
Policy: Enterprise Risk Management

Creation Date: 07-Oct-18

Department: Internal Controls

Approval Date: 2nd November 2018

Version: 2.0

Effective Date: 2nd November 2018

This document is strictly confidential and is for internal use only. It contains proprietary and confidential information of V-Mart Retail Limited and unauthorised copying, reproducing or sharing of this Policy is strictly prohibited.

V-Mart Retail Limited

Enterprise Risk Management Policy

Version: 2.0

November 2018

Internal


V-Mart Retail Limited Enterprise Risk Management Policy _____________________________________________________________________________


Document Revision History

Version 1.0, released Dec 2013: Documentation and approval of ERM policy.

Version 2.0, released Nov 2018: Revision in Policy with respect to requirements under SEBI (LODR) Regulations and inclusion of aspects such as:

o Implementation Approach

o Managing & Reporting Framework

o Roles and Responsibilities

o Governing Principles

o Consequence & Likelihood Assessment Criteria

Document Control

Document Name: Policy – Enterprise Risk Management

Version No.: 2.0

Issue Date: 2nd November 2018

Compliance Status: Mandatory

Review Period: Not Specified with amendment approval from Board

Security Classification: Internal

Distribution: Employees of V-Mart Retail Limited

Name Role Signature

Approval As per Board Resolution dated 2nd November 2018.


Contents

1. Scope of Policy

2. Introduction

3. Risk Management – Reporting Structure

4. Risk Management – Roles & Responsibilities

5. Principles of Risk Management

5.1 Framework Approach

5.2 Governing Principles

5.3 Implementation Principles

6. Risk Management Process

6.1 Risk Identification

6.2 Risk Assessment

6.3 Risk Mitigation

6.4 Risk Monitoring & Review

7. ERM Policy – Approval and Amendments

8. Appendix

8.1 Glossary of Key terms

8.2 Classification of Risks

8.3 Impact/Consequence Assessment Matrix

8.4 Likelihood of occurrence Assessment Matrix

8.5 Risk Register


1. Scope of Policy

This Policy lists out the detailed requirements and minimum levels of achievement necessary to implement the risk management elements of the business for V-Mart Retail Limited and hereafter mentioned as ‘V-Mart’.

The purpose of this Policy is to standardize the approach to risk management, provide direction for core aspects of risk management, define the reporting requirements and outline the relationship between risk management and selected functional areas to provide guidance regarding the management of risk to support the achievement of strategic objectives, safeguard people and business assets and ensure financial sustainability.

The policy facilitates management of risks associated with the business activities and minimizes the impact of undesired and unexpected events. It shall form an integral part of V-Mart governance framework and it applies to all employees, contractors, and members across the levels.

2. Introduction

V-Mart’s risk management framework objective is to earn competitive returns from business activities at acceptable risk levels and in conformity with the Vision, Mission, and Values of the organization. The framework is necessitated due to various laws, regulations, contracts and internal and external stakeholders.

V-Mart sees risk as the chance of something happening in the future that will have an impact on objectives. The risk management framework shall support the business in achieving its objectives by actively identifying and managing potential threats and opportunities (e.g. taking on, managing or transferring/avoiding risk) to avoid issues arising or a situation where benefits can no longer be realized.

The V-Mart risk management framework encompasses all policies, processes, practices, and procedures established by management and/or the Board. Risk management is a company-wide process and shall necessitate coordination across the business, at all levels, to be efficient and effective. The primary objectives of the ERM framework are:

Identifying and assessing risks that could impact the achievement of goals and objectives

Establishing a program structure that engages functional leaders across the levels to identify and prioritize risks

Ensuring appropriate ownership and accountability of risks

Ensuring that risk exposure is identified and adequately monitored and managed

Developing and implementing appropriate risk mitigation and monitoring plans

Providing senior leadership with key information to make risk-informed decisions and to effectively allocate resources

Ensuring resources are acquired economically, adequately protected and managed efficiently and effectively in carrying out the business

Developing procedures to ensure there is an adequate level of compliance with policies, standards, procedures and applicable laws and regulations

V-Mart shall adopt Enterprise Risk Management through integration with other systems and processes as a way of working. The rationale of implementing ERM shall be to ensure that risk management is integrated and embedded into organizational processes. It is important to understand that Risk Management is not a Function or a risk listing. It includes putting practices in place to actively manage risk and addresses other topics such as strategy-setting, governance, communicating with stakeholders and measuring performance. It is a set of principles on which processes can be built or integrated for a particular organization, and it is a system of monitoring, learning, and improving performance.

