Risk management report
“During the fiscal, businesses around the world, including ours, faced several macro risks such as the continued
impact of the pandemic, geo-political events in Eastern Europe, tightening of supply chains, demand for talent
and inflation. Our enterprise risk management processes were instrumental in keeping the Company focused
on our most important priorities toward all our stakeholders.”
Deepak Padaki
EVP and Group Head – Corporate Strategy, and Chief Risk Officer
Note: The risk-related information outlined in this section may not be exhaustive. The discussion may contain statements that are forward-
looking in nature. Our business is subject to uncertainties that could cause actual results to differ materially from those reflected in the forward-
looking statements. If any of the risks materializes, our business, financial conditions or prospects could be materially and adversely affected.
Our business, operating results, financial performance, or prospects could also be harmed by risks and uncertainties not currently known to us or
that we currently do not believe are material. Readers are advised to refer to the detailed discussion of risk factors and related disclosures in our
regulatory filings and exercise their own judgment in assessing risks associated with the Company.
Our Enterprise Risk Management (ERM) function enables the achievement of the Company's strategic objectives by identifying, analyzing, assessing, mitigating, monitoring and governing any risk or potential threat to these objectives. While this is the key driver, our values, culture and commitment to stakeholders – employees, customers, investors, regulatory bodies, partners and the community around us – are the foundation for our ERM framework.

The systematic and proactive identification of risks, and mitigation thereof, enables our organization to boost performance with effective and timely decision-making. Strategic decisions are taken after careful consideration of primary risks, secondary risks, consequential risks and residual risks. The ERM function also enables effective resource allocation through structured qualitative and quantitative risk impact assessment and prioritization based on our risk appetite. Our ERM framework also enables the identification of underlying opportunities during risk assessment, which are then further evaluated and actionized by the business. Our ERM framework encompasses all of the Company's risks, such as strategic, operational, and legal & compliance risks. Any of these categories can have internal or external dimensions. Hence, appropriate risk indicators are used to identify these risks proactively. We take cognizance of risks faced by our key stakeholders and their cumulative impact while framing our risk responses.
Strategy and strategy execution: The risks arising out of the choices we have made in defining our strategy and the risks to the successful execution of our strategy are covered in this category. For example, risks inherent to our industry and our competitiveness are analyzed and mitigated through strategic choices of target markets, our market offerings, business model and talent base.

Operational: The risks affecting our policies, procedures, people and systems, thereby impacting service delivery or operations, or compromising our core values or business practices are covered in this category. For example, risks such as inefficiencies in internal processes, and business activity disruptions due to natural calamities, climate change events, human conflicts, system failures and cybersecurity attacks.

Legal and compliance: The risks arising out of threats posed to our financial, organizational, or reputational standing resulting from litigations, non-conformance with laws, regulatory or geo-political developments, codes of conduct and contractual compliances are covered in this category.
Integrated Enterprise Risk Management Framework
We have adopted an integrated ERM framework that is implemented across the organization by the risk management office. Our
ERM framework is developed by incorporating the best practices based on COSO and ISO 31000 and then tailored to suit our unique
business requirements.
Infosys Integrated Annual Report 2021-22 171
Figure: Integrated Enterprise Risk Management Framework (diagram; only its labels are recoverable here)
Strategy: vision and mission; values and culture; strategic and stakeholder goals; derived goals; strategy and business objectives.
Performance evaluation and risk management: risk-enabled decision-making; risk identification and assessment; risk treatment, mitigation and control implementation; secondary and consequential risk assessment; residual risk assessment and decision-making; auditing, monitoring and reporting; risk governance and disclosures; aligned lines of defense; iGRC platform; intelligent risk analytics – Live Enterprise.
Types of risk: legal and compliance; business enabling function; operational; strategy execution; cybersecurity; delivery; sales; opportunity. Impact groups (granularity): Level 1 risk through Level 5 risk.
Governance (8-layer): Board of Directors; Risk Management Committee (RMC) of the Board; Risk Sub-Committee; Risk councils; Office of risk management; Sub-risk councils; Unit risk councils; Project and account risk teams.
Salient features of our Enterprise Risk Management program
Our ERM program adopts unique methods to identify risks, evaluate potential impact and promote risk awareness across the organization.

Secondary, consequential and residual risks
Secondary risks are threats that could impede the mitigation of primary risks. Consequential risks are the unintended consequences of primary mitigation, and residual risks are those risks that are left over after mitigation.

Aggregation and accumulation
Exposures to the same risk are aggregated as they move up the hierarchy. This provides an enterprise-wide view to the leadership. A cumulated risk view is also provided to understand the total exposure arising out of all risks at a unit level.

