The Evolution of Risk Management Oversight by Indian Boards


Afra Afsharipour* & Manali Paranjpe**

[Note: This is an advanced access version of the article that will be published in Volume 33(2)]


The board of directors lies at the core of effective risk management. The board plays a critical role in overseeing and guiding the risk policy of a company, and in ensuring that appropriate systems of control are in place. This Article analyses India’s evolving framework for board oversight of risk management. Over the last decade, India’s legal regime mandating board oversight of risk management has progressed to largely resemble international standards. Nevertheless, recent risk management crises at leading Indian companies highlight the importance, and challenges, of board oversight of corporate risk.

This Article examines key risk concepts and provides an overview of Enterprise Risk Management (ERM). It explains how global concepts of ERM are reflected in recent regulatory mandates in India under the Companies Act, 2013 and the SEBI (Listing Obligations and Disclosures Requirements) Regulations, 2015. The Article also compares India’s evolving regulatory approach to the legal regimes mandating board oversight of risk management in two leading jurisdictions—the United States and the United Kingdom.

While India’s legal framework for board oversight of risk is improving, two recent crises—the collapse of IL&FS and management failures at ICICI Bank—demonstrate the barriers that directors of Indian companies continue to face in overseeing increasingly complex risks. The increasing complexity of risk and the board’s critical oversight role are also highlighted by the fallout from the COVID-19 pandemic. Directors of Indian firms, particularly independent directors, continue to face a variety of barriers in effectively overseeing risk management, including promoter dominance and limited access to independent external advisors, as well as significant dependence on management for obtaining information on business plans, strategies, and risk preparedness of the company. Nevertheless, such barriers are not insurmountable. This Article’s case study of how the board of Infosys, one of India’s leading technology companies, addressed red flags raised by whistleblowers, illustrates how an empowered board can respond to risk management issues effectively. Drawing lessons from these case studies, this Article concludes with suggestions for how to further enhance the board’s risk oversight function.

I. Introduction

Across jurisdictions, the oversight of risk management has emerged as a central obligation of the board of directors. While companies have long addressed risk management concepts, corporate scandals around the world, coupled with the 2008 global financial crisis, highlighted the need for more systematic risk management at major companies and financial institutions.[1]

As the OECD states, “while risk-taking is a fundamental driving force in business and entrepreneurship, the cost of risk management failures is still often underestimated … Corporate governance should therefore ensure that risks are understood, managed, and, when appropriate, communicated.”[2] Thus, over the past two decades, national legislation, corporate governance guidelines, and codes by leading international organisations have stressed the role of the board of directors in overseeing risk management.

In line with global trends, India too has experienced a robust debate over risk management practices. With the transformation of corporate governance in the country, the regulatory framework governing risk management has evolved to emphasise the risk oversight function of boards.[3] For example, the Companies Act, 2013, addresses the board’s risk oversight responsibilities.

Furthermore, the Securities and Exchange Board of India (SEBI), India’s capital markets regulator, has issued regulations that require the largest listed companies to form a risk management committee. The emphasis on the board’s oversight of risk management is in line with the corporate governance transformations that have taken place in India which increasingly stress a monitoring role for boards of Indian firms.

Despite the shift in its regulation, studies and surveys suggest that risk management has yet to become a priority at many Indian companies. One survey found that even as recently as 2018, 39% of companies surveyed did not have a Chief Risk Officer in their executive structure.[4] Furthermore, recent high-profile corporate scandals, such as the collapse of Infrastructure Leasing and Financial Services (IL&FS), highlight the persisting challenges in effective risk management.[5]

The COVID-19 Pandemic has also brought the issue of ‘board oversight’ of risk management to the forefront. Not only was India as a nation underprepared to prevent, detect and respond to a pandemic, but also for nearly every board of directors in India, the crisis has been a significant one. In such a crisis, companies with good governance and risk management systems may be better able to address stakeholders’ concerns than companies whose boards have not prepared for such calamities.[6]

The long-term impact of the pandemic on companies’ ability to raise capital, build their businesses, and manage the myriad of risks enhanced by the crisis remains to be seen.[7] For now, the Indian economy has been hit especially hard by the pandemic, with the government reporting that the economy contracted by almost 24% in the first quarter of 2020.[8]

The board of directors lies at the core of effective risk management. The board plays a critical role in overseeing and guiding the risk policy of the company and in ensuring that appropriate systems of control are in place. While risk oversight is improving, Indian boards continue to face significant hurdles in effective risk management. This article uses two recent case studies—the collapse of IL&FS and the management failures at ICICI Bank—to demonstrate the challenges to effective risk oversight by boards.

As companies face increasing risk complexity, boards must continually assess the structure of a company’s risk management policies and procedures. Not only are boards charged with overseeing an increasingly complex set of risks, but most Indian firms are controlled companies, with board members beholden to controllers and management for access to information.

Limited access to independent external advisors such as lawyers, consultants, accountants, and the like, as well as significant dependence on management for obtaining information on business plans, strategies, and risk preparedness of the company can hamper the ability of boards to adequately monitor the company’s risk management policies and procedures. These issues intensify in boards with many outside independent directors.

Nevertheless, this article’s case study of the board’s approach to red flags raised at Infosys—one of India’s leading technology companies—demonstrates that an empowered board can respond effectively to oversee and address arising risk management issues.

This article proceeds as follows. Part II discusses key risk concepts and provides an overview of a holistic approach to risk management, commonly known as Enterprise Risk Management (‘ERM’). This section addresses the role that the board of directors plays in risk management oversight. It also provides an overview of how two leading jurisdictions—the United States (US) and the United Kingdom (UK)—address the board’s risk oversight role.

Part III details the development of risk management regulations in India, highlighting how the law enjoins the board to discharge its risk management oversight functions.

Part IV examines recent case studies of risk management challenges faced by Indian firms.

Analysing the existing legal framework and the case studies addressed in the article, Part V discusses the barriers that Indian boards face in overseeing risk management policies and the factors that hamper the ability of non-executive directors to focus on risk identification and mitigation. Part V also draws lessons from the case studies to identify how to improve the board’s risk oversight function.

II. Risk Management & the Board of Directors

Across the globe, the focus on effective risk management has intensified over the past two decades as major corporations have experienced risk management failures due to excessive financial risk taking, environmental catastrophes, accounting and corruption scandals, and the like.[9] The monitoring of risks is a significant priority for corporate managers and boards, as well as for regulators and investors.[10]

Across jurisdictions “[t]here is broad agreement . . . about the basic obligation of corporate boards to monitor corporate legal compliance, to oversee risk management policies and procedures and internal controls, and to set corporate strategy.”[11] The following section introduces the concept of enterprise risk management, addressing the board’s oversight role in risk management as well as providing a broad overview of the risk management regimes of two leading jurisdictions—the United States (‘US’) and the United Kingdom (‘UK’).[12]

A. Concepts of Risks and Enterprise Risk Management

Beginning in the mid-1980s, the Committee of Sponsoring Organisations of the Treadway Commission (‘COSO’), initially formed in part to study fraudulent financial reporting, began to articulate a risk management framework.[13] In 2004, following several corporate governance scandals around the world, COSO issued a more detailed report defining the broader concept of Enterprise Risk Management (‘ERM’).[14]

ERM is a holistic approach for firms to address their operational, strategic and financial risks.[15] ERM focuses on identifying risks, developing and monitoring a risk management system and reacting to risk events when they occur. As ERM is a firm-wide effort to manage all the firm’s risks, involvement by the company’s board of directors and senior management is imperative.

Since its initial introduction, the COSO framework has been further developed into more detailed guidance on risk assessments and risk appetite.[16] Moreover, other international guidance on ERM such as the ‘ISO 31000 guidelines on risk management’ have recommended principles for effective risk management.[17] The COSO approach presents five interrelated components of risk management: risk governance and culture (the tone of the organisation), setting objectives, execution risk (the assessment of risks that may impact achievement of strategy and business objectives), risk information, communication and reporting, and monitoring enterprise risk management performance.

The various frameworks for ERM acknowledge that firms face a variety of risks, including financial and non-financial risks, IT and cybersecurity risks, and environmental, safety and health risks.[18] COSO’s ERM framework defines risk broadly as “the possibility that events will occur and affect the achievement of strategy and business objectives.”[19] This definition recognises that risk involves “both negative effects (such as a reduction in revenue targets or damage to reputation) as well as positive impacts (that is, opportunities – such as an emerging market for new products or cost savings initiatives).”[20]

Moreover, risks continue to evolve. For example, in 2018, COSO and the World Business Council for Sustainable Development (‘WBCSD’) released guidance to help firms manage environmental, social and governance (‘ESG’) risks.[21] The guidance stressed the increasing complexity of ESG risks—for example, climate change and sexual harassment scandals—and the acceleration of these types of risks.[22]

ERM creates value when effectively executed. Studies suggest that ERM provides more timely information to directors and managers, which in turn enables a quicker response and preservation of firm value.[23] ERM can help a company improve the quality of risk-taking, and thereby give the company a competitive advantage. It allows a company to manage potential future events that create uncertainty and to respond to uncertainty in a manner that reduces the likelihood of downside surprises. Effective ERM can also help a firm avoid value destruction.

Shortcomings in ERM implementation can destroy significant value. Failures in risk management have contributed to some of the most significant scandals and losses suffered by companies. Recent global failures include environmental disasters (e.g. BP Deep Water Horizon, Bhopal), financial fraud (e.g. Enron, WorldCom, Satyam), foreign bribery (e.g. Siemens), massive trading losses (e.g. JPMorgan) and sexual harassment scandals (e.g. Uber, Oxfam).[24]

According to the OECD, these risk management failures were often “facilitated by corporate governance failures, where boards did not fully appreciate the risks that the companies were taking (if they were not engaging in reckless risk-taking themselves), and/or deficient risk management systems.”[25]

B. The Role of the Board in Risk Management

Corporate governance and ERM go hand in hand. Effective ERM requires boards and top management to create a culture that values assessing, discussing, mitigating, and managing risk events.[26] Scholars indicate that the core elements of ERM “revolve around efficient and effective communication channels and active monitoring of the firm’s risks against its risk portfolio and risk appetite.”[27]

Directors are not responsible for the everyday management of risk. However, directors are responsible for setting the company’s risk appetite and strategy. In many jurisdictions, the board is responsible for monitoring key risks and ensuring that the ERM framework achieves its business objectives.[28]

Enhanced communication between the board and business units that underlies ERM can facilitate and strengthen the board’s role in both decision-making and monitoring. For example, risk managers may need direct access to the board to increase the exchange of ideas and information and to reduce the likelihood that risk reports are not reviewed.

Since the 2008 financial crisis, expectations around the board’s risk oversight responsibilities have become heightened as companies face an increasingly complex business, regulatory and political environment.[29] As recently described by leading experts:

Rapidly advancing technologies, new business models, deal-making and interconnected supply chains continue to add to the complexity of corporate operations and the business risks inherent in those operations. The evolving political environment further exacerbates the risks that corporations face. Corporate behavior has been blamed for accelerating environmental degradation and aggravating disparities in income and wealth. In addition, safety scandals and product failures have affected public confidence in the ability of corporations to manage business risk and have given rise to skepticism as to whether companies are sufficiently prioritising consumer and product safety. Environmental, social, governance and sustainability-related issues have become mainstream business topics, encompassing a wide range of issues including business model resilience, employee wages, healthcare, training and retraining, income inequality, supply chain labor standards and corporate culture, as well as climate change.[30]

As discussed in the sections below, regulators and courts have stressed that risk oversight must be prioritised in the board’s agenda.

C. Regulating Risk Management – US and UK Models

Since the early 2000s, several jurisdictions have taken steps to ensure the board’s oversight of risk management policies, including corporate compliance functions and audit and internal controls’ functions. This section briefly discusses the regulatory regimes in two leading jurisdictions, the US and the UK. Both jurisdictions have served as models for corporate governance reforms in India.[31]

In the US, the board’s risk oversight responsibilities derive from state law fiduciary duties, federal and state laws and regulations, stock exchange listing requirements, and certain evolving best practices.[32] The UK takes a somewhat similar approach to the board’s fiduciary responsibilities, but its disclosure and regulatory approach differs somewhat from that in the US.

