SEBI Consults on Risk Management Committee

Risk management has acquired a crucial status in corporate governance. Its importance tends to get accentuated in the wake of crises. The concept came to the forefront after the global financial crisis more than a decade ago, and it became entrenched in specific sectors such as banking and financial services that were severely affected by the crisis. Even industrial accidents such as the BP oil spill in 2010 spawned a discussion on risk management. In India, eyebrows were raised after the collapse of IL&FS on account of the fact that the company’s risk management committee was inattentive. Given these circumstances, the Securities and Exchange Board of India (SEBI) in 2017 mandated that the top 500 listed companies in India have a risk management committee that monitors risks, including cyber security risk, and that the committee meet at least once a year. These requirements are enshrined in regulation 21 of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015.

With the ongoing pandemic, the need for more robust risk management practices has intensified. SEBI earlier this week published a “Consultation Paper on the Applicability and Role of the Risk Management Committee”. It seeks to extend the requirement of having a risk management committee from the top 500 listed companies to the top 1000 listed companies. More importantly, it prescribes the role of the risk management committee more specifically. Such a detail role for the committee is lacking under the current regime. According to the consultation paper, the committee is expected to formulate a detailed risk management policy that covers both internal and external risks, including “financial, operational, sectoral, sustainability (specifically, environmental, social and governance related risks and impact), information and cyber security risks”. The policy is also proposed to contain steps for implementation of the policy, including measures for mitigation, the relevant systems and well as business contingency preparation. The paper also details the manner in which the policy will operate, including information sharing within the company and cooperation between the risk management committee and the audit committee. The consultation paper also contains details regarding the quorum requirements and frequency of meetings (which has been increased from the present one meeting a year to two meetings).

While one may quarrel with the fact that the proposal is somewhat too prescriptive, there appears to be nothing fundamentally objectionable in it. All the risks identified in the consultation paper are significant, and the Covid-19 outbreak and the ongoing risks to business and the economy only highlight the increasing uncertainty within which companies operate. The need for instituting a risk management policy to be implemented by a specific committee will compel companies to pay adequate attention to possible risks even when times are normal, and to remain in a state of preparedness to address risks that may emanate from time to time. Finally, such a detailed treatment of risk management will also enable greater transparency, especially on environmental, social and governance matters.

About the author

Umakanth Varottil

Umakanth Varottil is an Associate Professor at the Faculty of Law, National University of Singapore. He specializes in corporate law and governance, mergers and acquisitions and cross-border investments. Prior to his foray into academia, Umakanth was a partner at a pre-eminent law firm in India.

Add comment


Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Top Posts & Pages


Recent Comments


web analytics

Social Media