Enterprise Risk Management ERM as an essential tool

Enterprise Risk Management (ERM) as an essential tool for good corporate governance Rahaju Pal Director, Enterprise Risk Services September 2010

Contents • Corporate Governance - Key elements • Evolution of Corporate Governance – India • Why ERM • ERM for Corporate Governance • Deloitte’s nine principles for building a Risk Intelligent Enterprise • ERM – Key Challenges • Route to Risk Intelligent Governance • Key takeaways • About Deloitte 2 © 2010 Deloitte Touche Tohmatsu India Private Limited

Corporate Governance – Key elements Core Principles • Shareholder rights • Independence • Accountability and disclosure • Board roles and responsibilities Intent • Ensure integrity of accounting and financial reporting • Include independent audit • Ensure appropriate controls over – Financials – Monitoring risks – Compliance with laws and regulations OECD principles of Corporate Governance: “The Board should fulfill certain key functions including: Ensuring the integrity of the corporation’s accounting and financial reporting systems, including the independent audit, and that appropriate systems of control are in place, in particular, systems for risk management, financial and operational control, and compliance with the law and relevant standards. ” 3 © 2010 Deloitte Touche Tohmatsu India Private Limited

Corporate Governance – Key elements Factors driving state of governance • Globalization • Growth initiatives • Accelerated decision-making • More proactive Boards • Increased competition • Recent scandals Key players involved • CEO / CFO • Board of Directors • Audit Committees and other committees of Board • Shareholders • Regulators 4 © 2010 Deloitte Touche Tohmatsu India Private Limited

Evolution of Corporate Governance – India Confederation of Indian Industry (CII), Associated Chambers of Commerce and Industry (ASSOCHAM) and Securities and Exchange Board of India (SEBI) constituted following committees to recommend initiatives in Corporate Governance for Indian Corporate. Kumar Mangalam Birla Committee 1999 Naresh Chandra Committee 2002 Narayan Murthy Committee 2003 SEBI constituted the Kumar Mangalam Birla Committee in 1999 which made recommendations for changes in clause 49 of listing agreement primarily covering Constituted by Department of company Affairs (DCA) which covered essentially the Auditor – Company relationship and the concept of CEO/CFO certification in line with Sarbanes Oxley Act in the United States. Constituted by SEBI to examine the quality and uniformity of disclosures made under Clause 49 and made recommendations for improvements, drawing upon the existing best practices and the recommendations made by the earlier committees. • Composition of the Board of Directors • Audit Committee • Directors Remuneration • Disclosures Clause 49 of the Listing agreement with Stock Exchanges governs the corporate governance requirements for the Indian Coroporate Sector. 5 © 2010 Deloitte Touche Tohmatsu India Private Limited

Why ERM Meet Legal Requirements Letter of the Law Spirit of the Law • High profile corporate scandals in USA (Enron, Worldcom etc. ) followed by encouragement from SEC & NYSE to adopt Risk Management activities. • In India Clause 49 of the listing agreement stipulates Risk Management as mandatory compliance requirement. • Financial analysts and rating agencies are increasingly interested in a company’s ERM capability. – Moody’s and Standard & Poor’s have ERM listed as one of their evaluation criteria – Even Indian Rating Agencies – CRISIL , ICRA , CARE consider quality of Corporate Governance and Risk Management while assigning their ratings to companies 6 © 2010 Deloitte Touche Tohmatsu India Private Limited

Why ERM contd. . • When a corporate catastrophe occurs, questions quickly arise as to whether the board was complacent in its oversight responsibilities. Perceived complacency can be costly: in case of Satyam the role of independent directors were questioned • S & P announced on Month X, 2008 that an analysis of ERM capability will be a factor in determining a company’s overall credit rating. Evaluations will be conducted as an integral part of their normal credit review process. Discussions with company managers will focus on the following major areas of ERM capability: • Risk-management culture and governance • Risk Controls • Emerging Risk Preparation • Strategic risk management • Maintaining and improving credit ratings will help reduce cost of capital and support greater flexibility in managing debt • Board directors are already demanding increased risk information - this issue will drive even higher expectations • Shareholders and other stakeholders expect management to take more effective steps to minimize the frequency and severity of losses and missed earnings projections • Now more than ever, directors are expected to exercise due diligence and care. Directors are understandably concerned about personal liability and reputation at risk. But without better risk intelligence that comes from an effective enterprise risk management (ERM) approach, it will be difficult for the board to meet stakeholder expectations. 7 © 2010 Deloitte Touche Tohmatsu India Private Limited

