ASL Risk Management Policy


Risk Management Policy

Arvind SmartSpaces Limited

Risk management
1.1 Purpose
Arvind SmartSpaces Limited is committed to high standards of business conduct and to good risk
management to:
1. achieve sustainable business growth
2. protect the company’s assets,
3. avoid major surprises related to the overall control environment,
4. safeguard stakeholder’s interest and
5. ensure compliance with applicable legal requirements.
This policy is intended to ensure that an effective risk management framework is established and
implemented within Arvind SmartSpaces Limited and to provide regular reports on the performance
of that framework, including any exceptions, to the Audit Committee.
This Risk Management Policy complements and does not replace other existing compliance programs,
such as those relating to environmental, quality, and regulatory compliance matters.

1.2 What is a risk?


A risk is regarded as the threat of some event, action or loss of opportunity that, if it occurs, will
adversely affect any of the following:
1. Value to shareholders
2. Ability of company to achieve objectives
3. Ability to implement business strategies
4. The manner in which the company operates
5. Reputation

1.3 Types of risks


Risks are classified as follows:
Strategic Risks: Relating to high level goals with challenges and aligned with the company’s mission.
Operational Risks: Relating to effective and efficient use of company’s resources and day-to-day
operations.
Regulatory Risks: Relating to the company’s compliance with applicable laws and regulations.

Applicability
This Risk Management Policy applies to all employees and to the major part of Arvind SmartSpaces Limited’s
businesses and functions, namely:
1. Business Operations
2. Finance and Accounts
3. Human Resources
4. Information Technology
5. Legal, Regulatory and Corporate Affairs

Objective of risk policy


Arvind SmartSpaces Limited’s risk management objectives are to:
(1) Identify and manage existing and new risks in a planned and coordinated manner with
the minimum of disruption and cost.
(2) Develop a “risk” culture that encourages all staff to identify risks and associated
opportunities and to respond to them with effective actions.

To realise the risk management objective, Arvind SmartSpaces Limited aims to ensure that:
the acceptance and management of risk is integrated in the day-to-day management of the business;
key risks are identified, assessed in the context of Arvind SmartSpaces Limited’s appetite for risk and their potential impact on the achievement of objectives, continuously monitored and managed with adequate risk mitigation measures to an acceptable level;
the escalation of risk information is timely, accurate and gives complete coverage of the key risks to support management decision making at all levels;
risk is primarily taken and managed by the business entity transacting the business which gives rise to the risk; and
all employees actively engage in risk management within their own areas of responsibility.

Approach
4.1 Process
The Managing Director / CEO / each Functional Head must periodically (preferably quarterly) review the risks
facing their business or function. This review should include identifying all Significant Risks.
The Managing Director / CEO / each Functional Head must then implement an effective system of internal
controls to manage those risks, including, most importantly, designating responsibilities and providing
for upward communication of any significant issues that arise.
Risk identification and management is a continuous process supported by formal reviews conducted
on a bi-annual basis.
The generic risk management process is as shown below:

4.2 Risk Register
The risk profile of Arvind SmartSpaces Limited will be documented in the Risk Register. It includes the
nature of risk, risk description, risk rating with respect to impact & likelihood, root causes of the risk
and risk mitigation measures.
The Risk Register is the key document used to communicate the current status of all known risks and
is vital to all management control, reporting and reviews.

4.3 Assess the Risks


Risk assessment enables risks to be categorized and graded in relation to their potential impact; those
risks with potentially significant impact require proactive management. The two components of risks
are the probability (likelihood) of occurrence and the impact (consequence) if the circumstance occurs.
Risk is analyzed by combining estimates of probability and impact in the context of existing control
measures.
Existing control measures are evaluated against Critical Success Factors (CSFs) and Key Performance
Indicators (KPIs) identified for those specific controls. Guiding principles to determine the likelihood of
occurrence and the impact have been set out in Appendix 1.

4.4 Risk reviews


A risk review involves the re-examination of all risks recorded on the Risk Register, and the planned
identification of any new risk, to ensure that the current assessments remain valid and to review the progress of risk
reduction actions. Risk reviews should form part of every Risk Management Committee meeting
agenda. The risk register is reviewed and assessed bi-annually.

4.5 Risk Treatment


Risk treatment involves identifying a range of options for treating risk, assessing those options, and
preparing and implementing risk treatment plans. The implemented action plans should have the
effect of risks getting eliminated, mitigated or transferred.

4.6 Escalation Mechanism
It is critical to an effective system of internal control that specific issues are promptly communicated
and followed up appropriately. Communication will typically be through meetings with functional
heads, who will brief risk coordinators, who shall then report them to the Risk Management Committee.

