RISK MANAGEMENT POLICY
This document lays down the framework of Risk Management and Audit Committee at West Bengal Highway Development Corporation Limited (hereinafter referred to as the ‘Company’ or ‘WBHDCL’) and defines the policy for the same. This document shall be under the authority of the Board of Directors of the WBHDCL. It seeks to identify risks inherent in any business operations of the Company and provides guidelines to define, measure, report, control and mitigate the identified risks.
Ministry of Corporate Affairs, Government of India for the first time accepted the concept of Risk Management and its relevance to the smooth functioning of the Corporate sector in India across all companies including unlisted companies and therefore introduced a specific provision on Risk Management.
(II) (C) Risk Management
“i). The Board, its Audit Committee and its executive management should collectively identify the risks impacting the company's business and document their process of risk identification, risk minimization, risk optimization as a part of a risk management policy or strategy.”
In the private sector the topmost priority is growth, and in the process they leverage. In PSUs, the feeling is that growth is secondary; first is stability. Hence all decision-making processes always try to look at the downside of the decision and contingency planning.
Since Government companies deal with public money, checks and balances are necessary and risk management practices need to be much stronger.
As per clause 7.3.1 of Department of Public Enterprises guidelines on Corporate Governance of 2010, the Company shall lay down procedures to inform Board members about the risk assessment and minimisation procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined framework. Procedures will be laid down for internal risk management also.
Risk may simply be defined as exposure to uncertainty. Thus, risk has two components: uncertainty and exposure to that uncertainty.
A business risk is the threat that an event or action will adversely affect an organisation’s ability to maximize shareholder value which in turn means the public at large and to achieve its business objectives.
3.1.2 Risk Management
Risk Management is a structured, consistent and continuous process for identification and assessment
of risks, undertaking control assessment and continuous monitoring of exposure of the risk.
It is the responsibility of the top management to ensure that an effective risk management program is in place.
3.1.3 Risk Strategy
The Risk Strategy of a company defines the company’s standpoint towards dealing with various risks
associated with the business. It includes the company’s decision on the risk tolerance levels, and
acceptance, avoidance or transfer of risks faced by the company.
In other words, risk strategy is the ability to effectively identify, quantify and control risks and exposures and to implement an effective framework to deliver business objectives and attain greater value for money.
3.1.4 Risk Assessment
Risk Assessment is defined as the overall process of risk analysis and evaluation.
3.1.5 Risk Estimation
Risk Estimation is the process of quantification of risks.
3.1.6 Risk Tolerance/Risk Appetite
Risk Appetite shows how much risk the management is willing to accept. An organisation’s
“appetite” or tolerance for risk will vary with its strategy as well as evolving conditions in its industry
Each organisation’s risk tolerance is unique, and it will vary according to the organisational culture as well as external factors. A critical aspect of the management’s responsibility is to determine which risks, and how each of them, the organisation should take and then to re-evaluate those choices as circumstances change.
3.1.7 Risk Description
A Risk Description is a comprehensive collection of information about a particular risk recorded in a structured manner.
3.1.8 Risk Register
A ‘Risk Register’ is a tool for recording the risks encountered at various locations and levels in a standardised format of Risk Description.
3.1.9 Risk Management and Audit Committee
"Risk Management and Audit Committee or Committee" means Committee of Board of Directors of the Company constituted under the provisions of Companies Act, 2013.
3.1.10 Board of Directors
"Board of Directors" or “Board” in relation to a Company, means the collective body of Directors of the Company. (Section 2(10) of the Companies Act, 2013)
"Policy" means Risk Management Policy.
Risk Management is an integral part of good management. The application of sound risk management allows for continual improvement and greater certainty in decision making. The end result is that there is a better chance that organisation’s objectives are met.
