrepreneurship.”
  • In other words, taking appropriate risk needs to be at the heart of corporate strategy.
  • For this to happen, the board must understand and guide the company’s appetite and ability to take risk, and communicate the same to the company’s risk management team.

(b) Implementing cost-effective risk management for small and medium-sized enterprises:

  • While the costs of risk management failures can be high, designing and implementing efficient ERM can also be quite costly, especially for small and medium-sized firms.
  • For example, hiring consultants or the necessary staff to develop stress-testing and early warning systems to alert the board regarding significant risks can be difficult to do in smaller companies.
  • In addition, while large firms can establish a ‘chief risk officer’ function with direct report to the board, doing so is much harder for smaller companies.

(c) Addressing all major areas of risk: ERM requires a firm to take a portfolio view of risk; boards must consider how various risks inter-relate, rather than treating each business and risk individually. This is a significant challenge for many boards.

(d) Mitigating new risks:

  • In India, many complex areas of risks have emerged in the last decade or so, which has made risk management particularly challenging.
  • For example, some traditional areas of risk, such as political instability and strikes and unrest, appear to have subsided while others, such as information and cyber security as well as terrorism and insurgency, have increased in prominence. Companies in a wide variety of industries have experienced the theft of data and sensitive information. For companies in major cities, the threat of terror attacks has become a growing cause for concern, which can be hard for the company to manage by itself. According to a 2015 survey, the top five risks for Indian firms include:
    1. corruption, bribery and corporate fraud
    2. information and cyber security
    3. terrorism and insurgency
    4. business espionage; and
    5. crime.

Question 28.
What are the special considerations regarding Cyber Security Risk?
Answer:

  • The ever-increasing dependence on technological advances that characterizes all aspects of business and modern life has been accompanied by a rapidly growing threat of cybercrime, the cost of which, according to a 2017 report by Herjavec Group, is expected to grow to more than $6 trillion annually by 2021.
  • As recent examples (e.g., the hacking of computer networks belonging to the SEC and to Equifax) have highlighted, network security breaches, damage to IT infrastructure and theft of personal data, trade secrets and commercially sensitive information are omnipresent risks that pose a significant financial and reputational threat to companies of all kinds.
  • With computing devices increasingly embedded in everyday items and connected to the “Internet of Things,” virtually all company functions across all industries are exposed to cybersecurity risk.
  • In light of the growing number of successful cyber attacks on even the most technologically sophisticated entities, lawmakers and regulators in the United States and abroad have increased their attention to cybersecurity risk.
  • In the United States, regulatory and enforcement activity relating to cybersecurity has continued to ramp up at the state level.
  • Internationally, the European Union’s General Data Protection Regulation (GDPR) will take effect in May 2018, significantly increasing data handling requirements for companies with even a minimal European nexus. Companies are thus facing a two-front storm, with regulatory risks compounding the security threat.
  • In response, engaged corporate leaders should implement comprehensive cyber security risk mitigation programs, deploying the latest defensive technologies without losing focus on core security procedures like patch installation and employee training, executing data and system testing procedures, implementing effective and regularly exercised cyber incident response plans, and ensuring that the board is engaged in cyber risk oversight.
  • As cyber security risk continues to rise in prominence, so too has the number of companies that have begun to specifically situate cyber security and cyber risk within their internal audit function.
  • A recent Internal Audit Capabilities and Needs Survey, conducted by Protiviti, found that 73% of the companies surveyed now include cyber security risk as part of their internal audit function, up from 53% in 2015.
  • Directors should assure themselves that their company’s internal audit function is performed by individuals who have appropriate technical expertise and sufficient time and resources to devote to cyber security risk.
  • Further, the internal audit team should understand and periodically test the company’s risk mitigation strategy, and provide timely reports on cyber security risk to the Board’s audit committee.

Crisis Management & Risk and Liability Mitigation Notes

Crisis Management
Crisis management is the identification of threats to an organization and its stakeholders, and the methods used by the organization to deal with these threats. Due to the unpredictability of global events, organizations must be able to cope with the potential for drastic changes in the way they conduct business. Crisis management often requires decisions to be made within a short time frame, and often after an event has already taken place. In order to reduce uncertainty in the event of a crisis, organizations often create a crisis management plan.

Types of Crisis
1. Natural Crisis: Disturbances in the environment and nature lead to natural crisis. Such events are generally beyond the control of human beings. Tornadoes, Earthquakes, Hurricanes, Landslides, Tsunamis, Flood, Drought all result in natural disaster.