  1. The US approach

State law fiduciary duties and corresponding litigation play an important role in framing the board’s risk management oversight duties in the US. Courts in Delaware—the leading jurisdiction for corporate law—have led the formulation of legal standards for U.S. directors’ oversight duties.[33] Delaware jurisprudence on the boards’ oversight duties—often referred to as a duty to monitor or a ‘Caremark’ duty—requires the board to “attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists,” and that it has not “willfully disregarded compliance “red flags” or other indications that the system is ineffective.”[34]

As noted by experts, claims brought over the past decade “show that the risk of exposure for failure of oversight is real.”[35] For example, over the past few years, the Delaware courts have sustained several Caremark claims against boards for ineffective monitoring[36] or for failure to intervene when warning signs about a company’s risks were apparently disregarded by the board.[37]

Boards in the US also face a complex regulatory structure mandating risk management oversight responsibility. The U.S. Securities and Exchange Commission (‘SEC’) requires reporting companies to disclose the board’s involvement in risk oversight in proxy and information statements, annual reports, and registration statements filed with the SEC.[38]

The SEC’s disclosure mandates are intended to provide information to investors on the “board’s role in risk oversight, the relevance of the board’s leadership structure to such matters and the extent to which risks arising from a company’s compensation policies are reasonably likely to have a ‘material adverse effect’ on the company.”[39] Several specific SEC regulations, such as Item 503 of Regulation S-K, require companies to disclose material factors that “make an investment in the registrant or offering speculative or risky.”[40] In crafting its disclosure requirements, the SEC has urged companies to disclose “a broad range of evolving business risks even in the absence of a specific line item requirement that names a particular risk presented.”[41]

In addition to the SEC, other regulatory bodies also play a role in framing the board’s risk oversight responsibilities. For example, the New York Stock Exchange’s (‘NYSE’) corporate governance standards impose risk oversight obligations on listed companies’ audit committees.[42] Moreover, the Department of Justice (‘DOJ’) promotes boards’ self-disclosure of risks by providing benefits to corporations based on their behavior upon learning about corporate misconduct.[43]

For example, under the Foreign Corrupt Practices Act’s (‘FCPA’) Corporate Enforcement Policy, if a company self-discloses misconduct, fully cooperates, and timely and appropriately remediates in FCPA matters, then the company may benefit from a presumption that the DOJ will decline to prosecute the company.[44] Boards of financial institutions, in particular, are subject to a host of other requirements regarding their risk governance frameworks.[45]

  2. The UK approach

As in the US, in the UK, the board’s risk oversight obligations stem from statutes and common law, beginning with general duties owed by directors.[46] Under the Companies Act 2006, UK corporate directors’ general duties include a duty to promote the success of the company “for the benefit of its members as a whole.”[47] Experts note that as part of this duty, directors may “weigh the likelihood of [risks] and the damage that could be done to the firm” if such risks should occur.[48]

Moreover, “if a director is of the opinion that any particular regulatory risk or likely change in the business environment, including one that is related to an ESG factor, poses a risk to, or provides an opportunity for, the company’s future financial success, that director ought to take account of that factor when exercising power on behalf of the company.”[49] While directors have this expansive duty, there are a variety of barriers to enforcement, including the challenges of bringing a derivative action, which result in such claims being relatively rare.[50]

Directors are also charged with the duty to exercise reasonable care, skill and diligence.[51] It appears that much of this duty focuses on process, where courts expect “directors to follow an appropriate process when making decisions” and use their experience and expertise to ensure that risks have been properly accounted for.[52] Thus, while in general directors in the UK have the discretion to determine which risks present the most possibility of adverse effects, “in extreme cases, failure to ask the right questions or to consider a factor which clearly could have an adverse impact on value for a particular company, such as (if relevant and material) climate risk or the risk of corruption or forced labour in the supply chain, could form the basis of a claim for breach of duty.”[53]

Nevertheless, when “directors follow appropriate procedures” then “the probability of breach is low.”[54] As scholars Marc Moore and Martin Petrin explain, while a UK director’s personal liability for oversight failures is theoretically expansive, as with the US regime, actual liability for breach by UK directors is unlikely.[55]

Unlike the broad regulatory regime in the US, UK corporate boards’ risk and compliance management are not defined strictly by laws and regulations.[56] Instead, outside of the financial services and banking sectors,[57] UK boards have looked to the UK Corporate Governance Code (‘the Code’) and regulatory bodies under the Financial Services and Markets Act 2000 (‘FSMA’) for standards of corporate governance and risk management.[58]

Premium listed companies thus report on how they have applied the Code.[59] The Code adopts a “comply or explain” approach. Thus, listed companies have an alternative to complying with the Code if the company is justified, based on a range of factors,[60] in their varied approach.[61] The Code’s principles recommend the board’s engagement in establishing prudent and effective internal frameworks, assessing principal risks, and explaining how risks are being managed and mitigated.[62] Directors are charged with playing a monitoring or oversight role, including responsibility for the “integrity of financial information” and monitoring the company’s “risk management and internal control systems.”[63]

III. The Changing Face of Risk Management Regulation in India

Like international standards, India’s regulatory framework recognises the board’s central role in ERM. Experts in India have addressed this role since the early 2000s. For example, the 2003 report of the Narayana Murthy Committee included an extensive discussion of risk management. The committee’s report stated that “it is important for corporate boards to be fully aware of the risks facing the business” and that shareholders must “know about the process by which companies manage their business risks.”[64]

More recently, the regulatory structure has also attended to the board’s role in risk management. Not only is the board responsible for overseeing the firm’s risk policy and risk management system, but the SEBI’s listing regulations require large, publicly listed firms to constitute a risk management committee of the board of directors.[65] Over time the SEBI has both expanded this requirement to a greater number of listed firms and enlarged the mandate of the risk management committee. Moreover, regulators have increasingly emphasised the board’s risk management oversight responsibilities.[66]

A. Risk Management under the Companies Act

The Companies Act, 2013 acknowledges the need for risk management; yet arguably the Act does not go far enough. Similar to the ‘general director duties model’ adopted in the UK, the Act does not specifically require a separate risk management committee, nor does it include guidance to boards on how to effectively oversee risk management. Moreover, unlike the US regime, there is little in the way of shareholder litigation in India to hold directors responsible for risk oversight failures.[67]

The first mention of risk management is in Section 134 (3) (n) of the Act, which deals with the Board’s Report. The section provides that companies should issue “a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.”[68]

Looking at the entirety of Section 134, however, it is clear that the Board’s Report is an attachment to the company’s financials that are presented at a general shareholder meeting and the statement on risk management is one of many pieces of information to be included in the report. Moreover, the emphasis on elements of risk that threaten the company’s existence arguably neglects a holistic approach to evaluating risks that could present strategic opportunities as well as reducing potential setbacks.

More broadly, the Act does not address the kinds of risk management policies that companies should consider in the implementation process. For example, Section 177 discusses the requirement of audit committees and states that “[a]udit committees will evaluate internal financial controls and risk management systems.”[69] Similarly, Schedule IV to the Act (Code for Independent Directors) mentions risk management twice. Schedule IV addresses the role of independent directors in risk management, namely, to “[bring] independent judgment to bear on the Board’s deliberations especially on issues of strategy, performance, risk management” and “satisfy themselves . . . that financial controls and the systems of risk management are robust and defensible.”[70]

Similar to the section on audit committees, Schedule IV prescribes that independent directors keep an eye on risk management. However, there is little information in the Act on how companies can develop and implement risk management systems. It is also unclear if the construct of the Act in this regard necessarily extends to all companies or only a select class of companies.

Unlike the Act, the SEBI Listing Regulations specify that overseeing risk management is one of the main functions of the board, and also stipulate the formation of a separate board committee on risk management. In the following section, we discuss in greater detail the legal regime governing risk management at listed Indian companies. In effect, Indian companies that are unlisted and do not fall under the scope of the SEBI Listing Regulations are not subject to very strict regulations on risk management.

B. Risk Management under the SEBI Listing Regulations

The SEBI Listing Regulations make the board of directors responsible for framing and overseeing the risk management plan of the listed entity.[71] Furthermore, certain companies must form a risk management committee of the board of directors. Initially, the Listing Regulations only required that the top 100 listed companies, determined on the basis of market capitalisation, form a risk management committee of the board.[72] As discussed below, this requirement has been extended and may continue to expand.

Oversight of risk management is a key function of the board under the SEBI Listing Regulations. Regulation 4(2)(f) provides that a key function of the board of directors is to review and guide the firm’s risk policy. The board must ensure that appropriate systems of control are in place, including systems for risk management, financial and operational control, and compliance with the law and relevant standards.[73]

The regulations mandate the board’s oversight of risk-taking, stating that the board must “ensure that, while rightly encouraging positive thinking, these do not result in over-optimism that either leads to significant risks not being recognised or exposes the listed entity to excessive risk.”[74] The board is required to have the ability to ‘step back’ to assist executive management by challenging the assumptions underlying strategy, strategic initiatives (such as acquisitions), risk appetite, exposures, and the key areas of the company’s focus.[75]

The Listing Regulations mandate the company to lay down procedures to inform members of the board about risk assessment and minimisation procedures. The board is responsible for framing, implementing and monitoring the risk management plan for the listed entity.[76] Further, the Listing Regulations also require the audit committee to evaluate internal financial controls and risk management systems.[77] The Management Discussion and Analysis section of the Annual Report must include a discussion on risk and concerns, as well as internal control systems and their adequacy.[78]

In conjunction with the board’s risk management role, large listed companies must have a risk management committee of the board of directors, although the committee may include both board members and senior executives as members. To ensure board involvement in risk management oversight, a majority of the risk management committee must consist of directors and the committee chair must be a board member.[79]

Since its inception, the role of the risk management committee as envisioned by the SEBI regulations has expanded. For example, in 2017, the SEBI formed the ‘Kotak Committee on Corporate Governance’ to address the need for improved standards of corporate governance in India.[80] Among the recommendations of the Kotak Committee was that the risk management committee’s responsibilities specifically cover cyber security.[81]

The Kotak Committee also recommended that risk management committees meet at least once a year.[82] Most significantly, the Kotak Committee recommended that the requirement for the constitution of a risk management committee should be applicable to the top 500 listed entities based on market capitalisation at the end of the previous financial year.[83] The Committee’s rationale was as follows: “Given the dynamic business environment, an active risk management committee is imperative for identification, mitigation and resolution of risks. These risks that are being managed operationally on a daily basis call for a more formal structure, especially for the next set of high-growth companies.”[84]

The Listing Regulations adopted many of the Kotak Committee’s recommendations. The listed entity is required to adopt processes to inform the board about risk assessment and minimisation procedures[85] and for the top 500[86] listed entities, the board of directors must form a risk management committee. The board is mandated to define the role and responsibility of the risk management committee and may delegate monitoring and reviewing of the risk management plan, as well as other functions deemed fit, to the committee. One such function should specifically cover cybersecurity.[87]

The SEBI has envisioned further changes to the risk management committee. Recognising the need to extend the risk management requirements to a larger number of companies, the SEBI has proposed that boards of the top 1000 listed companies be mandated to form a risk management committee.[88] A November 2020 SEBI Consultation Paper has proposed the specification of the role and responsibility of the risk management committee.[89]

The Consultation Paper proposes that the committee (a) formulate a detailed risk management policy to include a framework for the identification of internal and external risks specifically faced by the company, including financial, operational, sectoral, sustainability (specifically ESG related risks and impact), information and cyber security risks, measures for mitigation of such risks, systems for internal controls and business contingency plan, (b) monitor and oversee implementation of the risk management policy, including the evaluation of the adequacy of risk management and internal control systems, (c) ensure that appropriate methodology, processes, and systems are in place to monitor and evaluate business risks, (d) review the risk management policy annually, (e) inform the board about the nature and content of its discussions, recommendations and actions to be taken, and (f) review jointly with the Nomination and Remuneration Committee, the appointment, removal and terms of remuneration of the Chief Risk Officer (if any). Further, the risk management committee is expected to coordinate its activities with the audit committee in instances where there is any overlap in its functions with audit actions.

In order to strengthen the resources of the risk management committee, the Consultation Paper also envisions empowering the committee to seek information from any employee, obtain outside legal or other professional advice and secure attendance of outsiders with relevant expertise. Recognising the significant need to allocate sufficient time to risk oversight, the paper proposes that the committee should meet at least twice a year. The Consultation Paper also proposes that at least one board member be present at all risk management committee meetings.

IV. Risk Management Challenges at Indian Companies

Despite the extant framework for risk management under the law, several leading Indian firms have experienced massive risk failures in the past few years. This section examines several case studies to demonstrate the continuing risk management challenges facing Indian firms. In particular, this section focuses on the downfall of IL&FS and the management failure at ICICI Bank. This section also highlights the risks posed by whistleblower complaints that led to Infosys, one of India’s leading companies, facing multiple regulatory investigations.