4.1 Operational Risks
New Project viability
Political Risk (Domestic)
Change Management Risks
Quality Control and Time Management
Supplier provisioning risk
Weather Volatility (Seasonality, Catastrophes (Cat) Risk)
Manpower Risks – Specialized manpower leaving the jobs
Reputation Risk (Company, Product/Service Defamation)
Operations Failure Risk
Information Technology
Change in technology
Sharing confidential information with competitors
Risk being under utilisation/placement in areas where they are misfit
Risk of Materials and Inventory
4.2 Financial Risks
Funding Risks (Government Contract Funding, Allocations, Deposit Works)
Credit default risk
Foreign Exchange Risks
Incorrect Financial Reporting Risk
Earning Volatility Risk
Project Financing (Debt Equity)
Labour and Material Costs (Contract, Outsourced)
Earnings Volatility (Revenue Recognition, EPS Growth)
Currency Fluctuation (Foreign Exchange, Arbitrage)
Interest Rate Changes (Credit and Interest Rate Risks)
Commodity Price Fluctuations (Derivatives)
Regulatory Exposures (Company(Derivatives) Rate Risks)
Liquidity Risk resulting in cash flow problems
Imposition of fresh or increased taxes or levies on the industry by the Government
4.3 Strategic Risks
Lack of responsiveness towards change in economic conditions
4.4 Contractual Risks & Exposures
Contractual Liability (Breach, Third Party Actions)
Indemnification (Hold Harmless Clauses)
Design Responsibility (Design Delegation, Assumption of Risk)
Liquidated, Consequential and Punitive Damages Clauses
Force Majeure Clauses (Schedule Delay)
Subcontractor Default, Abandonment
4.5 Insurable Risk & Exposures
Workers Compensation and Employers Liability
Contractors All Risks Policy
Commercial Property and Builders Risk
Environmental Liability (Pollution Coverage)
Contractors Professional Liability
Directors and Officers Liability
Employment Practices Liability (EPL)
Project Specific Coverages (OCP, PMPL)
Owners and Contractors Protective Liability (OCP)
Project Management Protective Liability (PMPL)
Subcontractor Default Liability
4.6 Human Resource Risks
Inadequate succession planning
Inability to attract quality personnel
Employees Health & Safety
Restriction on compensation due to Govt. Guidelines
High attrition rate in employees
Fraud & Integrity
4.7 Legal Regulatory & Compliance Risks
Commercial Interests not protected by Legal Agreements
Non-conformance or inability to comply with rules, regulations
Contractual Liability, etc.
4.8 External Risks
Major dependence on one client
Lack of responsiveness towards change in economic conditions
5. SCOPE AND OBJECTIVE
Risk Management Policy has been developed to assist in establishing and maintaining an effective
risk management framework for WBHDCL. WBHDCL operates in a business environment that is
characterised by providing good infrastructure facility for the state of West Bengal to facilitate
industrial growth and socio-economic development of the State.
Risk management framework assists the management in effectively dealing with uncertainty and associated risks & opportunities, thereby enhancing the organisation’s capacity to build value.
WBHDCL is subject to certain risks that affect our ability to operate, serve people at large, and protect assets. These include risks to employees and volunteers, liability to others, and risks to property. Controlling these risks through a formal program is necessary for the well-being of the organisation and everyone in it and for the betterment of the public. The jobs and services the organisation provides, the safety of the workplace and other benefits all depend to an extent on our ability to control risks.
Management has the ultimate responsibility to control risks. Control includes making decisions regarding which risks are acceptable and how to address those that are not. Those decisions can be made only with the participation of the entire workforce, because each of us understands the risks of his or her own tasks better than anyone else in the organisation. Each is responsible for reporting any unsafe conditions they see. Also, each is encouraged to suggest ways in which we can operate more safely. We are committed to the careful consideration of everyone's suggestions, and to taking appropriate action to address risks.
Key Objectives of the “policy” are:
To ensure that all the current and future material risk exposures of the company are identified, assessed, quantified, appropriately mitigated and managed;
To establish a framework for the company’s risk management process and to ensure company wide implementation;
To ensure proactive rather than reactive management;
To enable compliance with appropriate regulations, wherever applicable, through the adoption of best practices;
To provide a framework that enables future activities to take place in a consistent and controlled manner;
To provide assistance to and improve the quality of decision making throughout the organisation.
Strategic Objectives of the “policy” are:
Improving decision making, planning and prioritisation by comprehensive and structured understanding of business activities, volatility and opportunities/threats.
