Policy: Enterprise Risk Management
Department: Internal Controls
Version: 2.0
Creation Date: 07-Oct-18
Approval Date: 2nd November 2018
Effective Date: 2nd November 2018
This document is strictly confidential and is for internal use only.
It contains proprietary and confidential information of V-Mart Retail Limited and unauthorised copying,
reproducing or sharing of this Policy is strictly prohibited.
V-Mart Retail Limited
Enterprise Risk Management Policy
Version: 2.0
November 2018
Internal
V-Mart Retail Limited Enterprise Risk Management Policy _____________________________________________________________________________
Page 2 of 20
Document Revision History
Version 1.0 (Dec 2013): Documentation and approval of the ERM policy.
Version 2.0 (Nov 2018): Revision of the Policy with respect to requirements under the SEBI (LODR) Regulations and inclusion of aspects such as:
- Implementation Approach
- Managing & Reporting Framework
- Roles and Responsibilities
- Governing Principles
- Consequence & Likelihood Assessment Criteria
Document Control
Document Name: Policy – Enterprise Risk Management
Version No.: 2.0
Issue Date: 2nd November 2018
Compliance Status: Mandatory
Review Period: Not specified; amendments require Board approval
Security Classification: Internal
Distribution: Employees of V-Mart Retail Limited
Approval: As per Board Resolution dated 2nd November 2018.
Contents
1. Scope of Policy (page 4)
2. Introduction (page 4)
3. Risk Management – Reporting Structure (page 5)
4. Risk Management – Roles & Responsibilities (page 6)
5. Principles of Risk Management (page 8)
5.1 Framework Approach (page 8)
5.2 Governing Principles (page 8)
5.3 Implementation Principles (page 9)
6. Risk Management Process (page 10)
6.1 Risk Identification (page 10)
6.2 Risk Assessment (page 11)
6.3 Risk Mitigation (page 11)
6.4 Risk Monitoring & Review (page 13)
7. ERM Policy – Approval and Amendments (page 14)
8. Appendix (page 15)
8.1 Glossary of Key Terms (page 15)
8.2 Classification of Risks (page 17)
8.3 Impact/Consequence Assessment Matrix (page 18)
8.4 Likelihood of Occurrence Assessment Matrix (page 19)
8.5 Risk Register (page 19)
1. Scope of Policy
This Policy lists out the detailed requirements and the minimum levels of achievement necessary to implement the risk management elements of the business of V-Mart Retail Limited (hereafter referred to as ‘V-Mart’).
The purpose of this Policy is to standardize the approach to risk management, provide direction for core aspects of risk management, define the reporting requirements and outline the relationship between risk management and selected functional areas to provide guidance regarding the management of risk to support the achievement of strategic objectives, safeguard people and business assets and ensure financial sustainability.
The policy facilitates management of the risks associated with the business activities and minimizes the impact of undesired and unexpected events. It shall form an integral part of V-Mart’s governance framework and applies to all employees, contractors and members at all levels.
2. Introduction
The objective of V-Mart’s risk management framework is to earn competitive returns from business activities at acceptable risk levels and in conformity with the Vision, Mission and Values of the organization. The framework is necessitated by various laws, regulations and contracts and by the expectations of internal and external stakeholders.
V-Mart sees risk as the chance of something happening in the future that will have an impact on objectives. The risk management framework shall support the business in achieving its objectives by actively identifying and managing potential threats and opportunities (e.g. taking on, managing or transferring/avoiding risk) to avoid issues arising or a situation where benefits can no longer be realized.
The V-Mart risk management framework encompasses all policies, processes, practices and procedures established by management and/or the Board. Risk management is a company-wide process and shall necessitate coordination across the business, at all levels, to be efficient and effective. The primary objectives of the ERM framework are:
- Identifying and assessing risks that could impact the achievement of goals and objectives
- Establishing a programme structure that engages functional leaders at all levels to identify and prioritize risks
- Ensuring appropriate ownership of and accountability for risks
- Ensuring that risk exposure is identified and adequately monitored and managed
- Developing and implementing appropriate risk mitigation and monitoring plans
- Providing senior leadership with key information to make risk-informed decisions and to allocate resources effectively
- Ensuring that resources are acquired economically, adequately protected and managed efficiently and effectively in carrying out the business
- Developing procedures to ensure an adequate level of compliance with policies, standards, procedures and applicable laws and regulations.
V-Mart shall adopt Enterprise Risk Management as a way of working, integrated with its other systems and processes. The rationale for implementing ERM is to ensure that risk management is integrated and embedded into organizational processes. It is important to understand that risk management is not a function or a risk listing. It includes putting practices in place to actively manage risk and addresses other topics such as strategy-setting, governance, communicating with stakeholders and measuring performance. It is a set of principles on which processes can be built or integrated for a particular organization, and it is a system of monitoring, learning and improving performance.
The key indicator of the success and outcome of V-Mart’s ERM is that risks are known, owned, and appropriately communicated and managed.
3. Risk Management – Reporting Structure
Implementation of an effective Enterprise Risk Management (ERM) framework is a collective responsibility. Every employee, member and stakeholder of V-Mart is responsible for effective risk management, including the identification of potential risks. While management is responsible for the development of risk mitigation plans and the implementation of risk reduction strategies, risk management processes shall be integrated with other planning processes and management activities across all levels and functions so that they become part of routine operations.
The reporting and functional approach to implementing ERM at V-Mart is given below:
4. Risk Management – Roles & Responsibilities
Roles and Responsibilities of V-Mart Stakeholders with respect to enterprise risk management have been enumerated below:
Stakeholders Roles & Responsibilities
Board of Directors
The Board of Directors shall:
1.1 Constitute a Risk Management Committee (RMC). The members of the RMC shall consist of all Independent Directors. The Chairperson of the Audit Committee shall be deemed to be the Chairman of the RMC. The Chairman and Managing Director of V-Mart shall also be an integral part of the RMC. The Board of Directors is authorized to nominate any other member to the RMC;
1.2 Define the role and responsibilities of the RMC and delegate the monitoring and reviewing of risk management plan to the RMC;
1.3 Review the corporate strategy, major plans of actions and approve the ERM Policy and review the risk management procedures;
1.4 Ensure that an appropriate system of controls is in place for risk management, financial and operational control, and compliance with the law and relevant standards;
1.5 Ensure balanced decision making that encourages positive thinking but doesn’t result in over-optimism that leads to significant risks not being recognized or exposes the entity to excessive risk;
1.6 Assist executive management by challenging the underlying assumptions of strategy, strategic initiatives, risk appetite, exposures and the key areas of focus; and
1.7 Ensure that procedures are defined for informing the Board about the risk assessment and minimization procedures.
Risk Management Committee (RMC)
The Risk Management Committee (RMC) shall:
2.1 Ensure that a risk management system is established, implemented and maintained in accordance with this policy;
2.2 Be responsible for framing, implementing and monitoring the risk management plan;
2.3 Assign the roles and responsibilities in relation to enterprise risk management;
2.4 Ensure that the chosen risk approach is aligned to the organizational vision, mission, strategy, goals and objectives;
2.5 Nominate a Risk Management Steering Committee (RM-STECO) for identifying, analyzing, evaluating, consulting on, treating, monitoring, reviewing and communicating the strategic, operational, regulatory, compliance and cyber-security risks. The RM-STECO shall comprise the Chief Financial Officer (CFO) and the Chief Operating Officer (COO); the RMC is authorized to nominate any other member to the RM-STECO; and
2.6 Be responsible for regular oversight of risk management activities in the organization and meet at least once a year to review the risks identified by the RM-STECO.
Risk Management Steering Committee (RM-STECO)
The RM-STECO shall:
3.1 Be accountable for the identification, analysis, evaluation, consultation on, treatment, monitoring, review and communication of the strategic, operational, regulatory, compliance and cyber-security risks to the Risk Management Committee at least once a year;
3.2 Be responsible for laying down procedures to inform the Board members about risk assessment and minimization procedures;
3.3 Ensure that risk management becomes part of day-to-day management of risks and opportunities;
3.4 Ensure that Risk Owners are aware of risks and how to manage them;
3.5 Actively monitor the strategic risks and critical operational risks to implement a continuous improvement approach to risk management; and
3.6 Drive a culture of risk management in the organization and confirm compliance with the policy to the Board through annual attestation.
Project Management Office (PMO)
The PMO team shall:
4.1 Act as ‘Implementation Responsible’ for implementation of the Risk Management framework in V-Mart; the team shall consist of members from the PMO, Internal Controls and other relevant teams;
4.2 Identify, analyze, evaluate, consult on, treat, monitor, review and communicate the strategic, operational, regulatory, compliance and cyber-security risks to the RM-STECO and RMC;
4.3 Continuously improve the risk management policy and supporting framework in consultation with the RM-STECO;
4.4 Be responsible for laying down procedures to inform the Board members about risk assessment and minimization procedures;
4.5 Conduct periodic meetings with RM-STECO members, Risk Owners and Risk Coordinators to brainstorm on the identification, analysis, evaluation, treatment, monitoring and review of risks; and
4.6 Review progress against agreed risk management plans and communicate it to the RM-STECO and RMC.
Risk Owners
The Risk Owners shall:
5.1 Be accountable for strategic risk assessment within the areas under their control, including the devolution of the operational risk management process to the respective managers and the development of risk management plans;
5.2 Be responsible for:
a) Adherence to the processes;
b) Identifying, assessing and monitoring risks associated with the business operations in consultation with the Risk Management team;
c) Implementation and maintenance of policies and control procedures to give adequate protection against key risks;
5.3 Implement the Risk Management policy within their respective areas of responsibility, ensure that staff in their team comply with the risk management policy, and foster a culture where risks can be identified and escalated;
5.4 Report on the status of risks, in so far as they impact their respective responsibilities, as part of the annual planning and review cycle;
5.5 Report new risks or considerable changes in the risk level of existing risks through established reporting lines; and
5.6 Nominate Risk Coordinators to assist in implementing the ERM framework in V-Mart, who shall be responsible for:
a) Assisting the Risk Owners / Functional Heads in the identification, analysis, evaluation and monitoring of the operational, regulatory, compliance and cyber-security risks;
b) Performing operational risk management by overseeing processes and identifying, assessing and monitoring risks and opportunities;
c) Driving implementation of policies and control procedures to give adequate protection against the identified risks; and
d) Complying with risk management policies and procedures.
5. Principles of Risk Management
5.1 Framework Approach
V-Mart’s Enterprise Risk Management framework draws on the principles set out in Enterprise Risk Management – Integrating with Strategy and Performance (2017) by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), ISO 31000:2018, and the mandatory reporting requirements under the Companies Act and Rules and the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (as amended in 2018).
5.2 Governing Principles
Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity. V-Mart shall continue to reinforce the governance culture in the DNA of the organization.
Strategy and Objective-Setting: Enterprise risk management, strategy and objective-setting work together in the strategic planning process. A risk appetite shall be established and aligned with strategy; business objectives put the strategy into practice while serving as a basis for identifying, assessing and responding to risk.
Performance: Risks that may impact the achievement of strategy and business objectives shall be identified and assessed. Risks shall be prioritized by severity in the context of risk appetite. The RM-STECO shall then select risk responses and take a portfolio view of the amount of risk the organization has assumed. The results of this process shall be reported to key stakeholders.
Review and Revision: By reviewing entity performance, the RMC and RM-STECO can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
Information, Communication, and Reporting: Implementation of Enterprise risk management shall necessitate a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
5.3 Implementation Principles
a) V-Mart shall develop culture, practice and the structures to accomplish the Vision, Mission and Strategic objectives which systematically recognize and address opportunities and threats to the business. The desired culture is one of risk awareness where there is transparency of risk and where risk ownership is designated and accepted. The desired practice embeds risk management in the business as an on-going and iterative activity at all levels of V-Mart. The desired structure’s focus is to realize potential opportunities whilst managing unfavorable effects by recognizing risk and acting appropriately upon it.
b) The Risk Owners, Managers, and Coordinators shall ensure that risk management is integrated and embedded into organizational processes. All line managers shall assume responsibility for risk management within their areas of responsibility, and shall ensure that risk management is embedded in the day-to-day business processes.
c) Risk management shall be forward-looking. V-Mart does not consider only current issues or problems as risks; however, V-Mart recognizes that the response to an issue may itself represent a future risk. Risk management shall focus on the relevant strategies, goals, objectives, initiatives, requirements or other stated objectives to enable stakeholders to understand the risk profile, communicate it and act upon risk appropriately. It shall also take past learnings into consideration.
d) Risks shall be known to stakeholders, owned by an individual within the organization and managed appropriately. Risk information shall be considered when making decisions. Likelihoods and consequences of risk outcomes shall be taken into account. Management’s consideration of risk shall be documented for important decisions. Risk information and risk decisions shall be adequately documented so that they are easy to find, communicate, understand and follow up on. Important risks shall, as a minimum, be subject to enhanced monitoring. Risk Owners are not permitted to take on risks where the assessed consequence of the risk materializing exceeds the authority granted to them.
e) In V-Mart, risk management shall be aligned with the stated objectives and strategy of the business and shall use risk assessments to identify and rate risk. Risk strategies shall be chosen and pursued to support the business in achieving its objectives. Risk monitoring enables the business to remain risk-aware; risk communication underpins stakeholder awareness of risk.
f) Risk information shall be current. Risk assessments may take place at any time during the year, but risks shall be reviewed by the RM-STECO at least once every six months before submission to the RMC. Risks reported to the Board through the annual strategic risk assessment process shall be presented to the RM-STECO by the Risk Management team prior to submission to the RMC or Board.
g) Ownership of Risks: Each risk listed in the annual strategic risk assessment shall be owned by a member of the executive management, i.e. by the HOD or Functional Head. A risk may only be owned by one member of executive management, but any member of executive management may own any number of risks.
h) Templates and guidelines: Risk Owners and Coordinators shall use the template issued by the Risk Management Team when reporting the risks identified as part of the risk assessment process. Supporting guidelines and other information regarding risk assessment and risk rating shall be periodically updated on the company communication platform, i.e. Wooqer. Risk maps/risk matrices shall conform to V-Mart’s preferred 4×4 cell format. In special cases, the RM-STECO may approve the use of other templates or methodologies, provided the deviation is justified and documented in writing.
i) Other Governance Frameworks enhancing the effectiveness of Risk Management: V-Mart shall be committed to developing an integrated risk management framework, with the development and monitoring of multi-layered governance structures. It shall include effective implementation and sustenance of multi-dimensional frameworks covering:
o Cyber Security
o Information Security & Management
o Anti-Corruption / Anti-Bribery Management System
o Legal Compliance
o Customer Privacy
o Business Continuity & Crisis Management
o Fraud Risk Management
o Loss Prevention
o Internal Financial Controls
o Quality Management
o Supply Chain Sustainability
6. Risk Management Process
Risk Management as a process shall enable the organization to identify, assess and treat risks. It is a collective responsibility of everyone in the organization, viz. the Board, the Management Team and all personnel. Risk Management applies to all functions, verticals and operations within the organization. Apart from the periodic exercise of performing the risk assessment, risk management shall also be an iterative process. An iteration of the risk management process is triggered when there is a change in operating conditions, such as:
- The organization develops a new goal, undertakes a project or investment, or reconsiders its strategy for the coming years
- Conditions external to V-Mart change significantly, e.g. regulatory or legal changes, major changes in the competitive landscape, changes to key partnerships, launch of a large competitor capable of disrupting the market, etc.
- Periodic requirements for risk reviews as required by the governing documents of V-Mart, contracts or legislation.
The process of risk management is enumerated below:
[Process flow: Identification → Assessment → Mitigation → Monitoring & Evaluation]
6.1 Risk Identification
Risk identification shall be performed to identify exposure to uncertainties. This necessitates an in-depth knowledge of the organisation; of the market in which it operates; of the economic, legal, regulatory, social, political, technological and cultural environment in which it exists; and a sound understanding of its strategic and operational objectives, including the factors critical to its success and the threats and opportunities related to the achievement of these objectives. Risk identification shall be approached in a methodical way to ensure that all significant activities within the organization have been identified and all the risks flowing from these activities defined. The following methodologies can be used to identify risks:
- Brainstorming
- Surveys / Interviews / Working groups
- Experiential or documented knowledge
- Risk lists and lessons learned
- Historical risk event information
Identified risks shall be categorised under four broad risk categories:
- Strategic Risk: risk of loss resulting from business factors. These risks adversely affect the achievement of strategic objectives and may impair overall enterprise value.
- Operational Risk: risk of loss resulting from inadequate or failed processes, people and information systems.
- Reporting Risk: risk of inadequate internal or external reporting due to wrong financial or non-financial information in the reports.
- Compliance Risk: risk of loss resulting from legal and regulatory factors.
The risks identified above shall be further classified as per Annexure 8.2 in order to prioritize them.
6.2 Risk Assessment
Risk assessment allows the entity to consider the extent to which potential events could impact the achievement of objectives. Management shall assess events from two perspectives:
- Likelihood / Probability; and
- Impact / Consequence.
The risk rating is the product of the impact rating and the likelihood-of-occurrence rating of a risk, taking into consideration the controls in place. The risks identified shall be evaluated on their likelihood and impact parameters as per the methodology in Annexure 8.3 and Annexure 8.4; that methodology defines risk exposure as the product of the Impact rating and the Likelihood rating of the risk.
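The scoring rule above (exposure = impact rating × likelihood rating on the 4×4 matrix prescribed in section 5.3(h)), together with the six-monthly review in section 5.3(f), the single-owner rule in 5.3(g) and the documented-rationale requirement for accepted risks in section 6.3, can be expressed as a small risk register. The following Python is an added illustration and is not part of the V-Mart policy: the rating labels, the appetite threshold of 6, the reporting date and the four sample risks are assumptions made here for the example; the policy’s actual criteria are in Annexures 8.3 and 8.4, which are not reproduced in this text.

```python
"""Added example: a minimal risk register applying the policy's 4x4 scoring rule.
Not part of the V-Mart policy; labels, threshold, dates and risks are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Assumed labels for the two 4-point scales (the policy's own criteria are in
# Annexures 8.3 and 8.4, which are not reproduced here).
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4}
CATEGORIES = {"Strategic", "Operational", "Reporting", "Compliance"}  # section 6.1
RESPONSES = {"Avoidance", "Reduction", "Acceptance", "Transfer"}      # section 6.3
RISK_APPETITE = 6                      # assumed: exposure above this is beyond appetite
REVIEW_INTERVAL = timedelta(days=183)  # section 5.3(f): RM-STECO review at least every six months
REPORT_DATE = date(2018, 11, 2)        # assumed reporting date (the policy's approval date)


@dataclass
class Risk:
    risk_id: str
    title: str
    category: str
    owner: str            # exactly one executive owner per risk (section 5.3(g))
    impact: str
    likelihood: str
    last_reviewed: date
    response: str = "Reduction"
    rationale: str = ""   # mandatory when a risk is accepted (section 6.3)

    def exposure(self) -> int:
        """Exposure = impact rating x likelihood rating (section 6.2)."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    def beyond_appetite(self) -> bool:
        return self.exposure() > RISK_APPETITE

    def review_overdue(self, today: date) -> bool:
        return today - self.last_reviewed > REVIEW_INTERVAL


def validate_register(risks: List[Risk]) -> List[str]:
    """Return the policy violations found in the register; an empty list means clean."""
    errors, seen = [], set()
    for r in risks:
        if r.risk_id in seen:
            errors.append(f"{r.risk_id}: duplicate risk id")
        seen.add(r.risk_id)
        if r.category not in CATEGORIES:
            errors.append(f"{r.risk_id}: unknown category {r.category!r}")
        if r.response not in RESPONSES:
            errors.append(f"{r.risk_id}: unknown response {r.response!r}")
        if r.impact not in IMPACT or r.likelihood not in LIKELIHOOD:
            errors.append(f"{r.risk_id}: rating outside the 4x4 scale")
        if not r.owner.strip():
            errors.append(f"{r.risk_id}: no risk owner assigned")
        if r.response == "Acceptance" and not r.rationale.strip():
            errors.append(f"{r.risk_id}: accepted risk has no documented rationale")
    return errors


def rank_register(risks: List[Risk]) -> List[Risk]:
    """Highest exposure first; ties broken by impact so a severe-but-rare risk outranks a trivial-but-frequent one."""
    return sorted(risks, key=lambda r: (r.exposure(), IMPACT[r.impact]), reverse=True)


def risk_map(risks: List[Risk]) -> List[List[List[str]]]:
    """The 4x4 heat map of section 5.3(h): cell [impact-1][likelihood-1] lists the risk ids plotted there."""
    grid = [[[] for _ in range(4)] for _ in range(4)]
    for r in risks:
        grid[IMPACT[r.impact] - 1][LIKELIHOOD[r.likelihood] - 1].append(r.risk_id)
    return grid


def quarterly_report(risks: List[Risk], today: date) -> Dict[str, List[str]]:
    """What the RM-STECO would put before the RMC each quarter (section 6.4):
    key risks beyond appetite, risks whose six-monthly review is overdue, and register defects."""
    ranked = rank_register(risks)
    return {
        "key_risks": [r.risk_id for r in ranked if r.beyond_appetite()],
        "review_overdue": [r.risk_id for r in ranked if r.review_overdue(today)],
        "violations": validate_register(risks),
    }


def sample_register() -> List[Risk]:
    """Constructed sample data for the example; these are not risks taken from the policy."""
    return [
        Risk("R1", "Compromise of POS systems handling card data", "Operational", "CIO",
             "Major", "Possible", date(2018, 3, 1)),
        Risk("R2", "Supplier delivery delays in peak season", "Operational", "COO",
             "Moderate", "Unlikely", date(2018, 9, 15)),
        Risk("R3", "Late statutory filings", "Compliance", "CFO",
             "Minor", "Likely", date(2018, 8, 1), response="Acceptance"),
        Risk("R4", "Fire at a store", "Operational", "COO",
             "Major", "Rare", date(2018, 10, 1), response="Transfer",
             rationale="Insured; residual risk within appetite"),
    ]


if __name__ == "__main__":
    report = quarterly_report(sample_register(), REPORT_DATE)
    for key in ("key_risks", "review_overdue", "violations"):
        print(f"{key}: {report[key]}")
```

With the sample data, R1 (Major × Possible = 12) and R3 (Minor × Likely = 8) exceed the assumed appetite and become the quarter’s key risks; R1 was last reviewed more than six months before the report date and is flagged as overdue; and R3 fails validation because it was accepted without the rationale section 6.3 requires. The validation step runs before any scoring so that a risk rated outside the 4×4 scale is reported as a register defect rather than silently crashing the ranking.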
6.3 Risk Mitigation
V-Mart shall adopt responses to mitigate the risks identified. There cannot be a single best response strategy, as every risk must be evaluated on its own merits; some risks necessitate a combination of strategies and multiple responses, while others may need one strategy with a single response. The available response options for mitigating risks are given below:
Risk Response Strategy: Detailed Description
Avoidance / Termination: This involves doing things differently and thus removing the risk. It is particularly relevant to project risk, market risk or customer risk, but is quite often wishful thinking for strategic risks.
Reduction / Mitigation: This involves reducing or treating the risk. While this is the most widely used approach, the purpose of treating a risk is to continue with the activity which gives rise to the risk but to bring the risk to an acceptable level by taking action to control it in some way, through either:
o Containment actions (lessen the likelihood or consequences; applied before the risk materializes); or
o Contingent actions (put into action after the risk has happened, i.e. reducing the impact; must be pre-planned).
Acceptance / Retention: This involves accepting and tolerating the risk. Risk management does not necessarily mean risk reduction, and there could be certain risks that the organization is willing to accept while continuing its operational activities. The organization shall tolerate such risks as are considered acceptable, for example:
o a risk that cannot be mitigated cost-effectively;
o a risk that opens up greater benefits than loss; or
o uncontrollable risks.
It is the role of the RM-STECO to decide to tolerate a risk. When such a decision is taken, the rationale behind it shall be fully documented and shall also be communicated to the RMC. In addition, the risk shall continue to be monitored and contingency plans shall be in place in the event of the risk occurring.
Risk Transfer: This involves transferring some aspects of the risk to a third party. This option is particularly suited to mitigating financial risks or risks to assets. Before transferring an identified risk, the third party’s internal processes for managing and mitigating the identified risk, and the cost-benefit of transferring the risk to the third party, shall be assessed.
Risk Reduction & Mitigation Process
[Process flow: Identify → Evaluate → Implement]
If the risk treatment mechanism selected for an identified risk is risk mitigation or risk transfer, then the next step shall be to review and revise the existing controls to mitigate the risks falling beyond the risk appetite, and also to identify new and improved controls.
Process: Detailed Description
A. Identify controls: This includes designing new control activities in addition to the existing controls, after assessing risk exposure at the current level, to ensure that the risks are within the accepted risk appetite. Control activities are categorized as Preventive or Detective on the basis of their nature and timing:
o Preventive controls focus on preventing an error or irregularity.
o Detective controls focus on identifying when an error or irregularity has occurred, and on recovering from, repairing the damage from, or minimizing the cost of an error or irregularity.
B. Evaluate controls: The controls identified for each risk event shall be evaluated to assess their effectiveness in mitigating the risks falling beyond the risk appetite.
C. Implement controls & plan: It is the responsibility of the PMO team to ensure that the risk mitigation plan for each function is in place and is reviewed regularly.
6.4 Risk Monitoring & Review
The Risk Management Steering Committee (RM-STECO) shall be accountable for ensuring process adherence on an ongoing basis within the risk management framework outlined in this policy, so as to mitigate the risks to the organization’s business. The monitoring and review process shall also determine whether:
- the risk measures adopted accomplished the objectives for which they were performed;
- the procedures adopted and the information gathered for undertaking the assessment were appropriate;
- each identified risk and its mitigation plan have been accepted by the Risk Owners, so that the key strategic risks for the organization can be identified;
- proposed actions to eliminate, reduce or manage each significant risk have been considered and agreed; and
- responsibilities for the mitigation measures for each key risk have been assigned to the appropriate department/regional heads.
As the risk exposure of any business may change from time to time due to the continuously changing environment, the risks and their mitigation measures shall be updated on a regular basis. Hence, as a risk monitoring action plan:
- The Risk Owners shall review and report the status of risks and treatment actions to the RM-STECO through the PMO and Risk Coordinators.
- Any new or changed risks shall be identified and escalated to the RM-STECO, and to the RMC if deemed necessary, as per the defined framework.
- The RM-STECO, along with the PMO, shall identify the key risks to be put up at the Risk Management Committee meetings.
- The RMC shall monitor and supervise the development and implementation of the Risk Management Policy and maintain an enterprise-wide view of the key risks faced by the organization and their mitigation measures.
- The RM-STECO, through the PMO, shall report the key risks and their mitigation plans to the Risk Management Committee on a quarterly basis.
- The RMC shall review the key risks faced by the organization and the mitigation measures taken on a quarterly basis.
- Changes in the organization and in the environment in which it operates must be identified, and appropriate modifications made to risk management practices by the Risk Owners in agreement with the RM-STECO.
- The PMO shall provide assurance to the RM-STECO that appropriate controls are in place for the organization’s risks.
- Internal Controls shall perform regular audits of compliance with this policy and its standards, and shall review performance against the standards to identify opportunities for improvement.
- The PMO shall review progress on the actions agreed to mitigate each risk and make an assessment of the current level of risk, including:
o establishing whether actions have been completed or are on target for completion;
o reporting the status of implementation of mitigation plans to the Risk Committees; and
o maintaining a centralized Risk Register with the mitigation plans, which shall be reviewed and updated as per the policy guidelines.
7. ERM Policy – Approval and Amendments
The decision of the Board of Directors of V-Mart with regard to any or all matters relating to this policy shall be final and binding on all concerned. The Board of Directors, in consultation with the Risk Management Committee, shall have the power to modify, amend or replace this policy in part or in full, as may be thought fit from time to time, in their absolute discretion.
The Board of Directors, in their meeting held on 2nd November 2018, constituted the Risk Management Committee, which shall be the approving authority for the company's overall Risk Management Policy. The Risk Management Committee shall therefore monitor compliance with, and approve, the Risk Management Policy and any amendments thereto from time to time.
The risk management policy shall be reviewed as and when required, and at least once every 3 years, based on changes in the business environment, regulations, standards or industry best practices. Any changes to this policy, including amendments to the Impact and Likelihood Matrices, shall be recommended by the PMO team, approved by the RM-STECO and notified to the RMC.
8. Appendix
8.1 Glossary of Key terms
1. Consequence / Impact: Outcome of an event affecting objectives. An event can lead to a range of consequences.
2. Enterprise Risk Management: Risk management refers to the practice of identifying potential risks in advance, analysing them and taking precautionary steps to reduce or curb the risk. Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and to manage risk to be within its risk appetite, so as to provide reasonable assurance regarding the achievement of the entity's objectives.
3. Event: Occurrence or change of a particular set of circumstances. An event can be one or more occurrences and can have several causes. An event can consist of something not happening. An event is sometimes referred to as an "incident" or an "accident".
4. Inherent Risk: The current or original risk rating, which considers current controls prior to the addition of risk treatments.
5. Level of Risk: Magnitude of a risk, or combination of risks, expressed in terms of the combination of consequences and their likelihood.
6. Likelihood: Chance of something happening.
7. Risk: Effect of uncertainty on objectives. Risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on the achievement of objectives. Risk can also be explained as the chance of something happening that will have an impact on the achievement of organizational objectives. Risk is measured in terms of consequence/impact and likelihood. Negative risks are known as threats, while positive risks are known as opportunities.
8. Risk Appetite: Amount and type of risk that an organisation is willing to pursue or retain.
9. Risk Assessment: The systematic process of identifying and analysing risks.
10. Risk Categories: Risks can be grouped into several categories, which may include strategic, financial, operational and compliance. The risk categories can be further classified into various types such as competition, contract, environmental, safety and security, people and reputation. The detailed list of such risks is given in Annexure 1.
11. Risk Description: Structured statement of a risk, usually containing four elements: sources, events, causes and consequences.
12. Risk Factors: The objectives of the Company are subject to risks that can be broadly categorized under external and internal risk factors.
13. Risk Identification: Process of finding, recognizing and describing risks.
14. Risk Matrix: Tool for ranking and displaying risks by defining ranges for consequence and likelihood.
15. Risk Owner: The Risk Owner is the designated person who shall decide whether or not to respond to a risk and shall ensure that this decision is carried out. In the ordinary course of business, he/she is a functional head and part of senior management, who takes decisions on behalf of the function and who has the authority to manage the risk. In short, the person or entity with the accountability and authority to manage a risk.
16. Risk Profile: An evaluation of the organization's willingness and ability to take risks, and a description of any set of risks. The set of risks can contain those that relate to the whole organisation, to part of the organisation, or as otherwise defined.
17. Residual Risk: Risk remaining after risk treatment. Residual risk is also known as "retained risk".
18. Risk Register: A documented record of information about identified risks. The Risk Register is a compilation of the risks identified along with aspects such as:
o Key risk factors, i.e. what could trigger those risks;
o Consequence or impact of occurrence / non-occurrence;
o Probability of occurrence of those risks;
o Risk mitigation plan, with the person responsible for implementation and timelines;
o Potential financial impact.
19. Risk Source: Element which, alone or in combination, has the intrinsic potential to give rise to risk.
20. Risk Treatment: Process to modify risk, which can involve:
o Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
o Taking or increasing risk in order to pursue an opportunity;
o Removing the risk source;
o Changing the likelihood;
o Changing the consequence;
o Sharing the risk with another party or parties (including through contracts and risk financing); and
o Retaining the risk by informed decision.
Risk treatment is also defined as "risk control" and means taking action to eliminate risks so far as is reasonably practicable and, if that is not possible, minimising the risks so far as is reasonably practicable. Eliminating a hazard will also eliminate any risks associated with that hazard.
21. Risk Treatment Owner: The officer/manager responsible for managing the treatment of a risk. This includes ensuring that the treatment strategy outlined is implemented and is doing what it was designed to do, namely manage the risk. The risk treatment owner is not always the risk owner, although in some cases the two will be the same person.
8.2 Classification of Risks
Asset Risk – Risk of loss resulting from depreciation, underutilization or loss of control over the physical assets of the company
Competition Risk – Risks pertaining to the external competitors of the company, such as the entry of new competitors, e-commerce penetration, etc.
Compliance Risk – Risk of loss resulting from legal and regulatory factors, such as privacy legislation, compliance laws and intellectual property enforcement
Contract Risk – Risks pertaining to the contracts signed with clients and subcontractors
Contractor/Vendor Risk – Risks originating from the company's relationship with, and dependence on, third-party vendors, contractors or outsourcing partners
Environmental Risk – Risks having implications for the environment, weather or pollution, or risks arising from changes in the environment
Expense Risk – The risk of a change in value caused by the timing and/or amount of expenses incurred differing from those expected, e.g. those assumed as the pricing basis
Financial Risk – All risks which have a financial implication, such as adverse movements in foreign exchange rates, capital expenditure, etc.
Foreign Environment Risk – The risk arising from exposure to foreign laws, regulation and socio-political environments
Litigation Risk – Risk of loss arising out of litigation against, or litigation initiated by, the company
Market Risk – Risks pertaining to external market factors such as demand uncertainty, price volatility, etc.
People Risk – Risks, such as attrition, arising from the personnel-related processes of the company, such as recruitment, skill sets and performance measurement
Process Risk/Execution Risk – The risk arising from the lack of an adequate process or from inadequate execution of defined processes
Project Risk – Risks which impact the execution of any project, resulting in time and cost overruns
Regulatory/Political Risk – The risk arising from a change in the regulatory policy of the country
Reporting Risk – Risk of inadequate internal or external reporting due to incorrect financial or non-financial information in reports
Reputation Risk – Risks having implications for the brand and reputation of the company
Technology Risk – Risks originating from the usage and deployment of technology in the organization's operations and management, such as product obsolescence because of a technology gap
8.3 Impact/Consequence Assessment Matrix
* Where the ratings based on different parameters differ, the highest of the two or more ratings shall be taken as the final rating. E.g. if, for a particular risk, the impact rating is 1 on the Compliance parameter but 3 on the Financial Impact and Reputation parameters, the final impact rating shall be taken as 3.
8.4 Likelihood of Occurrence Assessment Matrix
To assess the likelihood, the following matrix shall be considered:
Likelihood Scale | Classification | Description
1 - Low | Rare | Has not occurred, or can occur in exceptional cases only
2 - Medium | Unlikely but possible | Event has occurred in past years, but not in the past one year; it is not expected to recur, although it may
3 - High | Likely | Event has occurred in the past one year and is likely to occur again
4 - Very High | Certain | Event occurs more than once a year and is certain to occur
8.5 Risk Register
The Excel-based tool mentioned below shall be used for recording, monitoring and reporting the risks and their mitigation plans.
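The rating rules in 8.3 and 8.4 and the register in 8.5 are simple enough to be applied mechanically, which removes the judgement calls that make register reviews inconsistent between risk owners. The following is an added worked example written by the editor; it is not the Excel tool the policy refers to, nor any code of V-Mart Retail Limited. It applies the four-point likelihood scale of 8.4 to an event's occurrence history (treating "past one year" as the 365 days before the review date), applies the 8.3 footnote rule that the highest parameter rating is the final impact rating, and lets a treatment change the likelihood and/or the consequence as described under "Risk Treatment" in the glossary. Because the impact matrix itself is not reproduced on this page, two things are assumptions of the example only: the level of risk is computed as likelihood × impact, and a risk whose inherent level is 8 or more is flagged as a key risk for escalation to the RM-STECO. The register entries, owners and dates are constructed sample data.

```python
"""Risk register scoring helper. Added example, not the policy's Excel tool."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Section 8.4 likelihood scale (1 = Low ... 4 = Very High).
LIKELIHOOD_SCALE = {1: "Rare", 2: "Unlikely but possible", 3: "Likely", 4: "Certain"}
VALID_RATINGS = (1, 2, 3, 4)
ONE_YEAR = timedelta(days=365)   # assumption: "past one year" = the last 365 days
KEY_RISK_THRESHOLD = 8           # assumption: inherent level at or above this is escalated


def likelihood_from_history(occurrences: list[date], today: date) -> int:
    """Map an event's past occurrences onto the section 8.4 scale."""
    past = [d for d in occurrences if d <= today]        # ignore dates after the review date
    recent = [d for d in past if today - d <= ONE_YEAR]
    if len(recent) > 1:
        return 4        # Certain: more than once in a year
    if len(recent) == 1:
        return 3        # Likely: occurred in the past one year
    if past:
        return 2        # Unlikely but possible: occurred only in earlier years
    return 1            # Rare: has not occurred


def impact_rating(parameter_ratings: dict[str, int]) -> int:
    """Section 8.3 footnote: when parameters disagree, the highest rating is final."""
    if not parameter_ratings:
        raise ValueError("at least one impact parameter is required")
    for name, rating in parameter_ratings.items():
        if rating not in VALID_RATINGS:
            raise ValueError(f"{name}: rating {rating} is outside the 1-4 scale")
    return max(parameter_ratings.values())


def level_of_risk(likelihood: int, impact: int) -> int:
    """Combine likelihood and consequence (assumption: product; the 8.3 matrix may differ)."""
    return likelihood * impact


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    risk_owner: str
    occurrences: list[date]                   # dates on which the event has materialised
    impact_parameters: dict[str, int]         # e.g. {"Financial": 3, "Reputation": 2}
    treatment_owner: str = ""
    treated_likelihood: Optional[int] = None                    # treatment changed the likelihood
    treated_impact_parameters: Optional[dict[str, int]] = None  # treatment changed the consequence

    def inherent_rating(self, today: date) -> tuple[int, int, int]:
        lk = likelihood_from_history(self.occurrences, today)
        im = impact_rating(self.impact_parameters)
        return lk, im, level_of_risk(lk, im)

    def residual_rating(self, today: date) -> tuple[int, int, int]:
        lk, im, _ = self.inherent_rating(today)
        if self.treated_likelihood is not None:
            lk = self.treated_likelihood
        if self.treated_impact_parameters is not None:
            im = impact_rating(self.treated_impact_parameters)
        return lk, im, level_of_risk(lk, im)


def register_report(entries: list[RiskEntry], today: date) -> list[dict]:
    """Rows for the quarterly RM-STECO report, highest residual level first."""
    rows = []
    for e in entries:
        i_lk, i_im, i_level = e.inherent_rating(today)
        r_lk, r_im, r_level = e.residual_rating(today)
        rows.append({
            "risk_id": e.risk_id,
            "risk_owner": e.risk_owner,
            "inherent": i_level,
            "residual": r_level,
            "residual_likelihood": LIKELIHOOD_SCALE[r_lk],
            "residual_impact": r_im,
            "key_risk": i_level >= KEY_RISK_THRESHOLD,
        })
    rows.sort(key=lambda r: (-r["residual"], r["risk_id"]))
    return rows


# Constructed sample register (illustrative only, not V-Mart data).
TODAY = date(2018, 11, 2)
SAMPLE_REGISTER = [
    RiskEntry("R1", "Store POS outage during peak trading", "Head - Operations",
              [date(2018, 3, 4), date(2018, 9, 15)],
              {"Financial": 3, "Reputation": 2, "Compliance": 1},
              treatment_owner="Head - IT", treated_likelihood=2),
    RiskEntry("R2", "Customer data breach at an outsourced vendor", "Head - IT",
              [], {"Compliance": 4, "Reputation": 4, "Financial": 2},
              treatment_owner="Vendor Manager",
              treated_impact_parameters={"Compliance": 3, "Reputation": 3, "Financial": 2}),
    RiskEntry("R3", "Adverse change in state retail regulation", "CFO",
              [date(2016, 5, 1)], {"Financial": 3, "Compliance": 3}),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER, TODAY):
        print(row)
```

Running the block prints R1 first (inherent 12, residual 6, flagged as a key risk), then R3 (inherent and residual 6, no treatment recorded), then R2 (inherent 4, residual 3 after the vendor controls lowered the consequence). Out-of-range parameter ratings are rejected rather than silently clamped, so a register row with a typo cannot quietly lower a risk below the escalation threshold.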
8.6 List of Consulted Documents (for reference of Senior Management only; to be removed when releasing the Policy)
https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf
https://resource.cdn.icai.org/47774bosfinal-p6a-cp8.pdf
https://www.iso.org/obp/ui#iso:std:iso:31000:ed-2:v1:en
https://www.icai.org/post.html?post_id=14160
http://www.icsi.edu/portals/32/Enterprise%20Risk%20Management.pdf
https://www.icsi.edu/media/webmodules/companiesact2013/Final_LODR.pdf
https://www.amrae.fr/sites/default/files/udr/2017_10_CosoEnterpriseRiskManagementFrameworkIntegratingStrategyPerformance_AMRAE_C.pdf
https://acrp.stanford.edu/erm/process
http://www.oecd.org/daf/ca/risk-management-corporate-governance.pdf
https://www.ey.com/Publication/vwLUAssets/EY-sebi-listing-obligations-and-disclosure-requirements-amendment-regulations-2018/$File/EY-sebi-listing-obligations-and-disclosure-requirements-amendment-regulations-2018.pdf
https://www.ey.com/Publication/vwLUAssets/EY-companies-act-13-embedding-risk-management-in-the-business-rhythm/$FILE/EY-companies-act-13-embedding-risk-management-in-the-business-rhythm.pdf
https://www.iimcal.ac.in/sites/all/files/pdfs/wps_722_0.pdf
https://apps.treasury.act.gov.au/insurance-and-risk-management/risk-management/risk-management-glossary-of-terms
https://economictimes.indiatimes.com/Reference/risk-management
https://www.mckinsey.com/~/media/mckinsey/dotcom/client_service/risk/working%20papers/18_a_board_perspective_on_enterprise_risk_management.ashx
http://www.mca.gov.in/SearchableActs/Schedule4.htm
https://www.accaglobal.com/ie/en/student/exam-support-resources/professional-exams-study-resources/strategic-business-leader/technical-articles/coso-enterprise-risk-management-framework.html
http://icmai.in/upload/Institute/Journal/Oct_2013.pdf
http://www.anz.com/about-us/corporate-sustainability/governance-risk/risk-management/
http://www.kiriindustries.com/wp-content/uploads/2016/09/Risk_Management_Policy.pdf
https://www.tatapower.com/pdf/aboutus/risk-management-policy.pdf
https://www.ermpower.com.au/wp-content/uploads/2016/02/160218-Risk-Management-Framework-Policy-V3.pdf
https://www.jnj.com/_document?id=00000165-639d-d3f1-a775-e7bd7ae00001
http://www.heritagefoods.in/images/RMPolicy.pdf
https://www.cdslindia.com/downloads/IPO/Risk%20Management%20Policy.pdf
http://www.jindalsaw.com/pdf/risk-management-policy.pdf
https://static.goair.in/media/1441/risk-management-policy.pdf
http://www.amtek.com/ir/AAL_Risk_Management_Policy.pdf
http://kohinoorfoods.in/pdf/Risk-Management-Policy.pdf
http://www.akshoptifibre.com/pdf/Risk-Management-Policy_2018.pdf
https://www.escortsgroup.com/templates/escortsgroup_home/images/pdf/policy-on-risk-management.pdf
http://bel-india.in/Documentviews.aspx?fileName=Annexure%201%20-%20Q.7%20-%20Risk%20Management%20Policy.pdf
http://www.indoramaindia.com/pdf/policies/Risk-Management-Policy.pdf
https://www.lemontreehotels.com/factsheet/LTHRisk_ManagementPolicy.pdf