Risk Management

1.3 The current heightened interest and importance of risk
assessment is due to the unique situation that the world is in. Unlike in the
past, in times of the industrial revolution, which had its fair share of risks,
the modern world in the era of Information and Communication technology is a
globalised and networked world where the forces of disintermediation,
virtualisation, convergence, knowledge management and empowerment are at play.
The scope, scale and speed of operations in modern times are far beyond what was
even thought of in the past, the shortened fuse wire of decisions and the
worldwide impact of local actions and reactions are extremely difficult to
predict.

1.4 This transformation has on the one hand magnified
rewards, but on the other hand, has also enhanced risk. Enhanced risk is the
price we pay in this modern globalised world.

2.1 The concept of risk has been attempted to be captured in
many ways, but the basic definition still is relevant.

2.2 Webster’s defines risk as — possibility of loss
or injury (peril), someone or something that creates
or suggests a hazard, the chance of loss or the perils of the subject matter of
an insurance contract, the chance that an investment will lose value.

2.3 The word entered the English Language circa 1661 from the
French word ‘risqué’ and the Italian word ‘risco’.

2.4 Risk is imbedded when there is an event with more than
one possible outcome, that is, resulting in either desirable or undesirable
consequences. Each outcome has a probability of occurrence depending on the
circumstances. It is thus a potential event and not the loss itself.

2.5 In fact what may be perfectly normal and beneficial to
one in a given set of circumstances may be fraught with danger and risk to
another in the same or different setting. Thus we have the probability of early
bird catching the worm, and the possibility of early worm getting caught, but
the decision whether to be early or late depends on whether you are the ‘bird’
or the ‘worm’.

2.6 Risk, hence, is a word of many meanings. It means
different things to different people. This perception of risk as a source of
‘threat or peril’, or as a ‘challenge and an opportunity’, depends on one’s
attitude to life and risk — that of a ‘risk averter’ or a ‘risk taker’. Risk
comes in all sizes and shapes from getting caught in rain without an umbrella
and catching pneumonia, — sickness- facing life-threatening situations like
natural calamities and of course normal and abnormal business risks involving
loss of money and reputation.

3.1 An organisation faces many types of risks. These risks
range from strategy and directional risks at the one end to risks in day-to-day
operations at the other.

3.2 If one were to look at the enterprise as a whole, one is
faced with strategic risks that cover strategic issues, business
decisions and the business environment. Macro issues like political, economic,
social situation and competitor activity often affect and influence these risks.
Operational risks deal with operational issues including manufacturing
and service provision, execution, people issues, administration, communications,
etc. At a different level there are other external risks that exist in
the business environment that relate to markets, availability of finance and
changing value of money – forex. A chart showing an overview of these risks is
given in Appendix 1.

3.3 There are thus many ways of classifying risks — according
to their type or even as Systematic Risk and Unsystematic Risk.

3.4 Systematic risk covers interest rate, reinvestment rate,
purchasing power, market exchange rate and political risk, whereas unsystematic
risk covers business, financial, default, credit, liquidity and event risks.

3.5 Apart from these, risk can be physical, psychological,
social/economic, legal and even risk involving confidentiality.

4. Risk — its importance :

Risk has been with us since the beginning of time. Why is it that addressing, comprehending, analysing and managing it has become so important today? The most important reason for the increased importance of risk is that we have started appreciating the fact that uncertainty and its resultant negative impact on business is increasing with globalisation. Risk is becoming more important than ever before, because changes are rapid and all pervasive that it requires preparedness and quick reflexes to launch pre-emptive moves to counter emerging, altered, scenarios. At the same time both stakes and expectations are increasing. A time has’ come when Gandhiji’s words of wisdom, “there is enough for every man’s need, but not for every man’s greed” are palpable today.

Contributing factors – Some  examples:

5.1  Legislation is  becoming tougher:

Risk assessment is necessary to avert legal liability – esp. in areas of health and safety.

5.2 Insurance is more expensive and difficult to obtain:

5.3 Customer – Attitudes:

5.4  Public awareness:

People and the society at large expect higher standards of probity in corporate behaviour, which means that companies have to manage ‘corruption risk’.

