Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

Enterprise Risk Management Policy &

Framework

Document Version No.: 1.5

Release Date: 26 th July 2024

PRIME For Internal Use Only Document Ver. 1.4

Page 1 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

REVISION HISTORY

Date Version Prepared By Reviewed Approved By Summary of Changes

No. By

26th 1.5 Aniket Rajashree Uma Thomas Updated HITRUST

July Kulkarni Laad/ Balaji verbiage
2024 Seshan

PRIME For Internal Use Only Document Ver. 1.4

Page 2 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

TABLE OF CONTENTS

Contents
1.0 Introduction .....................................................................................................................................4
1.1 Objectives of the Policy ................................................................................................................4
1.2 Scope of policy ..............................................................................................................................5
1.3 Maintenance of Enterprise Risk Register.................................................................................6
2.0 Risk Governance...............................................................................................................................6
2.1 Risk governance structure ............................................................................................................7
2.1.1 Board ....................................................................................................................................8
2.1.2 Ops Management Council (MC) ...........................................................................................8
2.1.3 Chief risk officer (CRO)..........................................................................................................8
2.1.4 Risk Owner ............................................................................................................................9
2.1.5 Risk coordinators ..................................................................................................................9
2.2 Risk reporting structure ..............................................................................................................10
3.0 Risk management approach ..........................................................................................................10
3.1 Risk identification ......................................................................................................................11
3.1.1 Risk categorization..............................................................................................................12
3.2 Risk assessment ..........................................................................................................................12
3.2.1 Detailed guidelines for assessing impact & probability......................................................13
3.3 Risk mitigation strategy ..............................................................................................................15
3.3.1 Risk reduction/mitigation ...................................................................................................16
4.0 Risk monitoring & review ..............................................................................................................17
4.1 Early warning indicators (EWIs).................................................................................................17
4.2 Governance, assurance & management reviews .....................................................................17
4.3 Communication & reporting ......................................................................................................23
5.0 Climate Risk Management .............................................................................................................23
6.0 Training & awareness ....................................................................................................................24
7.0 Annexure ........................................................................................................................................24

PRIME For Internal Use Only Document Ver. 1.4

Page 3 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

1.0 Introduction

Hexaware Technologies has grown over the years with the core value of building transparent
and lasting relationships. Our mission is to Transform how IT Services are delivered and to be
the first IT services company in the world where half the workforce is digital. We strive to
proactively seize opportunities that the market offers in order to achieve our strategic and
business objectives. In this process, we are exposed to several external and internal risks which
may affect our financial and non- financial results. Hexaware (“the company”) is committed to
recognize & manage its risks in a proactive, ongoing & positive manner with the adoption of
risk management framework.

Requirements under the Companies Act 2013 advocates the implementation of an effective
enterprise-wide risk management process. With this in perspective and to ensure reasonable
assurance over the attainment of our business objectives, we have adopted this risk management
policy to guide our risk management activities.

The objective of an Enterprise Risk Management (ERM) system is to ensure that risks are not
treated in isolation. Risks from different sources across the organization are identified, analyzed
and controlled within the enterprise risk management framework of the organization and risks
are treated on a timely basis with robust risk mitigation strategies and early warning indicators
formulated for these risks.

This Policy:
• Articulates the company’s risk management objectives
• Defines various risks and establishes use of common risk language for the company
• Defines the governance model for execution of this policy as well as responsibility for
risk decisions
• Defines authority structure for committees and business functions that have a role in risk
management
The aim of the policy is to ensure that every effort is made by the company to identify, measure,
evaluate, manage, and monitor risk to maximize potential opportunities and minimize the
adverse effects of risk

1.1 Objectives of the Policy

The objective of this policy is to ensure sustainable business growth and to promote a pro-active
approach in identifying, evaluating, reporting, and managing risks associated with the business.
In order to achieve the key business objectives, this policy establishes a structured and disciplined

PRIME For Internal Use Only Document Ver. 1.4

Page 4 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

approach to risk management in order to manage risk related issues. The specific objectives of
this policy are:
• To enable visibility and oversight of the Board on the risk management system and
material risk exposures of the company.
• To ensure all risks across the organization are identified and evaluated through
standardized process and consolidated across the organization to identify the key risks that
matter to the organization to enable risk prioritization.
• To ensure mitigation plans for key risk are agreed upon, assigned to risk owners and
reviewed on a periodic basis
• To ensure that risks are reported at all levels in the organization as per their relevance and
significance.
• To ensure that risk governance structure is aligned with organizational structure and risk
profile of the company with well-defined and delineated roles, responsibility, and
delegation of authority.

