Risk Assessment and Management Policy
Pursuant to Regulation 17(9) of the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015 and Section 134(3) of the Companies Act, 2013, this Risk Assessment and Management Policy (“Policy”) establishes the philosophy of Anupam Rasayan India Limited® (“Company”) towards risk identification, analysis and prioritization of risks, development of risk mitigation plans and reporting on the risk environment of the Company. This Policy is applicable to all the functions, departments and geographical locations of the Company. The purpose of this Policy is to define, design and implement a risk management framework across the Company to identify, assess, manage and monitor risks. Aligned to this purpose, the Policy aims to identify potential events that may affect the Company, manage risk within the risk appetite and provide reasonable assurance regarding the achievement of the Company’s objectives. This presents a wide approach to ensure that key aspects of risk that have a wide impact are considered in the Company’s conduct of business.
Risk: Risk is an event which can prevent, hinder or fail to further or otherwise obstruct the enterprise in achieving its objectives. A business risk is the threat that an event or action will adversely affect an enterprise’s ability to maximize stakeholder value and to achieve its business objectives. Risk can cause financial disadvantage, for example, additional costs or loss of funds or assets. It can result in damage, loss of value and/or loss of an opportunity to enhance the enterprise operations or activities. Risk is the product of probability of occurrence of an event and the financial impact of such occurrence to an enterprise.
The objective of this Policy is to manage the risks involved in all activities of the Company, to maximize opportunities and minimize adversity. This Policy is intended to assist in decision making processes that will minimize potential losses, improve the management of uncertainty and the approach to new opportunities, thereby helping the Company to achieve its objectives. The objectives of the Policy can be summarized thus:
- To manage risks with an institutionalized framework and consistently achieve desired outcomes;
- To protect and enhance the corporate governance;
- To implement a process to identify potential / emerging risks;
- To implement appropriate risk management initiatives, controls, incident monitoring, reviews and continuous improvement initiatives;
- To minimize undesirable outcomes arising out of potential risks; and
- To align and integrate views of risk across the enterprise.
COMPONENTS OF A SOUND RISK MANAGEMENT SYSTEM
The risk management system in the Company should have the following key features:
- Active board of directors, committee and senior management oversight;
- Appropriate policies, procedures and limits;
- Comprehensive and timely identification, measurement, mitigation, controlling, monitoring and reporting of risks;
- Appropriate management information systems at the business level;
- Comprehensive internal controls in accordance with current regulations; and
- A risk culture and communication framework.
An organization’s ability to conduct effective risk management is dependent upon having an appropriate risk governance structure and well-defined roles and responsibilities. Risk governance signifies the way the business and affairs of an entity are directed and managed by its board of directors and executive management.
RISK MANAGEMENT FRAMEWORK
The audit committee formed by the board of the Company (“Board”) shall periodically review the risk assessment and management policy of the Company and evaluate the risk management systems so that management controls the risk through a properly defined network.
Heads of departments shall be responsible for implementation of the risk management system as may be applicable to their respective areas of functioning.
RISK MANAGEMENT PROCESS
Conscious that no entrepreneurial activity can be undertaken without assumption of risks and associated profit opportunities, the Company operates on a risk management process/framework aimed at minimization of identifiable risks after evaluation so as to enable management to take informed decisions.
A broad outline of the framework is as follows:
- Risk Identification: Management identifies potential events that may positively or negatively affect the Company’s ability to implement its strategy and achieve its objectives and performance goals. Potentially negative events represent risks and are assigned a unique identifier. The identification process is carried out in such a way that an expansive risk identification covering operations and support functions is put together and dealt with.
The Company at present identifies the following key material internal and external risks:
- Human resource risk;
- Competition risk;
- Regulatory risk in terms of government policies and changes in laws including tax laws and environmental regulations;
- Sector specific health hazards;
- Compliance risk;
- Legal risks;
- Political and economic risk;
- Technological obsolescence risk; and
- Supply-chain mismatch risk.
- Root Cause Analysis: Undertaken on a consultative basis, root cause analysis enables tracing the reasons/drivers for the existence of a risk element and helps in developing appropriate mitigation action.
