Chapter-wise Comparison with Study Material
PART I GOVERNANCE AND SUSTAINABILITY
Chapter: RISK MANAGEMENT
Q1. What is Risk Management? Is a Risk Management policy mandatory for private companies? What are the advantages of risk management? [Scoring Question]
Ans. Risk Management: The processes which aim to assist organisations to identify, understand, evaluate and take action on their risks, with a view to increasing the probability of their success and reducing the impact and likelihood of failure.
Risk management is relevant to all organisations, large or small.
Effective risk management practices support accountability, performance measurement and reward.
They enable efficiency at all levels throughout the organisation.
ADVANTAGE OF RISK MANAGEMENT
Risk management plays a vital role in strategic planning. It is an integral part of project management. An effective risk management plan focuses on identifying and assessing possible risks.
Risk management always results in significant cost savings and prevents time and effort being wasted on firefighting. It develops robust contingency planning.
It can help plan and prepare for the opportunities.
Risk Management improves strategic and business planning. It reduces cost by limiting legal action or preventing breakages.
It improves reliability among the stakeholders, leading to an enhanced reputation.
LEGAL REQUIREMENTS:
Section 134(3) of the Companies Act, 2013, which prescribes the disclosures to be made in the Board's Report of a company, inter alia provides that the Board's Report must include a statement indicating the development and implementation of a risk management policy for the company, including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.
18.4 ENVIRONMENTAL, SOCIAL & GOVERNANCE (ESG) - PRINCIPLES & PRACTICE
CONCLUSION: Since a Risk Management Policy is becoming more and more relevant for all types of organisations, whether big or small, and since it has also been mandated under the Companies Act, 2013, we conclude that a private company must have a Risk Management Policy, and that it will also be advantageous for the company.
STEPS IN RISK MANAGEMENT PROCESS
Q2. "Risk Identification should involve continuous implementation as new phases, experiences, and viewpoints are introduced." Explain the essentials of risk identification that guarantee maximum results. [Dec. 2022 (5 Marks)]
Ans. RISK IDENTIFICATION: The first and foremost step is risk identification. It is a process to ensure that all potential project risks are identified, and it is a crucial step for efficient risk management. It is an iterative process: first information is gathered, then various techniques are applied, and eventually the results are documented. The essentials of risk identification are as follows:
Team Participation: The project manager must have face-to-face interaction with the team, and everyone must be able to participate freely; communication must be comprehensive.
Repetition: The risk management process must be continuously updated as the information changes.
Approach: Different approaches must be used for different objectives. One method is to identify all root causes, undesirable events and map their potential impacts. Another is to identify essential functions the project must enact, then find possible issues with each function or goal. Both methods work well, but the latter may be easier due to its defined scope.
Documentation: Consistent and exhaustive documentation leads to comprehensive and reliable solutions for a specific project or future risk management team’s analysis.
Roots and Symptoms: There is a difference between roots and symptoms. A symptom can be confused with the root cause, making it critical to discover the origin of risks and to distinguish them from their symptoms. Other essentials of risk identification involve the analysis phase.
Project Definition Rating Index (PDRI): PDRI is a risk assessment tool that helps to develop mitigation programmes for high-risk areas. It facilitates the team's risk assessment within the defined project scope, budget and deadlines.
Q3. What are the steps involved in risk identification? [Scoring Question]
Ans. An effective Risk Identification process includes the following steps:
Creating a systematic process - The risk identification process should begin with project objectives.
Gathering information from various sources - Reliable and high-quality information is essential for effective risk management.
Applying risk identification tools and techniques - The choice of the best suitable techniques will depend on the types of risks and activities, as well as organizational maturity.
Documenting the risks - Identified risks should be documented in a risk register and a risk breakdown structure, along with their causes and consequences.
Documenting the risk identification process - To improve and ease the risk identification process for future projects, the approach, participants, and scope of the process should be recorded.
Assessing the process effectiveness - To improve it for future use, the effectiveness of the chosen process should be critically assessed after the project is completed.
Q4. "Risk analysis is an essential tool and one that could save time, money and reputations." Explain the statement and bring out the use of risk analysis. [Dec. 2020 (5 Marks)]
Ans. RISK ANALYSIS: Once the risk has been identified, the second step is to analyse the risk, which helps to identify and manage potential problems that could undermine key business projects and objectives.
(A) USES OF RISK ANALYSIS
Risk analysis is useful in many situations like:
While planning projects, to help in anticipating and neutralizing possible problems.
While deciding whether or not to move forward with a project.
While improving safety and managing potential risks in the workplace.
While preparing for events such as equipment or technology failure, theft, staff sickness, or natural disasters.
While planning for changes in environment, such as new competitors coming into the market, or changes to government policy.