2. Technological Crisis: Technological crisis arises as a result of failure in technology. Problems in the overall systems lead to technological crisis. Breakdown of machine, corrupted software and so on give rise to technological crisis.

3. Confrontation Crisis:
(a) Confrontation crises arise when employees fight amongst themselves. Individuals do not agree with each other and eventually resort to non-productive acts like boycotts, strikes for indefinite periods and so on.
(b) In such a type of crisis, employees disobey superiors; give them ultimatums and force them to accept their demands.
(c) Internal disputes, ineffective communication and lack of coordination give rise to confrontation crisis.

4. Crisis of Malevolence:
(a) Organizations face a crisis of malevolence when some notorious employees resort to criminal activities and extreme steps to fulfil their demands.
(b) Acts like kidnapping the company’s officials and spreading false rumours all lead to a crisis of malevolence.

5. Crisis of Organizational Misdeeds
(a) Crises of organizational misdeeds arise when management takes certain decisions knowing the harmful consequences of the same towards the stakeholders and external parties.
(b) In such cases, superiors ignore the after effects of strategies and implement the same for quick results.

6. Crisis due to Workplace Violence:
Such a type of crisis arises when employees indulge in violent acts, such as beating fellow employees or superiors, on the office premises itself.

7. Crisis due to Rumours:
Spreading false rumours about the organization and its brand leads to crisis. Employees must not spread anything which would tarnish the image of their organization.

8. Bankruptcy:
A crisis also arises when an organization fails to pay its creditors and other parties. Lack of funds leads to crisis.

9. Crisis Due to Natural Factors:
Disturbances in the environment and nature, such as hurricanes, volcanoes, storms, floods, droughts, earthquakes etc., result in crisis.

10. Sudden Crisis:
As the name suggests, such situations arise all of a sudden and on an extremely short notice. Managers do not get warning signals and such a situation is in most cases beyond any one’s control.

11. Smouldering Crisis:
Neglecting minor issues in the beginning leads to a smouldering crisis later. Managers can often foresee a crisis; they should not ignore it and wait for someone else to take action. Warn the employees immediately to avoid such a situation.

Professional Liability:

  • Professional liability insurance protects professionals such as accountants, lawyers and physicians against negligence and other claims initiated by their clients.
  • It is required by professionals who have expertise in a specific area because general liability insurance policies do not offer protection against claims arising out of business or professional practices such as negligence, malpractice or misrepresentation.
  • Professional liability insurance is a specialty coverage that is not provided under homeowners’ endorsements, in-home business policies or business-owners’ policies. It only covers claims made during the policy period.

How Professional Liability Insurance Works:

  • Professional liability insurance policies are usually arranged on a claims-made basis, which means coverage is good only for claims made during the policy period.
  • Typical professional liability policies will indemnify the insured against loss arising from any claim or claims made during the policy period by reason of any covered error, omission or negligent act committed in the conduct of the insured’s professional business during the policy period.
  • Incidents occurring before the coverage was activated may not be covered, although some policies may include retroactive date.

Professional Indemnity Insurance:

  • Professional Indemnity Insurance is a type of business insurance, typically for organizations that provide consultation or any professional services to its clients.
  • Professional indemnity insurance covers claims made against businesses in case their clients have sued them for causing significant financial loss due to their advice and services.
  • The insurance company handles the confidential data of its clients and their intellectual property, which it analyzes before it provides consultation and the required services.
  • Keeping in mind the confidentiality of such information, it becomes very important for a business to take up professional indemnity insurance or professional liability insurance.

D&O Policy:

  • Almost 25 years have passed since India ushered in a new era of commercial liberalization and reform.
  • This continuous and gradual opening up of the economy, driven by a robust growth in domestic consumer demand, has resulted in an influx of foreign investment, which in turn has strengthened private Indian companies.
  • This impressive story of economic growth, however, also has its dark side. Like most jurisdictions, India is no stranger to corporate fraud and scams.
  • Because of significant cultural differences in how Indian companies function vis-a-vis their international counterparts, Indian companies are often seen as less professional.

Trigger for buying D&O Cover in India:

  • Several Indian companies are getting themselves listed on foreign stock exchanges, acquiring or merging with non-Indian companies.
  • This creates a litigious environment in overseas jurisdictions; the high legal costs there are also making D&O insurance imperative for these companies.
  • With more Indian companies becoming globalized, it is highly likely that the risk of claims and litigation for the directors and officers of a company will continue to see a major increase, both in the present as well as in the future.
  • Stricter regulation is also one of the strongest reasons behind firms increasing their requirement for purchasing insurance for the company.
  • Moreover, the purchase of D&O liability cover seems to be driven more by regulatory requirements than by a risk management approach.

