Risk Management Policy
1. PREFACE
The Risk Management Committee (RMC) is applicable to the top 1000 listed entities, determined based on market capitalization as at the end of the immediate preceding financial year. Since the Company does not fall into that category, currently, the RMC is not applicable. However, when the Company meets the criteria where the RMC becomes applicable, it will comply with the regulations governing its formation and operation.
Any omission shall not be construed as non-compliance with any relevant regulations or provisions thereof.
The Board of Directors (the “Board”) of Anthem Biosciences Limited (the “Company”) has voluntarily adopted this policy pursuant to Regulation 17(9) of the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015 (“SEBI Listing Regulations”) and Section 134(3) of the Companies Act, 2013. This Risk Assessment and Management Policy (“Policy”) establishes the philosophy of the Company towards risk identification, analysis and prioritization of risks, development of risk mitigation plans and reporting on the risk environment of the Company. This Policy is applicable to all the functions, departments and geographical locations of the Company. The purpose of this Policy is to define, design and implement a risk management framework across the Company to identify, assess, manage and monitor risks. Aligned to this, the purpose is also to identify potential events that may affect the Company, manage the risk within the risk appetite and provide reasonable assurance regarding the achievement of the Company’s objectives. This will present a wide approach to ensure that key aspects of risk that have a wide impact are considered in its conduct of business.
Risk: Risk is an event which can prevent, hinder or fail to further or otherwise obstruct the enterprise in achieving its objectives. A business risk is the threat that an event or action will adversely affect an enterprise’s ability to maximize stakeholder value and to achieve its business objectives. Risk can cause financial disadvantage, for example, additional costs or loss of funds or assets. It can result in damage, loss of value and/or loss of an opportunity to enhance the enterprise operations or activities. Risk is the product of probability of occurrence of an event and the financial impact of such occurrence to an enterprise. Accordingly, the board of directors of the Company (“Board”) has adopted this policy.
2. OBJECTIVES:
The Company’s objectives in relation to risk management are to:
- Ensure that all the current and future risk exposures of the Company are identified, assessed, quantified, appropriately mitigated and managed.
- Establish a framework for the Company’s Risk Management process and to ensure companywide implementation.
- Ensure systematic, transparent and uniform assessment of risks related with Projects and Operations.
- Ensure that the risks faced are understood and managed.
- Promote a unified approach to risk management, including a common risk language.
- Instil an awareness of risk in employees and ensure that risk is considered in decision making.
- Create an environment where all employees assume responsibility for managing the risk.
- Ensure that risks are appropriately monitored through documentation and review and key treatment actions are reported on a regular basis.
- Exploit opportunities.
3. GOVERNANCE FRAMEWORK:
The Company’s ability to conduct effective risk management is dependent upon having an appropriate risk governance structure and well-defined roles and responsibilities. Risk governance signifies the way the business and affairs of an entity are directed and managed by its Board and executive management.
The Risk Management Committee (“Committee”) will be formed by the Board and shall periodically review the Risk Assessment and Management Policy of the Company and evaluate the risk management systems so that management controls the risk through a properly defined network.
Each head of departments shall be responsible for implementation of the risk management system as may be applicable to their respective areas of functioning.
If the Company is covered among the top 1000 listed entities based on market capitalization at the end of the preceding financial year, the Risk Management Committee shall have a minimum of three members with a majority of them being members of the board of directors, including at least one independent director. The Chairperson of the Risk Management Committee shall be a member of the board of directors and senior executives of the listed entity may be members of the committee. The Risk Management Committee shall meet at least twice in a year.
The quorum for a meeting of the Risk Management Committee shall be either two members or one third of the members of the committee, whichever is higher, including at least one member of the board of directors in attendance. The meetings of the risk management committee shall be conducted in such a manner that on a continuous basis not more than two hundred and ten days shall elapse between any two consecutive meetings. The Risk Management Committee shall have powers to seek information from any employee, obtain outside legal or other professional advice and secure attendance of outsiders with relevant expertise, if it considers necessary.
The board of directors shall define the role and responsibility of the Risk Management Committee and may delegate monitoring and reviewing of the risk management plan to the committee and such other functions as it may deem fit; such function shall specifically cover cyber security.