- Risk Scoring: Management considers qualitative and quantitative methods to evaluate the likelihood and impact of identified risk elements. Likelihood of occurrence of a risk element within a finite time is scored based on polled opinion or from analysis of event logs drawn from the past. Impact is measured based on a risk element’s potential impact on cost, revenue, profit etc. should the risk element materialize. The composite scores of impact and likelihood are tabulated in an orderly fashion and the table is known as a ‘Risk Register’. The Company has assigned quantifiable values to each risk element based on the “impact” and “likelihood” of the occurrence of the risk on a scale of 1 to 3 as follows.
| Impact | Score | Likelihood |
| --- | --- | --- |
| Minor | 1 | Low |
| Moderate | 2 | Medium |
| Significant | 3 | High |
The resultant “action required” is derived based on the combined effect of impact & likelihood and is quantified as per the summary below.
- Risk Categorization: The identified risks are further grouped into (a) preventable; (b) strategic; and (c) external categories to homogenize risks.
- Preventable risks are largely internal to the Company and are operational in nature. The endeavour is to reduce/eliminate the events in this category as they are controllable. Standard operating procedures and audit plans are relied upon to monitor and control such internal operational risks that are preventable.
- Strategy risks are risks voluntarily assumed by the senior management in order to generate superior returns/market share from its strategy. The approach to strategy risk is ‘accept’/‘share’, backed by a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the Company’s ability to manage or contain the risk events should they occur.
- External risks arise from events beyond the organization’s influence or control. They generally arise from natural and political disasters and major macroeconomic shifts. Management regularly endeavours to focus on their identification and impact mitigation through an ‘avoid’/‘reduce’ approach that includes measures like business continuity plan / disaster recovery management plan / specific loss insurance / policy advocacy etc.
- Risk Prioritization: Based on the composite scores, risks are prioritized for mitigation actions and reporting.
- Risk Mitigation Plan: Management develops appropriate responsive action on review of various alternatives, costs and benefits, with a view to managing identified risks and limiting the impact to tolerance level. The risk mitigation plan drives policy development as regards risk ownership, control environment timelines, standard operating procedure, etc.
The risk mitigation plan is the core of effective risk management. The mitigation plan covers:
- Required action(s);
- Required resources;
- Performance measures; and
- Reporting and monitoring requirements.
Hence it is drawn up with adequate precision and specificity to manage identified risks in terms of a documented approach (accept, avoid, reduce, share) towards the risks, with specific responsibility assigned for management of the risks.
- Risk Monitoring: It is designed to assess on an ongoing basis, the functioning of risk management components and the quality of performance over time. Staff members are encouraged to carry out assessments throughout the year.
Options for dealing with risk: There are various options for dealing with risk.
Tolerate – If we cannot reduce the risk in a specific area (or if doing so is out of proportion to the risk) we can decide to tolerate the risk; i.e., do nothing further to reduce the risk. Tolerated risks are simply listed in the corporate risk register.
Transfer – Here risks might be transferred to other organizations, for example by use of insurance or transferring out an area of work.
Terminate – This applies to risks we cannot mitigate other than by not doing work in that specific area. So if a particular project is of very high risk and these risks cannot be mitigated, we might decide to cancel the project.
- Risk Reporting: Periodically, key risks are reported to the Board or empowered committee with causes and mitigations undertaken / proposed to be undertaken.
Risk Management Measures adopted in general by the Company:
The Company has adopted various measures to mitigate the risk arising out of various areas described above, including but not limited to the following:
- A well-defined organization structure;
- Defined flow of information to avoid any conflict or communication gap;
- Hierarchical support personnel to avoid work interruption in absence/non-availability of functional heads;
- Discussion and implementation on financial planning with detailed business plans;
- Detailed discussion and analysis of periodic budgets;
- Employees training and development programs;
- Internal control systems to detect, resolve and avoid any frauds;
- Systems for assessment of creditworthiness of existing and potential contractors/subcontractors/dealers/vendors/end-users;
- Redressal of grievances by negotiations, conciliation and arbitration; and
- Defined recruitment policy.
COMMUNICATION AND CONSULTATION
Appropriate communication and consultation with internal and external stakeholders should occur at each stage of the risk management process as well as on the process as a whole.
PERIODICAL REVIEW OF EFFECTIVENESS
The effectiveness of the risk management framework is ensured through periodical internal audits. These play an important validation role to provide assurance to the audit committee that the critical processes continue to perform effectively, key measures and reports are reliable and established policies are in compliance.
As the risk exposure of any business may undergo change from time to time due to a continuously changing environment, the updation of this Policy will be done as and when required.
APPROVAL OF THE POLICY
The Board will be the approving authority for the Company’s overall risk management system. The Board will, therefore, approve this Policy and any amendments thereto from time to time.