Risk Management Policy

I           Purpose:


    • The purpose of this memorandum is to document the Risk Management Policy of the Company.

The main objective of this policy is to ensure sustainable business growth with stability and to promote a pro-active approach in reporting, evaluating and resolving risks associated with the business. To achieve this key objective, the policy establishes a structured and disciplined approach to Risk Management to guide decisions on risk-related issues. The specific objectives of the Risk Management Policy are:

  • To ensure that all the current and future material risk exposures of the company are identified, assessed, appropriately mitigated and managed.


  • To establish a framework for the company’s risk management process and to ensure implementation.
  • To ensure systematic and uniform assessment of risks related to the project.


  • To enable compliance with appropriate regulations, wherever applicable, through the adoption of best practices.
  • To assure business growth with financial stability.


II          Definitions:

1) “Risk” is an uncertain future situation or event, which could influence the achievement of the Company’s objectives or realization of opportunities, including strategic, operational, financial and compliance objectives.

2) “Risk Management” is the process of systematically identifying, quantifying, and managing all risks and opportunities that can affect achievement of a corporation’s strategic and financial goals.

3) “Risk Strategy” of a company defines the company’s standpoint towards dealing with various risks associated with the business. It includes the company’s decision on the risk tolerance levels, and acceptance, avoidance or transfer of risks faced by the company.

4) “Risk appetite” is an expression of how much risk an organization is prepared to take. It can vary over time and from work area to work area. If the Company’s risk appetite is clearly articulated to staff, they can take this into account while making their decisions.

III        Underlying approach to Risk Management:

The following key principles outline the Company’s approach to risk management and internal control:

      • The Audit Committee (“The Committee”) assumes responsibility for overseeing risk management within the Companies


      • The Committee should routinely identify and evaluate the risk for achievement of business objectives. This would include regular assessment of both the significance and the likelihood of occurrence of the risks arising. Having assessed the significance and likelihood of the risks arising, a Risk Prioritization program should be devised in addressing higher priority items.
      • An open and receptive approach in solving risk problems should be adopted by the Committee


      • All staff members are responsible for encouraging good risk management practice within their areas of work and for taking decisions and working as per the Risk Management Policy approved and adopted.


IV        Role of the Committee

The Committee will be responsible for management of risks associated with the operations of the Company.  It will inter alia:

      • Set the tone and influence the culture of risk management within the company. This includes:

        • communicating approach to risk


        • determining which type of risks are acceptable and which are not
        • setting the standards and expectations of staff with respect to conduct and probity.


      • Determine the appropriate risk appetite or level of exposure for the company.
      • Receive assurance that the preventable risks are being actively managed, with the appropriate controls in place and working effectively


      • Periodically review the Company’s approach to risk management and approve changes or improvements to key elements of its processes and procedures.



V         Risk Management Process:

Conscious that no entrepreneurial activity can be undertaken without assumption of risks and associated profit opportunities, the Company operates on a Risk Management Process / Framework aimed at minimization of identifiable risks after evaluation, so as to enable management to take informed decisions.

Broad outline of the framework is as follows:

      • Risk Identification: Management identifies potential events that may positively or negatively affect a company’s ability to implement its strategy and achieve its objectives and performance goals. The identification process is carried out in such a way that an expansive risk identification covering operations and support functions is put together and dealt with.


      • Root Cause Analysis: Undertaken on a consultative basis, Root Cause Analysis enables tracing the reasons / drivers for existence of a risk element and helps in developing appropriate mitigation action.
      • Risk Scoring: Management considers qualitative and quantitative methods to evaluate the likelihood and impact of identified risk elements. Likelihood of occurrence of a risk element within a finite time is scored based on polled opinion or from analysis of event logs drawn from the past. Impact is measured based on a risk element’s potential impact on cost, revenue, profit etc. should the risk element materialize.


      • Risk Categorization: The identified risks are further grouped into (i) Preventable, (ii) Strategic and (iii) External categories to homogenize risks.


        • Preventable Risks are largely internal to the organization and are operational in nature. The endeavor is to reduce / eliminate the events in this category as they are controllable. Standard operating procedures and Audit Plans are relied upon to monitor and control such internal operational risks that are preventable.


        • Strategy Risks are risks voluntarily assumed by the Senior Management in order to generate superior returns / market share from its strategy. The approach to strategy risk is ‘Accept’ / ‘Share’, backed by a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur.
        • External risks arise from events beyond the organization’s influence or control. They generally arise from natural and political disasters and major macroeconomic shifts. Management regularly endeavors to focus on their identification and impact mitigation through an ‘avoid’ / ‘reduce’ approach that includes measures like Business Continuity Plan / Disaster Recovery Management Plan / Specific Loss Insurance / Policy Advocacy etc.


      • Risk Prioritization: Based on the evaluation, risks are prioritized for mitigation actions and reporting.
      • Risk Mitigation Plan: Management develops appropriate responsive action on review of various alternatives, costs and benefits, with a view to managing identified risks and limiting the impact to tolerance level. Risk Mitigation Plan drives policy development as regards risk ownership, control environment timelines, standard operating procedure etc. 


             Risk Mitigation Plan is the core of effective risk management. The mitigation plan covers:

        • Required Action
        • Required Resources
        • Responsibilities
        • Timing
        • Performance Measures and
        • Reporting and Monitoring requirements


Hence it is drawn up in adequate precision and specificity to manage identified risks with a systematic approach (accept, avoid, reduce, share) towards the risks with specific responsibility assigned for management of the risks.

      • Risk Monitoring: It is designed to assess on an ongoing basis, the functioning of risk management components and the quality of performance over time. Staff members are encouraged to carry out assessments throughout the year.


Options for dealing with risk:
There are various options for dealing with risk.

Tolerate – if we cannot reduce the risk in a specific area (or if doing so is out of proportion to the risk) we can decide to tolerate the risk; i.e., do nothing further to reduce the risk.

Transfer – here risks might be transferred to other organisations, for example by use of insurance or transferring out an area of work.

Terminate – this applies to risks we cannot mitigate other than by not doing work in that specific area. So if a particular project is of very high risk and these risks cannot be mitigated we might decide to cancel the project.

      • Risk Reporting: Periodically key risks are reported to the Board of Directors or Chairman and Managing Director or Chief Executive Officer or Executive Director or Chief Financial Officer with causes and mitigations undertaken / proposed to be undertaken.


VI          Periodical Review of Effectiveness:

Effectiveness of Risk Management Framework is ensured through periodical review / Internal Audits. These play an important role in providing assurance to the Audit Committee that the critical processes continue to perform effectively, key measures and reports are reliable and established policies are in compliance.

As the risk exposure of any business may undergo change from time to time due to the continuously changing environment, the updation of the Risk Policy will be done as and when required.

Approval of the Policy:

The Board of Directors will be the approving authority for the company’s overall Risk Management System. The Board will, therefore, approve the Risk Management Policy and any material amendments thereto from time to time.

VII      Summation:

The above framework is proposed as a broad risk management policy of the Company.