
Unit-4 Financial Credit Risk Analytics

The document discusses different types of risks associated with investment proposals and financial decisions. It defines risk and uncertainty, outlines different levels of risk from no risk to uncertainty, and provides examples of investment opportunities with varying risk levels. It also covers different types of financial risks including market risk, credit risk, and liquidity risk.

Uploaded by

Shubh Banshal
Copyright © All Rights Reserved

UNIT -4

Analysis of Risk & Uncertainty


It was assumed that those investment proposals did not involve any kind of risk, i.e., whichever
proposal is undertaken, there would not be any change in the business risk as apprehended by
the suppliers of capital. In practice, in real-world situations, this seldom happens.

We know that decisions are taken on the basis of forecasts, which in turn depend on future events
whose occurrence cannot be anticipated/predicted with absolute certainty due to some factors,
e.g., economic, social, political etc. That is why the question of risk and uncertainty arises in
the business world, although it varies from one investment proposal to another.

For example, some proposals may not involve any risk, e.g., investment in Government
bonds and securities where a fixed rate of return exists; some may be less risky, e.g.,
expansion of the existing business; others may be more risky, e.g., setting up a new operation.

That is, different investment proposals have different degrees of risk. It should be remembered
that if there is any change in the complexion of business risk, there is also a change in the
apprehension of the creditors and the investors about the firm. In short, if the acceptance
of any proposal makes the firm more risky, creditors and investors will not be interested or will
not consider it with favour, which, in other words, adversely affects the total valuation of the firm.

Therefore, while evaluating investment proposals, care should be taken about the effect that their
acceptance may have on the firm’s business risk as apprehended by the creditors and/or
investors. As such, the firm should always prefer a less risky investment proposal to a more
risky one.

The riskiness of an investment proposal may be defined as the variability of its possible returns,
i.e., the variability which is likely to occur in the future returns from the project. For
example, if a person invests Rs 25,000 in short-term Government securities carrying 12%
interest, he may accurately estimate his future return year after year, since it is absolutely
risk-free.

On the contrary, if instead of investing Rs 25,000 in short-term Government securities he wants to
purchase the shares of a company, then it is not at all possible for him to estimate the future
returns accurately, since the dividend rates of a company may vary widely, viz., from 0% to a
very high figure.

Therefore, as there is a high degree of variability relating to future returns, it is relatively risky as
compared to his investment in Government securities. Thus, risk may be defined as the
variability which is likely to accrue in future between the estimated/expected returns and
the actual returns. The greater the variability between the two, the riskier the project, and
vice versa.

In short, risk may be defined as the degree of uncertainty about an income. Risk is a characteristic of
the investment opportunity and has nothing to do with the attitude of investors. Consider the
following two investment opportunities, viz., X and Y, which have the possible payoffs presented
in the Table below, depending on the state of the economy.

(Assume that the three states of the economy are equally likely)


From the table presented above, it becomes clear that the average expected return from both the
projects is Rs. 1,000 (Rs. 3,000 ÷ 3). But the return from investment X will lie between Rs. 990
and Rs. 1,010, as compared to investment Y, which lies between Rs. 0 and Rs. 2,000; in other
words, more uncertainty arises about the return from investment Y.

However, decision situations may be broken down into three types: Certainty, Risk and
Uncertainty.

(i) Certainty:

No Risk

(ii) Risk:

It involves situations in which the probabilities of a particular event which occurs are known,
i.e., chance of future loss can be foreseen.

(iii) Uncertainty:

The probabilities of a particular event which occurs are not known i.e., the future loss cannot be
foreseen. The basic difference between risk and uncertainty is that variability is less in case of
risk whereas it is more in case of uncertainty although both the terms are used here
interchangeably.

Financial Sector, Risk Types

Financial risk is the possibility of losing money on an investment or business venture. Some
more common and distinct financial risks include credit risk, liquidity risk, and operational risk.

Financial risk is a type of danger that can result in the loss of capital to interested parties. For
governments, this can mean they are unable to control monetary policy and default on bonds or
other debt issues. Corporations also face the possibility of default on debt they undertake but
may also experience failure in an undertaking that causes a financial burden on the business.

Financial markets face financial risk due to various macroeconomic forces, changes to the
market interest rate, and the possibility of default by sectors or large corporations. Individuals
face financial risk when they make decisions that may jeopardize their income or ability to pay a
debt they have assumed.

Financial risks are everywhere and come in many shapes and sizes, affecting nearly everyone.
You should be aware of the presence of financial risks. Knowing the dangers and how to protect
yourself will not eliminate the risk, but it can mitigate the harm and reduce the chances of a
negative outcome.

1. Market risk

Among the types of financial risks, one of the most important is market risk. This type of risk has
a very broad scope, as it appears due to the dynamics of supply and demand.

Market risk is largely caused by economic uncertainties, which may impact the performance of
all companies and not just one company. Variations in the prices of assets, liabilities and
derivatives are included in these sources of risk.

For example, this is the risk to which an importer company paying its supplies in dollars and then
selling the final product in local currency is exposed. In the event of devaluation, that company
may suffer losses that would prevent it from fulfilling its financial obligations.

The same applies for innovations and changes in the market. One example is the commercial
sector. Companies that have managed to adapt to the digital market to sell their products online
have experienced an increase in revenue. Meanwhile, those that have resisted these
transformations show lagging competitiveness.

2. Credit risk

In financial risk management, credit risk is of paramount importance. This risk refers to the
possibility that a creditor will not receive a loan payment or will receive it late.

Credit risk is therefore a way of determining a debtor’s capacity to fulfill its payment obligations.

There are two types of credit risk: retail and wholesale.

The first refers to the risk involved in financing individuals and small businesses, whether
through mortgages, cards or any other form of credit.

