# RISK MANAGEMENT

## What is meant by handling of risk? Explain risk retention as a method of handling risk.

**Risk can be handled in the following ways:**

1. **Risk Avoidance:** Risk avoidance means not undertaking the risky activity at all, or choosing a less risky business or project instead. For example, one may avoid investing in the stock market because of the volatility of share prices and prefer to invest in debt instruments.
2. **Risk Retention/Absorption:** This is the handling of unavoidable risk internally: the firm bears or absorbs the loss itself, either because insurance cannot be purchased for that type of risk, or because cover would be too expensive and it is much more cost-effective to handle the risk internally. Usually, retained risks occur with greater frequency but have lower severity. An insurance deductible is a common example of risk retention used to save money, since a deductible is a limited, known loss that the insured accepts in exchange for a lower premium.
   There are two types of retention methods for containing losses:
   - **Active Risk Retention:** Where the risk is retained as part of a deliberate management strategy, after conscious evaluation of possible losses and their causes.
   - **Passive Risk Retention:** Where the risk is retained through negligence: the risk taker either does not know that the risk exists, or considers it a lesser risk than it actually is.
3. **Risk Reduction:** In many ways physical risk reduction is the best way of dealing with any risk situation, and it is usually possible to take steps to reduce the probability of loss. It is best done at the planning stage of any new project, when considerable improvement can be achieved at little or no extra cost.
4. **Risk Transfer:** This refers to the legal assignment of the cost of certain potential losses to another party. Insurance occupies an important place here, since it deals with those risks that can be transferred, at a price, to an organisation that specialises in accepting them.
Usually, there are three major means of loss transfer:

- By tort
- By contract other than insurance
- By contract of insurance

## "The rapidly growing global economy has created an expanding array of risks to be managed to ensure the viability and success of an enterprise." Discuss the statement, enumerating the classes of risk and the ways of handling risk.

**The classes of risk may be summarised as under:**

1. Credit risks
2. Industry and services risks
3. Legal risks
4. Liquidity risks
5. Disaster risks
6. System risks
7. Management and operation risks
8. Market risks
9. Political risks
10. Non-compliance and related risks

**Risk can be handled broadly in four ways:**

1. Risk avoidance
2. Risk reduction
3. Risk retention
4. Risk transfer

## Describe and differentiate risk reduction and risk retention.

**Risk reduction**

Risk reduction means prevention of loss by taking steps to reduce the probability of loss. The ideal time to think of risk reduction measures is at the planning stage of any new project, when considerable improvement can be achieved at little or no extra cost. It is the best way of dealing with any risk. Risk prevention should be evaluated in the same way as other investment projects, as it will save a great deal of cost and effort at a later stage.

**Risk retention**

Risk retention is the process of handling unavoidable risk internally. The firm bears or absorbs the risk because insurance for that type of risk cannot be purchased, or because cover would be too expensive and it is much more cost-effective to handle the risk internally. Retained risks occur with greater frequency but have lower severity.

**Methods of risk retention.** There are two types of retention methods for containing losses:

- **Active Risk Retention:** Where the risk is retained as part of a deliberate management strategy, after conscious evaluation of possible losses and their causes.
- **Passive Risk Retention:** Where the risk is retained through negligence.
  That is, the risk taker either does not know that the risk exists or considers it a lesser risk than it actually is.

The difference, therefore, is that risk reduction acts on the probability of a loss before it occurs, whereas risk retention accepts the financial consequences of a loss that cannot be avoided or economically transferred.

## Discuss the roles and responsibilities of the personnel of an entity in enterprise-wide risk oversight.

Risk oversight is the responsibility of the entire Board, and it can be achieved through a review mechanism which, inter alia, could include:

1. Developing policies and procedures around risk that are consistent with the organization's strategy and risk appetite.
2. Taking steps to foster risk awareness.
3. Encouraging a risk-aware organizational culture.
4. Maintenance of a Risk Register.
5. A compliance certificate on the identification of risks and the establishment of mitigation measures.

## PART III

## RISK MITIGATION STRATEGY

## Discuss in brief the following: Risk management.

Risk is an important element of corporate functioning and governance. There should be a clearly established process of identifying, analysing and treating the risks that could prevent the company from achieving its objectives effectively. It also involves establishing a link between risk, return and resourcing priorities. Appropriate control procedures, in the form of a risk management plan, must be put in place to manage risk throughout the organization. The plan should cover activities as diverse as review of operating performance, effective use of information technology, contracting out and outsourcing.