The efforts taken by Infosys to respond to the scrutiny while simultaneously reviewing and strengthening its policies are a noteworthy example of how corporations must “manage” as well as “moderate” risks. While the boards at both IL&FS and ICICI Bank failed to identify and act upon the risks that their respective companies faced, the Infosys case study reveals how a board can use a whistleblower system to be made aware of and subsequently address red flags. By doing so, a board can respond to an imminent threat to governance and firm value, and take action to avert a crisis. As discussed in this paper, avoiding potential risks by taking appropriate steps at the correct time is a crucial element of effective ERM.

Moreover, companies face significant challenges wrought by the heightened risk environment of the COVID-19 pandemic. Accordingly, this section discusses the impact of the pandemic on risk management in India and the steps that boards need to take to maintain the standards of good corporate governance.

A. Risk Management Failures at IL&FS

In 2018, IL&FS Ltd., India’s leading infrastructure finance company, defaulted on payment obligations on various bank loans, causing significant “panic” in the Indian capital markets.[90] As a non-banking financial company (‘NBFC’), IL&FS was formed in 1987 as an RBI Registered Core Investment Company by the Central Bank of India, the Housing Development Finance Corporation (‘HDFC’), and the Unit Trust of India (‘UTI’) to finance various infrastructure projects.

IL&FS itself was an unlisted company, and therefore not subject to the SEBI’s listing standards. Nevertheless, its shareholder base included a variety of large institutional investors, including the Life Insurance Corporation of India, the ORIX Corporation – Japan, the IL&FS Employees Welfare Trust, the Abu Dhabi Investment Authority, HDFC, the Central Bank of India, and the State Bank of India.[91]

The IL&FS crisis, as detailed below, demonstrates the risk management shortcomings in the firm’s corporate governance structure and the significant ramifications of such failures for not only the firm itself but for the financial markets at large.

1. The IL&FS Crisis

The IL&FS crisis exploded in mid-2018. As an NBFC, IL&FS issues debt instruments to potential lenders. In return, it pays an interest rate and repays the principal to lenders on a pre-determined due date. By mid-2018, IL&FS had collected over Rs. 91,000 crores (approximately 12.7 billion USD) in debt instruments.[92]

Between July and September 2018, two subsidiaries of IL&FS defaulted on loan payments, inter-corporate deposits, and term and short-term deposits to other lenders.[93] The company also failed to meet commercial paper redemption obligations due in September 2018.[94] These lapses indicated that IL&FS was experiencing a ‘liquidity crunch’, with insufficient cash to meet its operating needs. In response to these defaults, credit rating agencies rapidly downgraded the company’s erstwhile consistently high ratings.[95] The downgrade put investors, banks, and mutual funds associated with IL&FS at severe risk.[96]

The IL&FS crisis was in essence a risk management crisis in the company’s core business.[97] As an infrastructure lending company, the primary source of IL&FS revenue is the income from its infrastructure projects.[98] When infrastructure was on the rise in India, IL&FS took advantage and simultaneously built up a debt-to-equity ratio of 18.7 amongst 24 direct subsidiaries, 135 indirect subsidiaries, six joint ventures, and four associate companies.[99] However, infrastructure in India began to face severe challenges related to land acquisition, lengthy judicial processes, cost escalation, corruption, etc.[100] These barriers to infrastructure resulted in reduced revenue, and the rising market interest rates further burdened IL&FS.[101]

The fallout from the IL&FS crisis was extensive. In October 2018, the Central Government moved an application under Sections 241 and 242 of the Companies Act, 2013, before the National Company Law Tribunal (‘NCLT’).[102] The application stated that IL&FS’s affairs were conducted in a manner prejudicial to public interest. The government sought immediate suspension of the IL&FS board and the appointment of new directors on the grounds that IL&FS had severely mismanaged their finances.[103] The NCLT invoked its powers to suspend the existing board and institute the new, specified board.[104] The NCLT granted immunity to the new board members from any liabilities for past actions of the suspended directors or officers of IL&FS.[105]

Several other agencies also sprang to action, which included focusing on the failures of the auditors involved with IL&FS. Due to major lapses and manipulations in the financial statements created by the statutory auditors,[106] the Disciplinary Directorate of the Institute of Chartered Accountants of India (ICAI) held them prima facie guilty of professional misconduct. Furthermore, the National Financial Reporting Authority also initiated an investigation into the auditors.[107]

In response to these findings, the NCLT granted the Central Government’s petition under Section 130 of the Companies Act, seeking to reopen IL&FS’ and its group companies’ books for the past five financial years.[108] In May 2019, the Serious Fraud Investigation Office (‘SFIO’) submitted a list of 30 parties, including two auditor firms, that would be charged for concealing information and misreporting the financial statements of the IL&FS firms.[109]

The Ministry of Corporate Affairs (‘MCA’) also moved against the company’s auditors, Deloitte Haskins & Sells and BSR & Associates LLP, as well as their former auditors, under Section 140(5) of the Companies Act for their role in perpetuating the fraud.[110]

2. Risk Management Lessons from the IL&FS Crisis

Investigations into corporate governance practices at IL&FS highlighted numerous risk management failures at the board level. As an unlisted company, IL&FS was subject to minimal risk management obligations under the Act. An investigation by the Reserve Bank of India (‘RBI’) revealed the extent of the risk management shortcomings at the company. Some of the board’s key committees, including the risk management committee, had not met for several years.

The RBI found that “there was no risk management measures in vogue” and that “credit risk and linkage with liquidity risk was never identified in credit and investment decisions. Business strategies of the group were never deliberated from the risk perspective.”[111] Similarly, the company’s investment review committee had failed to meet, nor was there a “system of monitoring and reviewing the investment at periodical intervals.”[112] The IL&FS crisis also demonstrated that ERM is not only a risk management committee issue, but that it encompasses auditor powers as well.[113]

The IL&FS crisis has raised unique governance issues specific to financial institutions. The corporate governance and risk management framework is particularly important for financial institutions whose failures can have a significant impact on the market.[114] Experts have suggested that India’s corporate governance framework is ill-equipped to deal with financial institutions.[115] They argue that while the current governance framework seeks to balance the interests of shareholders and managements, for financial institutions, creditors become a third-party whose interests must be considered.[116]

Arguably, the current framework, which does not consider creditors, encourages management to take extreme risks to the creditors’ detriment. In addition to the typical issues related to governance failures, when such issues arise in financial institutions, they can have a massive impact on the financial markets and the economy more generally. Finally, financial institutions rely on government bailouts when taking excessive risks, because there is a common interest in preventing economic downturn. These factors may result in financial institutions taking excessive risks.[117] Ultimately, some experts posit that the financial sector should be held to a higher standard of risk management via risk management committees.[118]

B. Corporate Governance Challenges at ICICI Bank

The ICICI Bank is an Indian multinational banking and financial services company. After a long tenure at the bank, Chanda Kochhar became the CEO and managing director (‘MD’) of the Bank in 2009.[119] Under Kochhar’s leadership, the bank experienced significant growth, and ultimately rose to become the second largest bank in India in terms of assets and market capitalisation. Kochhar was celebrated as one of the most powerful businesswomen in the world, winning numerous accolades and awards in India and abroad.[120] Kochhar’s leadership, however, ended in 2018 when she stepped down from her position in connection with allegations of corruption with respect to the loans made by ICICI to businesses tied to her family.

The ouster of Kochhar and the events leading thereto highlighted the governance failures that can arise with insufficient board involvement in assessing all risks, including internal risks.[121] Indian companies are often led by powerful CEOs, some with long tenures at the company. Thus, boards may acquiesce too readily to the CEO’s decision-making.[122]

At the time of the ICICI crisis, global credit agency Standard and Poor’s (‘S&P’) acknowledged the need for banks in India to improve risk management and corporate governance practices, stating that “as a number of banks in India confront serious governance and risk issues, the ‘tone at the top’ is crucial. Leadership groups in Indian banks need to ensure that they enhance the risk culture, reputation, and financial strength of banks.”[123] As discussed below, since the ICICI crisis, the RBI has released a discussion paper which aims to significantly enhance corporate governance at Indian banks.[124]

1. The Downfall of ICICI’s CEO

The ICICI Bank’s corporate governance problems first came to light in 2016 amid concerns about loan irregularities and conflicts of interest involving the Bank’s CEO.[125] Arvind Gupta, a shareholder in both the bank and Videocon Industries, alleged that ICICI Bank CEO Chanda Kochhar induced a quid pro quo arrangement between Videocon and her immediate family members.[126] Gupta’s complaint specifically pointed to the relationship between Videocon founder, chairman, and managing director Venugopal Dhoot, and Kochhar’s husband, Deepak Kochhar.[127]

At the heart of Gupta’s complaint were allegations that Dhoot provided crores of rupees to a firm promoted by Deepak Kochhar and two relatives six months after Videocon received Rs. 3,250 crores as loan from ICICI Bank in 2012.[128] Initially, Gupta’s complaint garnered little attention and the Bank was able to avoid a probe.

In March 2018, however, Gupta’s complaint resurfaced in the public domain and gained momentum, as multiple agencies including the Central Bureau of Investigation (‘CBI’), the Enforcement Directorate (‘ED’), and the Serious Fraud Investigation Office (‘SFIO’) launched probes into Kochhar’s actions.[129] The ICICI Bank’s board preemptively released a statement denying the veracity of any such claims.[130]

The statement cited to the “adequate checks and balances in loan appraisal” and stated that the claims of any sort of quid pro quo, nepotism, or conflict of interest were unsubstantiated.[131] The board, however, did not provide any report or disclosure on the steps that it had taken to investigate the allegations against Kochhar, thus raising many questions about the board’s processes and investigative procedures.[132]

The CBI’s initial inquiry was into the alleged nexus between Deepak Kochhar and Dhoot, and the legitimacy of the quid pro quo deal claims.[133] The CBI acting director registered a First Information Report (‘FIR’) on the matter in January 2019.[134] The FIR accused Chanda Kochhar of receiving “illegal gratification through her husband (Deepak Kochhar) from Videocon MD VN Dhoot for sanctioning a term loan of Rs. 300 crores to Videocon International Electronics Ltd.”[135]

The FIR asserted that one day after a rupee term loan of Rs. 300 crores was paid by the ICICI Bank to Videocon, Dhoot allegedly transferred Rs. 64 crores to NuPower Renewables (owned by Deepak Kochhar) via another entity controlled by Dhoot.[136] The FIR further indicated that senior bank officials that participated in the decision to sanction the loan may also be probed.[137]

In June 2018, the ICICI Bank’s board initiated an independent probe, appointing retired Supreme Court Justice BN Srikrishna to head the investigating panel.[138] A few months later, the board announced that Chanda Kochhar would be resigning as CEO of the bank after accepting her request for early retirement.[139] Justice Srikrishna’s report, released in January 2019, asserted that Kochhar had violated ICICI’s Code of Conduct and had acted in “conflict of interest.”[140] Upon the report’s release, the bank’s board stated that it would treat Chanda Kochhar’s separation from ICICI Bank as “Termination for Cause” under the bank’s internal policies.[141]

The crisis unfolded into an even more significant one for Kochhar in 2019 and 2020. Following the registration of the FIR and the Srikrishna report, the ED registered a criminal case against Chanda Kochhar, Deepak Kochhar, Dhoot, and others under the Prevention of Money Laundering Act.[142] In early January 2020, as part of the money laundering investigation, the ED moved to attach properties belonging to Chanda Kochhar and her husband.[143] Furthermore, in September 2020, the ED arrested Deepak Kochhar in the money laundering case connected to “illegal sanctioning of loans amounting to Rs. 1,875 crores to the Videocon Group of companies.”[144]

In addition to fighting criminal investigations, in November 2019, Kochhar filed a writ petition against the ICICI Bank in the Bombay High Court for terminating her employment after it accepted her request for early retirement.[145] The petition challenged the bank’s denial of her remuneration and claw back of bonuses and stock options between April 2009 and March 2018.[146] Kochhar contended that her termination was “illegal, untenable, and unsustainable in law.”[147] The Bank objected to the maintainability of Kochhar’s petition, arguing that the termination was a contractual dispute and that ICICI is a private bank against which a writ petition is not maintainable.[148] Kochhar’s counsel then sought to include the RBI as a party.[149]

The RBI responded to the writ petition by defending its approval of Kochhar’s termination as a fair, reasoned decision that did not violate any of the former bank CEO’s fundamental rights.[150] The Bombay High Court dismissed Chanda Kochhar’s petition, agreeing with ICICI’s arguments that for a contractual dispute, Kochhar would have to approach the appropriate forum.[151]

Chanda Kochhar appealed before the Supreme Court. The Supreme Court refused to interfere with the order of the Bombay High Court in early December 2020 and rejected Kochhar’s appeal. The three-judge bench of the Supreme Court opined that the only issue in question pertained to the resignation by Kochhar and the termination of her services by the bank, which was purely a contractual issue between Kochhar and the bank.[152]

2. Corporate Governance and Risk Management Lessons from the ICICI Crisis

The ICICI episode highlights internal risks that corporations may face due to unethical practices followed by their own management, especially when CEOs wield significant power.[153] It underscores the crucial role independent directors play in identifying issues in corporate actions at the board level itself. It also reiterates that in addition to having adequate risk management policies and procedures in place, a company needs a strong, competent, and fearless board. At the board level, independent directors need to appreciate the differing governance risks that promoter-controlled companies and professionally managed companies face.

