State of Risk Management in India

Risk Management as a practice seems to be in a nascent stage in India. In most cases risk management is thought to be confined to IT Security and management of risks in these areas. Due to the Satyam episode there seems to be more awareness regarding Governance.


I believe very few Indian companies are performing comprehensive Risk Management. This is not taken up as this is not part of any compliance or regulators are not demanding it. So there is very little incentive, since the benefits of risk management are long term and most times are not easily quantifiable.


So as a community what can be done in order to convince management about the benefits of risk management and why should they do it? Can we start to quantify the benefits so that the activity can be seen in real rupee sense?


I will appreciate others' comments.







  • Well said, but in my opinion it remains in books and is never done in principle. Unless we see some major impacts or attendant risks to the business, none of the stakeholders would move their feet to take some nifty steps towards a framework or Governance model, which could prove to be highly beneficial and useful to them. But on the other side, organizations passing through the recession periods have become very sensitive and cautious about their security investments, and take the help of some independent consultants, who might have done ISO 27001 LI/LA certifications, to carry out implementation at a much cheaper cost, and I have seen customers using that route have had their own nightmares, not to offend any of the independent consultants. That is what has been my experience. The day is not far when I see organizations treating ISMS as any other ISO 9001:2008 Management standard and paying a meager fee to consultants, who would like to put appropriate frameworks and adequate controls meeting the organization’s security objectives. Today’s mantra is to get work done and not look at what quality and standard.

    Having said that, there are larger organizations where their internal risk teams have put an ERM framework in place and are continuously monitoring and reviewing their business risks. They are the people who drive this through Biggies. Apart from this, the scene in India is very poor and our CxOs have business pressures to ensure their core business works smoothly without much expenditure on IT Infra, leaving aside the need for a special focus on Risk Management practices. In my opinion, there is a transformation required to see through the realm of risks in our lives and understand how it translates in our professional practices, which might kindle some thoughts to raise bars, inspiring to take steps towards building these frameworks and Governance Models. Also, India needs legislative and statutory bodies to bring more strict disciplines or norms into the industry, which makes it mandatory for every organization to maintain security standards and that way, we can see some change in the industry. In fact some of the organizations have seriously started looking at IT Act 2008, especially BFSI / KPO/LPOs. This is all driven by business need.

    Please do share your opinions as well.
  • Nagesh, well said. We need to figure out the organizations we can influence starting with ICAI. How do you think we should go about it?

  • Thank you Manish and Sonia for your comments.

    As Manish said, the risk management culture has to be imbibed. For this to happen the "tone at the top", which is not only "saying the right things" but also "doing the right things", has to be there. Yes, in order to develop a risk management culture and a risk management framework a definite amount of effort has to be there, which needs to be supported by top management, board.

    Regarding corruption, lately I have seen it has become rampant. Consider the telecom 2G scam which runs into thousands of crores. Then the CWG scam which again is thousands of crores. All this money ending in Swiss bank accounts and siphoned off to other countries. According to latest estimates 125 billion dollars have been siphoned off between 2000 and 2008. If you include the latest scams the figure will only increase. You can check out my blog on this at
    There is mining corruption, and politics regarding mining corruption; a case in point is the Karnataka political crisis, where MLAs are being bought by bidding (they should put themselves up on eBay).

    I feel there are deteriorating standards in terms of corruption and the volumes of this corruption. This is not just in public life and public companies and is surely affecting the private companies. I recently did business with a private company which shall remain unnamed; they deducted TDS but I suspect they have not submitted the tax deducted to the Government and properly provided a TDS certificate to me. There seems to be some incentive to the employees to deduct these "TDS" and pocket it.

    So what are we to do regarding this? We as a whole need to put pressure that this is not acceptable. Consider the case in point of the loud booing for Suresh Kalmadi at the closing ceremony of CWG. I am sure Sonia and Manmohan, who were in the audience, were influenced to take stricter action.
    Similarly the stock holders of the companies should demand better governance at company AGMs. The regulator should enforce stricter regulations, not just make it voluntary guidelines. So, as risk management professionals, what is our role in all this? Our role is to make people aware of benefits which are quantifiable and to have a business case developed for implementing comprehensive risk management solutions.

  • I came across this interesting article - Economic Uncertainty Drives Enterprise Risk Management Activity on Market Watch
    Read below:

    In a survey of over 210 companies worldwide, Aberdeen research finds that top performing companies are 83% more likely to be able to clearly assess the status of existing risk and 71% more likely to have transparency and clear communication of risk information, thereby building a risk-aware culture.

    "With today's increased consumer and governmental scrutiny, companies must be aware of events that directly impact their brand image and their competitive position. By integrating risk information into strategic planning, capital allocation, core decision-making and performance management, top performers gained a 17% improvement in effectiveness of risk detection and assessment year over year: 7% higher than all other companies," said David Hatch, senior vice president and general manager of Aberdeen Group's research operations.

    Link is here:
  • Hi Nagesh & Manish,

    Very valid points brought forward. Although the Company Law requires Internal Audit and maintenance of controls, the focus is on maintaining control on transactions. The organizations need to have a comprehensive focus on risk management from strategic, operational, financial, social and geopolitical aspects. ERM would be a good tool.

    The one thing which strikes me is that Indian organizations are not focused on building healthy corporate culture. If workplace ethics and culture are not a priority, the internal control environment will be negatively impacted. Corruption is rampant, and organizations do not have anti-bribery policies. The diversity and workplace aggression issues are dealt with by issuing paper policies, rather than incorporating in the culture.

    So definitely we need to focus on it and be able to educate the CXO level. In all these matters the tone at the top counts.

    In most cases the internal audit head is reporting to the CFO. The CFO has maximum time with the board. But still there is no progress on the risk management aspects. As a first step the risk management head should get a direct seat at the board and report to the CEO. That will create more visibility.

    What is your opinion?

  • Hi Nagesh

    I agreed with your viewpoints. Indian companies are not showing their interest in Risk Management.
    Focusing on Risk Management is very important. Model Risk, Liquidity, Market Risk, Credit Risk and Operational Risk should be the major focus areas. It's amazing that even after the recent credit crisis, companies are less bothered about Risk Management. From my viewpoint a culture of risk management needs to be developed. Managers need to understand the importance and should be ready to come forward for Risk Management implementation. An ERM framework can be best for handling all risks together in an integrated format.