(B) PROCESS OF RISK ANALYSIS
IDENTIFY THE RISK: The first step in risk analysis is to identify the existing and possible threats that one might face, such as human, operational, reputational, procedural, financial, political, etc.
ESTIMATE RISK: Once the threats are identified, it is required to calculate both the likelihood of these threats and their possible impact. This is done by making the best estimate of the probability of the event occurring, and then multiplying this by the amount it will cost to set things right. This gives a value for the risk:
Risk Value = Probability of Event × Cost of Event
(C) APPROACHES TO RISK ANALYSIS:
A number of different approaches can be used to carry out the analysis:
Run through a list of threats such as the one above and check whether any of them are relevant.
Think about the systems, processes, or structures used and analyze risks to any part of these.
Ask others for different perspectives, input from team members and consult others in the organization, or those who run similar projects.
Tools such as SWOT Analysis and Failure Mode and Effects Analysis can also help to uncover threats, while the Scenario Analysis tool helps to explore possible future threats.
Q5. Businesses determine the importance of each risk to achieving their overall objectives through risk assessment. What do you understand by risk assessment, and what is its process? [Scoring Question]
Ans. Risk assessment determines possible mishaps, their likelihood and consequences, and the tolerances for such events. The results of this process may be expressed in quantitative or qualitative terms.
Develop Assessment Criteria: The first step in the risk assessment process is to create a standard set of evaluation standards that will be used by all business units, corporate departments, and major capital projects.
Assess risks: Using the established criteria, values are assigned to each risk and opportunity as part of the risk assessment process; both quantitative and qualitative assessment are used to assess the risk.
Assess risk interactions: Businesses now understand how crucial it is to manage risk interactions. Even risks that seem modest on their own have the capacity to provide big opportunities or great harm when they interact with other circumstances and events.
Prioritize risks: Prioritizing risks for response helps senior management and the board to focus on the key risks when addressing them, even though each risk captured may be significant to management at the function and business unit level.
Response to Risks: The outcomes of the risk assessment process are then used as the main input for risk responses, i.e. accept, minimize, share, or avoid risks.
Effective and sustainable risk assessment process: To be effective and sustainable, the risk assessment process needs to be simple, practical, and easy to understand.
RISK MITIGATION
Q6. What is meant by handling of risk? Explain risk retention as a method of handling risk. [Scoring Question] OR
Q7. "Responsibilities and accountabilities of the person handling risks need to be identified and assigned." Explain the ways of handling the different types of risk existing in the business. [Dec. 2022 (5 Marks)]
Ans.
I. DEFINITION OF RISK HANDLING: The term risk handling means:
1) Allocation of the ownership of the risk
2) Fixing the responsibilities and accountabilities of the person handling it
3) Documentation
4) Reporting of the risk to a higher authority.
II. RISK HANDLING IS OF FOUR TYPES:
1) Risk Avoidance
2) Risk Retention
3) Risk Reduction
4) Risk Transfer
III. RISKS CAN BE HANDLED IN THE FOLLOWING WAYS:
1) RISK AVOIDANCE: This means avoiding risky business or projects altogether. For example, one may avoid investing in the stock market due to price volatility.
2) RISK RETENTION/ABSORPTION: This is a type of risk handling in which unavoidable risks are handled internally, either because insurance cannot be purchased or because the insurance is expensive. Risk retention is of two types: active risk retention and passive risk retention.
ACTIVE RISK RETENTION: After the conscious evaluation of all possible losses, risk is retained as a part of management strategy.
PASSIVE RISK RETENTION: In this type of risk handling the risk taker is unaware of the risk or does not understand it; therefore the risk is retained due to negligence.
3) RISK REDUCTION: By the term risk reduction we mean reducing the risk by reducing the probability of its occurrence. The ideal time for risk reduction is at the planning stage, when maximum improvement can be achieved. Risk prevention generally should be evaluated in the same way as other investment projects.
4) RISK TRANSFER: Risk transfer means the legal transfer or assignment of potential losses to another. The main method of risk transfer is "INSURANCE", as it deals with those risks that can be transferred to an organisation that specialises in accepting them, at a price. Usually, there are three major means of loss transfer, viz.:
By tort; by contract other than insurance; by contract of insurance.
Q8. What are Risk Mitigation Strategies that an organisation can apply? [Scoring Question]
Ans. Once risks have been identified and assessed, the strategies to manage the risk fall into one or more of the following categories.
1) TRANSFER RISK: Different agencies work together, and each takes care to transfer the risk in its area to another agency which is better equipped to deal with that risk, for a consideration. Whenever a particular agency, individual or firm finds that it is dealing in an area where it does not have the core competence, it seeks the help of another agency which has the specific core competence, and transfers its own risk to it.
2) TOLERATE RISK OR RISK RETENTION: By risk retention we mean that when the risks involved are small and the cost of insurance is much higher than the loss to be sustained, all losses that cannot be reduced, transferred or avoided are retained. For example, war: most property and risks are not insured against war, so the loss attributable to war is retained by the insured.