Contributing towards more efficient use/allocation of the resources within the organisation.
Protecting and enhancing assets and company image.
Reducing volatility in various areas of the business.
Developing and supporting people and knowledge base of the organisation.
Optimizing operational efficiency.
Accidents and other situations involving loss or near-loss will be investigated as part of the effort to manage risks.
Every employee's and volunteer’s performance will be evaluated, in part, according to how he or she complies with this policy.
Risk Management Policy is framed as per the following regulatory requirements:
COMPANIES ACT, 2013
1. Provisions of the Section 134(3):
“There shall be attached to financial statements laid before a company in general meeting, a report by its Board of Directors, which shall include-
(n) a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.”
2. Section 177(4) stipulates:
“Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall, inter alia, include,-
(vii) evaluation of internal financial controls and risk management systems.”
3. SCHEDULE IV [Section 149(8)]
“Code for Independent Directors.
II. Role and functions:
The independent directors shall:
(1) help in bringing an independent judgment to bear on the Board’s deliberations especially on issues of strategy, performance, risk management, resources, key appointments and standards of conduct;
(4) satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible;”
WBHDCL being an unlisted company is required to adhere only to the regulations made by the Companies Act, 2013.
7. RISK MANAGEMENT FRAMEWORK
Key elements of Risk Management Framework include Risk Strategy, Risk Structure, Risk Portfolio, Risk Measuring & Monitoring, Risk Optimizing and Risk Treatment. The implementation of the framework is supported through criteria for risk assessment and categorisation, risk reporting matrix, risk forms & MIS.
The overall objective of risk management process is to optimize the risk-return relationship.
7.1 Risk Strategy
Business strategy indicates the direction of the business; similarly, a risk strategy provides guidance for risk activities within the company. It sets the tone for aggressive or conservative risk management activities, dictates how measuring and monitoring activities can be carried out and provides the overall view needed by the management and the Board of Directors.
Accountability for enterprise-wide risks resides with the Board of Directors as mentioned in Companies Act 2013, although responsibility for enterprise wide risks is dispersed throughout the company under the supervision of the and Risk Management and Audit Committee.
Risk Management Strategy entails establishing a framework ensuring realisation of the Company's objectives. The strategy aims at:
To identify, evaluate and manage risks for the achievement of objectives.
To assess the likelihood, impact and acceptability of all risks to which the company is exposed.
To deliver controls and mitigation treatment to reduce the probability and impact of risks to an acceptable level.
To integrate risk management activities at all levels in the company.
To continuously monitor the effectiveness of the management of risks having particular regard to failings/weaknesses reported.
To ensure that necessary action is being taken promptly to remedy failings/weaknesses.
To identify and ensure delivery of effective risk management training programmes.
To continuously monitor and review risks and controls to cater for external/internal changes.
7.2 Risk Structure
A formal risk organisation structure with defined roles and responsibilities for risk management
activities is an essential prerequisite for an effective risk management framework.
Board of Directors (BOD) is responsible for overseeing and approving risk management strategy and policies. BOD may delegate the responsibility and authority of assessing effectiveness of the risk management procedures to the Risk Management and Audit Committee.
7.3 Risk Portfolio
The risk portfolio management cycle begins with risk identification and is followed by risk assessment, risk categorisation and finally by recording of risks in the risk registers.
“Risk Management Cycle”
Risk portfolio management includes risk identification, assessment and additions to the risk register.
7.4 Risk Identification
The purpose of risk identification is to identify potential events that have an adverse impact on the
achievement of business objectives along with the public welfare and development.
The identification of risks is the first step in the risk management framework. Potential events that might have an impact on the entity must be identified. Event identification includes identifying factors – internal and external – that influence how potential events may affect strategy implementation and achievement of objectives. Management identifies interrelationships between potential events and may categorize events in order to create and reinforce a common risk language across the entity and form a basis for considering events from a portfolio perspective.
Risk identification refers not only to the systematic identification of risks but also to the identification of their root causes.
