Enterprise Risk Management Report
Mindtree's risk management program plays a key role in supporting the business to deliver sustainable growth and generate value for its customers, investors, employees and other stakeholders. This is achieved by deploying a best-in-class risk management framework supported by a consistent risk-focused culture. The Mindtree Enterprise Risk Management (ERM) framework has been designed by incorporating elements of leading risk management standards such as COSO, ISO 31000:2009 and the IRM Risk Management Standard and customizing them to Mindtree's requirements. Risks to key business goals are identified and assessed under defined categories. Processes have been laid down to treat, monitor and report risks accordingly.
Risks across Mindtree are reviewed across the following categories:
- Strategic Risks: Competition, M&A, industry changes, strategy development, loss of large business
- Operations Risks: Immigration, HR, infrastructure, BCP, security, fraud, vendors, quality
- Financial Risks: Currency fluctuation, liquidity & funding, capital management, credit risk, financial guidance
- Compliance and Internal Control Risks: Non-compliance with applicable laws and regulations or ineffective internal controls
- Contractual and Counter Party Risks: Contracts with clients, vendors and business partners
- Environment and Market Risks: Global economic/market fluctuations, disruptive innovations
The year in review
2014-15 witnessed the roll out of several risk management initiatives and deeper implementation of risk programs that were successfully launched in previous years. The emphasis has been on streamlining existing processes to drive compliance and also to address areas of emerging risks.
Significant efforts have been made in enhancing the governance structure around risk management, given its increasing importance in facilitating achievement of Mindtree's business objectives. Governance is directed by the Mindtree Board of Directors. To provide enhanced oversight of risk management, a Risk Management Committee of the Board has been created, given that effective risk management is seen as a strategic differentiator. The Committee is chaired by the CEO and the majority of its members are from the Board of Directors. The CFO and CRO are permanent invitees to Risk Management Committee meetings. The Committee's Terms-of-Reference include:
- Framing, implementation, monitoring and review of the Mindtree risk management policy/plan.
- Evaluation of Mindtree's risk management procedures including risk recognition, assessment, minimization.
- Any other matter referred to the Risk Management Committee by the Mindtree Board of Directors.
The CEO is the owner of the ERM program while the Chief Risk Officer (CRO) is the custodian of the program and is responsible for implementing an organization-wide risk management framework. The CRO is supported by a dedicated ERM team, which includes specialists from different areas. Risk management responsibilities are cascaded by executive management to business unit and enabling function leaders. The ERM program has been reviewed to ensure compliance with regulations, laws, corporate governance and industry best-practices.
Additionally, the following planned initiatives have been implemented during the year:
- Risk treatment plans for key risks identified in the Enterprise Risk Register have been monitored to ensure risks are being managed appropriately.
- Detailed reviews of Revenue Risk have been provided by the Chief Risk Officer to executive management.
- The quarterly Account Risk Index (ARI), developed to provide a holistic risk rating model to monitor key customers across a range of risk parameters including delivery, people, revenue and credit risks, has been improved and made even more relevant to our Account and Delivery Managers.
- The Contractual Risk model has been extended to include Contractual Risk scorecards for our key accounts and verticals. This has helped proactive assessment of contractual risks.
- Credit Risk management for new prospects has been automated by integration with Mindtree's CRM system. This has streamlined the overall process while also enhancing compliance.
- An Operational Risk Management (ORM) framework has been developed to cover areas such as process and fraud risks in our enabling functions. The framework includes Key Risk Indicators (KRIs), which serve as early warning indicators of increased risk exposure in various areas of the enterprise, as well as Key Control Indicators (KCIs), which help to determine the effectiveness of the controls around risks identified.
- The ERM team has played a key role in facilitating different audits including ISO 27001, SSAE16/ISAE3402, CMMi and client audits.
- Corporate actions of our major clients have been monitored and advisories provided to business teams to enable informed decision-making.
- The risk awareness program has continued to gather pace throughout the year. The program uses different mechanisms to target different audiences, ranging from senior leaders to Mindtree Minds who have joined us fresh from campus, and has received a very enthusiastic response.
- Major initiatives have also been undertaken in the areas of Information Security, Business Continuity Management (BCM) and process mapping.
- Industry connects have been established to share and learn best practices for risk management.
- ERM processes have been audited for assurance.
For additional details on how Mindtree manages its financial risks including Foreign Currency, Credit and Liquidity risks, please refer to Section 14 of the IFRS Financial Statements.
In 2015-16, risk management shall continue to play a key role in the achievement of organizational objectives. The following areas of focus have been identified for the year ahead:
- Strategic Risks
- Operational Risk Management
- Emerging business risk
- Data Privacy and Information Security
- Credit Risk Management