
N K V Roop Kumar
Ex. Chief of Risk, Info & Cyber Security Management, SBI Life

ERMOnline : PGDM
National Insurance Academy, Pune
Session 1 : Ice Breaking
Day & Date-
Time- 90 Mins.
Short Bio
• Roop Kumar N. K. V.
Chairman of RIMS India Chapter, RIMS, USA.
(Ex.) EVP, Chief of Risk, Info & Cyber Sec. Mgmt., SBI Life Insurance India.

• Experience- Over 34 years of experience (20 years in LIC of India & 16 years in SBI Life Insurance). Portfolios
handled- ERM, BCM, Cyber Security, Data Protection, Fraud Monitoring, Insurance & Marketing etc.

• Qualifications- M.Sc., Fellow of RIMS (RF), FLMI LOMA- USA, RIMS CRMP, ARM™ by The Institutes, ORM-Cert.
by PRMIA.

• As a Trainer in – National Insurance Academy (NIA, Pune), Insurance Institute of India (III),
Indian Institute of Risk Management (IIRM), Administrative Staff College of India (ASCI),
Birla Institute of Management (BIMTECH), TATA Management Training Center, Pune,
& trained a wide variety of audiences- Regulators, International Delegates, Senior Risk Professionals, MBA Students.

• Speaker in various National/International Conferences/Seminars.

• Now he is devoting his wide experience of Insurance & Risk Management towards Training & Creating a pool of
Skilled Risk Professionals in Asia.
Introduction

Introduction by Students

Agenda:
➢ ERM

➢ RIMS-CRMP

➢ Case Studies

➢ Simulation Questions

➢ Q&A by Participants

Analyze the Weightage of 5 Domains in RIMS CRMP
[Chart: the five RIMS-CRMP exam domains with their weightage as % of 120 Questions]
1) Analyze the business model
2) Design organizational risk strategies
3) Implement risk process
4) Develop organizational risk competency
5) Support decision making
Weightage shown in the chart (% of 120 Questions): 15%, 17%, 35%, 16%, 17%
Exam Pattern: 120 MCQs across 5 Domains & 120 Minutes to answer
Level of Difficulty in Questions:
• Overall Difficulty level of CRMP is – Moderate

• Generally, Questions asked in CRMP are of the following types-

✓ Easy, one-liner & direct conceptual/definition questions

✓ Moderate but doable questions involving one or more concepts.

✓ Difficult and case study questions wherein the best suitable option has to be chosen.
Reading/Reference Material (1 of 2) :
• Important resources for your ready reference.

1) ERM Book- ERM: Today’s Leading Research & Best Practices for Tomorrow’s Executives, John Fraser & Betty
Simkins

2) Orange Book- The Orange Book: Management of Risk - Principles and Concepts, October 2004, HM Treasury

3) COSO- COSO ERM 2004 Framework

4) ISO 31000- ISO 31000:2009 Risk Management Guidelines
Reading/Reference Material (2 of 2) :
• Important resources for your ready reference.

5) RIMS Publications-

a) Risk Assessment Standard 2015,

b) Exploring The Risk Committee Advantage,

c) Managing Reputational Risks,

d) RIMS Risk Maturity Model (RMM) for ERM,

e) RIMS Executive Report on Widely Used Standards and Guidelines March 2010 etc.
Is Career in Risk Management a new boom?

RIMS, Chubb, The Hartford and Willis Towers Watson collaborated to develop the RIMS
Risk Management Talent 2025 Report that explores the profession as it stands today and
where it is headed in the future.

The RIMS Risk Management Talent 2025 Report aims to provide

✓ a better understanding of who comprises the profession today and where skills and
experience can be strengthened

✓ opportunities for building a talented pipeline of risk management professionals who are
ready to deliver exceptional results that support growth and innovation for years to
come.
Is Career in Risk Management a new boom?
Key findings from the report include:

✓ 94% agreed that new skills will need to be developed to meet business challenges by 2025;

✓ Only 16% agreed that there will be a sufficient number of risk management graduates to
meet 2025 demands;

✓ 92% agreed that universities must substantially alter their curricula to meet future risk
management challenges.
Trending Skills
Some of the Trending Skills in India as per Michael Page Salary Benchmark report 2020