6. Response  Management’s attitude:

The source of risk:

7.1 Risk arises due to imperfect knowledge stemming from lack of complete or perfect information about certain facts and events on the one hand and the uncertainty and unpredictability of results of specific inputs and actions, on the other. Risk is contextual and its impact varies depending on the underlying situation and ground realities obtaining in a given situation. It also increases if you are dealing with third-party assets.

7.2 Risk is also determined by actions and moves of the associate and/or adversary, for example, in a zero sum or similar game. The well-known game Prisoner’s Dilemma is an example.

Prisoners’ dilemma:

The game known as the Prisoner’s Dilemma got its name from the following hypothetical situation : imagine two criminals arrested under the suspicion of having committed a crime together. However, the police do not have sufficient proof in order to have them convicted. The two prisoners are isolated from each other, and the police visit each of them and offer a deal: the one who offers’ evidence against the other one will be freed. If none of them accepts the offer, they are in fact cooperating against the police, and both of them will get only a small punishment because of lack of proof. They both gain. However, if one of them betrays the other one by confessing to the police, the defector will gain more since he is freed; the one who remained silent, on the other hand, will receive the full punishment, since he did not help the police, and there is sufficient proof. If both betray, both will be punished, but less severely than if they had refused to talk. The dilemma resides in the fact that each prisoner has a choice between only two options, but cannot make a good decision without knowing what the other one will do. The problem with the prisoner’s dilemma is that if both decision-makers were purely rational, they would never cooperate. Indeed, rational decision-making means that you make the decision which is best for you whatever the other actor chooses. Suppose the other one would defect, then it is rational to defect yourself: you won’t gain anything, but if you do not defect you will be stuck with a loss by way of being punished when the other goes scot-free. Suppose the other one would cooperate, then you will gain anyway, but you will gain more if you do not cooperate, so here too the rational choice is to defect. The problem is that if both . actors are rational, both will decide to defect, and none of them will gain anything. However, if both would ‘irrationally’ decide to cooperate, both would gain by being let off with minimum penalty. Thus this well-known game representing the Prisoner’s Dilemma – “If both prisoners cooperate (do not blame each other) they both benefit each being let off. However if one blames the other and the other cooperates (does not blame the first), then the blamer is let off and the one who cooperates gets arrested for a long term and vice versa. If both blame each other, both suffer a sentence but for a shorter term. Though logically it is best to cooperate, since the prisoner is not sure if the other one willget greedy, they settle blaming the other, just to be on the safe side and minimise potential risk/loss.

7.3 While risk arising from deficient information can be mitigated and reduced by gaining more information albeit at a cost, the risk arising from uncertain outcomes can only be controlled to some extent either by developing better mechanism at predicting the outcomes or better still by controlling the outcomes as much as possible.

7.4 Risk as we have seen, originates from vulnerabilities and threats and results in an adverse impact when it occurs. It is a function of threats, vulnerabilities and their impact. Vulnerabilities produce weaknesses that increase risk. Threats are external adverse factors that have a chance of occurrence. The Greater the threat, the greater the risk. The impact is adverse consequences and damages that can flow from the materialising of the threat. The greater the impact, the higher the risk. Thus minimising the chance of the threat materialising, reducing vulnerabilities and minimising the damage or impact helps to mitigate risks.

7.5 If one addresses risk with preconceived notions about its probable causes, it can lead to disastrous results as the real threat often lies else-where. What is required is clear perspective, correct approach and quick response.

7.6 Both predictive and responsive courses of action have an associated cost. The manager has to develop a strategy that ensures that the returns always exceed the cost of risk mitigation. The right way to tackle, deal with and manage risk is to adopt strategic risk management. In the absence of satisfactory definition of Risk Management …. for practical purposes, the emphasis of risk management tends to be on risk awareness, assessment and mitigation. However, strategic risk management involves :

7.7 The road map to risk management can be summarised as :

7.8 Requirements for successful risk management?

7.9 Tools used for effective risk management, are:

8.    The Mantra for success in risk management thus seems to be to ‘bear, share and insure’. Bear what you can yourself, given your risk appetite. Share risk within the industry by creating risk sharing, using averting mechanisms and finally insure what cannot be controlled and pass on the risk to insurers. Lastly, ‘monitoring and planning’ for the future involves a continuous process to adopt a ‘Plan, Do, Check and Act cycle’, in order to de-risk your business to the extent possible.

