Companies Act 2013: Embedding risk management in the business rhythm

Post on 14-Feb-2017


2 | Companies Act

Gearing up for implementing Sections 134 & 177

Call to action

► Enable board and audit committee
► Align your risk management framework with business objectives and strategy
► Identify and refresh your risk universe, including existing and emerging risks
► Assess the adequacy and robustness of your risk management policy and systems
► Use technology to monitor, measure performance and link it to your planning, reviews and decision making process as part of business rhythm
► Assess adequacy/develop mitigation plans for risks impacting business performance
► Evaluate impact and likelihood of risks and integrate quarterly business performance feedback into risk analysis
► Reward and encourage behaviors that drive risk management discipline
► Prepare board of directors (BOD) to independently evaluate robustness of risk management processes and systems
► Risk management report, detailing elements of risk that can impact business performance

Background and context

► Enterprise risk management was not mandatory under the Companies Act 1956. However, under the new law there are specific requirements that a company needs to comply with. In addition, the board and audit committee have been vested with specific responsibilities in assessing the robustness of risk management policy, process and systems

Applicability

► Every company

Key compliance requirements

► Section 134: The board of directors report must include a statement indicating development and implementation of a risk management policy for the company, including identification of elements of risk, if any, which in the opinion of the board may threaten the existence of the company

► Section 177: The audit committee shall act in accordance with the terms of reference specified in writing by the board, which shall, inter alia, include evaluation of risk management systems

► Schedule IV: Independent directors should satisfy themselves that systems of risk management are robust and defensible

Key considerations

► Board, independent directors, executive management etc., must assess risks arising from external factors (black swan, economic conditions, regulatory, competitive etc.) while evaluating the robustness of risk management systems

► Executive management needs to:

► Embed risk management across all the business units and critical support functions

► Make risk management everyone’s responsibility

► Link risk management to business performance of the company


Questions to be considered by CXOs and Directors

Rate each question as "Well prepared" or "Requires consideration".

Strategy

► Do we have a risk management framework, which is aligned to business objectives and strategy?
► Is our organization focused on key risks that drive growth and enhance business performance?
► Do we make differential investments in strategic “risks that matter” to better enable business performance?
► Do we link our risk management efforts with business planning and performance management?

Operations

► Do we have a risk management policy adopted across the company (including subsidiaries, joint ventures and associates)?
► Do we have an effective risk management process/system to identify the following?
► Emerging risks
► Exposures stemming from operating plans
► Drivers of volatility that could impact business performance and strategic goals
► Country-specific risks
► Fraud vulnerabilities
► Do we consider linkage of risks across business units and critical functions while evaluating the overall risk profile of the company?
► Do we have a process/system in place to detect anomalies using analytics?
► Have we leveraged technology tools to operationalize risk management across the organization?

Risk-adjusted business performance

► Do we have a process of incorporating the quarterly business performance feedback into risk trends and analysis?
► Do we perform a risk evaluation of strategic initiatives and risk-adjust capital allocations accordingly?
► Do we have a process of updating the risk appetite and risk tolerance levels with changes in a company’s environment (economy, markets, regulation, technology), strategy and business performance?

Governance

► Have we adequately appraised the board members and audit committee on the risk management related requirements of the Companies Act, 2013 and its impact on their responsibilities?
► Do we have a clear & consistent risk oversight at the board, audit committee & executive management levels?
► Do we have accountabilities defined throughout the organization?
► Do we independently review the robustness of the risk management process/systems?
► Do we reward/encourage behaviors/actions that drive and support risk management?
► Do we have a mechanism to measure, monitor and report results to executive management and the board?
► Do we have a program to train our employees on their role in the overall risk management process and appropriate behavioral responses in a variety of crisis scenarios?


How can EY assist you in implementing a robust compliance management program?

Areas of intervention (ask yourself: do I need support?)

Program set-up/improvement

► Assess the design of my risk management program
► Prepare a road-map for implementation and improvement considering maturity and leading practices

Governance

► Design my risk management strategy and framework:
► Policy
► Structure
► Risk appetite and risk tolerance levels
► Strategic plan (future-state vision, philosophy, goals and objectives, key performance indicators, timelines, resources and performance measurement)
► Accountability matrix (board, audit committee and executive management)

Implementation

► Implement risk management process and/or targeted intervention to:

► Identify my risk universe and develop my risk library

► Identify and prioritize “risks that matter”

► Develop mitigation plans for “risks that matter”

► Develop a risk monitoring process

► Implement risk management technology tools such as SAP GRC, RSA Archer, EY’s proprietary ‘Risk Manager’ to automate risk monitoring process

► Define functional, technical requirements and design specifications

► Implement the future-state design

► Support with anomaly detection/early warning signal enablement through EY’s data analytics lab

► Perform ongoing risk evaluation of strategic initiatives and risk-adjust my capital allocations

Training

► Provide orientation to board members (including audit committee and independent directors) on Section 134 and their responsibilities
► Train employees on their role in the overall risk management process and on leading practices for managing emerging risks in areas such as treasury, information technology, fraud etc.


