About Reliance Jio Infocomm Limited: Reliance Jio Infocomm Limited, a subsidiary of Jio Platforms Limited, has built a world-class all-IP data-strong future-proof network with 4G LTE technology. The network is 5G ready with no legacy infrastructure and an indigenous 5G stack. It is the only network conceived as a Mobile Video Network from the ground up. It is future-ready and can be easily upgraded to support even more data, as technologies advance on to 6G and beyond.
Jio has brought transformational changes in the Indian digital services space to enable the vision of Digital India for 1.4 billion Indians and propel India into global leadership in the digital economy. It has created an ecosystem comprising network, devices, applications and content, service experience, and affordable tariffs for everyone to live the Jio Digital Life.
Changes in technology, government regulation, and market conditions continue to transform the telecommunications and digital connectivity industry. In this very dynamic, exciting, and complex business landscape, organizations face numerous risks that can potentially impact their operations, reputation, and bottom line. To navigate these challenges successfully, it is crucial for companies to cultivate a strong enterprise risk management (ERM) culture. An effective ERM culture fosters a proactive and holistic approach to identifying, assessing, and mitigating risks across the entire organization.
Jio believes in proactive identification and mitigation of potential risks. These risks need to be managed to protect its customers, employees, shareholders, and other stakeholders in society. Risk and opportunity management is therefore a key element of Jio’s Risk Management Strategy.
In this article, we will explore the key strategies and best practices for building such a culture and how Jio adopted them.
A) Leadership Commitment: Creating an effective ERM culture starts at the top. Leadership commitment and involvement are essential to establishing a strong risk management framework. Senior executives should champion the importance of risk management, communicate its value, and allocate sufficient resources for its implementation. When leaders actively participate in risk discussions and demonstrate a commitment to risk management, it sets the tone for the entire organization.
The Group leadership acknowledged the need to create a separate Risk Management function to have a clear demarcation between Lines of Defense 1, 2 and 3. The leadership requested the establishment of a risk management organization in the company to build risk management and internal control competence to:
- Improve and sustain risk mitigation and control effectiveness around key business processes.
- Detect and remediate risk mitigation and control weaknesses through self-verification and monitoring processes in the 2nd line of defense rather than through Group Audit activities.
- Create a holistic view of risk to address multiple, “siloed” risk management practices.
- Achieve greater visibility, transparency, and accountability for risk exposures at all levels in the organization, including Board levels.
- Align risk management capabilities to increase response and agility.
- Enable GRC technology to create a common standard platform to integrate risk processes and drive risk and control monitoring.
B) Risk Awareness and Education: Developing risk awareness and providing comprehensive training to employees as well as functional leadership at all levels is critical. By ensuring that individuals understand the importance of risk management and their role in it, organizations can create a risk-aware culture. Conduct regular training programs, workshops, and awareness campaigns to enhance risk literacy across the organization. The Training included the following:
- Concept of risk management and where we “fit in”
- What is the legal or Statutory placement of risk management?
- Concept of 3 Lines of Defense
- How does the Senior Management review/assess the ‘big picture’?
- Management Risk management via the GRC tool
- How to identify risk events & their articulation and categorization
- How to assess risks
- Differentiating Risk Events, Causes and Consequence
- Implementation of risk responses and control environment
- Controls self-assessment and functional testing
A specially curated training and examination plan from the Institute of Risk Management, India affiliate chapter, for the Risk champions also helped in creating awareness, branding and certification.
C) Integrated Risk Framework: An effective ERM culture requires a well-defined and integrated risk framework that aligns with the organization’s objectives and operations. Establish a structured approach that enables the identification, assessment, and prioritization of risks across all business functions. Develop risk registers or matrices to capture and analyze risks comprehensively. This integrated framework facilitates better decision-making, resource allocation, and risk mitigation efforts.
The Group has created a Reliance Management System (RMS) which includes Risk Management at its core strategic framework. Risk Management and Internal Control are integrated into many elements of RMS.
Jio also embraced, at an early stage, an in-house developed GRC (Governance, Risk & Compliance) tool for Risk Management and created a common standard platform to integrate risk processes and drive risk and controls monitoring.
D) Clear Roles and Responsibilities: Establishing clear roles and responsibilities regarding risk management is crucial for accountability and ownership. Assign risk management responsibilities to dedicated individuals or teams within the organization. This includes designating risk officers or champions who are responsible for overseeing the ERM process, coordinating risk assessments, and monitoring risk mitigation activities. Clearly define roles and ensure that employees understand their responsibilities in managing risks effectively.
Risk Management expectations were clearly defined in the Reliance Management System (RMS). The Businesses and Functions (LoD 1) are responsible for maintaining an integrated multidisciplinary view on key organizational risks across all types of risks, whereas the Functional experts (LoD 2) provide Functional Assurance to the Businesses by providing a view, independent of the line, of risks within their area of functional expertise. LoD 2 also sets standards for the management of risks, provides guidance to relevant Businesses in its area of expertise, and monitors or verifies the effectiveness of risk management activities completed by the Business.