9.1 Managing risks the proactive way thus involves:

»    Setting  standards  from the top

»    Quick adaptation  to change

»    Balance and experience – multitasking employees, and

»    Allocate responsibility for risk management.

9.2 In short, Continuous Risk Management (CRM) is a structured plan. CRM provides a disciplined environment for proactive decision making to:

9.3    For CRM refer Appendix 2

The  effective  use and  implementation of CRM results in a paradigm shift in the way businesses plan, implement and operate.

Risk and the Accountant:

10.1 We have examined risks and risk management as applicable to business and industry in general. Let us now consider the risks that accountants face at the professional, strategic, operational as well as at micro level. Risk has been with the profession since its advent, because accountants certify either ‘correctness’ or ‘true and fair’ state of affairs.

10.2 The accounting profession has passed through turbulent times post Enron and World – Com abroad and our own GTBs and cooperative banking seams in India, and has reached a stage of crossroads. The message is loud and clear, the profession has to improve if the financial system and trust and faith in the profession are to survive. All concerned stakeholders – the government, the key players, the profession itself has moved with alacrity to rectify the situation. New accounting and audit standards have been adopted, the world is moving towards one set of uniform financial reporting standards. A lot has been done; a lot needs to be done. It is in this context we need to look at risk from the perspective of accountants and auditors.

10.3 Accountants play the role of score keeping and reporting. Reporting involves providing information to managements for decision making and to other stakeholders for investment, rewards, taxes, etc. From an accountant’s perspective risk is closely associated with governance, compliance and performance. Every organisation in its attempt to achieve its business objectives needs governance, compliance with laws and measurement of performance – that is profit.

10.4 The issue we will examine is : what is the role and relevance of accounting and the accounting professional, whether as an accountant or as an auditor, in the context of risk and what are the risks an accountant faces.

10.5 The accounting professional’s role in risk is on one side as the person in charge of the accounting and reporting process – the chief financial officer (CFO), and on the other side as a professional, independent auditor or internal auditor who expresses opinion on the financial statements and internal controls, etc. respectively. This is brought out in Fg.1 below.

10.6 The CFO, post SOX in the US and clause 49 and other corporate governance initiatives in India, is responsible for maintaining proper records and accounting for transactions, selection and application of proper accounting standards, computation and extraction of financial statements, true and fair reporting of the profit/loss and the state of affairs and also ensuring safeguarding of assets, control over operations and vouching for the verification and veracity of records. The CFO has thus become ‘owner’ responsible for accounting and reporting function. His liability is thus now two-fold. One of due care to the best of his skill and ability to his employer, and the second of proper service (that is not deficient) to the stakeholders. Failure to do his job using due care, diligence and professional expertise would attract action and liability.

11.    Risk as Score  Keeper:

The accountant as a score keeper maintains records of financial transactions. Books of accounts and accounting and financial records provide the basis for all decision making within the organisation. It is an analysis of this data using various tools and techniques that helps organisations take decisions. Decisions that are strategic like export or not, expand or shut down, diversify or continue, decisions that are operational like working in the second shift, increasing the work force, double the productions, hold stocks, as well as day-to-day decisions like accept an order, increase the price in the local market, etc.

The information provided by the CFO has to be correct, accurate, timely and relevant. In this role as a management accountant providing inputs he is part of the decision-making team.

Risk as reporter:

12.1 Financial statements provide key information to stakeholders. It is the business scorecard that gives vital information about net worth, assets and liabilities, profitability, growth, stability, liquidity, solvency, gearing and turnover.

12.2 The information provided by the accountant – CFO – who is a critical member of the management team is expected to be independent (unbiased), transparent, true and fair – that fairly represents the position of the business from the stakeholders’ perspective. In this role, the accountant faces the risk of application of wrong principles and standards, wrong accounting estimates, errors, mistakes and frauds, inaccurate particulars, window dressing and creative accounting – that is – unfair presentation, off-balance sheet items, unaccounted transactions, unprovided liabilities,watered capital, issues of capital versus revenue, deferment of revenue expenses, under-provisioning or over provisioning for expenses and liabilities, the list is endless.

12.3 Any lapse in the discharge of this responsibility can involve civil, criminal and professional action.

Risk in Audit and Assurance:

13.1 The risk in this role is twofold. The first as an internal auditor having organisational independence and the other as the independent external/ statutory auditor.

