Enterprise risk management report
Mindtree believes in encouraging a culture of informed risk taking to achieve growth. The objective of our Enterprise Risk Management (ERM) program is to facilitate informed and responsible risk taking by the organization. The Mindtree ERM framework has been designed by drawing on the COSO, ISO 31000:2009 and IRM Risk Management Standard frameworks, incorporating elements of each and customizing them to Mindtree requirements. Risks to key business goals are identified and assessed under defined categories. Processes have been laid down to treat, monitor and report risks accordingly.
The following risk categories have been defined for Mindtree:
- Strategic Risks: Strategic risks can be defined as the uncertainties and untapped opportunities embedded in the strategic intent and how well they are executed. Strategic risks are evaluated from the perspective of impact they would have on the entire business and are not restricted to a specific business unit. Strategic risks include Competition, M&A, Industry Changes, Strategy Development and Loss of Large Business.
- Environment and Market Risks: Environment and market risks include uncertainties and untapped opportunities arising due to changes in the global economy/market fluctuations or disruptive business models/innovations.
- Operations Risks: Operations risks include risks to efficient and effective utilization of resources (excluding financial resources). This category includes all the uncertainties faced by corporate enabling functions and includes areas such as Business Continuity Management (BCM), Security, Physical Infrastructure and Facilities, IT Infrastructure, people-related risks, vendor management, immigration, sustainability and quality risks.
- Financial Risks: Financial risks include uncertainties and untapped opportunities in effective and efficient utilization of financial resources as well as uncertainties in financial reporting. In addition, risks in the areas of currency fluctuation, liquidity and funding, capital management, credit risk and financial guidance are addressed as part of financial risks.
- Compliance and Internal Control Risks: These risks cover risks due to non-compliance with applicable laws, regulations and standards or ineffective internal controls leading to potential fraud in key operational areas.
- Contractual and Counterparty Risks: Given the nature of our business, contractual and counterparty risks create the biggest potential exposure to Mindtree and hence are called out separately. These risks cover risks arising from poor contract definition with clients, business partners and vendors as well as risks associated with contractual compliance with clients and business partners.
The Mindtree ERM approach is provided below:
1. Key Business Goals: The enterprise risk management approach is set in the context of Mindtree’s key business goals as set by Executive Management and the Board of Directors. Based on the goals identified and the level of acceptable risk, the ERM approach shall put in place frameworks, processes and controls to facilitate achievement of these goals.
2. Risk Identification: Risk identification is the process of determining uncertainties that could potentially impact achievement of business objectives. We use a combination of looking at the business plan, strategic initiatives and function specific goals to identify potential risks. Internal audits and periodic assessment of various business processes also help in identification of risks impacting strategic, business unit, operational, financial and other objectives.
3. Risk Assessment: Having understood the risks, the next step is to evaluate the risks identified and possible impact on Mindtree. Business processes and the risk environment are evaluated to assess the significant risks which can impact the achievement of business goals. Operational risks are assessed for effectiveness of the process, strength of the underlying controls and compliance to applicable laws and regulations. Critical risks are evaluated based on probability of occurrence and business impact.
4. Risk Treatment: Treatment plans for the identified risks are drawn up based on the type of risks. Risk treatment can be classified into the following buckets:
- Mitigate - Reduce the risk by taking adequate mitigation plans and coming up with adequate control mechanisms.
- Transfer - Transferring the risks arising out of the activity to a third party vendor/insurer/outsourcer/ specialists, who will accept the risk in a cost effective manner.
- Tolerate - If the risks undertaken by Mindtree are within the tolerable limits set by the company, risks may be accepted provided reasons for acceptance are documented and the risk is accepted at the right level of management.
- Terminate - The activity, project, proposal, etc. is too risky and hence not worth pursuing.
- Exploit - Is a risk response technique for positive risks or opportunities. This strategy involves making sure that appropriate risks are taken to ensure the opportunity is fully exploited and benefits realized by the organization.
Risk treatment may also introduce secondary risks which shall be assessed, treated, monitored and reviewed.
5. Monitoring and Reporting
Owners are identified for the mitigation plans and progress on the risk treatment plans is reviewed. Dashboards, heat maps and trend lines are created which enable key stakeholders to monitor the status of identified critical risks.
Risks shall be reported externally/internally as appropriate. Based on reviews, decisions shall be made on how the risk management framework, policy and plan can be improved. These decisions shall lead to continual improvements in the organization’s risk management, and risk management culture.