The role of the committee shall, inter alia, include the following:
- To formulate a detailed Risk Assessment and Management Policy which shall include:
  - A framework for identification of internal and external risks specifically faced by the listed entity, in particular including financial, operational, sectoral, sustainability (particularly, ESG related risks), information, cyber security risks or any other risk as may be determined by the Committee.
  - Measures for risk mitigation including systems and processes for internal control of identified risks.
  - Business continuity plan.
- To ensure that appropriate methodology, processes and systems are in place to monitor and evaluate risks associated with the business of the Company;
- To monitor and oversee implementation of the Risk Assessment and Management Policy, including evaluating the adequacy of risk management systems;
- To periodically review the Risk Assessment and Management Policy, at least once in two years, including by considering the changing industry dynamics and evolving complexity;
- To keep the board of directors informed about the nature and content of its discussions, recommendations and actions to be taken;
- The appointment, removal and terms of remuneration of the Chief Risk Officer (if any) shall be subject to review by the Risk Management Committee.
The Risk Management Committee shall coordinate its activities with other committees, in instances where there is any overlap with activities of such committees, as per the framework laid down by the board of directors.
4. RISK MANAGEMENT PROCESS
Conscious that no entrepreneurial activity can be undertaken without assumption of risks and associated reward opportunities, the Company operates on a risk management process/ framework aimed at minimization of identifiable risks after evaluation so as to enable management to take informed decisions.
Broad outline of the framework is as follows:
- Risk Identification:
Management identifies potential events that may positively or negatively affect the Company’s ability to implement its strategy and achieve its objectives and performance goals.
Risks can be identified under the following broad categories. This is an illustrative list and not necessarily an exhaustive classification.
- Internal risks including:
- Strategic Risk: Competition, inadequate capacity, high dependence on a single customer/vendor.
- Business Risk: Project viability, process risk, technology obsolescence/ changes, development of alternative products.
- Finance Risk: Liquidity, credit, currency fluctuation.
- Environment Risk: Non-compliances to environmental regulations, risk of health to people at large.
- Personnel Risk: Health & safety, high attrition rate, incompetence.
- Operational Risk: Process bottlenecks, non-adherence to process parameters/ pre-defined rules, fraud risk.
- Reputation Risk: Brand impairment, product liabilities.
- Regulatory Risk: Non-compliance to statutes, change of regulations.
- Technology Risk: Innovation and obsolescence.
- Information and Cyber Security Risk: Cyber security related threats and attacks, Data privacy and data availability.
- External risks including:
- Sectoral Risk: Unfavourable consumer behavior in relation to the relevant sector etc.
- Sustainability Risk: Environmental, social and governance related risks.
- Political Risk: Changes in the political environment, regulation/ deregulation due to changes in political environment.
- Root Cause Analysis:
Undertaken on a consultative basis, root cause analysis enables tracing the reasons/drivers for existence of a risk element and helps developing appropriate mitigation action.
- Risk Categorization:
The identified risks are further grouped into (a) preventable; (b) strategic; and (c) external categories to homogenize risks.
- Preventable risks are largely internal to the Company and are operational in nature. The endeavour is to reduce/eliminate the events in this category as they are controllable. Standard operating procedures and audit plans are relied upon to monitor and control such internal operational risks that are preventable.
- Strategy risks are risks voluntarily assumed by the senior management in order to generate superior returns / market share from its strategy. The approach to strategy risk is ‘accept’/‘share’, backed by a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the Company’s ability to manage or contain the risk events should they occur.
- External risks arise from events beyond the organization’s influence or control. They generally arise from natural and political disasters and major macroeconomic shifts. Management regularly endeavours to focus on their identification and impact mitigation through an ‘avoid’/‘reduce’ approach that includes measures like business continuity plan / disaster recovery management plan / specific loss insurance / policy advocacy etc.
- Risk Prioritization:
Risks are prioritized for mitigation actions and reporting based on how they affect the company.
