All organizations face different kinds of risks at different points of time – some being extremely pervasive. The reason for putting the risk management process in place is to reduce the cost that comes because of such risks. Risk management has become a very important tool before starting new businesses, starting new ventures, launching new products, entering new markets, changing business strategy etc. and today, each thing has to go through a risk lens. Think of it as a tool similar to a car’s brakes. Inherently, cars have brakes so that they can be driven faster. If companies have good risk management processes in place, they would be able to grow faster as they would have a good evaluation method of understanding what it is and hence would be able to make informed decisions.
Risk management, as we know it, has evolved over the years. A few years back when SEBI came out with a Corporate Governance Code and made it mandatory for listed companies to adhere to the same, risk management became an integral element of it. Before this, risk management was not in a structured form – people were managing their businesses and risks in different ways. Having a process provided a structure to risk management, making it easier and more efficient. The problem with a structured process, however, is that many times organizations start ‘ticking the boxes’, thereby defeating its purpose, that results in further challenges. Hence, it is important to note that when we talk of risk management, it is in spirit and not ticking the boxes.
An important factor for risk management is the overall independence of the process. Good organizations today have a designated person called the Chief Risk Officer – who is an independent person reporting directly to the Board or to the other highest management of the organization. The Chief Risk Officer does not report to the CFO or other similar functionaries in interest of independence. Risk management, at the same time should be a part of the strategy of the company, that is, it should not be seen or considered as something completely different from the organization’s strategy. Thus, when someone is working on formulating the company strategy or growth plan, risk management should be embedded in the same. It also goes without saying that the people who are responsible for formulation of such strategies need to have a good understanding of the business. They should be aware of what can and what will go wrong, how it will go wrong and when. At the same time, should have a sound understanding of the environment in which the organization functions. While there are internal risk factors (aka business risks), external factors such as geopolitical risks, technology, competitors, reputation etc. are extremely significant and have a much wider magnitude and impact. One common phenomenon is to focus entirely on business risks as they are easy to identify and measure, that ends up in the neglect of external risks, eventually leading to severe repercussions. This is best exemplified by a statement from a well-known CEO – on being asked what according to him was a major risk for his business, he commented, “I’m scared of the guy working in the garage next door. I don’t know what he is building”. This is a testament to the fact that the entire start-up and technology community that is coming-up has become a big risk for larger companies. A good risk manager accounts for all the risks, both internal and external.
Risks typically occur at the lowest end of the organization. For example, the person who is doing the final transaction on behalf of the company is the one who is exposing the company to the risk. It is thus imperative that there is adequate risk awareness training for the employees of the organization to ensure that the risks are being managed at all levels, wherever there is an external-internal interface. If the risk management process is strongly embedded within the organization, everybody understands how their actions affect the overall health of the company. In the current scenario of global economic slowdown, risk management has been extremely critical. To explain in as few words, companies that had strong risk management processes in place have bounced back much faster than the ones that didn’t.
Talking about the risk management personnel, there is not just one individual. It has got to be a varied team. This team would comprise business people, regulatory people, managers etc. as there are various kinds of risks to deal with. The team should be ideally a mixture of a variety of people, and at the same time, this team should be constantly changing. All the people who learn from being a part of the team should be sent back into the business. This will keep the organization healthy as more people will keep getting trained.
Today, more than ever before, what our country needs is a Risk Code like we have a Corporate Governance Code. We need the minimum standards of risk management that needs to be followed by the companies. These standards can be set by either the companies act or by SEBI or one of the similar regulators. The Covid-19 pandemic has exposed problems in our supply chain system, health system, education system etc. Hence, the risk management process is not any more a ‘good to have tool’. Today, it has become a basic for survival in today’s post-covid era. While the pandemic has certainly ensured that risks get their due importance, the last mile execution part still rests with the people.