3) REDUCE RISK: The purpose of treatment is not necessarily to obviate the risk, but more likely to contain the risk to an acceptable level. Internal controls are actions instigated from within the organization (although their effects may be felt outside of the organization) which are designed to contain risk to acceptable levels.
4) AVOID RISK: This method results in complete elimination of exposure to loss due to a specific risk. It can be achieved either by not undertaking the risky project or by discontinuing an activity so as to avoid the risk. This means that no risky projects are undertaken. Alternatively, a project may be abandoned midway to mitigate the risk while handling it.
5) COMBINE RISK: When the business faces two or three risks, the overall risk is reduced by combination. This strategy is suitable mainly in the areas of financial risk. Different financial instruments say, shares and debentures are taken in a single portfolio to reduce the risk.
6) SHARING RISK: Insurance is a method of sharing risk for a consideration. For example, by paying an insurance premium the company shares the risk with insurance companies, and the insurance companies themselves share their risk through reinsurance.
7) HEDGING RISK: Exposure of funds to fluctuations in foreign exchange rates, prices, etc. brings about financial risks resulting in losses or gains. The downside risk is often taken care of.
FRAUD RISK MANAGEMENT
Q9. Discuss Fraud Risk Management. [Scoring Question] OR
Q10. While conducting the audit, the Secretarial Auditor found that, by forging a signature, the accountant had transferred a huge amount to a dummy account. There was a big financial scam in the organisation. On the fraud being reported, Management has desired that a Risk Management Policy to detect and control fraud be prepared. Being a Company Secretary, point out the major aspects to be included in the Fraud Risk Management Policy. [June 2019 (5 Marks)] OR
Q11. Explain Fraud Risk and the methodology to manage Fraud Risk in an organisation. [June 2022 (5 Marks)]
Ans. By fraud we mean “any behavior by which one person intends to gain a dishonest advantage over another”. In other words, fraud is an act or omission which is intended to cause wrongful gain to one person and wrongful loss to the other, either by way of concealment of facts or otherwise.
Fraud risk management processes:
1) Identifying Risks: For a corporation to effectively manage its fraud risk, it is absolutely essential to identify risks. Risk identification calls for employee brainstorming. Prioritizing the risks comes next after risk identification.
2) Assessing Risks: Organisations should recognise problems and develop appropriate solutions in order to resolve them. The root causes of the risk should be addressed. They should also consider how those risks might impact the company.
3) Responding to Risks: They must develop risk-mitigation plans and choose who will be in charge of carrying them out.
4) Monitoring and reviewing risks: Businesses need to continuously monitor and analyse their fraud risk management. Additionally, new dangers could materialise at any time, so businesses should be ready for them as soon as possible.
5) Reporting risks: When reporting concerns, one should act objectively, take concrete steps, and offer advice on how to reduce the likelihood of fraud.
RESPONSIBILITY OF RISK MANAGEMENT
Q12. Different laws place the responsibility for risk management on individuals. Write a short note on how different laws do so. [Scoring Question]
Ans.
1) Section 134(3)(n) of the Companies Act, 2013 provides that the Board's Report shall include a statement indicating the development and implementation of a risk management policy for the company, including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.
2) The SEBI (LODR) Regulations, 2015 also provide that the company shall lay down procedures to inform Board members about the risk assessment and minimisation procedures. The Board shall be responsible for framing, implementing and monitoring the risk management plan for the company.
3) The Risk Management Plan must include all elements of risks. The traditional elements of potential likelihood and potential consequences of an event must be combined with other factors like the timing of the risks, the correlation of the possibility of an event occurring with others, and the confidence in risk estimates.
4) Risk management policies should reflect the company’s risk profile and should clearly describe all elements of the risk management and internal control system and any internal audit function. A company’s risk management policies should clearly describe the roles and accountabilities of the board, audit committee, or other appropriate board committee, management and any internal audit function.
5) A company should have an identified Chief Risk Officer, a position manned by an individual with the vision and the diplomatic skills to forge a new approach. He may be supported by "risk groups" to oversee the initial assessment work and to continue the work until it is completed.
6) Regulation 21 of SEBI (LODR) Regulations, 2015, requires that every listed company should have a Risk Management Committee (details are provided under the chapter of Board Committees).
ROLE OF COMPANY SECRETARY IN RISK MANAGEMENT
Q13. A Company Secretary plays an important role in controlling the risk management. Discuss. [Scoring Question]
Ans.
(A) Introduction: Company secretaries are governance and risk management professionals; their role is to enforce a compliance framework to safeguard the integrity of the organisation and to promote high standards of ethical behaviour.
(B) The functions of a governance professional are as follows:
1) Advising on best practice in governance, risk management and compliance.