In order to identify risks, a range of potential events must be considered while taking into account past events and trends as well as possible future exposures. An event identified may have negative or positive impacts. An event with positive impact represents an opportunity and an event with negative impact represents a risk.
a. Risk identification procedure
Risk identification begins with understanding the objectives of WBHDCL and the strategies that have been adopted to achieve the same. Identification of risks is a continuous process and is carried out by Risk Management and Audit Committee, Project Heads together with the other employees. Common sources for identification of risks include operating and financial results, reports, concern areas highlighted during meetings of various committees (such as Executive Committee, RMC, etc.) and relevant information from the public domain.
Risk Management and Audit Committee through its members facilitates the risk identification process by undertaking the following activities:
Holding discussions on the highlighted risk/issues through meetings and workshops.
Providing consultation/ guidance with respect to risk identification process.
b. Risk Assessment
Risk assessment involves quantification of the impact of risks to enable prioritisation based on potential severity and probability of occurrence. This would allow an entity to consider the extent to which potential events might have an impact on achievement of objectives of the Company.
c. Risk Categorisation
Risk Categorisation into different groups helps to prioritize risks within the company. Categorisation enables management to focus on a specific group of risks.
Risks are categorised into the following categories: Strategic; Operational; Human Resource; Legal Regulatory & Compliance; Financial; and External Risk.
d. Risk Recording
“The Risk Register acts as a central repository of key risks”
Purpose of the risk register is to record identified key risks and related information in a structured manner. Reports drawn from the register are used to communicate the current status of all known risks and are vital for assessing management control, reporting and reviewing the risks faced by WBHDCL.
The ‘Risk Register’ should contain the following information:
i. Identified key risk,
ii. Risk description,
iii. Risk category,
iv. Risk owner,
v. Root causes,
vi. Impact and probability,
vii. Qualitative impact,
viii. Mitigating controls and action plan,
ix. Timelines for implementation of action plans.
MIS will be developed by the Functional Head for gathering report of risks and early warning in respect thereof. Risks will be recorded in a Corporate Risk Register (CRR). The Corporate Risk Register shall remain in the custody of the Chief Risk Officer vis a vis Functional Head.
The sample form of Risk Register is placed at Annexure-2 to the policy.
7.5 Risk Measuring and Monitoring
A risk review involves re-examination of all risks recorded in the risk register to ensure validity of the
The risk reviews will be conducted by the management (RMC and Risk Owners) on a periodical basis to monitor the effectiveness of the risk management framework. On need basis, an independent compliance review may be performed through an external consultant.
Risk reviews involve the following:
Assessment of completeness and validity of risks recorded in the risk register.
Assessment of changes in the business processes, operating and regulatory environment since the last risk assessment carried out and corresponding changes required in the risk profile, risk appetite and risk management policy and procedures of the organisation.
Review of efficacy and implementation status of action plans for identified risks and consequent revision in action plans.
7.6 Risk Optimisation
The final step in a risk management framework involves optimisation of risks faced by the Company. Optimising involves managing the exposure of various risks and bringing them in line with the risk appetite of the Company. It includes reducing costs related to excessive controls or taking action to expand risks in areas where existing controls provide additional risk capacity. Management should continually balance the cost/benefit of taking such action with the need to optimize risk in the organisation.
7.7 Risk Treatment
Following are key risk treatment options which management may adopt to optimise risks:
Risk Acceptance: Risks which cannot be avoided, reduced or transferred are to be accepted by the company. The company also accepts risks where additional risk handling is not cost effective or potential returns are attractive in relation to the risk exposure.
Risk Avoidance: This option is utilised for risks whose likelihood, consequences or organizational impact is significant. Hence, management may choose to avoid them altogether by withdrawing from such activities. (E.g. refuse orders, withdraw from some geographies etc).
Risk Mitigation: It is an approach to reduce either the likelihood or the consequences of the risk event by designing specific controls (E.g. disaster recovery plan etc).
Risk Transfer: Transferring means soliciting the involvement of a third party, thereby ‘passing on’ the impact of a risk event. (E.g. Insurance, joint ventures etc).
8. ACTION PLAN
Risk Management in the company will look into all organisational processes involved in advance detection of risks as well as in identifying and taking suitable action to counter them.