Taking the ICICI episode as an example, scholars argue that there is a large possibility that the CEO may put his or her interests before those of the stakeholders if not duly monitored.[154] While the manager-shareholder agency issue is more prominent in dispersedly held companies, the ICICI crisis indicates that boards must actively monitor the acts and/or omissions of management, even if the company is professionally managed. Yet, independent directors often face the challenge of being reliant on information as provided to them by the management.[155]

The ICICI crisis, along with the IL&FS crisis, has also led to increased focus on the specific corporate governance needs of banks and other financial institutions.[156] In light of various bank crises, in June 2020, the RBI proposed to restrict promoters from holding a CEO position for more than 10 years and to cap the tenure of a non-promoter CEO at 15 years.[157] If converted into regulation, the proposal would have significant implications on promoter led banks such as the Kotak Mahindra Bank and the Bandhan Bank.[158]

The RBI’s discussion paper[159] also offers guidelines to boards of banks to reinforce the “tone at the top.”[160] The discussion paper recommends that boards play the lead role in establishing the bank’s culture and values, and in ensuring that these are being followed, through adequate training, communication, monitoring and supervision.[161] Further, the discussion paper emphasises the need to identify and manage “conflict of interest” at the board level.

The paper also calls upon banks to put a risk governance framework in place that includes well defined organisational responsibilities for risk management, typically referred to as the ‘three lines of defense’ – the business line, a risk management function and a compliance function independent from the business line.[162] Although the discussion paper is laudable in its efforts to propose rules which seek to enhance governance at banks, scholars argue that the effective enforcement of such risk policies would be vital for ensuring the success of this policy framework.[163]

C. Board Management of Risk: Infosys Whistleblower Matter

Infosys is a NYSE listed global IT consulting firm headquartered in Bengaluru, India. The company offers business, technology, and software consulting services to corporations in India and overseas. After several CEO shakeups, Salil Parekh filled the position in December 2017. Less than two years after his appointment, Infosys faced whistleblower complaints alleging that Parekh and other executives had engaged in unethical practices. As the discussion below shows, the board’s response to and the management of these complaints, as well as its actions following the resolution of these matters, provide important guidance on how effective board practices can address significant risks.

1. 2019 Whistleblower Allegations

On September 20, 2019, an anonymous group of whistleblowers made allegations that the CEO, Salil Parekh, and the CFO, Nilanjan Roy, had engaged in “disturbing unethical practices” to represent higher revenue and profit numbers.[164] The whistleblowers submitted their complaint in the form of a letter to both the Infosys board and the US Securities and Exchange Commission (‘SEC’).[165] The allegations arose two years after another set of allegations regarding conflicts of interest led to the ouster of the then CEO.[166]

In the first complaint, the whistleblowers alleged that employees were instructed not to fully recognise expenses in an effort to boost profits.[167] Additionally, the complaint alleged that, inconsistent with standard accounting practices, some employees were pressured to not recognise the reversal of a $50 million upfront payment in a contract.[168] The allegations claimed that vital information was withheld from the board and auditors, and revenue recognition in larger contracts was forced.[169]

The letter also alleged that the CEO, Parekh, had bypassed approval processes in large deals and instructed the sales team to make incorrect assumptions in order to represent inflated profit margins.[170] The whistleblowers further claimed that Parekh and Roy had dismissed their concerns and prevented them from presenting data on large deals and financial measures at board meetings and from making key disclosures.[171] Finally, the complaint alleged that the company paid for Parekh’s personal travel expenses, and that he used his travel expenses to the U.S. as a green card holder to avoid taxes.[172]

Several weeks after the first set of allegations, Infosys received a second undated whistleblower complaint accusing Parekh of engaging in a variety of misdemeanors and urging the Board to take action against him.[173] The complaint made allegations related to Parekh’s residence, travel, and personal investments.[174]

Regulators in both India and the United States responded quickly to the whistleblower allegations. In October 2019, the SEC initiated an investigation.[175] Moreover, the SEBI,[176] the National Stock Exchange (‘NSE’), the Bombay Stock Exchange (‘BSE’), the National Financial Reporting Authority (‘NFRA’), and the Registrar of Companies, Karnataka, each opened investigations and sought further information about the alleged unethical practices.[177] The company stated in a press release that they would provide information and cooperate with these authorities.[178]

2. Board Response to Whistleblower Allegations

On October 22, 2019, the Company issued a public statement that the Board had received two anonymous whistleblower complaints as of September 30, 2019.[179] Both complaints were placed before the Audit Committee on October 10, 2019, and before the non-executive members of the Board on October 11, 2019.[180] The Audit Committee commissioned independent legal counsel, Shardul Amarchand Mangaldas & Co., and PricewaterhouseCoopers to lead the investigations.[181] Parekh and Roy were both recused from the investigations.

On January 10, 2020, Infosys published a detailed press release about the findings of its internal investigations.[182] D. Sundaram, Chairperson of the Audit Committee, stated, “The Audit Committee commissioned a thorough investigation with the assistance of independent legal counsel. The Audit Committee determined that there was no evidence of any financial impropriety or executive misconduct.”[183] The press release detailed the methodology of the investigations, the amount and types of data reviewed, and the interviews with relevant Company personnel.

The press release stated that the Investigation Teams had full access to information, and received cooperation from the Company, its directors, and employees.[184] The extensive investigation included 128 interviews with 77 persons, and a review of over 210,000 electronic or imaged documents, with over 8 terabytes of electronic data processed.[185] Non-executive Chairman Nandan Nilekani stated that the investigation was conducted with complete transparency, with its results largely open to the public for review. The press release addressed each allegation from the whistleblower complaints, explaining the findings of the investigation.

The Infosys board’s management of the whistleblower complaints allowed the firm to avoid long-lasting negative ramifications. In March 2020, the SEC concluded its investigation, stating that it did not anticipate any further action.[186] On March 24, 2020, Infosys confirmed it had cooperated with the SEC and that it has responded to all inquiries received from Indian regulatory authorities.[187]

As of November 2020, there has been no further update on whether the Indian regulatory authorities have concluded or are continuing their inquiries,[188] and no order has been passed by the SEBI. Additionally, two class action lawsuits were filed in October 2019 and December 2019[189] to recover losses suffered by investors in the wake of the whistleblowers’ complaints.[190] On May 22, 2020, Infosys announced that the October 2019 lawsuit was voluntarily dismissed by the plaintiff without prejudice.[191]

On April 20, 2020, the Infosys Board announced that it had amended several of its policies and charters, including the company’s Related Party Transaction Policy, the Policy for Determining Materiality for Disclosures, and the Audit Committee Charter.[192] Several of the changes appeared to respond to the matters at issue in the whistleblower-related investigation. For example, the board updated the company’s Related Party Transaction Policy so that omnibus approvals of certain repetitive Related Party Transactions, under SEBI Regulation 23(3), were not applicable to transactions entered into between a holding company and its wholly owned subsidiary whose accounts were consolidated with such holding company and placed before the shareholders at the general meeting for approval.[193]

It also broadened certain reporting requirements from “details of all material transactions” to “details of all transactions.”[194] Notably, the Whistleblower Policy remained unchanged from its April 1, 2019 version.[195] This was in line with statements made at the company’s January 10, 2020 press conference, where the board chair, Nilekani, underscored the Company’s desire to protect whistleblowers, as they may expose genuine fraud.[196]

Actions by the Infosys board provide lessons on how transparent processes and clarity regarding the company’s investigation process allowed the board to assess, identify and manage risks raised by serious allegations. Furthermore, the board undertook additional steps to strengthen disclosure mechanisms by reviewing and revising applicable policies. By responding and taking charge of the governance challenge facing the company, the Infosys board was able to prevent further harm to the stakeholders’ interests as well as its own reputation.

D. The COVID-19 Pandemic and the Board’s Role in Crisis Risk Management

On January 30, 2020, India reported its first confirmed case of coronavirus.[197] By March 26, 2020, the government imposed a lockdown across the country and announced a stimulus package to aid the poor affected by the coronavirus outbreak. Companies rushed to implement social distancing policies that limited physical meetings and ensured the safety of their workers.[198] The MCA and the SEBI issued several circulars relaxing physical meeting requirements and deadlines for certain filing and reporting requirements.[199] The amendments were meant to protect companies from penalties and enable companies to address business matters while taking measures to prevent the rapid spread of the coronavirus.[200] Despite these relaxations, emerging governance risks from the pandemic necessitated quick responses from boards of directors and management teams.

As with other major crises, the pandemic raises a myriad of issues for boards with respect to the oversight of risk. Experts note that the COVID-19 pandemic “made the risk landscape much more volatile. Risks that have long been on the agenda have transformed and intensified, and new risks have emerged that, combined with other threats, can have unforeseen consequences.”[201]

For board members, understanding the scope and extent of their statutory and fiduciary duties to push for agile corporate governance throughout the pandemic became critical.[202] As a result of the pandemic, there was an even greater emphasis on directors acting “on a fully informed basis, in good faith, with due diligence and care, and in the best of interest” of companies and stakeholders.[203]

The board’s obligation to reasonably oversee a company’s operations and regulatory compliance encompassed a variety of matters, such as developing practices[204] including the MCA’s and the SEBI’s amended guidelines, monitoring compliance with the Competition Act,[205] and supervising Corporate Social Responsibility (‘CSR’) Programs to avoid ethical lapses and fraud.[206] Furthermore, companies appropriately needed to prioritise the health and safety of their workers as an immediate response to the pandemic.[207]

Given the gravity of the situation, to ensure faster decision-making and approvals, digital communications garnered far more involvement from board members than in-person meetings.[208] Naturally, informal board meetings have surged alongside virtual meetings to accelerate decision-making and keep directors informed about a company’s situation.[209]

However, the surge in both informal and virtual meetings increases governance risks to companies if proper records are not maintained.[210] Experts advise boards to stringently maintain meeting records in safe custody.[211] In addition, directors should ensure companies are integrating adequate technologies and protocols so that listed entities conduct virtual Annual General Meetings (‘AGMs’) and Extraordinary General Meetings (‘EGMs’) in accordance with the MCA’s procedural guidelines.[212]

The crisis also stresses the need for effective communication between managements and boards. Management should keep directors informed of the company’s material risks and how the company is addressing such risks.[213] Meanwhile, directors should proactively keep themselves informed of the company’s affairs.[214] If a disclosure to the stock exchange of any material event is warranted, communication with company stakeholders about the current and potential impacts of the pandemic on business operations should be carefully planned and coordinated with legal teams.[215]

Boards may also find it helpful to engage in regular dialogue with sectoral regulators, government agencies, and stakeholders.[216] In the context of financing documents, experts advise directors to carefully monitor companies’ compliance with contractual obligations and be alert to any need to change or renegotiate terms with lenders.[217]

Companies’ creation and implementation of effective business continuity and succession plans are central to a company’s survival and success throughout the pandemic. For effective succession planning, the board should consider vacancy, availability, readiness, disruption and control related risks.[218] As such, boards should consistently monitor management teams’ ongoing implementation of COVID-19 plans to ensure that companies are sufficiently flexible in responding to evolving situations.[219]

Boards must not only advise management and discuss their internal communication plans, but also engage with them to assess the post crisis strategies.[220] Business continuity plans should focus on addressing any potential contingencies—such as necessary work-from-home protocols, continued digital communications, contract execution, regulatory filings and compliances, and even a “special protocol” for key managerial people.[221]

Boards should consider establishing committees such as a crisis management team to help the board make urgent decisions in emergency situations, and assess the pandemic’s impact on business operations and a company’s preparedness to execute contingency plans.[222] Plans constructed by board committees should focus on balancing between short, medium, and long-term responses to the pandemic.[223] Boards must also consider impacts on business arising out of, for example, supply chain disruptions.[224] With an increasing reliance on digital communication tools and companies’ efforts to collect personal information for contact tracing, committees should also consider developing a data privacy policy for companies to adopt.[225]

As companies attempt to mitigate the impact of the pandemic on their business operations, they will rely significantly on boards’ corporate governance leadership to adjust to the evolving situations. Boards’ communications with management, stakeholders, and customers play a pivotal role in guiding companies through the risks presented by the pandemic and in assuring the broader community and eco-system of the organisation that their interests are considered and valued by the organisation while navigating through this crisis.[226] Moreover, boards’ contributions to business continuity and succession plans will be integral to companies’ adaptability to the new normal.