The key indicators of success and outcome of V-Mart ERM shall be that the risks are known, owned and appropriately communicated and managed.

3. Risk Management – Reporting Structure

Implementation of an effective Enterprise Risk Management (ERM) framework is a collective responsibility. Every employee, member, and stakeholder of V-Mart is responsible for the effective risk management including the identification of potential risks. While management is responsible for the development of risk mitigation plans and the implementation of risk reduction strategies, risk management processes shall be integrated with other planning processes and management activities across all levels and functions to integrate it as a way of routine operations.

Reporting and functional approach of implementing ERM at V-Mart is given below:


4. Risk Management – Roles & Responsibilities

Roles and Responsibilities of V-Mart Stakeholders with respect to enterprise risk management have been enumerated below:

Stakeholders Roles & Responsibilities

Board of Directors

The Board of Directors shall:

1.1 Constitute a Risk Management Committee; (The members of RMC shall consist of all Independent Directors. The Chairperson of the Audit Committee shall be deemed to be the Chairman of RMC. The Chairman and Managing Director of V-Mart shall also be an integral part of the Risk Management Committee. The Board of Directors are authorized to nominate any other member in the Risk Management Committee.)

1.2 Define the role and responsibilities of the RMC and delegate the monitoring and reviewing of risk management plan to the RMC;

1.3 Review the corporate strategy, major plans of actions and approve the ERM Policy and review the risk management procedures;

1.4 Ensure that an appropriate system of controls and systems are in place for risk management, financial and operational control, and compliance with the law and relevant standards;

1.5 Ensure balanced decision making that encourages positive thinking but doesn’t result in over-optimism that leads to significant risks not being recognized or exposes the entity to excessive risk;

1.6 Assist executive management by challenging the underlying assumptions of strategy, strategic initiatives, risk appetite, exposures and the key areas of focus; and

1.7 Ensure that procedures are defined for informing the Board about the risk assessment and minimization procedures.

Risk Management Committee (RMC)

The Risk Management Committee (RMC) shall:

2.1 Ensure that a risk management system is established, implemented and maintained in accordance with this policy;

2.2 Be responsible for framing, implementing and monitoring the risk management plan;

2.3 Assign the roles and responsibilities in relation to enterprise risk management;

2.4 Ensure that the chosen risk approach is aligned to the organizational vision, mission, strategy, goals and objectives;

2.5 Nominate a Risk Management Steering Committee (RM-STECO) for identifying, analyzing, evaluating, consulting, treating, monitoring, reviewing and communicating the strategic, operational, regulatory, compliance and cyber-security risks (RM-STECO shall comprise the Chief Financial Officer (CFO) and Chief Operating Officer (COO). The RMC is authorized to nominate any other member in the RM-STECO.); and

2.6 Be responsible for regular overview of risk management activities in the organization and meet at least once a year to review the risks identified by the RM-STECO.


Risk Management Steering Committee (RM-STECO)

The RM-STECO shall:

3.1 Be accountable for identification, analysis, evaluation, consulting, treating, monitoring, reviewing and communicating the strategic, operational, regulatory, compliance and cyber-security risks to the Risk Management Committee at least once a year;

3.2 Be responsible for laying down procedures to inform the Board members about risk assessment and minimization procedures;

3.3 Ensure that risk management becomes part of day-to-day management in managing risks and opportunities;

3.4 Ensure that Risk Owners are aware of risks and how to manage them;

3.5 Actively monitor the strategic risks and critical operational risks to implement a continuous improvement approach to risk management;

3.6 Drive a culture of risk management in the organization and confirm compliance with the policy to the Board through annual attestation.

Project Management Office (PMO)

The PMO team shall:

4.1 Act as ‘Implementation Responsible’ for implementation of the Risk Management framework in V-Mart and shall consist of members from PMO, Internal Controls and other relevant teams.

