Risk Assessment and Management Policy

1. SCOPE

Pursuant to Regulation 17(9), Regulation 21 and other applicable provisions of the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015 (“SEBI Listing Regulations”) and the applicable provisions of the Companies Act, 2013, this Risk Assessment and Management Policy (“Policy”) establishes the philosophy of Anupam Rasayan India Limited (“Company”) towards risk identification, analysis and prioritization of risks, development of risk mitigation plans and reporting on the risk environment of the Company. This Policy is applicable to all the functions, departments and geographical locations of the Company. The purpose of this Policy is to define, design and implement a risk management framework across the Company to identify, assess, manage, monitor, report and mitigate risks. In line with this purpose, the Policy aims to identify potential events that may affect the Company, manage risk within the risk appetite and provide reasonable assurance regarding the achievement of the Company’s objectives. This provides a broad approach to ensure that key aspects of risk that have a wide impact are considered in the Company’s conduct of business.

Risk: Risk is an event which can prevent, hinder or obstruct an enterprise from achieving its objectives. A business risk is the threat that an event or action may adversely affect an enterprise’s ability to maximize stakeholder value and to achieve its business objectives. 

Risk can cause financial disadvantages, such as increased costs, loss of funds or damage to assets. It can result in loss of value and/or loss of an opportunity to enhance the enterprise's operations or activities.

Risk is the product of probability of occurrence of an event and the financial impact of such occurrence to an enterprise. 

2. OBJECTIVE

 The objective of this Policy is to manage the risks involved in all activities of the Company, to maximize opportunities and minimize adversity. This Policy is intended to assist in decision-making processes that will minimize potential losses, improve the management of uncertainty, and foster an approach to new opportunities, thereby helping the Company to achieve its objectives. The objectives of this Policy can be summarized as follows: 

  1. To manage risks within an institutionalized framework by establishing an effective mechanism and consistently achieving desired outcomes;
  2. To protect and enhance corporate governance;
  3. To implement a process for identifying potential and emerging risks;
  4. To implement appropriate risk management initiatives, controls, incident monitoring, reviews, and continuous improvement efforts;
  5. To minimize undesirable outcomes arising from potential risks; and
  6. To align and integrate risk perspectives across the enterprise.

3. COMPONENTS OF A SOUND RISK MANAGEMENT SYSTEM

The risk management system in the Company should have the following key features:

  1. Active oversight by the board of directors, committees and senior management;
  2. Appropriate policies, procedures, and limits;
  3. Comprehensive and timely identification, assessment, mitigation, control, monitoring and reporting of risks;
  4. Appropriate management information systems at the business level;
  5. Comprehensive internal controls in accordance with current regulations; and
  6. A risk culture and communication framework.

4. RISK GOVERNANCE

An organization’s ability to conduct effective risk management depends on having an appropriate risk governance structure, and well-defined roles and responsibilities. Risk governance signifies the way the business and affairs of an entity are directed and managed by its board of directors and senior management.

5. RISK MANAGEMENT FRAMEWORK

The Risk Management Committee formed by the Board of Directors of the Company (“Board”) shall evaluate the risk management systems so that management controls the risk through a properly defined network. An effective risk management framework requires consistent processes for assessment, mitigation, monitoring and communication of risk issues across the Company.

Heads of departments shall be responsible for implementation of the risk management system as may be applicable to their respective areas of functioning.

6. RISK MANAGEMENT PROCESS

 Conscious that no entrepreneurial activity can be undertaken without assumption of risks and associated profit opportunities, the Company operates within a risk management framework designed to evaluate and minimize identifiable risks. This enables the management to make informed, strategic decisions.

 Broad outline of the framework is as follows:

a) Risk Identification: Management identifies potential events that may either positively or negatively affect the Company’s ability to implement its strategy and achieve its objectives and performance goals. Potentially negative events represent risks and are assigned a unique identifier. The identification process is carried out in such a way that an expansive risk identification, covering operations and support functions, is put together and dealt with.

The Company at present identifies the following key material internal and external risks: 

  1. Financial risk;
  2. Operational safety risk including sector specific health hazards;
  3. Human resource risk;
  4. Competition risk;
  5. Legal and Compliance risk in terms of compliance with policies, procedures etc. whether internal or regulatory, laws, regulations, rules, guidelines etc. as may be applicable to the Company;
  6. Political and economic risk including geo-political risk;
  7. Technological obsolescence risk; 
  8. Supply-chain disruption risk;
  9. Sustainability risk including environmental social and governance (“ESG”) risk;
  10. Information risk;
  11. Information Technology including Cyber Security risk; and   
  12. Foreign Exchange and interest rate exposure risk.
     

b) Root Cause Analysis: Undertaken on a consultative basis, root cause analysis enables tracing the reasons / drivers for the existence of a risk element and helps in developing appropriate mitigation action.

c) Risk Scoring: Management considers qualitative and quantitative methods to evaluate the likelihood and impact of identified risk elements. Likelihood of occurrence of a risk element within a finite time is scored based on expert opinion or analysis of past event logs. Impact is measured based on a risk element’s potential impact on cost, revenue, profit etc. should the risk element materialize. 

The composite scores of impact and likelihood are tabulated in an organized manner, and the table is known as a ‘Risk Register’. The Company has assigned quantifiable values to each risk element based on the “impact” and “likelihood” of the occurrence of the risk, using a scale of 1 to 3, as follows:

 

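| Impact      | Score | Likelihood          | Score     |
|-------------|-------|---------------------|-----------|
| Minor       | 1     | Low / Medium / High | 1 / 2 / 3 |
| Moderate    | 2     | Low / Medium / High | 1 / 2 / 3 |
| Significant | 3     | Low / Medium / High | 1 / 2 / 3 |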

The resultant “action required” shall be derived based on the combined effect of impact and likelihood and shall be quantified as above.

 d) Risk Categorization:

The identified risks are further grouped into (a) preventable; (b) strategic; and (c) external categories to homogenize risks:

  1. Preventable risks are largely internal to the Company and are operational in nature. The endeavor is to reduce/eliminate the events in this category as they are controllable. Standard operating procedures and audit plans are relied upon to monitor and control such internal operational risks that are preventable.
  2. Strategy risks are risks voluntarily assumed by the senior management in order to generate superior returns / market share from its strategy. The approach to strategy risk is ‘accept’/‘share’, backed by a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the Company’s ability to manage or contain the risk events should they occur.
  3. External risks arise from events beyond the organization’s influence or control. They generally arise from natural and political disasters and major macroeconomic shifts. Management regularly endeavours to focus on their identification and impact mitigation through an ‘avoid’/‘reduce’ approach that includes measures like business continuity plan / disaster recovery management plan / specific loss insurance / policy advocacy etc.

 e) Risk Prioritization:

Based on the composite scores, risks are prioritized for mitigation actions and reporting.

 f) Risk Mitigation Plan:

Management develops appropriate responsive action on review of various alternatives, costs and benefits, with a view to managing identified risks and limiting the impact to tolerance level. The risk mitigation plan drives policy development as regards risk ownership, control environment timelines, standard operating procedure, etc.

The risk mitigation plan is the core of effective risk management. The mitigation plan covers:

  1. Required action(s);
  2. Required resources;
  3. Responsibilities;
  4. Timing;
  5. Performance measures; and
  6. Reporting and monitoring requirements.

Hence, it is drawn up with adequate precision and specificity to manage identified risks in terms of a documented approach (accept, avoid, reduce, share, transfer) towards the risks, with specific responsibility assigned for management of the risks. The Company is required to manage its exposure to the risk arising from fluctuations in foreign currency rates and interest rates and has in place a risk mitigation plan/policy to manage the forex and interest rate exposure risk.

g) Business Continuity Plan

The Company shall devise the Business Continuity Plan (“BCP”) outlining the procedures and instructions to restore the critical business functions in the event of disruptions by identifying the critical business functions, resources, time etc. required to respond to the disruptions, support in restoring the critical functions and implementing strategies to recover the business after an unanticipated event.

h) Risk Monitoring:

Risk monitoring is designed to assess, on an ongoing basis, the functioning of risk management components and the quality of performance over time. Senior management are encouraged to carry out assessments throughout the year.

 i) Options for dealing with risk

There are various options for dealing with risk.

Tolerate – If we cannot reduce the risk in a specific area (or if doing so is out of proportion to the risk) we can decide to tolerate the risk; i.e., do nothing further to reduce the risk. Tolerated risks are simply listed in the corporate risk register.

Transfer – Here risks might be transferred to other organizations, for example by use of insurance or transferring out an area of work.

Terminate – This applies to risks we cannot mitigate other than by not doing work in that specific area. So if a particular project is of very high risk and these risks cannot be mitigated we might decide to cancel the project.

 j) Risk Reporting:

Periodically, key risks, if any, are reported to the Board or an empowered committee by the Risk Management Committee, with causes and mitigations undertaken/proposed to be undertaken.

k) Risk Management Measures adopted in general by the Company:

The Company has adopted various measures to mitigate the risk arising out of various areas described above, including but not limited to the following:

  1. A well-defined organization structure;
  2. Defined flow of information to avoid any conflict or communication gap;
  3. Hierarchical support personnel to avoid work interruption in absence/ non-availability of functional heads;
  4. Discussion and implementation on financial planning with detailed business plans;
  5. Detailed discussion and analysis of periodic budgets;
  6. Employees training and development programs;
  7. Internal control systems to detect, resolve and avoid any frauds;
  8. Systems for assessment of creditworthiness of existing and potential contractors/subcontractors/ dealers/vendors/ end-users;
  9. Redressal of grievances by negotiations, conciliation and arbitration; and
  10. Defined recruitment policy.

7. COMMUNICATION AND CONSULTATION

Appropriate communication and consultation with internal and external stakeholders should occur at each stage of the risk management process as well as on the process as a whole.

8. PERIODICAL REVIEW OF EFFECTIVENESS

The effectiveness of the risk management framework is ensured through periodical internal audits. These audits play an important validation role to provide assurance to the audit committee that critical processes continue to perform effectively, key measures and reports are reliable, and established policies are in compliance.

As the risk exposure of any business may undergo change from time to time due to evolving environment, this Policy will be updated as and when required.

 9. ROLES & RESPONSIBILITIES 

Board of Directors: 
The Board of Directors (“Board”) will undertake the following actions to ensure risk is managed appropriately:

  • the Board shall define the role and responsibility of the Risk Management Committee and may delegate monitoring and reviewing of the risk management plan to the Committee and such other functions as it may deem fit including cyber security;
  • the Board shall frame, implement and monitor the risk management plan and policy for the Company or authorise the Risk Management Committee and ensure that the systems for risk management are in place; 
  • the Board shall ensure that, while rightly encouraging positive thinking, these do not result in over-optimism that either leads to significant risks not being recognized or exposes the listed entity to excessive risk;
  • the Board shall participate in major decisions affecting the organization’s risk profile; 
  • the Board shall ensure that the risk management is integrated into board reporting and annual reporting mechanisms. 

Risk Management Committee
The role of the Committee shall, inter alia, include the following: 

  • to formulate a detailed risk management policy which shall include: 
    1. a framework for identification of internal and external risks specifically faced by the listed entity, in particular including financial, operational, sectoral, sustainability (particularly ESG related risks), information, cyber security risks or any other risk as may be determined by the Committee; 
    2. measures for risk mitigation including systems and processes for internal control of identified risks; 
    3. business continuity plan. 
  • to ensure that appropriate methodology, processes and systems are in place to monitor and evaluate risks associated with the business of the Company; 
  • to formulate/re-formulate, assess, implement, monitor, recommend the risk management system and policy of the Company from time to time and approve/ recommend any amendment or modification thereof including evaluating the adequacy of risk management system; 
  • to periodically review the risk management policy, at least once in two years, including by considering the changing industry dynamics and evolving complexity; 
  • to review the Company’s risk appetite and strategy relating to key risks as well as the guidelines, policies and processes for monitoring and mitigating such risks and any other risks associated with the business of the Company;
  • to oversee the Company’s process and policies for determining risk tolerance and review management’s measurement and comparison of overall risk tolerance to established levels, monitor breach/trigger trips of risk tolerance limits and recommend action;
  • to review and analyse risk exposure related to specific issues, concentrations and limit excesses, and provide oversight of risk across the organization;
  • to review and recommend potential risk involved in any new business plans and processes;
  • to keep the Board informed about the nature and content of its discussions, recommendations and actions to be taken and to carry out any other function as is referred by the Board from time to time or required under the relevant provisions of the applicable laws, regulations and various circulars issued by the regulatory authorities, from time to time;
  • the appointment, removal and terms of remuneration of the Chief Risk Officer (if any) shall be subject to review by the Risk Management Committee; 
  • to seek information from any employee, obtain outside legal or other professional advice and secure attendance of outsiders with relevant expertise, if it considers necessary;
  • to nurture a healthy and independent risk management function in the Company.

The Risk Management Committee shall coordinate its activities with other committees, in instances where there is any overlap with activities of such committees, as per the framework laid down by the Board. 

Audit Committee:

The Audit Committee is delegated responsibilities which, inter alia, include the evaluation of internal financial controls and risk management systems.

10. AMENDMENT OF THE POLICY

Any amendments to this Policy shall be approved by the Board of Directors or the Risk Management Committee or any of its committees (as may be authorized by the Board of Directors in this regard). The Board of Directors or Risk Management Committee or any of its authorized committees shall have the right to withdraw and / or amend any part of this Policy or the entire Policy, at any time, as they deem fit. The decision of the Board or its committee in this respect shall be final and binding. 

Any subsequent amendment / modification in the SEBI Listing Regulations or any other applicable laws shall automatically apply to this Policy. 

-----------------------------------------------------------------------------------------------------------------------------------------------

Policy approved on November 30, 2020
1st Amendment on May 15, 2021
2nd Amendment on April 12, 2022
3rd Amendment on October 15, 2025