Enterprise risk management report
Mindtree has put in place an Enterprise Risk Management (ERM) program in the current year. The ERM framework has been designed by looking at frameworks of COSO, ISO 31000: 2009 and AS/NZS 4360:2004 and picking up the best of the elements of these frameworks.
ERM in Mindtree involves looking at practices around identification, assessment, mitigation and monitoring of risks which will impact the achievement of key business objectives.
Mindtree ERM approach is such that risk awareness gets embedded as part of every business leader and is part of every critical business process so that the organization is evaluating and mitigating risks continuously as part of its normal process.
ERM approach in Mindtree
In Mindtree we look at all our risks across the six broad areas of Strategic Risks, Environment & market risks, Contractual & Counter Party risks, Financial Performance risks, Operational Risks and Compliance and Internal Control risks. Operational risks include Climate change and sustainability related risk assessments as well.
Strategic Risks: Are identified as part of the strategy discussions. The company and business unit strategies are looked at and strategic risks identified and then understand what portions of these risks are manageable and controllable. The mitigation strategies for these risks will need to be tested for effectiveness. Strategic risks are also looked at from an opportunity perspective where, the identified risks can be either exploited in favor of the company or benefits arising can be shared with the customer or partner, Invest additionally to better exploit the risk.
Market/ Environment Risks: Identifying potential risks early and alerting business units through industry and peer monitoring. The Slowdown in US and Europe is one of the biggest risks to mid-sized IT companies the specific strategies adopted to ensure growth continues helps partly address this risk.
Contractual and Counterparty Risks: Evaluating and reviewing the Master Services Agreement (MSA) of our top 30 customers across Mindtree is being carried out to identify the critical risks. The critical risks so identified are discussed with the account and delivery managers. Adequate preventive controls are taken to avoid or mitigate these risks identified. We have also put in a process to ensure adequate reviews happen to address critical risks in the Statement of Works (SOW) we agree with our customers.
Operational Risks: Critical support functions such as Travel, Immigration, Information Systems, Talent Acquisition, Facilities and Administration are being assessed to identify the top risks which could have an impact on the organization. Operational metrics are being built around the risks for reporting on a periodic basis and to keep a tab on the risks identified. Operational risks also include evaluation of risks related to climate change and sustainability.
Financial Performance Risks: Identifying gaps/risks in business units plans to achieve their financial performance targets of Revenue and Profit goals for the business unit and the company as a whole. We also assess credit risks arising out of new customer acquisitions. A new credit score card is put in place to evaluate the credit worthiness of the customer. Any new prospect is evaluated for credit risk before we eventually decide to work with the prospect.
Compliance and Internal Controls: Working with functions like Legal, Immigration , admin and have a dash board of status on compliance and key risks in meeting the compliance needs and working with Internal audit to verify/ascertain compliance levels in key risk areas.
Risk management process
Key practices in ERM
Risk Identification: Risk identification is the process of determining risks that could potentially prevent the program, enterprise, or function from achieving its objectives. We use a combination of looking at the business plan, identified strategic initiatives and function specific initiatives to identify potential risks. Internal audits and periodic assessment of various business processes also help in risk identification of both operational and enterprise wide risks.
Risk Assessment: Having understood the risks the next step in the risk assessment process is to evaluate the risks identified and impact it would have on the organization. Business process and the risk environment are evaluated to assess the significant risks which can impact the achievement of the business goals. Operational risks are assessed for effectiveness of the process, strength of the underlying controls and compliance to applicable laws and regulations. Critical risks are evaluated based on probability of occurrence, business impact and velocity of the impact.
Risk Mitigation and Monitoring: Mitigation plans for the identified risks are drawn up based on the type of risks. Risk mitigation can be classified into the following buckets
- Treat- Treat the risk by taking adequate mitigation plans and coming up with adequate control mechanisms. Wherein the reward is higher than the risk.
- Transfer- Transferring the risks arising out of the activity to a third party. Mitigation of the risk by a third party vendor/insurer/outsourcer/ specialists, who will accept the risk in a cost effective manner.
- Tolerate- Is the right balance between the risk and reward. If the risks undertaken by Mindtree are within the tolerable limits set by the company.
- Terminate- The activity, project, proposal, etc. is too risky and hence not worth pursuing.
Owners are identified for the mitigation plans and progress on the mitigation plans is reviewed. Dashboards, heat maps and trend lines are created which will provide visibility to key stakeholders on the status of the identified critical risks.
Risk to achieving key business goals, Impact and mitigation plans are reported and discussed in business reviews. Key internal and external incidents with potential impact are reported and reviewed at appropriate forums like the Security Council. Risks related to Customer project execution and customer level risks are reviewed and discussed at appropriate forums.
We have created an ERM framework and listed down key areas. We have monthly reviews with the CEO and CFO to evaluate progress made on the framework and identified focus areas.
There are plans to enhance the governance structure by having a larger team comprising the CEO, CFO, COO and CRO look at critical risks of the company and review identified mitigation plans. As the ERM function starts maturing we will look to enhance the size of this team even further by getting the business unit heads involved in these reviews and eventually have this reviewed at the board level.
Looking ahead we would like to achieve the following key objectives in the next few years as we start rolling out Enterprise Risk Management in Mindtree
- Create a Risk Register/ Inventory of critical risks impacting the company and mitigation plans to address them.
- Integrate our risk management process to strategic planning so that we take advantage of opportunities identified as part of the strategic risk assessment and also effectively mitigate potential risks identified.
- Evolve a model which will give us a sense of risk score of our key customers addressing key customer metrics of Credit risk, Revenue Risk, Operational Risks, Delivery Risk and Competitive risks.
- Develop the ability to visualize various scenarios of critical risks either operational risks or business risks and have a mitigation plan or approach to dealing with such risks.
- Create a framework where all critical risks in the company to the extent possible can be quantified and hence will help us have a sense of the value of the risks we are carrying at any given point in time.