Enterprise Risk Management Standards and Regulations: Navigating from Compliance to Culture

Getting India Risk Ready

This article is the transcript of IRM India’s What’s The Risk?® episode telecast on CNBCTV18. The What’s The Risk?® initiative by IRM India Affiliate decodes risks and opportunities across diverse sectors with an objective of elevating the importance of risk intelligence and enterprise risk management as a skill, profession and business enabler.

Voiceover:

Institute of Risk Management India Affiliate presents ERM Standards and Regulations: Navigating from Compliance to Culture.

Hersh Shah:

The harsh lessons of systemic failures and collapses in the real economy have been underscored by the financial crisis and more recently, the COVID-19 pandemic and ongoing wars. As we move forward, it is clear that organisations could be central to many future systemic events that will not only test their resilience but also cause large-scale breakdowns across sectors and economies. Now, with globalization of supply chains, digital transformation, economic volatility, environmental uncertainties, and, for that matter, even business model disruptions, the role of regulators and professional bodies becomes pivotal in not just setting standards or rules but also embedding a robust risk-aware culture that protects investors, customers, and all stakeholders with a confidence that organisations are prepared with responses instead of reactions in their approach to these dynamic risks. In this context, it becomes important to decode the very backbone of risk regulations and frameworks. So, here’s welcoming all of you to the panel discussion on ERM Standards and Regulations: Navigating from Compliance to Culture by the Institute of Risk Management India Affiliate. As the world’s leading certifying body in ERM exams across 140 countries, the What’s the Risk?® initiative underscores our unwavering commitment to driving thought leadership in every sector and discipline. Joining me in the third episode are Mr. Ananth Narayan, whole time member of the Securities and Exchange Board of India, Jason Brown, who was the Chair of the ISO Committee on Risk Management from 2017 to 2023, Jyoti Ruparel, Senior Advisor, Digital Risk Transformation at PwC India and she’s also on the Board of IRM India, Dr. Sajiv Madhavan, Chief Risk and Sustainability Officer at Tata Elxsi. Thank you, lady and gentlemen, for joining me today. Mr. Ananth Narayan (Whole Time Member, Securities and Exchange Board of India (SEBI)), I want to start with you. 
It is commendable how SEBI has set a global benchmark in risk regulations, exemplifying excellence and leadership in financial market safety and stability. What is SEBI’s perspective on ERM in companies, and what is your regulatory approach to Enterprise Risk Management?

Ananth Narayan:

As a regulator, we see a lot of parallels between our own role and the ideal role of a good risk management framework. The way I would put it is, there are three objectives that a good regulator or a good second line of defence needs to keep in mind, two are about avoiding errors, and one is about doing something positive. The first is to avoid Type I errors, which is, don’t let bad things happen, or, prevent bad things from happening. That’s what a lot of people focus on, and that’s clearly a key part of risk management. The second, equally important, is to avoid Type II errors, which is, don’t come in the way of good things happening, and both Type I and Type II errors have to be minimised simultaneously—and that’s really important. The third positive element is, to the extent possible, try and facilitate good things happening. To me, these three mandates come together to put together a credible regulatory mandate as well as a risk management mandate. Now, when it comes to having a strong second line of defence in the form of a risk management horizontal, in our own regulated entities, market infrastructure institutions like exchanges, clearing corporations, depositories, or, under RBI’s banks and non-bank finance companies, clearly we are very, very interested in ensuring that there is a robust risk management culture. In fact, we need two verticals to be strong, independent, and well-resourced—the operations and technology vertical, as well as the risk management and compliance verticals. They need to be independent of business development and the narrow business perspective, and they need to be strong and robust to ensure that we have financial stability, that the financial services ecosystem is robust. Now, when it comes to other listed companies, we do have requirements under our listing obligations and disclosure requirements regulations, which require the top thousand companies to have a risk management committee of the board. 
We do specify some broad objectives of this risk management committee, in terms of identification of risks, having systems and frameworks in place, mitigating the known risks, as well as having a system of review to ensure that you’re updated in your risk management framework. I think, the need for a robust risk management framework and investments towards that is absolutely self-evident. Our regulatory approach is to nudge a robust risk management to be in place at a company level, but frankly, a lot of the initiative has to be taken by the board and the company itself, and that’s the way it should be, not through regulatory push but by a self-evident good governance practice.