D&O Insurance for Non-Profit Organisations:

  • It is a misconception to believe that only large nonprofit organizations need D&O insurance. Directors and officers of nonprofit organizations of every size have meaningful exposure to personal liability.
  • About 20% of all U.S. corporations are non-profits. The liability for directors and officers of small corporations is at least as high as that of for-profit corporations.
  • D&O insurance will not prevent claims from occurring; however, it does mitigate the high costs associated with defending claims.
  • Lawsuits and potential claims may originate with vendors, donors, competitors, employees, government regulators or others.
  • D&O insurance policies are common and necessary to cover the actions and decisions of board directors and officers. D&O insurance policies offer coverage for defense costs, settlements, judgments arising from lawsuits and wrongful allegations brought against the nonprofit. Board directors should take care to understand their D&O insurance policies.
  • Specifically, they need to be familiar with policy wording for directors and officers, as well as any additions, conditions and exclusions listed within the policy wording.

Dodd-Frank:

  • The Dodd-Frank Act created new federally mandated risk management procedures principally for financial institutions.
  • Dodd-Frank requires bank holding companies with total assets of $10 billion or more, and certain other non-bank financial companies as well, to have a separate risk committee which includes at least one risk management expert with experience managing the risk of large companies.

Foreign Corrupt Practices Act:

  • In November 2017, the Department of Justice announced a new FCPA enforcement policy that codified and enhanced a pilot program launched in April 2016.
  • Under the pilot program, companies were eligible for a range of mitigation credit if they voluntarily self-reported FCPA misconduct; fully cooperated with the DOJ’s investigation, including disclosing all relevant facts and identifying culpable individuals; and implemented timely and appropriate remedial measures.
  • The pilot program, as intended, appears to have sparked an increase in the number of companies voluntarily disclosing FCPA-related misconduct to the DOJ, with seven companies receiving DOJ decisions not to prosecute due to their participation in the pilot program.

Cyber Security:

  • As mentioned above, the EU’s General Data Protection Regulation (GDPR), which takes effect in May 2018, raises the regulatory bar, and it sweeps more broadly than some non-EU-based companies may realize.
  • The GDPR imposes stringent requirements on both data collection and data processing, including increased data security mandates, enhanced obligations to obtain data owner consent, and strict breach notification requirements.
  • Importantly, the GDPR is extraterritorial in its reach, and carries severe penalties for non-compliance, up to 4% of worldwide revenue.

Legal Compliance Programs:

  • Senior management should provide the board or committee with an appropriate review of the company’s legal compliance programs and how they are designed to address the company’s risk profile and detect and prevent wrongdoing.
  • While compliance programs will need to be tailored to the specific company’s needs, there are a number of principles to consider in reviewing a program.
  • As noted earlier, there should be a strong “tone at the top” from the board and senior management emphasizing the company’s commitment to full compliance with legal and regulatory requirements, as well as internal policies. This cultural element is taking on increasing importance and receiving heightened attention from regulators as well.

Special Considerations Regarding Cyber Security Risk:

  • The ever-increasing dependence on technological advances that characterizes all aspects of business and modern life has been accompanied by a rapidly growing threat of cybercrime, the cost of which, according to a 2017 report by Herjavec Group, is expected to grow to more than $6 trillion annually by 2021.
  • As recent examples (e.g., the hacking of computer networks belonging to the SEC and to Equifax) have highlighted, network security breaches, damage to IT infrastructure and theft of personal data, trade secrets and commercially sensitive information are omnipresent risks that pose a significant financial and reputational threat to companies of all kinds.
  • With computing devices increasingly embedded in everyday items and connected to the “Internet of Things,” virtually all company functions across all industries are exposed to cybersecurity risk.

Special Considerations Regarding ESG Risks:

  • ESG risks represent a specific subset of general risks that a company must manage where relevant, by identifying and mitigating company-specific risks, such as environmental liabilities, labor standards, consumer and product safety and leadership succession, and by contingency planning for macro-level risks, including by identifying supply chain and energy alternatives and developing backup recovery plans for climate change and other natural disaster scenarios.
  • While boards have been overseeing management of such material risks for as long as they have existed, increasing scrutiny of ESG issues in 2017 by the public and some of the largest institutional investors in the world now calls for special attention to be paid to ensuring that the board is satisfied as to how ESG-related risks specifically are being evaluated, disclosed and managed.
