Risk Management Report: A. Overview

The risk management report outlines Infosys' Enterprise Risk Management (ERM) framework, focusing on the identification, analysis, evaluation, treatment, and monitoring of various risks impacting business objectives. It details the governance structure, key roles, and responsibilities in managing risks, as well as the categories of risks including strategic, operational, and legal compliance. The report emphasizes the importance of risk management in achieving long-term sustainability and competitive advantage while highlighting recent activities and assessments conducted to strengthen the risk management framework.

Risk management report

The risk management report discusses various dimensions of our enterprise risk management. The risk-related information outlined in this section may not be exhaustive. The discussion may contain statements that are forward-looking in nature. Our business is subject to uncertainties that could cause actual results to differ materially from those reflected in the forward-looking statements. Readers are advised to refer to the detailed discussion of risk factors and related disclosures in our regulatory filings, and exercise their own judgment in assessing risks associated with the Company.

A. Overview
Our Enterprise Risk Management (ERM) framework encompasses practices relating to the identification, analysis, evaluation, treatment, mitigation and monitoring of the strategic, operational, and legal and compliance risks to achieving our key business objectives. ERM at Infosys seeks to minimize the adverse impact of these risks, thus enabling the Company to leverage market opportunities effectively and enhance its long-term competitive advantage.

Several risks can impact the achievement of a particular business objective. Similarly, a single risk can impact the achievement of several business objectives. The focus of risk management is to assess risks and deploy mitigation measures. This is done through periodic review meetings of the risk and strategy committee of the Board.

Our core values and ethics provide the platform for our risk management practices.

B. Key components of the Infosys risk management framework

[Figure: Key components of the Infosys risk management framework. Risk categories: Strategy; Operational; Legal and Compliance. Business objectives: Financial; Strategic planning; Markets and offerings; Operations; Talent; Sustainability. Risk management processes: Identification, analysis and evaluation; Treatment; Mitigation and monitoring; Reporting and disclosures. Risk governance structure (risks are aggregated and inherited across these levels): Project teams and individuals; Unit risk managers; Office of Risk Management; Risk council; Risk and strategy committee; Board of Directors.]

1. Risk governance structure


Our risk management framework is implemented at various levels across the enterprise. The key roles and responsibilities regarding risk management in the Company are summarized as follows:

Level: Key roles and responsibilities

Board of Directors (Board)
• Approving key business objectives to be achieved by the Company. Ensuring that the executive management focuses on managing risks to key business objectives
• Reviewing the performance of the risk and strategy committee

Risk and Strategy Committee (RSC)
• Comprises six independent directors:
–– Ravi Venkatesan, Chairperson
–– Kiran Mazumdar-Shaw
–– Roopa Kudva
–– Prof. John W. Etchemendy
–– Dr. Punita Kumar-Sinha
–– D. N. Prahlad
• Corporate governance oversight with regard to the identification, evaluation and mitigation of strategic, operational, and legal and compliance risks
• Monitoring and approving the risk management framework and associated practices of the Company
• Reviewing and approving risk-related disclosures

Project teams and individuals
• Adhering to risk management policies and procedures
• Implementing prescribed risk mitigation actions
• Reporting risk events and incidents in a timely manner

Risk council (RC)
• Comprises the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer and Chief Risk Officer
• Oversight of risk management practices, including identification, impact assessment, monitoring, mitigation, and reporting
• Reviewing enterprise risks to the achievement of business objectives periodically, initiating mitigation actions, identifying owners for mitigation actions, and reviewing progress of mitigation actions
• Formulating and deploying risk management policies and procedures
• Providing updates to the RSC and the Board from time to time on the enterprise risks and actions taken

Office of Risk Management (ORM)
• Headed by the Chief Risk Officer
• Comprises a network of risk managers from business units and specialist groups
• Facilitating the execution of risk management practices in the enterprise, in the areas of risk identification, impact assessment, monitoring, mitigation and reporting
• Providing periodic updates to the risk council and quarterly updates to the RSC on risks to key business objectives and their mitigation
• Working closely with business units, business enabling functions and mitigation action owners in deploying mitigation measures and monitoring their effectiveness
• Working closely with internal audit, business continuity management services, information security, intellectual property and quality audit teams for identifying, monitoring, and mitigating operational risks

Unit risk managers
• Ensuring units are managed in accordance with the Company’s risk management practices
• Ensuring compliance with risk management policies and procedures laid out by the Company in their respective business units
• Managing risks concomitant with the business decisions relating to their unit, span of control or area of operations
• Ensuring effectiveness of risk mitigation actions in their units
• Reporting risk events and incidents relating to their unit in a timely manner

Infosys Annual Report 2016-17 Risk management report | 101

2. Business objectives

Our industry and company are in significant transformation, and this has naturally resulted in heightening of risks related to strategic choices, strategy execution along with traditional operational and compliance related risks. The business objectives of the Company are articulated as a set of specific near-term goals, and long-term strategic goals in a corporate scorecard. These goals cover the dimensions of consistent financial performance, market penetration, differentiation of our solutions, momentum of software-enabled services, operational excellence, cost optimization initiatives, attracting and retaining talent, and the long-term sustainability of the organization. In addition, progress of initiatives to mitigate the impact of potential changes to immigration and labor regulations in the United States and other countries are captured in the scorecard.