- Risk Mitigation Plan:
Management develops appropriate responsive action on review of various alternatives, costs, and benefits, with a view to managing identified risks and limiting the impact to tolerance level. Risk mitigation plan drives policy development as regards risk ownership, control environment timelines, standard operating procedure, etc. Risk mitigation plan is the core of effective risk management. The mitigation plan covers:
- Required action(s);
- Required resources;
- Responsibilities;
- Timing;
- Performance measures; and
- Reporting and monitoring requirements
The mitigation plan may also cover:
- preventive controls – responses to stop undesirable transactions, events, errors or incidents occurring;
- detective controls – responses to promptly reveal undesirable transactions, events, errors or incidents so that appropriate action can be taken;
- corrective controls – responses to reduce the consequences or damage arising from crystallization of a significant incident.
Therefore, it is drawn with adequate precision and specificity to manage identified risks in terms of documented approach (accept, avoid, reduce, share) towards the risks with specific responsibility assigned for management of the risk events.
- Risk Monitoring:
It is designed to assess, on an ongoing basis, the functioning of risk management components and the quality of performance over time. Staff members are encouraged to carry out assessments throughout the year. The Fraud & Operations Risk team works on a robust and dynamic real-time transaction monitoring mechanism via an automated rule engine already in place. This engine functions on the basis of a predefined set of rules. Our Operations Risk team comprises Risk Experts and Data Scientists who evaluate and monitor merchant transaction and market trends to raise alerts which are actioned as per the alert monitoring protocols.
- Options for dealing with risk:
There are various options for dealing with risk.
Tolerate – If we cannot reduce the risk in a specific area (or if doing so is out of proportion to the risk) we can decide to tolerate the risk i.e., do nothing further to reduce the risk. Tolerated risks are simply listed in the corporate risk register.
Transfer – Here risks might be transferred to other organizations, for example by use of insurance or transferring out an area of work.
Terminate – This applies to risks we cannot mitigate other than by not doing work in that specific area. So, if a particular project is of very high risk and these risks cannot be mitigated, we might decide to cancel the project.
- Risk Reporting:
Periodically, key risks are reported to the Board or risk management committee with causes and mitigation actions undertaken/proposed to be undertaken. The internal auditor carries out reviews of the various systems of the Company using a risk based audit methodology.
The internal auditor is charged with the responsibility for completing the agreed program of independent reviews of the major risk areas and is responsible to the audit committee which reviews the report of the internal auditors on a quarterly basis.
The statutory auditors carry out reviews of the Company’s internal control systems to obtain reasonable assurance to state whether an adequate internal financial controls system was maintained and whether such internal financial controls system operated effectively in the company in all material respects with respect to financial reporting.
On a regular periodic basis, the Board will, on the advice of the audit committee, receive the certification provided by the CEO and the CFO, on the effectiveness, in all material respects, of the risk management and internal control system in relation to material business risks.
The Board shall include a statement indicating development and implementation of a Risk Assessment and Management Policy for the Company including identification of elements of risk, if any, which in the opinion of the Board may threaten the existence of the Company.
- Risk Management Measures adopted in general by the Company:
The Company has adopted various measures to mitigate the risk arising out of various areas described above, including but not limited to the following:
- A well-defined organization structure;
- Defined flow of information to avoid any conflict or communication gap;
- Hierarchical support personnel to avoid work interruption in absence/ non-availability of functional heads;
- Discussion and implementation on financial planning with detailed business plans;
- Detailed discussion and analysis of periodic budgets;
- Employees training and development programs;
- Internal control systems to detect, resolve and avoid any frauds;
- Systems for assessment of creditworthiness of existing and potential contractors/subcontractors/ dealers/vendors/ end-users;
- Redressal of grievances by negotiations, conciliation and arbitration; and
- Defined recruitment policy.
5. ROLES AND RESPONSIBILITIES
The Board along with the Risk Management Committee is responsible for overseeing risk management with a scheme of delegation to the other Committee and policy implementation by the Director and senior staff. All senior staff are responsible for encouraging good risk management practice within their areas of responsibility and all project managers (researchers and professionals) will need to have regard to risk for the projects that they lead or support.
The Board as a whole will:
- Approve the overall policy statement;
- Offer periodic advice on risk appetite and risk tolerance;
- Satisfy itself about the assessment of strategic risks via annual consideration of the Strategic Risk List;
- Monitor the management of significant risks to ensure that appropriate controls are in place;
- Identify any strategic risks that require inclusion or updating in the Strategic Risk List to ensure that it reflects Company’s overall strategy and operating context;
- Approve major decisions, taking into account Company’s risk profile or exposure;
- Satisfy itself that less significant risks are being actively managed, and that appropriate controls are in place and working effectively to ensure the implementation of policies approved by the Board;
- Review regularly the Institute’s approach to risk management and approve changes where necessary to key elements of its processes and procedures.