## Is a Risk Management Policy mandatory for private companies? What are the advantages of risk management?

Section 134(3)(n) of the Companies Act, 2013 requires the Board's report to include a statement indicating the development and implementation of a risk management policy for the company, including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company. This requirement is not confined to listed or public companies; therefore a risk management policy is a prerequisite for a private company as well.
**A properly implemented risk management policy has many potential advantages for an organization, in the form of:**

- Better informed decision making, for example in assessing new opportunities;
- Fewer major problems in new and ongoing activities;
- Increased likelihood of achieving corporate objectives.

Risk management is the culmination of decisions taken to improve corporate governance.

## FRAUD RISK MANAGEMENT

## While conducting the audit, the Secretarial Auditor found that an accountant had, by forging a signature, transferred a huge amount to a dummy account. There was a big financial scam in the organization. While reporting on the fraud, Management desired that a Risk Management Policy to detect and control fraud be prepared. As Company Secretary, point out the major aspects to be included in a Fraud Risk Management Policy.

**Management should be proactive in fraud-related matters. A fraud usually goes undetected until it is unearthed. A Fraud Risk Management Policy should be adopted, aligned with the company's internal control and risk management. The policy will help to strengthen the existing anti-fraud controls by raising awareness across the company and promoting an open and transparent communication culture. It would also promote zero tolerance of fraud/misconduct and encourage employees to report suspected cases of fraud/misconduct. The policy would spread awareness amongst employees and educate them on the risks faced by the company.**

**The major aspects to be included in a Fraud Risk Management Policy are:**

1. **Defining fraud:** This shall cover the activities which the company would consider fraudulent.
2. **Defining roles and responsibilities:** The policy may define the responsibilities of the officers who shall be involved in the effective prevention, detection, monitoring and investigation of fraud.
   The company may also consider constituting a committee or operational structure that shall ensure effective implementation of the company's anti-fraud strategy. This shall ensure effective investigation of fraud cases and prompt as well as accurate reporting of fraud cases to the appropriate regulatory and law enforcement authorities.
3. **Communication channel:** Encourage employees to report suspected cases of fraud/misconduct. Any person with knowledge of a suspected or confirmed incident of fraud/misconduct must report the case immediately through an effective and efficient communication channel or mechanism.
4. **Disciplinary action:** After due investigation, disciplinary action against the fraudster may be considered as per the company's policy.
5. **Reviewing the policy:** Employees should educate their team members on the importance of complying with the company's policies and procedures and of identifying and reporting suspicious activity where a situation arises. Based on developments, the policy should be reviewed periodically.

## Write a short note on the following: Fraud risk management.

**A fraud risk management policy will help to:**

1. Strengthen the existing anti-fraud controls by raising awareness across the company.
2. Promote an open and transparent communication culture.
3. Promote zero tolerance of fraud/misconduct.
4. Encourage employees to report suspected cases of fraud/misconduct.
5. Spread awareness amongst employees and educate them on the risks faced by the company.

**Such a policy may include the following:**

- Defining fraud
- Defining roles and responsibilities
- Communication channel
- Disciplinary action
- Reviewing the policy

## REPORTING OF FRAUD UNDER COMPANIES ACT, 2013

## Write the relevant provisions of the Companies Act, 2013 relating to the reporting of fraud.
**Following are the provisions relating to the reporting of fraud under the Companies Act, 2013:**

