Risk Management Procedure

ISO 31000:2009
Mumbai, Bhopal and USA – Unthinkable risk which matured

Why talk about risk?

• Risk is something that we all face every day.
• As a company, we have to take risks in pursuit of our BUSINESS objectives.
• To raise awareness that we all have to manage risk as part of our daily working lives as well as personal.

What do we know about RISK MANAGEMENT?
• Risk Management (RM) is part of our everyday lives:
– Crossing the road – Risk of getting run over
– Managing our finances – Risk of going broke
– Purchase of insurance – Risk of fire, theft, storm
– Choosing to smoke – Risk of cancer
– Going for a swim – Risk of drowning
• The choices we make in choosing to accept these risks are part of who we are.

Why We Need to Manage Risk
The purpose of managing risk is to increase the
likelihood of an organization achieving its objectives
by being in a position to manage threats and
adverse situations and being ready to take
advantage of opportunities that may arise.

National Guidance on Implementing ISO 31000:2009
From NSAI in Ireland

Background…
• Risk management project by Grant Thornton was started
in 2008.
• Control self assessment methodology followed for
deployment by appointing Risk Champions within
functions.
• Qualitative Analysis with 3x3 matrix (High, Medium,
Low).
• Prepared Policy Manual, Polarization Document &
Review Process for consistency in rating the risk.
• Training & Seekh sessions conducted across all
functions to disseminate the concept for Mapping Risk
Statement, As Is Control & Mitigation Plan

Current Process…

• To follow ISO 31000:2009 standard Guidelines.
• Hybrid Model followed for both Quantitative and Qualitative Analysis –
– Quantitative 5x5 matrix for Significance x Likelihood.
– Qualitative Analysis with 3x3 matrix (High, Medium, Low).
• Review Mechanism – bimonthly
• MIS – Risk Mitigation Index
• Corporate Level Risk Management Committee meeting – Bi-annually
• Awareness sessions conducted

Risk
• Risk as “An event which can
prevent, hinder, fail to further or
otherwise obstruct the enterprise
in achieving its objectives.”
• RISK is any uncertainty which
impedes the achievement of
objectives.
• Business risk as “The threat that
an event or action will adversely
affect an enterprise’s ability to
maximize stakeholder value and
to achieve its business
objectives.”

How to Identify Risk
• Process flow technique with scenario building methodology is used for risk mapping.
• One way to check whether we have captured the true essence of the risk is by asking the question: WHAT CAN GO WRONG.
• If we compare the answer to the question with the risk identified (and it highlights the possibility of a loss irrespective of the controls in place) then we have a risk on our hands.

Event identification
Internal and external events affecting achievement of an entity’s objectives must be
identified, distinguishing between risks and opportunities. Opportunities are channelled
back to management’s strategy or objective-setting processes

Assessing Risk from 2 perspectives: the Impact & Likelihood
[Figure: Significance (Severity) and Likelihood (Probability) together give the Inherent Value of Risk]

Mitigating Control Effectiveness / As Is Controls & Residual Risk
• MCE – All the identified risks will be mapped to the existing controls/practices. The control strength will be assessed for its effectiveness to mitigate the identified risks by carrying out process walkthroughs, observation, exception monitoring etc. The controls are to be mapped at the likelihood stage to ensure the risk vulnerability is addressed.
• All risks and the existing controls are measured to get a residual risk exposure.

[Figure: Inherent Value of Risk → Consider "As Is" Control Strength → Residual Value of Risk → New Action Plans to mitigate remaining risk]

10/05/2022
Risk Response
• Terminate: Avoid - disposal, not performing
• Treat: Reduce - diversifying
• Transfer: Share - insuring, JV
• Tolerate: Accept - self insurance

Control Activities
• Policies and procedures that help ensure that the
risk responses, as well as other entity directives, are
carried out. (check for design effectiveness and operating
efficiency)
Linkages With Different Areas
• IMS Process
• BSC Linkage
• Risk Identification & mapped
• Mention in IMS process

Risk Valuation Process
Inherent Value or Gross Risk
• Inherent Value or gross risk is the result of likelihood x impact.

"As Is" Control Strength
• Existing controls and practices are mapped and assessed for their effectiveness in mitigating the identified risks.

Residual Risk Value
• Residual Risk exposure is the unmitigated value of Risk after assessing the "As Is" Controls. Management action plans with timelines are developed to address the unmitigated exposure.
Governance process
Board
Chief Risk Officer
Audit Committee
Mr. Ajay Kapoor
Corporate Level Risk Management Committee
CEO&MD as chairman and RMSC Heads as members
[Organisation chart; box layout lost in extraction. Below the Corporate Level Risk Management Committee the chart shows the RMSC heads (Chiefs, Heads and HoDs of functions including Corporate Communication & Govt. Affairs, Operations, System & Safety, Commercial, Finance, Legal & Regulatory, Information Technology, Projects & Contracts, and HR, IR & Administration) and, beneath them, the corresponding Risk Management Sub Committees.]

Risk Governance
• To address issues like team effort & ownership, Risk Management Sub Committees have been formed.
• Key duties and responsibilities of the Sub Committee:
o Assisting the various functions to identify, assess, analyse and manage risks
o Quantification of risk in value terms
o Developing risk response processes
o Monitoring the relative performance of function
o Identifying the areas which need insurance or financial cover to protect against loss
o Ensuring the implementation of risk mitigation plans
o Escalation of issues requiring policy approvals and amendments
o Reviewing and discussing significant risk issues & ensuring horizontal collaboration in the development of mitigation strategies and the establishment of corporate priorities in resource allocation
o Reporting new risks or failures of existing control measures with remedial action
o Keeping the risk portfolio & related action plans updated, along with periodic confirmation & self assessment signoff
To Identify Impact
• It should have Direct impact on Bottom line.
• Examples:
o Power Purchase Cost
o Sales & revenue & profit
o Revenue gap
o Billing efficiency
o Cash flow effect, cost per consumer
o Excess payment
o Loss on interest income
o Loss on rebates on early payments
o Wrong salary disbursement
o Loss on LD charges

Risk Rating will be based on Residual Risk.

Leading Indicators of Risk Event

[Figure: Chain of events. Root Cause Event (leading indicators of event?) → Intermediate Event (leading indicators of event?) → Risk Event. Callouts: proactively take action; early mitigation strategies; reduce or eliminate the impact.]
Advantages of ERM
• Problem anticipation – better preparedness & response to uncertainty
• Improve performance and profitability through strong operating capability
• Ensure that financial viability and its reporting is reliable and in line with expectations
• Ensure company is in compliance with all laws, regulations to avoid pitfalls and surprises
• Greater alignment – Improvement to business objective achievement.
• Better business understanding – of various inter-related events and response actions.

Risk Polarisation For Quantitative Approach and Evaluation Approach

The risks are ranked according to their significance & likelihood of occurrence and the residual
exposure is determined by assessing their corresponding mitigating control effectiveness

• Impact in Rupees Crores

Scale             | 1  | 2       | 3        | 4         | 5
Impact (Rs. Crs.) | <1 | 1 to 10 | 11 to 50 | 51 to 200 | > 201

• Probability scale guide (Frequency)

S No | Probability | Occurrence in future | Occurrence in past
1 | Less than 5% | Not likely, almost impossible to occur between year 2 (from now) to 5 years | Similar instances have never occurred in the past
2 | 5% to 9% | May occur once or twice between year 2 (from now) to 5 years | Though not routinely, but there have been similar instances in last 2 to 5 years
3 | 10% to 49% | Possible, may arise once or twice within the immediate next year | There have been 1 or 2 similar instances in the past year
4 | 50% to 80% | High, may arise several times within the immediate next year | Similar instances have occurred several times in the past year
5 | Over 80% | Very high, almost a routine feature every month within the immediate next year | Similar instances have commonly occurred every month in the past

Risk Management Format
Tata Power Delhi Distribution Limited – Risk Profile
• Risk No. (AA11)
• RMSC: Name of Committee
• Function: Name of Function
• Process Name: Name of Process
• Linkage to BSC
• Primary Risk Owner: Name of Function Head
• Risk Sub-Owner(s): Name of Process Owner
• Risk Champion: Name of Risk Champion
• Risk Rating: shall be based on residual risk & to be given by TA after consolidation
• Risk Description: possible outcomes/consequence of a risk
• Risk Statement
• Valuation (columns: Inherent Value, Details of calculation, Residual Value)
o Risk Impact (in Rs. Crs.)
o Likelihood (%): chances that the risk/event is likely to mature or happen in future
o Value of Risk (in Rs. Crs.)
o Inherent Value = Likelihood X Significance
o Details of calculation: cumulative of all – cases above the normal prudent norms
o Residual Value: with the existing control, the probability of its occurrence is likely to reduce, &/or sometimes the impact also
• Risk Indicators (1, 2, 3): intermediary indicators which may lead to a Risk
• Measures already being taken to mitigate the risk ("As Is" Control): Existing Controls (1, 2)
• Controls & Mitigating Actions Proposed (Management Action Plan) (1, 2)
o Columns: Description, Target Date, Resp., Approx. cost for proposed action (Rs. crs), Actual Date, Remarks (grouped under Action proposed and Action taken)
o Action status: G - Action Taken; Y - Action Being Taken; R - Action Not Taken
• Comments of Sub-Committee
• Comments of Risk Management Committee
• Comments of Audit Committee

For every residual risk a New Action plan needs to be made. Risk response will incur some cost that is weighed against the benefits it creates (reduced residual exposure). Further action to mitigate residual exposure would be taken ONLY IF benefits > cost incurred.
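
The valuation chain described in these slides (rating bands, inherent and residual value, and the benefits > cost test), worked through as an added example that is not part of the original presentation. The handling of values that fall between two bands and all sample figures are assumptions made for illustration.

```python
from bisect import bisect_left
from dataclasses import dataclass

# Assumption: the slide's bands leave gaps (10 to 11 crores, 9 to 10 %,
# 49 to 50 %); a value that falls in a gap is rated in the higher band.
def _rate(value, floor, uppers):
    return 1 if value < floor else 2 + bisect_left(uppers, value)

def significance_rating(impact_crs):
    """Impact bands in Rs. crores: <1, 1 to 10, 11 to 50, 51 to 200, >201."""
    return _rate(impact_crs, 1, [10, 50, 200])

def likelihood_rating(pct):
    """Probability bands: <5 %, 5 to 9 %, 10 to 49 %, 50 to 80 %, over 80 %."""
    return _rate(pct, 5, [9, 49, 80])

@dataclass(frozen=True)
class Valuation:
    impact_crs: float       # Risk Impact (in Rs. Crs.)
    likelihood_pct: float   # Likelihood (%)

    @property
    def value_crs(self):
        """Value of Risk (in Rs. Crs.) = Likelihood x Significance."""
        return self.impact_crs * self.likelihood_pct / 100

    @property
    def matrix_cell(self):
        """(significance, likelihood) position on the 5x5 matrix."""
        return (significance_rating(self.impact_crs),
                likelihood_rating(self.likelihood_pct))

def further_action_justified(residual, after_action, cost_crs):
    """Act ONLY IF benefit (cut in residual exposure) > cost incurred."""
    return residual.value_crs - after_action.value_crs > cost_crs

# Constructed sample figures, not taken from the slides.
INHERENT = Valuation(impact_crs=120, likelihood_pct=60)    # no controls
RESIDUAL = Valuation(impact_crs=120, likelihood_pct=20)    # with "As Is" controls
AFTER_PLAN = Valuation(impact_crs=40, likelihood_pct=10)   # with proposed plan

if __name__ == "__main__":
    for name, v in [("inherent", INHERENT), ("residual", RESIDUAL),
                    ("after plan", AFTER_PLAN)]:
        print(f"{name:10s} cell={v.matrix_cell} value={v.value_crs:.1f} Rs. Crs.")
    for cost in (5, 25):
        print(f"plan costing {cost} Rs. Crs. justified:",
              further_action_justified(RESIDUAL, AFTER_PLAN, cost))
```

With these figures the proposed plan removes 20 Rs. Crs. of residual exposure, so it passes the test at a cost of 5 and fails it at a cost of 25.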
Thank You