Wholesale credit, on the other hand, arises from the organization’s own investments, whether in
the form of sales of financial assets, mergers or acquisitions of companies.

The case of subprime mortgages in the United States, which led to the economic crisis of 2008,
explains how credit risk materializes when it is not managed properly.

Subprime mortgages were high-risk, high-interest loans granted to people who were unemployed
or did not have a stable income.

Banks began to broaden the profile of subprime mortgage applicants in order to increase
income. However, since the applicants could not pay, the delinquency of the debts increased.

3. Liquidity risk

Financial risk management must consider a company’s liquidity, as every organization must
ensure that it has sufficient cash flow to pay off its debts. Failing to do so may ruin investor
confidence.

Liquidity risk is just that. It is the possibility that a company will not be able to fulfill its
commitments. One of the possible causes thereof is poor cash flow management.

A company can have a significant amount of equity, but at the same time a high liquidity risk.
That is because it cannot turn those assets into money to meet its short-term expenses.

Real estate or bonds, for example, are assets that can take a long time to turn into money. That is
why each company must verify whether it has current assets to pay off short-term commitments.

4. Operational risk

Finally, among the types of financial risks there is also operational risk. There are different types
of operational risk. These risks occur due to lack of internal controls within the company,
technological failures, mismanagement, human error or lack of employee training.

Eventually, this risk almost always leads to a financial loss for the company.

Operational risk is one of the most difficult to measure objectively. In order to be able to
calculate it accurately, the company must have created a history log with the failures of this type
and recognized the possible connection between them.

These risks can be avoided if it is recognized that a specific risk can trigger further risks. A
broken-down machine, for example, implies not only the expense of repairing it. It also causes
losses from production downtime, which can lead to a delay in product deliveries and even affect
the company’s reputation.

Operational Risk Management: Recruitment & Training, Work flow Design


The term operational risk management (ORM) is defined as a continual cyclic process which
includes risk assessment, risk decision making, and implementation of risk controls, which
results in acceptance, mitigation, or avoidance of risk. ORM is the oversight of operational risk,
including the risk of loss resulting from inadequate or failed internal processes and systems;
human factors; or external events. Unlike other types of risk (market risk, credit risk, etc.),
operational risk had rarely been considered strategically significant by senior management.

Levels

Deliberate

Deliberate risk management is used at routine periods through the implementation of a project or
process. Examples include quality assurance, on-the-job training, safety briefs, performance
reviews, and safety checks.

In Depth

In depth risk management is used before a project is implemented, when there is plenty of time
to plan and prepare. Examples of in-depth methods include training, drafting instructions and
requirements, and acquiring personal protective equipment.

Time Critical

Time critical risk management is used during operational exercises or execution of tasks. It is
defined as the effective use of all available resources by individuals, crews, and teams to safely
and effectively accomplish the mission or task using risk management concepts when time and
resources are limited. Examples of tools used include execution check-lists and change
management. This requires a high degree of situational awareness.

Categories:
People

The people category includes employees, customers, vendors and other stakeholders. Employee
risk includes human error and intentional wrongdoing, such as in cases of fraud. Risks include
breach of policy, insufficient guidance, poor training, bad decision making, or fraudulent
behavior. Outside of the organization, there are several operational risks that include people.
Employees, customers, and vendors all pose a risk with social media. Monitoring and controlling
the people aspect of operation risk is one of the broadest areas for coverage.

Technology

Technology risk from an operational standpoint includes hardware, software, privacy, and
security. Technology risk also spans across the entire organization and the people category
described above. Hardware limitations can hinder productivity, especially when in a remote work
environment. Software too can reduce productivity when applications do not increase efficiency or
employees lack training. Software can also impact customers as they interact with your
organization. External threats exist as hackers attempt to steal information or hijack networks.
This can lead to leaked customer information and data privacy concerns.

Regulations

Risk for non-compliance to regulation exists in some form in nearly every organization. Some
industries are more highly regulated than others, but all regulations come down to
operationalizing internal controls. Over the past decade, the number and complexity of rules
have increased and the penalties have become more severe.

Flow:
Step 1: Risk Identification

Risks must be identified so these can be controlled. Risk identification starts with understanding
the organization’s objectives. Risks are anything that prevents the organization from attaining its
objectives.

Step 2: Risk Assessment

Risk assessment is a systematic process for rating risks on likelihood and impact. The outcome
from the risk assessment is a prioritized listing of known risks. The risk assessment process may
look similar to the risk assessment done by internal audit.

Step 3: Risk Mitigation

The risk mitigation step involves choosing a path for controlling the specific risks. In the
Operational Risk Management process, there are four options for risk mitigation: transfer, avoid,
accept, and control.

• Transfer: Transferring shifts the risk to another organization. The two most common means
  of transferring are outsourcing and insuring. When outsourcing, management cannot
  completely transfer the responsibility for controlling risk. Insuring against the risk
  ultimately transfers some of the financial impact of the risk to the insurance company. A
  good example of transferring risk occurs with cloud-based software companies. When a
  company purchases cloud-based software, the contract usually includes a clause for data
  breach insurance. The purchaser is ensuring the vendor can pay for damages in the event
  of a data breach. At the same time, the vendor will also have their data center provide
  SOC reports that show there are sufficient controls in place to minimize the likelihood of
  a data breach.
• Avoid: Avoidance prevents the organization from entering into the risk situation. For
  example, when choosing a vendor for a service, the organization could choose to accept a
  vendor with a higher-priced bid if the lower-cost vendor does not have adequate
  references.
• Accept: Based on the comparison of the risk to the cost of control, management could
  accept the risk and move forward with the risky choice. As an example, there is a risk
  that an employee will burn themselves if the company installs new coffee makers in the
  breakroom. The benefit of employee satisfaction from new coffee makers outweighs the
  risk of an employee accidentally burning themselves on a hot cup of coffee, so
  management accepts the risk and installs the new appliance.
• Control: Controls are processes the organization puts in place to decrease the impact of
  the risk if it occurs or to increase the likelihood of meeting the objective. For example,
  installing software behind a firewall reduces the likelihood of hackers gaining access,
  while backing up the network decreases the impact of a compromised network since it
  can be restored to a safe point.

