Preamble
Risk management is a key aspect of the “Corporate Governance Principles and Code of Conduct”, which aims to improve governance practices across the Company’s activities. The risk management policy and processes enable the Company to proactively manage uncertainty and changes in the internal and external environment, to limit negative impacts and capitalize on opportunities.
The Company recognizes risk management as an integral component of good corporate governance and as fundamental to achieving its strategic and operational objectives. It improves decision-making, defines opportunities and mitigates material risk that may impact shareholder value.
Scope of Policy
This policy is intended to cover all locations/verticals and applies to all employees, whether full time, part time or casual, at any level of seniority within the business. The policy also applies to contractors and consultants working on behalf of Pennar Industries Limited.
Risk Management Framework
The risk management framework within the Company works in the following two stages:
1. Identification of risks and their contributing factors: The various risks facing the business fall into the following broad categories, with examples:
- 1.1. Corporate Risk, Example: Brand and reputation risk
- 1.2. Information Technology, Example: Security risks and cyber-attacks
- 1.3. Regulatory, Example: Risk of non-compliance with state/centre-governed statutory guidelines
- 1.4. Operational, Example: Marketing & Customer retention, Vendor Management
- 1.5. HR, Example: Talent management (recruitment, training, retention)
- 1.6. Finance, Example: Business Financial planning
- 1.7. Sustainability Risk, Example: ESG-related risks (Environmental, Social & Governance)
2. Response against Identified Risk (Mitigation Steps): The Company believes that the Risk cannot be eliminated. However, it can be:
- 2.1. Transferred to another party that is willing to take the risk, say by buying an insurance policy;
- 2.2. Mitigated by having good internal controls;
- 2.3. Eliminated by terminating the activity itself; and
- 2.4. Tolerated, to either avoid the cost of trying to reduce risk or in anticipation of higher profits by taking on more risk.
3. The risk management process entails:
- 3.1. On a regular basis, identifying, analyzing, evaluating and confirming all risks for the business, including:
- 3.2. Assessing the impact of the risks of the business;
- 3.3. Assessing the likelihood of the risk occurring;
- 3.4. Calculating the risk rating as indicated by the likelihood and impact matrix;
- 3.5. Evaluating which risks need treatment and the priority for treatment implementation, based on risk materiality and the agreed risk appetite.
- 3.6. Developing and maintaining a Risk Register that documents all high, medium and low risks and is updated regularly.
- 3.7. Developing a mitigation plan for the management of risks.
- 3.8. Ensuring formulation of appropriate risk management policies and procedures, their effective implementation and independent monitoring and reporting by Internal Audit.
- 3.9. The Audit Committee of the Board reviews Internal Audit findings and provides strategic guidance on internal controls. It monitors the internal control environment within the Company and ensures that Internal Audit recommendations are effectively implemented.
4. Assessment and review of Risk:
The Internal Auditor of the Company also plays a crucial role in the assessment and review of the overall control environment, as he/she is also responsible for overseeing and managing compliance within the organization and for ensuring that the Company and its employees comply with regulatory requirements and internal policies and procedures. He/she has to provide reasonable assurance to Senior Management and the Board of Directors that effective and efficient policies and procedures are in place, are well understood and respected by all employees, and that the Company is complying with all regulatory requirements. The combination of policies and processes outlined above adequately addresses the various risks associated with the Company’s businesses. The senior management of the Company periodically reviews the risk management framework so as to effectively address emerging challenges in a dynamic business environment.
5. Risk Management Policy
Management is responsible for ensuring that risks are identified, analyzed, evaluated and mitigated at regular intervals. Process owners shall be responsible for implementation of the risk management system as may be applicable to their respective areas of functioning. However, the Internal Auditor shall be responsible for all communication between management and the Board regarding risk identification, analysis, evaluation and the mitigation plan.
The Board is ultimately responsible for identifying and assessing internal and external risks that may impact the Company in achieving its strategic objectives. The Board is also responsible for reviewing and approving the risk management framework and risk appetite on an annual basis.
The internal audit program is aligned to the Company’s risk profile and is responsible for providing independent assurance in relation to the effectiveness of processes to manage particular areas of risk. The scope of internal audit’s risk-based program is agreed as part of an annual plan, which is refined as required from time to time.