RISK ASSESSMENT AND MANAGEMENT POLICY

1) SCOPE

This Risk Assessment and Management Policy (“Policy”) establishes the philosophy of Nanta Tech Limited (“Company”), towards risk identification, analysis and prioritization of risks, development of risk mitigation plans and reporting on the risk environment of the Company. This Policy is applicable to all the functions, departments and geographical locations of the Company.

2) OBJECTIVE

The objective of this Policy is to manage the risks involved in all activities of the Company to maximize opportunities and minimize adversity. This Policy is intended to assist in decision making processes that will minimize potential losses, improve the management of uncertainty and the approach to new opportunities, thereby helping the Company to achieve its objectives.

The key objectives of this Policy are:

Safeguarding the Company’s property and interest of all stakeholders.
Laying down of a framework for identification, measurement, evaluation, mitigation and reporting of various risks.
Evolving the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects, which the business and operations of the Company are exposed to.
Balancing between the cost of managing risk and the anticipated benefits.
To create awareness among the employees to assess risks on a continuous basis and develop risk mitigation plans in the interest of the Company.
Provide a system for setting of priorities when there are competing demands on limited resources.

3) RISK MANAGEMENT FRAMEWORK

The Board’s role is to ensure framing, implementing and monitoring risk management plan and systems for risk management as part of internal controls. The Audit Committee shall periodically evaluate the internal financial controls and risk management systems.

4) RISK MANAGEMENT PROCESS

Conscious that no entrepreneurial activity can be undertaken without assumption of risks and associated profit opportunities, the Company operates on a Risk Management Process /Framework aimed at minimization of identifiable risks after evaluation so as to enable management to take informed decision. Broad outline of the framework is as follows:

The resultant “Action Required” is derived based on the combined effect of Impact & Likelihood and is quantified as per the summary below.

Risk Identification: Management identifies potential events that may positively or negatively affect the Company’s ability to implement its strategy and achieve its objectives and performance goals. Potentially, negative events and represent risks are assigned a unique identifier. The identification process is carried out in such a way that an expansive risk identification covering operations and support functions are put together and dealt with.
Root Cause Analysis: Undertaken on a consultative basis, Root Cause Analysis enables tracing the reasons / drivers for existence of a risk element and helps developing appropriate mitigation action.
Risk Scoring: Management considers qualitative and quantitative methods to evaluate the likelihood and impact of identified risk elements. Likelihood of occurrence of a risk element within a finite time is scored based on polled opinion or from analysis of event logs drawn from the past. Impact is measured based on a risk element’s potential impact on cost, revenue, profit etc. should the risk element materialize. The composite score of impact and likelihood are tabulated in an orderly fashion and the table is known as Risk Register (RR). The Company has assigned quantifiable values to each Risk Element based on the “Impact” and “Likelihood” of the occurrence of the Risk on a scale of 1 to 3 as follows.

Impact	Score	Likelihood
Minor	1	Low
Moderate	2	Medium
Significant	3	High

Risk Categorization :
The identified risks are further grouped in to (i) Preventable (ii) Strategic and (iii) External categories to homogenize risks
Preventable Risks are largely internal to organization and are operational in nature. The endeavor is to reduce /eliminate the events in this category as they are controllable. Standard operating procedures (SOP) and Audit Plans are relied upon to monitor and control such internal operational risks that are preventable.
Strategic Risks are voluntarily assumed risks by the Senior Management in order to generate superior returns / market share from its strategy. Approaches to strategy risk is ‘Accept’/‘Share’, backed by a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the Company’s ability to manage or contain the risk events should they occur.
External risks arise from events beyond organization’s influence or control. They generally arise from natural and political disasters and major macroeconomic shifts. Management regularly endeavors to focus on their identification and impact mitigation through ‘avoid’/‘reduce’ approach that includes measures like Business Continuity Plan / Disaster Recovery Management Plan / Specific Loss Insurance / Policy Advocacy etc.

Risk Prioritization :
Based on the composite scores, risks are prioritized for mitigation actions and reporting
Risk Mitigation Plan:

Management develops appropriate responsive action on review of various alternatives, costs and benefits, with a view to managing identified risks and limiting the impact to tolerance level. Risk Mitigation Plan drives policy development as regards risk ownership, control environment timelines, standard operating procedure (SOP) etc.

Risk Mitigation Plan is the core of effective risk management. The mitigation plan covers:

Required Action
Required Resources
Responsibilities
Timing
Performance Measures and
Reporting and Monitoring requirements

Hence it is drawn up in adequate precision and specificity to manage identified risks in terms of documented approach (accept, avoid, reduce, share) towards the risks with specific responsibility assigned for management of the risks.

Risk Monitoring: It is designed to assess on an ongoing basis, the functioning of risk management components and the quality of performance over time. Staff members are encouraged to carry out assessments throughout the year.
Options for dealing with risk:

There are various options for dealing with risk.

Tolerate – If we cannot reduce the risk in a specific area (or if doing so is out of proportion to the risk) we can decide to tolerate the risk; i.e., do nothing further to reduce the risk. Tolerated risks are simply listed in the corporate risk register.
Transfer – Here risks might be transferred to other organizations, for example by use of insurance or transferring out an area of work.
Terminate – This applies to risks we cannot mitigate other than by not doing work in that specific area. So if a particular project is of very high risk and these risks cannot be mitigated we might decide to cancel the project.

Risk Reporting:
Periodically key risks are reported to Board or empowered committee with causes and mitigations undertaken / proposed to be undertaken.

5) COMMUNICATION AND CONSULTATION

Appropriate communication and consultation with internal and external stakeholders should occur at each stage of the risk management process as well as on the process as a whole.

PERIODICAL REVIEW OF EFFECTIVENESS: Effectiveness of Risk Management Framework is ensured through periodical Internal Audits. These play an important validation role to provide assurance to the Audit committee that the critical processes continue to perform effectively, key measures and reports are reliable and established policies are in compliance. As the risk exposure of any business may undergo change from time to time due to continuously changing environment, the updation of this Policy will be done as and when required.
APPROVAL OF THE POLICY:The Board will be the approving authority for the company’s overall Risk Management System. The Board will, therefore, approve the Risk Management Policy and any amendments thereto from time to time.
SUMMATION: The above framework is proposed as a broad risk management policy of the Company.