E) Risk Management Organisation – Design Principles: Jio derived its Risk Management organization design principles on the basis of the following philosophy: “The risk management function needs to be sufficiently close to the business to recommend the business and at the same time sufficiently separate from the business to fulfill its assurance function. The balance between these two aspects of its function is necessary.”
Based on this design principle the risk management organization consists of:
1. A central team with two sets of capabilities:
a) Group Risk Managers who manage the Group’s Risk Management Framework; drive clarity, consistency, and quality in how significant risks are understood, reported (through GRC), and managed in businesses and functions, and support Risk Oversight and Governance activities through common methodologies, frameworks, systems, and processes.
b) Risk Assurance Managers with functional risk and control expertise for areas that cut across multiple businesses/functions (e.g., order to cash, procure to pay, etc.).
2. An embedded network of Risk Assurance Managers with functional risk and control expertise for areas specific to certain businesses/ functions where close interaction on a day-to-day basis is required (e.g., IT risk within the IT function, Treasury risk within the Treasury function, etc.).
F) Communication, Collaboration, and Incident reporting: Effective communication and collaboration are fundamental to building an ERM culture. Encourage open dialogue about risks across all levels and departments. Jio has implemented a multilayer Governance mechanism for Risks and mitigation discussion that includes:
- Line of Defense 1, 2 and 3 weekly meetings
- Business Risk and Assurance Committee (BRAC) Meeting for major functional groups
- Formal committee meetings depending on the nature of risk such as Financial Risks, Audit and other statutory reporting, Statutory Compliances, and other special purpose agendas.
These meetings help foster a collaborative environment where employees feel comfortable reporting potential risks, seeking guidance, and sharing lessons learned.
An incident should be utilized as an opportunity to challenge the risk management framework. An incident reporting mechanism should be in place to ensure that incidents occurring across the organization or geographic locations are reported and reviewed for potential organization-wide impact, so as to prevent similar incidents in other locations. Jio has deployed multiple reporting portals for incidents such as insurable incidents, legal incidents, or HSE incidents, not only for tracking the workflow for logical actions on the incidents but also for sharing learnings of control weaknesses across the organization, which will have a compounding impact.
G) Risk Appetite and Tolerance: Establishing a clear risk appetite and tolerance level is crucial to guide decision-making and risk-taking within the organization. Define the acceptable level of risk exposure based on the organization’s objectives, values, and industry standards. Communicate this risk appetite across the organization to ensure that employees understand the boundaries within which they can operate. Regularly review and update the risk appetite statement to align with changing business dynamics.
H) Continuous Monitoring and Improvement: An effective ERM culture requires ongoing monitoring and improvement. Implement a robust monitoring system to track risk mitigation efforts, identify emerging risks, and measure the effectiveness of risk controls. Regularly review risk management processes, policies, and procedures to identify areas for improvement. Foster a culture of continuous learning and adaptability, encouraging employees to share feedback and suggestions for enhancing the risk management framework.
I) Frequently assess risk and controls monitoring for its effectiveness: Enterprise and operational risks should be routinely assessed at least quarterly for the risk commenting meeting. This should be part of regular Business Risks and Assurance meetings and in addition to the annual programs review.
The Risk Management Framework should have clear control monitoring across the 3 Lines of Defense. The monitoring approach should include self-verification by LoD 1, Functional Testing by LoD 2, and Independent Assurance by LoD 3.
J) Use of Automation and Technology: An effective Risk Management environment should include extensive use of IT systems that enable recording, monitoring, and reporting of risks and controls.
The core GRC functionalities deployed include a System of Records for Risk Management, Process Control, Access Control, Audit Management, Incidents Management, and Delegation of Authority. The System of Insights, i.e., the user interface layer, includes data visualization tools for real-time dashboards and issue tracking. The next level of data and process mining logic for exception management is in the advanced development stage and includes fraud analytics and control testing for failures or gaps analytics. The use of newer technologies such as Generative AI, ML, and OCR has a lot of potential in risk management in the areas of data mining, risk assessment, and control testing articulation and reporting.
K) Reward and Recognition: Recognize and reward individuals and teams that demonstrate exemplary risk management practices. Implement an incentive system that acknowledges and celebrates proactive risk management efforts. By linking risk management to performance evaluation and rewards, organizations reinforce the importance of risk awareness and encourage a culture of responsible risk-taking.
Building an effective enterprise risk management culture requires a proactive and comprehensive approach. By adopting the strategies and best practices outlined in this article, organizations can foster a strong enterprise risk management (ERM) culture.
Blog written by: Sachin Mutha, Head Risk Management, Reliance Jio & Media Companies