• To enable transparency of risk management activities with respect to internal and external
stakeholders.
• To enable compliance to appropriate statutory & regulatory requirements, wherever
applicable, through the adoption of leading practices.
• To assist in defining the early warning indicators and the related leading measures
associated to the top risks identified by the enterprise
• To establish and maintain the risk appetite of the organization within the defined threshold
levels by tracking the early warning indicators
• Assist in safeguarding the value and reputation by avoiding unpleasant shocks and
surprises.
• Validate the implementation of risks management practices and measure the effectiveness
using the risk based internal audits
• To develop a “risk aware” culture which is crucial for long term success.

1.2 Scope of policy

The policy guidelines are devised in context of the organization’s growth objectives, its business
and strategy plan, global ERM standards and leading industry practices. The Scope of the Policy
shall cover:

• Hexaware and its subsidiaries across all territories

• This policy will be applicable to all Hexaware entities.
• All functions at corporate /branch offices across territories
• All events, both external and internal which shall have significant impact on the
objectives of the organization
• This framework is reviewed & approved by CRO
• This Framework is revised based on changes in the business environment/ regulations/
standards/ best practices in the industry by an outside consultant/ organization that would
present their recommendations to the Chief Risk Officer annually or as per the directives
of the Board /Audit committee

PRIME For Internal Use Only Document Ver. 1.4

Page 5 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

• In case of non-adherence to the policy, the same shall be reported to the Ops
Management Council (MC) & necessary action may be taken in this regard

1.3 Maintenance of Enterprise Risk Register

Centralized Risk register with their mitigation plan shall be maintained by CRO and shall be
reviewed and updated as per the policy guidelines.

2.0 Risk Governance

The company’s vision for risk management is to have a culture in which risks are managed in an
integrated manner that will enable it to:
• Be recognized as a leading organization with best practices; to achieve the vision and
mission.
• Be seen as an organization of high ethics that manages its risks responsibly in addition to
achieving operational and financial goals.
A well-defined risk governance structure serves to communicate the approach of risk management
throughout the organization by establishing clear allocation of roles and responsibilities for the
management of risks on a day-to-day basis. As part of Risk Governance, risk management related
aspects get discussed in Ops Management Council meetings. Ops Management council comprises
of CXOs of the company. This ensures that the risk management activities are undertaken as per
the policy.
CRO shall appoint Risk Owners from all relevant functions at Hexaware and the Risk Owners
would be responsible for establishment and implementation of risk management process
effectively in their respective functions.
The diagram below outlines the governance structure for Hexaware: -

Board

Board
committees
Ops Management
Council (MC)

Corporate Functions

PRIME For Internal Use Only Document Ver. 1.4

Page 6 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

Board committees include- Nomination and Remuneration Committee, Audit, Governance and
Compliance Committee, Stakeholders Relationship Committee, Corporate Social Responsibility
Committee

Enterprise Risk Management is one of the agenda points of Ops Management Council (MC)
meeting

2.1 Risk governance structure

Composition of the Risk Management Committee:

1. Mr. Joseph Mclaren Quinlan, Independent Director (Chairman);

2. Mr. Kapil Modi, Non-Executive Director (Member);
3. Mr. Shawn Devilla, Non-Executive Director (Member); and
4. Mr. Milind Sarwate, Independent Director (Member)

The role and responsibility of the Risk Management Committee shall be as follows:

• Review, assess and formulate the risk management system and policy of the Company from
time to time and recommend for an amendment or modification thereof, which shall include:
(a) a framework for identification of internal and external risks specifically faced by the
Company, in particular including financial, operational, sectoral, sustainability
(particularly, environment, social and governance related risks), information, cyber
security, compliance and ethics risks or any other risk as may be determined by the Risk
Management Committee;
(b) measures for risk mitigation including systems and processes for internal control of
identified risks; and
(c) business continuity plan;

• Ensure that appropriate methodology, processes and systems are in place to monitor and
evaluate risks associated with the business of the Company;

• Monitor and oversee implementation of the risk management policy, including evaluating the
adequacy of risk management systems;

• Periodically review the risk management policy, at least once in two years, including by
considering the changing industry dynamics and evolving complexity, and recommend for
any amendment or modification thereof, as necessary;

• Keep the Board of the Company informed about the nature and content of its discussions,
recommendations and actions to be taken;

• Review the appointment, removal and terms of remuneration of the Chief Risk Officer (if
any);

• To implement and monitor policies and/or processes for ensuring cyber security;

• To coordinate its activities with other committees, in instances where there is any overlap
with activities of such committees, as per the framework laid down by the Board; and
PRIME For Internal Use Only Document Ver. 1.4
Page 7 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

• Any other similar or other functions as may be laid down by Board from time to time and/or
as may be required under applicable law, as and when amended from time to time, including
the Securities and Exchange Board of India (Listing Obligations and Disclosure
Requirements) Regulations, 2015.”

The Risk Management Committee shall have powers to seek information from any employee,
obtain outside legal or other professional advice and secure attendance of outsiders with relevant
expertise, if it considers necessary.”

2.1.1 Board

The ultimate responsibility of risk oversight lies with the board. The board is entrusted with the
key role of ensuring effective risk management and aligning the strategic objectives with the
organization’s key risks in order to achieve intended outcomes.
Key roles and responsibilities

• Overall direction of the business including policies, strategies, and risk management
across all the functions
• Review the status of risk management activities
• Ensure that risk management system is established, implemented, and maintained in
accordance with the defined framework
• To review changes in the risk profile of the company from time to time
• Adherence to all applicable laws, regulations & other applicable codes of conduct, both
locally & globally.

2.1.2 Ops Management Council (MC)

Risk Management topics which get discussed in Management Council meetings-

• Review the organization’s risk profile periodically

• Review and assess the current & planned approach to manage key business risks
• Assess and evaluate the key risks anticipated and associated mitigation measures for the
organization and suggest new mitigation measures as necessary.
• Ensure that effective risk mitigation plans are in place and the results are evaluated and
acted upon.
• Evaluate the Early Warning Indicators for key business risks identified by the Risk
Owners
• In case of exigencies / emergent conditions, ensure that the Board is apprised about the
same

2.1.3 Chief risk officer (CRO)

The Chief Risk Officer (CRO) will work with members of Ops MC and risk owners in establishing
and implementation of risk management process effectively in their areas of responsibilities.

Roles and Responsibilities of the CRO:

PRIME For Internal Use Only Document Ver. 1.4

Page 8 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

• Manage the establishment and ongoing maintenance of risk management policy pursuant
to the organization’s risk management vision
• Ensure all the relevant functions are represented in the Management Council
• Validate that the risk management policy is implemented in each department and that all
significant risks are being recognized, acknowledged, and effectively managed
• Discuss with risk owners and finalize the ownership of risk registers, thereby entrusting
the person with the responsibility of completion of the risk register
• Coordinate with risk owners for periodic update of risk registers
• Support the Risk Owner in identifying and assessing risks, creating mitigation plans, and
development of early warning indicators

2.1.4 Risk Owner

Risk Owners shall be the heads of respective function/department/location as decided by

Management Council on time-to-time basis depending on the organizational structure and
business imperatives so as to ensure that risks pertaining to all critical and significant
functions/departments/locations are captured while identifying, assessing, and managing risks.
Their name shall reflect as the owner of the respective risk register.

