10 Best Practices for Governance, Risk Management & Compliance

Indian economic progress has forever changed the role of risk functions within organizations. The bespectacled, serious, brow-furrowed auditor who goaded and badgered business teams was buried alive. In his place the new-age risk manager was born, one who handholds business teams.

The transformation has not been easy. Risk managers have more teeth now though they are still climbing the learning curve. While some have successfully changed the risk function within their organization, others are still struggling. The ten best practices mentioned below ensure risk managers win the race.

1.    Integrate Governance, Risk Management & Compliance (GRC) Departments

In the good old days, risk management entailed conducting financial and internal audits. In auditorville, cash, bank and journal vouching sufficed. With globalization, technology advancement and interdependent economies, the risk landscape has dramatically changed. Now risk managers address financial, strategic, operations, political, legal, reputation, continuity and emerging risks. It requires diverse domain knowledge to mitigate downside risks and leverage upside risks. Hence, break down the risk function silos and integrate them under one head.

2.    Appoint Executive Level Chief Risk Officer

The other aspect is that in the organization structure hierarchy, the risk management functional heads frequently have a skip level reporting to the CEO. As the risk function head is not a direct report of the CEO, the risk management issues do not come on the CEO radar. The problem magnifies where GRC department heads are reporting to different direct reports of the CEO. In such scenarios, the probability of risks remaining unaddressed is high as risk management function lacks authority. Thus, organizations benefit when an executive level Chief Risk Officer directly reports to the CEO.

3.    Empower Risk Oversight Committee

Presently, a few listed companies have formed risk oversight committees as only some have realized their importance. Risk oversight committees play a pivotal role in educating board members about risks and steering their thought process towards organizational risks. The committee members’ role is to discuss strategic risks, approve risk appetite, improve corporate governance etc. The objective of a risk oversight committee is different from that of an audit committee. Audit committees are a mandatory requirement for listed companies and are significantly focused on financial risks and irregularities. A risk oversight committee encompasses all organizational risks. Chief Risk Officers should request their boards to form risk oversight committees to get traction at senior level.

4.    Prepare a Risk Management Strategy

As Sun Tzu said – “Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” The problem is that just around 50% of the organizations have a formal risk strategy. In quite a few cases, risk functions are conducting reviews, audits and analysis without a strategy. Risk managers navigate without a compass when they attempt to manage organization risks with just tactics.

The senior management risk attitude falling in four categories– maximisers, conservators, pragmatists or managers – determines the risk strategy of the organization. Management may adopt a risk strategy of risk trading, loss controlling, diversification or risk steering depending on the risk attitude and economic environment. Therefore, develop a risk management strategy after understanding the management attitude and business strategy.

 5.    Focus on Strategic Risks

The strategic risk discipline is still developing as it gained focus in the last decade. Not surprisingly, in nearly half the organizations, risk managers are not involved in business strategy formulation stage. Hence, the strategic risks of the organization remain unaddressed in the initial stages.

Risk managers fail to understand the different perspectives of senior and middle managers. Middle managers focus on downside risks – on regulatory compliance, operating and tactical risks. Senior management is interested in exploiting upside risks to increase shareholder value – emerging market risks, financial market volatility and market demand. Therefore, risk managers need to assist senior management in addressing strategic risks.

6.    Build a Risk Culture

This is an often-ignored concept, though a risk culture can make or break an organization. Enron case showed that when organization culture is deviant or aggressive, there is significant impact on internal controls. Without a risk culture, risk assessments and audit reports are swept under the carpet.

A risk mindset is developed when each employee understands risks and thinks through them while taking daily business decisions. To make risk culture part of organization DNA, top management must walk the talk. In addition, to build a risk culture risk managers must continuously train, educate and communicate with employees.

7.    Measure Risk Appetite

Risk appetite, a relatively new concept, is defined as the quantity of risk the business owners are willing to take to get the desired rewards. Although it measures risk and reward, just a quarter of the organizations have properly calculated risk appetite.  The result is that sometimes excessive risks are taken while making business decisions, as there is no scale to measure against. On the other hand, sometimes organizations sit on a pile of cash and other assets and do not take the required level of risks for business growth. Secondly, sometimes organizations decide a ballpark figure of risk appetite by doing back of the envelope calculations. A better practice is to use models to calculate risk appetite and continuously monitor the same.

8.    Become a Business Partner

 Risk managers do not like to hear this, but let’s face the truth. The old auditor image is hard to shake off. Sometimes business teams think risk managers are nitpickers, watchdogs, critics etc.  Quite frequently business teams consider risk managers an obstacle to or irrelevant in achieving business goals. The reviews and reports set a negative tone and business teams become averse to risk managers instead of risk per se. Risk managers need to cut down the constant rhetoric and become business enablers. Rebrand risk management functions as transformation agents and business value contributors. Focus on providing competitive advantage to business.

9.    Improve Communication

In most organizations, risk reporting is a weak link. Although engaging stakeholders is worth its weight in gold, risk managers haven’t mastered the art. Senior management demands short and precise reports with material risks and concrete suggestions. Middle managers request alignment of risk observations with business and a cost-benefit analysis for recommendations. However, board, senior and middle managers frequently complain that they do not receive sufficient risk information from risk managers.

Risk managers are unable to say it in one line -“The bottom line is…….or here is what is important”. Due to inadequate communication skills, risk managers are failing to demonstrate value. Hence, improve communication for enhancing internal selling.

10. Invest in Tools & Technology

While technology adoption is high among business users, risk managers still are not leveraging it properly. Except for a few who are early adopters of GRC software, most are still relying on Excel worksheets for their work. The prevailing mindset is to put more boots on the ground to cover increased scope. Risk managers must invest in tools and technology to proactively and continuously manage risks. This not only improves resource utilization and allocation, it also arms the organization to address uncertainties in time.

Use the following scorecard to evaluate your company’s status with respect to the best practices.

Best Practices Scorecard Sample


In the present business world, a well-developed risk function gives competitive advantage to an organization. Besides improving compliance and governance, it contributes to profitability by enabling management to leverage upside risks. Hence, get the right people, tools and structure in place to develop the risk function. Then formulate a risk management strategy aligned to business strategy, derive risk appetite of the organization and inculcate a risk culture within the organization.  These steps will minimize losses and provide an opportunity for business growth. As risk managers, you will reach the goal post faster.

Business Enterprise Magazine is publishing this article in September 2011 issue.

Implement Anti-Bribery Policies to Stop Supply Side of Corruption

The human chain on Sarjapur-ORR junction

Fashionistas traded their mascaras for a layer of emissions from exhaust pipes. Employees replaced their jackets with white tees imprinted with the “India Against Corruption” slogan. On 24 August 2011, Bangaloreans formed a 17-kilometer human chain on Outer Ring Road to protest against corruption. Finally, the middle class Indians have discarded their cloak of apathy. Passion, enthusiasm and commitment to change the system are replacing cynicism, skepticism and disillusionment.

Indian public supports Anna Hazare’s fight for a strong Lokpal Bill. The bill when implemented will hopefully reduce demand side of corruption. In the din, we are forgetting that demand and supply are two sides of the same coin in corruption. We need similar efforts to curb supply i.e. stop the bribe givers, specially the corporate world. If organizations are willing to give bribes, there will always be politicians who are willing to take bribes. Hence, we need an equal focus on supply side.

Business world’s greed to grow bigger is feeding the corrupt appetite of politicians and bureaucrats. Management and employees compromise business ethics to climb the ladder of success. Corporate world must remember that materialism is not equal to fame and success. The torch bearers in corporate world ardently support ethics.

This week two corporate icons resigned/retired and they became so without the desire to be the top of the charts of world rich person’s list. Steve Jobs retired as CEO of Apple and in 1993 he had said in an interview –  

“Being the richest man in the cemetery doesn’t matter to me … Going to bed at night saying we’ve done something wonderful… that’s what matters to me.”  

In India, Narayan Murthy retired as Infosys Chairman, a company he had created that became a leader in corporate governance. He showed the Indian middle class that one could be successful with ethics. His ideology on business ethics is beautifully articulated in the following lines –

“In the end it is always about ethics and all about personal values. That is why it is very important for every society to create checks and balances. That is why it is very important for every society not to create incentives for people to become greedier. That is why it is very important for all of us in the corporate world to create incentives for long-term performance rather than short-term performance. When you create systems that focus on short-term performance, when you create a system that reveres money rather than decency, honesty and respect, when you make it a fashion for youngsters to revel in the power of their wealth, it is inevitable.”

Escalating corruption is severely damaging India’s growth story. The Corruption Perceptions Index 2010 published by Transparency International rates India at 3.3 level at 87th position from the 178 countries in the population. The financial loss due to corruption is huge. Financial Times reported last year that in 2010, the value of scams (2G Telecom, CWG, IPL, Adarsh etc.) could well be over Rs 200,000 crore (USD 43.24 billion). As the investigation reports show, the private sector was hand-in-glove with the politicians and bureaucrats. Hence, implementing anti-bribery policies is the need of the hour.

Concepts of Anti-bribery Policy

Some of the key concepts and aspects an anti-bribery policy must address are:

a) Competitors: How does the company compete in the market? Does the company give excess hospitality or kickbacks to obtain contracts? Does the organization loan out company assets to officials to get contracts?

b) Suppliers: How does company give contracts and make payments to suppliers?  Does management or employees receive excess hospitality or kickbacks to give contracts and payments to suppliers?

c) Employees:  Has the organization set limits for employees to receive/give gifts and entertainment from customers and suppliers? Are employees allowed to give commissions and discounts to relatives and friends purchasing organization products without disclosing?

d) Senior Management/ Board: Do senior managers and board members disclose conflict of interest when organization enters into contracts with related parties? Does the code of ethics apply to senior management and board members in law and spirit? Are there limits to senior managers’ personal expenses being borne by the organization? Are there checks in place to ensure senior managers expense accounts are within their entitlement levels?

e) Legal Compliance: How does the organization handle law enforcement agencies and regulators? Does it respect the law and follow the spirit of the law? Does the organization give excessive entertainment or facilitation and grease payments to authorities?

 f) Foreign Officials: How does the organization conduct business in other countries? Does it offer grease and facilitation payments to obtain licences, premises and approvals for setting up operations? Do the subsidiary companies follow a strict code of conduct on dealing with foreign officials?

 Implementation of Policies

 Covering the above-mentioned aspects, an organization should prepare an Anti-Bribery Policy. India presently has a Prevention of Corruption Act, which prohibits government officials from receiving bribes. US and UK have Foreign Corrupt Practices Acts (FCPA), which prohibit making payments to foreign officials to obtain business advantage. Hence, if the Indian organization is a subsidiary of a multinational, the policy should cover FCPA requirements.

 Secondly, the organization must implement the policy by establishing procedures, internal control checks and reporting mechanisms. Employee training must be done to educate them about policy and procedures for adherence and report questionable conduct of colleagues. Lastly, establish investigative procedures to investigate violations and take appropriate action.

 Closing thoughts

 In a nutshell, address the supply and demand side of corruption to eradicate it from the roots. India’s longer growth and prosperity is dependent on it. Hence, we need commitment at all levels to root out this evil. While the Lokpal bill provides a firm foundation for this effort, we need to build the whole structure to fight corruption. Indians have taken the first few steps by supporting Anna Hazare’s efforts to get a Lokpal Bill with teeth. The road ahead is long and tough. Let us join hands and give long-term commitment to this battle.

Last but not the least, congratulations to all Anna Hazare supporters for forcing the government to discuss Hazare’s version of the Lokpal bill in the parliament. As Gandhi ji said – “Be the change you wish to see in the world.”


  1. Photograph : Courtesy Nandita Sharma
  2. Bribery & Corruption Take Centre Stage: An Overview of Key Laws & Practical Steps to Manage Risk by ELT
  3. Transparency International
  4. 2010 scams: India takes Rs 2,00,000 cr hit

Risk Management Failures

What if I say – “Effective risk management doesn’t provide guarantee against failure”? Doesn’t it raise questions on the premise and use of risk management function? The question is from a research paper by Cornerstone Research titled “Risk Management Failures – What are they and when do they happen?”

The risk management premise is that it mitigates risks thereby reduces losses. Hence, the opinion is that good risk management will ensure success. The fallacy lies in this thinking itself.

For example, everyone questioned the risk management function of banks during the financial crises. The concerns were – Have the risk management functions of the financial institutions failed? Is enterprise risk management a useful tool? To look from an Indian perspective, why are risk managers somewhat ineffective in influencing senior management? The questions are worth exploring and here are some insights on reasons of risk management failures.

1.    Impact of Risk Attitude on Risk Management

Risk attitude at the top management determines the success and failure of risk management. The paper – The Full Spectrum of Risk Attitude – By Alice Wonderwood and David Ingram –defines four risk attitudes – maximizer, conservator, pragmatist and manager. Briefly the people perspectives towards risks are:   

a)    Maximizers: They do not consider risk important and are willing to take large risks to increase profits.

b)   Conservators: They consider risks extremely important and focus on avoiding all risks. Profitability opportunities are sacrificed if risks are high.

c)    Pragmatist: They do not think that future is predictable; hence assume that risks cannot be forecasted with accuracy. They prefer to keep options open and deal with risks as they occur.

d)   Managers: They balance risks and rewards. They respect expert advice on risk to maintain safety while exploiting upside risks to improve profitability.

The risk management strategies adopted by the four risk attitudes are risk trading, loss controlling, diversification and risk steering respectively. Hence, in a way risk management will be effective when top management has the “Managers” risk attitude.

Table from the paper - The Full Spectrum of Risk Attitude

For example, if the economic environment is uncertain and the organization has a maximizer attitude towards risks, the probability of incurring large losses increases. The risk management decision rests with top management. Senior management with a high risk-taking attitude is likely to ignore risk managers’ advice. Therefore, even the best risk management functions can fail if the right attitude doesn’t exist at senior level.

2.   Inaccurate Risk Assessment and Measurement

In normal course, qualitative risk assessments are assumed to suffice. For example, risk managers identify high risks by likelihood of occurrence and value of loss. They generally group loss under five categories –

  • 0 – $10,000
  • $10,000 – $50,000
  • $50,000 – $100,000
  • $100,000 – $500,000
  • Greater than $500,000

However, in such cases the selection of estimated loss is not based on either past data or any detailed statistical analysis. The risk assessor’s subjective judgment comes into play. This results in incorrect measurement of known risks.

The Cornerstone Research paper mentions an interesting viewpoint. Normally risk predictions are done at certain confidence level. For example, risk managers take 99%, 95% or 90% confidence level for estimating losses. The value at risk is determined based on confidence level. Thus, if value at risk exceeds the risk appetite of the organization by a small amount, it may not be significant. However, if it exceeds risk appetite by a large amount, then it may destabilize or endanger the organization.

The problem is magnified, as the impact of a risk occurring outside of the confidence level is not calculated. For example, if assessments were done at 95% confidence level, the loss amount for the balance 5% is not known or predicted.

Another often ignored aspect is correlation between risks and the impact of one if another occurs. For example, if a competitor files a patent case, it influences brand reputation. The impact may also be on sales. However, reputation, legal and operation risks are calculated independently, without analyzing their inter-relationships. This results in underestimation of risk loss. A combination of negative events occurring simultaneously may cause a larger loss, though the separate risk calculations indicate smaller losses.

Insufficient statistical analysis, unreliable past data and too much reliance on subjective information may result in inaccurate risk analysis. In such a situation, the risk attitude may be right, however risk management may not be.
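The two effects described in this section (the loss beyond the confidence level is never computed, and risks scored separately hide joint losses) can be worked through exactly. The Python below is an added example, not taken from the original post or the Cornerstone Research paper; the 4% probabilities, the loss amounts and the single-trigger dependence model are constructed for illustration.

```python
from fractions import Fraction
from itertools import product


def loss_distribution(trigger, dependents, cond_given_trigger):
    """Exact {loss: probability} for one trigger risk and risks that follow it.

    trigger:            (probability, loss) of the triggering event
    dependents:         list of (marginal probability, loss)
    cond_given_trigger: probability of each dependent risk once the trigger
                        has fired; setting it to the marginal means independence
    """
    p_t, loss_t = trigger
    dist = {}
    for fired in (True, False):
        p_state = p_t if fired else 1 - p_t
        # The no-trigger probability is solved so that each marginal stays as
        # given: the risk register looks identical in every scenario.
        conds = []
        for (marginal, _), c in zip(dependents, cond_given_trigger):
            q = c if fired else (marginal - p_t * c) / (1 - p_t)
            if not 0 <= q <= 1:
                raise ValueError("conditional probability inconsistent with marginal")
            conds.append(q)
        for states in product((True, False), repeat=len(dependents)):
            prob = p_state
            loss = loss_t if fired else 0
            for hit, q, (_, dep_loss) in zip(states, conds, dependents):
                prob *= q if hit else 1 - q
                loss += dep_loss if hit else 0
            if prob:
                dist[loss] = dist.get(loss, 0) + prob
    return dist


def value_at_risk(dist, level):
    """Smallest loss x such that P(loss <= x) >= level."""
    cumulative = 0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= level:
            return loss
    return max(dist)


def expected_shortfall(dist, level):
    """Mean loss over the worst (1 - level) share of outcomes."""
    tail = 1 - level
    remaining, total = tail, 0
    for loss in sorted(dist, reverse=True):
        take = min(dist[loss], remaining)
        total += loss * take
        remaining -= take
        if remaining == 0:
            break
    return total / tail


def expected_loss(dist):
    return sum(loss * prob for loss, prob in dist.items())


# Constructed inputs: a patent suit, plus reputation and sales losses.
P = Fraction(4, 100)
L95, L99 = Fraction(95, 100), Fraction(99, 100)
PATENT_SUIT = (P, 200_000)
REPUTATION_AND_SALES = [(P, 300_000), (P, 400_000)]

# Same marginals in both models; only the dependence differs.
INDEPENDENT = loss_distribution(PATENT_SUIT, REPUTATION_AND_SALES, [P, P])
LINKED = loss_distribution(PATENT_SUIT, REPUTATION_AND_SALES,
                           [Fraction(1), Fraction(1)])

if __name__ == "__main__":
    for name, dist in (("independent", INDEPENDENT), ("linked", LINKED)):
        print(f"{name:12s} expected loss {float(expected_loss(dist)):>9,.0f}")
        for level in (L95, L99):
            print(f"  {float(level):.0%}  VaR {value_at_risk(dist, level):>9,}"
                  f"  tail mean {float(expected_shortfall(dist, level)):>9,.0f}")
```

Both models have the same expected loss and the same per-risk probabilities, yet the linked model reports a 95% value at risk of zero while carrying a 4% chance of losing 900,000. Only the tail mean and the 99% figure reveal the difference.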

3.   Lack of Risk Information and Knowledge

Risk assessments are done based on the knowledge of the assessor. Risk managers use historical precedents to guide them. The probability of a risk event occurring is decided based on past data.

In case of emerging and new risks, there is no information available. The lack of risk information may be due to the following reasons:

a)  Change in market conditions – For example, when internet became a business tool, no information was available on the risks. Most had not predicted the dotcom bubble burst.

b)   Doing business in emerging markets – One cannot predict emerging market countries risks with accuracy, though economists and sociologists attempt to draw a relative picture from experience in other countries. For example, India and China are both emerging markets, but political, social and market dynamics are unique. Future trends cannot be predicted with high confidence levels.

c)   Internal silos and communication problems – Although it is assumed that with enterprise risk management systems all risks are captured, it is far from the truth. Department heads may not update risk registers properly. Secondly, even identified risks may not be communicated to senior management. In cases where the organization does not have a proper risk culture, failures can occur.

Collecting risk information and taking appropriate action is key to effectiveness in risk management. Without the supporting and governing structure, the best of the functions can fail.

Closing thoughts

Sometimes management has the mindset that setting up the risk management function sufficiently absolves them of responsibility. The thought process is all risks are taken care of and addressed. However, setting up the risk organization structure is the first step. To make it effective there are several other components that need to work together smoothly. A periodic review of the same is useful. The Chinese proverb succinctly portrays the state:

“To be uncertain is to be uncomfortable, but to be certain is to be ridiculous.”


  1. Risk Management Failures – What are they and when do they happen? By Cornerstone Research
  2. The Full Spectrum of Risk Attitude – By Alice Wonderwood and David Ingram

Bangaloreans Against Corruption – Supporting Anna Hazare’s Fight for Lokpal Bill

The Gen X and Gen Y of Bangalore, thought of as cosseted and pampered employees, are out on the streets protesting against corruption. A few days back, if anyone had asked whether the Bangaloreans working in the world’s largest organizations would leave their air-conditioned offices, laptops, iPads and BlackBerries to fight against corruption, the answer would have been no. The unimagined has occurred. One has to see it to understand the magnitude. Employees working in multinationals are standing on the main roads with posters and pamphlets educating the public about Anna Hazare’s fight for the Lokpal Bill.


Bangaloreans Protesting on Outer Ring Road

 Normally, people who wouldn’t think of getting out of their air-conditioned cars in the Bangalore traffic are braving the pollution and traffic to get their voices heard. The tech savvy are using personal resources to build the momentum. Local leaders have created groups and fan pages to build awareness, discuss issues and plan out events. The street protests have a huge turnout. The whole of last week, people started at around 9 a.m. and continued late in the evening. I live near Outer Ring Road that has offices of Accenture, Intel, JP Morgan to name a few. Employees are coming out of their offices in lunch hour to support the initiative. Here are some of my group members from India Against Corruption – Bellandur (IAC- Bellandur yahoo group) protesting.


Employees Protesting Outside Offices

 Women are participating in huge numbers. The ever-protective Indian moms have forgotten their fears and the kids are taking part in the movement. Nobody wants to miss out on history being made. The fight against corruption started by Hazare has united India. For once class, creed, religion and caste are forgotten and everyone wants to do their bit.


Bangalore School Children Against Corruption


 Of course, not all are sold on the cause. The cynics are predicting that all will die down soon. The dissenters are saying there isn’t sufficient critical mass to bring about a change, public living in a democratic country shouldn’t protest like this and some more similar statements.  My view is every drop in the ocean counts. Even if 10% of Indian population participates, society can change.

The impact is significant. Delhi police reported a 35% drop in crime rate in last week with no murders. The city has around 6-7 murder reports on a daily basis, and in the last week there have been none. This is when Indian public is at its most vulnerable and are soft targets.  Though many may view the data skeptically, in my view there is hope. Indian youth turns to crime due to high level of poverty and corruption. When there is no ethical way to earn a living, they resort to crime. Maybe, just maybe, the hardcore criminals are also giving the Hazare movement support to succeed. Even their conscience says that it is the right fight. Everybody wants to lead a dignified life and here is a chance for humanity to succeed.

I know as an ethics and risk manager, in India fighting against corruption is a damn tough fight. It is very rare that one can win a popularity contest. In most cases, even in organizations the ethics manager is a lone warrior. Frequently, the business executives consider ethics managers as idealistic impractical fools. Ethics managers simply become paper pushers and their viewpoints a few times in life are in majority of one. But maybe it all is changing. We can curb the demand and supply side of corruption. The ethics managers can don the caps of organization change agents and educate staff on anti-bribery policies and practices. This is the right time to build an ethical culture within the organization.

 For me, it is a time to start dreaming again. If a few weeks back someone would have asked me that – can corruption be eradicated from India? I would have responded –not in this lifetime. Now what I thought was a futile dream, may turn into reality.

 I invite you to join us on 24th August 2011 at Outer Ring Road, Bellandur, Bangalore between 11 am to 2 pm to participate in the protest. Let’s make a difference while we have the opportunity.

DNA e-paper published this post under a different title, “Tech Talk to Topi Talk”, on 29 August 2011 on page 7.

Risk Managers Become Linchpins

Risk managers are under siege. They have to deal with various stakeholder expectations – regulators, investors, shareholders, board, CEO, CXOs and business teams. In most situations, they are outnumbered and overpowered. Most risk managers face some level of resistance. Some are mere cogs in the wheel to ensure organizational compliance to regulations. On the other hand, a few have mastered the art of becoming invaluable to the organization.  Accenture 2011 Global Risk Management Study segregates the best practices of “Risk Masters” from the general practitioners. The top 10% of the 400 respondents constitute risk masters group. The survey shows that the gap between the “best and the rest is increasing”. Check the graph below to understand the huge difference.

Accenture 2011 Global Risk Management Study

The interesting bit is that about 75% of the respondent organizations had revenues above USD 1 billion. That means the analysis of risk management functions is amongst the top performers of the industry. Hence, the question is – in the best of class organizations why there is a difference in focus and perception of risk management functions. What has made a few risk managers linchpins?

Seth Godin describes three categories of people in his book Linchpin – (1) Linchpins, (2) Supporters and (3) Leeches, devil’s advocates, pessimists and obstructionists. Don’t mind it, but frequently business executives think risk managers belong to the third category. They think of risk managers as naysayers, problem creators, critics etc. The point to think about is that at least 10% of the organizations consider risk managers as Linchpins. So what are these risk managers doing differently from the rest?

Accenture report highlights some of the best practices Risk Masters adopt.

  1. Be a source of competitive advantage
  2. Participate in key decision-making process and developing strategy
  3. Use sophisticated analytic and modeling tools to predict risks.
  4. Deliver business solution by going beyond compliance mindset
  5. Integrate all GRC functions
  6.  Appoint Chief Risk Officer reporting to CEO
  7. Build risk culture within the organization
  8. Invest in tools, technology and other risk resources.

 Now the above key points are not new to us. The difference is that some risk managers successfully implemented them, and others are still struggling. We can safely assume that most risk managers working in organization with over USD 1 billion turnover have the required domain knowledge and qualifications. If we do not take the victim mentality of blaming senior management and organization culture for lack of support to risk management functions, then we have to acknowledge that some soft aspects are at play.  Question is –what are these soft aspects which make them Linchpins?

According to Seth Godin – “Linchpins are the people who make a difference, the ones that ship, the rare ones that truly have an impact. This group of people, in that moment of time, change everything.” Linchpins are valuable as they are irreplaceable and indispensable. The Linchpin’s attributes are:

 1.    Provide a unique interface between members of the organization

 Seth Godin – Linchpins help lead and connect to people with finesse.

 Risk managers frequently are unable to connect to business executives’ mission, vision and plans. Although they are in a position to provide a unique interface, they compartmentalize the business problems according to business departments or risk departments. Hence, the business executives become resistant to suggestions of risk managers as they don’t give business solutions.

 2.    Deliver unique creativity

 Seth Godin – Unique creativity requires domain knowledge, a position of trust and the generosity to actually contribute.

 Most risk managers have the domain knowledge, however may lack the other two aspects for unique creativity. Gaining trust of business executives is difficult especially if risk managers are not handholding them through tricky business situations. Secondly, risk managers focus on going by the rulebook, audit programs and manuals. They may hardly indulge in creative thinking to provide competitive advantage.

3.   Manage a situation or organization of great complexity

 Seth Godin – Linchpins make their own maps and thus allow the organization to navigate more quickly.

 With globalization and technological advancement, organization complexity has increased. Risk managers need to address – financial, operational, legal, reputation, political, business, strategic, market, credit, liquidity and emerging risks. Since risks are inter-connected, working in silos results in unaddressed risks. Old approaches are redundant and new maps are needed to address risks in a more holistic, integrated and strategic manner. GRC functions need to be integrated under a Chief Risk Officer.

  4.    Lead customers

 Seth Godin- As markets fragment and audiences spread, consumers are seeking connection more than ever.

 Risk managers’ stakeholder demands are increasing, and they are facing challenges due to a lack of internal selling capability. The compliance mindset, with its tick-in-the-box mentality, is restricting them from providing strategic guidance to the Board/ CEO/ CXOs. They are waiting to take orders from senior management instead of influencing them by presenting good business cases. Hence, risk managers are failing to connect with senior management.

 5.    Inspire staff

 Seth Godin – Understanding that your job is to make something happen changes what you do all day. If you can cajole, not force, if you can lead, not push, then you make different choices.

 Risk managers are relying on bureaucracy to get their job done. With the old mindset of an auditor, they wish business executives to comply. They don’t realize that business executives cannot comply when they don’t know what to do next. With new products, markets and technology, risks are forever changing and new ones appearing. Risk management is no longer a cut and dried checklist driven task. Hence, risk managers fail to build a risk culture within the organization.  

 6.    Provide deep domain knowledge

 Seth Godin – Mapmakers often have the confidence to draw maps because they understand their subject so deeply.

 The complex economic environment requires a deeper understanding of systemic and emerging risks. The financial crisis has shown that financial institutions failed as they launched products with inadequate understanding of risk components. Domain knowledge coupled with strategic direction gives business team great advantage. The superficial regulatory compliance adds limited business value.   

 7.    Possess unique talent.

 Seth Godin – When you meet someone, you need a superpower. The ‘super’ part and ‘power’ parts come not from something you’re born with but something you choose to do and, more important, from something you choose to give.

 Risk management is a fast-changing discipline. Twenty-, ten- and five-year-old qualifications, procedures and knowledge are passé. Those relying on Excel worksheets and out-dated software will fail. It is a world of analytics, data mining, risk business intelligence reporting, software solutions etc. Upgrading skills and domain knowledge is a necessity to address current day risks. Without the talent, knowledge and insight, there are no takers for a risk manager’s advice.


 In a nutshell, while the best practices for risk management functions are known, quite a few risk managers are failing to meet the required performance level. Hence, take a deeper look to assess the reasons for failure and decide whether different soft strategic approaches will benefit the organization more.

So, can you become a Linchpin risk manager? Up to you.


Reducing Recruitment Costs

I checked out Seth’s Blog global Alexa traffic analysis and it states – “Visitors to the site spend approximately two minutes per visit to the site and 84 seconds per page view.” I checked out my blog’s analysis and it states – “Visitors to the site spend roughly two minutes per visit to the site and two minutes per page view.” My readers spend more time per site visit (2 minutes) than Seth Godin’s (84 seconds) do. Yippee! Obviously I am ignoring the traffic ranking, as there is a difference of a few hundred thousand. Now you must be wondering how this data relates to reducing recruitment costs. Read on.

I further analyzed the ranking of Tata Consultancy Services, Infosys and Wipro Technologies, the three technology and business process outsourcing giants of India. Now look at the table below:

| Company Website | Global Rank | Audience Age | Total time on site | Time per page view |
| Tcs.com | 12,405 | Mostly under 25 | 6 minutes | 44 seconds |
| Infosys.com | 17,672 | Mostly under 25 | 5 minutes | 41 seconds |
| Wipro.com | 12,706 | Mostly under 25 | 6 minutes | 46 seconds |

What am I getting at? Most of the site visitors are young males looking for a job. Each site has a career section that allows candidates to register and submit their resume. Look at the table through a recruitment cost lens. If the organization focuses on its career webpage, it can reduce recruitment costs.

The Business Case

Overall, recruitment costs include job advertising costs, recruitment company fees, employee referral, interview travel expenses, relocation expenses and human resource recruitment department operating costs.

Let me take the example of IT and BPO sector recruitment costs. According to the NASSCOM Strategic Review 2011 report, the IT and BPO sector will employ 2.5 million employees in 2011. In comparison to 2010, the total employee strength will increase by 240,000 employees. Secondly, the attrition rate ranges from 20-40% in the sector. This means that approximately one-third of the employees will change jobs. Back of the envelope calculations show that BPO and IT sector organizations will hire roughly one million employees in 2011.

Most of the demand is for employees with 1-3 years of experience. Their monthly salary ranges between Rs. 20,000 – Rs. 50,000 and the recruitment companies’ fees range between 1-2 months of employee monthly salary costs.

Hence, if I take 10% of the annual cost-to-company salary as the recruitment fee and Rs. 300,000 as the annual salary, the sector will spend nearly Rs. 30 billion on recruitment fees alone. That is definitely a line item worth looking at to reduce organization recruitment costs, especially in the BPO and IT sector, where profit margins are decreasing with the recession in the US and European economies.

The Solution

Simply put, organizations need to drive traffic to their websites to ensure prospective candidates submit their resumes on the website. Any percentage increase in hires through the website will decrease agency recruitment fee costs.

In the case of the BPO and IT sector, the audience age is less than 25. Gen Y is technologically savvy and looks for the same in websites. Hence, some of the things that organizations can look into are:

> Post a video message from CEO or other CXOs explaining the vision and mission of the organization.  Gen Y prefers flat structures, access to senior management and enjoys watching videos. This will increase their enthusiasm to submit their resumes.

> Aptitude tests – IT and BPO sector generally request recruitment agencies to do preliminary screening by giving candidates written aptitude tests. The tests can be web-enabled on the career page to enable candidates to complete it while submitting their resumes.

> Voice and language tests – BPO sector in call center business conducts voice and language tests. The organizations can provide a facility for prospective candidates to upload audio and video recordings for voice tests. Secondly, administer written language tests through web.

> Pre-employment background verification – Provide a facility to candidates for uploading relevant certificates required for background screening. In India, roughly 25% of the resumes are fake or inaccurate. The background screening costs are high if done after appointment. Hence, organizations can conduct a preliminary verification before interview by reviewing the scanned certificates.

> Application processing system – Organizations can provide an application  tracking mechanism to the candidates, either to update them through automated emails or showing the application status on the website.

I was amazed that technologically advanced companies that provide technology and business consulting services have not focused aggressively on developing the career page and attracting candidates through them. Maybe the technology costs are higher, though to me it does not seem so. Maybe the thinking is that putting boots on the ground will reduce the recruitment pressure on the human resource teams. In my opinion, since in BPO and IT sector the recruitment numbers and costs are high, the human resource teams should have all technological advantages to do their jobs better. What is your opinion?


NASSCOM: The IT+ BPO Sector in India – A Strategic Review 2011