Risk management report
The risk management report discusses the various dimensions of our enterprise risk management practices. Readers are cautioned that the risk related information outlined here is not exhaustive and is for information purposes only. The discussion may contain statements, which may be forward-looking in nature. Our business model is subject to uncertainties that could cause actual results to differ materially from those reflected in the forward-looking statements. Readers are advised to exercise their own judgment in assessing risks associated with the Company and refer to discussions of risks in the Company’s previous annual reports and the filings with the Securities and Exchange Commission, USA.
Enterprise Risk Management (ERM) at Infosys encompasses practices relating to identification, assessment, monitoring and mitigation of various risks to our business objectives. ERM at Infosys seeks to minimize adverse impact of risks on our business objectives and enable the Company to leverage market opportunities effectively. Further, our risk management practices seek to sustain and enhance the long-term competitive advantage of the Company. Risk management is integral to our business model, described as ‘Predictable, Sustainable, Profitable and De-risked’ (PSPD). Our core values and ethics provide the platform for our risk management practices.
B. Infosys risk management framework
Our risk management framework comprises of the following key components.
1. Risk management structure
The risk management structure at Infosys spans across the enterprise at all levels. These levels also form the various lines of defense in our risk management.
The key roles and responsibilities regarding risk management in the Company are summarized below :
Key roles and responsibilities
Board of Directors
- Corporate governance oversight of risk management performed by the Executive Management
- Review the performance of the Risk Management Committee
- Comprises four independent directors
- David L. Boyles, Chairperson
- Sridar A. Iyengar
- Dr. Omkar Goswami
- Prof. Jeffrey S. Lehman
- Assisting the Board in fulfilling its corporate governance oversight responsibilities with regard to identification, evaluation and mitigation of operational, strategic and external environment risks
- Monitoring and reviewing risk management practices of the Company
- Reviewing and approving risk-related disclosures
- Comprises the Chief Executive Officer (CEO), the Chief Operating Officer (COO) and the Chief Financial Officer (CFO)
- Reviewing enterprise risks from time to time, initiating mitigation actions, identifying the owners and reviewing the progress and effectiveness of mitigation actions
- Formulation and deployment of risk management policies
- Deploying practices for the identification, assessment, monitoring, mitigation and reporting of risks
Risk Council (RC)
- Providing updates to RMC and the Board from time to time on the enterprise risks and actions taken
Office of Risk Management (ORM)
- Comprises the network of risk managers from units and our group companies and is led by the Chief Risk Officer (CRO)
- Facilitating the execution of risk management practices in the enterprise as mandated, in the areas of risk identification, assessment, monitoring, mitigation and reporting
- Providing periodic updates to the RC and quarterly updates to the RMC on top risks and their mitigation
- Working closely with owners of risk in deploying mitigation measures and monitoring their effectiveness.
- Responsible for managing their functions as per the Company risk management philosophy
- Responsible for managing risks concomitant to the business decisions relating to their unit, span of control or area of operations
- Manage risks at the unit level that may arise from time to time, in consultation with the Risk Council
- Adhering to risk management policies and procedures
- Implementation of prescribed risk mitigation actions
- Reporting risk events and incidents in a timely manner
2. Risk categories
The following broad categories of risks have been considered in our risk management framework :
- Strategy : Risks emanating out of the choices we make on markets, resources and delivery model which can potentially impact our long-term competitive advantage
- Industry : Risks relating to inherent characteristics of our industry including, competitive structure, technological landscape, extent of linkage to economic environment and regulatory structure
- Counterparty : Risks arising from our association with entities for conducting business. These include clients, vendors, alliance partners and their respective industries
- Resources : Risks arising from inappropriate sourcing or sub-optimal utilization of key organizational resources such as talent, capital and infrastructure
- Operations : Risks inherent to business operations including those relating to client acquisition, service delivery to clients, business support activities, information security, intellectual property, physical security and business activity disruptions
- Regulations and compliance : Risks due to inadequate compliance to regulations, contractual obligations and intellectual property violations leading to litigation and loss of reputation.
3. Key risk management practices
The key risk management practices include those relating to risk assessment, measurement, monitoring, reporting, mitigation actions and integration with strategy and business planning.
- Risk identification and assessment : Periodic assessment of business risk environment to identify significant risks for the Company and prioritizing the risks for action. Mechanisms for identification and prioritization of risks include risk survey, business risk environment scanning and focused discussions in the RC and the RMC. A risk survey of executives across units, functions and subsidiaries is conducted before the annual strategy exercise. The risk register and internal audit findings also provide pointers for risk identification.
- Risk measurement, mitigation and monitoring : For top risks, dashboards are created that track external and internal indicators relevant for risks, so as to indicate the risk level. The trend line assessment of top risks, analysis of exposure and potential impact are carried out. Mitigation plans are finalized, owners are identified and the progress of mitigation actions are monitored and reviewed.
- Risk Reporting : The top risks report outlining the risk level, trend line, exposure, potential impact and status of mitigation actions is discussed in the RC and the RMC on a periodic basis. In addition, risk update is provided to the Board. Entity level risks such as project and account level risks are reported to and discussed at the appropriate levels within the organization.
- Integration with strategy and business planning : Identified risks are used as one of the key inputs for the development of strategy and annual business plan.
Key components of Infosys Risk Management Framework
C. Overview of risk environment and key risk management activities of the year
While the business risk environment gradually improved during the year, several macro economic and regulatory developments required our close monitoring and interventions. In our key markets, business outlook indicators improved and the financial position of several key clients stabilized during the year. While unemployment rates in key markets moderated, they continued to be high prompting several government policy interventions. There were regulatory changes and proposals relating to visa policies in key markets. Macroeconomic developments in the Eurozone led to high volatility in currencies from which we derive our revenues. Keeping in view the business risk environment, we closely monitored our competitive position and deployed interventions.
Our risk management approach and practices continued to focus on minimizing the adverse impact of risks on our business objectives and to enable the Company to leverage market opportunities based on risk-return parity. Our active management of currency risks minimized the impact in a volatile currency market. Our continued emphasis on credit risk management through periodic credit quality assessments and focused collection mechanisms resulted in the improvement of credit quality indicators. We continued our emphasis on talent management relating to attraction, retention, engagement and competency development. We further strengthened operational risk mitigation mechanisms in areas including information security, data protection, physical security, project service delivery and contracts management. Our periodic assessment and monitoring of business risk and regulatory environment resulted in timely deployment of appropriate mitigation measures.
The following risk management activities were conducted :
1. Top risk identification, tracking and review
- Annual risk survey across functions and subsidiaries to get inputs on key risks and prioritization. Subsequent discussions in the RC and the RMC for finalization of top risks
- Review of top risks in the RC and the RMC covering risk level, trend line, exposure, potential impact and progress of key mitigation actions
- Review discussions on key items from risk register by the RC and the RMC
2. Risk assessments and review
- Periodic assessment of business risk environment including analysis of top clients, counterparty exposures, competitive positioning and sovereign risk
- Risk assessment of regulatory environment, especially those relating to visa and taxation
- Assessment and review of financial risks such as currency risk, credit risk and liquidity
- Risk assessments in multiple areas including talent management, competitive positioning, service delivery, information security, intellectual property, physical security and business continuity
- Review of contractual compliance monitoring systems and account risk management systems in business units
- Evaluation of the company’s ERM program with global best practices