Role and Responsibilities of Risk Owners:

• Risk Owners should ensure that all the risks within their respective functions are
identified, assessed, monitored, and managed effectively to ensure that risk management
practices are implemented. They should also ensure that processes utilized are in
compliance with the entity’s enterprise risk management policies.
• Ensure that risks for their respective functions/department/location are identified and
assessed
• Ensuring that the risk assessment is done as per the risk assessment framework
• Ensuring risks are managed on a daily basis
• Ensuring risk registers are maintained and updated on a monthly basis & shared with
CRO function on a quarterly basis
• Facilitate the identification and implementation of risk mitigation plans
• Development of early warning indicators for key risks identified
• Define L2 EWI’s and track them to measure the effectiveness of the mitigation plans
• Reporting the risks along with assessment and mitigation of the respective function to
the CRO
2.1.5 Risk coordinators

Based on the needs risk coordinators shall be appointed by risk owners within their function (one
or more than one) to assist in the risk management activities.

Role and Responsibilities of Risk Coordinators:

• Assisting the Risk Owner in initiating risk identification and assessments within their
area of responsibility
• Taking timely inputs from Risk Owners
• Timely updating and maintaining the risk register for functions as per the inputs from
Risk Owners.
• Assist the Risk Owners in development of early warning indicators and mitigation plans

PRIME For Internal Use Only Document Ver. 1.4

Page 9 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

2.2 Risk reporting structure

Risk Owners shall report quarterly to CRO with all the risks identified in their respective
functions and the status of the Early Warning Indicators. CRO shall discuss org. risks with
the Ops MC on a periodic basis.

3.0 Risk management approach

Risk Management as a process shall enable the organization to identify, assess and treat risks. It
is the responsibility of everyone in the organization viz. board, management team and all
Hexaware personnel. Risk Management applies to all functions, and operations within the
organization.
The plan for managing enterprise level and operational risk is by communicating it to the
stakeholders and establishing the connection between the risk management policy and the
organization's strategic planning, assessment processes and procedures.

Based on the risk management process, security controls are evaluated for its applicability and
effectiveness. Additionally, based on the changes in the environment or prior to any significant
change, or after a serious incident, or whenever a new significant risk factor is identified, or at
a minimum annually, the risk management process is to be triggered and updating of risk
management policy is to be assessed.

In Hexaware, risk management is iterative. An iteration of the risk management process is

triggered when e.g.:
• The business develops a new goal, undertakes a project or investment, or considers its
strategy for coming years
• Conditions exterior to Hexaware change significantly, e.g. regulatory or legal changes,
major changes in competitive landscape, changes to key partnerships etc.
• Periodic requirements for risk reviews as required by Governing documents, Contracts,
legislation, or other sources
• Organization changes/ M&A

The primary objective(s) of establishing a risk management process is to ensure that:

• Risks faced by the organization shall be identified and recorded in the risk register,
enabling the top management to take a comprehensive view of the same
• Risks identified shall be assessed, mitigated, monitored, and reviewed on an ongoing
basis.
• The level of acceptable risk in the critical infrastructure and business-specific risks is
clearly stated.

PRIME For Internal Use Only Document Ver. 1.4

Page 10 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

• Acceptable risk appetite is set that balances risks and opportunities to contribute to the
achievement of the organization’s strategic objectives.
• Enable the audit committee in assessing the effectiveness of the risk management systems
which are in place and undertaking independent review of the risk mitigation plans which
have been designed for material risks.

Hexaware’s enterprise risk management practices are aligned to ISO 31000:2018 & COSO ERM
2017
The Risk Management Process is depicted below:

3.1 Risk identification

Risk identification sets out to identify an organization’s exposure to uncertainty. This requires an
in- depth knowledge of the organization, the market in which it operates, the economic, legal,
regulatory, social, political, technological and cultural environment in which it exists, as well as
the development of a sound understanding of its strategic and operational objectives, including
factors critical to its success and the threats and opportunities related to the achievement of these
objectives.

PRIME For Internal Use Only Document Ver. 1.4

Page 11 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

Risk identification shall be approached in a methodical way to ensure that all significant activities
within the organization have been identified and all the risks flowing from these activities defined.
The following methodologies can be used to identify risks:
• Brainstorming
• Surveys /Interviews/Working groups
• Experiential or Documented Knowledge
• Risk Lists - Lessons Learned
• Historical risk event information

Please refer Annexure 1 for risk register template.