Internal Auditor:

13.2 As an internal auditor, the accountant deals with reporting on: existence and effectiveness of controls, adherence to policies and procedures, safeguarding of assets, compliance with laws and regulations, existence of appropriate and adequate documentation and MIS, fraud and error, deviations from established and prescribed procedures and at times on proper utilisation of physical and human resources.

13.3 The risks faced by the accountant as internal auditor arise from the sheer volume and complexity  of transactions and  are:

External Auditor:

13.4 As an external auditor the professional accountant deals with financial statement reporting, fair presentation of the position of its assets and liabilities, and true and fair reporting of its profit and loss for the period. This involves verifying the books of accounts, with supporting evidence, proper application of accounting principles and standards, verifying existence and efficacy of controls and following the set of professional audit and assurance standards developed over the years. All this enables him to express an opinion on the financial statements prepared and submitted by the management.

13.5 The external auditor can do precious little to address risks inherent in a business activity. He is not an insurer of results, but what he can and must do to the best of his professional ability is to address the risk of detection of misreporting.

He needs to display independence and professional competence, use the concepts of materiality, prudence and professional skepticism, whilst dealing with error and fraud to provide sufficient assurance to the users of financial statements that the financial statements are ‘true and fair’.

13.6 The days of the Kingston Cotton Mills’ case where the auditor was not responsible for reporting frauds and other delinquent acts of managements are gone.

13.7 A professional accountant owes a duty of care to the person who has engaged him for the work of auditing and reporting, arising out of the contract and terms of engagement and the governing laws and regulation.

13.8 The liabilities of professionals especially ‘auditors’ who do not discharge their responsibilities are broadly divided into four types. These are:

14.    Auditors were not considered to owe a duty of care to third parties or individuals belonging to a group in the absence of a direct contractual relationship even if these third parties had relied on his report. The decision in the cases of De Savory vis Holden Howard & Co, (TLR) 11-1-60 and Candler vIs Crane Christmas & Co Court of Appeal, 1951 Z. K. B. 164, absolved the auditor from such responsibility. However, the dissenting judgment of Lord Denning in Candler vis Crane Christmas & Co is worth perusing. He observes :

“The accountant, who certifies the accounts of his client, is always called upon to express his personal opinion whether the accounts exhibit true and correct view of his client’s affairs, and he is required to do this not so much for the satisfaction of his own client, but more for the guidance of shareholders, investors, revenue authorities and others who may have to rely on the accounts in serious matters of business. If we should decide this case in favour of the accountants, there will be no reason why accountants should ever verify the word of the one man in a one-man company because there will be no one to complain about it. The one man who gives them wrong information willnot complain if they do not verify it. He wants their backing for the misleading information he gives them and he can only get it if they accept his word without verification. It is just what he wants so as to gain his own ends. And the persons who are misled cannot complain because the accountants owe no duty to them. If such be the law, I think it is to be regretted for it means that the Accountants’ Certificate, which should be a safeguard, becomes a snare for those who rely on it. I do not myself think that it is the law. In my opinion, accountants owe a duty of care not only to their clients, but also to all those whom they know will rely on their accounts in the transactions for which these accounts are prepared.”

This liability of owing a duty to third parties was established by the decision of Hedley Byrne and Co Ltd. vis Heller and Partners. (1964) Act 465.

15.    I would refer to two Indian cases:

1.    The decision of the Bombay High Court in Trisure’s case No. 1377 of 1978, dated 211 24 October 1985 re-emphasised that an auditor need not proceed with suspicions unless the circumstances are such as to arouse suspicions in a professional man of reasonable competence. The judgment also upholds the use of sampling for testing internal controls and use of sampling to complete the audit where controls are found satisfactory .

2.    The observation of Justice P. T. Raman Nair in the decision in the case of “The Official Liquidator, Palai Central Bank Ltd. vis Joseph and Other, (App. No. 247 of 1963 in BCP No. 11 of 1960) are relevant:

“So far as the 8th respondent, the auditor for 1946 onwards is concerned, very lengthy arguments have been addressed regarding the duties of a familiar bloodhound as opposed to watchdog lines. But this much I suppose one would not deny and counsel for the 8th respondent has not been disposed to deny it namely, that even the tamest of watch-dog has duty not to connive with the thief.