V. Bolstering the Board’s Risk Management Oversight Function

International frameworks and Indian laws reveal that “a key responsibility of the board is to ensure the soundness of risk management and to determine the firm’s overall risk tolerance and risk policies.”[227] As both the aforementioned regulatory framework and the risk management case studies demonstrate, the pressure on boards of directors to oversee and manage risks continues to increase. Over the past decade, corporate India has become much more engaged with and sensitised to ERM.

Leading companies have formed risk management and compliance teams that are integrated within the firm and provide valuable information to the board. Furthermore, boards have taken significant steps to enhance their oversight over firms’ ERM systems.[228] Nevertheless, the continuing pace of risk management failures at leading Indian firms suggests that there is room for improvement. This section examines and draws lessons from the challenges that Indian boards face in the oversight of risk management.

A. Director Independence and Risk Management Oversight

The corporate governance framework of any jurisdiction heavily shapes its approach to risk management and the ability of the board to exercise effective oversight of ERM.[229] Ownership concentration is prevalent in India, as it is in much of the rest of the world.[230] While there are thousands of publicly listed firms in India, even publicly listed Indian firms operate with concentrated shareholding in the hands of a controlling shareholder (promoter) that is often a business family, the state or a foreign multinational.[231] The average shareholding of promoters in listed Indian companies is around 50%.[232] Even post-economic liberalisation, ownership patterns “continue to be skewed toward controlling inside shareholders – a legacy of family-owned business ventures and state nationalisation” and that “the trend seems to be moving away from outside share ownership.”[233]

Promoter control has long vexed corporate governance reforms in India.[234] As with many other jurisdictions, a commonly used tool to institute effective corporate governance has been the requirement of director independence.[235] Both the Companies Act and the SEBI Listing Regulations impose director independence requirements on listed Indian firms. Under Section 149(4) of the Act, every listed company must have at least one-third of the total number of directors as independent directors.[236] For listed companies, the SEBI Listing Regulations similarly prescribe director independence, with no less than 50% of the board of directors comprising non-executive directors.[237]

Further, for listed companies in which the chair of the board is “non-executive,” at least one-third of the board must comprise independent directors and where the listed company does not have a regular non-executive board chair, at least half of the board must comprise independent directors. Where the regular non-executive chair is a promoter of the listed company or is related to any promoter or person occupying management positions at the board level or one level below, at least half of the board of directors of the listed entity must consist of independent directors.[238]

Scholars have noted that the corporate governance reforms enacted through the Companies Act, 2013 and the SEBI Listing Regulations “represent a turning point in the evolution of corporate governance in India and they usher in greater stringency in governance norms, accompanied by further reliance on independent directors as a key institution.”[239] As discussed in Part III above, the Companies Act, the accompanying rules, and the Listing Regulations impose significant responsibilities on independent directors including those with respect to risk management. These changes have been largely welcomed as improving India’s corporate governance standards, but there has also been concern about the large burdens and responsibilities placed on independent directors.[240]

While the legal regime places significant pressure on independent directors to play a monitoring role, including those with respect to risk oversight, board members of Indian companies are still often beholden to promoters who typically control the necessary shareholder vote to elect directors.[241] Furthermore, in firms where promoters also control the management of the company, independent directors must rely on promoters to sufficiently access firm information and effectively participate in their risk management oversight strategies. As the Infosys case study demonstrates, to exercise their oversight responsibilities, independent directors need sufficient access to resources, including independent legal, financial, and accounting advisors.

B. Establishing the “tone at the top”

The board plays a central role in establishing an ethical risk culture.[242] As experts note, “[t]he board’s vision for the corporation should include its commitment to risk oversight, ethics and avoiding compliance failures, and this commitment should be communicated effectively throughout the organisation.”[243] To establish this vision and set “the appropriate ‘tone at the top,’ transparency, consistency and communication” are integral.[244]

A company may put a detailed ERM framework in place for identification, analysis and evaluation of risk, but it must also address cognitive biases in the corporate culture to ensure that behaviors are not contrary to the ERM process.[245] Risk management experts frequently state that a well-defined risk management strategy requires an “open and transparent culture that promotes the right level of dialogue on risks between the board, executive management and the risk owners.”[246]

The ICICI case study reveals the challenges that boards face in establishing a firm’s culture and values in the face of prominent CEOs.[247] Rather than focusing on transparency and establishing its own tone, the ICICI board reiterated its support for Chanda Kochhar, even when information about potential conflicts of interest arose. However, as scholars have noted, boards must be vigilant in overseeing management which has “incentives to under-monitor and under-disclose risk.”[248]

In establishing an effective risk culture, both a risk management architecture and leadership in risk management are necessary.[249] A Chief Risk Officer and ERM team can enable boards and senior officers to communicate openly about risks, arrive at common priorities and collaborate in mitigating them.[250] This team can allocate resources in line with risk priorities in an efficient manner. The crisis at IL&FS shows the potential dangers of an inadequately resourced risk management team with little indication of significant communication between the board and management on key risk factors.

C. Addressing Major Areas of Risk and Preparing for New Risks

In India, many complex areas of risks have emerged in the last decade or so, making risk management particularly challenging. Various corporate scandals, including the ICICI scandal, reveal that corruption, bribery and corporate fraud remain significant risks in India.[251] Over the last decade, other traditional areas of risk, such as political instability, strikes and unrest, appear to have subsided while other risks, such as information and cyber security as well as terrorism and insurgency, have increased in prominence.[252]

Companies in a wide variety of industries have experienced the theft of data and sensitive information, and most companies view cybersecurity and technology disruption among their chief risks.[253] For companies in major cities, the threat of terror attacks has become a growing cause for concern, one which can be hard to manage by the company itself. Governance and regulatory risks, risks arising out of non-compliance with data privacy laws and impact on business due to climate change are some of the new risks that Indian companies have identified.[254]

Not only have risks increased, but frequently such risks are interrelated and pose challenges for firms across business lines. ERM requires a firm to take a portfolio view of risk; boards must consider how various risks interrelate, rather than treating each business and risk individually. Experts also note that proactive boards interact with “think tanks, academic and industry experts to gain better insights” into complex and evolving risks.[255]

In the face of risk complexity, securing an adequate budget and access to resources are necessary for effective risk management.[256] But while the costs of risk management failures can be high, designing and implementing efficient ERM can also be quite costly, especially for small and medium-sized firms. For example, hiring consultants or the necessary staff to develop stress-testing and early warning systems to alert the board regarding significant risks can be difficult to do in smaller companies. In addition, while large firms can establish a chief risk officer function with direct report to the board, doing so is much harder for smaller companies.[257]

D. Overseeing Systems that Integrate Risk and Strategy

As the IL&FS case study reveals, integrating risk management into the overall corporate strategy is a challenge for many Indian firms. “Effective risk management is not about eliminating risk taking, which is a fundamental driving force in business and entrepreneurship.”[258] In other words, taking appropriate risk needs to be at the heart of corporate strategy. The board’s oversight responsibility entails designing an ERM system that is capable of being applied in strategy setting across the enterprise. For this to happen, the board must understand and guide the company’s appetite and ability to take risk and communicate the same to the company’s risk management team.[259]

Operationally, what does ‘tying risk with strategy’ mean for management? It means that risk managers must be integrated in implementing the company’s strategy and must not be separated from the board and management, so that actual risk taken is tied to the company’s risk appetite and ability. Moreover, the ERM programs must be developed with input from various functions in the organisation, such as finance, sales, legal, etc. In India, however, boards have faced the dearth of qualified risk professionals to help tackle the discussion on ERM.[260]

There are important steps that boards can take to enhance the risk management system of a firm and the board’s own role in risk oversight. The COSO 2009 release on effective enterprise risk management oversight recommended that board members must (a) understand the company’s risk philosophy and concur with its risk appetite, (b) review the company’s risk portfolio against that appetite, (c) know the extent to which management has established effective enterprise risk management, and (d) be apprised of the most significant risks and whether management is responding appropriately.[261]

To accomplish these goals, experts have set forth detailed steps that boards should take as part of their risk management oversight, including steps to increase an ongoing risk dialogue with management.[262]

Further, in addition to the steps and processes outlined above, boards should also focus on risk disclosures,[263] to increase transparency in dealings with counterparties and stakeholders. Companies may explore the myriad possibilities of utilising artificial intelligence to identify potential risks in the system and send alerts that can be acted upon immediately.[264] Leading management education institutions in India are revising their curriculum to include multidisciplinary courses on the new and complex risks that the COVID-19 pandemic has generated.[265]

Taking a leaf out of their book and understanding the importance of appropriate identification and mitigation of risks, companies may consider educating and sensitising their employees, management and boards to enable them to not only identify risks, but also to encourage a dialogue between the various levels of personnel on risk strategies. Scholars have also considered outsourcing[266] of risk management process to external experts as a viable option for boards in certain cases. Similarly, boards may also actively engage with lawyers, auditors and risk management advisory agencies to seek their assistance in these processes.[267]

VI. Conclusion

While the corporate governance regime in India seeks to ensure various levels of risk scrutiny, it is up to firms to follow the true spirit of the regulations.[268] India has taken steps to implement risk management into its corporate culture. However, more is required of boards to meet the dynamic demands of risk management wrought by India’s rapidly growing economy and increasing globalisation.

With over 4000 listed companies[269] on the BSE, in what could be Asia’s fastest growing economy,[270] Indian firms are grappling with multifarious issues. As illustrated in the case studies discussed in this article, India has witnessed the downfall of several large firms that previously enjoyed strong investor confidence. The faith of stakeholders in corporations is not strengthened merely by the power of the regulations that govern them, but also by sound and ethical business models. While the overarching umbrella of statutory regulation can extend to govern almost every aspect of corporate risk, the risks that arise out of unethical conduct are difficult to identify and regulate with appropriate oversight and “tone at the top.”

Thus, the board serves as a crucial element of ethical business conduct and consideration of stakeholders’ interests. Recent risk management failures at leading Indian firms have highlighted the nexus between the acts and omissions of boards and the fate of the corporation. To prevent further failures, Indian boards must take more proactive steps. Stronger governance, more robust risk strategies and capable board leadership will make priceless contributions at a micro level, to the corporation itself, and at the macro level, to the Indian economy.

* Senior Associate Dean for Academic Affairs & Professor of Law, UC Davis School of Law.

** Research Associate, The Conference Board, India. Portions of this article were adapted from Afra Afsharipour and Manali Paranjpe, Handbook on Corporate Governance in India: Legal Standards and Board Practices (2nd edn, The Conference Board 2021). Ishika Desai and Evelynn Chun provided excellent research assistance. We thank Professor Umakanth Varottil and an anonymous peer reviewer for their comments.

[1] OECD, Risk Management and Corporate Governance (Report No 6, 2014) (‘RMCG’).

[2] ibid 7.

[3] For an overview of corporate governance reforms in India, see, Umakanth Varottil, ‘The Evolution of Corporate Law in Post-Colonial India: From Transplant to Autochthony’ (2016) 31 American University International Law Review 253.

[4] ‘Risk Survey 2018: Transforming Risks Into Opportunities’ (Deloitte Touche Tohmatsu India LLP, 2018) 11 <> accessed 15 June 2020 (‘Deloitte: Risk Survey 2018’).

[5] George Mathew, ‘IL&FS Mess Got Deeper but its Top Risk Committee Never Met in Last Two Years’ The Indian Express (Mumbai, 3 October 2018).

[6] Umakanth Varottil, ‘Corporate Governance in the Age of a Pandemic’ (IndiaCorpLaw Blog, 4 May 2020) <> accessed 15 June 2020.

