II. OBJECTIVE

The objective of this Policy is to manage the risks involved in all activities of the Company to maximize opportunities and minimize adversity. This Policy is intended to assist in decision-making processes that will minimize potential losses, and improve the management of uncertainty and the approach to new opportunities, thereby helping the Company to achieve its objectives.

The key objectives of this Policy are:

(a) Safeguarding the Company's property and the interest of all stakeholders.

(b) Laying down a framework for identification, measurement, evaluation, mitigation, and reporting of various risks.

(c) Evolving the culture, processes, and structures that are directed towards the effective management of potential opportunities and adverse effects, which the business and operations of the Company are exposed to.

(d) Balancing between the cost of managing risk and the anticipated benefits.

(e) To create awareness among the employees to assess risks on a continuous basis and develop risk mitigation plans in the interest of the Company.

(f) Provide a system for setting priorities when there are competing demands on limited resources.

III. RISK MANAGEMENT FRAMEWORK

The Board's role is to ensure the framing, implementation, and monitoring of risk management plans and systems for risk management as part of internal controls. The Audit Committee shall periodically evaluate the internal financial controls and risk management systems.

IV. RISK MANAGEMENT PROCESS

Conscious that no entrepreneurial activity can be undertaken without the assumption of risks and associated profit opportunities, the Company operates on a Risk Management Process /Framework aimed at minimization of identifiable risks after evaluation so as to enable management to take informed decisions. The broad outline of the framework is as follows:

a) Risk Identification:

Management identifies potential events that may positively or negatively affect the Company's ability to implement its strategy and achieve its objectives and performance goals. Potentially, negative events and represent risks are assigned a unique identifier. The identification process is carried out in such a way that an expansive risk identification covering operations and support functions is put together and dealt with.

b) Root Cause Analysis:

Undertaken on a consultative basis, Root Cause Analysis enables tracing the reasons/drivers for the existence of a risk element and helps develop appropriate mitigation action.

c) Risk Scoring:

Management considers qualitative and quantitative methods to evaluate the likelihood and impact of identified risk elements. The likelihood of occurrence of a risk element within a finite time is scored based on polled opinion or from analysis of event logs drawn from the past. The impact is measured based on a risk element’s potential impact on cost, revenue, profit, etc. should the risk element materialize. The composite score of impact and likelihood are tabulated in an orderly fashion and the table is known as Risk Register (RR). The Company has assigned quantifiable values to each Risk Element based on the “Impact” and “Likelihood” of the occurrence of the Risk on a scale of 1 to 3 as follows.

The resultant “Action Required” is derived based on the combined effect of Impact & Likelihood and is quantified as per the summary below.

Impact	Score	Likelihood
Minor	1	Low
Moderate	2	Medium
Significant	3	High

d) Risk Categorization:

The identified risks are further grouped into (i) Preventable (ii) Strategic and (iii) External categories to homogenize risks

(i) Preventable Risks are largely internal to the organization and are operational in nature. The endeavor is to reduce /eliminate the events in this category as they are controllable. Standard operating procedures (SOP) and Audit Plans are relied upon to monitor and control such internal operational risks that are preventable.
(ii) Strategic Risks are voluntarily assumed risks by the Senior Management to generate superior returns/market share from its strategy. Approaches to strategy risk are ‘Accept’/‘Share’, backed by a risk-management system designed to reduce the probability that the assumed risks materialize and to improve the Company’s ability to manage or contain the risk events should they occur.
(iii) External risks arise from events beyond the organization's influence or control. They generally arise from natural and political disasters and major macroeconomic shifts. Management regularly endeavors to focus on their identification and impact mitigation through an ‘avoid’/‘reduce’ approach that includes measures like a Business Continuity Plan / Disaster Recovery Management Plan / Specific Loss Insurance / Policy Advocacy etc.

e) Risk Prioritization:

Based on the composite scores, risks are prioritized for mitigation actions and reporting

f) Risk Mitigation Plan:

Management develops appropriate responsive action on review of various alternatives, costs, and benefits, with a view to managing identified risks and limiting the impact to a tolerance level. A risk Mitigation Plan drives policy development as regards risk ownership, control environment timelines, standard operating procedure (SOP) etc.

Risk Mitigation Plan is the core of effective risk management. The mitigation plan covers:

1. Required Action
2. Required Resources
3. Responsibilities
4. Timing
5. Performance Measures and
6. Reporting and Monitoring requirements

Hence, it is drawn up with adequate precision and specificity to manage identified risks in terms of a documented approach (accept, avoid, reduce, share) towards the risks with specific responsibility assigned for the management of the risks.

g) Risk Monitoring:

There are various options for dealing with risk.

Tolerate - If we cannot reduce the risk in a specific area (or if doing so is out of proportion to the risk) we can decide to tolerate the risk; i.e., do nothing further to reduce the risk. Tolerated risks are simply listed in the corporate risk register.

Transfer - Here risks might be transferred to other organizations, for example by use of insurance or transferring out an area of work.

Terminate - This applies to risks we cannot mitigate other than by not doing work in that specific area. So if a particular project is of very high risk and these risks cannot be mitigated we might decide to cancel the project.

g) i) Risk Reporting:

Periodically key risks are reported to the Board or empowered committee with causes and mitigations undertaken/proposed to be undertaken.

V. COMMUNICATION AND CONSULTATION

Appropriate communication and consultation with internal and external stakeholders should occur at each stage of the risk management process as well as on the process as a whole.

VI. PERIODICAL REVIEW OF EFFECTIVENESS

The effectiveness of the Risk Management Framework is ensured through periodical Internal Audits. These play an important validation role in providing assurance to the Audit Committee that the critical processes continue to perform effectively, key measures and reports are reliable, and established policies are in compliance.

As the risk exposure of any business may change from time to time due to a continuously changing environment, the updation of this Policy will be done as and when required.

VII. APPROVAL OF THE POLICY

The Board will be the approving authority for the company’s overall Risk Management System. The Board will, therefore, approve the Risk Management Policy and any amendments thereto from time to time.

VIII. SUMMATION

The above framework is proposed as a broad risk management policy of the Company.