Deployment of integrated planning, control and monitoring systems and corporate governance systems and fine tune them on an ongoing basis to ensure that risks are detected at early stage and properly assessed and appropriately managed.
Risk management, a key success factor, will form an integral component of the company's management system. To promote risk awareness throughout the company, risk culture at all levels shall be developed through the mechanism of review framework, progress monitoring and discussions in open forums.
All identified risks will be assigned an impact, probability, category, timescale and action to be taken. This will be complemented with focus on quantitative reporting. A key element of early warning system will be regulated through a mechanism in which Risk Managers will inform the Risk Controllers, who in turn will report to the Functional Head acting as Chief Risk Officer about the probable/potential risk.
Functional Head acting as Chief Risk Officer shall compile all reported risks on quarterly basis with such details about risks in tabular form. This analysis will form an integral part of reporting and will be periodically reviewed by the Risk Management and Audit Committee/Board.
9. RISK MANAGEMENT INFORMATION SYSTEM (MIS)
The Company will have an enterprise-wide integrated Risk Management Information System (MIS) to be implemented.
The structure of the MIS will be as follows:
10. GUIDELINES TO DEAL WITH THE RISKS
Business Plan including Capital Expenditure and Fund Flow Statement for total business segment together with SWOT analysis, Assets, Accounts Receivables and Payables as well as Regulatory Regime applicable shall be reviewed in the light of the material risks identified. Through deliberations of the Committee a comprehensive plan of action to deal with the risks shall be developed and guidelines flowing from such plan shall be communicated to the employees concerned for mitigation of the risks.
11. BOARD APPROVAL
The Board will be the approving authority for the company’s overall Risk Management System. The
Board will, therefore, monitor the compliance and approve the Risk Management Policy and any
amendments thereto from time to time.
The Action Plan and guidelines decided by the Risk Management and Audit Committee shall be approved by the Board before communication to the personnel for implementation.
The Board shall approve the Risk Management (including Risk Treatment) strategy, control structure and policy guidelines and delegate authority and accountability for risk management to the Company’s executive team.
ROLE OF RISK MANAGEMENT AND AUDIT COMMITTEE
The following shall serve as the Role and Responsibility of the Risk Management and Audit Committee authorised to evaluate the effectiveness of the Risk Management Framework:
Review of the strategy for implementing risk management policy.
To examine the organisation structure relating to Risk management.
Evaluate the efficacy of Risk Management Systems – Recording and Reporting.
To review all hedging strategies/risk treatment methodologies vis a vis compliance with the Risk Management Policy and relevant regulatory guidelines.
To define internal control measures to facilitate a smooth functioning of the risk management system.
Ensure periodic review of operations and contingency plans and reporting to Board in order to counter possibilities of adverse factors having a bearing on the risk management systems.
12. INTEGRATION OF RISK MANAGEMENT STRATEGY
WBHDCL’s risk management strategy is to be integrated with the overall business strategies of the organisation and its mission statement to ensure that its risk management capabilities aid in establishing competitive advantage and allow management to develop reasonable assurance regarding the achievement of the Company’s objectives.
The penalties are prescribed under the Companies Act, 2013 (the Act) under various sections which
stipulate having a Risk Management Framework in place and its disclosure.
Section 134 (8) (dealing with disclosure by way of attachment to the Board Report): If a company contravenes the provisions of this section, the company shall be punishable with fine which shall not be less than fifty thousand rupees but which may extend to twenty-five lakh rupees and every officer of the company who is in default shall be punishable with imprisonment for a term which may extend to three years or with fine which shall not be less than fifty thousand rupees but which may extend to five lakh rupees, or with both.
There are other provisions of the Act as well as SEBI Act (applicable only to listed companies) which stipulate stiff penalties.
Therefore, this Policy prescribes that violation of the provisions applicable to Risk Management Framework is something the Company cannot afford to risk.
This policy has been implemented w.e.f 15th January, 2016 when the Board has adopted in its
This policy shall evolve by review by the Risk Management and Audit Committee and the Board from time to time as may be necessary.
This Policy will be communicated to all vertical/functional heads and other concerned persons of the Company.