4.2 Identify, analyze, evaluate, consult, treat, monitor, review and communicate the strategic, operational, regulatory, compliance and cybersecurity risks to the RM-STECO and RMC;

4.3 Continuously improve the risk management policy and supporting framework under consultation with Risk STECO;

4.4 Be responsible for laying down procedures to inform the Board members about risk assessment and minimization procedures;

4.5 Conduct meetings with RM-STECO members, Risk Owners and Risk Coordinators for brainstorming on identification, analysis, and evaluation, treating, monitoring, and reviewing the risks on a periodic basis;

4.6 Review progress against agreed risk management plans and communication to the RM-STECO and RMC.

Risk Owners

The Risk Owners shall:

5.1 Be accountable for strategic risk assessment within areas under their control including the devolution of the operational risk management process to respective managers and development of risk management plans;

5.2 Be responsible for:

a) Adherence to the processes;

b) Identifying, assessing and monitoring risks associated with the business operations in consultation with the Risk Management team;

c) Implementation & maintenance of policies and control procedures to give adequate protection against key risks;

5.3 Implement the Risk Management policy within their respective areas of responsibility, ensure staff in their team comply with the risk management policy and foster a culture where risks can be identified and escalated;

5.4 Report on the status of the risk, in so far as it impacts on their respective responsibilities, as part of the annual planning and review cycle;

5.5 Report new risks or considerable change in the risk level of existing risks through established reporting lines; and

5.6 Nominate Risk Coordinators for assisting implementation of ERM framework in the V-Mart who shall be responsible for:

a) Assisting the Risk Owners / Functional Heads in the identification, analysis, evaluation and monitoring of the operational, regulatory, compliance and cyber-security risks;

b) Performing operational risk management by overviewing processes and identifying, assessing and monitoring risks & opportunities;

c) Driving implementation of policies and control procedures to give adequate protection against the identified risks; and

d) Complying with risk management policies and procedures.

5. Principles of Risk Management

5.1 Framework Approach

The V-Mart Enterprise Risk Management framework is inspired by the principles enumerated under Enterprise Risk Management Integrating with Strategy and Performance, 2017 by Committee of Sponsoring Organizations of the Treadway Commission (COSO), ISO 31000:2018 and mandatory reporting requirements under Companies Act, Rules and SEBI (Listing Obligations and Disclosure Requirement) Regulations 2018.

5.2 Governing Principles

Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity. V-Mart shall continue to reinforce the governance culture in the DNA of the organization.

Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic planning process. A risk appetite shall be established and aligned with strategy; business objectives put the strategy into practice while serving as a basis for identifying, assessing, and responding to risk.

Performance: Risks that may impact the achievement of strategy and business objectives shall be identified and assessed. Risks shall be prioritized by severity in the context of risk appetite. The RM-STECO shall then select risk responses and take a portfolio view of the amount of risk it has assumed. The results of this process shall be reported to key stakeholders.

Review and Revision: By reviewing entity performance, RMC and RM-STECO can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.


Information, Communication, and Reporting: Implementation of Enterprise risk management shall necessitate a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

5.3 Implementation Principles

a) V-Mart shall develop culture, practice and the structures to accomplish the Vision, Mission and Strategic objectives which systematically recognize and address opportunities and threats to the business. The desired culture is one of risk awareness where there is transparency of risk and where risk ownership is designated and accepted. The desired practice embeds risk management in the business as an on-going and iterative activity at all levels of V-Mart. The desired structure’s focus is to realize potential opportunities whilst managing unfavorable effects by recognizing risk and acting appropriately upon it.

b) The Risk Owners, Managers, and Coordinators shall ensure that risk management is integrated and embedded into organizational processes. All line managers shall assume responsibility for risk management within their areas of responsibility, and shall ensure that risk management is embedded in the day-to-day business processes.

c) Risk management shall be forward-looking. V-Mart does not consider only the current issues or problems as risks. However, V-Mart recognizes that a response to issues may represent a future risk. Risk management shall focus on relevant strategies, goals, objectives, initiatives, requirements or other stated objectives to enable stakeholders to understand the risk profile, communicate it and act upon risk appropriately. It shall also take into consideration past learnings.

d) Risks shall be known to stakeholders, owned by an individual within the organization and managed appropriately. Risk information shall be considered when making decisions. Likelihoods and consequences of risk outcomes shall be taken into account. Management considerations of risk shall be documented for important decisions. Risk information and risk decisions shall be adequately documented so that it is easy to find it, communicate it, understand it and follow up on it. Important risks shall as a minimum be subject to enhanced monitoring. Risk owners are not permitted to take on risks where the assessed consequence of a materialized risk exceeds the authority granted to them.