Why EY?

► Risk business insights: Leverage sector-specific centers of excellence (COEs) for challenges, risks and emerging trends impacting each sector
► Global view of risk radar: Global risk radar report published annually, which includes our view of environmental risks and sector-specific risks that companies need to consider
► Leading practices: Repository of leading practices and lessons learned
► Analytics: Ability to provide analytical support in identifying anomalies and outliers through our analytics lab
► Technology capabilities: Capability to deploy SAP GRC, RSA Archer and EY’s in-house “Risk Manager” technology tool
► Significant experience in auditing risks: In-depth experience of auditing risks emanating from functions across the enterprise
► Functional insights: Combined expertise in operations, HR, finance, treasury, IT, tax and legal


EY offices

Ahmedabad 2nd floor, Shivalik Ishaan Near C.N. Vidhyalaya Ambawadi Ahmedabad - 380 015 Tel: + 91 79 6608 3800 Fax: + 91 79 6608 3900

Bengaluru 12th & 13th floor “UB City”, Canberra Block No.24 Vittal Mallya Road Bengaluru - 560 001 Tel: + 91 80 4027 5000 / + 91 80 6727 5000 Fax: + 91 80 2210 6000 (12th floor) Fax: + 91 80 2224 0695 (13th floor)

1st Floor, Prestige Emerald No. 4, Madras Bank Road Lavelle Road Junction Bengaluru - 560 001 Tel: + 91 80 6727 5000 Fax: + 91 80 2222 4112

Chandigarh 1st Floor, SCO: 166-167 Sector 9-C, Madhya Marg Chandigarh - 160 009 Tel: + 91 172 671 7800 Fax: + 91 172 671 7888

Chennai Tidel Park, 6th & 7th Floor A Block (Module 601,701-702) No.4, Rajiv Gandhi Salai, Taramani Chennai - 600113 Tel: + 91 44 6654 8100 Fax: + 91 44 2254 0120

Hyderabad Oval Office, 18, iLabs Centre Hitech City, Madhapur Hyderabad - 500081 Tel: + 91 40 6736 2000 Fax: + 91 40 6736 2200

Kochi 9th Floor, ABAD Nucleus NH-49, Maradu PO Kochi - 682304 Tel: + 91 484 304 4000 Fax: + 91 484 270 5393

Kolkata 22 Camac Street 3rd floor, Block ‘C’ Kolkata - 700 016 Tel: + 91 33 6615 3400 Fax: + 91 33 2281 7750

Mumbai 14th Floor, The Ruby 29 Senapati Bapat Marg Dadar (W), Mumbai - 400028 Tel: + 91 022 6192 0000 Fax: + 91 022 6192 1000

5th Floor, Block B-2 Nirlon Knowledge Park Off. Western Express Highway Goregaon (E) Mumbai - 400 063 Tel: + 91 22 6192 0000 Fax: + 91 22 6192 3000

NCR Golf View Corporate Tower B Near DLF Golf Course Sector 42 Gurgaon - 122002 Tel: + 91 124 464 4000 Fax: + 91 124 464 4050

6th floor, HT House 18-20 Kasturba Gandhi Marg New Delhi - 110 001 Tel: + 91 11 4363 3000 Fax: + 91 11 4363 3200

4th & 5th Floor, Plot No 2B, Tower 2, Sector 126, NOIDA 201 304 Gautam Budh Nagar, U.P. India Tel: + 91 120 671 7000 Fax: + 91 120 671 7171

Pune C-401, 4th floor Panchshil Tech Park Yerwada (Near Don Bosco School) Pune - 411 006 Tel: + 91 20 6603 6000 Fax: + 91 20 6601 5900

Ernst & Young LLP

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit www.ey.com/in.

Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata - 700016

© 2014 Ernst & Young LLP. Published in India. All Rights Reserved.

EYIN1402-015 ED 06012015

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

For any queries on how EY can assist you:

Please contact,

[email protected]