Why the failure to implement sound risk management practices can place your company in a precarious position. By Akhil Prasad
Businesses have been familiar with risk management for a long time, but recent instances of corporate fraud raise the question of whether it merely exists as a theory, or do companies put it into practice. Large corporations tend to have strong risk mitigation practices, including dedicated manpower, consultants and advisers to develop risk-management models. However, when fraud occurs, their managers can still be left wondering why these processes failed to detect and prevent the risk.
Over the years, companies have adopted various risk management measures such as appointing independent directors, setting up vigil mechanisms, tasking committees to decide on executive compensation and investor grievances, and asking audit committees to review financial statements and operations. Yet, the incidence of fraud continues to grow.
For example, last year, Infrastructure Leasing and Financial Services (IL&FS), long recognized as among the country’s most respected non-banking finance companies, was at the centre of a corporate scandal when it was discovered that the company was facing a severe liquidity crisis. It had more than ₹910 billion (US$13.25 billion) in debt and had defaulted on interest payments several times, leading to a government takeover of the company. It was found that its risk management committee had not met even once in the 2017-18 financial year. Meanwhile, the salaries of its senior management had seen multi-fold growth.
In another case that turned out to be India’s biggest bank fraud to date, jewellers Nirav Modi and Mehul Choksi duped India’s second-largest lender, Punjab National Bank (PNB), out of more than US$2 billion and fled the country. A handful of employees at PNB’s Mumbai branch had issued fake bank guarantees for several years to help the jewellers raise billions of dollars in foreign credit – a clear-cut case of failure in risk management.
While the IL&FS and PNB scams are examples of failure in managing conventional risks, an emerging area of risk is that of data breaches. In November last year, hotel operator Marriott International disclosed a breach of its reservation system that exposed the private details of an estimated 500 million customer accounts. And in September, British Airways suffered a data breach in which more than 380,000 accounts were compromised, resulting in the skimming of names, e-mail addresses, and credit card data, including credit card numbers, expiry dates and the three-digit CVV codes on the back of the cards. Due to changes in the General Data Protection Regulation, British Airways potentially faces huge fines because of the fiasco.
Facebook, in the Cambridge Analytica scandal, disclosed that tens of millions of users’ personal data were accessed without their consent and used for political purposes. And Uber, the ride hailing app, is paying US$148 million to settle claims over its cover-up of a data breach in 2016. As corporate fraud cases continure to occur worldwide, the question is not whether law enforcement is effective, but whether companies are serious about identifying risk factors and taking action.
A combination of conventional risks, environmental risks, cyber attacks and data breaches are now among the biggest dangers to businesses. In its Global Risks Report, the World Economic Forum says the gravest risks to businesses across the world this year will be inadequate protection against cyber attacks and potential environmental disasters due to climate change. The report highlights that businesses need to focus on strengthening digital platforms as well as anti-cyber attack technology, and make sure that all employees are trained in best practices for the prevention of data breaches.
The report highlights that “boards and C-suites approach risk analysis as a standalone activity to be ticked off a list, but then fall short on mitigating the risks that their analysis has identified … risk management needs to come out of its silo and become as much an organic part of operations as budgeting and project management.”
BUILDING A FRAMEWORK
In some jurisdictions, every company is legally obliged to set up a risk committee made up of representatives from management and control functions. The board of directors needs to take the lead and set up the risk committee instead of fully delegating the duty to subordinates and absolving themselves of the responsibility. Still, to make risk committees an effective forum, companies should use them as a crystal ball to look into the future and provide the vision to guide the business through turbulence and uncertainty.
Legally, many jurisdictions require companies to have audit committees, compensation and remuneration committees, and shareholder committees. All these committees should be brought under the ambit of the risk committee and more such groups should be created for law, tax, human resources, business operations, projects, expansions, business continuity, fraud prevention and corruption, intellectual property management, IT security and data management, ethics, security, and investigation.
The risk committee’s responsibility should be to identify issues that could pose a material risk to the company’s operations and reputation. Risk committees must be staffed with competent people equipped with the latest tools. Although companies have talented staff in each of their respective functions, the reporting needs to be matrixed with the risk committee so as to make risk mitigation a collective effort, instead of someone else’s responsibility.
Once the board has constituted a risk committee, it should work to identify the key material enterprise risks that could impact the business. Key enterprise risks may vary based on the business – risk for an automobile manufacturing entity is very different from that of a telecom services provider, or an e-commerce company.
For a multinational company, geopolitical risks may be of particular relevance, and would have further sub-sets such as weather events, political stability, corruption, ease of doing business, and changing legal, tax and regulatory environments. Intellectual property management and data protection may also be a huge focus for goods and services associated with strong brands.
Once the material enterprise risks are identified, they should be communicated to the business groups or functions that are responsible for preventing them.
For instance, if a changing legal, tax and regulatory environment is a material risk, then law, finance, tax, and government operations or corporate affairs should be the functions responsible for mapping the risk. These departments should then collaborate to identify respective functional risks, which, if tracked, would mitigate the risks. All risks, whether enterprise or functional, should then have a risk rating – high, medium or low.
Once all key enterprise risks and associated functional risks have been mapped, the result would constitute a risk register.
A risk register would then be one of the most important business tools for a company. The role of the risk committee would then be to keep the risk register updated through periodic meetings, and check whether the rating of a particular risk has shifted (from low to medium or high, or in the reverse order). If there are any new risks, the committee would need to bring them to the attention of the board of directors for inclusion as an enterprise or functional risk.
So, when a jeweller tricks a bank or an airline loses customer data the question is not whether the fraudster was smarter than the company; it is whether such a corporation has devoted enough attention, and whether it is making a proportional investment in risk mitigation. Often a company either does not understand the value of risk management, or looks at it as a cost. No doubt it is a cost, but if it prevents fraud it can save the reputation of a company, and the returns from that are immeasurable and invaluable.
AKHIL PRASAD is India country counsel and company secretary at Boeing International Corporation.