Structure
5.1 Roles and responsibilities
The risk management roles and responsibility will be as follows:

Audit Committee
1. Approve risk policy and strategy
2. Review risk reports
3. Supports an environment that does not tolerate behavior which might compromise prudent risk management practice
4. Delegate the review & monitoring of implementation of risk management policy to the Risk Management Committee
5. Reviews adequacy and effectiveness of business risk management
6. Monitors business risk reporting
7. Advises Business/support functions on Risk initiatives

Risk Management Committee
8. Improves risk management techniques and enhances management awareness
9. Sets standards for risk documentation and monitoring
10. Ensures a structured and consistent approach
11. Monitors emerging issues and shares best practice
12. Commissions and oversees projects to define and implement risk mitigation strategies

Managing Director & CEO / Functional Heads
13. Responsible for identifying risks
14. Responsible for preparing risk profile
15. Responsible for managing risk
16. Preparation and review of Risk Register

Internal Audit
17. Tests compliance at all relevant levels
18. Quality assurance on risk management process
19. Scopes audit work based upon severity of risk to the business
20. Special investigations as requested

Employees
21. Compliance with requests from Management in connection with application of this policy
22. Exercise reasonable care to prevent loss, to maximize opportunity and to ensure that the operations, reputation and assets are not adversely affected

5.2 Operation
The Risk Management Committee shall review, on a bi-annual basis or as needed for urgent or other
matters, the progress on risk mitigation measures and also identify new risks that may
have arisen since the last review. The Audit Committee shall also review the same on a bi-annual basis.

5.3 Deliverables
At a minimum, the Risk Management Committee will deliver:
1. Annual assessment of Risks with reference to the Risk Appetite.
2. Updated Risk Register (which includes mitigation plans).
3. Reports required for the Audit Committee.

Appendix 1 – Impact and Likelihood Factors

(i) The following are guiding factors that may be used to determine inherent impact of identified
risks:

Rating: 1 = Minor, 2 = Moderate, 3 = Serious, 4 = Critical, 5 = Catastrophic

Parameter: EBITDA (Operating Profits)*
1 (Minor): Insignificant impact on Operating Profits, say < 5%
2 (Moderate): Moderate impact on Operating Profits, say 5% to 10% impact on turnover
3 (Serious): Significant impact on Operating Profits, say 10% to 20% impact on turnover
4 (Critical): Substantial impact on Operating Profits, say 20% to 50%
5 (Catastrophic): Substantially huge impact on Operating Profits, say > 50%

Parameter: Reputation
1 (Minor): Letter to competent authority and media
2 (Moderate): Series of letters to competent authority and media
3 (Serious): Negative media coverage
4 (Critical): Short term negative media coverage and disruption to customer / investor confidence
5 (Catastrophic): Long term negative media coverage and long term disruption of customer / investor confidence

Parameter: Regulatory, Project Approval/Policy Changes
1 (Minor): Minor admonition
2 (Moderate): Minor penalties
3 (Serious): Major penalties and litigations
4 (Critical): Major penalties and litigations (Prosecution)
5 (Catastrophic): Business closure

Parameter: Health and Safety
1 (Minor): Minor injury / environmental damage
2 (Moderate): Serious injury / environment damage
3 (Serious): Multiple injuries / environmental damage
4 (Critical): Single fatalities / major environmental damage
5 (Catastrophic): Multiple fatalities / major environmental damage

Parameter: Safeguarding of assets and information
1 (Minor): Communication of historic data information which is publicly available. Minor fraud issues (expense claim errors)
2 (Moderate): Communication of current information which may be publicly available. Damage or theft of physical assets
3 (Serious): Communication of key information which may not be publicly available and frauds leading to moderate losses. Damage or theft of physical assets
4 (Critical): Communication of sensitive information and frauds leading to major financial losses. Damage or theft of physical assets
5 (Catastrophic): Communication of highly sensitive information and frauds leading to erosion of net worth. Damage or theft of physical assets

Parameter: Management effort
1 (Minor): An event, the impact of which can be absorbed through normal activity. Issues would be delegated to middle, junior management and staff to resolve
2 (Moderate): An event, the consequence of which can be absorbed but management effort is required to minimize the impact. Issues will be delegated to the middle and senior management for resolution
3 (Serious): A significant event which can be managed under normal circumstances. The event will require the MD or senior management intervention
4 (Critical): A critical event which with proper management can be endured. Events and problems will require Board and Managing Director attention
5 (Catastrophic): A disaster with potential to lead to collapse of the business. Will require direct intervention of the Board

*To be reviewed annually

(ii) The following are guiding factors that may be used to determine inherent likelihood
of identified risks:

Rating: 1 = Rare, 2 = Unlikely, 3 = Moderate, 4 = Likely, 5 = Almost Certain

Parameter: Occurrence and Probability
1 (Rare): Event may occur only in exceptional circumstances (Probability is 0-10%) (beyond 36 months)
2 (Unlikely): Event could occur in some time (Probability is 10-30%) (next 24-36 months)
3 (Moderate): Event could occur in some time (Probability is 30-50%) (next 18-24 months)
4 (Likely): Event will probably occur in most circumstances (Probability is 50-80%) (next 12-18 months)
5 (Almost Certain): Event is expected to occur in most circumstances (Probability is 80-100%) (next 12 months)
