3267 Risk Management Policy


Dabur India Limited

RISK MANAGEMENT POLICY

Created By Internal Audit Department


Approved By Board of Directors
Effective from (Date) January 1, 2022
Version 1.0

Table of Contents
1. Objective and Scope
2. Applicability
3. Regulatory Requirement
4. Risk Management Framework
5. Risk Management Committee
6. Roles & Responsibilities
7. Risk Identification
   I. Risk Register
   II. Risk Register Updation
8. Risk Reporting
9. Basis of Risk Variable Scale Assessment
10. Business Continuity Plan

1. Objective and Scope:-
As a global player, Dabur India Limited (“Dabur” or “Company”) perceives
and regularly monitors several risks that could impact its business.

The Company operates in an environment that is highly Volatile, Uncertain,
Complex and filled with Ambiguity (VUCA), where effective risk
management is a key success factor for realizing strategic objectives. Risk
Management takes place in many different processes and operations
throughout the Company to ensure the long-term resilience of the business.
The Company closely monitors a wide range of potential risks and
opportunities including those that arise from Political, Economic &
Regulatory environment, Exchange Rate fluctuations, Technology changes,
Environment and Climate Change, Pandemic and Competition.

The objective of this policy is to inculcate a culture of risk identification and
risk management governance within the Company across all
departments/units in their day-to-day functioning, and accordingly it lays
down the:
i. Process for Identification and Mitigation of Risks;
ii. Framework and structure for Risk Governance; and
iii. Roles and Responsibilities of various stakeholders within the
organization.

2. Applicability:-
This Policy is applicable across all functions in the Company.

3. Regulatory Requirements:-
As per section 177(4)(vii) of the Companies Act 2013, every Audit Committee
shall act in accordance with the terms of reference specified in writing by
the Board which shall, inter alia, include, evaluation of internal financial
controls and risk management systems.

As per section 134(3) of the Companies Act 2013, a statement indicating
development and implementation of a risk management policy for the
company including identification therein of elements of risk if any which in
the opinion of the Board may threaten the existence of the company shall
be attached to the financial statements laid before a Company in its general
meeting by the Board of Directors.

Further, as per SEBI (Listing Obligation and Disclosure Requirements)
Regulations 2015, every listed Company is required to define a Risk
Management Policy covering the framework for management of key
business risks. The Board, Audit Committee and Risk Management
Committee are responsible for ensuring that the Company has a robust Risk
Management framework and for monitoring its effectiveness on a periodic basis.

4. Risk Management Framework:-


The following diagram depicts the pillars of the Risk Management Framework
and the flow of risk information from bottom to top, covering people from
Process Owners to the Board.

[Diagram: Risk Management Framework, levels from top to bottom]

Board of Directors
Audit Committee | Risk Management Committee
Management Committee (MANCOM)
Chief Risk Officers (CFO & CS)
Risk Coordinator (Internal Audit)
Unit Risks (Unit Head) | Zonal Risks (Zonal Head) | Corporate Risk (Concerned Process Owners)

**Risks received from units & zonal offices will be confirmed by concerned process owners in corporate office.

5. Risk Management Committee:-
S# Name Role
1 Mr. Ajay Dua Chairman
2 Mr. P. N. Vijay Member
3 Mr. Amit Burman Member
4 Mr. Mohit Burman Member
5 Mr. P D Narang Member
6 Mr. Mohit Malhotra Member
7 Mr. Ankush Jain Member & Joint Chief Risk Officer
8 Mr. A K Jain Member & Joint Chief Risk Officer

**Note - Mr. Girraj Bansal (Head-IA) - Convener and Coordinator for the committee

6. Roles & Responsibilities:-
Level, followed by its Roles & Responsibilities:

Board of Directors
• Overall responsibility of Risk Management
• Determine Strategic Approach to Risk
• Reviewing effectiveness of the Management System

Audit Committee
• Audit Committee shall act in accordance with the terms of reference
  specified in writing by the Board which shall, inter alia, include,
  evaluation of internal financial controls and risk management systems.

Risk Management Committee
• To formulate a detailed risk management policy which shall include:
  (a) A framework for identification of internal and external risks
      specifically faced by the listed entity, in particular including
      financial, operational, sectoral, sustainability (particularly, ESG
      related risks), information, cyber security risks or any other risk as
      may be determined by the Committee.
  (b) Measures for risk mitigation including systems and processes for
      internal control of identified risks.
  (c) Business continuity plan.
• To ensure that appropriate methodology, processes and systems are in
  place to monitor and evaluate risks associated with the business of the
  Company
• To monitor and oversee implementation of the risk management policy,
  including evaluating the adequacy of risk management systems
• To periodically review the risk management policy, at least once in two
  years, considering the changing industry dynamics and evolving complexity
• To get Risk Management Systems evaluated by the Audit Committee once in
  a year
• To keep the Board of Directors informed about the nature and content of
  its discussions, recommendations and actions to be taken;
  (a) To update Risk Register on quarterly basis
  (b) To report key changes in critical risks to the Board on quarterly basis
  (c) To report all critical risks to the Board in detail on yearly basis
• The appointment, removal and terms of remuneration of the Chief Risk
  Officer (if any) shall be subject to review by the Risk Management
  Committee.
• To perform such other functions as may be prescribed by the Board of
  Directors

Management Committee
• Ensure adherence to risk management policies and procedures
• Implementing prescribed risk mitigation actions
• Reporting risk events and incidents in a timely manner
• Ensuring that the Key Risk Indicators or triggers are embedded into
  business plans, and monitored as a part of the quarterly business reviews