- **Section 143(12) of the Companies Act, 2013, read with Rule 13 of the Companies (Audit and Auditors) Rules, 2014, provides that if an auditor of a company, in the course of the performance of his duties as auditor, has reason to believe that an offence of fraud involving an amount of rupees one crore or above is being or has been committed in the company by its officers or employees, the auditor shall report the matter to the Central Government.**
- **Rule 13(2) of the Companies (Audit and Auditors) Rules, 2014 provides that the auditor shall report the matter to the Central Government as under:**
  - The auditor reports the matter to the Board/Audit Committee immediately, but not later than two days of his knowledge of the fraud, seeking their reply or observations within 45 days.
  - On receipt of such reply or observations, the auditor shall forward his report, together with the reply or observations of the Board/Audit Committee and his own comments, to the Central Government within 15 days from the date of receipt of the reply or observations.
  - If the auditor receives no reply or observations from the Board/Audit Committee within the stipulated period of 45 days, he shall forward his report to the Central Government along with a note containing the details of the report earlier forwarded to the Board/Audit Committee, for which no reply or observations were received.
  - The report shall be sent to the Secretary, Ministry of Corporate Affairs, in a sealed cover by Registered Post with Acknowledgement Due or by Speed Post, followed by an e-mail in confirmation.
  - The report shall be on the letterhead of the auditor, containing postal address, e-mail address and contact telephone or mobile number, and shall be signed by the auditor with his seal and indicate his Membership Number.
  - The report shall be in the form of a statement as specified in Form ADT-4.
- **Fraud involving less than one crore rupees:** Rule 13(3) of the Companies (Audit and Auditors) Rules, 2014 further provides that, in the case of a fraud involving less than one crore rupees, the auditor shall report the matter to the Audit Committee/Board immediately, but not later than two days of his knowledge of the fraud, specifying the nature of the fraud with a description, the approximate amount involved and the parties involved. The same shall also be disclosed in the Board's Report.
- **Penal provisions:** Under section 143(15), a person who fails to comply with these reporting requirements is punishable with a fine which shall not be less than one lakh rupees but which may extend to twenty-five lakh rupees.

## REPUTATION RISK MANAGEMENT

## Discuss briefly the following: Reputation risk.

**The Reserve Bank of India, in its Master Circular dated July 1, 2015, has defined reputation risk as:**

"The risk arising from negative perception on the part of customers, counterparties, shareholders, investors, debt-holders, market analysts, other relevant parties or regulators that can adversely affect a bank's ability to maintain existing, or establish new, business relationships and continued access to sources of funding (for example, through the interbank or securitisation markets)."

**Reputational Risk Management**

For managing reputation risk, the following principles are worth noting:

- Integration of risk while formulating business strategy.
- Effective board oversight.
- Image building through effective communication.
- Promoting a compliance culture to achieve good governance.
- Persistently following up on the corporate values.
- Due care, interaction and feedback from the stakeholders.
- Strong internal checks and controls.
- Peer review and evaluation of the company's performance.
- Quality report/newsletter publication.
- Cultural alignment.

## RESPONSIBILITY OF RISK MANAGEMENT

You are the company secretary of Nodal Power Company Ltd.
Your board of directors wants to understand its responsibilities for reviewing the company's policies on risk oversight and management in the light of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, and to satisfy itself whether management has developed and implemented a sound system of risk management and control.

**Prepare a board note discussing the responsibilities of the board on risk management and the relevant provisions on risk management under the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015.**

To,
The Board of Directors,
Nodal Power Company Limited

Sub: Responsibility of the Board of Directors on Risk Management

Dear Sir,

It is pertinent to note that the following are the legal provisions on risk management under the SEBI (LODR) Regulations, 2015:

- **Regulation 17(9) of the SEBI (LODR) Regulations, 2015 provides that the listed entity shall lay down procedures to inform Board members about risk assessment and minimisation procedures, and that the Board shall be responsible for framing, implementing and monitoring the risk management plan for the company.**
- **The Risk Management Plan must include all elements of risk. The traditional elements of potential likelihood and potential consequences of an event must be combined with other factors, such as the timing of the risks, the correlation of the possibility of one event occurring with others, and the confidence in the risk estimates.**
- **Risk management policies should reflect the company's risk profile and should clearly describe all elements of the risk management and internal control system and any internal audit function.**
- **A company's risk management policies should clearly describe the roles and accountabilities of the board, the audit committee or other appropriate board committee, management and any internal audit function.**
- **A company should identify a Chief Risk Officer, an individual with the vision and the diplomatic skills to forge a new approach.
  He may be supported by "risk groups" that oversee the initial assessment work and carry it through to completion.**
- **Regulation 21 of the SEBI (LODR) Regulations, 2015 requires the listed entity to constitute a Risk Management Committee. As originally notified, Regulation 21(5) applied this requirement to the top 100 listed entities by market capitalisation; the threshold has since been widened by amendment.**

## RISK MANAGEMENT FRAMEWORK & STANDARDS

## As per the COSO Framework of Enterprise Risk Management (ERM), there are certain components of Enterprise Risk Management. Explain the different components of Enterprise Risk Management in brief.

**Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. The components are:**

- **Internal Environment:** The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including the risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
- **Objective Setting:** Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives, and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
- **Event Identification:** Internal and external events affecting the achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management's strategy or objective-setting processes.
- **Risk Assessment:** Risks are analysed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on both an inherent basis (before any response) and a residual basis (after the chosen response).
- **Risk Response:** Management selects risk responses (avoiding, accepting, reducing or sharing risk) and develops a set of actions to align risks with the entity's risk tolerances and risk appetite.
- **Control Activities:** Policies and procedures are established and implemented to help ensure that the risk responses are effectively carried out.
- **Information and Communication:** Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.
- **Monitoring:** The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

## Limitations of Enterprise Risk Management

The limitations of enterprise risk management preclude a board and management from having absolute assurance as to the achievement of the entity's objectives. These limitations are:

- Human judgment in decision making can be faulty.
- Decisions on responding to risk and establishing controls need to consider the relative costs and benefits.
- Breakdowns can occur because of human failures such as simple errors or mistakes.
- Controls can be circumvented by the collusion of two or more people.
- Management has the ability to override enterprise risk management decisions.

## RISK MANAGEMENT & INTERNAL CONTROL

## Explain the term "Risk Register" and give a template of a Risk Register in an organization.

**Risks can be documented by maintaining a risk register. Identified risks should be recorded in a risk register and a risk breakdown structure, along with their causes and consequences. The risk profile of a company may be represented through a Risk Register as shown below:**

| S. No. | Risk Area | Key risks | Root cause | Mitigation measures |
|:---:|:---|:---|:---|:---|
| 1. | Business risk | Decreasing market share | Lack of innovation, market surveys, etc. | Keeping a vigil on the latest developments and continuous monitoring |
| 2. | Financial risk | Leveraged capital structure and cash flows | Inability to assess the appropriate funding requirements | Adopting a resource planning policy |
| 3. | Regulatory and compliance risk | Non-compliance with applicable laws | Not keeping abreast of the latest changes in the regulatory environment | Knowledge updating and maintenance of a robust compliance checklist |

## "Risk oversight is the responsibility of the entire Board and the same can be achieved through a structured review mechanism." In view of this statement, explain the review mechanism which may be followed by the Board for risk oversight.

Risk oversight is the responsibility of the entire Board, and it can be achieved through a review mechanism which, inter alia, could include:

1. Developing policies and procedures around risk that are consistent with the organization's strategy and risk appetite.
2. Taking steps to foster risk awareness.
3. Encouraging a risk-aware organizational culture.
4. Maintenance of a Risk Register.
5. A compliance certificate on the identification of risks and the establishment of mitigation measures.

## ROLE OF COMPANY SECRETARY IN RISK MANAGEMENT

## A company secretary can play a significant role in ensuring that a sound enterprise risk management (ERM) system, effective throughout the company, is in place. Explain.

A Company Secretary plays an important role in risk management.

**Company secretaries are governance professionals whose role is to enforce a compliance framework that safeguards the integrity of the organization and promotes high standards of ethical behaviour. Their functions include:**

- Advising on best practice in governance, risk management and compliance.
- Championing the compliance framework to safeguard organizational integrity.
- Promoting, and acting as a 'sounding board' on, standards of ethical and corporate behaviour.
- Balancing the interests of the Board or governing body, management and other stakeholders.

In terms of section 203(1)(ii) of the Companies Act, 2013, a Company Secretary is Key Managerial Personnel. Hence, being a top-level officer and board confidant, a Company Secretary can play a role in ensuring that a sound enterprise-wide risk management (ERM) system, effective throughout the company, is in place.

## ISO 31000: INTERNATIONAL STANDARD FOR RISK MANAGEMENT

## Answer the following in brief: Write a note on ISO 31000.

**ISO 31000, published on 13 November 2009, provides a standard on the implementation of risk management. ISO 31000 seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes. ISO 31000:2009 contains 11 key principles that position risk management as a fundamental process in the success of the organization. (The standard was revised in 2018; ISO 31000:2018 condenses these to eight principles.)**

## ISO 31000 (International Standard for Risk Management) helps in the success of an organization. Explain.

ISO 31000 is designed to help organizations in the following manner:

- Increase the likelihood of achieving objectives
- Encourage proactive management
- Be aware of the need to identify and treat risk throughout the organization
- Improve the identification of opportunities and threats
- Comply with relevant legal and regulatory requirements and international norms
- Improve financial reporting
- Improve governance
- Improve stakeholder confidence and trust
- Establish a reliable basis for decision making and planning

# CHAPTER 13

# INTERNAL CONTROL

## INTRODUCTION TO INTERNAL CONTROL

## Write a short note on the following: Internal control.
**According to Merriam-Webster, internal control means:**

"a system or plan of accounting and financial organization within a business comprising all the methods and measures necessary for safeguarding its assets, checking the accuracy of its accounting data or otherwise substantiating its financial statements, and policing previously adopted rules, procedures, and policies as to compliance and effectiveness".