3.1.1 Risk categorization

Risk Categories are the defined risks that assist in organizing consistent risk identification,
assessment, measurement, and monitoring across the organization. A standardized risk category
would help determine the impact of each risk at aggregate/group level. However, this risk category
would be updated regularly to incorporate new risks that may arise from time to time.

All the risks that have been identified shall be categorized under the following risk categories -
Strategic, Operational, Reporting and Compliance risk.

• Strategic Risk - Risk of loss resulting from business factors. These risks adversely affect
the achievement of strategic objectives and may impair overall enterprise value.

• Operational Risk - Risk of loss resulting from inadequate or failed processes, people and
information systems.

• Compliance Risk - Risk of loss resulting from legal and regulatory factors

• Reporting Risk – Risk arising out of wrong or inaccurate reporting

3.2 Risk assessment

Risk assessment allows an entity to consider the extent to which potential events have an impact
on achievement of objectives. Risk assessment is a continuous process. Continuous evaluation
should be performed both qualitatively and quantitatively. The goal is to identify the interrelations
and enable the management to prioritize the risks.

Regular risk assessment shall be conducted, along with mitigation of risks identified from risk
assessment and threat monitoring procedures.

Risk is assessed whenever there are any major or significant changes. The risk management
process is integrated with the change management process.

PRIME For Internal Use Only Document Ver. 1.4

Page 12 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

The table below captures the scoring methodology for measuring exposure for each risk at an
initial level (unmitigated) and residual level (after mitigation strategies have been implemented).
The final risk rating can be obtained from the table based on the values assigned against each of
the risks identified.
Measure of Risk Exposure = Impact * Probability

Impact Probability Initial & Residual

(Low, (Low, risk rating
Medium Medium (Green (Low),
High) High) Amber (Medium),
Red (High))

Low Low Green

Medium Medium Amber
High High Red
Low High Green
Low Medium Green
Medium Low Green
Medium High Amber
High Low Green
High Medium Amber

3.2.1 Detailed guidelines for assessing impact & probability

The risk analysis can be performed qualitatively or quantitatively. The impact assessment can be
decided based on the following parameters-

Risk Impact Quantitative Qualitative

Low Less than Rs. 50 Lacs (or $ No/ minimal impact on
66000) business reputation /
operations. The impact of
which can be absorbed
through normal activity.
Medium Between Rs. 50 Lacs (or $ Issues impacting the value or
66000) to Rs. 3 Crore (or $ reputation / operations of the
400000) company. Damaged expected
to be limited only to the short
run. (Less than 6 months)
High Greater than Rs. 3 Crore (or $ Issues materially affecting
400000) the value or reputation /
operations of the entire
company or the group

Also, one can refer below detailed parameters for impact assessment.

PRIME For Internal Use Only Document Ver. 1.4

Page 13 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

The impact of a particular risk should be assessed on the following areas. If a particular risk
impacts multiple areas, the highest rating will be considered.
For example, if a particular risk has a ‘High’ Financial Impact and a ‘Low ‘Regulatory
Compliance Impact, the final impact rating for the risk will be ‘High’

Impact Assessment
Parameters
Rating High Medium Low
Financial impact Financial impact (PBT) will
Financial impact
Financial (PBT) could be be less than 0.5 % of
(PBT) can be >2%
between 0.5 % to revenue for the previous
of revenue for the year
2% of revenue for
previous year
the previous year
Business Continuity Continuity Continuity threatened for a
Continuity threatened threatened minor period
permanently temporarily
Major Temporary Manageable disruption/ no
Security disruption/ disruption/ damage to project or
considerable some operations
damage to damage to
project or project or
operations operations
Prosecution No prosecution but
Regulatory/ of Senior Major fines imposition of minor fines/
Management and Minor technical non-
Compliance of the prosecution compliance
company/ of the
suspension of company
operations
Irreparable Localized Localized low-level impact
Reputation/ damage to damage to to company reputation and
Brand company company brand
reputation and reputation
brand on and brand
national/
international
level
Any control
Any control issue in Any control issue in
issue in IT/systems IT/systems that may
Information that may lead
Technology IT/systems temporarily impact
that may lead to a operations but will not lead
to a major: moderate: to breach or loss of data
- Breach of sensitive - Breach of data integrity
data (not considered to

