Risk Management – CS Professional Study Material

Chapter 12 Risk Management – CS Professional Governance, Risk Management, Compliances and Ethics Notes is designed strictly as per the latest syllabus and exam pattern.

Risk Management – Governance, Risk Management, Compliances and Ethics Study Material

Question 1.
Write short note on the following:
Fraud risk management (Dec 2012, 3 marks)
Answer:
Fraud Risk Management
A fraud risk management policy helps to strengthen the existing anti-fraud controls by raising awareness across the company and will:

  • Promote an open and transparent communication culture.
  • Promote zero tolerance to fraud/misconduct.
  • Encourage employees to report suspicious cases of fraud/misconduct.
  • Spread awareness amongst employees and educate them on risks faced by the company.


Question 2.
Write short note on the following:
Importance of risk management in companies. (June 2014, 3 marks)
Answer:
Importance of Risk Management in Companies
Risk management is important to companies for the following reasons:

  • Better informed decision making – for example in assessing new opportunities;
  • Less chance of major problems in new and ongoing activities; and
  • Increased likelihood of achieving corporate objectives.

Question 3.
Write short note on legal provisions on risk management under the SEBI (Listing Obligations & Disclosure Requirements) Regulations, 2015. (Dec 2014, 3 marks)
Answer:
Risk Management under the SEBI (Listing Obligations & Disclosure Requirements) Regulations, 2015. In terms of Regulations 17(9) and 21 of the SEBI (Listing Obligations & Disclosure Requirements) Regulations, 2015, read with Part D of Schedule II:
(1) The board of directors shall constitute a Risk Management Committee.

(2) The Risk Management Committee shall have a minimum of three members, with a majority of them being members of the board of directors, including at least one independent director; in the case of a listed entity having outstanding SR equity shares, at least two-thirds of the Risk Management Committee shall comprise independent directors.

(3) The Chairperson of the Risk Management Committee shall be a member of the board of directors, and senior executives of the listed entity may be members of the committee.
(3A) The risk management committee shall meet at least twice in a year.
(3B) The quorum for a meeting of the Risk Management Committee shall be either two members or one third of the members of the committee, whichever is higher, including at least one member of the board of directors in attendance.
(3C) The meetings of the risk management committee shall be conducted in such a manner that on a continuous basis not more than one hundred and eighty days shall elapse between any two consecutive meetings.

(4) The board of directors shall define the role and responsibility of the Risk Management Committee and may delegate monitoring and reviewing of the risk management plan to the committee, and such other functions as it may deem fit; such functions shall specifically cover cyber security.
Provided that the role and responsibilities of the Risk Management Committee shall mandatorily include the performance of functions specified in Part D of Schedule II.

(5) The provisions of this regulation shall be applicable to top 1000 listed entities, determined on the basis of market capitalisation, as at the end of the immediate previous financial year.

(6) The Risk Management Committee shall have powers to seek information from any employee, obtain outside legal or other professional advice and secure attendance of outsiders with relevant expertise, if it considers necessary.

Question 4.
Answer the following in brief:
Write a note on ISO 31000. (June 2017, 2 marks)
Answer:
ISO 31000, first published on 13 November 2009, provides a standard on the implementation of risk management. ISO 31000 seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes.
ISO 31000:2009 contains 11 key principles that position risk management as a fundamental process in the success of the organization (the 2018 revision, ISO 31000:2018, consolidates these into eight principles around the central purpose of value creation and protection).


Question 5.
Write short notes on ISO 31000. (Aug 2021, 5 marks)
Answer:
ISO 31000 is the international standard for risk management. This standard was published in the year 2009. It helps organisations with their risk analysis and risk assessments. ISO 31000 applies to most business activities including planning, management operations and communication processes. While all organisations manage risk to some extent, this international standard’s best practice recommendations were developed to improve management techniques and ensure safety and security in the workplace at all times.

By implementing the principles and guidelines of ISO 31000, an organisation is able to improve operational efficiency, governance and stakeholder confidence, while minimising losses. This international standard also helps to boost health and safety performance, establish a strong foundation for decision making and encourage proactive management in all areas.

Question 6.
Discuss the role of Company Secretary in addressing risk management? (June 2013, 5 marks)
Answer:
Role of Company Secretary in Ensuring Risk Management:
A Company Secretary, as a top level officer and board confidante, can play a significant role in ensuring that a sound enterprise-wide risk management system which is effective throughout the company is in place. The board of directors may have a risk management sub-committee assisted by a Risk Management Officer. As the officer responsible for coordination and communication for effective corporate functioning and governance, a Company Secretary shall ensure that there is an integrated framework on which a strong system of internal control is built. Such a framework will become a model for discussing and evaluating risk management efforts in the organization. A Company Secretary can ensure that this happens so that the risk factor comes into consideration at every stage of the formulation of a strategy. It will also create awareness about the inter-relationships of risks across business units and at every level of the organization.

Question 7.
Discuss briefly the following:
Reputation risk (June 2013, 3 marks)
Answer:
Reputation Risk:
Reputation is the trust that an organization has gained over the years through the products, services and brands it has provided to society. It is an intangible asset that is broad and far-reaching and includes image, goodwill and brand equity. If ruined, it can devastate the financial health and welfare of an organization.

Components of Reputation Risk Management:

  • Management of Reputation Risk.
  • Preparation for Reputation Crises.
  • Handling of Reputation Crises.

Question 8.
What is ‘risk’? Discuss various phases of risk management cycle. (Dec 2013, 6 marks)
Answer:
Risk basically refers to the variations in the outcomes that could occur over a specified period in a given situation. If only one outcome is possible, the variation and hence the risk is zero. If many outcomes are possible, the risk is not zero. The greater the variation, the greater the risk.

Risk may also be defined as the possibility that an event will occur and adversely affect the achievement of the company’s objectives and goals. A business risk is the threat that an event or action will adversely affect an organisation’s ability to achieve its business objectives/targets. Business risk arises as much from the possibility that opportunities will not be realised as from the fact that certain threats could well materialise and that errors could well be made.

The risk management cycle:
Every project is subject to constant change in its business and wider environment. The risk environment is constantly changing too.
The project’s priorities and the relative importance of risks will shift and change. Assumptions about risk have to be regularly revisited and reconsidered, for example, at each end-stage assessment.
The risk management cycle is as under:
(i) Identify the risks
(ii) Assess the risks:
(a) Evaluate the risk
(b) Identify suitable responses to the risk and select one
(c) Plan and resource the response
(d) Implement, monitor and report


Question 9.
Briefly comment on the following:
Role of Company Secretary in evaluating risk management efforts in the organisation is significant. (June 2014, 3 marks)
Answer:
Role of Company Secretary in evaluating risk management efforts in the organisation is significant.

As a top level officer and board confidante, a Company Secretary can play a role in ensuring that a sound Enterprise-wide Risk Management [ERM] system which is effective throughout the company is in place. The board of directors may have a risk management sub-committee assisted by a Risk Management Officer. As the officer responsible for coordination and communication for effective corporate functioning and governance, a Company Secretary shall ensure that there is an Integrated Framework on which a strong system of internal control is built. Such a Framework will become a model for discussing and evaluating risk management efforts in the organization. Risk and control consciousness should spread throughout the organization. A Company Secretary can ensure that this happens so that the risk factor comes into consideration at every stage of the formulation of a strategy. It will also create awareness about the inter-relationships of risks across business units and at every level of the organization. A Company Secretary can ensure that the following questions [an illustrative list] are effectively addressed at the board level:
(a) What is the organization’s risk management philosophy?
(b) Is that philosophy clearly understood by all personnel?
(c) What are the relationships among ERM, performance and value?
(d) How is ERM integrated within organizational initiatives?
(e) What is the desired risk culture of the organization and at what point has its risk appetite been set?
(f) What strategic objectives have been set for the organization and what strategies have been or will be implemented to achieve those objectives?
(g) What related operational objectives have been set to add and preserve value?
(h) What internal and external factors and events might positively or negatively impact the organization’s ability to implement its strategies and achieve its objectives?
(i) What is the organization’s level of risk tolerance?
(j) Is the chosen risk response appropriate for and in line with the risk tolerance level?

Question 10.
Discuss in brief the following:
Risk management and corporate governance are inseparable. [Old Syllabus] (June 2014, 2 marks)
Answer:
Risk management is the culmination of decisions taken to improve corporate governance. Organizations that actively manage their risk have a better chance of achieving their objectives and preventing major problems from happening.
Thus, risk management and corporate governance are inseparable.

Question 11.
Discuss in brief the following:
Risk management. [Old Syllabus] (June 2014, 3 marks)
Answer:
Risk management: Risk is an important element of corporate functioning and governance. There should be a clearly established process of identifying, analyzing and treating risks, which could prevent the company from effectively achieving its objectives. It also involves establishing a link between risk-return and resourcing priorities. Appropriate control procedures in the form of a risk management plan must be put in place to manage risk throughout the organization. The plan should cover activities as diverse as review of operating performance, effective use of information technology, contracting out and outsourcing.

Question 12.
“A Company Secretary can play a significant role in ensuring that a sound enterprise risk management (ERM), which is effective throughout the company, is in place.” Explain. (Dec 2014, 4 marks)
Answer:
As a top level officer and board confidante, a Company Secretary can play a role in ensuring that a sound Enterprise-wide Risk Management [ERM] system which is effective throughout the company is in place. The Board of Directors may have a risk management sub-committee assisted by a Risk Management Officer. As the officer responsible for coordination and communication for effective corporate functioning and governance, a Company Secretary shall ensure that there is an Integrated Framework on which a strong system of internal control is built. Such a Framework will become a model for discussing and evaluating risk management efforts in the organization. Risk and control consciousness should spread throughout the organization. A Company Secretary can ensure that this happens so that the risk factor comes into consideration at every stage of the formulation of a strategy. It will also create awareness about the inter-relationships of risks across business units and at every level of the organization.


Question 13.
“Risk management is a structured, consistent and continuous process, applied across the organisation for the identification and assessment of risks, control assessment and exposure monitoring.” In the light of the statement, discuss the risk management process and advantages of risk management. [Old Syllabus] (Dec 2014, 6 marks)
Answer:
Risk Management Process
Risk management is a structured, consistent and continuous process, applied across the organisation for the identification and assessment of risks, control assessment and exposure monitoring. The objectives of the Company’s risk management framework comprise the following:

  • To identify, assess, prioritise and manage existing as well as new risks in a planned and coordinated manner.
  • To increase the effectiveness of internal and external reporting structure.
  • To develop a risk culture that encourages employees to identify risks and associated opportunities and respond to them with appropriate actions.

Advantages of Risk Management
Properly implemented risk management has many potential advantages to an organization in the form of:

  • Better informed decision making – for example in assessing new opportunities;
  • Less chance of major problems in new and ongoing activities; and
  • Increased likelihood of achieving corporate objectives.

Question 14.
The risk evaluation process requires a mathematical approach and considerable data on the past losses. Comment. (June 2015, 5 marks)
Answer:
The risk measurement process requires a mathematical approach and considerable data on past losses. The data available from the concern itself may not be adequate for analytical treatment. Hence, it becomes necessary to resort to data on an industry basis, at the national and sometimes even at the international level. Risk evaluation includes the determination of:
(a) The probability or chance that losses will occur.
(b) The impact the losses would have upon the financial affairs of the firm should they occur.
(c) The ability to predict the losses that will actually occur during the budget period.
There are various statistical methods of quantifying risks. But where the statistical methods are too technical, the risk manager relies on his judgment, and risks are classified as modest, medium, severe etc. In either event, a ‘risk matrix’ can be prepared which essentially classifies the risks according to their frequency and severity.
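The frequency-and-severity classification described above, carried through in code. This is an added example, not part of the study material: it takes a constructed set of historical loss events, estimates annual frequency and mean severity per risk category, places each on a three-by-three risk matrix, and flags categories whose history is too thin to support the estimate (the point made above about a firm's own data not being adequate). The loss figures, the bucket thresholds and the rating rule are all assumptions chosen for illustration.

```python
"""Frequency/severity risk matrix from historical loss data (added example)."""
from dataclasses import dataclass
from statistics import mean

# Constructed sample of past loss events: (year, risk category, loss in INR lakh).
# These figures are invented for the example, not taken from any real firm.
SAMPLE_LOSSES = [
    (2019, "fraud", 30.0), (2019, "outage", 1.5), (2019, "outage", 2.0),
    (2020, "fraud", 40.0), (2020, "outage", 1.0), (2020, "outage", 3.0), (2020, "outage", 2.5),
    (2021, "outage", 1.2), (2021, "outage", 0.8), (2021, "legal", 75.0),
    (2022, "outage", 2.2), (2022, "outage", 1.9), (2022, "fraud", 20.0),
]
OBSERVATION_YEARS = 4  # the sample covers 2019-2022

# Assumed bucket boundaries: a value falls in the first bucket whose upper bound it does not exceed.
FREQUENCY_BUCKETS = [(0.5, "rare"), (2.0, "occasional"), (float("inf"), "frequent")]
SEVERITY_BUCKETS = [(5.0, "modest"), (25.0, "medium"), (float("inf"), "severe")]


@dataclass(frozen=True)
class RiskProfile:
    category: str
    events: int
    frequency_per_year: float
    mean_severity: float
    expected_annual_loss: float
    frequency_bucket: str
    severity_bucket: str
    rating: str
    sufficient_data: bool  # False when too few events were observed to trust the estimate


def bucket(value, thresholds):
    """Return (index, label) of the first bucket whose upper bound covers value."""
    for index, (upper, label) in enumerate(thresholds):
        if value <= upper:
            return index, label
    raise ValueError("thresholds must end with an unbounded bucket")


def rating(frequency_index, severity_index):
    """Classic 3x3 matrix: multiply 1-based bucket positions and band the product."""
    score = (frequency_index + 1) * (severity_index + 1)
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def assess(losses, years, min_events=3):
    """Build a RiskProfile per category from (year, category, amount) records."""
    by_category = {}
    for _year, category, amount in losses:
        by_category.setdefault(category, []).append(amount)

    profiles = {}
    for category, amounts in sorted(by_category.items()):
        frequency = len(amounts) / years          # events per year
        severity = mean(amounts)                  # average loss per event
        f_index, f_label = bucket(frequency, FREQUENCY_BUCKETS)
        s_index, s_label = bucket(severity, SEVERITY_BUCKETS)
        profiles[category] = RiskProfile(
            category=category,
            events=len(amounts),
            frequency_per_year=frequency,
            mean_severity=severity,
            expected_annual_loss=frequency * severity,
            frequency_bucket=f_label,
            severity_bucket=s_label,
            rating=rating(f_index, s_index),
            sufficient_data=len(amounts) >= min_events,
        )
    return profiles


if __name__ == "__main__":
    for profile in assess(SAMPLE_LOSSES, OBSERVATION_YEARS).values():
        note = "" if profile.sufficient_data else "  (estimate based on too few events)"
        print(f"{profile.category:7s} {profile.frequency_bucket:10s} {profile.severity_bucket:7s} "
              f"-> {profile.rating:6s} EAL={profile.expected_annual_loss:.2f}{note}")
```

The `legal` category ends up rated from a single observed event, which is why the `sufficient_data` flag matters: a rare-but-severe category is exactly the case where the firm's own history says least, and where the industry-level data the text mentions would have to supplement it before the rating is relied on.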

Question 15.
Briefly comment on the following statement:
Well defined and implemented risk management policy has many potential advantages to an organisation. (June 2016, 2 marks)
Answer:
A business is exposed to various kinds of risk such as strategic risk, data security risk, fiduciary risk, credit risk, liquidity risk, reputational risk, environmental risk, competition risk, fraud risk, technological risk etc. A risk management committee’s role is to assist the Board in establishing the risk management policy and in overseeing and monitoring its implementation.


Question 16.
Elucidate the following:
Reputational risk management. (June 2016, 5 marks)
Answer:
Reputational Risk Management:
The Reserve Bank of India, in its Master Circular number RBI/2015-16/85 DBR.No.BP.BC.4./21.06.001/2015-16 dated July 1, 2015, has defined Reputation Risk as the risk arising from negative perception on the part of customers, counterparties, shareholders, investors, debt-holders, market analysts, other relevant parties or regulators that can adversely affect a bank’s ability to maintain existing, or establish new, business relationships and continued access to sources of funding (e.g. through the interbank or securitisation markets). Reputational risk is multidimensional and reflects the perception of other market participants. Furthermore, it exists throughout the organisation, and exposure to reputational risk is essentially a function of the adequacy of the bank’s internal risk management processes, as well as the manner and efficiency with which management responds to external influences on bank-related transactions.

Question 17.
What are the major financial risks which may adversely affect an organization? (June 2017, 5 marks)
Answer:
The major financial risks which may adversely affect an organization are given below:

  • Market Risk: This type of risk is associated with market ups and downs.
  • Credit Risk: When a counter party is unable or unwilling to fulfil their contractual obligation, the credit risk arises.
  • Liquidity Risk: The liquidity risk arises due to mis-matches in the cash flow i.e. absence of adequate funds in the market.
  • Operational /System/ Management Risk: It arises due to inadequate systems, system capacities, system failure, obsolescence risk, management failure on account of co-ordination, faulty control or human error.
  • Legal Risk: This risk arises when a counter party does not have the legal or regulatory authority to engage in the transactions. It also includes the compliance and regulatory risk like insider trading, market manipulations etc.
  • Political/Country Risk: Political risk may arise on account of events such as the declaration of elections in the territory, or other area-specific conditions where the business operates.

Question 18.
“Until and unless risks are properly managed they may cause severe loss to the business.” In the context of this, discuss what steps you would like to take for the proper management of the risks of your business. (Dec 2017, 5 marks)
Answer:
The process of risk management consists of the following logical and sequential steps:

  • Identification of risk
  • Assessment of risk
  • Analysing and evaluating the risk
  • Handling of risk

Risk may be handled in the following ways:

  • Risk Avoidance
  • Risk Retention/absorption
  • Risk Reduction
  • Risk Transfer
  • Implementation of risk management decision


Question 19.
(a) Whether Risk Management and Corporate Governance Principles have any relations ? Explain. (June 2019, 5 marks)
(b) While conducting the Audit, Secretarial Auditor found that by forged signature, accountant had transferred huge amount in dummy account. There was a big financial scam in the organization. Reporting on fraud, Management has desired that a Risk Management Policy to detect and control the Fraud be prepared.
Being a Company Secretary, point out the major aspects to be included in Fraud Risk Management Policy. (June 2019, 5 marks)
(c) Point out the situations where the Risk Analysis may be useful. (June 2019, 5 marks)
Answer:
(a) Risk management and corporate governance principles are strongly interrelated. An organization implements strategies in order to reach its goals. Each strategy has related risks that must be managed in order to meet these goals. Risk is an important element of corporate functioning and governance. There should be a clearly established process of identifying, analyzing and treating risks which could prevent the company from effectively achieving its objectives. It also involves establishing a link between risk-return and resourcing priorities. The Board has the ultimate responsibility for identifying major risks to the organization, setting acceptable levels of risk and ensuring that senior management takes steps to detect, monitor and control these risks. The Board must satisfy itself that appropriate risk management systems and procedures are in place to identify and manage risks.

Corporate governance concerns the relationships among the management, board of directors, controlling shareholders, minority shareholders, and other stakeholders. Good corporate governance contributes to sustainable economic development by enhancing the performance of companies and increasing their access to foreign capital. Incorporating risk management in corporate governance of an organisation is very important.

Risk governance includes the skills, infrastructure and culture deployed as directors exercise their oversight. Good risk governance provides clearly defined accountability, authority, and communication/reporting mechanisms. A process for risk management cannot be initiated unless there is a perception and knowledge of risk surrounding the business. The board shall have to identify the extent and type of risks it faces and the planning necessary to manage and mitigate the same for ensuring growth for the benefit of all the stakeholders.

The updated G20/OECD Principles of Corporate Governance provide for considering the establishment of specialised board committees in areas such as remuneration, audit and risk management. The sixth principle of the OECD Principles of Corporate Governance, dealing with the responsibilities of the board, provides that the board should fulfil certain key functions, including:

  • Reviewing and guiding corporate strategy, major plans of action, risk management policies and procedures, annual budgets and business plans; setting performance objectives; monitoring implementation and corporate performance; and overseeing major capital expenditures, acquisitions and divestitures.
  • Ensuring the integrity of the corporation’s accounting and financial reporting systems, including the independent audit, and that appropriate systems of control are in place, in particular systems for risk management, financial and operational control, and compliance with the law and relevant standards.

(b) The management should be pro-active in fraud related matters. A fraud is usually not detected until and unless it is unearthed. A Fraud Risk Management Policy should be adopted, aligned to the company’s internal control and risk management. The Fraud Risk Management Policy will help to strengthen the existing anti-fraud controls by raising awareness across the company and promoting an open and transparent communication culture. It would also promote zero tolerance to fraud/misconduct and encourage employees to report suspicious cases of fraud/misconduct. The policy would spread awareness amongst employees and educate them on the risks faced by the company.
The major aspects to be included in Fraud Risk Management Policy are:

  • Defining Fraud: This shall cover activities which the company would consider as fraudulent.
  • Defining Role and Responsibilities: The policy may define the responsibilities of the officers who shall be involved in effective prevention, detection, monitoring and investigation of fraud. The company may also consider constituting a committee or operational structure that shall ensure an effective implementation of anti-fraud strategy of the company. This shall ensure effective investigation in fraud cases and prompt as well as accurate reporting of fraud cases to appropriate regulatory and law enforcement authorities.
  • Communication Channel: Encourage employees to report suspicious cases of fraud/misconduct. Any person with knowledge of suspected or confirmed incident of fraud/misconduct must report the case immediately through effective and efficient communication channel or mechanism.
  • Disciplinary Action: After due investigations disciplinary action against the fraudster may be considered as per the company’s policy.
  • Reviewing the Policy: The employees should educate their team members on the importance of complying with Company’s policies and procedures and identifying/ reporting of suspicious activity, where a situation arises. Based on the developments, the policy should be reviewed on periodical basis.

(c) After identification of the risk parameters, the second stage is analysing the risk, which helps to identify and manage potential problems that could undermine key business initiatives or projects. To carry out a Risk Analysis, first the possible threats are identified and then the likelihood that these threats will materialise is estimated. The analysis should be objective and should be industry specific. Within the industry, scenario-based analysis may be adopted, taking into consideration the possible events that may occur and the alternative ways to achieve the given target.

Risk Analysis can be complex, as it requires drawing on detailed information such as project plans, financial data, security protocols, marketing forecasts and other relevant information. However, it is an essential planning tool, and one that could save time, money and reputations. Risk analysis can be useful in many situations, such as:

  • While planning projects, to help in anticipating and neutralizing possible problems.
  • While deciding whether or not to move forward with a project.
  • While improving safety and managing potential risks in the workplace.
  • While preparing for events such as equipment or technology failure, theft, staff sickness, or natural disasters.
  • While planning for changes in environment, such as new competitors coming into the market, or changes to government policy.


Question 20.
Liquidity and Solvency are altogether different. Do you agree ? Discuss the types of liquidity risk. (Dec 2019, 5 marks)
Answer:
Yes, Liquidity and Solvency are two different aspects.
Solvency signifies the capability of the organization to pay its debts and dues. It represents the financial soundness of the organization. Liquidity risk, on the other hand, arises due to mismatches in the cash flow, i.e. the absence of adequate funds. Liquidity is altogether different from solvency. A firm may be in a sound position as per the balance sheet, but if its current assets are not in the form of cash or near-cash assets, the firm may not be able to make payment to its creditors, which adversely affects the reputation of the firm.
Types of Liquidity Risk: The liquidity risk may be of two types, trading risk and funding risk.
(a) Trading Risk: It means the absence of liquidity, or of enough products or securities, to actually undertake buy and sell activities, e.g. in the context of securities trading, the inability to enter into derivative transactions with counterparties or to make sales or purchases of securities.

(b) Funding Risk: It refers to the inability to meet obligations, e.g. the inability to raise funds by either borrowing or the sale of assets/securities. It arises where the balance sheet of a firm contains illiquid financial assets which cannot be turned into cash within a very short time.

Question 21.
What is Systematic Risk and Unsystematic Risk ? Give examples. (Dec 2019, 5 marks)
Answer:
Risk may be classified according to controllability, i.e. controllable risk and uncontrollable risk. In other words, controllable risk is categorised as Unsystematic Risk and uncontrollable risk is categorised as Systematic Risk. The concept of Systematic and Unsystematic risk may be further explained as under:

Systematic Risk:
  • It is not fully controllable by an organisation.
  • It is not entirely predictable.
  • It is usually of a macro nature.
  • It usually affects a large number of organisations operating in a similar stream.
  • It cannot be fully assessed and anticipated in advance in terms of timing and gravity.
  • Examples of such risks are Interest Rate Risk, Market Risk and Purchasing Power Risk.

Unsystematic Risk:
  • It is usually controllable by an organisation.
  • It is reasonably predictable.
  • It is normally micro in nature.
  • If not managed, it directly affects the individual organisation first.
  • It can usually be assessed well in advance with reasonable effort, and risk mitigation can be planned with proper understanding and risk assessment techniques.
  • Examples of such risks are Compliance Risk, Credit Risk and Operational Risk.

Question 22.
Write the relevant provisions of the Companies Act, 2013 relating to the reporting of fraud. (Dec 2019, 5 marks)
Answer:
Section 143(12) of the Companies Act, 2013, read with Rule 13 of the Companies (Audit and Auditors) Rules, 2014, provides that if an auditor of a company, in the course of the performance of his duties as auditor, has reason to believe that an offence of fraud involving an amount of rupees one crore or above is being or has been committed in the company by its officers or employees, the auditor shall report the matter to the Central Government. Rule 13(2) of the Companies (Audit and Auditors) Rules, 2014 provides that the auditor shall report the matter to the Central Government as under:

  • reporting the matter to the Board/ Audit Committee immediately but not later than two days of his knowledge of the fraud, seeking their reply or observations within 45 days.
  • on receipt of such reply or observations, the auditor shall forward his report and the reply or observations of the Board / Audit Committee along with his comments to the Central Government within 15 days from the date of receipt of such reply or observations.
  • in case the auditor fails to get any reply or observations from the Board/Audit Committee within the stipulated period of 45 days, he shall forward his report to the Central Government along with a note containing the details of his report.
  • the report shall be sent to the Secretary, Ministry of Corporate Affairs in a sealed cover by Registered Post with Acknowledgement Due or by Speed Post followed by an e-mail in confirmation of the same.
  • the report shall be on the letter-head of the auditor containing postal address, email address and contact telephone number or mobile number and be signed by the auditor with his seal and shall indicate his Membership Number, and
  • the report shall be in the form of a statement as specified in Form ADT-4.

Rule 13(3) of the Companies (Audit and Auditors) Rules, 2014 further states that in case of a fraud involving less than one crore rupees, the auditor shall report the matter to the Audit Committee / Board immediately but not later than two days of his knowledge of the fraud, specifying the nature of the fraud with description, the approximate amount involved and the parties involved; the same shall also be disclosed in the Board’s Report.

The provisions of Rule 13 of the Companies (Audit and Auditors) Rules, 2014 shall mutatis mutandis apply to a cost auditor conducting cost audit under section 148 and a company secretary in practice conducting Secretarial Audit under section 204 of the Companies Act, 2013.

Penal Provisions:
If any auditor, cost accountant, or company secretary in practice does not comply with the provisions of sub-section (12), he shall,
(a) in case of a listed company, be liable to a penalty of five lakh rupees; and
(b) in case of any other company, be liable to a penalty of one lakh rupees.


Question 23.
Discuss in brief Enterprise Risk Management, its components and limitations. (Dec 2020, 5 marks)
Answer:
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Components of Enterprise Risk Management

  • Internal Environment
  • Objective Setting
  • Event Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information and Communication
  • Monitoring

Limitations
While enterprise risk management provides important benefits, limitations exist. In addition to factors discussed above, limitations result from the realities that human judgment in decision making can be faulty, decisions on responding to risk and establishing controls need to consider the relative costs and benefits, breakdowns can occur because of human failures such as simple errors or mistakes, controls can be circumvented by collusion of two or more people, and management has the ability to override enterprise risk management decisions.
These limitations preclude a board and management from having absolute assurance as to achievement of the entity’s objectives.

Question 24.
“Risk analysis is an essential tool and one that could save time, money and reputations.” Explain the statement and bring out the use of risk analysis. (Dec 2020, 5 marks)
Answer:
After identification of the risk parameters, the second stage is analyzing the risk, which helps to identify and manage potential problems that could undermine key business initiatives or projects.

To carry out a Risk Analysis, first identify the possible threats and then estimate the likelihood that these threats will materialize. The analysis should be objective and should be industry specific. Within the industry, the scenario based analysis may be adopted taking into consideration of possible events that may occur and its alternative ways to achieve the given target.

Risk Analysis can be complex, as it requires to draw on detailed – information such as project plans, financial data, security protocols, marketing forecasts and other relevant information. However, it’s an essential planning tool, and one that could save time, money, and reputations.

Risk analysis is useful in many situations like:

  • While planning projects, to help in anticipating and neutralizing possible problems.
  • While deciding whether or not to move forward with a project.
  • While improving safety and managing potential risks in the workplace.
  • While preparing for events such as equipment or technology failure, theft, staff sickness, or natural disasters.
  • While planning for changes in environment, such as new competitors coming into the market, or changes to government policy.
  • When all the permutations and combinations of possible events/threats have been listed while analyzing the risk parameters, together with the steps taken to manage those risks, the resulting risk matrix is placed before the decision-making and implementing authority.


Question 25.
“Non-financial risks do not have direct and immediate impact on business, but the consequences are very serious and later do have significant financial impact as well if not controlled at the initial stage.” List the non-financial risks encountered during the course of business by a business entity. (Dec 2020, 5 marks)
Answer:
List of Non-financial risks

  • Business/ Industry & Services Risk
  • Strategic Risk
  • Compliance Risk
  • Fraud Risk
  • Reputation Risk
  • Transaction Risk
  • Disaster Risk
  • Regulatory Risk
  • Technology Risk

Question 26.
What is meant by handling of risk? Explain risk retention as a method of handling risk. (Dec 2020, 5 marks)
Answer:
Handling the risk refers to responding to the risk situation when the risk actually materializes. For handling the risk, the ownership of the risk should first be allocated and the responsibilities of the persons handling the risk identified and assigned. The persons concerned should document the risk when it arises and report it to their higher-ups, so that early mitigation measures can be taken and the risk later minimised.

Risk retention/absorption: Risk retention means handling an unavoidable risk internally; the firm bears (absorbs) the loss itself, either because insurance cannot be purchased for that type of risk or because it is too expensive to cover, so that handling the risk internally is far more cost-effective. Usually, retained risks occur with greater frequency but have a lower severity.
An insurance deductible is a common example of risk retention to save money: the deductible is a limited, known loss the insured retains in exchange for lower premiums on the larger setbacks that remain insured. There are two types of retention methods for containing losses, as under:
1. Active Risk Retention: Where the risk is retained as part of a deliberate management strategy after conscious evaluation of possible losses and their causes.
2. Passive Risk Retention: Where risk is retained through negligence. The retained risk is unknown, because the risk taker either does not know of the risk or considers it a lesser risk than it actually is.

Question 27.
What type of risk is the Covid Pandemic? (Aug 2021, 5 marks)
Answer:
Covid Pandemic is a Systemic Risk due to the following reasons:

  • It is not fully controllable by any organisation.
  • It is not entirely predictable.
  • It is of a macro nature.
  • It usually affects a large number of organisations operating under a similar stream.
  • It cannot be fully assessed and anticipated in advance in terms of timing and gravity.

Question 28.
Is Risk Management Policy mandatory for private companies? What are the advantages of Risk management ? (Aug 2021, 5 marks)
Answer:
The Companies Act, 2013 does not seem to mandate framing of a Risk Management Policy for Private Companies. However, Section 134(3) of the Companies Act, 2013, which provides the disclosures to be made in the Board’s Report of a company, inter alia provides that the Board’s Report must include a statement indicating development and implementation of a risk management policy for the company, including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.
As per the above statement, it may be inferred that Companies, including Private Companies are required to develop and implement a Risk management Policy.
Advantages of Risk Management:

  • Risk management in the long run results in significant cost savings and prevents wastage of time and effort in firefighting. It develops robust contingency planning.
  • It can help plan and prepare for the opportunities that arise during the course of a project or business.
  • Risk management improves strategic and business planning. It reduces cost by limiting legal action or preventing breakages.
  • It establishes improved reliability among the stakeholders leading to an enhanced reputation.
  • Sound risk management practices reassure key stakeholders throughout the organisation.


Question 29.
What is Reputation Risk? How is it managed? (Aug 2021, 5 marks)
Answer:
Reputation risk is a type of non-financial risk arising from negative perception on the part of customers, counterparties, shareholders, investors, debt holders, market analysts, other relevant parties or regulators that can adversely affect an entity’s ability to maintain existing, or establish new, business relationships and continued access to sources of funding.

This type of risk is multi-dimensional and reflects the perception of other market participants. Exposure to reputational risk is essentially a function of the adequacy of the entity’s internal risk management processes, as well as the manner and efficiency with which the management responds to external influences on entity’s related transactions.
Reputational risk can be managed based on the following principles:

  • Integration of risk while formulating business strategy.
  • Effective board oversight.
  • Image building through effective communication.
  • Promoting compliance culture to have good governance.
  • Persistently following up the corporate values.
  • Due care, interaction and feedback from the stakeholders.
  • Strong internal checks and controls.
  • Peer review and evaluating the company’s performance.
  • Quality report/ newsletter publications.
  • Cultural alignments

Question 30.
(a) “A Company Secretary plays an important role in controlling the risk management.” Discuss. (Dec 2021, 5 marks)
(b) What are the steps involved in risk identification ? (Dec 2021, 5 marks)
(c) Discuss briefly the Enterprise Risk Management (ERM). Explain the components derived from the way management runs an enterprise and are integrated with the management process. (5 marks)
(d) Discuss the roles and responsibilities of the personnel of an entity in enterprise-wide risk oversight. (Dec 2021, 5 marks)
Answer:
(a) In terms of Section 203(1)(ii) of the Companies Act, 2013, a Company Secretary is a Key Managerial Personnel. Hence, being a top-level officer and board confidante, a Company Secretary can play a role in ensuring that a sound Enterprise-wide Risk Management (ERM) framework, effective throughout the company, is in place. Company secretaries are governance professionals whose role is to enforce a compliance framework to safeguard the integrity of the organization and to promote high standards of ethical behaviour.
The functions of a Governance Professional include:

  • Advising on best practice in governance, risk management and compliance.
  • Championing the compliance framework to safeguard organizational integrity.
  • Promoting and acting as a ‘sounding board’ on standards of ethical and corporate behaviour.
  • Balancing the interests of the Board or governing body, management and other stakeholders

(b) The process for risk identification starts by taking inventory of the potential project risks that can affect the project delivery. This step is crucial for efficient risk management throughout the project. The outputs of the risk identification are used as an input for risk analysis, and they reduce a project manager’s uncertainty. It is an iterative process that needs to be continuously repeated throughout the duration of a project. The process needs to be rigorous to make sure that all possible risks are identified. An effective risk identification process should include the following steps:

  1. Creating a systematic process
  2. Gathering information from various sources
  3. Applying risk identification tools and techniques
  4. Documenting the risks
  5. Documenting the risk identification process
  6. Assessing the process effectiveness

(c) The COSO Enterprise Risk Management – Integrated Framework is one of the most widely recognized and applied enterprise risk management frameworks in the world. It provides a principles-based approach to help organizations design and implement enterprise-wide approaches to risk management.

Enterprise risk management deals with risks and opportunities affecting value creation or preservation, and is defined as follows:
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
This definition is purposefully broad. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across organizations, industries, and sectors. It focuses directly on achievement of objectives established by a particular entity and provides a basis for defining enterprise risk management effectiveness.

Components of Enterprise Risk Management
Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are

  • Internal Environment
  • Objective Setting
  • Event Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information and Communication
  • Monitoring

Enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multi-directional, iterative process in which almost any component can and does influence another.

(d) The ultimate responsibility for enterprise-wide risk management starts at the top. However, everyone in the entity will have some role and responsibility for Enterprise risk management (ERM) as discussed below:
1. Board of directors & CEO – have ultimate accountability for all risks. Risk management practices must be discussed periodically and risk management related policies must be reviewed and approved.
2. Senior management – design, implement and maintain an effective risk framework. This involves developing policies and procedures, promoting a risk aware culture, establishing and monitoring the risk appetite and reporting regularly to the board of directors.
3. Business units – identify, assess, measure, monitor, control, and report risks to senior management. This involves managing relevant risks within the framework established by senior management and ensuring compliance with policies and procedures.
4. Support functions (i.e. Legal, HR, IT etc.) – provide support to business units in developing and enforcing policies and procedures.
5. Internal audit & Compliance – monitor and provide independent assurance of the effectiveness of the risk framework.
6. Risk officer/management – co-ordinate the establishment of the risk framework and provide risk management expertise.


Question 31.
(a) As per COSO Framework of Enterprise Risk Management (ERM), there are certain components of Enterprises Risk Management. Explain different components of Enterprise Risk Management in brief.
(b) Explain the term “Risk Register” and give a template of Risk Register in an organization.
(c) Explain the Fraud Risk and the methodology to manage the Fraud Risk in an organisation.
(d) Risk oversight is the responsibility of the entire Board and the same can be achieved through a structured review mechanism. In view of this statement, explain the review mechanism which may be followed by the Board for Risk Oversight. (June 2022, 5 marks each)

Question 32.
What are the different dimensions of identifying threats in the Risk Analysis process? In a company there is a probability of 40% of an increase in the cost of raw material from the present level of ₹ 10 crores. What shall be the risk value of the cost of production? (June 2019, 5 marks)
Answer:
After identification of the risk parameters, the second stage is of analyzing the risk which helps to identify and manage potential problems that could undermine key business initiatives or projects. To carry out a Risk Analysis, first the possible threats are identified and then the likelihood that these threats will materialize is estimated. The analysis should be objective and should be industry specific. Within the industry, the scenario based analysis may be adopted taking into consideration of possible events that may occur and its alternative ways to achieve the given target. The first step in Risk Analysis is to identify risks or threats both existing and possible which may pertain to:

  • Human: Illness, death, injury, or other loss of a key individual.
  • Operational: Disruption to supplies and operations, loss of access to essential assets, or failures in distribution.
  • Reputational: Loss of customer or employee confidence, or damage to market reputation.
  • Procedural: Failures of accountability, internal systems, or controls, or from fraud.
  • Project: Going over budget, taking too long on key tasks, or experiencing issues with product or service quality.
  • Financial: Business failure, stock market fluctuations, interest rate changes, or non-availability of funding.
  • Technical: Advances in technology, or from technical failure.
  • Natural: Weather, natural disasters, or disease.
  • Political: Changes in tax, public opinion, government policy, or foreign influence.
  • Structural: Dangerous chemicals, poor lighting, falling boxes, or any situation where staff, products, or technology can be harmed.

There is a 40% probability of a price rise in the raw material. If this happens, it will increase the cost of production in the next year. The risk value of the cost of production is derived by the following formula:
Risk value = Probability of event × Cost of event
Putting in the values:
Risk value = 0.40 (Probability of event) × ₹ 10 Crores (Cost of event) = ₹ 4 Crores

Question 33.
Your company is running its corporate office in a rented business premises. The Landlord of the building has increased the rent of other companies and there are 80% chances of increase in the rent of the office occupied by your company within the next year. If this happens, it will cost your business an extra ₹ 5,00,000 over the next year. Calculate the risk value. (Dec 2019, 5 marks)
Answer:
The formula for calculating the Risk Value is:
Risk Value = Probability of Event × Cost of Event
Putting in the values given in the question:
Risk Value = 0.80 (Probability of Event) × ₹ 5,00,000 (Cost of Event) = ₹ 4,00,000
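The two questions above apply the formula Risk value = Probability of event × Cost of event to a single threat each. The following is an added example, not part of the study material, that applies the same formula across a small risk register (Question 31(b)) built from the threat dimensions listed in Question 32, ranks the entries by risk value, and places them in the likelihood/impact risk matrix referred to in Question 24. The register entries other than the two figures taken from Questions 32 and 33, the band thresholds, and the names `Threat`, `rank_register` and `risk_matrix` are all assumptions made for illustration; an organisation would set its own bands in its risk management policy.

```python
from dataclasses import dataclass

CRORE = 10_000_000  # 1 crore = 1,00,00,000 rupees


@dataclass(frozen=True)
class Threat:
    """One line of a risk register (hypothetical structure for this example)."""
    category: str       # one of the threat dimensions listed in Question 32
    description: str
    probability: float  # likelihood that the threat materialises in the period (0..1)
    cost: float         # loss in rupees if it does

    def risk_value(self) -> float:
        """Risk value = Probability of event x Cost of event (the page's formula)."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability out of range: {self.probability}")
        return self.probability * self.cost


# Constructed register. The first two entries reproduce the figures used in
# Questions 32 and 33; the remaining entries are hypothetical.
REGISTER = [
    Threat("Financial", "Raw material price rise", 0.40, 10 * CRORE),
    Threat("Financial", "Office rent increase", 0.80, 500_000),
    Threat("Technical", "Ransomware outage of billing system", 0.10, 2 * CRORE),
    Threat("Human", "Loss of key engineer", 0.25, 3_000_000),
    Threat("Natural", "Flooding of data centre", 0.02, 15 * CRORE),
]

# Assumed band thresholds for a 3x3 likelihood/impact matrix: a value is placed
# in the first band whose threshold it meets or exceeds.
LIKELIHOOD_BANDS = ((0.5, "High"), (0.2, "Medium"), (0.0, "Low"))
IMPACT_BANDS = ((CRORE, "High"), (1_000_000, "Medium"), (0.0, "Low"))


def band(value: float, bands) -> str:
    """Map a probability or a cost to the label of its band."""
    for threshold, label in bands:
        if value >= threshold:
            return label
    return bands[-1][1]


def rank_register(register):
    """Return the register ordered by descending risk value (ties by description)."""
    return sorted(register, key=lambda t: (-t.risk_value(), t.description))


def risk_matrix(register):
    """Group threats into matrix cells: {(likelihood band, impact band): [descriptions]}."""
    matrix = {}
    for t in register:
        cell = (band(t.probability, LIKELIHOOD_BANDS), band(t.cost, IMPACT_BANDS))
        matrix.setdefault(cell, []).append(t.description)
    return matrix


if __name__ == "__main__":
    print("Register ranked by risk value (in crores):")
    for t in rank_register(REGISTER):
        print(f"  {t.risk_value() / CRORE:6.2f}  {t.category:<10} {t.description}")
    print("Risk matrix (likelihood, impact):")
    for cell, items in sorted(risk_matrix(REGISTER).items()):
        print(f"  {cell}: {items}")
```

Note that ranking by risk value alone and reading the matrix give different pictures: the flood entry has a low likelihood but ranks second on expected loss because of its cost, while the rent increase is the most likely event yet ranks last. Both views are normally presented to the decision-making authority together.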


Risk Management Notes

SWOT Analysis:

  • Strengths – Internal organizational characteristics that can help to achieve project objectives.
  • Weaknesses – Internal organizational characteristics that can prevent a project from achieving its objectives.
  • Opportunities – External conditions that can help to achieve project objectives.
  • Threats – External conditions that can prevent a project from achieving its objectives.

Risk Mitigation:
Risk mitigation is defined as taking steps to reduce adverse effects. Risk mitigation is the process by which an organization introduces specific measures to minimize or eliminate unacceptable risks associated with its operations.

Risk Management:
Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.

Fraud Risk:
A fraud risk assessment is a tool used by management to identify and understand risks to its business and weaknesses in controls that present a fraud risk to the organization.

Secretarial Audit:
Secretarial Audit is an audit to check compliance of various legislations including the Companies Act and other corporate and economic laws applicable to the company. It provides necessary comfort to the management, regulators and the stakeholders, as to the statutory compliance, good governance and the existence of proper and adequate systems and processes.

Reputation Risk:
Reputation Risk is the risk arising from negative perception on the part of customers, counterparties, shareholders, investors, debt-holders, market analysts, other relevant parties or regulators that can adversely affect a bank’s ability to maintain existing, or establish new, business relationships and continued access to sources of funding (e.g. through the interbank or securitisation markets).