**According to the Standard on Auditing 315 (SA 315), the nature of internal control is as follows:**

- Internal control is a process designed, implemented and maintained by those charged with governance, management and other personnel.
- It provides reasonable assurance about the achievement of an entity's objectives in the categories of financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable laws and regulations.

**Internal control at the organizational level**

Internal control objectives at the organizational level relate to the following:

- Reliability of financial reporting
- Timely feedback on the achievement of operational or strategic goals
- Compliance with laws and regulations

**Internal control at the specific transaction level**

Internal control at the specific transaction level refers to the following:

- The actions taken to achieve a specific objective
- Reduction in process variation, leading to more predictable outcomes

## Define compliance. What is the difference between compliance and conformance?

**Compliance means the complete alignment of the various parts of the business, whether commercial, financial or regulatory. It necessitates following the rules, both external and internal. "Conformity" comes from the Latin word "conformare", which means "to form". It is a type of social influence involving a change in one's belief or behaviour to match the majority's expectation.**

**The fundamental difference between conformity and compliance is that compliance involves people going along with an explicit request, whereas conformity involves people adhering to 'unspoken rules'.**

## Internal control is a way for management to run a business and is integrated within the management process. Comment.

**According to Investopedia, internal controls are:**

"The mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability and prevent fraud. Besides complying with laws and regulations, and preventing employees from stealing assets or committing fraud, internal controls can help improve operational efficiency by improving the accuracy and timeliness of financial reporting".

**Objectives of Internal Control**

The objectives behind the establishment of internal control are as under:

- Internal control is a policy matter, designed and implemented by the company concerned.
- It describes the rules and procedures that ensure the integrity of the financial statements.
- It provides a mechanism of workflow such that no single person carries out a process from beginning to end.
- It ensures that work is segregated into small parts, each checked and processed by an independent person.
- It improves operational efficiency by improving the accuracy and timeliness of financial reporting.
- It gives reasonable assurance about the achievement of an entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
- It aids in detecting and preventing fraud and in protecting the organization's resources.
- It reduces process variation and arbitrary intervention in the workflow.
Therefore, it can be stated that internal control is a way for management to run a business and is integrated within the management process.

## "Internal control can help an entity in achieving its objectives but it is not a panacea." Discuss.

Internal control can help an entity achieve its objectives; however, it is not a panacea, because of the following limitations:

- Internal control cannot change an inherently poor manager into a good one.
- Internal control cannot ensure success, or even survival, in the face of shifts in government policy or programmes, competitors' actions or economic conditions, since these are beyond management's control.
- An internal control system, no matter how well conceived and operated, can provide only reasonable, not absolute, assurance to management and the board regarding the achievement of an entity's objectives.
- The likelihood of achievement is affected by limitations inherent in all internal control systems.
- Controls can be circumvented by the collusion of two or more people, and management has the ability to override the system.
- Another limiting factor is that the design of an internal control system must reflect the fact that there are resource constraints, and the benefits of controls must be considered relative to their costs.

## CLASSIFICATION OF INTERNAL CONTROL

## Explain the scope of "Administrative Control". Administrative controls have an indirect relationship with financial records. Do you agree with this statement?

Administrative controls include all managerial controls concerned with the decision-making process. They have an indirect relationship with financial records. **For example:** quality control, work standards, periodic reporting, policy appraisal, etc.

Administrative controls are very wide in scope. They include all managerial controls concerned with the decision-making process. They are concerned with the authorisation of transactions and include:

- Anything from the plan of organisation to procedures
- Record keeping
- Distribution of authority and the process of decision-making
- Controls such as quality control through inspection
- Performance budgeting
- Responsibility accounting
- Performance evaluation, etc.

Thus, administrative controls are those which help in improving efficiency and productivity and are not necessarily recorded in the accounting systems. Work standards, quality control, methods study and motion study are examples of administrative control.

## COMPONENTS OF INTERNAL CONTROL

## Why is the information system the most essential component of internal control?

An information system consists of infrastructure (physical and hardware components), software, people, procedures and data. Many information systems make extensive use of information technology (IT). The information system relevant to financial reporting objectives, which includes the financial reporting system, encompasses methods and records that do the following:

- Identify and record all valid transactions.
- Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.