Hersh Shah:

Jason Brown (Chair – ISO Committee on Risk Management (2017-2023) and Advisor, IRM India), actually building on what Mr. Ananth shared, the ISO 31000 standard lays a lot of emphasis on value creation and protection, and even, leadership and commitment. So, having been a key member in developing the standard, could you share your first-hand experiences during its creation, and what was the underlying rationale, and what are some of the principal attributes and benefits of this standard?

Jason Brown:

What we’ve seen is thinking about objectives. The biggest discussion was what is it that risk management does, and it was all about meeting organization objectives to sustain and create value, and that became a central point about why you need to do things. So, it wasn’t just about protection from potential negative outcomes, it was about ensuring there were those opportunities to seek positive outcomes. I think, it’s really interesting how ISO 31000, in its framework, provides an opportunity to look at three levels. The important one, I think, is the principles. We might talk a bit more about that later. Then, the framework stage of how you integrate it into the enterprise. And lastly, the process stage that could operate at multiple levels for any risk-related problem. So, I’ll give you a good example. Most recently, in Australia, we’ve had two major changes in our legislation. The critical infrastructure legislation which came through, mandates a critical infrastructure risk management plan correlated directly into the overall enterprise plan for our critical infrastructure entities, and this is a mandatory plan where the boards of directors have to sign off each year that the plan is there, evident, and working, similar as do ASX – Australian Stock Exchange companies. So, I think, there’s a couple of really key issues there, and as we go forward, we’re good to explore some.

Hersh Shah:

Jyoti Ruparel (CMIRM, Senior Advisor – Digital Risk Transformation, PwC India), I’d now like to hear your thoughts on the COSO ERM framework. As an IRM-qualified risk expert, and having led the risk function for years, can you share some insights on the evolution of this framework from 2004 to 2017?

Jyoti Ruparel:

If you ask me, COSO for me has been the fundamental building block for any risk discipline. With just about 5 components and 20 principles, I think, it aligns with the business cycle, and irrespective of the size of the organisation, it actually goes the whole 9 yards from governance to routine daily activities. If I were to look at the 2004 edition, and then the 2017 edition, I think, the essential difference has been with a greater focus on the value ERM brings to the table. Basically, it aims at linking strategy, risk, and performance. There are many critical components but something which I felt were very key to what I saw in 2017 COSO is, first and foremost, using ERM as an aid to decision making. Secondly, a greater emphasis on risk culture, starting with board oversight. Third, making sure that risk management is integrated across levels in an organization. And lastly, the fact that there has to be a process of dynamic risk assessment which helps reindex strategy at various points in the journey of an organization, and I think, the focus on strategy being aligned to purpose, it is the key differentiator in the COSO 2017 framework. If you’re looking for a practitioner’s guide to implementing COSO, IRM also has a pretty good guide, and I would recommend that you go through that, it could help you in the implementation in a very big way.

Hersh Shah:

Dr. Sajiv Madhavan (CMIRM, Chief Risk & Sustainability Officer, Tata Elxsi), let me ask you at this point. How are you seeing the evolution of the IRM risk culture framework and its adaptation in India Inc.? What has been your experience? 

Dr. Sajiv Madhavan:

For multiple reasons, I should say thanks to IRM, because it is one thing to say that you need to have a risk culture, but as a practitioner, we are always challenged on how do we go about doing it, and when we look at the body of knowledge of IRM, it shows. Of course, the commitment of IRM for the cause of Enterprise Risk Management. You have the double S model as well as the four-theme, eight-part framework which are very comprehensive and holistic. I would say for a practitioner, it is very easy to now run with the ball than really figure out what is missing, so, it was very helpful. We double clicked on the social aspect of the double S, and we further enhanced it by having mastery of Enterprise Risk Management itself through training and certifications, because again, culture comes with all these parts of co-operation, collaborative work as well as tools that will help with solving problems. So, that’s what I would like to say on the IRM culture and how we built on it. 

