Risk Management Policy

Section 134(3)(n) - Risk Management Policy 

There was some relief when the regulators relaxed the reporting requirement of Internal Finance Control (IFC) under section 134(5)(e) of the Companies Act, 2013 (the Act) which is applicable for listed companies and it is now made mandatory for Auditors to comment only from April 1, 2016. But there is another section 134(3)(n) of the Act which requires every company to state in the Board’s Report a statement indicating development and implementation of a Risk Management Policy. This provision is applicable to all types of Companies that have a requirement to provide Boards’ Report.

Significance of Risk Management Policy

Section 134(3)(n) states that the Board’s Report shall contain a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.

The above-mentioned provision makes it mandatory for the Board of Directors to comment on the risk management policy of the company in their report. To provide such details in the Board’s Report, the directors shall ensure to have a risk management policy in place, which shall contain the details of risk involved in the business of the company.

What is Risk Management Policy?

Risk management is the process of making and carrying out the decisions that will minimize the adverse effects of the accidental losses upon the company. In financial terms, it is important to the ability to peruse the goals of the company, and operate programs and to perform duties in an efficient and professional manner. In the Act it is clear that the onus is on the Board to take ownership and opine that there has been identification of elements of risk and that in the opinion of the Board may not threaten the existence of the company.

Threaten the existence of the Company

A Company can identify three broad issues that can threaten the very existence:

a. Corporate Strategy Risks that can be risks and threats from outside the Company

b. Management level risks can be risks from firms’ activities that is with the objects of the Company

c. Operational risks can be risks that may exists within the company

A risk management policy can serve two main purposes:

a. To identify, reduce and prevent undesirable incidents or outcomes and

b. To review past incidents and implement changes to prevent or reduce future incidents

Format of Risk Management Policy:

There is no standard format prescribed for framing this policy under the Companies Act, 2013. The Board shall develop a policy internally in consultation with senior management and such policy can be made available to the members, if required.

Approval of the Risk Management Policy by Board:

It is not mandated under the Act to obtain approval of the Risk Management Policy by the Board, but better governance is to table and take note of the policy in a board meeting or by means of a circular resolution.

Filing of Policy with external agency

There is no requirement of filing the risk management policy with any authorities.

Penal Provision:

The Act provides for penal provision under section 134(8) which states that if a company contravenes the provisions of section 134, the company shall be punishable with fine which shall not be less than fifty thousand rupees but which may extend to twenty-five lakh rupees. The section further provides that every officer of the company who is in default shall be punishable with imprisonment for a term which may extend to three years or with fine which shall not be less than fifty thousand rupees but which may extend to five lakh rupees, or with both.

Thus, if the risk management policy is not in place, the board cannot provide the details of such policy in the Board’ Report and the above-mentioned penal provision may get attracted. Hence the onus is on the Board to ensure that the policy is in place before March 31, 2015.