Step 4: Control Implementation

Once the risk mitigation choice decisions are made, the next step is implementation. The controls
are designed specifically to meet the risk in question. The control rationale, objective, and
activity should be clearly documented so the controls can be clearly communicated and executed.
The controls implemented should focus on preventive control activities over policies.

Step 5: Monitoring

Since the controls may be performed by people who make mistakes, or the environment could
change, the controls should be monitored. Control monitoring involves testing the control for
appropriateness of design, implementation, and operating effectiveness. Any exceptions or issues
should be raised to management with action plans established.

Workflow Documentation
Workflow documentation is the process of storing, tracking, and editing business documents
that shape your workflow.

In other words, workflow documentation outlines your business processes and workflows.

Document workflow management is a system used to capture, generate, track, edit, approve,
store, retrieve, retain and destroy documents associated with business processes. Digital
document workflow helps organisations to reduce the often large amounts of paperwork that slow
down day-to-day operations. Examples include purchase orders, invoices, holiday requests, proof
of delivery, despatch, payroll, vehicle documents, supply chain information, claim forms,
insurances, and more. The majority of businesses are document-heavy, and how documents are
managed affects running costs, staff productivity, profitability and customer satisfaction.
Documents get passed from one department to the next, requiring approval or changes at each stop.

Process:

Define the process

First things first, you need to outline the process of the workflow. It’ll be a top-level overview of
what you envisage the specific workflow to involve.
Review the following information:

• Where the workflow begins
• Where the workflow ends
• Any milestones to hit along the way
• What’s involved at each stage of the workflow

Confirm the output

Now you need to identify what the output should be. Will you have made a sale? Launched a
new product? Hired a new employee? Whatever it is, make sure you’re clear on what the
outcome should be. This will give you the direction you need to make sure your workflow
delivers what you want.

Document the step-by-step process

Now you know what the workflow involves and what the outputs are, you can document the
entire workflow step-by-step.
Review your data on where you need to start, where you need to finish, and what your key
milestones will be. You can then focus on filling in the gaps between each key milestone to get
you from start to finish.

Review the workflow process


Once you’ve outlined the entire workflow, it’s time to scrutinize it. Double-check everything
before you roll it out to your team. The last thing you want is to distribute the business process
documentation only to find an error somewhere down the line.

Benefits:

Align your team

When you have a clear process, it’s easy for everyone to follow it. There’s less room for error,
and team members won’t be confused about what actions they need to take.

Improve your processes

Workflow documentation helps teams improve their business processes. Think about it. If you’re
tracking and documenting your workflow, it’s much easier to identify room for improvement.
Without workflow documentation, you simply won’t have this level of clarity.

Work more efficiently

Using digital documentation allows you to speed up your day-to-day processes and focus on
tasks that matter.

Delegation: Centralization and Decentralization of Authority

A manager alone cannot perform all the tasks assigned to him. In order to meet the targets, the
manager should delegate authority. Delegation of Authority means division of authority and
powers downwards to the subordinate. Delegation is about entrusting someone else to do parts of
your job. Delegation of authority can be defined as subdivision and sub-allocation of powers to
the subordinates in order to achieve effective results.

Elements of Delegation

1. Authority: In the context of a business organization, authority can be defined as
the power and right of a person to use and allocate the resources efficiently, to
take decisions and to give orders so as to achieve the organizational objectives.
Authority must be well-defined. All people who have authority should
know what the scope of their authority is, and they shouldn’t misuse it.
Authority is the right to give commands and orders and to get things done. The
top level management has the greatest authority.

Authority always flows from top to bottom. It explains how a superior gets work done from his
subordinate by clearly explaining what is expected of him and how he should go about it.
Authority should be accompanied by an equal amount of responsibility. Delegating
authority to someone else doesn’t imply escaping from accountability. Accountability still rests
with the person having the utmost authority.

2. Responsibility: This is the duty of the person to complete the task assigned to him.
A person who is given the responsibility should ensure that he accomplishes the
tasks assigned to him. If the tasks for which he was held responsible are not
completed, then he should not give explanations or excuses. Responsibility
without adequate authority leads to discontent and dissatisfaction in the
person. Responsibility flows from bottom to top. The middle level and lower
level management hold more responsibility. The person held responsible for a
job is answerable for it. If he performs the tasks assigned as expected, he is
due praise. If he doesn’t accomplish the tasks assigned as expected,
then also he is answerable for that.

3. Accountability: This means giving explanations for any variance in the actual
performance from the expectations set. Accountability cannot be delegated. For
example, if ’A’ is given a task with sufficient authority, and ’A’ delegates this
task to ’B’ and asks him to ensure that the task is done well, responsibility rests with
’B’, but accountability still rests with ’A’. The top level management is most
accountable. Being accountable means being innovative, as the person will
think beyond the scope of his job. Accountability, in short, means being
answerable for the end result. Accountability can’t be escaped. It arises from
responsibility.

For achieving delegation, a manager has to work in a system and has to perform the following steps:

1. Assignment of tasks and duties
2. Granting of authority
3. Creating responsibility and accountability

Delegation of authority is the base of the superior-subordinate relationship; it involves the
following steps:

1. Assignment of Duties: The delegator first defines the tasks and duties for
the subordinate. He also has to define the result expected from the subordinate.
Clarity of duty as well as of the result expected has to be the first step in delegation.

