KPMG this week released a report titled “Risk Management, A Driver of Enterprise Value in the Emerging Environment”. The survey on Enterprise Risk Management (ERM) covered Europe, Middle East, Africa and India. The survey highlights the major issues Indian risk managers are grappling with as 57% of the respondents were from India.
I found the report good as it identifies a number of problems relating to risk management in India, the same ones which I have ranted about on this blog for nearly a year. Spare some time this weekend to read the report; it will give you a good grasp of the challenges in risk management. Below are some excerpts from the report that I consider crucial for improving risk management within Indian organizations.
1. Meet CEO/Board Risk Management Requirements
Indian risk managers perpetually complain that they have little visibility at board and CEO level. The risk managers’ view is that CEOs do not give attention to their audit reports. My contention is that risk managers are focused on dealing with risks at a micro level and do not cater to the risk management requirements of the CEO and Board of Directors. Hence, their work and concerns do not appear on the CEO’s radar because, from a CEO’s perspective, they are immaterial.
The KPMG report states that “Both CEOs and Board members consider Risk Management to be equally important. CEOs/business leaders would like to see more focus on reputation risk, political risk and the impact of corporate restructuring and M & A on business performance. CEOs view Risk Management through an opportunity lens whereas others view it with a “keep us out of trouble” lens.” Let me ask a basic question to risk managers – how many have attempted to address strategic business risks of mergers & acquisitions, new product development and competitive disadvantages? If not, do we have a right to complain? Hence, risk managers should start focusing on addressing the CEO’s and Board’s concerns on risk management to be effective.
2. Integrate Governance, Risk Management & Compliance (GRC) functions
The other challenge from the Indian perspective is that risk management is equated with internal audit. If internal audits are done, the presumption is that all organization risks are managed. It is the tick-the-box compliance mentality of risk managers that is killing the organization.
The second issue is that though Indian organizations’ size and turnover have increased, the GRC departments are still ill-equipped to handle the task. Various GRC functions are spread across different departments under different heads. These department heads are neither risk management specialists, nor are risk management performance indicators a priority to them. I haven’t seen a patient willing to get a surgery done by a physician instead of a specialized surgeon. However, where organizations are concerned, generalists lead risk management functions. Very few organizations have a Chief Risk Officer (CRO) or Head of Risk Management with all GRC functions reporting to him/her at local and global level. Most Chief Risk Officers are not reporting to the CEO. Hence, the disjointed department structures and disintegrated reporting patterns limit risk managers’ capability to give relevant information to the CEO and Board.
The KPMG report states that “two-thirds of the respondents believe that having a CRO will bring about a perceptible change to the quality of Risk Management practices prevalent in their organizations.” Secondly, the report says – “Nearly two thirds of the respondents in our survey indicated that their organizations developed risk responses at an individual risk/process level rather than at a portfolio level. This is partly fallout of the challenges that organizations are facing in risk aggregation/quantification at the organizational-level.” These two responses clearly bring out a need to integrate GRC functions under one department head, develop processes, and deploy tools to improve the functioning.
3. Focus on Developing a Risk Culture
I have always harped that Indian organizations are not focused on developing a risk culture. The impact of a negative organization culture on internal controls is significant. If the tone at the top, psychology and attitude are not geared towards risk prevention and mitigation, the organization will face significant reputation, legal and competitive disadvantage. For example, in the last one year the Tata group has faced significant reputation damage. Tata first faced the Tata Indica fire issue, then the Niira Radia tapes leak, and now is under investigation for bribery in the 2G-telecom scam. Similarly, the ADAG group first dealt with SEBI charges for insider trading and now is under investigation for the 2G-telecom scam. Impeccable reputations are destroyed and questions are being raised on the integrity of the industrialists.
Due to high-level corruption in the country, the mindset is that risk exposures can be managed by greasing the hands of the right people. Thus, the tone at the top contributes to slipshod risk management efforts within the organization. If senior management is not walking the talk, all communication from risk managers about risk mitigation and business ethics becomes paper policy.
Secondly, there is no proper assessment regarding the risk appetite of the organization. The KPMG report states – “Only 20 percent of the Indian respondents have suggested that their company has formally articulated a risk appetite that is approved by the CEO and the Board covering all business units and function.” With such a low percentage of organizations focusing on risk at an organization level, can one disagree with KPMG’s statement that “Embedding a strong risk culture is still in its infancy”?
The above are my takeaways from the report. Share your opinion here. What are your top concerns about risk management in India?