[7] ‘Is Corporate Governance Still Relevant During the Pandemic’ (BTG Legal, 11 May 2020), <> accessed 15 June 2020.

[8] Lauren Frayer, ‘Indian Economy Shrinks by 24% as the Country sees its Highest Coronavirus Numbers’ (NPR, 31 August 2020) <> accessed 16 June 2020. 

[9] RMCG (n 1) 10.

[10] Martin Lipton, Daniel A. Neff and Andrew R. Brownstein, ‘Risk Management and the Board of Directors’ (Harvard Law School Forum on Corporate Governance, November 2019) 2-3 <> accessed 16 June 2020 (‘RMBD’). 

[11] Virginia Harper Ho, ‘Board Duties: Monitoring, Risk Management, and Compliance’ in Afra Afsharipour and Martin Gelter (eds), Research Handbook on Comparative Corporate Governance (Edward Elgar Publishing Ltd, forthcoming 2021) 4.

[12] For an excellent comparative analysis of the risk management and compliance regimes in several leading jurisdictions, including the US and UK, see generally, Harper Ho (n 11).

[13] COSO is a joint initiative of five private-sector organisations that provides thought leadership through the development of frameworks and guidance on critical aspects of organisational governance, including enterprise risk management.

[14] ‘COSO’s Enterprise Risk Management–Integrated Framework’ (Enterprise Risk Management Initiative, 1 September 2004) <> accessed 17 June 2020.

[15] Michelle M. Harner, ‘Barriers to Effective Risk Management’ (2010) 40 Seton Hall Law Review 1332.

[16] Committee of Sponsoring Organisation of the Treadway Commission (COSO), Enterprise Risk Management: Integrating with Strategy and Performance (Report No 2, June 2017) (‘COSO ERM’).

[17] RMCG (n 1) 15-16.

[18] ibid 14.

[19] COSO ERM (n 16) 9.

[20] ‘Enterprise Risk Management: Applying Enterprise Risk Management to Environmental Social and Governance-Related Risks’ (Committee of Sponsoring Organisations of the Treadway Commission, October 2018) <> accessed 17 June 2020 (‘COSO ESG’).

[21] ibid 1.

[22] COSO ESG (n 20) 1-3.

[23] Harner (n 15) 1335-36.

[24] COSO ESG (n 20) 3; see also, RMCG (n 1) 10.

[25] RMCG (n 1) 10.

[26] Grant Thornton India LLP, Governance Observer: The Changing Face of Corporate Boardrooms, vol 2 (9 December 2014) 94.

[27] Harner (n 15) 1334.

[28] RMCG (n 1) 16.

[29] See generally, Harper Ho (n 11) for a description of a variety of developments that have transformed the risk oversight function of boards.

[30] RMBD (n 10) 2.

[31] See generally, Varottil (n 3); Afra Afsharipour, ‘Corporate Governance Convergence: Lessons from the Indian Experience’ (2009) 29 Northwestern Journal International Law & Business 335 (‘Afsharipour’).

[32] Martin Lipton, Daniel A. Neff and Andrew R. Brownstein, ‘Risk Management and the Board of Directors’ 4 (Lowell Milken Institute, June 2020), <> accessed 18 June 2020 (‘RMBD-II’).

[33] ibid 4; See, In re Caremark International Inc Derivative Litigation, 698 A 2d 959, 971 (Del Ch 1996) (opening the door for directors to be liable for a failure of board oversight, but only where there is “sustained or systemic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists.”); Marchand v Barnhill, 212 A 3d 805, 821-23 (Del 2019) (noting “the fact that Blue Bell nominally complied with FDA regulations” was not enough, standing alone, for directors to avoid Caremark exposure); see also, Wells Fargo & Co Shareholder Derivative Litigation, In re 282 F Supp 3d 1074, 1099 (ND Cal 2017) (finding that the defendants “ignore[d] the bigger picture by addressing each of these ‘red flags’ in piecemeal fashion,” rather than viewing the ‘red flags’ collectively as the defendants argued).

[34] Harper Ho (n 11) 7 (citing Caremark International Inc Derivative Litigation, In re 698 A2d 959, 971 (Del Ch 1996)).

[35] RMBD-II (n 32) 5.

[36] Marchand v Barnhill 212 A 3d 805, 821-23 (Del 2019) (noting that the board of an ice cream distribution company “had no [board] committee overseeing food safety, no full board-level process to address food safety issues, and no protocol by which the board was expected to be advised of food safety reports and developments”); Hughes v Xiaoming Hu, No CA 2019-0112, 2020 WL 1987029, [16-17] (Del Ch, 27 April 2020) (reasoning that the absence of documents produced in response to a stockholder’s inspection demand was evidence that the directors had failed “to act in good faith to maintain a board-level system for monitoring the company’s financial reporting”).

[37] Clovis Oncology, Inc Derivative Litigation, In re No CA 2017-0222, 2019 WL 4850188 (Del Ch, 1 October 2019) (noting that a board of a life science company developing cancer drugs was “comprised of experts” and “operates in a highly regulated industry,” and that the directors “should have understood” problems with clinical testing of the drug and intervened to address any issues).

[38] ‘SEC Final Rule: Proxy Disclosure Enhancements, Release No 33-9089’ (SEC, 16 December 2009) 1 <> accessed 18 June 2020 (‘SEC Final Rule’).

[39] RMBD-II (n 32) 7; see also, SEC Final Rule (n 38).

[40] Code of Federal Regulations 2020, s 229.105 (Item 105).

[41] ‘Division of Corporation Finance: Coronavirus (COVID-19), CF Disclosure Guidance: Topic No. 9’ (US Securities and Exchange Commission, 25 March 2020) <> accessed 18 June 2020. For example, the SEC has highlighted that although no existing disclosure requirement specifically refers to cybersecurity risks, several requirements may impose an obligation on companies to disclose such risks. See, ‘Commission Statement and Guidance on Public Company Cybersecurity Disclosures: Release No. 33-10459’ (US Securities and Exchange Commission, 26 February 2018) <> accessed 18 June 2020.

[42] NYSE rules require committees to “discuss guidelines and policies to govern the process by which risk assessment and management is undertaken.” See, NYSE Listed Company Manual 2010, s 303A.07; RMBD-II (n 32) 8.

[43] ‘Department of Justice, 9-47.120 – FCPA Corporate Enforcement Policy’ (Justice, March 2019) <> accessed 18 June 2020.

[44] ibid.

[45] For example, the Office of the Comptroller of the Currency (‘OCC’) requires boards of banks to oversee the design and implementation of the risk governance framework, and confirm that the system identifies, measures, monitors, and controls risks. ‘Office of the Comptroller of the Currency, Corporate and Risk Governance’ (OCC, July 2019) 55 <> accessed 18 June 2020.

[46] See, Harper Ho (n 11) 7, 45 (citing Marc Moore and Martin Petrin, Corporate Governance: Law, Regulation, and Theory (Red Globe Press 2017) 220-21 (‘Moore and Petrin’)).

[47] Companies Act 2006, c. 46, s 172(1). For an analysis of the development of the modern risk management regime in the UK, see, Marc T. Moore, ‘The Evolving Contours of the Board’s Risk Management Function in UK Corporate Governance’ (2010) 10(2) Journal of Corporate Law Studies 279.

[48] ‘The Duty of UK Company Directors to Consider Relevant ESG Factors’ (Debevoise & Plimpton, 10 September 2019) 5 <> accessed 19 June 2020 (‘Debevoise & Plimpton’).

[49] ibid 5.

[50] See generally, Andrew Keay, ‘Assessing and Rethinking the Statutory Scheme for Derivative Actions Under the Companies Act 2006’ (2016) 16 Journal of Corporate Law Studies 39. Andrew Keay has argued that the duty as currently articulated and enforced cannot assure that directors will respond to the expansive set of risks facing companies. See generally, Andrew Keay, ‘The Duty to Promote the Success of the Company: Is It Fit for Purpose in a Post-Financial Crisis World?’ in Joan Loughrey (ed), Directors’ Duties and Shareholder Litigation in the Wake of the Financial Crisis (Edward Elgar Publishing 2012).

[51] Companies Act 2006, s 174.

[52] Debevoise & Plimpton (n 48) 7.

[53] ibid.

[54] David Kershaw, The Foundations of Anglo-American Corporate Fiduciary Law (Cambridge University Press 2018) 280.

[55] Moore and Petrin (n 46) 222-225.

[56] Marc Walton and others, ‘Risk & Compliance Management in the United Kingdom’ (Lexology, 6 July 2018), <> accessed 18 June 2020 (‘Marc Walton’).

[57] The Financial Services and Markets Act 2000 (‘FSMA’) addresses corporate risk and risk management for financial services firms and authorises regulation by the Prudential Regulation Authority (‘PRA’) and the Financial Conduct Authority (‘FCA’). See, Financial Services and Markets Act 2000, c. 8, ss 1A-3T. Specifically, the PRA regulates “banks, building societies, credit unions, insurers and major investment firms” while the FCA regulates other financial services firms. See, Marc Walton (n 56).

[58] Deloitte LLP, ‘Internal Control and the Board: What is All the Fuss About?’ (The Deloitte Academy, November 2019) 6 <> accessed 18 June 2020.

[59] ‘UK Corporate Governance Code’ (Institute of Chartered Accountants in England and Wales) <> accessed 6 February 2021. The Financial Reporting Council (‘FRC’) publishes the Code and provides guidance for applying the Code. See, ‘Guidance on Risk Management, Internal Control and Related Financial and Business Reporting’ (Financial Reporting Council, September 2014), <> accessed 6 February 2021; ‘Guidance on the Going Concern Basis of Accounting and Reporting on Solvency and Liquidity Risks’ (Financial Reporting Council, April 2016), <> accessed 6 February 2021.

[60] Such factors include the size, complexity, history and ownership structure of a company. See, ‘2018 UK Corporate Governance Code – FAQs’ (Financial Reporting Council) < code/2018-uk-corporate-governance-code-faqs> accessed 7 February 2021.

[61] ibid.

[62] Principles C and O recommend boards establish an internal framework of prudent and effective controls that enable risk to be assessed and managed. ‘The UK Corporate Governance Code’ (Financial Reporting Council, July 2018) 4, 10, 12 <> accessed 7 February 2021.

[63] ibid. Provisions 24 and 25 encourage use of audit committee and recommend an audit committee consist of independent non-executive directors since the audit committee should be tasked with reviewing risk management systems. Provisions 28 and 29 emphasise the board’s role in assessing principal risks, explaining how risks are being managed or mitigated, and reviewing a company’s risk management and internal control systems.

[64] Securities and Exchange Board of India, Report of the SEBI Committee on Corporate Governance (8 February 2003) (‘Murthy Report’).

[65] Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015, pt III, s 4, no 17(9)(b) (‘Listing Regulations’).

[66] For example, in the recent Nirav Modi scam involving the Punjab National Bank, the RBI, in its statement to the parliamentary panel, emphasised the primary responsibility of the bank’s board in understanding the risks that the bank takes, as well as ensuring the appropriate management of such risks. Nukunj Ohri, ‘RBI on Nirav Modi Fraud: The Buck Stops with PNB’s Board’ Bloomberg Quint (20 June 2018).

[67] See generally, Vikramaditya S. Khanna and Umakanth Varottil, ‘The Rarity of Derivative Actions in India: Reasons and Consequences’ in Harald Baum, Michael Ewing-Chow, and Dan W. Puchniak (eds), Derivative Actions in Major Asian Economies: Legislative Design and Legal Practice (Cambridge University Press 2012); Vikramaditya Khanna, ‘Enforcement of Corporate and Securities Laws in India: The Arrival of the Class Action?’ in Robin Hui Huang and Nicholas Calcina Howson (eds), Enforcement of Corporate and Securities Law: China and the World (Cambridge University Press 2017).

[68] Companies Act 2013, s 134 (Companies Act).

[69] ibid s 177(4)(vii).

[70] Companies Act (n 68) sch IV.

[71] SEBI Listing Regulations, reg 17(9)(b) (‘SEBI Listing Regulations’).

[72] ibid. Original reg 21(5).

[73] SEBI Listing Regulations (n 71) reg 4(2)(f)(ii)(7).

[74] SEBI Listing Regulations (n 71) reg 4(2)(f)(iii)(9).

[75] SEBI Listing Regulations (n 71) reg 4(2)(f)(iii)(10).