3. Risk categories

Our risk management framework considers the following broad categories of risks:

Strategy
Risks arising out of the choices we have made in defining our strategy and the risks to the successful execution of these strategies are covered in this category – for example, risks inherent to our industry and competitiveness are analyzed and mitigated through strategic choices of target markets, the Company’s market offerings, business models and talent base. Details of the Company’s strategy are described in other sections of this document. Potential risks to the long-term scalability and sustainability of the organization are also analyzed and mitigated – for example, societal risks relating to the impact of our strategy on the environment, local communities, and conservation of essential resources. We periodically assess risks to the successful execution of our strategy, such as the effectiveness of strategic programs that are being executed, the momentum in new initiatives, the impact of strategy on financial performance, leveraging of inorganic strategies, effectiveness of organization structure and processes, retention and development of high-performing talent and leadership.

Operational
Risks arising out of internal and external factors affecting policies, procedures, people and systems in our support functions thereby impacting service delivery, compromises our core values or not in accordance with generally accepted business practices or impacting their own service operations are covered in this category – for example, risks of business activity disruptions due to natural calamities, terrorist attacks or war or regional conflicts, or disruptions in telecommunications, system failures, virus attacks or breach of cyber security.


Legal and compliance
Risks arising out of threats posed to our financial, organizational, or reputational standing resulting from violations or non-conformance with laws, regulations, codes of conduct or organizational prescribed practices or contractual compliances are covered in this category – for example, risks of potential litigations, breach of contractual agreement, non-compliance to regulations, potential risk arising out of major regulatory / geo-political changes, potential risk arising out of strategic or business or operational decisions.

4. Risk management processes

Our risk management practices are:

Risk identification, analysis, and evaluation
Mechanisms for identification of risks include annual risk surveys across the Company, industry benchmarking, periodic assessments of the business environment, incident analysis, findings of internal audits, discussions with the risk council and the risk and strategy committee and analysis of the Company’s performance relative to the corporate scorecard goals. Risk analysis and evaluation are carried out using scenario-based assessments to decide the potential impact, likelihood of occurrence and in some cases, the detectability of the risk. Estimated risks are compared with established risk criteria and thresholds to determine the priority and method of risk treatment.

Risk treatment
Risk treatment is the process of selecting and implementing measures to alleviate the impact of identified risks.
• Avoid: A decision to nullify the risk by refraining from the activities that cause it
• Share: A decision to share the specific risk with another entity
• Reduce: A decision to reduce the level of risk through targeted mitigation, if not to completely nullify it
• Accept: A decision to allow the risk to remain as is, irrespective of its severity
• Escalate: A decision to escalate the risk to senior management

Risk mitigation and monitoring
Mitigation plans are finalized, owners are identified and the progress of mitigation actions are monitored and reviewed. The risk and strategy committee periodically does a deep dive into understanding the scope and effectiveness of mitigation plans and provides feedback to mitigation teams.

Risk-based approach to strategic planning
At Infosys, the functions of strategic planning and risk management are intertwined. Risks to achieving business objectives are key inputs to the formulation and development of strategy and business planning. Key strategic initiatives are identified to mitigate specific risks. This approach is practiced at various levels of the Company, such as in client account teams, project teams, support departments, and subsidiaries.

Risk reporting and disclosures
Dashboards help track external and internal indicators for each identified risk and assess its severity. The trend line assessment of top risks, analysis of exposure and potential impact are carried out periodically, presented and discussed with the risk council and risk and strategy committee. Key external and internal incidents are reported and reviewed at appropriate fora, such as the Information Security Council and meetings of the executive board. Risks relating to client project execution and client account-level risks are reported and discussed at appropriate levels within the Company. Periodic updates are provided to the Board highlighting key risks, their impact, and mitigation actions. Key risk factors are disclosed in regulatory filings.

C. Risk management highlights for the year

During the year, our risk management practices were primarily focused on the effectiveness of strategic programs in improving our competitive position and differentiation in market segments, the momentum of new initiatives to achieve our long-term business aspirations, our preparedness to address any incidents that may cause business disruptions to our physical and technological infrastructure, strengthening internal controls to detect fraudulent activity, leadership development, leadership succession planning, and monitoring possible impact of changes in our regulatory environment.

We carried out the following risk management activities during the last fiscal:
• Assessed and strengthened the enterprise risk management framework for further standardization of risk identification, assessment and governance of risks across the organization.
• Assessment of our business momentum relative to competition and competitive position in key market segments comprising geographies, industries and service lines were conducted and actions.
• Regularly assessed progress on the execution of strategic programs, specifically, progress on the growth of new software enabled services, impact of automation, performance of subsidiary businesses, leadership succession planning and operating cost optimization. Deep dive assessments were done in identified areas by members of the committee.
• Regularly assessed the business environment including trend line of key external indicators and internal business indicators such as client concentration, client technology spend, growth of top clients and revenue bookings from large outsourcing engagements.
• Reviewed key operational risks and actions based on inputs from the internal risk register, external assessments, internal audit findings and incidents. Reviewed operational risk areas including client service delivery, information security (cyber-attacks and threat intelligence), women’s safety, physical security, succession planning, capital expenditures on infrastructure and business continuity management.
• Monitored key developments in the regulatory environment, especially of the United Kingdom and the United States of America, relating to immigration laws, minimum wages and impact to businesses of our clients.
• Monitored the availability of natural resources, such as water and power, and its impact on our operations.