The year in review
In 2013-14, we further heightened our focus on ERM. The emphasis for the year has been on implementing the Mindtree ERM framework and enhancing the governance around risk management. In addition, several initiatives have been taken to develop risk management awareness at all levels of the organization.
In 2013-14, the Mindtree ERM framework has been given a formal shape by publishing an Enterprise Risk Management Charter which has been presented to the Audit Committee of the Board. The Charter outlines the principles, key responsibilities and reporting requirements for risk management within Mindtree. In addition, the ERM approach has also been documented. These documents allow us to demonstrate the maturity of our risk management processes by laying down a uniform risk rating methodology across different risk areas by taking into account financial, reputational, people and market impact of risk events.
To ensure appropriate functioning of the ERM framework, we have prepared an elaborate governance mechanism through a Responsibility-Accountability-Consulted-Informed (RACI) matrix which ensures appropriate oversight of the risk management program and also provides for granular risk ownership and treatment. An ERM Council consisting of the CEO, COO, CFO, Head of Strategy and the Chief Risk Officer (CRO) has been created as the owner of the Mindtree risk management program.
At an implementation level, 2013-14 has seen progress on multiple fronts. Significant effort has been invested in creating an Enterprise Risk Register. Risks to Mindtree have been categorized and rated. Existing risk controls and risk treatment measures implemented/ proposed have also been identified. The risk register provides our management a consolidated view of the risks being faced by Mindtree and potential impact.
Additionally, the following planned initiatives were implemented during the year:
- The Chief Risk Officer (CRO) prepared detailed risk notes on the FY 13-14 Business Plan to ensure we took full advantage of opportunities identified as part of the strategic risk assessment and also effectively treated potential risks identified.
- A holistic risk rating model has been developed to monitor key customers across a range of risk parameters including Delivery, People, Revenue and Credit risks. This ensures that we proactively monitor key accounts and can identify areas for attention before they become critical issues.
[Figure: Risk map data - Mindtree risk register]
- A risk rating model to assess contractual risk exposure has also been put in place to evaluate risks in the contracts with our top customers. This has helped us assess contractual risks proactively.
- A credit risk mechanism has been developed to evaluate credit worthiness of potential customers before contracting business. The credit evaluation system allows us to adjust credit and payment terms appropriately during contract negotiation and even avoid business where the risks are greater than potential rewards.
- Scenario planning and contingency planning exercises have been conducted for specific high risk events.
- A comprehensive risk awareness program has been launched across the enterprise. The program uses different mechanisms to target different audiences ranging from business/enabling function leaders to Mindtree Minds who have joined us fresh from campus. Multiple channels including blogs, executive email communications, comic strips, LCD displays, infographics and interactive sessions have been used to communicate risk awareness to Mindtree Minds. These initiatives are complemented by an ERM portal which is hosted on our intranet and can be accessed by all Mindtree Minds. Very positive feedback has been received on each of these initiatives across the organization.
- Risk advisories have been circulated to Business Teams and Enabling Functions to brief them on emerging risk events such as regulatory changes and geo-political situations which have potential to impact business.
- Major initiatives have been undertaken in the areas of Business Continuity Management (BCM) and process mapping. These initiatives have significantly reduced the risks from these areas.
- The Audit Committee of the Mindtree Board has been briefed on the ERM program and the major risks being faced by Mindtree.
2014-15 promises to be an exciting year for business and risk management will correspondingly play an important role. Along with continuing and enhancing existing risk management programs, the following initiatives have been planned:
1. Treatment plans for significantly high and high risks identified in the enterprise risk register shall continue to be monitored closely to ensure risks are managed appropriately. These include the risks discussed in the Management Discussion and Analysis section. Risks in other categories shall also be tracked to ensure any increases in potential impact are addressed before they escalate into issues.
2. In 2013-14 we engaged a leading international risk consulting firm to evaluate the maturity of our ERM program and suggest a road map benchmarked to industry best practices. This exercise was completed in February 2014 and the recommendations received shall be implemented in the 2014-15 time frame.
3. Develop a model where critical risks in the organization, to the extent possible, are quantified. This will help us have a sense of the value of the risks we are carrying at any given point in time.
4. While initial discussions have happened with business teams and risk templates have been developed, tighter integration of risk management with business unit strategy has been planned.
5. Roll out risk management across the organization to ensure different groups implement consistent risk management processes.
6. Ensure significant risks are incorporated into audit plans and audited for assurance.