2) Implementing the compliance framework.
3) Safeguarding organisational integrity.
4) Promoting and acting as a ‘sounding board’ on standards of ethical and corporate behaviour.
5) Balancing the interests of the Board, management and other stakeholders.
(C) The function of a risk management professional:
Pursuant to Section 203(1), the CS is Key Managerial Personnel and can play a role in ensuring that Enterprise-wide Risk Management [ERM] is applied effectively throughout the company. The board of directors may have a risk management sub-committee assisted by a Risk Management Officer.
(D) A Company Secretary can ensure that the following questions are effectively addressed at the board level:
1) What is the organization’s risk management philosophy?
2) Is that philosophy clearly understood by all personnel?
3) What are the relationships among ERM, performance, and value?
4) How is ERM integrated within organizational initiatives?
5) What is the desired risk culture of the organization and at what point has its risk appetite been set?
6) What strategic objectives have been set for the organization and what strategies have been or will be implemented to achieve those objectives?
7) What related operational objectives have been set to add and preserve value?
8) What internal and external factors and events might positively or negatively impact the organization’s ability to implement its strategies and achieve its objectives?
INTERNAL CONTROL
Q14. Internal controls should be tailored to the specific needs and risks of each organisation and regularly assessed and updated to remain effective in dynamic business environments. Explain the scope of risk management and internal control. [Scoring Question]
Ans. Scope of risk management and internal control:
1) Risk management focuses on identifying threats and opportunities, while internal control helps counter threats and take advantage of opportunities.
2) Proper risk management and internal control assist organizations in making informed decisions about the level of risk that they want to take and implementing the necessary controls to effectively pursue their objectives.
INTERNAL AUDIT
Q15. The internal audit function provides insights and recommendations to enhance the organisation's performance and achieve its goals. Write a short note on internal audit and its applicability. [Scoring Question]
Ans. Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
IMPORTANCE OF INTERNAL AUDIT:
1) Increase productivity: Internal audits improve the efficiency and effectiveness of processes and help an organisation to depend on processes rather than on people.
2) Evaluate risk and protect the assets: Internal audits help an organisation to track and document any changes that have been made to its environment and ensure the mitigation of any risks found.
3) Quality control: Internal auditors assess how well systems and processes are designed, keep the company's goals on track, and also provide consulting on how to improve those systems and processes if and when necessary.
4) Independent and unbiased insight: Internal audit provides an unbiased view of how effective the internal controls of a business are.
5) Good Corporate Governance: Internal audits evaluate a company’s internal controls, including its corporate governance and accounting processes.
APPLICABILITY OF PROVISIONS OF INTERNAL AUDIT
Pursuant to section 138 of the Companies Act, 2013 read with rule 13 of the Companies (Accounts) Rules, 2014, the following classes of companies shall be required to appoint an internal auditor:
(a) every listed company;
(b) every unlisted public company having-
(i) paid up share capital of 50 crore rupees or more during the preceding financial year; or
(ii) turnover of 200 crore rupees or more during the preceding financial year; or
(iii) outstanding loans or borrowings from banks or public financial institutions exceeding 100 crore rupees or more at any point of time during the preceding financial year; or
(iv) outstanding deposits of 25 crore rupees or more at any point of time during the preceding financial year; and
(c) every private company having-
(i) turnover of 200 crore rupees or more during the preceding financial year; or
(ii) outstanding loans or borrowings from banks or public financial institutions exceeding 100 crore rupees or more at any point of time during the preceding financial year.
ENVIRONMENTAL SOCIAL & GOVERNANCE (ESG) PRINCIPLES & PRACTICE | CRACKER
AUTHOR : Ankush Bansal
PUBLISHER : TAXMANN
DATE OF PUBLICATION : January 2025
EDITION : 3rd Edition
ISBN NO : 9789364559713
NO. OF PAGES : 308
BINDING TYPE : PAPERBACK
DESCRIPTION
This book is prepared exclusively for the requirements of the Professional Level of the Company Secretary Examination. It includes comprehensive past exam questions (topic-wise) and detailed answers aligned with the latest ICSI syllabus. The present publication is the 3rd Edition for the CS-Professional | New Syllabus | June/Dec. 2025 Exams. This book is authored by CS Ankush Bansal, with the following noteworthy features:
• [Strict Adherence to the New ICSI Syllabus] Ensuring complete alignment with the latest requirements
• [Comprehensive Coverage]
o Past Exam Questions (Topic-wise), including:
- CS Professional – Dec. 2024 | Suggested Answers
• [Most Updated & Amended] Answers are fully updated as per relevant provisions and case laws
• [Chapter-wise Marks Distribution] from June 2024 onwards
• [Exam Trend Analysis] for previous exams, starting June 2024
• [ICSI Study Material Comparison] is provided chapter-wise for a comprehensive understanding