16.1 Let us consider the present situation in which chartered accountants and auditors are viewed by the public and stakeholders as service providers. Service provided includes accounting, audit & assurance, taxation, consultancy, investment advisory, valuation and/or many other services including at times opinions and management consultancy. The issue is: Is there any exposure under the consumer protection laws for other similarly-placed professional service providers – for example – doctors and lawyers who have been recently exposed? The decision of the National Consumer Disputes Redressal Commission and later the Supreme Court of India in the case of Indian Medical Association v. V.P. Shantha, (AIR 1996 SC 550) has held that the services rendered by the medical practitioner is included and covered under the definition of ‘services’ in S. 2(1)(0) of the Consumer Protection Act, 1986. This covers not only the treating doctors but also the consultants.

This reflects the view that the watchdog bodies of the profession are not perceived to be adequate to provide justice to consumers. In its judgment dated August 6, 2007, in the case of D. K. Gandhi v. M. Mathias, the National Consumer Redressal Commission made it clear that all professionals, including lawyers, should come under the ambit of the Consumer Protection Act. If doctors can come under the fold of the Act, lawyers and all other providers of services like chartered accountants, architects and property dealers will come under the Consumer Protection Act too. This case marks a departure from the established law that professionals can be penalised only by the established Discipline procedures under the law governing the profession. Thus in the changed environment claims for deficient services will not be restricted to be dealt with by the disciplinary committee or an in-house forum of the Institute, but could be agitated before and decided upon in other fora like the consumer forum and Civil and Criminal Courts.

16.2 The accounting is changing and facing challenges like fair value accounting, inflation, intangibles, growing dependence on information systems, ERP, and last but not the least, convergence with International Financial Reporting Standards – IFRS. All these challenges are areas of risk.

The  current  financial  crisis :

17.1 The current financial crisis beginning with the sub-prime crises in US, followed by economic meltdown, reckless investment and products, right up to the recent string of bankruptcies, near-collapse situation in the United States and the last minute bail-out has brought to fore immense risks in the world of finance.

17.2 What has caused this current crisis? Is it bad economics? Bad mathematics? Bad logic? Poor judgment? Is it a failure of rating agencies, failure of merchant bankers, investment analysts and consultants, failure of banks and financial institutions in their due diligence and homework and failure of auditors in expressing their opinion ? Failure of monitoring and regulatory bodies and government agencies, failure of Boards in their oversight? Failure in record keeping and reporting . . .. probably it is all of this in some measure. I suspect all have failed.

17.3 What would be the fallout and impact of the ongoing crises like the turbulence in the forex market and where derivative products have been sold by leading banks to mature corporates and investors with neither displaying the maturity, the seriousness, the understanding and the capacity of going through such transactions? Can this be called ‘risk’ management? The conclusion is in the negative.

18.    A person can always be wiser in hindsight. But one fact that comes out glaringly out of this is that every situation, every strategy, every move, every operation, every action, every transaction, every receipt and payment, every contract, every assurance, every deal, every agreement, every statement, every acceptance …. has a financial footprint that the accountant captures, records and reports and the auditor verifies, vets, vouches, audits, comments and expresses an opinion on. Does that mean that all this is too onerous and that accountants should hide behind disclaimers, subject tos, not withstandings, ifs and buts, and the law as it stands? Professional accountants, be they CFOs, accountants or auditors, need to understand the situation and the task before them, and equip themselves to go forth and discharge their role. To quote William Shedd

“A ship in harbour is safe, but that is not what ships are built for.”

This is the challenge.

19.    I repeat the way forward for accountants to counter this risk is to equip themselves with knowledge through continuing professional education, improve assurance function supported by peer review, and above all maintain independence coupled with professional skepticism and adherence to ethical standards. The need of the hour then is to convert vulnerabilities and weakness into strengths and threats into opportunities to manage change. Let us accept the challenges of change.

Appendix    1

Overview of different  types  of risks faced by an Enterprise :

(A) Strategic risks:

(B)    Operational risks: Manufacturing/Service Risks

Risks in  Operations

Risks in  Human Resources

Risks in Communications

(C)    Market Risks:

(D)    Credit Risks:

(E)    Finance Risks

 Liquidity Risk

Interest Rate Risk

Forex  Risk

Appendix    2

Continuous Risk Management (CRM)

1.    CRM requires formulation of :

2. Implementation  of CRM plan requires: