

Shaping the future of software driven business
Report on Risk Management
Overview
At Persistent, risk management is a continuous process of monitoring, identifying and assessing risks and taking appropriate steps to
reduce them to an acceptable level. It facilitates identification of suitable controls for either reducing or eliminating those
risks. The main objective is to manage potential risks in order to minimise the negative impact that they may have on the
organization.
Structure of Risk Management
The objective of Enterprise Risk Management Policy at the Company is to develop, implement and continuously improve a risk
management framework. It integrates the process of managing risks into the Company’s overall governance structure.
The risk management framework at Persistent is given below:
Enterprise Risk Management Policy sets out the objectives and elements of risk management within the organization. The
best risk insurance is prevention. Preventing risks from occurring in business can best be achieved by employee training,
safety checks, equipment maintenance etc. Preventive measures, mainly in project management and cyber security, are possible
by raising awareness among employees of the Dos and Don'ts of identifying these risks well before their
occurrence.
There is a well-established and robust monitoring and alerting mechanism through proactive surveillance by the integrated Security
Operations Centre and Network Operations Centre, which identify and mitigate information security risks. The Persistent
Risk and Governance team under the Information Security and Compliance Group ensures timely communications and incident
management for identified risks. Awareness campaigns are conducted on a regular basis to cover recent threats, security
incidents and mitigating guidance. InfoSec Awareness Training is part of employee onboarding and is a mandatory annual
exercise for all Company employees.
At all project execution stages, the project members are briefed on proactively identifying the key risks for the Company
and thinking seriously about the consequences of the risks for which they are responsible. They are also informed about
communicating risks that demand the attention of others up or down the organization.
The primary responsibility for risk management lies at the business level. Part of the role of all the heads of business units is to
ensure risks are managed appropriately. The Risk Management Function forms the second line of defence and independently
assesses all risks. Its report is reviewed by the Risk Management Committee on a quarterly basis which, in turn, reports it to
the Board. The Risk Management Structure of the company consists of Risk Officers, Risk Manager and Risk Management
Committee.
The Risk Management Process includes:
• Identification of key risks and their root causes
• Assessment of risk for its probability and impact
• Prioritization of risks based on their ratings
• Formulation of risk response strategy based on the analysis of business exposure
• Escalation of risk response in a timely manner to facilitate decision making
• Identification of Risk Owners within the area of responsibility
• Monitoring and reporting by the Risk Management Committee of the existence, adequacy and effectiveness of the risks to
the Board of Directors on a quarterly basis.
The Risk Management Process is continuously reviewed in line with the changing risk environment. The process of continuous
evaluation of risks is done on a quarterly basis.
Some of the major risks and measures taken for mitigation of these risks are given below:
[Figure: risk management structure. Boxes: Board of Directors; Risk Committee of the Board of Directors; Risk Management Council (CFO and Head of Business Units); Risk Owners (Function and Business Heads)]