Mindtree believes in encouraging a culture of informed risk taking to achieve growth. The objective of our Enterprise Risk Management (ERM) program is to facilitate informed and responsible risk taking by the organization. The Mindtree ERM framework draws on the COSO, ISO 31000:2009 and IRM Risk Management Standard frameworks, incorporating elements of each and customizing them to Mindtree requirements. Risks to key business goals are identified and assessed under defined categories. Processes have been laid down to treat, monitor and report risks accordingly.
The following risk categories have been defined for Mindtree:
The Mindtree ERM approach is provided below:
1. Key Business Goals: The enterprise risk management approach is set in the context of Mindtree’s key business goals as set by Executive Management and the Board of Directors. Based on the goals identified and the level of acceptable risk, the ERM approach shall put in place frameworks, processes and controls to facilitate achievement of these goals.
2. Risk Identification: Risk identification is the process of determining uncertainties that could potentially impact achievement of business objectives. We review the business plan, strategic initiatives and function-specific goals in combination to identify potential risks. Internal audits and periodic assessment of various business processes also help in identification of risks impacting strategic, business unit, operational, financial and other objectives.
3. Risk Assessment: Having understood the risks, the next step is to evaluate the risks identified and their possible impact on Mindtree. Business processes and the risk environment are evaluated to assess the significant risks which can impact the achievement of business goals. Operational risks are assessed for effectiveness of the process, strength of the underlying controls and compliance with applicable laws and regulations. Critical risks are evaluated based on probability of occurrence and business impact.
4. Risk Treatment: Treatment plans for the identified risks are drawn up based on the type of risks. Risk treatment can be classified into the following buckets:
Risk treatment may also introduce secondary risks which shall be assessed, treated, monitored and reviewed.
5. Monitoring and Reporting
Owners are identified for the mitigation plans and progress on the risk treatment plans is reviewed. Dashboards, heat maps and trend lines are created which enable key stakeholders to monitor the status of identified critical risks.
Risks shall be reported externally/internally as appropriate. Based on reviews, decisions shall be made on how the risk management framework, policy and plan can be improved. These decisions shall lead to continual improvements in the organization’s risk management and risk management culture.
The year in review
In 2013-14, we further heightened our focus on ERM. The emphasis for the year has been on implementing the Mindtree ERM framework and enhancing the governance around risk management. In addition, several initiatives have been taken to develop risk management awareness at all levels of the organization.
In 2013-14, the Mindtree ERM framework has been given a formal shape by publishing an Enterprise Risk Management Charter which has been presented to the Audit Committee of the Board. The Charter outlines the principles, key responsibilities and reporting requirements for risk management within Mindtree. In addition, the ERM approach has also been documented. These documents allow us to demonstrate the maturity of our risk management processes by laying down a uniform risk rating methodology across different risk areas by taking into account financial, reputational, people and market impact of risk events.
To ensure appropriate functioning of the ERM framework, we have prepared an elaborate governance mechanism through a Responsibility-Accountability-Consulted-Informed (RACI) matrix which ensures appropriate oversight of the risk management program and also provides for granular risk ownership and treatment. An ERM Council consisting of the CEO, COO, CFO, Head of Strategy and the Chief Risk Officer (CRO) has been created as the owner of the Mindtree risk management program.
At an implementation level, 2013-14 has seen progress on multiple fronts. Significant effort has been invested in creating an Enterprise Risk Register. Risks to Mindtree have been categorized and rated. Existing risk controls and risk treatment measures implemented/proposed have also been identified. The risk register provides our management a consolidated view of the risks being faced by Mindtree and their potential impact.
Additionally, the following planned initiatives were implemented during the year:
RISK MAP DATA - MINDTREE RISK REGISTER
2014-15 promises to be an exciting year for business, and risk management will correspondingly play an important role. Along with continuing and enhancing existing risk management programs, the following initiatives have been planned:
1. Treatment plans for significantly high and high risks identified in the enterprise risk register shall continue to be monitored closely to ensure risks are managed appropriately. These include the risks discussed in the Management Discussion and Analysis section. Risks in other categories shall also be tracked to ensure any increases in potential impact are addressed before they escalate into issues.
2. In 2013-14 we engaged a leading international risk consulting firm to evaluate the maturity of our ERM program and suggest a road map benchmarked to industry best practices. This exercise was completed in February 2014 and the recommendations received shall be implemented in the 2014-15 time frame.
3. Develop a model where critical risks in the organization, to the extent possible, are quantified. This will help us have a sense of the value of the risks we are carrying at any given point in time.
4. While initial discussions have happened with business teams and risk templates have been developed, tighter integration of risk management with business unit strategy has been planned.
5. Roll out risk management across the organization to ensure different groups implement consistent risk management processes.
6. Ensure significant risks are incorporated into audit plans and audited for assurance.