The Board report of a company is an important means of communication with its stakeholders. Like the Companies Act, 1956, the Companies Act, 2013 prescribes minimum matters to be included in the report, but the disclosures have increased significantly.
Currently, the listing agreement requires all listed companies to lay down procedures for informing Board members about risk assessment and minimisation processes. These have to be reviewed periodically to ensure that the executive management controls risk. The listing agreement also requires discussion on risks and concerns, either in the Board report or as an addendum. No specific discussion is required on risk management policies and procedures. The new Act requires all companies, including non-listed companies, to include in their Board report a statement indicating development and implementation of risk management policy.
The new disclosure is a welcome step — it will bring the risk management practices of each company in greater focus. Non-listed companies that may not have well-documented risk management policies will need to develop and document them now. It is likely to help companies in identifying and capitalising on opportunities to create value and protect established value. It is not possible to develop a “one size fits all” risk management model.
Each company will need to identify the risks that may impact its business and develop an adequate response. It should also look into the following aspects:
Risk management is aligned to business strategy so that the business context is the primary focus.
Risks are so defined that they can be interpreted by a person who has the appropriate knowledge and is willing to go through the risk register carefully.
The risk management plan is carefully drafted and covers aspects such as the people responsible for managing risks, the specific actions to be taken, and the disaster recovery plan.
Risk management approach recognises and covers the perspective of people (such as shareholders) who are not directly involved in risk management, but might be affected.
The report should include meaningful and high-level information, as the Board deems necessary, to assist shareholders’ understanding of the main features of the company’s risk management processes. Particularly, the report should explain the risks that may threaten the existence of the company, and how they are being managed.
Each company’s Board is responsible for ensuring that the organisation has established internal controls, and that they operate effectively. The overall purpose of these controls is to protect shareholders’ investment and the company’s assets. The 2013 Act requires the Boards of listed companies to confirm, as part of the directors’ responsibility statement, that they have laid down internal financial controls, such controls are adequate, and they are operating effectively.
By making such a statement, directors will accept greater responsibility toward ensuring the existence and effectiveness of internal controls. To discharge this responsibility, the Board should consider the following key aspects:
The management should lay down appropriate controls to address all material risks. These controls should be benchmarked against international best practices on a continuous basis.
To withstand regulatory and auditor scrutiny, it is imperative that all controls are documented appropriately. The management, including the chief executive officer and chief financial officer, should review the controls and their effectiveness regularly. From a financial reporting perspective, key controls may include a standardised chart of accounts, an accounting/consolidation manual, and a standardised group reporting pack.
The Board should spend more time on understanding the business, the risks involved, the controls devised and their effectiveness. Also, the Board may consider obtaining a certification from the CEO/CFO.
The author is Senior Professional in a member firm of Ernst & Young Global.