e) In V-Mart, risk management shall be aligned with the stated objectives and strategy of the business and shall use risk assessments to identify and rate risk. Risk strategies shall be chosen and pursued in order to support the business achieving objectives. Risk monitoring enables the business to remain risk-aware; risk communication underpins stakeholder awareness of risk.

f) Risk information shall be current. Risk assessments may take place at any time over the year, but risks shall be reviewed by RM-STECO at least once every six months before submission to RMC. Risks reported to the Board through the annual strategic risk assessment process shall be presented to RM-STECO by the Risk Management team prior to submission to RMC or Board.

g) Ownership of Risks: Each risk listed in the annual strategic risk shall be owned by a member of the executive management i.e. by the HOD or Functional Head. A risk may only be owned by one member of executive management, but any member of executive management may own any number of risks.

h) Templates and guidelines: Risk Owners and Coordinators shall use the template issued by the Risk Management Team while reporting the risks identified as part of the risk assessment process. Supporting guidelines or other information regarding risk assessment and risk rating shall be periodically updated on the company communication platform i.e. Wooqer. Risk maps/risk matrices shall conform to V-Mart’s preferred 4*4 cell format. In special cases, the RM-STECO may approve the use of other templates or methodologies, provided the deviation is justified and documented in writing.


i) Other Governance Frameworks enhancing the effectiveness of Risk Management: V-Mart shall be committed to develop an integrated risk management framework with development and monitoring of multi-layered governance structures. It shall include effective implementation and sustenance of multi-dimensional frameworks covering:

o Cyber Security

o Information Security & Management

o Anti-Corruption/ Anti-bribery Management System

o Legal Compliance

o Customer Privacy

o Business Continuity & Crisis Management

o Fraud Risk Management

o Loss Prevention

o Internal Financial Controls

o Quality Management

o Supply Chain Sustainability

6. Risk Management Process

Risk Management as a process shall enable the organization to identify, assess and treat risks. It is a collective responsibility of everyone in the organization viz. Board, Management Team and all the personnel. Risk Management applies to all functions, verticals and operations within the organization. Apart from periodic exercise of performing the risk assessment, the risk management shall also be an iterative process. An iteration of the risk management process is triggered when there is a change in operating conditions, such as:

The organization develops a new goal, undertakes a project or investment or reconsiders its strategy for coming years

Conditions exterior to V-Mart change significantly, e.g. regulatory or legal changes, major changes in competitive landscape, changes to key partnerships, launch of a large competitor capable of disrupting the market, etc.

Periodic requirements for risk reviews as required by the governing documents of V-Mart, contracts or legislations.

The process of risk management is enumerated below:

[Figure: Identification, Assessment, Mitigation, Monitoring & Evaluation]

6.1 Risk Identification

Risk identification shall be performed to identify exposure to uncertainties. This shall necessitate an in-depth knowledge of the organisation, the market in which it operates, the economic, legal, regulatory, social, political, technological and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives. Risk identification shall be approached in a methodical way to ensure that all significant activities within the organization have been identified and all the risks flowing from these activities defined. The following methodologies can be used to identify risks:

Brainstorming

Surveys / Interviews / Working groups

Experiential or Documented Knowledge

Risk Lists - Lessons Learned

Historical risk event information

Identified risks shall be categorised under the four broad risk categories i.e.:

Strategic Risk - Risk of loss resulting from business factors. These risks adversely affect the achievement of strategic objectives and may impair overall enterprise value.

Operational Risk - Risk of loss resulting from inadequate or failed processes, people and information systems.

Reporting Risk - Risk of inadequate internal or external reporting due to wrong financial as well as non-financial information in the reports.

Compliance Risk - Risk of loss resulting from legal and regulatory factors.

Above mentioned risks which have been identified shall be further classified as per Annexure 8.2 to prioritize the risks.

6.2 Risk Assessment

Risk assessment allows an entity to consider the extent to which potential events have an impact on the achievement of objectives. Management should assess events from two perspectives:

Likelihood/Probability; and

Impact/Consequence.