[76] SEBI Listing Regulations (n 71) reg 17(9)(b). Further, effective from October 1, 2018, the top 500 listed entities by market capitalisation calculated as on March 31 of the preceding financial year, are required to undertake Directors and Officers insurance (‘D and O insurance’) for all their independent directors of such quantum and for such risks as may be determined by its board of directors. See, SEBI Listing Regulations (n 71) reg 25.

[77] SEBI Listing Regulations (n 71) sch II, pt C.

[78] SEBI Listing Regulations (n 71) sch V.

[79] In case of a listed entity having outstanding equity shares with superior voting rights, at least two thirds of the Risk Management Committee shall comprise of independent directors. SEBI Listing Regulations, reg 21 (as amended by the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) (Fourth Amendment) Regulations 2019, pt III, s 4).

[80] ‘Kotak Committee Recommendations on Corporate Governance Get SEBI Sanction’ (Moneycontrol, 2 April 2019) <> accessed 7 February 2021.

[81] Securities and Exchange Board of India, Report Submitted by the Committee on Corporate Governance (October 2017) (‘Kotak Committee Report’); KPMG, ‘SEBI Decision Regarding Kotak Committee Recommendations’ (March 2018) <> accessed 7 February 2021.

[82] KPMG (n 81).

[83] ibid.

[84] Kotak Committee Report (n 81) 42.

[85] SEBI Listing Regulations, reg 17(9)(a).

[86] Previously this requirement applied only to the top 100 listed companies. This expansion was recommended by the Kotak Committee and accepted by SEBI. See, Kotak Committee Report (n 81) 42.

[87] This was recommended by the Kotak Committee and was accepted by the SEBI. See, SEBI Listing Regulations, reg 21(4).

[88] ‘Consultation Paper on the Applicability and Role of the Risk Management Committee’ (Securities and Exchange Board of India, 10 November 2020) <> accessed 7 February 2021.

[89] ibid.

[90] ‘IL&FS: The Crisis that has India in Panic Mode’ The Economic Times (3 October 2018) (‘IL&FS Panic’).

[91] Shashank Pandey, ‘Explainer: The IL&FS Insolvency Case’ (Bar and Bench, 21 July 2019), <> accessed 7 February 2021.

[92] IL&FS Panic (n 90).

[93] ibid.

[94] IL&FS Panic (n 90).

[95] Abhirup Roy and Aditya Kalra, ‘Rating Agencies knew of Stress at India’s IL&FS, but gave Good Ratings – Audit’ (Reuters, 20 July 2019) <> accessed 7 February 2021.

[96] ‘Explained: What is IL&FS Crisis and How Bad It Is?’ (The Week Magazine, 25 September 2018), <> accessed 7 February 2021.

[97] Hemindra Hazari, ‘Behind IL&FS Default, A Board that Didn’t Bark When It Was Supposed To’ (The Wire, 17 September 2018) <> accessed 7 February 2021.

[98] IL&FS Panic (n 90).


[100] IL&FS Panic (n 90).

[101] IL&FS Panic (n 90).

[102] ‘Press Release’ (Ministry of Corporate Affairs, 1 October 2018), <> accessed 7 February 2021.

[103] ibid.

[104] Pandey (n 91).

[105] ibid.

[106] Pandey (n 91).

[107] Sachin Dave, ‘IL&FS Case: NFRA, ICAI Spar Over Probe into Auditors’ Role’ The Economic Times (27 April 2019).

[108] ‘Union of India, Ministry of Corporate Affairs v IL&FS NCLT Order’ (NCLT, 1 January 2019), <> accessed 7 February 2021.

[109] Pandey (n 91).

[110] ibid.

[111] ‘Key Committees in IL&FS Did not Meet for Years, Reveals RBI Probe’ Livemint (16 August 2019).

[112] ibid.

[113] Jayshree P. Upadhyay, ‘Inside the Audit Lapses That Led to IL&FS Crisis’ Livemint (21 May 2019). 

[114] RMCG (n 1) 12-14.

[115] Umakanth Varottil, ‘Governance of Financial Institutions: Call for a Paradigm Shift’ BloombergQuint (8 October 2018) (‘Varottil: Governance of Financial Institutions’).

[116] ibid 115.

[117] Varottil: Governance of Financial Institutions (n 115) 115.

[118] Varottil: Governance of Financial Institutions (n 115) 115.

[119] ‘Complaint of Arvind Gupta on ICICI Bank – Videocon Loan Frauds’ (Scribd, 15 March 2016), <> accessed 7 February 2021 (‘Gupta Complaint’).

[120] ‘Asia Game Changer Awards: Chanda Kochhar’ (Asia Society, 2015) <> accessed 7 February 2021.

[121] ‘Could Chanda Kochhar have kept her job at ICICI Bank?’ (Institutional Investor Advisory Services Blog, 26 October 2018) <> (‘IiAS: Kochhar job’).

[122] Nirmalya Kumar, ‘India’s Corporate Governance Problem Continues’ BloombergQuint (14 April 2018).

[123] ‘Indian Banks Need to Improve Risk Management, Governance Practices: S&P’ Business Standard (12 April 2018). 

[124] Reserve Bank of India, Department of Regulation, Discussion Paper on Governance in Commercial Banks in India (June 2020) (‘RBI: DPGCB’).

[125] ‘Here’s a Timeline of the ICICI Bank-Videocon Loan Case’ (Moneycontrol, 31 January 2019) <> accessed 7 February 2021 (‘ICICI Timeline’).

[126] ibid.

[127] Gupta Complaint (n 119).

[128] Gupta Complaint (n 119); ‘Who is Deepak Kochhar, the Man at the Centre of the ICICI-Videocon Controversy?’ Business Today (2 April 2018).

[129] ICICI Timeline (n 125).

[130] IiAS: Kochhar job (n 121).

[131] ‘ICICI Bank Statement on Findings in the Enquiry Report of Hon’ble Mr Justice (Retd) B.N. Srikrishna’ (ICICI Bank, 30 January 2019) <> accessed 7 February 2021.

[132] IiAS: Kochhar job (n 121).

[133] ‘Chanda Kochhar: Here’s why the Star Banker Decided to Quit’ The Economic Times (4 October 2018).

[134] Rashmi Rajput and Raghav Ohri, ‘ICICI Probe: CBI had Almost Closed Preliminary Enquiry Against Kochhars’ The Economic Times (28 January 2019) (‘ICICI Probe’).

[135] ibid.

[136] ICICI Probe (n 134).

[137] ICICI Probe (n 134).

[138] ICICI Timeline (n 125).

[139] Sahil Joshi, ‘Srikrishna Panel Finds Chanda Kochhar Violated Norms; Ex-ICICI CEO ‘Deeply Shocked’ Over Board’s Decision’ Business Today (30 January 2019); ‘Full Text: ICICI Bank Statement On Srikrishna Enquiry Report on Chanda Kochhar’ BloombergQuint (30 January 2019) (‘Full Text: ICICI’).

[140] ibid.

[141] Full Text: ICICI (n 139).

[142] Rashmi Rajput, ‘ED Quizzes Chanda Kochhar for 3rd Day in Moneylaundering Case’ The Economic Times (4 March 2019).

[143] ‘Chanda Kochhar Steps Down as Chairperson of Vadodara IIIT’ The Economic Times (24 January 2020).

[144] Rashmi Rajput, ‘Chanda Kochhar’s Husband Deepak Kochhar Arrested by ED in Money Laundering Case’ The Economic Times (8 September 2020).

[145] Vidya, ‘Now ICICI Bank Files Suit Against Chanda Kochhar Seeking Recovery of Funds’ India Today (13 January 2020).

[146] Maulik Vyas and Reena Zachariah, ‘Chanda Kochhar Moves High Court Against ICICI Bank Over Termination’ The Economic Times (1 December 2019) (‘Vyas and Zachariah’).

[147] ibid; ‘ICICI Bank-Videocon Loan Case: Bombay High Court Dismisses Chanda Kochhar’s Plea Against Termination of Employment’ (Firstpost, 5 March 2020) <> accessed 7 February 2021. 

[148] Swati Deshpande, ‘Bombay HC Allows Chanda Kochhar to Amend Plea Against Her Termination’ The Times of India (3 December 2019).

[149] ibid.

[150] ‘Chanda Kochhar’s Writ Petition Shouldn’t Be Entertained, RBI Pleads in Court’ The Financial Express (19 December 2019).

[151] Chanda Deepak Kochhar v ICICI Bank Ltd 2020 SCC OnLine Bom 374; see also, Swati Deshpande, ‘Chanda Kochhar’s Writ Petition Against Termination of Service Not Maintainable: HC’ The Times of India (6 March 2020).

[152] Chanda Deepak Kochhar v ICICI Bank Ltd 2020 SCC OnLine SC 969; see also, ‘Supreme Court Junks Chanda Kochhar’s Plea Challenging Termination as MD, CEO’ The Economic Times (1 December 2020).

[153] Nirmalya Kumar, How CEOs Subvert Boards (30 June 2018), <> accessed 7 February 2021.

[154] Nirmalya Kumar, ‘Comment – ICICI Bank: A Board That Failed’ (Moneycontrol, 25 June 2018), <> accessed 7 February 2021 (‘Kumar: ICICI’).

[155] ibid.

[156] Umakanth Varottil, ‘RBI’s Discussion Paper on Bank Governance’ (IndiaCorpLaw Blog, 15 June 2020) <> accessed 7 February 2021 (‘Varottil’).

[157] ‘Reserve Bank of India Moots 10 Years Cap on Promoters’ CEO Term’ The New Indian Express (12 June 2020) (‘Cap on Promoters’); ‘RBI Moves in to Strengthen Governance in Commercial Banks’ The Hindu Business Line (12 June 2020); ‘RBI Plans to Overhaul Corporate Governance Structure of Banks’ The Economic Times (13 June 2020).

[158] Cap on Promoters (n 157).

[159] RBI: DPGCB (n 124).

[160] Based on the ‘Guidelines on corporate governance principles for banks: Basel Committee on Banking Supervision’ (Bank for International Settlements, July 2015) <> accessed 8 February 2021.

[161] RBI: DPGCB (n 124).

[162] ibid.

[163] Varottil (n 156).

[164] Megha Bahree, ‘Indian Tech Giant Infosys Shaken By Whistleblower Complaints’ (Forbes, 25 October 2019) <–whistleblower-complaints/#1aa4c2101874> accessed 8 February 2021 (‘Bahree’).

[165] Shilpa Phadnis, ‘Anonymous Employees Allege Infosys is Dressing Up its Books’ The Times of India (21 October 2019) (‘Phadnis’).

[166] ‘Five Reasons why CEO Vishal Sikka had to leave Infosys’ The Economic Times (18 August 2017).

[167] Phadnis (n 165).

[168] ibid.

[169] Phadnis (n 165).

[170] Phadnis (n 165).

[171] Bahree (n 164).

[172] Phadnis (n 165).

[173] ‘Infosys Faces Another Whistleblower Complaint, CEO Accused of Misdeeds’ The Economic Times (12 November 2019).

[174] Ayushman Baruah, ‘Infosys CEO Hit by More Charges in Second Whistleblower Letter’ Livemint (12 November 2019).

[175] ‘Press Release: Infosys Update on Whistleblower Complaints’ (Infosys Limited, 24 October 2019) <> accessed 8 February 2021 (‘Infosys’).

[176] Bahree (n 164).

[177] ‘NFRA, RoC Seek Information on Whistleblower Complaints: Infosys’ The Economic Times (6 November 2019).

[178] Infosys (n 175).

[179] ‘Press Release: Infosys Company Statement’ (Infosys Limited, 22 October 2019), <> accessed 8 February 2021.

[180] ibid.

[181] ‘Press Release, Infosys Audit Committee Finds No Evidence of Financial Impropriety of Executive Misconduct’ (Infosys Limited, 10 January 2020) <> accessed 8 February 2021 (‘Press Release: No Evidence of Financial Impropriety’).

[182] ibid.

[183] Press Release: No Evidence of Financial Impropriety (n 181).

[184] Press Release: No Evidence of Financial Impropriety (n 181).

[185] Press Release: No Evidence of Financial Impropriety (n 181).

[186] ‘Infosys Gets Clean Chit from SEC in Whistleblower Complaint Case’ Mint (24 March 2020).

[187] ‘Company Statement’ (Infosys Limited, 24 March 2020).

[188] ‘Financials & Filings’ (Infosys Limited, 27 November 2020).

[189] Megha Mandavia, ‘Class Action Lawsuit Dismissed Against Infosys’ The Economic Times (22 May 2020); ‘Infosys Down 2.50% as US Law Firm Files Suit’ The Hindu Business Line (12 December 2019).