2. Granting of authority: Subdivision of authority takes place when a superior
divides and shares his authority with the subordinate. It is for this reason that every
subordinate should be given enough independence to carry out the task given to
him by his superiors. The managers at all levels delegate authority and power
which is attached to their job positions. The subdivision of powers is very
important to get effective results.

3. Creating Responsibility and Accountability: The delegation process does not
end once powers are granted to the subordinates. They at the same time have to
be obligated towards the duties assigned to them. Responsibility is said to be
the obligation of an individual to carry out his duties to the best of his
ability as per the directions of the superior. Responsibility is very important;
it is that which gives effectiveness to authority. At the same time,
responsibility is absolute and cannot be shifted. Accountability, on the other
hand, is the obligation of the individual to carry out his duties as per the
standards of performance. Therefore, it is said that authority is delegated,
responsibility is created and accountability is imposed. Accountability arises
out of responsibility and responsibility arises out of authority. Therefore, it
becomes important that with every authority position an equal and opposite
responsibility should be attached.

Therefore every manager, i.e., the delegator, has to follow a system to finish up the delegation
process. Equally important is the delegatee’s role which means his responsibility and
accountability is attached with the authority over to here.

Relationship between Authority and Responsibility


Authority is the legal right of a person or superior to command his subordinates, while
accountability is the obligation of an individual to carry out his duties as per standards of
performance. Authority flows from the superiors to subordinates, in which orders and instructions
are given to subordinates to complete the task. It is only through authority that a manager exercises
control. In a way, through exercising control the superior is demanding accountability from
subordinates. Suppose the marketing manager directs the sales supervisor to undertake 50 units
of sale in a month. If the above standards are not accomplished, it is the marketing manager
who will be accountable to the chief executive officer. Therefore, we can say that authority flows
from top to bottom and responsibility flows from bottom to top. Accountability is a result of
responsibility and responsibility is a result of authority. Therefore, for every authority an equal
accountability is attached.

Differences between Authority and Responsibility


| Authority | Responsibility |
| It is the legal right of a person or a superior to command his subordinates. | It is the obligation of subordinate to perform the work assigned to him. |
| Authority is attached to the position of a superior in concern. | Responsibility arises out of superior-subordinate relationship in which subordinate agrees to carry out duty given to him. |
| Authority can be delegated by a superior to a subordinate. | Responsibility cannot be shifted and is absolute. |
| It flows from top to bottom. | It flows from bottom to top. |

Centralization is said to be a process where the concentration of decision making is in a few
hands. All the important decisions and actions at the lower level are subject to the approval of
top management. According to Allen, “Centralization” is the systematic and consistent
reservation of authority at central points in the organization. The implication of centralization
can be:

1. Reservation of decision making power at top level.
2. Reservation of operating authority with the middle level managers.
3. Reservation of operation at lower level at the directions of the top level.

Under centralization, the important and key decisions are taken by the top management and the
other levels are into implementations as per the directions of top level. For example, in a
business concern, the father & son being the owners decide about the important matters and all
the rest of functions like product, finance, marketing, personnel, are carried out by the
department heads and they have to act as per the instructions and orders of the two people. Therefore
in this case, decision making power remains in the hands of father & son.

On the other hand, Decentralization is a systematic delegation of authority at all levels of
management and in all of the organization. In a decentralized concern, authority is retained by
the top management for taking major decisions and framing policies concerning the whole
concern. The rest of the authority may be delegated to the middle level and lower level of
management.

The degree of centralization and decentralization will depend upon the amount of authority
delegated to the lowest level. According to Allen, “Decentralization refers to the systematic
effort to delegate to the lowest level of authority except that which can be controlled and
exercised at central points.”

Decentralization is not the same as delegation. In fact, decentralization is an extension of
delegation. The decentralization pattern is wider in scope and the authorities are diffused to the
lowest level of management. Delegation of authority is a complete process and takes place
from one person to another, while decentralization is complete only when the fullest possible
delegation has taken place. For example, the general manager of a company is responsible for
receiving the leave applications for the whole of the concern. The general manager delegates this
work to the personnel manager, who is now responsible for receiving the leave applications. In this
situation delegation of authority has taken place. On the other hand, if, on the request of the
personnel manager, the general manager delegates this power to all the departmental heads at
all levels, in this situation decentralization has taken place. There is a saying that “Everything that
increases the role of subordinates is decentralization and that which decreases the role is
centralization”. Decentralization is wider in scope and the subordinate’s responsibility increases
in this case. On the other hand, in delegation the managers remain answerable even for the acts
of subordinates to their superiors.

Implications of Decentralization

There is less burden on the Chief Executive as in the case of centralization.

In decentralization, the subordinates get a chance to decide and act independently, which
develops skills and capabilities. This way the organization is able to possess a reserve of talent.

In decentralization, diversification and horizontal can be easily implemented.

In decentralization, diversification of the concern’s activities can take place effectively since
there is more scope for creating new departments. Therefore, diversification growth is of a degree.

In a decentralization structure, operations can be coordinated at divisional level, which is not
possible in the centralization set up.

In the case of a decentralization structure, there is greater motivation and morale among the
employees since they get more independence to act and decide.

In a decentralization structure, co-ordination is to some extent difficult to maintain, as there are
many departments and divisions and authority is delegated to the maximum possible extent, i.e.,
delegation reaches the bottom-most level. Centralization and decentralization are the categories by
which the pattern of authority relationships becomes clear. The degree of centralization and
decentralization can be affected by many factors like nature of operation, volume of profits,
number of departments, size of a concern, etc. The larger the size of a concern, the more suitable
a decentralization set up is for it.