Risk rating is the result of the product of impact and likelihood of occurrence of a risk with the consideration of controls in place. The risks identified will be evaluated by their likelihood and impact parameters as per the methodology mentioned in Annexure 8.3 and Annexure 8.4. The risk assessment methodology adopted defines risk exposure as a product of Impact (rating) of the risk and the Likelihood of occurrence (rating) of the risk.

6.3 Risk Mitigation

V-Mart shall adopt responses to mitigate the risks identified. There can’t be a single best response strategy, as every risk must be evaluated on its own merits. Hence, some risks shall necessitate a combination of strategies and multiple responses while others may need one strategy with a single response. The available response options for mitigating the risks are given below:

Risk Response Strategy: Detailed Description

Avoidance/Termination: This involves doing things differently and thus removing the risk. This is particularly important in terms of project risk, market risk or customer risk but also quite often wishful thinking in terms of the strategic risks.

Reduction/Mitigation: This involves reducing or treating the risk. While this is one of the most widely used approaches, the purpose of treating a risk is to continue with the activity which gives rise to the risk but to bring the risk to an acceptable level by taking action to control it in some way through either:

o Containment actions (lessen the likelihood or consequences and applied before the risk materializes) or;

o Contingent actions (put into action after the risk has happened, i.e. reducing the impact. Must be pre-planned)

Acceptance/Retention: This involves accepting and tolerating the risk. Risk Management doesn’t necessarily mean risk reduction and there could be certain risks within the organization that it might be willing to accept and continue with its operational activities. The organization shall tolerate such risks that are considered to be acceptable, for example:

o a risk that cannot be mitigated cost effectively;

o a risk that opens up greater benefits than loss

o uncontrollable risks

It’s the role of RM-STECO to decide to tolerate a risk, and when such a decision is taken, the rationale behind it shall be fully documented and should be communicated to RMC as well. In addition, the risk shall continue to be monitored and contingency plans shall be in place in the event of the risk occurring.

Risk Transfer: This includes transfer of some aspects of the risk to a third party. This option is particularly good for mitigating financial risks or risks to assets. While transferring the identified risks to the transferring party, the internal processes of the selected organization for managing & mitigating the identified risks and the cost-benefit of transferring the risk to the third party need to be assessed.

Risk Reduction & Mitigation Process

If the risk treatment mechanism selected is risk mitigation or risk transfer for an identified risk than the next step shall be to review and revise existing controls to mitigate the risks falling beyond the risk appetite and also identify new and improved controls.

Process Detailed Description

A. Identify controls: It includes designing of new control activities in addition to existing controls post assessment of risk exposure at current level to ensure that the risks are within the accepted risk appetite. Control activities are categorized into Preventive or Detective on the basis of their nature and timing:

o Preventive controls – focus on preventing an error or irregularity.

o Detective controls – focus on identifying when an error or irregularity has occurred. It also focuses on recovering from, repairing the damage from, or minimizing the cost of an error or irregularity.

B. Evaluate Controls: The controls identified for each risk event shall be evaluated to assess their effectiveness in mitigating the risks falling beyond the risk appetite.

C. Implement Controls & Plan

It is the responsibility of the PMO team to ensure that the risk mitigation plan for each function is in place and is reviewed regularly.

[Process flow diagram: Identify, Evaluate, Implement]


6.4 Risk Monitoring & Review

The Risk Management – Steering Committee (RM-STECO) shall be accountable for ensuring process adherence on an ongoing basis within the risk management framework outlined in this policy to mitigate the risks to the organization’s business. The monitoring and review process shall also determine whether:

Risk measures adopted accomplished the objectives for which they were performed;

The procedures adopted and information gathered for undertaking the assessment were appropriate;

Acceptability of each identified risk and mitigation plan by the Risk Owners to identify key strategic risks for the organization;

Proposed actions to eliminate, reduce or manage each significant risk shall be considered and agreed; and

Responsibilities for the mitigation measures for key risks management of each risk shall be assigned to appropriate department/regional heads.

As the risk exposure of any business may undergo change from time to time due to continuously changing environment, the risks with their mitigation measures shall be updated on a regular basis. Hence as a risk monitoring action plan:

The risk owners shall review and report the status of risks and treatment actions to the RM-STECO through PMO and Risk Coordinators.

Any new or changed risks shall be identified and escalated to the RM-STECO and RMC if deemed necessary as per the defined framework.