[190] ‘Infosys Faces Another Lawsuit in US’ The Economic Times (12 December 2019).

[191] ‘Class Action Lawsuit Dismissed’ (Infosys Limited, 22 May 2020).

[192] ‘Form 6-K’ Infosys Ltd, SEC filing for quarter ended March 31, 2020, filed on April 20, 2020.

[193] ‘Related Party Transaction Policy’ (Infosys Limited, 20 April 2020) (‘Infosys 2020 Related Party Transaction Policy’); ‘Related Party Transaction Policy’ (Infosys Limited, 12 April 2019) (‘Infosys 2019 Related Party Transaction Policy’).

[194] Infosys 2020 Related Party Transaction Policy (n 193); Infosys 2019 Related Party Transaction Policy (n 193).

[195] ‘Whistleblower Policy’ (Infosys Limited, 1 April 2019).

[196] ‘Transcripts of the Press Conference and Earnings Call Conducted after the Meeting of Board of Directors on January 10, 2020’ (Infosys Limited, 10 January 2020).

[197] Vasanthi Vara, ‘Coronavirus in India: How the Covid-19 Could Impact the Fast-Growing Economy’ (Pharmaceutical Tech, 20 April 2020) <> accessed 9 February 2021.

[198] Umakanth Varottil, ‘Corporate Governance in the Age of a Pandemic’ (IndiaCorpLaw, 4 May 2020) <> accessed 9 May 2021.

[199] ‘Covid-19 Regulatory Updates (Corporate And Commercial) – Volume I’ (Khaitan & Co. 1, 2 (2020)) <> accessed 9 February 2021; ‘Measures Taken by MCA and SEBI in Light of the COVID-19 Outbreak’ (AZB & Partners, 21 March 2020) <> accessed 9 February 2021 (noting companies are permitted to hold meetings via video conferencing or other audio visual means until June 30, 2020) (‘AZB’); see also, Sourav Kanti De Biswas and others, ‘COVID-19 – Temporary Relaxations for Corporate Compliances’ (Cyril Amarchand Mangaldas: India Corp L Blog, 8 April 2020) <> accessed 9 February 2021 (explaining that listed entities are exempted from the maximum gap requirement between board and audit committee meetings held between December 1, 2019 and June 30, 2020) (‘Sourav Kanti De Biswas’); ‘Coronavirus: Sebi Allows Listed Companies to File Q4 Results by June 30’ The Financial Express (20 March 2020) <> accessed 9 February 2021 (noting the extension for companies to file their quarterly and annual financial results by June 30, 2020).

[200] Sourav Kanti De Biswas (n 199); AZB (n 199).

[201] Sharon Sutherland, ‘Four Ways Boards Can Oversee Risk Management Beyond COVID-19’ (EY, 19 October 2020) <> accessed 9 February 2021.

[202] ‘Impact of Covid-19 on India Inc.’ (Cyril Amarchand Mangaldas 1, 8-9 (2020)), <> accessed 9 February 2021 (‘COVID-19 Impact: CAM’).

[203] Sandip Bhagat and others, ‘COVID-19: Certain Issues to Consider for Listed Indian Companies’ (S&R Associates, 27 April 2020) <> accessed 9 February 2021.

[204] Bharat Vasani and others, ‘Covid-19: Officially A Pandemic’ (Cyril Amarchand Mangaldas: India Corp L Blog, 18 March 2020) 18-20 <> accessed 10 February 2021 (‘Vasani’).

[205] ‘Tread With Caution to Ensure Compliance With Competition Law: CII Tells Cos Amid Covid-19 Crisis’ The Economic Times (24 May 2020) (warning companies to be wary of enticing opportunities to collaborate with competitors).

[206] Sachin Dave, ‘Companies to See Frauds in Their CSR Programs During Covid-19 Pandemic: EY Report’ The Economic Times (20 May 2020) (“Lack of due diligence on implementation partners, weak governance and limited management involvement are contributing to ethical lapses and fraud in corporate social responsibility (CSR) programs, the report said.”).

[207] Sreeradha Basu, ‘Employee Safety Top Priority of Companies, Finds Survey on Covid-19 Impact’ The Economic Times (3 June 2020).

[208] Kala Vijayaraghavan and Lijee Philip, ‘Company Boards Click On Virtual Mode to Hold Meetings’ The Economic Times (15 May 2020).

[209] Arjun Lall and others, ‘Corporate House-Keeping During a Crisis’ (Cyril Amarchand Mangaldas: India Corp L Blog, 17 April 2020) <> accessed 11 February 2021; ‘Informal Board Meetings Surge in Times of Covid’ The Economic Times (19 May 2020) (‘Meetings Surge’).

[210] Meetings Surge (n 209).

[211] Prachi Goel and others, ‘COVID-19 Pandemic: What to (or Not to) Do – A Quick Guide for Decision Makers’ (S&R Associates, 16 April 2020) <> accessed 11 February 2021 (‘Goel’); Maheshwari Sundaresh and others, ‘Vote from Home – A Positive Move for Shareholder Meetings’ (Cyril Amarchand Mangaldas: India Corp L Blog, 29 April 2020) <> accessed 11 February 2021.

[212] ‘COVID-19 Update – MCA Permits Holding of AGMs Through Video Conferencing or Other Audio Visual Means’ (AZB & Partners, 15 May 2020) <> accessed 12 February 2021; ‘COVID-19 Update – MCA Permits Holding of EGMs Through Video Conferencing’ (AZB & Partners, 17 April 2020) <> accessed 12 February 2021.

[213] ‘Impact of Covid-19 on India Inc.’ (Cyril Amarchand Mangaldas, 2020) 1, 8-9 <> accessed 13 February 2021 (‘COVID-19 Impact: CAM’).

[214] Goel (n 211).

[215] Vasani (n 204); see also, SEBI Circular No SEBI/HO/CFD/CMD1/CIR/P/2020/84 dated May 20, 2020 on Advisory on disclosure of material impact of COVID–19 pandemic on listed entities under SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015. The circular sets out an illustrative list of information for companies to consider while disclosing the impact of the pandemic on their operations. SEBI also directed companies to assess and disclose the financial impact of the COVID-19 pandemic on their business and financial statements, to the extent possible.

[216] Sharad Abhyankar and Saranya Mishra, ‘India: Corporate Governance in the times of COVID-19’ (Mondaq, 18 April 2020) <> accessed 13 February 2021 (‘Abhyankar and Mishra’).

[217] COVID-19 Impact: CAM (n 202) 8-9.

[218] ‘Stepping in: The board’s role in the COVID-19 crisis’ (Deloitte – Global Center for Corporate Governance, March 2020) <–the-board-s-role-in-the-covid-19-crisis—deloitte-.html> accessed 13 February 2021 (‘Deloitte 2020’).

[219] Stephen Kemash, ‘COVID-19: Board Oversight During Times of Uncertainty’ (Ernst & Young Global Limited, 19 March 2020) <> accessed 13 February 2021 (‘Kemash’); Vasani (n 204).

[220] ‘COVID-19’s Workplace Disruption: A Test of Board Resiliency (An Expanded Discussion)’ (Protiviti) <> accessed 13 February 2021.

[221] Rica Bhattacharyya, ‘Uncertain Times Call for Certain CXO Protocol’ The Economic Times (29 May 2020) (highlighting how Tech Mahindra’s contingency plan seamlessly fills critical and senior management roles in case of an unexpected absence or quarantine); Writankar Mukherjee, ‘ITC Developing Business Continuity Plan Amidst Coronavirus Outbreak’ The Economic Times (19 March 2020) (noting ITC Ltd’s comprehensive business continuity plan).

[222] Goel (n 211).

[223] Kemash (n 219).

[224] Abhyankar and Mishra (n 216).

[225] Shivaji Bhattacharya and Anindhya Shrivastava, ‘COVID-19: Implications on the Data Protection Framework in India’ (S&R Associates, 30 April 2020) <> accessed 13 February 2021.

[226] Deloitte 2020 (n 218).

[227] RMCG (n 1) 53.

[228] Deloitte: Risk Survey 2018 (n 4) 5.

[229] See generally, RMCG (n 1).

[230] Adriana De La Cruz, Alejandra Medina and Yung Tang, ‘Owners of the World’s Listed Companies: OECD Capital Market Series’ (OECD, 2019) 6 <> accessed 13 February 2021.

[231] Afsharipour (n 31) 362-65.

[232] ‘Ownership Structure of Listed Companies in India’ (OECD, 2020), <> accessed 13 February 2021 (‘OECD: Listed Companies in India’).

[233] George S. Geis, ‘Shareholder power in India’ in Jennifer G. Hill and Randall S. Thomas (eds), Research Handbook on Shareholder Power (Edward Elgar Publishing 2015) 592; see also, OECD: Listed Companies in India (n 232) 9 (finding that “the portion of companies where the promoter’s share ranges between 50% and 75% has increased over the years.”).

[234] Afsharipour (n 31) 393-97.

[235] For an analysis of the history and promise of director independence in India, see, Vikramaditya Khanna and Umakanth Varottil, ‘Board Independence in India: From Form to Function?’ in D. Puchniak, H. Baum, and L. Nottage (eds), Independent Directors in Asia: A Historical, Contextual and Comparative Approach (Cambridge University Press 2017) 352-389 (‘Khanna and Varottil’).

[236] Companies Act 2013, s 149(4).

[237] SEBI (Listing Obligations and Disclosure Requirements) Regulations 2019, reg 17(1).

[238] SEBI Listing Regulations, pt III, s 4, no 17.

[239] Khanna and Varottil (n 235) 372.

[240] ibid 373, 378.

[241] Khanna and Varottil (n 235) 376-377.

[242] RMCG (n 1) 60.

[243] RMBD (n 10) 3.

[244] RMBD (n 10) 2.

[245] Harper Ho (n 11) 14.

[246] Deloitte: Risk Survey 2018 (n 4) 28.

[247] Kumar: ICICI (n 154).

[248] Harper Ho (n 11) 13.

[249] Deloitte: Risk Survey 2018 (n 4) 8.

[250] ibid.

[251] Pinkerton and FICCI, ‘India Risk Survey 2019’ (Pinkerton, 2019) <> accessed 13 February 2021 (‘Pinkerton and FICCI’).

[252] See generally, Deloitte: Risk Survey 2018 (n 4); Pinkerton and FICCI (n 251).

[253] Deloitte: Risk Survey 2018 (n 4) 20, 22.

[254] Pinkerton and FICCI (n 251).

[255] Deloitte: Risk Survey 2018 (n 4) 16.

[256] ibid 32.

[257] Deloitte: Risk Survey 2018 (n 4) 11.

[258] RMCG (n 1) 12.

[259] ibid.

[260] Sonjai Kumar, ‘Current Risk Management Position in India’ (Legal Era Online, 9 November 2017) <> accessed 13 February 2021.

[261] Commission of Sponsoring Organisation of the Treadway Commission (COSO), Effective Enterprise Risk Oversight: The Role of the Board of Directors (2009), 3-4.

[262] Martin Lipton, Sabastian V Niles, and Marshall L Miller, ‘Risk Management and the Board of Directors’ (Harvard Law School Forum on Corporate Governance, 20 March 2018) <> accessed 13 February 2021.

[263] David Bergeron and Michelle Daisley, ‘The Role of the Board in Risk Management- Perspectives for Indian Financial Institutions’ (Oliver Wyman, 2012) <> accessed 13 February 2021.

[264] Sharon Sutherland, ‘COVID-19: Five Ways Boards can Help Businesses Improve their Resilience’ (EY, 23 April 2020) <> accessed 13 February 2021.

[265] Gunjan Sharma, ‘Risk management to HR dynamics: Lessons from COVID-19 to Take Centre Stage at B-Schools’ (Business Insider, 12 May 2020) <> accessed 13 February 2021.

[266] Harper Ho (n 11) 19-20.

[267] ibid 19.

[268] For example, the Risk Management Committee of the IL&FS met only once between 2015 and 2018. Surya Sarathi Ray, ‘IL&FS Risk: Leverage Rose to 13, but Risk Panel Met Just Once in 4 Years’ The Financial Express (3 October 2018).

[269] For a list of companies listed on the BSE in the equity segment, see, ‘List of Securities’ (BSE) <> accessed 13 February 2021.

[270] Puneet Wadhwa, ‘Nomura Says India would be Fastest growing Asian Economy in 2021’ Business Standard (9 December 2020).