ERM for Corporate Governance • Top-down involvement (board and executive management) • Common infrastructure to identify, assess and respond to risks • Discipline around making risk-informed decisions • Require risk management as a competency across level Deloitte’s nine fundamental principles assist organisations to become Risk Intelligent 8

Deloitte’s nine principles for building a Risk Intelligent Enterprise Risk Governance Common Definition of Risk A common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization Common Risk Framework A common risk framework supported by appropriate standards is used throughout the organization to manage risks. Roles & Responsibilities Key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organization Transparency for Governing Bodies Governing bodies (e. g. , Boards, Audit Committees, etc. ) have appropriate transparency and visibility into the organizations risk management practices to discharge their responsibilities Risk Infrastructure & Management Common Risk Infrastructure A common risk management infrastructure that is used to support the business units and functions in the performance of their risk responsibilities Executive Management Responsibility Executive management is charged with designing, implementing and maintaining an effective risk program Objective Assurance and Monitoring Other functions (e. g. , internal audit, risk management, compliance, etc. ) provide objective assurance as well as monitor and report on the effectiveness of an organization's risk program to governing bodies and executive management. Risk Ownership 9 Business Unit Responsibility Business units are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management Support of Pervasive Functions Certain functions have a pervasive impact on the business and not only provide support to the business units as it relates to the organization's risk program, but also enhance and enable success when strategically aligned and considered as essential elements of the program © 2009 Deloitte Touche Tohmatsu India Private Limited

ERM – Key Challenges Factors driving state of ERM • Risk is becoming personal for Board Members and Executives • Risk is managed in silos • Risk Management is focused on ‘Unrewarded Risk’ rather than ‘Rewarded Risk’ Creating shareholder value New product development Increased revenue Increased market share Penalties and fines Preserving shareholder value Fraud Lawsuits 10 + V A L U E − © 2010 Deloitte Touche Tohmatsu India Private Limited

ERM – Key Challenges contd. . Key questions for Board to ask • What is the company’s policy and process for managing risks on an integrated, enterprise-wide basis? • What are the company’s key risks and vulnerabilities, and what are the plans to address them? • Who has the authority to take risk on behalf of the company? Some of the common ERM challenges are: Strategy • Unclear risk strategy and philosophy • Lack of actionable details and support from top management towards implementation of the risk strategy • Lack of transparency and understanding of risk issues at Board and Executive levels 11 Execution Behavior • Lack of consistent practices and critical success factors across organization • Ineffective change management and communication to manage organizational resistance to new ERM practices • Unclear definition of the roles and responsibilities of the riskrelated functions and risk owners • Risk related activities positioned as redundant except ones required for compliance • Business units treating risk management as interference of the management into their functioning • Decision-making driven by earnings rather than riskadjusted results © 2010 Deloitte Touche Tohmatsu India Private Limited

Stakeholder Value Journey that most companies make on the road to Risk Intelligence Deloitte's Risk Intelligence maturity model Risk Intelligent Systematic Unaware Fragmented Top Down Stages of Risk Management Capability Maturity Typical Symptoms Unaware Fragmented • Independent risk management • Depends primarily on activities individual heroics, • Limited focus on the capabilities, and verbal linkage between risks wisdom • Limited alignment of risk to strategies • Disparate monitoring & reporting functions • Ad hoc/chaotic 12 Top Down Systematic • Common framework, program statement, policy • Routine risk assessments • Communication of top strategic risks to the Board • Executive/Steering Committee • Knowledge sharing across risk functions • Awareness activities • Formal risk consulting • Dedicated team • Coordinated risk management activities across silos • Risk appetite is fully defined • Enterprise-wide risk monitoring, measuring, and reporting • Technology implementation • Contingency plans and escalation procedures • Risk management training Risk Intelligent • Risk discussion is embedded in strategic planning, capital allocation, product development, etc. • Early warning risk indicators used • Linkage to performance measures and incentives • Risk modeling/scenarios • Industry benchmarking used regularly © 2009 Deloitte Touche Tohmatsu India Private Limited