The RM-STECO along with PMO shall identify the key risks to be put up in the Risk management Committee meetings.

The RMC shall monitor and supervise the development and implementation of the Risk Management Policy and maintain enterprise wide view of the key risks and their mitigation measures faced by the organization.

The RM-STECO through PMO shall report the key risks and their mitigation plans to the Risk Management Committee on a quarterly basis.

The RMC shall review the key risks faced by the organization and the mitigation measures taken on a quarterly basis.

Changes in the organization and the environment in which it operates must be identified and appropriate modifications made to risk management practices by the Risk Owners in agreement with RM-STECO.

The PMO shall provide assurance to RM-STECO that there are appropriate controls in place for the organization’s risks.

Internal Controls shall perform regular audits of policy and standards compliance, and standards performance shall be reviewed to identify opportunities for improvement.

The PMO shall review progress on the actions agreed to mitigate the risk and make an assessment of the current level of risk including:

o Establishing whether actions have been completed or are on target for completion.

o Report the status of implementation of mitigation plans to the Risk Committees.

o Maintain centralized Risk register with their mitigation plan and shall be reviewed and updated as per the policy guidelines.


7. ERM Policy – Approval and Amendments

The decision of the Board of Directors of the V-Mart with regard to any or all matters relating to this policy shall be final and binding on all concerned. The Board of Directors in consultation with the Risk Management Committee shall have the power to modify, amend or replace this policy in part or full as may be thought fit from time to time in their absolute discretion.

The Board of Directors in their meeting held on 2nd November 2018 has constituted Risk Management Committee which shall be the approving authority for the company’s overall Risk Management Policy. The Risk Management Committee shall, therefore, monitor the compliance and approve the Risk Management Policy and any amendments thereto from time to time.

The risk management policy shall be reviewed as and when required but not later than 3 years based on changes in the business environment, regulations, standards or best practices in the industry. Any changes to this policy including amendments to the Impact and Likelihood Matrices shall be recommended by the PMO team, approved by RM-STECO and notified to RMC.


8. Appendix

8.1 Glossary of Key terms

# Term Definition / Detailed Description

1 Consequence / Impact – Outcome of event affecting objectives. An event can lead to a range of consequences.

2 Enterprise Risk Management – Risk management refers to the practice of identifying potential risks in advance, analysing them and taking precautionary steps to reduce/curb the risk.

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

3 Event – Occurrence or change of a particular set of circumstances.

An event can be one or more occurrences and can have several causes.

An event can consist of something not happening.

An event can sometimes be referred to as an “incident” or an “accident.”

4 Inherent Risk – The current or original risk rating which considers current controls prior to the addition of risk treatments.

5 Level of Risk – Magnitude of a risk or combination of risks expressed in terms of the combination of consequences and their likelihood.

6 Likelihood – Chance of something happening

7 Risk – Effect of uncertainty on objectives. Risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on the achievement of objectives. Risk can also be explained as a chance of something happening that will have an impact on the achievement of the organizational objectives. Risk is measured in terms of consequences/Impact and likelihood. Negative risks are known as threats while positive risks are known as opportunities.

8 Risk Appetite – Amount and type of risk that an organisation is willing to pursue or retain.

9 Risk Assessment – The systematic process of identifying and analysing risks.

10 Risk Categories – Risks can be categorized into several categories and may include strategic, financial, operational & compliance. The risk categories can be further classified into various types such as Competition, Contract, environmental, safety & security, people and reputation.

The detailed list of such risk is given in Annexure 1

11 Risk Description – Structured statement of risk usually containing four elements: sources, events, causes and consequences

12 Risk Factors – The objectives of the Company are subject to risks that can be broadly categorized under external and internal risk factors.

13 Risk Identification – Process of finding, recognizing and describing risks.


14 Risk Matrix – Tool for ranking and displaying risks by defining ranges for consequence and likelihood.

15 Risk Owner – The Risk Owner is the designated person who shall make decisions to respond or not to respond to a Risk and shall ensure this decision is carried out.

In ordinary course of business, he/she is a functional head and part of senior level management who takes decisions on behalf of the function and who has the authority to manage the risk.

Person or entity with the accountability and authority to manage risk.

