Faculty of law blogs / UNIVERSITY OF OXFORD

The Evolution of Risk Management Oversight by Indian Boards

Author(s)

Afra Afsharipour
Professor of Law and Senior Associate Dean for Academic Affairs, UC Davis School of Law
Manali Paranjpe
Research Associate, The Conference Board, India


Across the world, the focus on effective risk management has increased over the past two decades as major corporations have experienced risk management failures due to a variety of factors, including excessive financial risk-taking, environmental catastrophes and accounting and corruption scandals. Risk monitoring is a significant priority for corporate managers and boards, as well as for regulators and investors. As the OECD states: ‘while risk-taking is a fundamental driving force in business and entrepreneurship, the cost of risk management failures is still often underestimated […] Corporate governance should therefore ensure that risks are understood, managed, and, when appropriate, communicated.’

The board of directors lies at the core of effective risk management. Directors are not responsible for the everyday management of risk. However, the board plays a critical role in overseeing and guiding the risk policy of a company, and in ensuring that appropriate systems of control are in place. Since the 2008 financial crisis, more is expected of the board’s risk oversight responsibilities as companies face increasingly complex business, regulatory and political environments. Thus, national legislation and corporate governance guidelines and codes by leading international organizations have evolved to stress the role of the board of directors in risk oversight.

In our article, forthcoming in the National Law School of India Review, we analyze India’s evolving framework for board oversight of risk management. With the transformation of corporate governance practices in India, the legal and regulatory regimes encompassing enterprise risk management (ERM) have progressed to largely resemble international standards, with an emphasis on the risk oversight function of boards. The Companies Act, 2013 addresses the board’s risk oversight responsibilities. Furthermore, the Securities and Exchange Board of India (SEBI) requires the largest listed companies to form a risk management committee. The emphasis on the board’s oversight of risk management is in line with the corporate governance transformations that have taken place in India which increasingly stress a monitoring role for the board of directors.

Despite the shift in the regulation of risk management, studies and surveys suggest that risk management is not yet prioritized at many Indian companies. Recent high-profile risk management crises at certain Indian firms highlight the importance, and challenges, of board oversight of corporate risk. While India’s legal framework for board oversight of risk has evolved, two recent crises—the collapse of IL&FS and management failures at ICICI Bank—demonstrate the barriers that directors of Indian companies continue to face in overseeing increasingly complex risks. Our article uses both crises as case studies to reflect on risk management lessons for boards of Indian firms more generally.

Additionally, the COVID-19 pandemic has brought the issue of board oversight of risk management to the forefront. India as a nation was underprepared to prevent, detect and respond to the pandemic, and the crisis has been a significant one for nearly every board of directors in India. In such a crisis, companies with good governance and risk management systems may be better able to address stakeholder concerns than others whose boards are not prepared for such calamities.

As companies face increasing risk complexity, boards must continually assess the structure of companies’ risk management policies and procedures. Directors of Indian firms, particularly independent directors, face a variety of barriers in effectively overseeing risk management. Most Indian firms are controlled companies, resulting in independent directors being dependent on promoters and management for access to information. Limited access to independent external advisors such as lawyers, consultants, accountants, and the like, as well as significant dependence on management for obtaining information on business plans, strategies and risk preparedness of the company, can hamper the ability of boards to adequately monitor the company’s risk management policies and procedures. These issues intensify in boards with a higher number of outside independent directors.

Nevertheless, the barriers faced by directors of Indian firms are not insurmountable. This article’s case study of how the board of Infosys, one of India’s leading technology companies, addressed red flags raised by whistleblowers, illustrates how an empowered board can respond to risk management issues effectively. Actions by the Infosys board provide lessons on how transparent processes and clarity regarding the company’s investigation process allowed the board to assess, identify and manage risks raised by serious allegations. Furthermore, following the crisis, the Infosys board undertook additional steps to strengthen and revise its applicable policies. By responding and taking charge of the governance challenge facing the company, the Infosys board was able to prevent further harm to stakeholder interests as well as to its own reputation. The Infosys example demonstrates how boards can prepare for challenges that they may face in times of adversity, by investing time and effort in outlining response strategies and investing in improvement of risk management processes.

Drawing lessons from these case studies, our article concludes with suggestions on how to further enhance the board’s risk oversight function. It discusses the need to establish the ‘tone at the top’ and how companies should encourage a dialogue at the board level among the board, management, and risk owners (the operational managers/entity responsible for the day-to-day assessment and mitigation of risks), in order to benefit from the risk strategy in place. Companies must also broaden their outlook toward the newer types of risks that emerge and allocate risk management processes and costs accordingly. The integration of risk management and strategy is critical, as evidenced by the case studies discussed in the article. Stronger governance, more robust risk management strategies and capable board leadership and oversight will contribute to strengthening Indian companies and, at the macro level, the Indian economy.

Afra Afsharipour is the Senior Associate Dean for Academic Affairs and a Professor of Law at UC Davis School of Law.

Manali Paranjpe is a Research Associate at The Conference Board in India.
