
Unit 4

Operational Risk: Overview


Analysis of Risk & Uncertainty
It was assumed that those investment proposals did not involve any kind of risk, i.e., whichever proposal is undertaken, there would not be any change in the business risk apprehended by the suppliers of capital. In practice, in a real-world situation, this seldom happens.

We know that decisions are taken on the basis of forecasts, which in turn depend on future events whose occurrence cannot be anticipated or predicted with absolute certainty owing to factors such as economic, social and political conditions. That is why the question of risk and uncertainty arises before the business world, although its degree varies from one investment proposal to another.

Therefore, while evaluating investment proposals, care should be taken about the effect that their acceptance may have on the firm's business risk as apprehended by the creditors and/or investors. As such, the firm should always prefer a less risky investment proposal to a more risky one.

The riskiness of an investment proposal may be defined as the variability of its possible returns, i.e., the variability which is likely to occur in the future returns from the project. For example, if a person invests Rs 25,000 in short-term Government securities carrying 12% interest, he may accurately estimate his future return year after year since it is absolutely risk-free.

On the contrary, instead of investing Rs 25,000 in short-term Government securities, if he wants to purchase the shares of a company, then it is not at all possible for him to estimate the future returns accurately, since the dividend rate of a company may vary widely, viz., from 0% to a very high figure.

Therefore, as there is a high degree of variability in the future returns, it is relatively risky compared to his investment in Government securities. Thus, risk may be defined as the variability which is likely to arise in future between the estimated/expected returns and the actual returns. The greater the variability between the two, the riskier the project, and vice versa.

In short, risk may be defined as the degree of uncertainty about an income. Risk is a characteristic of the investment opportunity and has nothing to do with the attitude of investors. Consider the following two investment opportunities, viz., X and Y, which have the possible payoffs presented in Table 7.1 below depending on the state of the economy. (Assume that the three states of the economy are equally likely.)

From Table 7.1 presented above, it becomes clear that the average expected return from both projects is Rs. 1,000 (Rs 3,000 / 3). But the return from investment X will lie between Rs. 990 and Rs. 1,010, whereas that from investment Y lies between Rs. 0 and Rs. 2,000; in other words, more uncertainty arises about the return from investment Y.
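The comparison of X and Y above, carried through in Python as an added worked example (not part of the original text, whose Table 7.1 is not reproduced here): the payoff table is constructed to match the figures quoted, the Government security paying 12% on Rs 25,000 is included as the risk-free case, and a helper classifies a situation as certainty, risk or uncertainty depending on whether the outcome varies and whether the probabilities are known.

```python
from math import sqrt
from typing import Dict, Optional, Sequence

# Constructed payoff table standing in for Table 7.1 (an assumption, not from
# the page): three states of the economy, equally likely, as the text assumes.
# X stays within Rs 990..1,010 and Y within Rs 0..2,000, both averaging
# Rs 1,000; "Govt" is Rs 25,000 at 12%, i.e. Rs 3,000 whatever happens.
STATES = ("recession", "normal", "boom")
PAYOFFS: Dict[str, Sequence[float]] = {
    "X": (990.0, 1000.0, 1010.0),
    "Y": (0.0, 1000.0, 2000.0),
    "Govt": (3000.0, 3000.0, 3000.0),
}
EQUALLY_LIKELY = (1 / 3, 1 / 3, 1 / 3)


def expected_return(payoffs: Sequence[float], probs: Sequence[float]) -> float:
    """Probability-weighted average payoff (the page's 'average expected return')."""
    if len(probs) != len(payoffs):
        raise ValueError("one probability per state is required")
    if abs(sum(probs) - 1.0) > 1e-9 or any(p < 0 for p in probs):
        raise ValueError("probabilities must be non-negative and sum to 1")
    return sum(p * x for p, x in zip(probs, payoffs))


def std_deviation(payoffs: Sequence[float], probs: Sequence[float]) -> float:
    """Standard deviation of the payoffs around the expected return: the page's
    measure of variability between expected and actual returns, i.e. of risk."""
    mu = expected_return(payoffs, probs)
    return sqrt(sum(p * (x - mu) ** 2 for p, x in zip(probs, payoffs)))


def coefficient_of_variation(payoffs: Sequence[float], probs: Sequence[float]) -> float:
    """Risk per rupee of expected return, so projects whose expected returns
    differ can still be compared on variability alone."""
    mu = expected_return(payoffs, probs)
    if mu == 0:
        raise ValueError("expected return is zero; coefficient of variation undefined")
    return std_deviation(payoffs, probs) / mu


def classify_situation(payoffs: Sequence[float],
                       probs: Optional[Sequence[float]]) -> str:
    """Map a decision situation onto the page's three types."""
    if len(set(payoffs)) == 1:
        return "certainty"    # one outcome whatever the state: no variability
    if probs is None:
        return "uncertainty"  # outcomes known, their probabilities not
    return "risk"             # probabilities known, so the loss can be foreseen


def riskier(name_a: str, name_b: str, probs: Sequence[float] = EQUALLY_LIKELY) -> str:
    """Name of the project with the larger variability of returns."""
    sd_a = std_deviation(PAYOFFS[name_a], probs)
    sd_b = std_deviation(PAYOFFS[name_b], probs)
    return name_a if sd_a > sd_b else name_b


if __name__ == "__main__":
    for name, pay in PAYOFFS.items():
        print(f"{name:4s} E[R]=Rs {expected_return(pay, EQUALLY_LIKELY):8.2f} "
              f"sd=Rs {std_deviation(pay, EQUALLY_LIKELY):7.2f} "
              f"type={classify_situation(pay, EQUALLY_LIKELY)}")
    print("riskier of X and Y:", riskier("X", "Y"))
```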

However, decision situations may be broken down into three types: certainty, risk and uncertainty.

(i) Certainty: No risk is involved.

(ii) Risk: It involves situations in which the probabilities of a particular event occurring are known, i.e., the chance of a future loss can be foreseen.

(iii) Uncertainty: The probabilities of a particular event occurring are not known, i.e., the future loss cannot be foreseen. The basic difference between risk and uncertainty is that variability is less in the case of risk whereas it is more in the case of uncertainty, although both terms are used here interchangeably.

Financial Sector, Risk Types


Financial risk is the possibility of losing money on an investment or business venture. Some of the more common and distinct financial risks include credit risk, liquidity risk, and operational risk.

Financial risk is a type of danger that can result in the loss of capital to interested parties. For governments, this can mean they are unable to control monetary policy and default on bonds or other debt issues. Corporations also face the possibility of default on debt they undertake, but may also experience failure in an undertaking that causes a financial burden on the business.

Financial risks are everywhere and come in many shapes and sizes, affecting nearly everyone. You should be aware of the presence of financial risks. Knowing the dangers and how to protect yourself will not eliminate the risk, but it can mitigate their harm and reduce the chances of a negative outcome.

1. Market risk

Among the types of financial risks, one of the most important is market risk. This type
of risk has a very broad scope, as it appears due to the dynamics of supply and
demand.

The same applies for innovations and changes in the market. One example is the
commercial sector. Companies that have managed to adapt to the digital market to
sell their products online have experienced an increase in revenue. Meanwhile,
those that have resisted these transformations show lagging competitiveness.

2. Credit risk

In financial risk management, credit risk is of paramount importance. This risk refers
to the possibility that a creditor will not receive a loan payment or will receive it late.

Credit risk is therefore a way of determining a debtor’s capacity to fulfill its payment
obligations.

There are two types of credit risk: retail and wholesale.

The first refers to the risk involved in financing individuals and small businesses,

Subprime mortgages were high-risk, high-interest loans granted to people who were
unemployed or did not have a stable income.

Banks began to broaden the profile of subprime mortgage applicants in order to increase income. However, since the applicants could not pay, delinquency on the debts increased.

3. Liquidity risk

Financial risk management must consider a company's liquidity, as every organization must ensure that it has sufficient cash flow to pay off its debts. Failing to do so may ruin investor confidence.

Liquidity risk is just that: the possibility that a company will not be able to fulfil its commitments. One of the possible causes is poor cash flow management.

Real estate or bonds, for example, are assets that can take a long time to turn into
money. That is why each company must verify whether it has current assets to pay
off short-term commitments.

4. Operational risk

Finally, among the types of financial risks there is also operational risk. There are different types of operational risk. These risks occur due to a lack of internal controls within the company, technological failures, mismanagement, human error or a lack of employee training.

Eventually, this risk almost always leads to a financial loss for the company.

Operational risk is one of the most difficult to measure objectively. In order to calculate it accurately, the company must have built up a history log of failures of this type and recognized the possible connections between them.

These risks can be avoided if it is recognized that a specific risk may trigger further risks. A broken-down machine, for example, not only implies the expense of repairing it. It also causes losses from production downtime, which can lead to delays in product deliveries and even affect the company's reputation.
Operational Risk Management: Recruitment & Training, Workflow Design

The term operational risk management (ORM) is defined as a continual cyclic process which includes risk assessment, risk decision making, and implementation of risk controls, which results in acceptance, mitigation, or avoidance of risk. ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems, human factors, or external events. Unlike other types of risk (market risk, credit risk, etc.), operational risk had rarely been considered strategically significant by senior management.

Levels

Deliberate

Deliberate risk management is used at routine periods throughout the implementation of a project or process. Examples include quality assurance, on-the-job training, safety briefs, performance reviews, and safety checks.

In Depth

In-depth risk management is used before a project is implemented, when there is plenty of time to plan and prepare. Examples of in-depth methods include training, drafting instructions and requirements, and acquiring personal protective equipment.

Time Critical

Time-critical risk management is used during operational exercises or the execution of tasks. It is defined as the effective use of all available resources by individuals, crews, and teams to safely and effectively accomplish the mission or task using risk management concepts when time and resources are limited. Examples of tools used include execution checklists and change management. This requires a high degree of situational awareness.

Categories:

People

The people category includes employees, customers, vendors and other stakeholders. Employee risk includes human error and intentional wrongdoing, such as in cases of fraud. Risks include breach of policy, insufficient guidance, poor training, bad decision making, or fraudulent behavior. Outside of the organization, there are several operational risks that involve people. Employees, customers, and vendors all pose a risk with social media. Monitoring and controlling the people aspect of operational risk is one of the broadest areas for coverage.

Regulations

Risk of non-compliance with regulation exists in some form in nearly every organization. Some industries are more highly regulated than others, but all regulations come down to operationalizing internal controls. Over the past decade, the number and complexity of rules have increased and the penalties have become more severe.

Flow:

Step 1: Risk Identification

Risks must be identified so that they can be controlled. Risk identification starts with understanding the organization's objectives. Risks are anything that prevents the organization from attaining its objectives.

Step 2: Risk Assessment

Risk assessment is a systematic process for rating risks on likelihood and impact. The outcome of the risk assessment is a prioritized listing of known risks. The risk assessment process may look similar to the risk assessment done by internal audit.

Step 3: Risk Mitigation

The risk mitigation step involves choosing a path for controlling the specific risks. In the Operational Risk Management process, there are four options for risk mitigation: transfer, avoid, accept, and control.

• Transfer: Transferring shifts the risk to another organization. The two most common means of transferring are outsourcing and insuring. When outsourcing, management cannot completely transfer the responsibility for controlling risk. Insuring against the risk ultimately transfers some of the financial impact of the risk to the insurance company. A good example of transferring risk occurs with cloud-based software companies. When a company purchases cloud-based software, the contract usually includes a clause for data breach insurance. The purchaser is ensuring the vendor can pay for damages in the event of a data breach. At the same time, the vendor will also have its data center provide SOC reports that show there are sufficient controls in place to minimize the likelihood of a data breach.
• Control: Controls are processes the organization puts in place to decrease the impact of the risk if it occurs or to increase the likelihood of meeting the objective. For example, installing software behind a firewall reduces the likelihood of hackers gaining access, while backing up the network decreases the impact of a compromised network since it can be restored to a safe point.

Step 4: Control Implementation

Once the risk mitigation decisions are made, the next step is implementation. The controls are designed specifically to meet the risk in question. The control rationale, objective, and activity should be clearly documented so the controls can be clearly communicated and executed. The controls implemented should focus on preventive control activities over policies.

Step 5: Monitoring

Since the controls may be performed by people who make mistakes, or the
environment could change, the controls should be monitored. Control monitoring
involves testing the control for appropriateness of design, implementation, and
operating effectiveness. Any exceptions or issues should be raised to management
with action plans established.
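The five-step flow above, run end to end in Python as an added example (not from the original text): a constructed risk register is rated on likelihood and impact, prioritized, given one of the four mitigation options, and its controls are documented and then monitored for exceptions. The 1..5 scales, the risk-appetite threshold and the rule that picks transfer/avoid/accept/control are assumptions of this example, not something the text prescribes; the cloud-vendor, firewall and backup items mirror the page's own illustrations.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence

LEVELS = range(1, 6)  # assumed 1..5 scale for both likelihood and impact


@dataclass(frozen=True)
class Risk:
    """Step 1: a risk is anything that prevents the organization attaining an objective."""
    name: str
    objective: str
    likelihood: int  # 1 = rare ... 5 = almost certain (assumed scale)
    impact: int      # 1 = negligible ... 5 = severe (assumed scale)

    def __post_init__(self) -> None:
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")

    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed register for illustration (values are made up).
RISKS = (
    Risk("Unvetted product line launched", "Protect reputation", 4, 5),
    Risk("Ransomware corrupts the network", "Keep systems available", 3, 5),
    Risk("Attacker reaches internet-facing app", "Keep customer data confidential", 4, 3),
    Risk("Data breach at cloud software vendor", "Keep customer data confidential", 2, 5),
    Risk("Paper holiday request misplaced", "Process leave on time", 4, 1),
)


def assess(risks: Sequence[Risk]) -> List[Risk]:
    """Step 2: rate on likelihood and impact; return the prioritized listing."""
    return sorted(risks, key=lambda r: (-r.score(), -r.impact, r.name))


def choose_response(risk: Risk, appetite: int = 6) -> str:
    """Step 3: one of the four options. The rule is an assumption of this example:
    within appetite -> accept; likely and severe -> avoid; rare but severe ->
    transfer (insure or outsource); anything else -> control."""
    if risk.score() <= appetite:
        return "accept"
    if risk.likelihood >= 4 and risk.impact >= 4:
        return "avoid"
    if risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"
    return "control"


def mitigation_plan(risks: Sequence[Risk]) -> Dict[str, str]:
    """Prioritized risk name -> chosen response, in assessment order."""
    return {r.name: choose_response(r) for r in assess(risks)}


@dataclass(frozen=True)
class Control:
    """Step 4: rationale, objective and activity documented so the control can be
    communicated and executed; preventive activities are favoured."""
    risk: str
    objective: str
    activity: str
    rationale: str
    preventive: bool


CONTROLS = (
    Control("Attacker reaches internet-facing app", "Keep customer data confidential",
            "Deploy the application behind a firewall",
            "Reduces the likelihood of unauthorised access", preventive=True),
    Control("Ransomware corrupts the network", "Keep systems available",
            "Nightly backups restorable to a known-safe point",
            "Reduces the impact of a compromised network", preventive=False),
)


def monitor(control: Control, design_ok: bool, implemented_ok: bool,
            operating_ok: bool) -> List[str]:
    """Step 5: test design, implementation and operating effectiveness; every
    failed test is an exception to raise to management with an action plan."""
    results = {"design": design_ok, "implementation": implemented_ok,
               "operating effectiveness": operating_ok}
    return [f"{control.activity}: {test} exception; action plan required"
            for test, ok in results.items() if not ok]


if __name__ == "__main__":
    for name, response in mitigation_plan(RISKS).items():
        print(f"{response:9s} {name}")
    # constructed test outcome: the firewall control passed, the restore test failed
    print(monitor(CONTROLS[0], True, True, True))
    print(monitor(CONTROLS[1], True, True, False))
```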

Workflow Documentation

Workflow documentation is the process of storing, tracking, and editing the business documents that shape your workflow. In other words, workflow documentation outlines your business processes and workflows.

Document workflow management is a system used to capture, generate, track, edit, approve, store, retrieve, retain and destroy documents associated with business processes. Digital document workflow helps organisations to reduce the often large amounts of paperwork that slow down day-to-day operations: purchase orders, invoices, holiday requests, proof of delivery, despatch, payroll, vehicle documents, supply chain information, claim forms, insurances, and more. The majority of businesses are document-heavy, and how documents are managed affects running costs, staff productivity, profitability and customer satisfaction. Documents get passed from one department to the next, requiring approval or changes at each stop.

Process:

Define the process

First things first, you need to outline the process of the workflow. It’ll be a top-level
overview of what you envisage the specific workflow to involve.

Review the following information:

• Where the workflow begins
• Where the workflow ends
• Any milestones to hit along the way
• What's involved at each stage of the workflow

Confirm the output

Now you need to identify what the output should be. Will you have made a sale?
Launched a new product? Hired a new employee? Whatever it is, make sure you’re
clear on what the outcome should be. This will give you the direction you need to
make sure your workflow delivers what you want.

Document the step-by-step process

Now you know what the workflow involves and what the outputs are, you can
document the entire workflow step-by-step.
Review your data on where you need to start, where you need to finish, and what
your key milestones will be. You can then focus on filling in the gaps between each
key milestone to get you from start to finish.

Review the workflow process

Once you’ve outlined the entire workflow, it’s time to scrutinize it. Double-check
everything before you roll it out to your team. The last thing you want is to distribute
the business process documentation only to find an error somewhere down the line.

Benefits:

Align your team

When you have a clear process, it’s easy for everyone to follow it. There’s less room
for error, and team members won’t be confused about what actions they need to
take.

Improve your processes

Workflow documentation helps teams improve their business processes. Think about
it. If you’re tracking and documenting your workflow, it’s much easier to identify room
for improvement. Without workflow documentation, you simply won’t have this level
of clarity.

Work more efficiently

Using digital documentation allows you to speed up your day-to-day processes and
focus on tasks that matter.

Delegation: Centralization and Decentralization of Authority

A manager alone cannot perform all the tasks assigned to him. In order to meet the targets, the manager should delegate authority. Delegation of authority means the division of authority and powers downwards to the subordinate. Delegation is about entrusting someone else to do parts of your job. Delegation of authority can be defined as the subdivision and sub-allocation of powers to the subordinates in order to achieve effective results.

Elements of Delegation

1. Authority: In the context of a business organization, authority can be defined as the power and right of a person to use and allocate resources efficiently, to take decisions and to give orders so as to achieve the organizational objectives. Authority must be well-defined. All people who have authority should know what the scope of their authority is, and they shouldn't misuse it. Authority is the right to give commands and orders and get things done. The top level of management has the greatest authority.

Authority always flows from top to bottom. It explains how a superior gets work done from his subordinate by clearly explaining what is expected of him and how he should go about it. Authority should be accompanied by an equal amount of responsibility. Delegating authority to someone else doesn't imply escaping from accountability. Accountability still rests with the person having the utmost authority.

2. Responsibility: It is the duty of the person to complete the task assigned to him. A person who is given the responsibility should ensure that he accomplishes the tasks assigned to him. If the tasks for which he was held responsible are not completed, then he should not give explanations or excuses. Responsibility without adequate authority leads to discontent and dissatisfaction in the person. Responsibility flows from bottom to top. The middle and lower levels of management hold more responsibility. The person held responsible for a job is answerable for it. If he performs the tasks assigned as expected, he is bound to be praised; if he doesn't accomplish the tasks assigned as expected, he is likewise answerable for that.

3. Accountability: It means giving explanations for any variance in the actual performance from the expectations set. Accountability cannot be delegated. For example, if 'A' is given a task with sufficient authority, and 'A' delegates this task to 'B' and asks him to ensure that the task is done well, responsibility rests with 'B', but accountability still rests with 'A'. The top level of management is most accountable. Being accountable means being innovative, as the person will think beyond the scope of his job. Accountability, in short, means being answerable for the end result. Accountability can't be escaped. It arises from responsibility.

For achieving delegation, a manager has to work within a system and has to perform the following steps:

1. Assignment of tasks and duties
2. Granting of authority
3. Creating responsibility and accountability

Therefore every manager, i.e., the delegator, has to follow a system to complete the delegation process. Equally important is the delegatee's role, which means his responsibility and accountability are attached to the authority handed over to him.

Relationship between Authority and Responsibility

Authority is the legal right of a person or superior to command his subordinates, while accountability is the obligation of an individual to carry out his duties as per standards of performance. Authority flows from superiors to subordinates, in that orders and instructions are given to subordinates to complete the task. It is only through authority that a manager exercises control. In a way, through exercising control the superior is demanding accountability from subordinates. Suppose the marketing manager directs the sales supervisor to achieve 50 units of sales in a month. If the above standard is not accomplished, it is the marketing manager who will be accountable to the chief executive officer. Therefore, we can say that authority flows from top to bottom and responsibility flows from bottom to top. Accountability is a result of responsibility, and responsibility is a result of authority. Therefore, for every authority an equal accountability is attached.

Centralization is said to be a process where the concentration of decision making is in a few hands. All the important decisions and actions at the lower level are subject to the approval of top management. According to Allen, "Centralization is the systematic and consistent reservation of authority at central points in the organization." The implications of centralization can be:

1. Reservation of decision making power at the top level.
2. Reservation of operating authority with the middle level managers.
3. Reservation of operations at the lower level at the direction of the top level.

Under centralization, the important and key decisions are taken by the top management, and the other levels carry out implementation as per the directions of the top level. For example, in a business concern where the father and son are the owners, the two of them decide about the important matters, and all the rest of the functions like production, finance, marketing and personnel are carried out by the department heads, who have to act as per the instructions and orders of the two people. Therefore, in this case, decision making power remains in the hands of the father and son.
On the other hand, decentralization is a systematic delegation of authority at all levels of management and in all parts of the organization. In a decentralized concern, authority is retained by the top management for taking major decisions and framing policies concerning the whole concern. The rest of the authority may be delegated to the middle and lower levels of management.

The degree of centralization and decentralization will depend upon the amount of authority delegated to the lowest level. According to Allen, "Decentralization refers to the systematic effort to delegate to the lowest level of authority except that which can be controlled and exercised at central points."

Implications of Decentralization

1. There is less burden on the Chief Executive than in the case of centralization.
2. In decentralization, the subordinates get a chance to decide and act independently, which develops skills and capabilities. This way the organization is able to build a reserve of talent within it.
3. In decentralization, diversification and horizontal expansion can be easily implemented.
4. In a decentralized concern, diversification of activities can take place effectively, since there is more scope for creating new departments. Therefore, growth through diversification is possible to a greater degree.
5. In a decentralized structure, operations can be coordinated at the divisional level, which is not possible in a centralized set-up.

Internal audit and Internal control


Internal Control

Internal control, as defined by accounting and auditing, is a process for assuring the achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.

It is a means by which an organization's resources are directed, monitored, and measured. It plays an important role in detecting and preventing fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).

At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization's payments to third parties are for valid services rendered). Internal control procedures reduce process variation, leading to more predictable outcomes. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes–Oxley Act of 2002, which required improvements in internal control in United States public corporations. Internal controls within business entities are also referred to as operational controls. The main controls in place are sometimes referred to as "key financial controls" (KFCs).

Under the COSO Internal Control-Integrated Framework, a widely used framework not only in the United States but around the world, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

COSO defines internal control as having five components:

• Control Environment: sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
• Risk Assessment: the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
• Monitoring: processes used to assess the quality of internal control performance over time.

Types and examples of these controls could be:

• Automated preventive control: having firewalls, system backup features, etc.
• Manual preventive control: hiring security guards, identification verification procedures, etc.
• Manual detective control: carrying out audits, inspections, etc.
• Manual corrective control: disciplinary actions, refined policies, etc.
• Automated detective control: reconciling information from one system to another, etc.
• Automated corrective control: installing software patches, maintaining password secrecy, etc.

Components of Internal Control

Multiple components comprise the framework. The first thing needed to ensure that a company's controls work properly is an appropriate control environment. This is what sets the level of control consciousness, making everyone from top management to staff members follow and keep a check on the policies, procedures, principles, and technology deployed. In addition, it sets the values, commitment, policies, responsibilities, operating style, participation, structure, and overall tone of the company.

• Control over Sale and Purchase: A proper and efficient control system for transactions regarding the purchase and sale of material, the handling of material and the accounting for the same is a must.
• Cash: Here, internal control is applied over the payments and receipts of an organization. This is to safeguard against misappropriation of cash.
• Financial Control: It deals with an efficient system of accounting, recording and supervision.
• Capital Expenditure: The internal control system ensures the proper sanction of capital expenditure and also its use for the purpose intended.
• Employees' Remuneration: The internal control system is applied to the preparation and maintenance of employee records and to the payment methods as well. It is also necessary to safeguard against misappropriation of cash.
• Inventory Control: It covers the proper handling of inventory, minimization of slow-moving items or dead stock, proper valuation of stock, recording of it, etc.
• Control over Investments: The internal control system is applied to the proper recording of transactions, be they purchases, additions, sales or redemptions, income on investments, or profit or loss on investments.

Limitations:

• There is a chance of misuse by a person of authority who is operating the internal control system.
• The objectives of the internal control system may be defeated by manipulation by management.
• Since the internal control system deals with routine transactions, irregular transactions may be overlooked.
• Changes in conditions may affect the effectiveness of the internal control system.

Internal Audit

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes. Internal auditing might achieve this goal by providing insight and recommendations based on analyses and assessments of data and business processes. With a commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.

Internal auditors are not responsible for the execution of company activities; they advise management and the board of directors (or similar oversight body) regarding how to better execute their responsibilities. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds.

The Institute of Internal Auditors (IIA) is the recognized international standard-setting body for the internal audit profession and awards the Certified Internal Auditor designation internationally through rigorous written examination. Other designations are available in certain countries. In the United States the professional standards of the Institute of Internal Auditors have been codified in several states' statutes pertaining to the practice of internal auditing in government (New York State, Texas, and Florida being three examples). There are also a number of other international standard-setting bodies.

Role in internal control

Internal auditing activity is primarily directed at evaluating internal control. Under the
COSO Internal Control Framework, internal control is broadly defined as a process,
effected by an entity’s board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of the
following core objectives for which all businesses strive:

• Effectiveness and efficiency of operations.
• Reliability of financial and management reporting.
• Compliance with laws and regulations.
• Safeguarding of assets.

Objectives

• To give suggestions about improvement of the internal control system in the organization.
• To comment on the effectiveness of the internal control system in force.
• To check and ensure whether the policies and procedures laid down by the top management are being followed or not.
• To check whether the assets of the organization are properly accounted for and safeguarded.
• To ensure whether standard accounting practices are followed by the organization.
• Earlier detection and prevention of errors and frauds.
• To ensure the correctness, accuracy and authenticity of financial accounting.
• To carry out investigations at the special request of the management.
• To check whether the liabilities of the organization are valid and legitimate.

Statutory Requirement

As per Section 138 of the Companies Act, 2013:

• The Central Government may, by rules, prescribe the manner and intervals in which the internal audit shall be conducted and reported to the Board.
• Such class or classes of company as may be prescribed shall be required to appoint an internal auditor, who shall either be a Chartered Accountant or Cost Accountant or such other professional as may be decided by the Board, to conduct internal audit of the functions and activities of the company.

Similarities between internal control and internal audit

People: Both internal control and internal audit need people to deliver on their
objectives.

Reporting format: Both internal audit and internal control do not have a generally
agreed reporting format.

Achievement of objectives: Both internal audit and internal control help organizations achieve objectives.

Independent Compliance Function


The compliance department ensures that a business adheres to external rules and
internal controls. In the financial services sector, compliance departments work to
meet key regulatory objectives: to protect investors and to ensure that markets are
fair, efficient and transparent. They also seek to reduce systemic risk and financial
crime.

These objectives are designed to support consumer confidence in the financial
system. Financial services organizations are also subject to regulatory business
rules that govern advertising, customer communications, conflicts of interest,
customer understanding and suitability, customer dealings, client assets and client
money, as well as the handling of rule breaches and errors.

Four elements of an independent compliance function:

 A written compliance framework, approved by the governing body, that
establishes a distinct and empowered compliance function.
 A Chief Compliance Officer (CCO) with a functional reporting line to a
committee of the governing body composed entirely of non-executive (outside)
directors, in order to ensure autonomy.
 CCO and compliance staff who do not perform business (revenue-generating)
responsibilities.
 Unfiltered access for the compliance function to the information it needs to
carry out its oversight role.

Importance:

Without a compliance function, you cannot reliably build or maintain trust with others.
Trust is fostered through three elements: (1) repeated interactions with another
person; (2) honest communication with that person; and (3) following through on
commitments. Organizations cannot ensure that they are meeting element (2) or (3)
unless they have adopted rules about proper communications and proper follow
through. The head of the organization can’t be confident that others are being honest
in their interactions unless the organization has adopted rules about honesty and
trained people about the importance of honesty and candor. The leader cannot be
confident that people are following through on commitments unless there are rules
and norms that have been adopted and emphasized throughout the organization.

Compliance is part of your organization’s duties to its community and stakeholders.

This reason is the most basic. If you run a business (whether for-profit or nonprofit),
you benefit from your community’s basic services. In return, you owe a duty to comply
with the law. Furthermore, if you use the resources of others (investors, creditors,
donors), you need to be able to assure them that you are regulating the conduct of
your employees and that you are complying with applicable rules and regulations.

Compliance can serve as a driver of change and innovation. Some people view
compliance as inherently conservative: they think its purpose is only to rein in
conduct. That is not the whole picture. Compliance can instead serve as a powerful
tool of long-term change. If everyday behavior stems from training and codes of
conduct, and codes of conduct stem from values, then the articulation and modification
of values over time can profoundly influence organizational behavior. In the words of
systems theorists, values can be a leverage point, and compliance ultimately focuses
on the driving values of an organization.

Independent Risk Management Function


Independent Risk Management is, in the context of banking regulation, a function
within the financial firm that operates (relatively) independently from the remainder of
the firm (usually denoted the business). Organizationally it falls under the direction of
a Chief Risk Officer (CRO), a senior position with sufficient stature, independence,
resources and access to the management board.

The Risk Management Function should be sufficiently independent of the business
units and should not be involved in revenue generation. Such independence is an
essential component of an effective risk management function, as is having access
to all business lines that have the potential to generate material risk to the bank as
well as to relevant risk-bearing subsidiaries and affiliates.

In the popular Three Lines of Defence paradigm of Risk Management the
independent risk function is a key component of the bank’s second line of defence.
The function is responsible for overseeing risk-taking activities across the enterprise
and should have authority within the organisation to do so.

Effective CROs are concerned with what the institution’s leaders may not know and,
therefore, must occasionally offer a contrarian point of view; otherwise, the decision-
making process may end up flawed with “group think.” In today’s environment,
decision-making processes should be driven by objective assessments of the
risk/reward balance, rather than by the emotional investment, management bias and
short-termism that underlie dangerous organizational blind spots.

Functions:

 Identifying material individual, aggregate and emerging risks (a process
known as Risk Identification);
 Assessing these risks and measuring the bank’s exposure to them (a process
known as Risk Measurement);
 Subject to the review and approval of the board, developing and implementing
the enterprise-wide risk governance framework, which includes the bank’s
Risk Culture, Risk Appetite and risk limits.

System Audit
The data and information generated in companies today are endless. The
information that is processed and stored within a company is incalculable.
Companies increasingly need technology to work, requiring complex software and
computerized equipment to carry out their activity in an optimized and efficient
manner.

A systems audit involves the review and evaluation of the controls and computer
systems that process the company’s information, as well as their use, efficiency
and security. As a means of control, follow-up and review, the systems audit helps
ensure that computer processes and technologies are used more efficiently and
safely, supporting sound decision-making. Its activities include:

 Verifying and judging the information objectively.
 Verifying the controls over information processing and systems installation,
in order to evaluate their effectiveness and to present recommendations and
advice.
 Examining and evaluating the processes in terms of computerization and
data processing. In addition, the resources invested, the profitability of each
process and its effectiveness and efficiency are evaluated.

Objectives of the Systems audit are:

 Improve the cost-benefit ratio of information systems.
 Increase the satisfaction and security of the users of these computerized
systems.
 Protect the confidentiality and integrity (and, in practice, the availability) of
information through proper security and control systems.
 Minimize exposure to risks such as malware and intrusions.
 Optimize and streamline decision making.
 Educate on the control of information systems; since this is a fast-changing
and relatively new field, it is necessary to educate the users of these
computerized processes.

Code of Corporate Governance


Corporate governance refers to the accountability of the Board of Directors to all
stakeholders of the corporation i.e. shareholders, employees, suppliers, customers
and society in general; towards giving the corporation a fair, efficient and transparent
administration.

Following are cited a few popular definitions of corporate governance:

(1) “Corporate governance means that a company manages its business in a manner
that is accountable and responsible to the shareholders. In a wider interpretation,
corporate governance includes the company’s accountability to shareholders and other
stakeholders such as employees, suppliers, customers and the local community.” –
Catherwood.

(2) “Corporate governance is the system by which companies are directed and
controlled.” – The Cadbury Committee (U.K.)

Certain useful comments on the concept of corporate governance are given below:

(i) Corporate governance is more than company administration. It refers to a fair,
efficient and transparent functioning of the corporate management system.

(ii) Corporate governance refers to a code of conduct which the Board of Directors
must abide by while running the corporate enterprise.

(iii) Corporate governance refers to a set of systems, procedures and practices which
ensure that the company is managed in the best interest of all corporate
stakeholders.

Need for Corporate Governance:

(i) Wide Spread of Shareholders:

Today a company has a very large number of shareholders spread all over the
nation and even the world; and a majority of shareholders being unorganised and
having an indifferent attitude towards corporate affairs. The idea of shareholders’
democracy remains confined only to the law and the Articles of Association; which
requires a practical implementation through a code of conduct of corporate
governance.

(ii) Changing Ownership Structure:

The pattern of corporate ownership has changed considerably in present-day times,
with institutional investors (foreign as well as Indian) and mutual funds becoming the
largest shareholders in the large corporate private sector. These investors have become
the greatest challenge to corporate managements, forcing the latter to abide by
some established code of corporate governance to build up their image in society.

(iii) Corporate Scams or Scandals:

Corporate scams (or frauds) in recent years have shaken public confidence in
corporate management. The Harshad Mehta scandal, perhaps the biggest of them,
remains in the hearts and minds of all who are connected with corporate
shareholding or are otherwise educated and socially conscious.

The need for corporate governance is, then, imperative for reviving investors’
confidence in the corporate sector towards the economic development of society.

(iv) Greater Expectations of Society of the Corporate Sector:

Society today holds greater expectations of the corporate sector in terms of
reasonable prices, better quality, pollution control, best utilisation of resources etc. To
meet social expectations, there is a need for a code of corporate governance, for the
best management of the company in economic and social terms.

(v) Hostile Take-Overs:

Hostile take-overs of corporations, witnessed in several countries, put a question
mark on the efficiency of the managements of the companies taken over. This factor
also points to the need for corporate governance, in the form of an efficient code of
conduct for corporate managements.

(vi) Huge Increase in Top Management Compensation:

It has been observed in both developing and developed economies that there has
been a great increase in the monetary payments (compensation) packages of top
level corporate executives. There is no justification for exorbitant payments to top
ranking managers, out of corporate funds, which are a property of shareholders and
society.

This factor necessitates corporate governance to contain the ill-practices of top
managements of companies.

(vii) Globalisation:

The desire of more and more Indian companies to get listed on international stock
exchanges also points to the need for corporate governance. In fact, corporate
governance has become a buzzword in the corporate sector. There is no doubt that the
international capital market recognises only companies that are well managed according
to standard codes of corporate governance.

Principles of Corporate Governance:

(or major issues involved in corporate governance)

The fundamental or key principles of corporate governance are described below:

(i) Transparency:

Transparency means the quality of something which enables one to understand the
truth easily. In the context of corporate governance, it implies an accurate, adequate
and timely disclosure of relevant information about the operating results etc. of the
corporate enterprise to the stakeholders.

In fact, transparency is the foundation of corporate governance; it helps to
develop a high level of public confidence in the corporate sector. For ensuring
transparency in corporate administration, a company should publish relevant
information about corporate affairs in leading newspapers, e.g., on a quarterly, half-
yearly or annual basis.

(ii) Accountability:

Accountability is a liability to explain the results of one’s decisions taken in the
interest of others. In the context of corporate governance, accountability implies the
responsibility of the Chairman, the Board of Directors and the chief executive for the
use of the company’s resources (over which they have authority) in the best interest of
the company and its stakeholders.

(iii) Independence:

Good corporate governance requires independence on the part of the top
management of the corporation, i.e. the Board of Directors must be a strong, non-
partisan body, so that it can take all corporate decisions based on business
prudence. Without the top management of the company being independent, good
corporate governance remains only a dream.

Whistle Blowing and Social Responsibility

Whistle Blowing

Definition: When a former or existing employee of an organization raises his or her
voice against unethical activities being carried out within the organization, it is
called whistle blowing, and the person who raises the concern is called a whistle
blower.

The misconduct can take the form of fraud, corruption, or violation of company rules
and policies, all of which threaten the public interest. Whistle blowing is done to
safeguard the interests of society and the general public for whom the organization
is functioning.

Companies should encourage their employees to raise an alarm when they find
any violation of rules and procedures, and to report any possible harm to the
interests of the organization and of society.

Types of Whistle Blowing

1. Internal Whistle Blowing: An employee reports the misconduct to officers or
seniors holding positions in the same organization.
2. External Whistle Blowing: Here, the employee reports the misconduct to a
third party who is not a member of the organization, such as a lawyer or a
regulatory or legal body.

Most often, employees fear raising their voice against illegal activity being carried
out in the organization for the following reasons:

 Threat to life
 Loss of jobs and careers
 Loss of friendships
 Resentment among co-workers
 Perceived breach of trust and loyalty

Thus, in order to provide protection to whistle blowers, the Whistle Blowers
Protection Bill was passed by the Lok Sabha in 2011 (it later received assent as the
Whistle Blowers Protection Act, 2014).

The next question is which offences are considered valid grounds for whistle
blowing and are protected by law. The following are acts for which concerns can be
raised with legal protection:

1. Fraud
2. Danger to health and safety
3. Damage to the environment
4. Violation of company law
5. Embezzlement of funds
6. Breach of law or miscarriage of justice

Social Responsibility

CSR is corporate social responsibility: the responsibility of organizations to act in
ways that protect and improve the welfare of multiple stakeholders. A key word in
this definition is “stakeholder”, meaning any group within or outside the organization
that is directly affected by the organization and has a stake in its performance.
Stakeholders can be customers, organization members, owners, other organizations
that work with it, competitors, community members, financial investors, and anyone
else who would be affected by the organization’s actions. This matters a great deal,
because the difference between a company that considers all stakeholders and one
that considers only shareholders heavily influences how socially responsible the
company is.

Enterprise Risk Management


Recommendations
Recommendation #1:  Determine Board Risk Oversight Responsibility

Ultimately, it is management who is responsible for risk management, and the board
is responsible for overseeing management’s process of identifying, monitoring and
mitigating risks. If there is no established risk management framework, the board
should charge management to develop a framework that includes the board’s
oversight duties. Boards can break down their responsibilities by assigning directors
with experience or knowledge in a particular area to oversee a particular risk
management process. For instance, the Public Policy Committee of ConocoPhillips
is responsible for overseeing risks related to health, safety and environmental
issues. However, these committees are still responsible for seeing the big picture
and should come together on a periodic basis to discuss the risks they are
overseeing as well as the risks the company is facing as a whole.

The thought paper offers recommendations for boards to develop and define their
oversight responsibilities.  Boards should work with management to assign risk
oversight responsibilities to individual committees; committees should collaborate on
risk-related happenings, and have management brief the entire board on strategic
risks facing the company.

Recommendation #2:  Enhance Risk Intelligence


Risk intelligence is how the company, at all levels, perceives risk management and
conducts itself with regards to risk.  The board should promote risk transparency at
all levels of the organizations so that day-to-day decision-makers are aware of the
strategic goals and how their decisions could impact those goals.  Management
should communicate and exude a risk intelligent culture for all employees to follow.
To do this, management should:

 Clearly communicate responsibilities and hold responsible parties
accountable
 Develop a process for lower-level employees to communicate emerging risks
 Encourage employees to challenge new initiatives that could negatively
impact the greater company

To promote an effective risk culture, boards can set a tone that allows employees
to voice their concerns without fear of losing their jobs. They can also help to
develop a process to measure risk intelligence that management continually
monitors, and they should support management with resources, training and data
from the company.

Recommendation #3:  Determine Risk Appetite

Risk appetite is the amount of risk a company is willing to take.  This can be defined
in quantitative or qualitative ways.  Management should be the one to develop the
risk appetite for the organization and the board should understand management’s
assumptions and approve or disapprove the company’s overall level of risk appetite.
Once an appetite has been defined, the board should help management monitor
emerging risks and opportunities, and evaluate whether the risk appetite should be
changed.  The board should also evaluate management’s previous decisions to see
whether the risk appetite was bypassed.  And finally, the board should align
management’s incentives with the company’s risk appetite.  This will prevent
management from taking on too much risk.

Recommendation #4:  Align Risk Management With Strategy

The board is also responsible for helping management develop a strategy that is
aligned to the company’s mission.  When the company is developing its strategy, the
board should at the same time discuss the risks to the strategy and the risks of the
strategy.  This will help the entity identify risks that could ultimately disrupt its ability
to compete.  In order to do this, the board should challenge management on their
assumptions by asking the right questions, establishing an open dialogue, and
identifying alternatives.  

The board should consider whether to provide “active oversight” in these strategic
settings.  That may include verifying that management has established key risk
indicators and a process for monitoring these indicators, scanning the horizon for
emerging risks, and fostering flexibility at the management level to avoid risks or
seize opportunities.  

Recommendation #5:  Evaluate Risk Governance “Maturity”

One common measurement boards use to evaluate risk maturity is the amount of
experience the company has with risk management.  Boards should dive deeper
than this and consider more criteria, such as:

 How often does management communicate to the board concerning risk
management?
 Are specific risks assigned to specific board committees and processes?
 Which committee is responsible for which risks?
 During strategic planning, are risks identified and analyzed, are assumptions
challenged, and are alternative options evaluated? Is there scenario planning?
 How does management monitor key risk indicators, and is there agreement on
when action should be taken?

Depending on the level of risk governance sophistication the entity needs to
effectively manage its portfolio of risks, the entity’s maturity may fall anywhere
within one of the five phases of risk intelligence.

1. Initial: ad hoc risk management, based on individual actions.
2. Fragmented: risks are managed in isolated departments and are rarely
aligned to strategy.
3. Top-down: enterprise-wide risk assessments and a dedicated team to manage
risks.
4. Integrated: risk appetite defined, key indicators monitored, escalation
procedures communicated.
5. Risk Intelligent: risk dialogue is part of strategy development, performance
measures and incentives are linked, risk scenarios are evaluated, and early
warning from risk indicators is used.

Recommendation #6:  Communicate Risk Process and Issues to Stakeholders

The SEC now requires public companies to disclose how the board oversees risk
and how it works with management to address risks to the company.  These rules
were established to provide greater transparency to investors and stakeholders.
However, the thought paper states that meeting this minimum requirement is not
enough to make stakeholders comfortable with the company’s risk management
process.  By explaining the company’s risk management process and oversight
clearly to stakeholders, companies attract more long-term investors.  Over the past
three years, Deloitte has seen an increase in the quality of risk disclosures.
Companies can improve their risk disclosures by explaining their processes in plain
English, providing insight into the board’s oversight role, and ensuring that risk
disclosures are accurate, relevant and specific.

Enterprise risk management (ERM) has emerged as a best practice in gaining an
overview of strategic, financial and operational threats, and in determining how to
mitigate and manage those risks.

A comprehensive approach to risk management is important because it helps
management comprehend the true potential of threats and allows organizations to
address the cumulative nature of risk.

The following steps can help your company achieve the ERM objective.

1. Just Do It!
The process of creating an ERM program is valuable, revealing much about
your organization and the interrelatedness of elements within it. Document
your efforts in your board minutes and share them with any auditors. You will
generally find those parties willing to provide constructive feedback because
they have a vested interest in the success of your efforts.

2. Get a Champion
Your board of directors is accountable to shareholders and the SEC (if your
company is public)—and possibly to other entities by industry—for the
adequacy of risk management procedures, controls and ultimately for the
competence of management. A logical champion of your ERM efforts is the
chairperson of your board audit or ERM committee, followed by the chair of
the board and other board members. If these individuals understand that an
ERM program can help them discharge their duties and protect them from
personal financial risk, you will likely see top-level buy-in and a trickle-down
effect through senior management.
3. Merge the Silos
If existing risk committees and sub-committees are functioning as intended
and get consistently high marks from outside auditors, it’s unlikely that
fundamental changes are needed. Yet it is important they understand where
they fit in the bigger picture. A board-level champion can help provide this
perspective, and reinforce the role of the ERM committee in setting the
organization-wide level of acceptable risk.
4. Weight the Risks
Certain areas of risk have the potential to seriously harm your organization.
Others, however, are less critical. When your management team assembles
an ERM framework, create a logical mechanism for assigning relative weights
to each area of risk, and to selected components within those areas.
5. Create a Dashboard
A dashboard containing a high-level summary of major risk elements,
supported by “drill-down” detail, enables board members and senior managers
to connect all the pieces of the risk management puzzle. A dashboard need
not be complex. Some managers use Microsoft Excel to create multi-layered
risk workbooks, which summarize details provided by the risk sub-committees
into a single page of high-level information.
6. Understand Risk and Reward
Some risks are worth taking, because the expected reward outweighs the
likelihood and consequences of failure. In other cases the reward does not
outweigh the potential consequences. Then there are risks not worth
considering at all: “bet-the-farm” propositions, or anything illegal or immoral.
Each risk committee and sub-committee should understand the risk-versus-
reward proposition for the risks it owns.
7. Set Limits
One important function of the board ERM committee is to work with
management to establish limits to risk taking. Management should make
recommendations to the board, supported by reasonable data and arguments,
which establish the boundaries of the organization’s risk appetite.
Management’s role is to advise and inform, with the ultimate decision resting
with the board.
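As an added worked example (not code from the page or from any named source), the Python below ties steps 4, 5 and 7 together: each risk in a register gets a likelihood and impact score, risks are weighted within their area, areas are rolled up and combined with area weights into one dashboard figure, and each area's weighted score is compared with a board-approved limit so that breaches of appetite can be escalated. The 1..5 scales, the area weights, the limits and every entry in the sample register are constructed assumptions for illustration only.

```python
"""Weighted risk register with area roll-up and risk-appetite limits.

Added illustration of steps 4 (weight the risks), 5 (dashboard) and
7 (set limits). Scales, weights, limits and register entries are all
constructed assumptions, not figures from any real programme.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    area: str            # risk area, e.g. "operational", "cyber"
    likelihood: int      # 1 (rare) .. 5 (almost certain)  [assumed scale]
    impact: int          # 1 (negligible) .. 5 (severe)     [assumed scale]
    weight: float = 1.0  # relative weight of this risk within its area

    def __post_init__(self):
        # Reject out-of-range scores early; a silently wrong score would
        # corrupt every roll-up that depends on it.
        for label, v in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= v <= 5:
                raise ValueError(f"{label} must be in 1..5, got {v}")
        if self.weight <= 0:
            raise ValueError("weight must be positive")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact  # 1..25


# Assumed relative importance of each risk area (normalised when combined).
AREA_WEIGHTS = {"strategic": 3.0, "financial": 2.0, "operational": 2.0, "cyber": 3.0}

# Assumed board-approved appetite: maximum tolerated weighted score per area.
AREA_LIMITS = {"strategic": 12.0, "financial": 10.0, "operational": 12.0, "cyber": 8.0}


def area_rollup(risks):
    """Weighted mean score per area, so one heavily weighted risk can
    dominate several minor ones instead of being averaged away."""
    totals, weights = {}, {}
    for r in risks:
        totals[r.area] = totals.get(r.area, 0.0) + r.weight * r.inherent_score()
        weights[r.area] = weights.get(r.area, 0.0) + r.weight
    return {a: round(totals[a] / weights[a], 2) for a in totals}


def enterprise_score(area_scores, area_weights=AREA_WEIGHTS):
    """Single top-line dashboard number: area scores combined by
    normalised area weights, still on the 1..25 scale."""
    present = {a: w for a, w in area_weights.items() if a in area_scores}
    total_w = sum(present.values())
    return round(sum(area_scores[a] * w for a, w in present.items()) / total_w, 2)


def breaches(area_scores, limits=AREA_LIMITS):
    """Areas whose weighted score exceeds the approved limit, with the size
    of the excess, sorted largest first so escalation can be prioritised."""
    out = {a: round(s - limits[a], 2) for a, s in area_scores.items()
           if a in limits and s > limits[a]}
    return dict(sorted(out.items(), key=lambda kv: -kv[1]))


def dashboard(risks):
    """One-page roll-up plus drill-down: top risk per area and any breach."""
    scores = area_rollup(risks)
    top = {}
    for r in risks:
        if r.area not in top or r.inherent_score() > top[r.area].inherent_score():
            top[r.area] = r
    return {
        "enterprise_score": enterprise_score(scores),
        "area_scores": scores,
        "top_risk_per_area": {a: r.name for a, r in top.items()},
        "breaches": breaches(scores),
    }


# Constructed sample register; names and numbers are illustrative only.
SAMPLE_REGISTER = [
    Risk("Key supplier insolvency", "operational", 2, 4, weight=1.0),
    Risk("Data-centre outage", "operational", 3, 4, weight=2.0),
    Risk("Ransomware on core systems", "cyber", 3, 5, weight=3.0),
    Risk("Phishing-led credential theft", "cyber", 4, 3, weight=1.0),
    Risk("Interest-rate shock", "financial", 2, 3, weight=1.0),
    Risk("New entrant erodes market share", "strategic", 3, 4, weight=1.0),
]

if __name__ == "__main__":
    import json
    print(json.dumps(dashboard(SAMPLE_REGISTER), indent=2))
```

With the sample register the cyber area rolls up to 14.25 against a limit of 8, so it is the only breach the dashboard escalates, while operational (10.67) and strategic (12.0) sit within appetite. The weights are what make a single severe risk visible at the top level; the limits are what turn a score into a decision the board has already agreed to.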

A Top-To-Bottom Effort
It is possible for ERM practices to become part of your organizational culture. Global
awareness of the process and a rank-and-file understanding of the board’s focus on
effective risk management are critical to obtaining the buy-in of the entire
organization. After all, risk management is everybody’s job—today more than ever.
