In the Nirav Modi case, a single rogue employee’s actions have threatened to wipe out more than a quarter of Punjab National Bank (PNB) shareholders’ equity. This incident follows other similar international scandals in which Nick Leeson brought down Barings Bank, and Hamanaka caused significant losses to Sumitomo, both in 1995. This brings up the question whether such occurrences can be prevented or at least minimised with a long-term solution rather than simply a quick fix.
Enterprise Risk Management (ERM) is designed to minimise the likelihood of such occurrences. The state of the art is to use ERM for risk management and the three-lines-of-defence model for risk governance. Worldwide, financial institutions such as banks and insurance companies have implemented risk governance and are continuously improving their practice of it. India trails behind international best practices in risk governance by almost a decade.
Before ERM, companies relied on Traditional Risk Management (TRM) where each department or project head used to manage the risk in their own areas of operation. Organisations were unaware of their risks in a holistic manner. In 2004 the Committee of Sponsoring Organizations (COSO, a group of US-based academic and practitioners’ organisations concerned with financials and assurance) introduced an ERM framework. Under this framework, the board of directors plays a key role in setting and overseeing the risk governance infrastructure, ERM policy, and risk appetite statement, and management executes it. Risk appetite sets the amount and type of risk a company is willing to take to meet its strategic objectives. A set of risk-mitigation and reporting processes support the execution of the adopted policy.
The three-lines-of-defence model is a structure for risk governance where front line staff represents the first line, board and risk professionals such as chief risk officers (CRO) are the second line, and auditors the third. The first line of defence is responsible for managing their activities within the bounds of the risk policies and frameworks set by the board, and reporting risk events and emerging risks. The second line of defence oversees risk management. The CRO’s office ensures that risk limits are followed and reported. The board sets the risk policy by specifying the types and degree of risk that the company is willing to accept. It sets and enforces clear lines of responsibility and accountability. The third line of defence consists of auditors who provide independent assurance that risk governance is working as it should. Risk culture ties together the three lines and reflects their collective beliefs, values, and attitudes towards risk based on their shared understanding of the organisation's ERM policy.
Indian regulations too require risk governance. Financial institutions such as banks and insurance companies are required to form risk management committees of their boards, and have a risk governance infrastructure such as an ERM policy and risk appetite statements. However, the P.J. Nayak Committee on banking reforms found that Indian bank boards spend hardly any time on strategic matters such as risk management. It quotes one example in which the board spent as much time on the taxi fare reimbursement policy as on NPA recovery. With a lack of leadership from the top, it is not surprising to find a poor risk culture and the occurrence of incidents such as Nirav Modi’s.
In our research on risk governance, we find that even in advanced countries a regulatory nudge is generally necessary for financial institutions to adopt risk governance seriously. It is common worldwide, especially on complicated issues like risk management that are difficult to do well, that companies comply in form rather than substance. Regulatory skills and expertise therefore determine whether companies comply in substance or merely in form.
After the global financial crisis of 2007-08, risk became a major issue for regulators worldwide. They attributed the crisis to excessive risk taking and a lack of risk disclosure, and levied heavy penalties. Year 2013 was the most disastrous year in terms of penalties for financial institutions. In the U.K., the Financial Services Authority (FSA) was split into the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA). Regulators such as the FCA have moved from regulating not just conduct but also culture. The latter cannot be measured, but with expertise in doing so it can be managed.
FCA’s focus on culture required an increased focus on changing the systems and process within companies to integrate new regulatory requirements. One large and mature British insurance company we studied already had all the elements of the risk governance infrastructure in place, and yet found that it was not meeting FCA’s high expectation on risk culture. It took up the challenge of enhancing the risk culture and was able to do so by developing a cognitive risk culture—one where people across all three lines of defence understand risks well, and also their responsibilities in relation to those risks.
The change was accomplished by creating a cadre of first-line staff called risk champions who are not risk experts; rather they are front-line staff working partly with the risk function and given an extra role of creating risk awareness in the organisation. The risk champions helped improve communication between the first and second lines of defence. The company also developed IT tools to better communicate risks throughout the organisation. The improved communication resulted in the development of a cognitive risk culture.
The regulatory push therefore led to an improvement even in one of the largest and most respected companies. Our learning from this case is that regulators can make a difference even to well-managed companies. Company executives and boards can make a difference by adopting the spirit of continuous improvement.
Indian banks need to align risk culture with the three lines of defence model not just in form but also in spirit, so that risk becomes a part of day to day decision-making rather than a year-end audit or compliance activity. To this end, India needs board members and senior executives of financial institutions to develop the skills and expertise that would put them on par with the best globally. To shape risk governance in banks, the Indian banking regulator, RBI, needs to act as a supervisor to guide, nurture and improve the current standard of risk governance. To do so, the RBI must develop expertise and keep up with global best practices. Sustaining economic growth requires nothing less.
(Views expressed are personal.)
Ruchi Agarwal is senior researcher at the Indian School of Business.
Sanjay Kallapur is professor of accounting and deputy dean at the Indian School of Business.