
FICCI - GRMI MODEL RISK CODE

Prof. Madhu Vij and Subhashis Nath highlight the critical shift of risk management from tactical compliance to a strategic advantage for businesses. Their insights emphasize the Model Risk Code (MRC), a FICCI-Global Risk Management Institute initiative, as a practical guide championed by Boards. Key messages include embracing risk as an enabler, embedding it in KRAs, fostering a 'fail fast' culture, and strategic scenario planning for enhanced organizational resilience.

Prof. Madhu Vij 05 May 2025 05:15

Prof Madhu Vij, Academic Council Chair and President at Global Risk Management Institute, Gurugram, Former Professor, Faculty of Management Studies, University of Delhi & Subhashis Nath, Dean and Mentor, Global Risk Management Institute, Gurugram, Former Senior Vice President and Global Leader, Genpact Enterprise Risk Consulting

The multiple economic and financial crises, along with a series of scandals across various sectors, have made risk management processes an indispensable part of good corporate governance practices. The changing risk landscape in the last two decades has made the process of risk management challenging for companies, as the focus of risk management has been elevated from the tactical to the strategic level. High-performing organizations need to manage their risks strategically in all areas of operation. Boards have a duty to ensure that risks are being effectively managed and that the internal and external audit function provides regular, objective and independent assessment and compliance of risks in their respective areas. This oversight is essential to create a strong risk landscape and have regular updates on emerging risks so that there is adequate professional expertise to develop best practices.

Realizing a pressing need, and that all company Boards need assurance that risks are being managed effectively, FICCI and Global Risk Management Institute collaborated and set up an 18-member Risk Task Force comprising Board members, Big 4 Chair/CEOs, and global risk and academia leaders, to create a Model Risk Code (MRC) for the Indian industry. The Risk Task Force was chaired by Mr. M. Damodaran, Former Chairman, Securities and Exchange Board of India. The objective of the Risk Task Force was to empower corporates to embrace risk management practices and also to create a climate for risk appreciation and awareness, and drive a risk culture. The MRC is designed as a practical playbook with best practices and guidelines around risk management and is applicable to all companies, Board members, Risk management and Audit committee members, CEO, CXO, CRO and all business heads. Some overarching key messages that the members focussed on and that should align with the industry, regulators and external agencies through the Model Risk Code are:

  1. Risk Management should be perceived as a ‘competitive advantage’, not compliance - Companies should perceive risk management as being able to offer innovative opportunities and create significant competitive advantage and also help in reducing costs and disruptions.
  2. Risk Management as an ‘enabler’, rather than a ‘detractor’ - A good and well-governed risk management framework should understand the organization’s key goals and objectives to be able to proactively identify emerging risks. Risk management as an enabler will allow businesses to take bolder and risk-informed decisions, adding value to the organization.
  3. Risk Management to be understood as a strategy function - As the role and nature of risk management continue to evolve due to technological advances, companies that fail to manage them appropriately and on time will endanger their future sustainability.
  4. Tone from the Board – Boards should be at the forefront of a risk management framework and need to commit appropriate resources for enhancing risk management processes including people, technology, external partners, time, attention, training, and communication. Organizations have a key role to play in enabling integration of risk management function and define the scope and frequency of risk reports it expects to receive from executive management.
  5. Building KRAs around Risk Management - Amidst the dynamic and heightened risk-conscious environment, the focus of risk management needs to be embedded into the DNA of the organisation. Embedding risk considerations and defining responsibilities for various parts of the risk management process should be made part of the KRA definition.
  6. Culture of ‘fail fast’ – The fail-fast culture in organizations celebrates learning from early mistakes. Early-stage failures have a lower impact and allow organisations to treat failures as important learning and valuable feedback. This helps to promote creativity and build resilience and adaptability.
  7. Using scenario planning - Evaluation of alternative scenarios beyond the business is a method used by companies to anticipate failures and success by preparing a set of possible scenarios and to take decisions under uncertainty. This helps to prepare for multiple potential scenarios beyond the business-as-usual activities and integrate the same into annual strategic reviews.
  8. Stakeholder engagement – Regular stakeholder engagement is critical and helps to engage and improve quality of decisions with both internal and external stakeholders, i.e. employees, shareholders, Board, customers, regulators, third parties, investors and communities. Varied and diverse inputs from all stakeholders also lend credibility to decisions and address the various risks emanating from them.
  9. Ability to foresee risks / disruptions – Companies need to proactively identify potential disruptions and threats in both internal and external environment to identify signals which could eventually hit as real risks. These models can help in risk mitigation and preparedness and enhance their resilience in today’s ever-changing risk landscape.
  10. Addressing ‘early warning signals’ – Today’s businesses must be more risk savvy and need to take note of small failures or seemingly insignificant individual risk events that may be causing small losses. These risks may be ‘early warning signals’ that, if not detected and addressed in time, may lead to catastrophic failures.
  11. Need for enhancing the Risk organization structure: There is significant merit for organisations to have an independent risk management committee that should make recommendations to the board and be responsible for analysing the emerging upside as well as downside risks. It should also ensure that risk management programs add value and improve financial performance in the long run.
  12. Risk Management process as a criterion for external stakeholders – Appreciation and inclusion of Risk Management practices as a key review criterion by external stakeholders may help organisations be in the league of risk intelligent professionals.
  13. Risk Management process as a criterion to be applicable to all industry sections - Businesses today are more risk savvy and need to focus on various risks such as supply chain risk, regulatory risk, third-party risks, and business continuity planning risk. Knowing how to deal with risk will enable the transition of these organisations into the league of risk-intelligent enterprises of the future.

Thus, the Model Risk Code will help Boards and organizations have a strong risk culture and play a crucial role in bringing out best practices around embedment of Risk Culture, KRA definitions around Risk Management, Risk identification, Risk scale, Risk measurement, Risk treatment, Risk governance structure, Risk reporting and monitoring, Risk resources and engagement with internal/external stakeholders. The focus of the code is to create a strong, healthy risk culture, prevent scandals and treat risk as an enabler for forward-thinking decisions.