16 Risk Profile – Risk profile is an evaluation of organizational willingness and ability to take risks. It is description of any set of risks. The set of risks can contain those that relate to the whole organisation, part of the organisation, or as otherwise defined.

17 Residual Risk – Risk remaining after risk treatment. Residual risk can be known as “retained risk”.

18 Risk Register – Risk Register is a Documented record of information about identified risks. Risk Register is a compilation of risks identified along with aspects such as:

o Key Risk Factors i.e. what could trigger those risks to happen

o Consequence or impact of occurrence / non occurrence

o Probability of occurrence of those risks

o Risk Mitigation Plan with Implementation Responsible and Timelines

o Potential Financial Impact

19 Risk Source – Element which alone or in combination has the intrinsic potential to give rise to risk.

20 Risk Treatment – Process to modify risk and can involve:

o Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;

o Taking or increasing risk in order to pursue an opportunity;

o Removing the risk source;

o Changing the likelihood;

o Changing the consequence;

o Sharing the risk with another party or parties (including contracts and risk financing); and

o Retaining the risk by informed decision

Risk treatment is also defined as: "Risk control" and means taking action to eliminate risks so far as is reasonably practicable, and if that is not possible, minimising the risks so far as is reasonably practicable. Eliminating a hazard will also eliminate any risks associated with that hazard.

21 Risk Treatment Owner – The officer/manager responsible for managing the treatment of risks. This includes ensuring that the treatment strategy outlined is implemented and is doing what it was designed to do – manage the risk.

The risk treatment owner is not always (will be in some cases) the risk owner.


8.2 Classification of Risks

Asset Risk- Risk of loss resulting from depreciation, underutilization or loss of control over physical assets of company

Competition Risk – Risks pertaining to the external competitors of the company such as entry of new competitors, e-commerce penetration, etc.

Compliance Risk - Risk of loss resulting from legal and regulatory factors, such as privacy legislation, compliance laws and intellectual property enforcement

Contract Risk – Risks pertaining to the contracts signed with client and subcontractors

Contractor/ Vendor Risk – Risks originating from company’s relationship and dependence on third party vendors, contractors or outsourcing partners

Environmental Risk – Risks having implications on the environment, weather, pollution or risks arising due to changes in environment

Expense Risk – The risk of a change in value caused by the fact that the timing and/or the amount of expenses incurred differs from those expected, e.g. assumed for pricing basis.

Financial Risk - All risks which have a financial implication such as adverse movements in foreign exchange rates, capital expenditure etc.

Foreign environment risk - The risk arising due to exposure to foreign laws, regulation and socio-political environment

Litigation Risk - Risk of loss arising out of litigations against or litigation initiated by the company

Market Risk – Risks pertaining to external market factors such as demand uncertainty, price volatility etc

People Risk - Risks (like attrition) that are part of the personnel related processes of the company such as recruitment, skill sets and performance measurement

Process Risk/ Execution Risk – The risk arising due to lack of adequate process or inadequate execution of defined processes

Project Risk – Risks which impact the execution of any project resulting in time and cost overrun

Regulatory/Political Risk - The risk arising due to change in regulatory policy of the country

Reporting Risk - Risk of inadequate internal or external reporting due to wrong financial as well as non-financial information in the reports

Reputation Risk – Risks having implications on the brand and reputation of the company

Technology Risk – Risks originating from usage and deployment of technology in the organization in its operations and management such as product obsolescence because of technology gap


8.3 Impact/Consequence Assessment Matrix

* Where the ratings based on different parameters differ, the higher of the two or more ratings should be considered as the final risk rating. E.g. for a particular risk, the Impact rating could be 1 based on the Compliance parameter but 3 based on Impact and Reputation; the final impact rating should then be taken as 3.


8.4 Likelihood of occurrence Assessment Matrix

To assess the likelihood, following matrix shall be considered:

Likelihood Scale | Classification | Description Likelihood

1 - Low | Rare | Has not occurred or can occur in exceptional cases only

2 - Medium | Unlikely but possible | Event has occurred remotely in past years but not expected to occur again but may happen

3 - High | Likely | Event has occurred in past one year and likely to occur again

4 - Very High | Certain | More than once in a year with a certainty that event will occur

8.5 Risk Register

Below mentioned Excel based tool shall be considered for recording, monitoring and reporting the risks and mitigation plans.

