The Evolution of Risk Management Oversight by Indian Boards
Across the globe, the focus on effective risk management has intensified over the past two decades as major corporations have experienced risk management failures due to excessive financial risk taking, environmental catastrophes, accounting and corruption scandals, and the like. The monitoring of risks is a significant priority for corporate managers and boards, as well as for regulators and investors. As the OECD states, “while risk-taking is a fundamental driving force in business and entrepreneurship, the cost of risk management failures is still often underestimated. . . . Corporate governance should therefore ensure that risks are understood, managed, and, when appropriate, communicated.”
The board of directors lies at the core of effective risk management. Directors are not responsible for the everyday management of risk. However, the board plays a critical role in overseeing and guiding the risk policy of a company, and in ensuring that appropriate systems of control are in place. Since the 2008 financial crisis, expectations around the board’s risk oversight responsibilities have become heightened as companies face increasingly complex business, regulatory and political environments. Thus, national legislation and corporate governance guidelines and codes by leading international organizations have evolved to stress the role of the board of directors in risk oversight.
In our article, forthcoming in the National Law School of India Review, we analyze India’s evolving framework for board oversight of risk management. With the transformation of corporate governance practices in India, the legal and regulatory regimes governing risk management have progressed to largely resemble international standards, with an emphasis on the risk oversight function of boards. The Companies Act, 2013 addresses the board’s risk oversight responsibilities. For listed companies, the Securities and Exchange Board of India (SEBI) has issued regulations that require the largest listed companies to form a risk management committee. The emphasis on the board’s oversight of risk management is in line with the corporate governance transformations that have taken place in India which increasingly stress a monitoring role for directors.
Despite the shift in the regulation of risk management, studies and surveys suggest that risk management has yet to become a priority at many Indian companies. Furthermore, recent high-profile risk management crises highlight the importance, and challenges, of board oversight of corporate risk. While India’s legal framework for board oversight of risk has evolved, two recent crises — the collapse of IL&FS and management failures at ICICI Bank — demonstrate the barriers that directors of Indian companies continue to face in overseeing increasingly complex risks. Our article uses both crises as case studies to reflect on risk management lessons for boards of Indian firms more generally.
In addition to corporate crises, the COVID-19 pandemic has brought the issue of board oversight of risk management to the forefront. India as a nation was underprepared to prevent, detect and respond to a pandemic, and the crisis has been a significant one for nearly every board of directors in India. In such a crisis, companies with good governance and risk management systems may be better able to address stakeholder concerns than companies whose boards have not prepared for such calamities.
As companies face increasing risk complexity, boards must continually assess the structure of a company’s risk management policies and procedures. Not only are boards charged with overseeing an increasingly complex set of risks, but directors of Indian firms, particularly independent directors, face a variety of barriers in effectively overseeing risk management. Most Indian firms are controlled companies, with board members beholden to controllers and management for access to information. Limited access to independent external advisors such as lawyers, consultants, accountants, and the like, as well as significant dependence on management for obtaining information on business plans, strategies and risk preparedness of the company, can hamper the ability of boards to adequately monitor the company’s risk management policies and procedures. These issues intensify in boards with many outside independent directors.
Nevertheless, the barriers faced by directors of Indian firms are not insurmountable. The article’s case study of how the board of Infosys, one of India’s leading technology companies, addressed red flags raised by whistleblowers illustrates how an empowered board can respond to risk management issues effectively. Actions by the Infosys board provide lessons on how transparent processes and clarity regarding the company’s investigation process allowed the board to assess, identify and manage risks raised by serious allegations. Furthermore, following the crisis, the Infosys board undertook additional steps to strengthen and revise its applicable policies. By responding and taking charge of the governance challenge facing the company, the Infosys board was able to prevent further harm to stakeholder interests as well as its own reputation.
Drawing lessons from these case studies, the article concludes with suggestions on how to further enhance the board’s risk oversight function. Stronger governance, more robust risk management strategies and capable board leadership and oversight will make priceless contributions to both Indian companies and to the Indian economy.
[Afra Afsharipour is Senior Associate Dean for Academic Affairs & Professor of Law at UC Davis School of Law and Manali Paranjpe is a Research Associate at The Conference Board, India]