• Risk Management
• Information Security
• Business Continuity & Disaster Management
• Data Privacy & Data Protection
• AI and Machine Learning
Career Opportunities

Risk Management Job Profiles

Career Opportunities
Information Security Job Profiles
Profile 1: Security Analyst
Profile 2: Security Engineer
Profile 3: IT Risk Manager
Profile 4: ISO 27001 Auditor/Implementer
Profile 5: Infosec Consultant

Career Opportunities
Business Continuity Job Profiles
01 Business Continuity Planner
02 Business Continuity Analyst
03 Disaster Recovery Analyst
04 BC & DR Tester
05 BCM Consultant

Career Opportunities
Data Protection Job Profiles
1. Data Privacy Manager
2. Data Protection Consultant
3. PDP Compliance Analyst
4. GDPR Compliance Analyst
5. Data Administrator
Career Opportunities in Indian Market
Some of the other Job Profiles for Risk/Crisis Professionals

• Operational Risk Manager
• Risk Consultant
• Business Continuity Manager
• Information Security Analyst
• ISO 27001 Infosec, ISO 22301 BCMS, ISO 31000 ERM Auditor
• Enterprise Risk Manager
• Managers- Fraud Monitoring
• Site Risk Assessment
• Legal Risk & Compliance Management
• Risk Analytics
• Risk Control Unit
• Incident Response Unit
• Operational Risk Modeling
• Insurance Program Manager
Career Opportunities in Indian Market

Life, General, Health, Reinsurance Company’s Risk Management Departments

Public Sector Banks, Private Sector Banks

Regulators

Consultancy Firms like Big 4 etc.

IT Firms

Almost all types of companies that have a Risk/BCM Dept., as the Risk Management
discipline is applicable to all types of Industries.
Regulatory Mandate of Risk Management Practices
The following Guidelines of various Regulators mandate Risk Management practices along
with the appointment of a Chief Risk Officer (CRO): Another Career Opportunity

• The Companies Act 2013
• SEBI Corporate Governance Guidelines 2000: Clause 49 (Board Disclosure- Risk
Management)
• RBI Risk Management Guidelines for Banks
• RBI Guidelines for NBFCs
• IRDAI Corporate Governance Guidelines 2016 (Amendment is expected in late 2020)
• IRDAI Information Security Guidelines 2017
The Companies Act 2013

Director’s Responsibility Statement: As per Sec.134, Board of Directors’ report to
include a statement indicating the development, implementation of risk management
policy, and identification of risks that threaten the existence of the business.

Responsibility of the Independent Director: As per Sch. IV, it requires them to:
➢ Bring an independent judgment to bear on the Board’s deliberations, especially
on issues of risk management, strategy, performance, etc.
➢ Satisfy themselves on the integrity of financial information, that financial controls,
and the systems of risk management are robust and defensible.
SEBI CG Guidelines 2000: Clause 49- Corporate Governance
Board Disclosures – Risk management

It shall put in place procedures to inform Board members about the risk
assessment and minimization procedures. These procedures shall be periodically
reviewed to ensure that executive management controls risk through means of a
properly defined framework.

Management shall place a report certified by the compliance officer of the
company, before the entire Board of Directors every quarter documenting the
business risks faced by the company, measures to address and minimize such
risks, and any limitations to the risk taking capacity of the corporation. This
document shall be formally approved by the Board.
SEBI CG Guidelines 2000: Clause 49- Corporate Governance
Board Disclosures – Risk management

Constitute a Risk Management Committee consisting of mostly members of the
Board of Directors. Senior executives of the company may be members but the
chairman of the committee shall be a member of the Board of Directors.

The Board is responsible for-

✓ forming, implementing and monitoring the risk management plan for the
company
✓ defining the roles and responsibilities of the Risk Management Committee
✓ delegating monitoring and reviewing of the risk management plan to the Risk
Management committee, and such other functions as it may deem fit.
6.3 Explain the relevant Risk Management Regulations

❑ Insurance Regulatory and Development Authority of India (IRDAI)

➢ The Insurance Regulatory and Development Authority of India (IRDAI) is an autonomous,
statutory body tasked with regulating and promoting the insurance and re-insurance
industries in India.
➢ It was constituted by the Insurance Regulatory and Development Authority Act, 1999, an Act
of Parliament passed by the Government of India.
Source- Wikipedia
IRDAI Corporate Governance Guidelines 2016

Role and Responsibilities of the Board of Directors:

As an integral part of proper implementation of the business strategy, the
Board should take action as under:

✓ Establish appropriate systems to regulate the risk appetite and risk profile of
the Company.
✓ It will also enable identification and measurement of significant risks to
which the company is exposed in order to develop an effective risk
management system.
IRDAI Corporate Governance Guidelines 2016

In pursuit of development of a strong risk management system and mitigation strategies, insurers
shall set up a separate Risk Management Committee to implement the company’s Risk
Management Strategy.

The risk management function should be under the overall guidance and supervision of the Chief
Risk Officer (CRO).

It shall be organized in such a way that it is able to monitor all the risks across the various lines of
business of the company and the operating head has direct access to the Board.

Risk management function should work in close co-ordination with the finance function, but
independently assess and evaluate the capital, finance and other operating decisions.
IRDAI Corporate Governance Guidelines 2016

Establish effective Risk Management framework and recommend to the Board the Risk
Management policy and processes for the organization.

Set the risk tolerance limits and assess the cost and benefits associated with risk exposure.

Review the Company’s Risk - Reward performance to align with overall policy objectives.

Discuss and consider best practices in risk management in the market and advise the
respective functions;

Assist the Board in effective operation of the risk management system by performing
specialized analyses and quality reviews;
IRDAI Corporate Governance Guidelines 2016

Risk Management Committee Responsibilities

To maintain an aggregated view on the risk profile of the Company for all categories of risk
including insurance risk, market risk, credit risk, liquidity risk, operational risk, compliance
risk, legal risk, reputation risk, etc.

To advise the Board with regard to risk management decisions in relation to strategic and
operational matters such as corporate strategy, mergers and acquisitions and related
matters.

To report to the Board, details on the risk exposures and the actions taken to manage the
exposures; review, monitor and challenge where necessary, risks undertaken by the
Company.
IRDAI Corporate Governance Guidelines 2016

Risk Management Committee Responsibilities

To review the solvency position of the Company on a regular basis.

To monitor and review regular updates on business continuity.

Formulation of a Fraud monitoring policy and framework for approval by the Board.

To monitor implementation of Anti-fraud policy for effective deterrence, prevention,
detection and mitigation of frauds.
6.3 Explain the relevant Risk Management Regulations

❑ Reserve Bank of India (RBI)

➢ The Reserve Bank of India (RBI) is India's central bank and the regulator of the entire
banking sector in India. RBI was set up in 1935 under the Reserve Bank of India Act, 1934.
➢ RBI regulates commercial banks and non-banking finance companies working in India.
➢ It serves as the leader of the banking system and the money market. It regulates money
supply and credit in the country.
➢ The RBI carries out India's monetary policy and exercises supervision and control over banks
and non-banking finance companies in India.
Source- Wikipedia
RBI’s Risk Management Guidelines for Banks

Risk Management Structure

➢ Board primarily responsible for identifying & managing risks
➢ Board to approve risk management policies consistent with business strategies,
capital strength, management expertise and overall willingness to assume risk
➢ Overall risk management may be assigned to Risk Management Committee
(RMC)
➢ RMC to evaluate overall risks faced by the bank & determine risk appetite
➢ RMC to hold the line management more accountable for the risks under their control
➢ RMC to design stress scenarios to measure the impact of unusual market conditions
and monitor variance
RBI’s Risk Management Guidelines for Banks

Risks Covered
➢ Credit Risk
➢ Market Risk
➢ Liquidity Risk
➢ Interest Rate Risk
➢ Operational Risk
➢ Foreign Exchange (Forex) Risk
➢ Inter-bank Exposure and Country Risk
Appointment of Chief Risk Officer (CRO) for NBFCs

The Reserve Bank of India directed Non-Banking Finance Companies (NBFCs)
with asset size of over Rs. 5000 crore to appoint a Chief Risk Officer (CRO) to
augment risk-management practices in NBFCs.

The CRO shall be a senior official in the hierarchy of an NBFC and shall possess
adequate professional qualification/ experience in the area of risk management.

The CRO may be appointed for a fixed tenure with the approval of the Board.
Any premature transfer / removal of CRO should be approved by Board and
reported to RBI and SEBI (where the NBFC is listed).
Appointment of Chief Risk Officer (CRO) for NBFCs

CRO to have direct reporting to the MD & CEO/ Risk Management Committee
(RMC) of the Board.
Where the CRO reports to the MD & CEO, the RMC/Board should meet the CRO without the
presence of the MD & CEO, at least once every quarter.

The CRO shall be involved in the process of identification, measurement and
mitigation of risks.
All credit products (retail or wholesale) shall be vetted by the CRO from the angle
of Inherent and Control risks.
The CRO’s role in deciding credit proposals will be limited to being an advisor.
3) Boardroom & Stakeholder level concerns on ERM. . .
Boardroom & Stakeholder level concerns on ERM
The Boardroom & Stakeholder level Concerns on ERM-

1) Strategically prepare for growth amid increased uncertainty

2) Continuity of Business / Survival, Customer Service, Halt in Production

3) Information & Cyber Security Risks

4) Data Privacy/Data Security/ Data Leakage

5) Change in Regulations, & Compliance to GDPR/PDP/ESG
Boardroom & Stakeholder level concerns on ERM

1) Strategically prepare for growth amid increased uncertainty : Questions for
the board to consider-

➢ Is the board effectively monitoring megatrends, new technologies and economic
signals to gather early insights on potential impacts on the business?

➢ Is the board allocating enough time for discussion of and planning for different
economic scenarios and outcomes in a range of time frames?

➢ Is the board taking steps to continue bringing an outside-in perspective to the
boardroom and keeping a pulse on disruptive technologies and innovation drivers?
Boardroom & Stakeholder level concerns on ERM
2) Continuity of Business / Survival, Customer Service, Halt in Production :
Questions for the board to consider-

➢ Is the board effectively monitoring the Crisis Situation & advising the
management whenever deemed necessary?

➢ Has the board asked the management to re-assess the risk which will have
impact on the objectives of the company and taken stock of the Risk Assessment
& mitigation strategies?

➢ Has the board considered review of Business Continuity plan comprising various
scenarios, recovery strategies & mitigation?
Boardroom & Stakeholder level concerns on ERM
3) Information & Cyber Security Risks: Questions for the board to consider-

➢ What resources is the board using to enhance its competency on cybersecurity
and data privacy topics and better understand emerging threats as well as legal
and regulatory developments?

➢ What information has management provided to help the board assess which
critical business assets and partners, including third parties and suppliers, are
most vulnerable to cyber attacks?

➢ Has the board developed a Cyber Crisis Management Plan & practiced a cyber-breach
simulation with management?
Boardroom & Stakeholder level concerns on ERM
4) Data Privacy/Data Security/ Data Leakage: Questions for the board to consider-

➢ How does the board evaluate the company’s culture as it relates to data protection /
privacy? Are employees routinely trained? What security awareness messaging is
regularly conveyed to employees?

➢ Does the board evaluate the Data Protection Policy & whether the company has
developed a Data Governance Framework which has been approved by the Board? Is
the board reasonably assured on efforts taken to safeguard customers’ PII data?

➢ Has the board devoted the required resources & invested in cutting-edge technologies in
the field of Data Protection & Data Leakage Prevention etc.?
Boardroom & Stakeholder level concerns on ERM
5) Change in Regulations, & compliance to GDPR/PDP: Questions for the board to
consider-

➢ Has the board devoted the required resources for compliance to upcoming national &
global regulations like GDPR/PDP etc.?

➢ Does the tone at the top, as communicated by senior management, demonstrate to
every employee that ethics and compliance are vital to continued business success?
Does the organization’s culture support making ethical and compliant choices?

➢ Does the board give importance to proactive compliance to regulations, i.e.
identification of upcoming regulations & preparation to comply with them?
Disclaimer :

The views expressed by the trainer(s) are not those of the trainer(s)’
employer, firm, clients, or any other organization.

The opinions expressed do not constitute legal or risk management
advice.

The notes/slides provided, views discussed are for educational
purposes only and provided only for use during this session.