Internal audit and Internal control


Internal Control
Internal Control can be understood as a system developed, implemented and maintained by the
company’s management, in order to ensure the achievement of objectives concerning:

• Effectiveness and efficiency of operations,
• Protecting assets,
• Prevention and detection of frauds and errors,
• Accuracy and completeness of financial reporting,
• Adherence to relevant laws.

It comprises five elements, which are interconnected and apply to all firms, but
their implementation depends on the size of the firm. The elements are control environment, risk
assessment, control activities, information and communication, and monitoring.

Objectives of Internal Control

• Examining whether the transactions are executed as per the management’s authorization.
• Checking prompt recording of transactions, in the correct amount and account, and
in the accounting period to which they belong.
• Ascertaining that assets are protected from unauthorized access and use.
• Comparing recorded assets with the existing ones at various time intervals, and
taking action in case differences are discovered.

Review
The most important part of the internal control system is its review, for which the auditor can use
any of the methods: Narrative Records, Checklist, Questionnaire, and Flowchart.

Internal Audit
Internal audit is defined as an unbiased, rational assurance and consulting function, developed by
the management, to keep a check on the activities of the organization. It involves regular and
critical analysis of the functions of an organization, for the purpose of recommending
improvements. It is aimed at assisting members of the firm in discharging their responsibilities in
an effective manner.

Internal Audit Process

The task is performed by the internal auditor, who is appointed by the company’s management.
He/she reports to the management regarding the analysis, appraisal, recommendation and all
relevant information relating to the activities under study.

Objectives of Internal Audit

• To check the accuracy and authenticity of the accounting records, which are
reported to those charged with governance.
• To identify whether the standard accounting practices, which are deemed to be
pursued by the entity, are complied with or not.
• To ensure detection and prevention of fraud.
• To examine that there is an appropriate authority for the procurement and
disposal of assets.
• To verify that the liabilities are incurred only for business causes and not for
any other purpose.
• To review the activities of the internal control system, so as to report to
management regarding deviations and non-compliances.

Independent Compliance Function


The compliance department ensures that a business adheres to external rules and internal
controls. In the financial services sector, compliance departments work to meet key regulatory
objectives to protect investors and ensure that markets are fair, efficient and transparent. They
also seek to reduce system risk and financial crime.

These objectives are designed to support consumer confidence in the financial system. Financial
services organizations are also subject to regulatory business rules that govern advertising,
customer communications, conflicts of interest, customer understanding and suitability, customer
dealings, client assets and money, as well as rule-breaking and errors.

The four elements of independence are established by:

Implementing a written compliance framework that is approved by the governing body and
establishes a distinct and empowered compliance function.

Naming a Chief Compliance Officer (CCO) with a functional reporting line to a committee of
the governing body that is comprised entirely of non-executive (outside) directors, in order to
ensure autonomy.

Ensuring that the CCO and staff members of the compliance function do not perform business
responsibilities.

Allowing the compliance function unfiltered access to information needed to carry out its
oversight role.

Importance:
Without a compliance function, you cannot reliably build or maintain trust with others. Trust is
fostered through three elements: (1) repeated interactions with another person; (2) honest
communication with that person; and (3) following through on commitments. Organizations
cannot ensure that they are meeting element (2) or (3) unless they have adopted rules about
proper communications and proper follow through. The head of the organization can’t be
confident that others are being honest in their interactions unless the organization has adopted
rules about honesty and trained people about the importance of honesty and candor. The leader
cannot be confident that people are following through on commitments unless there are rules and
norms that have been adopted and emphasized throughout the organization.

Compliance is part of your organization’s duties to its community and stakeholders. The first
reason is most basic. If you run a business (whether for-profit or nonprofit), you benefit from
your community’s basic services. In return, you owe a duty to comply with the law. Furthermore,
if you use the resources of others (investors, creditors, donors), you need to be able to assure
them that you are regulating the conduct of your employees and that you are complying with
applicable rules and regulations.

If you have no compliance function, you invite reputational damage. I like to note Warren
Buffett’s adage that it takes 20 years to build a reputation and about five minutes to lose one.
Research shows that people want to interact with organizations that have a reputation for honest
dealings. It’s therefore no surprise that leaders consistently rank reputational risk as their number
one worry.

Compliance enhances consistency. Without a compliance function, decisions are ad hoc and
made in a vacuum. Articulated values, ethics policies, and codes of conduct provide reference
points for making decisions a matter of routine. As Peter Drucker explained, “All events but the
truly unique require a generic solution. They require a rule, a policy, a principle.”

Compliance can serve as a driver of change and innovation. Some people also view compliance
as inherently conservative. They think the purpose of compliance is to rein in conduct. Again,
that’s not true. Compliance instead can serve as a powerful tool of long-term change. If everyday
behavior stems from training and codes of conduct, and codes of conduct stem from values,
articulation and modification of values over time can profoundly influence organizational
behavior. In the words of system theorists, values can be a leverage point, and compliance
ultimately focuses on the driving values of an organization.

Independent Risk Management Function


Independent Risk Management is, in the context of banking regulation, a function within the
financial firm that operates (relatively) independently from the remainder of the firm (usually
denoted the business). Organizationally it falls under the direction of a Chief Risk Officer
(CRO), a senior position with sufficient stature, independence, resources and access to the
management board.

The Risk Management Function should be sufficiently independent of the business units and
should not be involved in revenue generation. Such independence is an essential component of
an effective risk management function, as is having access to all business lines that have the
potential to generate material risk to the bank as well as to relevant risk-bearing subsidiaries and
affiliates.

In the popular Three Lines of Defense paradigm of Risk Management the independent risk
function is a key component of the bank’s second line of defence. The function is responsible for
overseeing risk-taking activities across the enterprise and should have authority within the
organisation to do so.