The Risk Management Committee will:
- Ensure the implementation of the Risk Assessment and Management Policy and advise on any modifications to the policy;
- Receive advice from the Board on the need for inclusion or amendment of strategic risks in the Strategic Risk List;
- Ensure that adequate information is provided for the Board and its committees, as appropriate, on the status of risks and controls;
- Ensure that an annual report is provided to the Board on the effectiveness of the system of internal controls;
- Ensure that local risk registers in the country offices are reviewed regularly.
The Strategic Management Team will:
- Regularly review the Strategic Risk List and submit this to the F&A committee quarterly and thence bi-annually, to the Board;
- Advise on modifications to the policy;
- Assess the adequacy of internal controls and advise the Board as necessary;
- Decide on risk mitigation where Board or FAC action is not required;
- Advise on Company’s appetite for risk and its tolerance of risk;
- Inform all its strategic decisions with considerations of risk;
- Ensure other Sub Committees take appropriate steps in respect of risk;
- Keep the overall Strategic framework under review;
- Advise on thresholds for risk assessment in proposals and projects;
- Engage with the Institute’s internal and external auditors on internal controls;
- Ensure appropriate training is available for staff;
- Advise on any supporting policies;
- Advise on thresholds for risk-based decisions;
- Ensure appropriate insurance cover is in place to mitigate risks.
Directors and Heads of Professional Function will:
- Implement policies on risk management;
- Identify particular risks that arise in their area of responsibility e.g. a data protection breach, an employment relations challenge;
- Develop and maintain a local Risk Register and forward a copy of the Register annually to the CFO and Head of Finance;
- Support their staff to develop and apply risk management principles and tools for individual projects;
- Regularly view risks with their staff and help Project Managers identify and manage risks appropriately.
Project Managers will:
- Identify and manage risks in individual projects;
- Provide input to the local Risk Register and report on progress;
- Support their staff to apply good risk management principles.
Individual members of staff will:
- Take care to apply good risk management practice in their day-to-day work;
- Follow the principles and objectives set out in this policy;
- Follow other policies that contribute to managing risks such as the social media Policy and Travel Policy;
- Draw on the guidance from the QUAD process when developing project proposals;
- Take part in relevant training where this will help with confidence and capacity in risk management.
6. INTERNAL CONTROLS
Internal controls encompass a review of the risks inherent in each activity. The Audit Committee reports to the Board on the adequacy of internal controls. As part of its remit, the Committee reviews the work of the Internal and External Auditors and of Company’s management. The Committee is therefore well placed to advise the Board on the effectiveness of the internal control system. Further, as part of the annual audit, Company’s External Auditors will advise the Audit Committee on the operation of the internal financial controls.
7. PERIODICAL REVIEW OF EFFECTIVENESS
Effectiveness of the risk management framework is ensured through periodical review of this Policy, provided that such review should be undertaken at least once in two years. As the risk exposure of any business may undergo change from time to time due to the changing industry dynamics, evolving complexity and continuously changing environment, the updation and review of this Policy will be done as and when required by the risk management committee, to ensure it meets the requirements of legislation and the needs of the organisation.
8. COMMUNICATION AND CONSULTATION
Appropriate communication and consultation with internal and external stakeholders should occur at each stage of the risk management process as well as on the process as a whole.
9. DISCLAIMER CLAUSE
The risks outlined above are not exhaustive and are for information purposes only. Management is not an expert in assessment of risk factors, risk mitigation measures and management’s perception of risks. Readers are therefore requested to exercise their own judgment in assessing various risks associated with the Company.
10. AMENDMENTS / LIMITATION
In the event of any conflict between the Companies Act, 2013 or the SEBI Listing Regulations or any other statutory enactments and the provisions of this Policy, the Regulations shall prevail over this Policy. Any subsequent amendment/modification in the SEBI Listing Regulations in this regard shall automatically apply to this policy.
VERSION HISTORY
This policy has been approved by the Board of Directors of the Company at its meeting held on 14th Dec, 2024 and shall be effective from 14th Dec, 2024.
