Corporate Risk Management: An Introduction

Arif Ahmed, Professor and Director,

South Asian Management Technologies Foundation

Risk is universal and non-discriminatory. It does not spare and select

any organisation because of its nature, country of origin, or any other
factor. Ability of an entity to identify and to be ready to face risk is the
ultimate measure of survival potential of the entity. An entity with
conventional strength in the area of finance or market will not
necessarily survive an unforeseen situation unless it can foresee and
prepare for such risk exposures.
Risk Management is now the top most priority of any entity in its quest
to survive and excel. While a good balance sheet is a temporal show of
financial strength; a good risk management system is the cardinal
feature of sustainability. The focus is not only on how much are the
shareholders earning, but is on how long they can continue to earn the
same.
The objective behind focusing on risk management is to develop the
ability of an entity to identify risk, quantify risk, and design a policy on
risk management whereby the entity is ready to face the challenges of
risk.
We can term the following as the objective of the risk management
process.
1. Developing clear understanding of the process of risk management
across the entity
2. The Board of Directors must set the limit of the risk exposure that
the entity is permitted to accept.
3. All risk assumption decisions should be in line with the business
strategy and objectives set by Board of Directors.
4. The expected payoffs must compensate for the risks taken, which
requires an approved risk-return framework to be present.
5. Risk taking decisions must be explicit and clear identifying the
expected risk exposure and pay-off.
6. Sufficient capital matching to the risk exposure must be available
The process of development of a framework for risk management
would have the following steps.
1. Review of the existing operational system: The process of review
will involve interview, process walkthrough, and review of
documents. It will concurrently involve review the system operation
and this will be achieved by reviewing the data input process and
the output generated.
2. Identification of controls that are in place during the process of
input and output.
3. Identification of controls those are non-discretionary.
4. Identification of measures that would monitor the performance of
sensitive parameters. Management of these parameters will
effectively allow management the related risks.
5. Identification of the Key Performance Indicators.
The key performance indicators are to be identified across the entity.
Given below are examples of risk areas and their sub-classifications
that the risk manager needs to focus on.
1. Environmental Related:
a) Statutory Norms
b) Internal Norms
c) Quality Assurance Norms
2. Information Related:
a) Information System Risks: General Controls
b) Information System Risks: Application Controls
3. Market Related:
a) Market Share
b) Client Segmentation
c) Geographical Segmentation
4. Operational Related:
a) System Performance
b) Process Performance
c) People Performance
5. Product / Industry Related:
a) Product Portfolio
b) Product Demand Assessment
c) Price Sensitivity
d) Industry Demand
e) Counterparty Related (including Credit Related):
f) Financial Profile (Key Ratios)
g) Account Outstanding
h) Documentary Letter of Credit
i) Collections
j) Bills of Exchange
k) Guarantees
6. Funding Related:
a) Cash Flow Forecasts
b) Profit/Loss Forecast
c) Equity
d) Borrowings
e) Project Finance
f) Acceptance
g) Derivatives Related:
h) Futures
i) Options
j) Commodity Derivatives
7. Interest Rate Related:
a) Variable rate facilities
b) Fixed rate facilities
c) Forward Rate Agreements
d) Currency Related:
e) Spot Contracts
 f) Forward Contracts
g) Currency Options
Having established the risk KPI, the entity would now be required to
design controls to act in conjunction with the KPI. Risk professionals
need to identify measure for the risk KPI, decide on the tolerance level,
and integrate the same with the reporting system. Controls are then
designed to ensure that a process and risk exposure remains within the
tolerance level. These controls will reflect not only the financial
parameters but will also include such non financial parameters that
reflect the various performance measures of the entity.
The controls that are necessary for monitoring performance can be
functionally grouped as under:
1. Operational Controls: These controls ensure that the data input
in the system is correct, relevant, and follows the maker checker
process. Assessment of the same involves conducting an
Information System Audit specifically to assess application controls
and generally to assess implementation of general controls to
ensure integrity, confidentiality, and availability of information
assets.
2. Performance Controls: These are the controls that support better
performance of the organisation.
3. Management Measures: This group of controls reflect such
measurement parameters that are critical to ensure stability and
sustainability of the performance. These controls have a pro-active
feature that can be useful to ensure sustainable performance.
These controls focus on parameters that influence the performance
of the company. In other words, performance of the organisation is
sensitive to the achieved values of these parameters. Organisations
seek to maintain their performance by monitoring the risks that
causes performances to fluctuate. The measurement measures
focuses on those risk objects.
Design of controls is a critical activity for any risk manager.
Unfortunately we do not have many risk professionals in our country.
Thus the design process often does not follow any standard approach
but resorts to arbitrary selection process. What is more important to
note that with the advent of International Financial Reporting System
(IFRS), there is a mandatory requirement of disclosing the risk
management policies and risk exposure of a reporting entity. Usage of
financial ratios, while is an important participant of risk measurement
activity, the scope of risk management goes far beyond the financial
ratios alone. What is critical for the entity is to keep a focus on where
would they stand in the event of foreseeable risk actually depleting
into the operating substratum of the entity. Preparedness of the entity
will be reflected by its extent of readiness to face such loss exposures
and the discipline of risk management will quantify the preparedness
requirement for the entity.