Effective CROs are concerned with what the institution’s leaders may not know and, therefore,
must occasionally offer a contrarian point of view; otherwise, the decision-making process may
end up flawed with “group think.” In today’s environment, decision-making processes should be
driven by objective assessments of the risk/reward balance, rather than by the emotional
investment, management bias and short-termism that underlie dangerous organizational blind
spots.

Functions:

Identifying material individual, aggregate and emerging risks (a process known as Risk
Identification);

Assessing these risks and measuring the bank’s exposure to them (a process known as Risk
Measurement);

Subject to the review and approval of the board, developing and implementing the enterprise-wide
risk governance framework, which includes the bank’s Risk Culture, Risk Appetite and risk
limits;

Ongoing monitoring of the risk-taking activities and risk exposures in line with the board-approved
risk appetite, risk limits and corresponding capital or liquidity needs (i.e. Capital
Planning);

Establishing an early warning or trigger system for breaches of the bank’s risk appetite or limits;

Influencing and, when necessary, challenging decisions that give rise to Material Risk;

Reporting to senior management and the board or Risk Committee on all these items, including
but not limited to proposing appropriate risk-mitigating actions.

System Audit
The data and information generated in companies today are endless. The information that is
processed within a company is incalculable. Companies increasingly need
technology to work, requiring complex software and computerized equipment to carry out their
activity in an optimized and efficient manner.

The audit of systems involves the review and evaluation of controls and computer systems, as
well as their use, efficiency, and security in the company that processes the information.
Thanks to the audit of systems as an alternative to control, follow-up, and review, the computer
process and technologies are used more efficiently and safely, guaranteeing adequate
decision-making.

• Verify and judge the information objectively.
• Verification of controls in the processing of information and installation of systems, in
order to evaluate their effectiveness and also present recommendations and advice.
• Examination and evaluation of the processes in terms of computerization and data
processing. In addition, the number of resources invested, the profitability of each
process and its effectiveness and efficiency are evaluated.

Objectives of the Systems audit are:

• Improve the cost-benefit ratio of information systems.
• Increase the satisfaction and security of the users of these computerized systems.
• Guarantee confidentiality and integrity through professional security and control systems.
• Minimize the existence of risks, such as viruses or hackers.
• Optimize and streamline decision making.
• Educate on the control of information systems, since it is a rapidly changing and relatively
new sector, so it is necessary to educate users of these computerized processes.

Code of Corporate Governance


Corporate governance refers to the accountability of the Board of Directors to all stakeholders of
the corporation i.e. shareholders, employees, suppliers, customers and society in general; towards
giving the corporation a fair, efficient and transparent administration.

Following are cited a few popular definitions of corporate governance:

(1) “Corporate governance means that company manages its business in a manner that is
accountable and responsible to the shareholders. In a wider interpretation, corporate governance
includes company’s accountability to shareholders and other stakeholders such as employees,
suppliers, customers and local community.” – Catherwood.

(2) “Corporate governance is the system by which companies are directed and controlled.” – The
Cadbury Committee (U.K.)

Certain useful comments on the concept of corporate governance are given below:

(i) Corporate governance is more than company administration. It refers to a fair, efficient and
transparent functioning of the corporate management system.

(ii) Corporate governance refers to a code of conduct that the Board of Directors must abide by
while running the corporate enterprise.

(iii) Corporate governance refers to a set of systems, procedures and practices which ensure that
the company is managed in the best interest of all corporate stakeholders.

Need for Corporate Governance:

(i) Wide Spread of Shareholders:

Today a company has a very large number of shareholders spread all over the nation and even the
world, with a majority of shareholders being unorganised and having an indifferent attitude
towards corporate affairs. The idea of shareholders’ democracy remains confined only to the law
and the Articles of Association; it requires practical implementation through a code of
conduct of corporate governance.

(ii) Changing Ownership Structure:

The pattern of corporate ownership has changed considerably in present-day times, with
institutional investors (foreign as well as Indian) and mutual funds becoming the largest
shareholders in the large corporate private sector. These investors have become the greatest
challenge to corporate managements, forcing the latter to abide by some established code of
corporate governance to build up their image in society.

(iii) Corporate Scams or Scandals:

Corporate scams (or frauds) in recent years have shaken public confidence in
corporate management. The Harshad Mehta scandal, which is perhaps one of the biggest
scandals, is in the heart and mind of all who are connected with corporate shareholding or are
otherwise educated and socially conscious.

The need for corporate governance is, then, imperative for reviving investors’ confidence in the
corporate sector towards the economic development of society.

(iv) Greater Expectations of Society of the Corporate Sector:

Society of today holds greater expectations of the corporate sector in terms of reasonable price,
better quality, pollution control, best utilisation of resources etc. To meet social expectations,
there is a need for a code of corporate governance, for the best management of the company in
economic and social terms.

(v) Hostile Take-Overs:

Hostile take-overs of corporations, witnessed in several countries, put a question mark on the
efficiency of managements of take-over companies. This factor also points to the need for
corporate governance, in the form of an efficient code of conduct for corporate managements.

(vi) Huge Increase in Top Management Compensation:

It has been observed in both developing and developed economies that there has been a great
increase in the monetary payments (compensation) packages of top level corporate executives.
There is no justification for exorbitant payments to top ranking managers, out of corporate funds,
which are a property of shareholders and society.

This factor necessitates corporate governance to contain the ill-practices of top managements of
companies.

(vii) Globalisation:

Desire of more and more Indian companies to get listed on international stock exchanges also
focuses on a need for corporate governance. In fact, corporate governance has become a
buzzword in the corporate sector. There is no doubt that international capital market recognises
only companies well-managed according to standard codes of corporate governance.

