Risk management report

The risk management report discusses the various dimensions of our enterprise risk management practices. Readers are cautioned that the risk-related information outlined here is not exhaustive and is for information purposes only. The discussion may contain statements that are forward-looking in nature. Our business model is subject to uncertainties that could cause actual results to differ materially from those reflected in the forward-looking statements. Readers are advised to exercise their own judgment in assessing risks associated with the Company and refer to discussions of risks in the Company’s previous annual reports and the filings with the Securities and Exchange Commission, USA.

A. Overview

Enterprise Risk Management (ERM) at Infosys encompasses practices relating to identification, assessment, monitoring and mitigation of various risks to our business objectives. ERM at Infosys seeks to minimize adverse impact of risks on our business objectives and enable the Company to leverage market opportunities effectively. Further, our risk management practices seek to sustain and enhance the long-term competitive advantage of the Company. Risk management is integral to our business model, described as ‘Predictable, Sustainable, Profitable and De-risked’ (PSPD). Our core values and ethics provide the platform for our risk management practices.

B. Infosys risk management framework

Our risk management framework comprises the following key components.

1. Risk management structure

The risk management structure at Infosys spans across the enterprise at all levels. These levels also form the various lines of defense in our risk management.

The key roles and responsibilities regarding risk management in the Company are summarized below:


Key roles and responsibilities

Board of Directors

  • Corporate governance oversight of risk management performed by the Executive Management
  • Review the performance of the Risk Management Committee

Risk Management Committee (RMC)

  • Comprises four independent directors
  • David L. Boyles, Chairperson
  • Sridar A. Iyengar
  • Dr. Omkar Goswami
  • Prof. Jeffrey S. Lehman
  • Assisting the Board in fulfilling its corporate governance oversight responsibilities with regard to identification, evaluation and mitigation of operational, strategic and external environment risks
  • Monitoring and reviewing risk management practices of the Company
  • Reviewing and approving risk-related disclosures


Risk Council (RC)

  • Comprises the Chief Executive Officer (CEO), the Chief Operating Officer (COO) and the Chief Financial Officer (CFO)
  • Reviewing enterprise risks from time to time, initiating mitigation actions, identifying the owners and reviewing the progress and effectiveness of mitigation actions
  • Formulation and deployment of risk management policies
  • Deploying practices for the identification, assessment, monitoring, mitigation and reporting of risks
  • Providing updates to RMC and the Board from time to time on the enterprise risks and actions taken

Office of Risk Management (ORM)

  • Comprises the network of risk managers from units and our group companies and is led by the Chief Risk Officer (CRO)
  • Facilitating the execution of risk management practices in the enterprise as mandated, in the areas of risk identification, assessment, monitoring, mitigation and reporting
  • Providing periodic updates to the RC and quarterly updates to the RMC on top risks and their mitigation
  • Working closely with owners of risk in deploying mitigation measures and monitoring their effectiveness

Unit Heads

  • Responsible for managing their functions as per the Company risk management philosophy
  • Responsible for managing risks concomitant to the business decisions relating to their unit, span of control or area of operations
  • Manage risks at the unit level that may arise from time to time, in consultation with the Risk Council

The Infoscion

  • Adhering to risk management policies and procedures
  • Implementation of prescribed risk mitigation actions
  • Reporting risk events and incidents in a timely manner

2. Risk categories

The following broad categories of risks have been considered in our risk management framework:

3. Key risk management practices

The key risk management practices include those relating to risk assessment, measurement, monitoring, reporting, mitigation actions and integration with strategy and business planning.

[Figure: Key components of Infosys Risk Management Framework]

[Figure: Risk Categories]

C. Overview of risk environment and key risk management activities of the year

While the business risk environment gradually improved during the year, several macroeconomic and regulatory developments required our close monitoring and interventions. In our key markets, business outlook indicators improved and the financial position of several key clients stabilized during the year. While unemployment rates in key markets moderated, they continued to be high, prompting several government policy interventions. There were regulatory changes and proposals relating to visa policies in key markets. Macroeconomic developments in the Eurozone led to high volatility in currencies from which we derive our revenues. Keeping in view the business risk environment, we closely monitored our competitive position and deployed interventions.

Our risk management approach and practices continued to focus on minimizing the adverse impact of risks on our business objectives and to enable the Company to leverage market opportunities based on risk-return parity. Our active management of currency risks minimized the impact in a volatile currency market. Our continued emphasis on credit risk management through periodic credit quality assessments and focused collection mechanisms resulted in the improvement of credit quality indicators. We continued our emphasis on talent management relating to attraction, retention, engagement and competency development. We further strengthened operational risk mitigation mechanisms in areas including information security, data protection, physical security, project service delivery and contracts management. Our periodic assessment and monitoring of business risk and regulatory environment resulted in timely deployment of appropriate mitigation measures.

The following risk management activities were conducted:

1. Top risk identification, tracking and review

2. Risk assessments and review