Actions for Risk Intelligent Governance • Define the board’s risk oversight role • • Define the board’s risk governance roles and responsibilities Consider board composition Establish an enterprise-wide risk management framework Perform site visits • Foster a Risk Intelligent culture • • Lead by example in communicating about risk Build cohesive teams with management Reward Risk Intelligent behavior Consider a third-party assessment • Help management incorporate Risk Intelligence into strategy • Design processes for integrating risk management into strategic planning • Monitor strategic alignment • Establish accountability 13 © 2010 Deloitte Touche Tohmatsu India Private Limited

Actions for Risk Intelligent Governance contd • Help define the risk appetite • Distinguish between risk appetite and risk tolerance • Serve as a sounding board • Execute the Risk Intelligent governance process • • Work with management on process design Monitor the overall risk management process Conduct formal risk management program assessments Clarify accountability at the board and management levels • Benchmark and evaluate the governance process • • 14 Use internal monitoring and feedback Participate in continuing education and updates Solicit independent viewpoints Include risk as a topic in the annual board self-assessment © 2010 Deloitte Touche Tohmatsu India Private Limited

The program and organization structure for Risk Intelligent Enterprise Board of Directors Executive Risk Oversight People Process Technology Common Risk Infrastructure Risks Risk Ownership BU A BU B BU C BU D Identify Risks Governance 15 Internal Audit Executive Risk Committee Assess & Evaluate Risks Strategy & Planning Respond to Risks Design & Test Controls Monitor, Assure, Escalate Operations / Infrastructure Compliance Reporting Sustain and Continuously Improve Develop and Deploy Strategies Risk Governance © 2009 Deloitte Touche Tohmatsu India Private Limited

Our customised approach for ERM Designing the ERM program Scoping and planning Objectives The objectives of this phase are: • Project set up and governance • Assess the current state of risk management • Assess the maturity of risk management activities within the organisation. The objective of this phase is to design an ERM Program that will enable achieving the strategic objectives of the organization and comply with risk management guidelines Risk Prioritisation Workshops The objective of the workshop module is to sensitize the senior management on the significance of active risk management and their role in the program. Manage risks on an ongoing basis Risk workshops Approach Conduct risk workshops across management levels Risk Diagnostic Tool Key Deliverables 16 Assess workshop needs • Project scope and governance documentation. • Risk Management architecture and framework elements Risk intelligence Framework • • • Governance Structure ERM policy document Guidelines on Risk Appetite Framework Risk reporting design Risk assessment at a business process level Develop workshop plan and material Risk Maturity Development Framework • Risk registers across key business processes of the Company • Risk Workshops (2) • Identification of top 20 risks of the organisation • Root cause analysis and risk profiling for top 20 risks indentified • Risk prioritisation and reporting © 2010 Deloitte Touche Tohmatsu India Private Limited

Relevant tools from Deloitte The Risk Intelligence Diagnostic Tool The Risk Intelligence Map Risk Infrastructure & Oversight Risk Intelligence Whitepaper Series 17 © 2010 Deloitte Touche Tohmatsu India Private Limited

Key takeaways Risk Intelligent governance stands among the most valuable contributions a board can make to its organization. As seasoned business leaders, board’s combined breadth of perspective, depth of experience, and knowledge of the enterprise can lend support to the organization’s risk management efforts that is not only invaluable, but also unavailable elsewhere. The competitive benefits of Risk Intelligent Governance include: • A means to improve strategic flexibility for both upside and downside scenarios • Employ risk management for competitive advantage • Assist in shaping the organization’s response to regulatory issues • Drive long-term growth while preserving assets • A common risk management infrastructure with sufficient autonomy for individual business units/functions to exploit their specialized knowledge and expertise • The ability to provide a “comfort level” to the Board and other stakeholders that the full range of risks is understood and managed In the present business scenario, where being and staying profitable is a paramount objective, a Risk Intelligent Enterprise. TM can look forward to a bottom line impact 18 © 2010 Deloitte Touche Tohmatsu India Private Limited