Principles of Corporate Governance:

(or major issues involved in corporate governance)

The fundamental or key principles of corporate governance are described below:

(i) Transparency:

Transparency means the quality of something which enables one to understand the truth easily. In
the context of corporate governance, it implies an accurate, adequate and timely disclosure of
relevant information about the operating results etc. of the corporate enterprise to the
stakeholders.

In fact, transparency is the foundation of corporate governance; which helps to develop a high
level of public confidence in the corporate sector. For ensuring transparency in corporate
administration, a company should publish relevant information about corporate affairs in leading
newspapers, e.g., on a quarterly or half yearly or annual basis.

(ii) Accountability:

Accountability is a liability to explain the results of one’s decisions taken in the interest of
others. In the context of corporate governance, accountability implies the responsibility of the
Chairman, the Board of Directors and the chief executive for the use of the company’s resources
(over which they have authority) in the best interest of the company and its stakeholders.

(iii) Independence:

Good corporate governance requires independence on the part of the top management of the
corporation, i.e. the Board of Directors must be a strong non-partisan body, so that it can take all
corporate decisions based on business prudence. Without the top management of the company
being independent, good corporate governance is a mere dream.

Whistle Blowing and Social Responsibility


Whistle Blowing

Definition: When a former or existing employee of the organization raises his voice against
the unethical activities being carried out within the organization, it is called whistle blowing, and
the person who raises his voice is called a whistle blower.

The misconduct can be in the form of fraud, corruption, or violation of company rules and policies,
all of which pose a threat to public interest. Whistle blowing is done to safeguard the
interest of the society and the general public for whom the organization is functioning.

Companies should motivate their employees to raise an alarm in case they find any violation
of rules and procedures, and to report any possible harm to the interest of the
organization and the society.

Types of Whistle Blowing


Internal Whistle Blowing: An employee informs about the misconduct to his officers or seniors
holding positions in the same organization.

External Whistle Blowing: Here, the employee informs about the misconduct to any third person
who is not a member of an organization, such as a lawyer or any other legal body.

Most often, employees fear to raise a voice against the illegal activity being carried out in the
organization because of the following reasons:

Threat to life

Lost jobs and careers

Lost friendships

Resentment among workers

Breach of trust and loyalty

Thus, in order to provide protection to whistle blowers, the Whistle Blower Protection Bill was
passed in 2011 by the Lok Sabha.

The question then arises as to which offenses are considered valid for whistle
blowing and are protected by the law. Following are the acts for which the
voice can be raised and which are protected by law:

Fraud

Health and safety in danger

Damage to the environment

Violation of company laws

Embezzlement of funds

Breach of law and justice

Social Responsibility

CSR is corporate social responsibility, that is, the responsibility of organizations to act in
ways that protect and improve the welfare of multiple stakeholders. A key word in this definition
is “stakeholder”: any group within or outside the organization that is directly
affected by the organization and has a stake in its performance. Stakeholders can be customers,
organization members, owners, other organizations that work with them, competitors,
community members, financial investors, and anyone else who would be affected by the
organization’s actions. This matters because whether a company considers all stakeholders or
only shareholders can heavily influence how socially responsible it is.

Risk Management Culture


Recommendation #1: Determine Board Risk Oversight Responsibility

Ultimately, it’s management who is responsible for risk management and the board is responsible
for overseeing management’s process of identifying, monitoring and mitigating risks. If there is
no established risk management framework, the board should charge management to develop a
framework that includes the board’s oversight duties. Boards can break down their
responsibilities by establishing certain directors with experience or knowledge in a particular
area to oversee a certain risk management process. For instance, the Public Policy Committee of
ConocoPhillips is responsible for overseeing risks related to health, safety and environmental
issues. However, these committees are still responsible for seeing the big picture and should
come together on a periodic basis to discuss the risks they are overseeing as well as risks the
company is seeing as a whole.

The thought paper offers recommendations for boards to develop and define their oversight
responsibilities. Boards should work with management to assign risk oversight responsibilities
to individual committees; committees should collaborate on risk-related happenings, and have
management brief the entire board on strategic risks facing the company.

Recommendation #2: Enhance Risk Intelligence

Risk intelligence is how the company, at all levels, perceives risk management and conducts
itself with regard to risk. The board should promote risk transparency at all levels of the
organization so that day-to-day decision-makers are aware of the strategic goals and how their
decisions could impact those goals. Management should communicate and exude a risk
intelligent culture for all employees to follow. To do this, management should:

Clearly communicate responsibilities and hold responsible parties accountable

Develop a process for lower level employees to communicate emerging risks

Encourage employees to challenge new initiatives that could negatively impact the greater
company

To promote an effective risk culture, boards can create a tone that allows employees to voice
their concerns without fear of losing their jobs. They can also help to develop a process to
measure risk intelligence that management continually monitors, and they should support
management with resources, training and data from the company.

Recommendation #3: Determine Risk Appetite

Risk appetite is the amount of risk a company is willing to take. This can be defined in
quantitative or qualitative ways. Management should be the one to develop the risk appetite for
the organization and the board should understand management’s assumptions and approve or
disapprove the company’s overall level of risk appetite. Once an appetite has been defined, the
board should help management monitor emerging risks and opportunities, and evaluate whether
the risk appetite should be changed. The board should also evaluate management’s previous
decisions to see whether the risk appetite was bypassed. And finally, the board should align
management’s incentives with the company’s risk appetite. This will prevent management from
taking on too much risk.

Recommendation #4: Align Risk Management With Strategy

The board is also responsible for helping management develop a strategy that is aligned to the
company’s mission. When the company is developing its strategy, the board should at the same
time discuss the risks to the strategy and the risks of the strategy. This will help the entity
identify risks that could ultimately disrupt its ability to compete. In order to do this, the board
should challenge management on their assumptions by asking the right questions, establishing an
open dialogue, and identifying alternatives.