Hersh Shah:

Definitely, Sajiv. I acknowledge your viewpoint and strongly believe that organisations of all sizes, and across all sectors, need to now foster a robust risk culture ensuring that risk management is not siloed but actually integrated into every decision-making process, like the panelists have spoken. In fact, numerous companies in India have now taken proactive steps in enhancing risk compliance and culture by nominating their business and functional employees for some of the global ERM exams by IRM, and they’re also trying to integrate this into the performance appraisals to ensure that risk ownership actually permeates to the lowest levels. Well, it’s time for a quick break, but we’ll be back shortly with our esteemed panel to continue our in-depth discussion on the practical implementation of the SEBI LODR, COSO, ISO and the IRM risk culture frameworks. Stay tuned. 

Voiceover:

Institute of Risk Management India Affiliate presents ERM Standards and Regulations: Navigating from Compliance to Culture. 

Hersh Shah:

Welcome back to the third episode of IRM India’s What’s the Risk?® initiative, ERM Standards and Regulations: Navigating from Compliance to Culture. I’ve been in conversation with Mr. Ananth Narayan, Jason Brown, Jyoti Ruparel and Dr. Sajiv Madhavan. Jason, continuing our conversation on the ISO standard, and in light of India’s diverse business landscape, how do you think the standard can be adapted to fit the unique cultural and regional challenges faced by Indian organisations, as they say, every state is a country by itself? Can you discuss any specific case or example where the implementation of the standard has actually improved risk management outcomes?

Jason Brown:

I like the 31000 standard, it can be applied to an organisation of any size, in any structure. It could be applied by the mayor of a small village in the context of the village’s objectives, to manage water supply better or to manage crops better, or, it could be played against a major international organization that is trying to achieve global aims. It’s a question of, when you address the principles, the principles are general, they’re things that people should be doing in normal life. When you get into the framework component, by going through each step in the framework, it doesn’t matter whether you own a small corner shop, you are operating in an environment where you wish to create value for your family and the community. And finally, when you start to analyze and assess the risks, the risks will be different for nearly every organization, some may be common to everyone in an area or particular business line, some may not be. But if you take it even as an individual, you can work your way through the process, or the degree of certainty that you will get an understanding, the things that may impact on your performance or enhance your performance. I sort of think ISO 31000 can be used intuitively or formally, but the more complex the situation, the more you need some of the analytical tools that are in another international standard, ISO 31010, which is analytical methodologies. I have also seen in ISO that you can take the 31000 and apply it in cyber security standards, as we’re doing in Australia, into critical infrastructure protection standards. So, it’s a very robust system but it doesn’t mean to give specifics. It’s right up front, it gives the opportunity for someone who wants to use the standard to tailor it, and that could include working on micro or macro scales. So, I think, it’s a useful one, and you don’t have to be an expert, you just have to be thoughtful, and I won’t talk about my definitions of the people involved in risk.

Hersh Shah:

And very quickly, if you could also touch upon the small and medium enterprises. As you know, India is home to the largest number of MSMEs, they don’t have resources like larger corporations. So any thoughts on how these organisations can also adapt to the standard?

Jason Brown:

I think, a small organisation will generally not have too big a gap between the Chief Executive, the Owner, and those who are working with them to achieve a result. So those issues around principles, once there’s shared principles, and people have skills, they can work through the process fairly quickly. Let me again give something really simple. If I owned a shop that sold electrical appliances, and I was wanting to create better value, I would be looking at who are the stakeholders that are likely to enhance my operation, and some of those are the people that work there, some of them are the other companies and businesses nearby. The first and really important thing is to understand the concept. So, I think, small and medium enterprises, by stepping through this, it’s not the same as a big corporation with multi-levels and Chief Risk Officers. The Risk Owner is going to be the person that runs the business, and they need to drive the process. So when we talk about integrating it, whatever the culture is, risk has to be an important consideration for that culture to operate effectively in reducing the potential of failure and enhancing the potential for success.

Hersh Shah:

Mr. Ananth, speaking of the diverse business landscape, we’re also seeing a series of catastrophic events, all at the same time, or as WEF (World Economic Forum) calls it, polycrisis. What do you think are some of the challenges that CROs and risk professionals face and how can they be addressed?