Deloitte’s leadership position in risk consulting The Kennedy Vanguard for Risk Consulting Practices, 2009 * “The Forrester Wave. TM: Risk Consulting Services, Q 1 2009”, Michael Rasmussen and Chris Mc. Clean “Deloitte’s approach to risk consulting engagements focuses on risk management’s crucial role in creating and protecting business value. An important thought leader in the space, Deloitte also leads the market with a full range of services from risk strategy and process design down to technology development and implementation. Deloitte stood out with this holistic approach as well as its emphasis on a “risk intelligence” framework for driving enterprise wide communication and action. ”* 19 © 2010 Deloitte Touche Tohmatsu India Private Limited

A unique multi disciplinary practice of professionals § Deloitte’s operations in India constitutes a large and important part of the global firm. Our success can be attributed to the following: § Multi Disciplinary services – Our traditional and non traditional service offerings are the most comprehensive in the industry and allow us to help our clients grow while managing risks. We service our clients out of the 13 offices across India § Global Resource Pool – Our practice is structured to ensure the best talent reaches the customer. Teams are rigorously trained in applying proprietary Deloitte methodologies and have access to Deloitte’s Global Knowledge databases and research § Industry Experience – We draw upon industry leaders to augment our knowledge, stay on top of developing trends and build experienced team with key team members having been involved in corporate and business unit strategy development across a range of industries and geographies We have worked with the largest Banks, Insurance and Asset Management companies on Strategy, Operations, Technology, and Risk Management projects 20

Shaping the industry through world-class thought leadership • Deloitte Research is a cross-industry group, which is known in the marketplace for bringing new perspective to real-world concerns. Deloitte Research is comprised of leading thinkers on strategic, economic, regulatory, technology, and industry issues. • GFSI develops industry and sector-specific research on hot topics and business issues. • Deloitte Strategy, Research and Innovation Group (SR&I) is a centralized research and development organization built on the firm’s deep understanding of business and industry trends, in-depth capabilities in client and market analysis and competitive strategies, and the insightful work of our research professionals that includes issuespecific expertise and innovative ideas related to our clients’ unique business challenges. Our SR&I organization enables Deloitte to better understand the issues that are important to clients and how our resources can be brought to solve their business challenges. SR&I has long had a Center of Excellence in India to support escalating client demand for research services. This unique operation enables the SR&I organization to literally work around the clock, giving our clients access to best-inclass industry research and analysis Representative industry association relationships • • • 21 CFA Institute (formerly AIMR) Investment Company Institute (ICI) National Investment Company Service Association (NICSA) Managed Funds Association Money Management Institute Global Alternative Investment Management (GAIM) American Chamber of Commerce in Japan (ACCJ), Investment Management Subcommittee Japanese Institute of Certified Public Accountants (JICPA), Investment Trusts Subcommittee Securities Analysts Association of Japan (SAAJ), IPS Verification Committee Korea Accounting Standards Board(KASB), Working Group on Uniform Accounting Standard for Asset Management • • Guernsey International Fund Association (GIFA) Jersey Fund Managers Association (JFMA) Dublin Funds Industry Association (DFIA) Alternative Investment Management Association (AIMA) Association Luxembourgeoise des Fonds d’Investissement (ALFI) ALFI hedge fund working group Auditors’ Institute Committee on Banking and Asset Management AIMA and the Investment Management Association © 2009 Deloitte Touche Tohmatsu India Private Limited

In this material Deloitte refers to Deloitte Touche Tohmatsu India Private Limited (DTTIPL), a Company established under the Indian Companies Act, 1956, as amended. DTTIPL is a member firm of Deloitte Touche Tohmatsu, a Swiss Verein, whose member firms are legally separate and Independent entity. Please see www. deloitte. com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms This material prepared is intended to provide general information on a particular subject or subjects and are not an exhaustive treatment of such subject(s). Further, the views and opinions expressed herein are the subjective views and opinions of DTTIPL based on such parameters and analyses which in its opinion are relevant to the subject. Accordingly, the information in this material is not intended to constitute accounting, tax, legal, investment, consulting, or other professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser. None of Deloitte Touche Tohmatsu, its member firms, or its and their respective affiliates shall be responsible for any loss whatsoever sustained by any person who relies on this material. © 2010 Deloitte Touche Tohmastu India Private Limited 22 © 2010 Deloitte Touche Tohmatsu India Private Limited