Risk Assessment and Management Policy.

1) SCOPE

This Risk Assessment and Management Policy ("Policy") establishes the philosophy of Nanta Tech Limited ("Company") towards the identification, analysis and prioritization of risks. The objective of this Policy is to support the organisation in the risk environment of the Company. This Policy is applicable to all the functions, departments and geographical locations of the Company.

2) OBJECTIVE

The objective of this Policy is to manage the risks involved in all activities of the Company to maximize opportunities and minimize adversity. This Policy is intended to assist in decision making processes that will minimize potential losses, improve the management of uncertainty and the approach to new opportunities, thereby helping the Company to achieve its strategic goals.

The key objectives of this Policy are:

  • Establishing a structured and disciplined approach to risk assessment at all stakeholders.
  • Laying down of a framework for identification, measurement, evaluation, mitigation and reporting of various risks.
  • Enabling management and the Board to continually reexamine risks are directed towards the effective management of potential opportunities and adverse effects, which the business and operations of the Company.
  • Balancing between the cost of managing risk and the anticipated benefits.
  • To ensure awareness among the employees to assess risks on a continuous basis and develop risk mitigation plans in the interest of the Company.
  • To establish at periodic intervals, evaluation of effectiveness and assurance and limited resources.

3) RISK MANAGEMENT FRAMEWORK

The Company shall put in place a system for implementing and monitoring risk management plan and systems for risk management as part of internal controls. The Audit Committee shall periodically evaluate the internal financial controls and risk management systems.

4) RISK MANAGEMENT PROCESS

The Company's approach to risk management involves an integrated four-step process, as detailed in a Risk Management Process Framework, aimed at minimization of identifiable risks after evaluation so as to enable management to take informed decisions. Board cycle of the framework is as follows:

Risk Identification:

Management identifies potential events that may positively or negatively affect the Company's ability to implement its strategy and achieve its objectives and opportunities. Potential risks are weighed, negated and assigned a unique identifier. The systematic process is carried out in such a way that an expansion risk identification covering operations and support functions are put together and sorted with.

Root Cause Analysis:

Undertaken on a consultative basis, Root Cause Analysis enables identifying the reasons / drivers for existence of a risk element and helps developing appropriate responses.

Risk Scoring:

Management considers qualitative and quantitative methods to evaluate the likelihood and impact of identified risk elements. Likelihood of occurrence of a risk element within a finite time is scored based on period opinion or from analysis of event logs drawn from the past. Likelihood is evaluated based on a risk element's potential impact on cost, revenue, reputation, etc. For example, a potential product failure could result in a 15% loss in annual revenue of the Company. Quantifiable scales are assigned to each Risk Element based on the "Impact" and "Likelihood" of the occurrence of the Risk on a scale of 1 to 3 as follows:

Impact        Score   Likelihood
Minor         1       Low
Moderate      2       Medium
Significant   3       High

Risk Categorization:

The identified risks are further grouped into (i) Preventable, (ii) Strategic and (iii) External categories to homogenize risks:

  • Preventable Risks are largely internal to the organization and are operational in nature. The endeavor is to reduce/eliminate the events in this category as they are controllable. Standard operating procedures and internal controls act as preventive and control such internal operational risks.
  • Strategic Risks are those related to the Company's medium and long-term plans. The approach to strategy risk is "Accept/Treat", backed by a risk management system designed to reduce the probability that the assumed risks actually materialize and improve the Company's ability to manage or mitigate them.
  • External Risks are those which are largely external to the organization's operations and emanate from the external environment. The Company regularly endeavors to focus on their identification and mitigates integration through "avoid"/"reduce" approach that includes measures like the Business Continuity Plan / Disaster Recovery Management Plan / Fraud Risk insurance / Policy Advocacy etc.

Risk Prioritisation:

  • Based on the composite scores, risks are prioritized for mitigation action and reporting.

Risk Mitigation Plan:

Management draws up mitigation action on review of various alternatives, costs and benefits, with a view to managing identified risks and limiting the impact to a tolerable level. Risk Mitigation Plan drives policy development as regards risk ownership, control environment timelines, standard operating procedure (SOP) etc.

Risk Mitigation Plan is the core of effective risk management. The mitigation plan covers:

  • Required Action
  • Required Resources
  • Responsibilities
  • Timing
  • Performance Measures and
  • Reporting and Monitoring requirements

Hence, it is a regular and continuous process, specifically to manage identified risks in terms of a documented approach (accept, avoid, reduce, alleviate) towards the risks, with specific timelines for review and implementation of the risks.

Risk Monitoring:

It is designed to assess on an ongoing basis, the functioning of the risk management components and the quality of performance over time. Staff members are encouraged to carry out assessments throughout the year.

Options for dealing with risk:

There are various options for dealing with risk:

  • Tolerate - If we cannot reduce the risk in a specific area (or if doing so is out of proportion to the risk) we can decide to tolerate the risk (i.e., do nothing further to reduce the risk).
  • Tolerated risks are monitored by the corporate risks register.
  • Transfer - Here risks might be transferred to other organizations, for example by use of insurance or outsourcing an area of work.
  • Terminate - This applies to risks we cannot mitigate other than by not doing work in the specific area, or if a particular project is of very high risk and these risks cannot be mitigated.
  • Treat - Steps are taken to manage and control risk.

Risk Reporting:

Periodically key risks are reported to board or empowered committees with causes and mitigations undertaken / proposed to be undertaken.

5) COMMUNICATION AND CONSULTATION

Appropriate communication and consultation with internal and external stakeholders should occur at each stage of the risk management process as well as on the process as a whole.

6) PERIODIC REVIEW OF EFFECTIVENESS

Effectiveness of Risk Management Framework is ensured through periodical internal audits. These play an important validation role. As the risk exposure of the business may undergo change from time to time due to the continuously changing environment, the updation of this Policy will be done as and when required.

APPROVAL OF THE POLICY

The Board is responsible for the overall authority for the company's overall Risk Management System. The Board will, therefore, approve the Risk Management Policy and any amendments thereto from time to time.

SUMMATION:

The above framework is proposed as a broad road-map of risk management policy of the Company.