Ananth Narayan:

Well, I guess, Risk Managers, in general, face several challenges, similar to the kind of challenges that we regulators face. The first I can think of is, staying updated, having market intelligence, being abreast of the many new tools that are being developed and the many new research ideas and intelligence coming through in the ecosystem. The second challenge is earning a seat at the management table, in many ways. What you want is, you don’t want risk management to descend into a necessary evil of a tick the box, and let’s make sure that you’re showing compliance, and let’s move on. You’ve got to convert your role as a risk manager to being a relevant one, where your place at the table is automatic, simply because of the value that you bring in. The last challenge I can think of is that invariably, now look, a risk manager’s job is tough, at some stage you will be required to say no, it’s a tough role, it’s a role where you have to walk a tightrope, what I would suggest is, you have to be very, very clear about your red lines, and you should have the confidence and the ability to say no when those red lines are crossed, after all, robust risk management is about ensuring that the short term does not become an excuse for sacrificing the medium-term or the long-term.

Hersh Shah: 

Jyoti, if I can bring you at this point to share some of the challenges that Indian companies or even consulting firms are facing in implementing or advising the implementation of the COSO ERM framework, and also tell us how the RMC risk function can improve their effectiveness, and is there anything else that we need to do to enhance the value of Enterprise Risk Management?

Jyoti Ruparel:

See, one of the key challenges in ERM implementation is the lack of the perceived value of ERM, and which is why other initiatives in an organisation take precedence, and related to this is the management buy-in. Apart from that of course, there’s this whole hog of the regulatory compliance complexity, and coupled with the diversity of laws that India is going through, even with the ESG risks coming in, it makes it far too complex for organisations to think about implementing a risk management framework. Also, I think, one of the key things that I’ve seen is where we have the traditional organisational structures, they may actually be resisting shifting to a more risk-aware set-up, and which is why getting buy-in from employees across levels is crucial to building up a good risk culture. Last but not the least is the lack of risk-intelligent professionals. Risk professionals need to go ahead and start getting the right upskilling, and I now do see that a lot of us, a lot of our community is actually going ahead and getting the IRM designation, which really helps elevate the quality of risk discussions. Then of course, institutes like IRM, Hersh, should really continue to promote more risk awareness across the country, from educational institutions to corporates, to boardrooms. I think, Boards and Regulators really need to get to the level of insisting on qualified professionals to take up the CRO role because as you know, we’ve read in COSO or ISO, it’s really the tone at the top that defines the risk culture. If we have these concerted efforts coming from the top, I think that would go a long way in shaping a good risk culture and enhancing the corporate governance across our country. 

Hersh Shah: 

Okay, Sajiv finally turning to you. Since Jyoti has spoken about the quality of risk leadership, you’ve just passed the IRM exam and earned your certified membership status as a qualified CRO. How do you think that has helped you win the trust of stakeholders within the organisation, and also, for the benefit of your fellow peers, can you explain the process that you had to go through to earn the qualification?

Dr. Sajiv Madhavan:

I would say to my fellow CROs, so one is, being a Designated CRO versus a Qualified CRO. It’s a movement, it’s a significant movement, and both, the journey and the destination are actually really wonderful to be in. As far as I’m concerned, when it comes to a journey, I took almost 3 to 4 months to just fill up the form because it was so profound and deep, the questions were, and it was so insightful. I was reflecting on each and every question, just to respond to those questions itself is bringing out the gaps and blind spots in our process, in our thinking and all of that. So, the journey is very good, and the interview process and the test, whatever we may call it, I actually enjoyed it because that is our chance as CROs to benchmark with the best of the best, so it was like, bring it on. I would probably say to all CROs that please allow yourself to bring it on and undergo this process, and the second part is of course that, the whole company is looking up to us as an expert of Enterprise Risk Management, and what other way of getting recognition more than IRM, where there’s a structure, there’s a process, there’s a body of knowledge, there are so many resources that they have? We are confident in front of our peers, in front of our senior directors, and they also feel that the process is in safe hands.

Hersh Shah: 

Well, on that note, thank you, panelists for sharing your expertise and perspectives which have greatly enriched our discussion in decoding ERM standards and regulations. Now, as we navigate an increasingly interconnected global landscape, it is the tireless efforts of the regulators and professional bodies that will not just help businesses adopt a culture for proactively managing uncertainties, but also elevate the ERM profession and the role of the corporate risk manager to a business enabler. Let’s collaborate and work together for a future where we can thrive on resilience and foresight. Thanks once again, and stay tuned for our next episode of What’s the Risk?®. 

Voiceover:

Institute of Risk Management India Affiliate presents ERM Standards and Regulations: Navigating from Compliance to Culture.