The board should consider whether to provide “active oversight” in these strategic settings. That
may include verifying that management has established key risk indicators and a process for
monitoring these indicators, scanning the horizon for emerging risks, and fostering flexibility at
the management level to avoid risks or seize opportunities.

Recommendation #5: Evaluate Risk Governance “Maturity”

One common measurement boards use to evaluate risk maturity is the amount of experience the
company has with risk management. Boards should dive deeper than this and consider more
criteria, such as:

How often does management communicate to the board concerning risk management?

Are specific risks assigned to their board committees and processes?

Which committee is responsible for which risks?


During strategic planning, are risks identified and analyzed, are assumptions challenged, and are
alternative options evaluated during scenario planning? Is there scenario planning?

How does management monitor key risk indicators and is there agreement when action should be
taken?

Depending on the level of risk governance sophistication the entity needs to effectively manage
its portfolio of risks, the entity’s maturity may fall anywhere among the five phases of
risk intelligence.

1. Initial: ad hoc risk management, based on individual actions.

2. Fragmented: risks are managed in isolated departments and are rarely aligned to strategy.

3. Top-down: Enterprise wide risk assessments and dedicated team to manage risks.

4. Integrated: Risk appetite defined, key indicators monitored, escalation procedures
communicated.

5. Risk Intelligent: Risk dialogue is a part of strategy development, linking performance measures
and incentives, risk scenarios evaluated, early warning of risk indicators used.

Recommendation #6: Communicate Risk Process and Issues to Stakeholders

The SEC now requires public companies to disclose how the board oversees risk and how it
works with management to address risks to the company. These rules were established to
provide greater transparency to investors and stakeholders. However, the thought paper states
that meeting this minimum requirement is not enough to make stakeholders comfortable with the
company’s risk management process. By explaining the company’s risk management process
and oversight clearly to stakeholders, companies attract more long-term investors. Over the past
three years, Deloitte has seen an increase in the quality of risk disclosures. Companies can
improve their risk disclosures by explaining the processes in plain English, providing insight into
the board’s oversight role and ensuring risk disclosures are accurate, relevant and specific.

Enterprise risk management (ERM) has emerged as a best practice in gaining an overview of
strategic, financial and operational threats, and in determining how to mitigate and manage those
risks.

A comprehensive approach to risk management is important because it helps management
comprehend the true potential of threats and allows organizations to address the cumulative
nature of risk.

The following steps can help your company achieve the ERM objective.

Just Do It!

The process of creating an ERM program is valuable, revealing much about your organization
and the interrelatedness of elements within it. Document your efforts in your board minutes and
share them with any auditors. You will generally find those parties willing to provide
constructive feedback because they have a vested interest in the success of your efforts.

Get a Champion

Your board of directors is accountable to shareholders and the SEC (if your company is public)
—and possibly to other entities by industry—for the adequacy of risk management procedures,
controls and ultimately for the competence of management. A logical champion of your ERM
efforts is the chairperson of your board audit or ERM committee, followed by the chair of the
board and other board members. If these individuals understand that an ERM program can help
them discharge their duties and protect them from personal financial risk, you will likely see top-
level buy-in and a trickle-down effect through senior management.

Merge the Silos

If existing risk committees and sub-committees are functioning as intended and get consistently
high marks from outside auditors, it’s unlikely that fundamental changes are needed. Yet it is
important they understand where they fit in the bigger picture. A board-level champion can help
provide this perspective, and reinforce the role of the ERM committee in setting the
organization-wide level of acceptable risk.

Weight the Risks

Certain areas of risk have the potential to seriously harm your organization. Others, however, are
less critical. When your management team assembles an ERM framework, create a logical
mechanism for assigning relative weights to each area of risk, and to selected components within
those areas.

Create a Dashboard

A dashboard containing a high-level summary of major risk elements supported by “drill-down”
detail enables board members and senior managers to connect all the pieces of the risk
management puzzle. A dashboard need not be complex. Some managers use Microsoft Excel to
create multi-layered risk workbooks, which summarize details provided by the risk
sub-committees into a single page of high-level information.

Understand Risk and Reward

Some risks are worth taking, because the reward is greater than the likelihood and consequences
of failure. In other cases the reward does not outweigh the potential consequences. Then there are
risks not worth considering, when the risk is a “bet-the-farm” proposition, or is illegal or
immoral. Each risk committee and sub-committee should understand the risk-versus-reward
proposition.

Set Limits

One important function of the board ERM committee is to work with management to establish
limits to risk taking. Management should make recommendations to the board, supported by
reasonable data and arguments, which establish the boundaries of the organization’s risk appetite.
Management’s role is to advise and inform, with the ultimate decision resting with the board.

Understand the Cumulative Nature of Risk

An organization that could sustain itself through one or two major weaknesses, or several minor
ones, will succumb under too many. For this reason, the board ERM committee should set limits
both for individual risks and for risk cumulatively.

Make It Easy

In the areas of setting limits and risk weighting, management should make it as easy as possible
for board members to comprehend and participate in the process. Distill complex regulations,
and use accepted business terminology. Implementing an ERM framework should be spread over
several months, if possible. Give the board ERM committee two or three recommendations per
month, in advance, so they can be reviewed, summarized, presented and adopted at the regular
monthly meeting.

Refine, Refine, Refine

New risks emerge every day, and your process must be flexible enough to identify, quantify and
incorporate them. The chief risk officer and other senior managers should devote time to
researching emerging risks, imagining worst case scenarios and creating stress tests to
understand the implications of critical failures.

A Top-To-Bottom Effort

It is possible for ERM practices to become part of your organizational culture. Global awareness
of the process and a rank-and-file understanding of the board’s focus on effective risk
management are critical to obtaining the buy-in of the entire organization. After all, risk
management is everybody’s job—today more than ever.