Chief Risk Officers
• Formulating and deploying Risk Management policies and procedures
• Providing updates to Management Committee and the Board from
  time-to-time on the enterprise risks and actions taken

Risk Co-ordinator
• Facilitating execution of Risk Management practices in the organisation
• Working closely with business units, business enabling functions and
  mitigation action owners in deploying mitigation measures and monitoring
  their effectiveness
• Working with cross-functional teams for identifying, monitoring, and
  mitigating operational risks
• Providing periodic updates to the CRO and quarterly updates to the
  Management Committee on risks to key business objectives and their
  mitigation

Zonal & Unit Heads and Process Owners
• Ensuring units and zones are managed in accordance with the Company’s
  risk management practices
• Ensuring compliance with risk management policies and procedures
• Ensuring effectiveness of risk mitigation actions
• Reporting risk events and incidents relating to their units and divisions
  in a timely manner

7. Risk Identification:-
Each unit, business division and functional department is responsible for
identifying the probable risks in its area of operation, which are then
escalated to the management level. The Risk Coordinator coordinates with
all corporate functions, units and zonal offices, seeking updation of existing
risks as well as identification of new, emerging risks in their respective areas.

I. Risk Register:-
Risk Registers are categorized into Critical and Non Critical. High and
Medium Risks form part of the Critical Risk Register. Low Risks form part of
the Non Critical Risk Register.

The Risk Variable Scale Assessment, on the basis of Likelihood and Impact, is
pre-defined and approved by the Risk Management Committee.

Risks categorized on the basis of the aforesaid Scale Assessment are mapped
in a Heat Map (i.e. on the basis of criticality).

Internal audit scope is aligned with the Risk Register.

The Risk Register shall be maintained in Digital Form and be periodically
digitally signed by the Chief Risk Officer and CEO. Periodicity should be a
minimum of once in a year or whenever there is a change in Risks, whichever
is earlier.

II. Risk Register Updation:-


The Risk Register is updated on a quarterly basis in the following manner:

✓ Internal Audit Dept. coordinates with all functions, Units and Zonal Offices,
seeking updation of existing Risks as well as any new risks that have emerged
in their respective areas.

✓ New risks received from Units and Zonal Offices, if any, are confirmed by
the concerned process owners at Corporate Office.

✓ All updates received from respective process owners, including the
Mitigation plan, are updated in the draft Risk Register by the Internal Audit
Department and discussed internally in the presence of the Chief Risk Officers
for their inputs before presentation to MANCOM.

✓ Inputs based on the internal discussion are incorporated in the draft Risk
Register before presentation to MANCOM and, post presentation to
MANCOM, inputs suggested by MANCOM are also updated in the draft
Risk Register.

✓ Post incorporation, these changes are again discussed internally with the
Chief Risk Officers for their review, and then the presentation is circulated
to the Risk Management Committee as part of the committee agenda
papers. Post confirmation by the Risk Management Committee, the Risks
are updated in the Risk Register.

8. Risk Reporting:-
Risk Management Presentation is made to the MANCOM and Risk
Management Committee at quarterly frequency.
✓ An annual updated Risk Management Presentation shall be made to
the Board once in a year.
✓ Key Changes in the Risks (i.e. addition of a new Risk or removal of a
mitigated risk) shall be updated to the Board on a quarterly basis.
✓ Risk Management Systems shall be presented to the Audit Committee
once in a year for their evaluation.

9. Basis of Risk Variable Scale Assessment:-


✓ 2 Variables - Likelihood and Business Impact
✓ 3 Scales - Low, Moderate and High
✓ 3 * 3 Matrix

✓ Likelihood Assessment (i.e. probability of occurrence of the risk)
• Low: ≤ 30% chance of happening
• Moderate: > 30% but < 50% chance of happening
• High: ≥ 50% chance of happening

✓ Impact Quantification
• Low: ≤ 5 crore INR
• Moderate: > 5 crore INR and ≤ 25 crore INR
• High: > 25 crore INR

Example of Critical Risk Matrix

[Figure: heat map with Impact on the vertical axis (Low to High) and a horizontal axis running Low to High. Risks shown in the figure:]
• Contingent Liability - Excise & Sales Tax Cases
• Limited availability of critical Raw Materials
• Covid-19 Risk
• Default Risk on payment of investment in DHFL & RHFL
• Prohibition on use of plastic packing material
• GST Implementation
• Spurious Products
• Demand on account of Stamp Duty
• FSSAI Draft Regulation on HFSS
• Inflation Risk
• CSE Report – Honey NMR Testing

10. Business Continuity Plan:-
A detailed business continuity plan exercise shall be undertaken periodically
with the objective of ensuring that, in case of any eventuality of High Risk
nature, it is addressed immediately within 24 hours with no disruption in the
business, including Production and Sales and related financial transaction
processing.
MANCOM shall be the Crisis Management Team for the purpose and can
invite internal or external persons to plan and implement the mitigation
action plan.

Mitigation Plan
In case of occurrence of an event leading to a particular plant shutdown,
alternative arrangements should be made at another plant or at a third-party
manufacturing location immediately without any loss of Production/Sales.

In case of a critical IT application disaster or cyber attack, mitigation action
should be implemented immediately within the defined time limits to
restore the impacted application or an alternative application or the same
application from an alternative place.

The Business Continuity Plan should be tested for its effectiveness at
periodical intervals not exceeding three years to ensure the company is well
prepared to manage any crisis event and ensure Business Continuity.