Process risk frameworks
Process-specific risk frameworks have been developed for decision-making, for example, frameworks for customer risk, vendor risk, contractual liability, contractual weighted-risk and credit risk.

Intelligent risk analytics – Live Enterprise
Internal and external risk and performance indicators and loss incidents are used in real time to identify, analyze and assess potential issues that could negatively impact strategic goals.

RISC360 : iGRC
RISC360 is the Company's Governance, Risk management and Compliance (GRC) program that combines three lines of defense under one umbrella. This enables risk-based decision-making and auditing. The Company has implemented a technology platform, iGRC, to provide a consolidated view of risks to strategic goals.

Risk culture
Our risk culture encourages open and upward communication. Coupled with our belief systems and core values, this drives behavior, guides daily activities and decision-making throughout the organization. We encourage sharing of knowledge and best practices, continuous process improvement and a strong commitment to ethics and integrity.
Highlights of fiscal 2022
During fiscal 2022, we extended the adoption of the integrated ERM framework across the organization, strengthening our risk management program with a technology platform and enhancing the risk culture. The risk office played a key role in identifying, assessing and managing primary and secondary risks – so as to ensure the smooth delivery of services to our clients, transparent communication with all stakeholders and fulfilling our social responsibility while ensuring employee safety and health.

The risk office assessed, monitored and reported on risks related to strategic programs covering sales, cost optimization, automation, employee engagement and retention. Specifically, these included risks arising from the multiple waves of the pandemic, readiness for post-pandemic operational resilience, geopolitical and macro-economic events such as the conflict in Eastern Europe, contractual liabilities, heightened cybersecurity threats, employee attrition and data protection regulations.

While the Company tracks several risks to its business as mentioned in the Management's Discussion and Analysis section of this Integrated Annual Report, the key risks are described below along with the Company's approach to mitigate them.
Key risks and mitigation approach

Risk: Adverse geo-political, economic or health events may impact demand for our offerings and/or technology and talent supply chain.
Mitigation: Broad-based growth to reduce concentration in any single region, client or industry; operational agility to assess and respond to situations.

Risk: Commoditization of traditional offerings may impact our market share and profitability.
Mitigation: Investment in launching innovative new offerings, a broad portfolio of interconnected services and solutions, and focused growth of digital capabilities.

Risk: Talent attrition beyond acceptable levels may impact our ability to staff projects or optimize cost structures.
Mitigation: Employee engagement and care, holistic employee retention and recognition policies, focus on career and leadership development.

Risk: Cost inflation may impact our cost structure and longer-term profitability.
Mitigation: Effective operations with sustainable cost optimization levers, automation and planned capex program.

Risk (emerging risk): Disruptive technologies such as cloud, software-as-a-service and automation software may diminish the value of some of our service offerings.
Mitigation: Robust alliance strategy, consulting and industry-domain-knowledge-led solutions, reskilling program for employees into newer technologies and methodologies, and large deal program.

Risk: Cyber attacks that breach our information network or failure to protect sensitive information of our stakeholders in accordance with applicable laws may impact our operations or result in significant regulatory penalties.
Mitigation: Robust cybersecurity framework, controls, governance, preparedness for response to incidents, insurance, region-specific data protection controls and awareness campaigns.

Risk (emerging risk): New regulations or amendments to existing regulations (e.g., immigration, wages, tax, sanctions) may have an adverse impact on our operations.
Mitigation: Active engagement with policymakers and trade associations, well-governed compliance framework and controls, and de-risked operations.

Risk: If our employees operate remotely for extended periods, it may adversely impact their productivity, our information security controls and the social capital of the organization.
Mitigation: Implement a hybrid operational model that balances client requirements, evolving employee preferences, legal requirements and information security risks.

Risk: Physical disasters or climate change events may adversely impact our operations.
Mitigation: Well-established and tested business continuity plans, crisis management policy, distributed operations, sustainability and community engagement initiatives.
Cybersecurity risk management
Cyber risk, being one of the key risks, is managed through multi-layered controls with a defense-in-depth approach, starting from the thoughtfully crafted Cybersecurity Strategy and supplemented by policies, processes and controls (preventive, detective and corrective). Our strategy is focused on four areas: transparency & experience, continual improvement & compliance, cyber resilience, and building & maintaining a positive cybersecurity culture within the organization, thus making cybersecurity a sustainable and repeatable process throughout the organization.

A high-level working group, the enterprise Information Security Council (ISC), has been established and is responsible for governing and overseeing the Information Security Management System (ISMS) at Infosys. The ISC focuses on establishing, directing, monitoring and executing the information security program with representation from various departments and business units at Infosys, and reports to the Operational Risk Council to highlight key risks to the executive leadership.