
MODULE 3: Risk Management and Corporate Governance

Types of Risks, Risk Analysis, Risk Management Information System, Risk Governance,
and Responsibility of Risk Profiling, Risk Strategy and Risk Policies.

Learning outcomes:

 To understand the various types of risk faced by organizations in governance.
 To understand the risk management framework and the policies and procedures for risk management in corporate governance.
 To understand the risk performance and assessment process.
 To understand risk management information systems.

Role of Corporate Governance in effective Risk Management


Risk associated with a business has a very broad scope. In order to understand the
aspect of risk in corporations and businesses, it can be categorized into the
following kinds of risk, namely:
 Counterparty risk
 Interest rate risk
 Liquidity risk
 Market risk management
 Operational risk management

Counterparty risk
 This refers to the risk that an organization or person with which a corporation
has a business relationship fails to perform its obligations.
 Example: borrowers defaulting on their loan agreements with banks.
 Example: prospective buyers who “fail to close” on a purchase contract with home
sellers.
 Domino-like effect: a corporation must also consider its counterparties’ own
counterparty risk.
Interest rate risk
 This refers to the risk that a shift in interest rates will adversely affect either
the company’s assets or its liabilities.

Liquidity risk

This module is strictly for private circulation only. It is compiled using the references mentioned. Compiled by
Sunitha.B.K. Do not upload to any internet website.
The possibility that the firm will not have sufficient cash on hand or immediately
available credit to pay its bills as they come due.
Market risk management
Market risk management is carried out by ensuring a mutual check and balance system
for business operations through the development of risk management organs and
systems that are independent from profit-making departments.

Operational risk management


With respect to operational risk management, an organization (the source describes a
banking group) classifies operational risks into six categories: administrative risk,
system risk, human resource risk, tangible asset risk, reputation risk, and legal and
compliance risk.
Other types of risk
1. Product obsolescence risk.
2. Exchange rate risk (mainly for companies doing business internationally).
3. Succession risk: risk that company cannot adequately replace its current
CEO.

What is a Risk Profile?

A major step in appropriate oversight of risk taking by a firm is listing out all of the
risks that a firm is potentially exposed to and categorizing these risks into groups. This
list is called a risk profile.

Risk Management Governance

Appropriate corporate governance for risk management is based on three lines of
defense:
Business line management
Business line management is responsible for the identification, assessment,
management, monitoring, mitigation, and reporting of risks inherent in products,
activities, processes, and systems in their purviews, and for the management of a sound
environment of risk management control. Support functions such as IT management are
part of the first line of defense.

Independent risk management function
An independent risk management function is the second line of defense. Its job is to
complement the management activities of the business line. This function has a
reporting structure independent of the risk-generating business lines and is responsible
for the planning, maintenance, and ongoing development of the banking corporation’s
risk management framework. One of its major duties is to challenge the adequacy of the
business lines’ inputs to risk management, of risk measurement, of the banking
corporation’s reporting systems, and of the outputs obtained. Other compliance,
monitoring, and control functions, such as the compliance and anti-money laundering
officer, the Chief Accounting Officer, and financial reporting controls, are part of the
second line of defense.

Internal audit
Internal audit provides independent review and challenges the corporation’s risk
management controls, processes, and systems.
A strong risk culture and good communication among the three lines of defense are
important characteristics of appropriate risk governance.

Risk Management Framework

Risk Appetite

The Board shall approve the risk profile or appetite of the Company in material risk
areas. The objective of risk appetite statements is to restrict the overall risk levels of the
Company based on pre-defined strategies.

 Risk appetite is communicated through the Company’s strategic plans. The
Board and management monitor the risk appetite of the Company relative to the
Company’s actual results to ensure an appropriate level of risk tolerance
throughout the Company.

 The Risk Manager shall develop the Risk Appetite statements and submit them to
the Board for review and approval.
 Risk Appetite statements shall be reviewed annually for necessary changes. Any
breach of the appetite statements shall be reported to the Board at its next
meeting.

Risk identification

 Risk identification forms the core of the Risk Management system. Multiple
approaches for risk identification are applied to ensure a comprehensive Risk
Identification process.
 The company shall identify sources of risk, areas of impacts, events and their
causes with potential consequences. Comprehensive identification is critical,
because a risk that is not identified here will be missed from further analysis.

Risk Assessment and Risk Rating

 For all key risks identified during the Risk Identification process, a qualitative
and quantitative assessment is carried out.
 Risk assessment involves different means of grading risks in order to assess the
possibility of their occurrence and the extent of damage their occurrence might
cause.
 Likelihood rating and impact rating are as per the rating parameters defined by
the Company.

Risk Prioritization

 After the risk assessment is complete, it is the responsibility of the Risk
Management Function to prioritize the key risks, i.e. to determine which risks are
considered key and need to be addressed on a priority basis.
 Prioritization of risks uses the final ratings. The risks are plotted on a 3 x 3
matrix (likelihood against impact) to identify which risks are material from a
corporate perspective.

 For this purpose, the materiality scales are used to identify the severity and
likelihood of these risks.
 All risks that fall in the red zone are considered high risk and require immediate
attention in terms of risk management.
 The findings of risk prioritization are presented to Senior Management and
Business Units.

Risk Mitigation Process

Once the top or critical risks are prioritized, appropriate risk mitigation and
management efforts to effectively manage these risks are identified.

 Risk mitigation strategy usually involves identifying a range of options for
treating risk, assessing those options, and preparing and implementing risk
treatment plans. The risk mitigation strategies may include managing the risk
through implementation of new internal controls, accepting certain risks, taking
insurance, and finally avoiding certain activities that result in unacceptable risks.
 Proposed actions to eliminate, reduce or manage each material risk will be
considered and agreed as part of the Risk Assessment Workshops or as part of the
Management/Risk Committee.

Risk Assessment Process

Risk assessment and rating methodologies take a systematic approach to determining
the impact of a risk’s occurrence and its likelihood of happening.

In brief, the assessment involves the following key steps:

1. Rating each risk as per the probability of the risk event occurring.

2. Rating the risk as per the financial impact of that risk event, should the risk
event occur.

These two parameters provide the quantitative element of risk assessment.

The process of Risk Assessment shall cover the following:

a) Risk Identification and Categorization – the process of identifying the company’s
exposure to uncertainty classified as Strategic / Business / Operational.

b) Risk Description – the method of systematically capturing and recording the
company’s identified risks in a structured format.

c) Risk Estimation – the process for estimating the cost of likely impact either by
quantitative, semi-quantitative or qualitative approach.
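The two-parameter rating and the 3 x 3 matrix prioritization described in the Risk Prioritization section above and in the assessment steps just listed, worked through as an added Python example; this is not code from the module or from any company’s risk policy. The Low/Medium/High scales, the score thresholds that define the red, amber and green zones of the matrix, the sample risk register and the appetite limits per category are all assumptions made for illustration.

```python
"""Risk rating, 3 x 3 matrix prioritisation and appetite breach reporting.

Added illustration. The rating scale, zone thresholds, sample register and
appetite limits are assumptions, not any company's actual rating parameters.
"""
from dataclasses import dataclass

# Assumed three-point rating scale used for both likelihood and impact.
RATING = {"Low": 1, "Medium": 2, "High": 3}

# Assumed zone thresholds on the product likelihood x impact (range 1..9).
RED_MIN, AMBER_MIN = 6, 3


@dataclass(frozen=True)
class Risk:
    name: str
    category: str      # Strategic / Business / Operational
    likelihood: str    # probability that the risk event occurs
    impact: str        # financial impact should the event occur


def score(risk: Risk) -> int:
    """Quantitative element of the assessment: likelihood rating x impact rating."""
    return RATING[risk.likelihood] * RATING[risk.impact]


def zone(risk: Risk) -> str:
    """Place the risk in the red, amber or green zone of the 3 x 3 matrix."""
    s = score(risk)
    if s >= RED_MIN:
        return "red"
    if s >= AMBER_MIN:
        return "amber"
    return "green"


def build_matrix(risks):
    """Return {(likelihood, impact): [risk names]} for each cell of the 3 x 3 matrix."""
    cells = {(lik, imp): [] for lik in RATING for imp in RATING}
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.name)
    return cells


def prioritise(risks):
    """Key risks first: sort by score (descending), then by name for a stable order."""
    return sorted(risks, key=lambda r: (-score(r), r.name))


def key_risks(risks):
    """Names of red-zone risks, which require immediate attention."""
    return [r.name for r in prioritise(risks) if zone(r) == "red"]


def appetite_breaches(risks, appetite):
    """Risks whose score exceeds the maximum tolerated for their category.

    `appetite` maps category -> maximum acceptable score (an assumed encoding of
    a risk appetite statement). Breaches are what gets reported to the Board.
    """
    return [(r.name, r.category, score(r)) for r in risks
            if score(r) > appetite.get(r.category, 9)]


# Constructed sample register (not real data).
REGISTER = [
    Risk("Counterparty default on loan book", "Business", "High", "High"),
    Risk("Interest rate shift on liabilities", "Strategic", "Medium", "High"),
    Risk("Core system outage", "Operational", "Medium", "Medium"),
    Risk("CEO succession gap", "Strategic", "Low", "High"),
    Risk("Product obsolescence", "Business", "Low", "Low"),
]

# Assumed appetite statement: maximum score tolerated per category.
APPETITE = {"Strategic": 4, "Business": 6, "Operational": 4}

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{score(r)} {zone(r):5} {r.name}")
    print("Key risks:", key_risks(REGISTER))
    print("Appetite breaches:", appetite_breaches(REGISTER, APPETITE))
```

The zone thresholds are deliberately kept as two named constants so that a company’s own rating parameters can be substituted without touching the prioritisation logic; the appetite check is separate from the zone check because a risk can sit in the amber zone and still breach a tight appetite limit for its category.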

Risk Monitoring and Risk Reporting

Risk Monitoring

1. The risks are to be monitored and treated by the Risk team under the guidance of
the risk owner on a frequent basis. The risk owner reviews all the risks identified and
profiled on a quarterly basis with reference to the risk mitigation plan.

2. A risk mitigation action plan is outlined for all priority risks in the high and medium
categories. Senior Management and Business Heads design an action plan to mitigate
and monitor each of these key risks.

3. An action plan and status report is maintained to log the actions proposed to
mitigate risks and to track their status, as evidence of regular review and monitoring of
the risk profile and action plan. The action plan and status report is circulated quarterly
to stakeholders to update them on the status of mitigation efforts.

4. The Company shall also introduce some high-level Key Risk Indicators (KRIs) that
will provide leading and lagging indicators on some key risks.

Risk Reporting

1. The Company’s MIS provides the Board and senior management, in a clear and
concise manner, with timely and relevant information concerning the risk profile. The
MIS is capable of capturing major policy breaches and is effective in promptly reporting
such breaches to senior management, and in ensuring that appropriate follow-up
actions are taken.

2. Most of the internal reporting and day-to-day interactions between senior
management and Business Functions ensure that senior management is aware of key
risks and unusual incidents or loss events.

3. In addition to this, formal risk reporting has been introduced to highlight risk
profiles, trends, key issues and effectiveness of Risk Management Systems.

4. The ongoing business success of the Company depends to a great extent on risk
awareness and the ability to manage risks. This requires transparency of all risk taking
activities and thus an effective risk reporting system.

Risk management policy and procedures

Definition: The development and implementation of proportionate risk management
policy, guidelines, procedures and action plans.

Policy
 Leadership level: Develops a risk management policy that is consistent with the
risk management strategy.
 Senior level: Implements plans and priorities to deliver risk management policy
within agreed timescales and budgets.
 Management level: Explains the purpose, role and benefits of embedding risk
management policy and procedures into organisational policies and procedures.
 Support level: Explains the purpose of risk management policy and procedures
and its components.

Roles and responsibilities
 Leadership level: Defines risk management accountabilities and methodologies
that meet strategy requirements.
 Senior level: Implements risk management policy, ensuring that ownership and
responsibilities are fulfilled within authority limits.
 Management level: Advises on the appropriate use of methodologies, tools and
techniques within the context of the risk policy.
 Support level: Explains the features of methodologies, tools and techniques and
their uses.

Resources
 Leadership level: Secures commitment and resources that will enable the
implementation of the risk strategy.
 Senior level: Reviews the effectiveness of risk management policy and processes
and the use of resources, and makes recommendations.
 Management level: Uses a range of resources to analyse management
information to support recommendations for improvements to risk management
policies and procedures.
 Support level: Provides management information to support improvements to
risk management policies and procedures.

Risk management strategy and architecture

Definition: The development and implementation of risk management strategy and
architecture.

Mandate
 Leadership level: Achieves commitment and ownership from decision makers to a
proportionate risk strategy and architecture.
 Senior level: Evaluates the extent to which individual risk strategies are
consistent with the overall risk strategy.
 Management level: Explains the purpose and role of a risk management
framework, strategy and architecture.
 Support level: Explains the components of a risk management framework,
strategy and architecture.

Strategy
 Leadership level: Develops the risk management strategy and approach that
optimises risk appetite.
 Senior level: Assigns ownership and levels of authority that comply with the
requirements of the strategy.
 Management level: Makes recommendations for improvements to the risk
management strategy.
 Support level: Provides management information to support risk strategy
development.

Structure
 Leadership level: Establishes a coherent, transparent and rigorous risk
governance structure that supports an organisation’s risk strategy.
 Senior level: Ensures consistency between an organisation’s risk management
strategy, organisational strategies and its governance structure.
 Management level: Communicates the requirements of the risk governance
structure.
 Support level: Describes the features of an effective risk governance structure.

Risk culture and appetite

Definition: The creation of a risk culture that is intrinsic to an organisation’s culture.

Risk culture design
 Leadership level: Influences an organisation’s leadership in determining the
desired risk culture.
 Senior level: Fosters an organisation’s culture through the design of
organisational systems, processes and behaviours.
 Management level: Acts as a role model of the culture expected through
personal behaviours and actions.
 Support level: Explains an organisation’s risk culture and acts accordingly.

Risk appetite
 Leadership level: Influences decision makers’ understanding of risk appetite and
its implications.
 Senior level: Nurtures the balance between risk taking, risk management and
rewards in line with an organisation’s risk appetite.
 Management level: Explains how an organisation establishes its risk appetite
and tolerance.
 Support level: Explains the factors that influence people’s perceptions of risk
and opportunities and their impact on risk appetite.

Behaviours and values
 Leadership level: Ensures an organisation’s approach to risk management is
aligned with its risk maturity and values.
 Senior level: Embeds risk management approaches into organisational values.
 Management level: Carries out reviews of the extent to which risk culture is
demonstrated through individuals’ behaviour and operational activities.
 Support level: Identifies the level of risk maturity and its implications for risk
culture and appetite.

Risk performance and reporting


Definition: The development and implementation of a risk measurement performance
and reporting framework.

Risk reporting systems
 Leadership level: Establishes a comprehensive risk reporting system that is
aligned with other organisational performance management structures and
processes.
 Senior level: Reports on the strategic and financial impact of risks.
 Management level: Ensures that risk reporting systems operate efficiently.
 Support level: Explains the purpose of measuring and reporting risk performance
and the use of technology to support effective risk management.

Risk performance indicators
 Leadership level: Defines organisational Key Risk / Performance Indicators
(KRIs/KPIs) for evaluating risk management performance, strategy, processes
and controls.
 Senior level: Specifies the design requirements of risk performance reporting
systems.
 Management level: Uses analytical tools and techniques to monitor changes to
an organisation’s risks and opportunities and updates risk information.
 Support level: Complies with legal, ethical and regulatory requirements in the
gathering and recording of risk information.

Risk reporting protocols
 Leadership level: Ensures that risk reporting systems enable effective decision
making and are capable of identifying actual and emerging risks.
 Senior level: Reports recommendations for improvements based on systematic
analyses of information at agreed intervals.
 Management level: Produces risk management reports, highlighting areas of
concern, change, emerging threats and opportunities.
 Support level: Explains the uses of risk information and reports and the
potential consequences of poor risk reporting.

Risk treatment

Definition: The development, selection and implementation of risk treatment strategies
and controls.

Risk treatment and risk appetite
 Leadership level: Ensures an organisation’s approach to the treatment of risk is
aligned with its risk appetite and strategy.
 Senior level: Monitors the effectiveness of an organisation’s approaches to risk
treatment and makes recommendations.
 Management level: Implements controls to manage identified risks in
accordance with risk treatment strategies and budgets.
 Support level: Explains the suitability of different risk response options and
control types.

Cost-effective risk treatment
 Leadership level: Determines risk treatment strategies and investment that align
with an organisation’s approach to risk management.
 Senior level: Develops, prioritises and resources suitable controls to treat
identified risks and manage opportunities.
 Management level: Supervises the quality of risk monitoring and mitigation
actions taken, challenging and making interventions when issues arise.
 Support level: Explains the costs and benefits of risk treatment activities.

Business continuity and crisis management
 Leadership level: Integrates business continuity strategies and crisis
management within an organisation’s risk management strategies and plans.
 Senior level: Ensures the continuing coordination of business continuity and
crisis management strategies with risk management.
 Management level: Collates and analyses management information to support
crisis management and business continuity plans and activities.
 Support level: Explains the principles and features of crisis management and
business continuity.

Risk assessment

Definition: The identification, analysis and evaluation of the nature and impact of risks
and opportunities.

Risk assessment process
 Leadership level: Defines the approaches to risk identification, analysis and
evaluation and establishes the level of investment to be deployed.
 Senior level: Interprets facts, patterns and trends to reach evidence-based
decisions on the nature of risks and opportunities.
 Management level: Uses a range of information sources and assessment tools
and techniques to identify, analyse and evaluate risks and opportunities.
 Support level: Contributes to the risk assessment process.

Analysis of risk impact
 Leadership level: Scopes the potential impact of aggregated risks and worst case
scenarios quantitatively and qualitatively.
 Senior level: Prioritises risks and opportunities in terms of probability, scale,
significance, impact and distribution.
 Management level: Explains the range of factors that can influence the
perception of risk.
 Support level: Explains how and why to use different risk assessment tools and
techniques.

Evaluation of risk consequences
 Leadership level: Evaluates the impact and value of potential strategic risks and
opportunities.
 Senior level: Evaluates interdependencies between risks, uncertainties and
opportunities, critical failure points and resource implications.
 Management level: Advises on the use of risk assessment tools and techniques.
 Support level: Explains how to display the results of risk assessments.

Risk Management Information System

A risk management information system (RMIS) is technology that enables you to
capture, manage and analyze all your organization’s risk and insurance data in a single,
secure system. Using risk management software, organizations like yours can improve
departmental efficiencies and generate savings on your total cost of risk. But an RMIS
and the expert support behind it offer much more: an RMIS helps you to improve data
accuracy and reduce administrative burdens.

A risk management information system can help in the following ways:

 Automatically highlighting to users, at the point of entry, values that may contain
errors.
 Ensuring consistent synchronization of data from multiple sources.
 Providing context help for users.
 Building adaptive questionnaires, forms, and interfaces that ask users only for
relevant data.
 Specifying field constraints (for example, dropdown options), mandatory fields,
defaults, and other validation logic.
 Post data-entry cleaning and automatic validation against business rules.
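The point-of-entry validation just listed (field constraints such as dropdown options, mandatory fields, defaults, and post-entry validation against business rules), as an added Python example; this is not code from the module or from any RMIS vendor. The record schema, the two business rules and the sample records are constructed assumptions chosen to exercise each kind of check.

```python
"""Point-of-entry validation of RMIS risk records.

Added illustration. The schema, business rules and sample records are
assumptions; a real RMIS would load these from its configuration.
"""
import re

# Assumed field constraints: mandatory flags, dropdown options, defaults,
# a format pattern for the identifier, and a numeric lower bound.
SCHEMA = {
    "risk_id":         {"required": True, "pattern": r"R-\d{4}"},
    "title":           {"required": True},
    "category":        {"required": True,
                        "options": ("Strategic", "Business", "Operational")},
    "likelihood":      {"required": True, "options": ("Low", "Medium", "High")},
    "impact":          {"required": True, "options": ("Low", "Medium", "High")},
    "owner":           {"required": True},
    "review_cycle":    {"required": False, "default": "quarterly",
                        "options": ("monthly", "quarterly", "annually")},
    "insured_amount":  {"required": False, "type": float, "min": 0.0},
    "mitigation_plan": {"required": False, "default": ""},
}


# Assumed business rules, applied after the field-level checks pass.
def _high_impact_needs_plan(rec):
    if rec["impact"] == "High" and not rec["mitigation_plan"]:
        return "high-impact risks must record a mitigation plan"
    return None


def _high_likelihood_not_annual(rec):
    if rec["likelihood"] == "High" and rec["review_cycle"] == "annually":
        return "high-likelihood risks cannot be on an annual review cycle"
    return None


BUSINESS_RULES = [_high_impact_needs_plan, _high_likelihood_not_annual]


def validate(record):
    """Validate one entered record; returns (cleaned_record, errors).

    errors is a list of (field, message) so a form can highlight the offending
    field at the point of entry; business-rule failures use the field "record".
    """
    cleaned, errors = {}, []
    for field in record:
        if field not in SCHEMA:
            errors.append((field, "unknown field"))
    for field, spec in SCHEMA.items():
        value = record.get(field)
        if value in (None, ""):
            if spec.get("required"):
                errors.append((field, "mandatory field is missing"))
                continue
            cleaned[field] = spec.get("default")   # apply default for optional fields
            continue
        if "type" in spec:                         # coerce, e.g. "250000" -> 250000.0
            try:
                value = spec["type"](value)
            except (TypeError, ValueError):
                errors.append((field, f"expected {spec['type'].__name__}"))
                continue
        if "min" in spec and value < spec["min"]:
            errors.append((field, f"must be >= {spec['min']}"))
            continue
        if "options" in spec and value not in spec["options"]:
            errors.append((field, "must be one of " + ", ".join(spec["options"])))
            continue
        if "pattern" in spec and not re.fullmatch(spec["pattern"], str(value)):
            errors.append((field, "does not match the required format"))
            continue
        cleaned[field] = value
    if not errors:                                 # post-entry checks on a complete record
        for rule in BUSINESS_RULES:
            message = rule(cleaned)
            if message:
                errors.append(("record", message))
    return cleaned, errors


# Constructed sample entries (not real data): one valid, one with field errors,
# one that passes field checks but breaks a business rule.
SAMPLE_RECORDS = [
    {"risk_id": "R-0001", "title": "Counterparty default", "category": "Business",
     "likelihood": "High", "impact": "High", "owner": "Head of Credit",
     "mitigation_plan": "Collateral and exposure limits", "insured_amount": "250000"},
    {"risk_id": "0002", "title": "Core system outage", "category": "Ops",
     "likelihood": "Medium", "impact": "High", "insured_amount": "-5"},
    {"risk_id": "R-0003", "title": "CEO succession gap", "category": "Strategic",
     "likelihood": "Low", "impact": "High", "owner": "Board Secretary"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        cleaned, errors = validate(rec)
        print(rec.get("risk_id"), "OK" if not errors else errors)
```

Field-level errors are reported per field so that they can be shown next to the input box as the user types, while business rules run only once the record is structurally complete, mirroring the split between point-of-entry highlighting and post-entry validation described above.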

Why is a RMIS beneficial for organizations?

1. Companies all over the world face strict compliance rules. This is because there
have been several companies in the past where frauds have occurred. Hence,
regulatory authorities want records of important data to be maintained. Risk
management information systems are equipped to collect this data and generate
reports in the formats specified by the government. This is the reason that they
are considered to be valuable by many organizations. Inability to maintain this
data and distribute it in a timely manner can lead to lawsuits and fines.
2. Whenever an organization fails to manage risks, its stakeholders suffer. Also, in
the case of large organizations, the information is often covered in the media.
Hence, the reputation of the company suffers. Companies invest billions of
dollars in creating a brand image. Hence, there is no reason why they would not
want to spend a little more and build an information system that would help
them protect the brand image.
3. Organizations have tried to use the cheaper alternative and manage data
pertaining to risks via a set of spreadsheets. However, these spreadsheets are not
connected to one another. Hence, collating data effectively to facilitate decision-
making becomes a challenge. Over the years, companies have realized that it is
cheaper to spend money on an information system than to suffer the impact of
risks that were not managed appropriately.
4. The risk management profile of some companies can be extremely complex. For
instance, some companies have to deal with documents in a wide variety of
languages and currencies. Similarly, large organizations typically have several
overlapping insurance policies with different carriers. Risk management
information systems help map the insurance or the derivative against the asset
which it is trying to secure. This provides a complete picture of the risk profile of
the company.
5. Risk management information systems bring automation to risk management
practices. They are designed to collect data automatically. Periodic reports are
generated and sent out to the concerned personnel at the required times. In the
absence of an integrated risk management information system, all this will have
to be done by humans and that would cost the organization a lot more as
compared to the cost of the software.

What is the Governance Cloud or Cloud Governance?

 Cloud Governance is a set of rules. It applies specific policies or principles to the
use of cloud computing services.
 This model aims to secure applications and data even if they are located remotely.
 The best Cloud Governance solutions include People, Processes, and Technology.
 It basically refers to the decision-making processes, criteria, and policies involved
in the planning, architecture, acquisition, deployment, implementation, operation,
and management of a Cloud computing capability.

Cloud Governance best practices help to optimize the organization in the following areas:

 Operations: Doing it efficiently
 Risk and compliance: Doing it securely
 Financial: Doing more with less

Governance Policy in Cloud

Governance policies contain a set of protocols for how things should be regulated on
the cloud. So the Cloud Governance policies should be created and regularly reviewed
by the business executives, managers, and IT experts.

The Cloud Governance policy must include:

 Standards for the design of infrastructure
 Monitoring of infrastructure and applications
 Security Policy
 Programming standards
 Backup and recovery services

Reference Questions

2 MARKS

1. Mention any 2 types of risks associated with Corporate Governance.
2. What is Counterparty risk?
3. What is interest rate risk?
4. What is liquidity risk?
5. What is risk profile?
6. What is risk description?
7. What is risk estimation?
8. What is risk management policy?
9. What is risk management strategy?
10. Mention any 2 products of governance cloud eco system.

4 MARKS:

1. Write a short note on counterparty risk.
2. Write a short note on interest rate risk.
3. Write a short note on liquidity risk.
4. Briefly explain the 3 lines of defense of risk management in corporate governance.
5. Write a short note on risk appetite.
6. Write a short note on risk identification and assessment.
7. Write a short note on risk prioritization.
8. Briefly explain the process of risk mitigation.
9. Briefly explain the process of risk assessment.
10. Write a short note on risk monitoring.
11. Write a short note on risk reporting.
12. Briefly explain risk management policies and procedures.
13. Briefly explain risk management policies and architecture.
14. Briefly explain risk culture and appetite.
15. Briefly explain risk performance and reporting.
16. Write a short note on risk treatment.
17. Write a short note on risk assessment.
18. Write a short note on risk management information system.
19. Briefly explain the benefits of RMIS.
20. Briefly explain the concept of Governance cloud.
21. Briefly explain the five disciplines of Cloud Governance.

References
 https://blog.ipleaders.in/corporate-governance-and-risk-management/
 https://diligent.com/blog/relationship-risk-management-corporate-governance
 https://www.boi.org.il/en/BankingSupervision/SupervisorsDirectives/ProperConductOfBankingBusinessRegulations/310_et.pdf
 https://www.alkemlabs.com/admin/Photos/Policies/641124928137876Risk_Management_Policy.pdf
 https://www.theirm.org/about/professional-standards/strategy-and-performance/risk-management-policy-and-procedures
 http://blog.ventivtech.com/blog/bid/286243/What-is-a-risk-management-information-system-what-can-it-do-for-you
 https://www.ventivtech.com/blog/what-is-an-rmis-risk-management-information-system
 https://www.managementstudyguide.com/risk-management-information-system.htm

Questions are for reference purposes only and will not necessarily appear in the final
exams.
