The Risk Management report discusses various dimensions of our enterprise risk management. The risk-related information outlined in this section may not be exhaustive. The discussion may contain statements that are forward-looking in nature. Our business is subject to uncertainties that could cause actual results to differ materially from those reflected in the forward-looking statements. Readers are advised to refer to the detailed discussion of risk factors and related disclosures in our regulatory filings, and exercise their own judgment in assessing risks associated with the Company.
Our Enterprise Risk Management (ERM) framework encompasses practices relating to the identification, analysis, evaluation, treatment, mitigation and monitoring of the strategic, external and operational controls risks to achieving our key business objectives. ERM at Infosys seeks to minimize the adverse impact of these risks, thus enabling the Company to leverage market opportunities effectively and enhance its long-term competitive advantage.
Several risks can impact the achievement of a particular business objective. Similarly, a single risk can impact the achievement of several business objectives. The focus of risk management is to assess risks and deploy mitigation measures. This is done through periodic review meetings of the risk and strategy committee of the Board.
Our core values and ethics provide the platform for our risk management practices.
B. Key components of the Infosys risk management framework
1. Risk governance structure
Our risk management framework works at various levels across the enterprise. The key roles and responsibilities regarding risk management in the Company are summarized as follows:
Key roles and responsibilities
Board of Directors (Board)
Risk and strategy committee (RSC)
Risk council (RC)
Office of Risk Management (ORM)
Unit risk managers
Project teams and individuals
2. Business objectives
The business objectives of the Company are articulated as a set of specific near-term goals, and long-term strategic goals in a corporate scorecard. These goals cover the dimensions of consistent financial performance, market penetration, differentiation in solutions, services and operational excellence, leveraging talent and long-term sustainability of the organization.
3. Risk categories
Our risk management framework considers the following broad categories of risks:
Risks arising out of the choices we have made in defining our strategy and the risks to the successful execution of these strategies are covered in this category – for example, risks inherent to our industry and competitiveness are analyzed and mitigated through strategic choices of target markets, the Company’s market offerings, business models and talent base. Details of the Company’s strategy are described in other sections of this document. Potential risks to the long-term scalability and sustainability of the organization are also analyzed and mitigated – for example, societal risks relating to the impact of our strategy on the environment, local communities, and conservation of essential resources.
We periodically assess risks to the successful execution of our strategy, such as the effectiveness of strategic programs that are being executed, the momentum in new initiatives, the impact of strategy on financial performance, leveraging of inorganic strategies, effectiveness of organization structure and processes, retention and development of high-performing talent and leadership.
Risks arising out of uncontrollable factors from outside the organization are covered in this category – for example, risks of adverse developments in the regulatory environment in which we operate, unfavorable trends in the macroeconomic environment including currency fluctuations, natural disasters and attacks on our physical and technology infrastructure.
Risks arising out of inefficiencies in the design, operations or systems of internal controls are covered in this category – for example, risks of non-compliance to policies, information security, data privacy, intellectual property, individuals engaging in unlawful or fraudulent activity or breaches of contractual obligations. These risks could typically result in penalties, financial loss, litigation and loss of reputation and are assessed primarily on dimensions such as business process effectiveness, segregation of duties, compliance with policies and procedures, and strength of underlying controls. These risks also include counterparty risks arising from our association with entities for conducting business, namely clients, vendors, alliance partners and their respective industries.
4. Risk management processes
The Company’s risk management practices are:
Risk identification, analysis, and evaluation
Mechanisms for identification of risks include annual risk surveys across the Company, industry benchmarking, periodic assessments of the business environment, incident analysis, findings of internal audits, discussions with the risk council and the risk and strategy committee and analysis of the Company’s performance relative to the corporate scorecard goals. Risk analysis and evaluation is carried out using scenario-based assessments to decide the potential impact, likelihood of occurrence and in some cases, the detectability of the risk. Estimated risks are compared with established risk criteria and thresholds to determine the priority and method of risk treatment.
Risk treatment is the process of selecting and implementing measures to alleviate the impact of identified risks.
- Avoid: A decision to nullify the risk by refraining from the activities that cause it
- Transfer: A decision to transfer the specific risk to another entity
- Reduce: A decision to reduce the level of risk through targeted mitigation, if not to completely nullify it
- Accept: A decision to allow the risk to remain as is, irrespective of its severity
Risk mitigation and monitoring
Mitigation plans are finalized, owners are identified and the progress of mitigation actions are monitored and reviewed. The risk and strategy committee periodically does a deep dive into understanding the scope and effectiveness of mitigation plans and provides feedback to mitigation teams.
Risk-based approach to strategic planning
At Infosys, the functions of strategic planning and risk management are intertwined. Risks to achieving business objectives are key inputs to the formulation and development of strategy and business planning. Key strategic initiatives are identified to mitigate specific risks. This approach is practiced at various levels of the Company, such as in client account teams, project teams, support departments and subsidiaries.
Risk reporting and disclosures
Dashboards help track external and internal indicators for each identified risk and assess its severity. The trend line assessment of top risks, analysis of exposure and potential impact are carried out periodically, presented and discussed with the risk council and risk and strategy committee. Key external and internal incidents are reported and reviewed at appropriate fora, such as the Information Security Council and meetings of the executive board. Risks relating to client project execution and client account level risks are reported and discussed at appropriate levels within the Company. Periodic updates are provided to the Board highlighting key risks, their impact and mitigation actions. Key risk factors are disclosed in regulatory filings.
C. Risk management highlights for the year
During the last fiscal, our risk management practices were primarily focused on the effectiveness of strategic programs in improving our competitive position and differentiation in market segments, the momentum of new initiatives to achieve our long-term business aspirations, our preparedness to address any incidents that may cause business disruptions to our physical and technological infrastructure, strengthening internal controls to detect fraudulent activity, leadership development and monitoring possible impact of changes in our regulatory environment.
We carried out the following risk management activities during the last fiscal:
- An annual risk survey was conducted across functions to get inputs on key risks to the achievement of business objectives, their prioritization and mitigation actions to minimize impact.
- Top risks were reviewed and discussed with the risk council and the risk and strategy committee. Deep dive assessments were done in identified areas by members of the committee.
- Risk assessment of our business momentum relative to competition and competitive position in key market segments comprising geographies, industries and service lines were conducted and actions were reviewed.
- Regularly assessed business environment including trend-line of key external indicators and internal business indicators along with assessments by market segments, top clients' growth, currency risk and credit risk.
- Reviewed key operational risks and actions based on inputs from the internal risk register, external assessments, internal audit findings and incidents. Reviewed operational risk areas including client service delivery, information security (cyber attacks and threat intelligence), women’s safety, physical security, succession planning and business continuity management.
- Monitored key developments in the regulatory environment relating to visas, immigration laws and impact assessments.
- Monitored availability of natural resources, such as water and power and its impact on our operations.