PRIME For Internal Use Only Document Ver. 1.4

Page 14 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

- Loss of data be sensitive)

Integrity - Loss of data
- Impairment of Integrity
Operations - Impairment of
Operations

Probability Assessment
Parameters
High Medium Low
• Event may occur,
• Event expected but only under
to occur in most • Event will probably occur in exceptional
circumstances most circumstances circumstances.
• Definite history of • Probably occur once per decade • May happen
occurrence • History of near miss once per lifetime
• Frequency between
• Probably occur once
once and ten times a
in more than a decade
year

3.3 Risk mitigation strategy

There are four common strategies for treating risk. There is no single “best” response strategy,
and each risk must be considered on its own merits. Some risks may require a combination of
strategies and multiple responses, whereas others may need only one strategy with a single
response.

• Risk avoidance/ termination: This involves doing things differently and thus removing
the risk (i.e. divestments). This is particularly important in terms of project risk, market
risk or customer risks.

• Risk reduction/ mitigation: Reduce or Treat the risk. This is the most widely used
approach. The purpose of treating a risk is to continue with the activity which gives rise
to the risk but to bring the risk to an acceptable level by taking action to control it in
some way through either:
o Containment actions (lessen the likelihood or consequences and applied before
the risk materializes) or;
o Contingent actions (put into action after the risk has happened, i.e. reducing the
impact. Must be pre-planned)

Risk acceptance: Accept and tolerate the risk. Risk Management doesn’t necessarily mean risk
reduction and there could be certain risks within the organization that it might be willing to
accept and continue with its operational activities. The organization shall tolerate such risks that
are considered to be acceptable, for example:
o a risk that cannot be mitigated cost effectively
o a risk that opens up greater benefits than loss
o uncontrollable risks

PRIME For Internal Use Only Document Ver. 1.4

Page 15 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

It’s the role of function head to decide the tolerance level of a risk, and when such a decision is
taken, the rationale behind it shall be fully documented. In addition, the risk shall continue to be
monitored and contingency plans shall be in place in the event of the risk occurring.

Risk transfer: Transfer some aspects of the risk to a third party. Examples of risk transfer include
insurance and hedging. This option is particularly good for mitigating financial risks or risks to
assets.

• The following aspects shall be considered for the transfer of identified risks to the
transferring party:
o Internal processes of the organization for managing and mitigating the identified
risks.
o Cost benefit of transferring the risk to the third party.

3.3.1 Risk reduction/mitigation

If the risk treatment mechanism selected is risk mitigation or risk transfer for an identified risk
than the next step shall be to review and revise existing controls to mitigate the risks falling
beyond the risk appetite and also identify new and improved controls.

Risk mitigation process:

Implement
Identify Mitigation Evaluate Mitigation
Mitigation Plan/
Plan/Controls Plan/Controls
Controls

Identify controls
New control activities are designed in addition to existing controls post assessment of risk
exposure at current level to ensure that the risks are within the accepted risk appetite.

Control activities are categorized into Preventive or Detective on the basis of their nature and
timing:
o Preventive controls – focus on preventing an error or irregularity.
o Detective controls – focus on identifying when an error or irregularity has
occurred. It also focuses on recovering from, repairing the damage from, or
minimizing the cost of an error or irregularity.

Evaluate Controls
The controls identified for each risk event shall be evaluated to assess their effectiveness in
mitigating the risks falling beyond the risk appetite.

Implement Controls
It is the responsibility of the function head to ensure that the risk mitigation plan for their
function is in place and is reviewed regularly.
Risk tolerance thresholds are defined for each category of risk. Risk reassessment is conducted to
ensure management's stated level of acceptable risk is still valid.

PRIME For Internal Use Only Document Ver. 1.4

Page 16 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

4.0 Risk monitoring & review

The Ops Management Council (MC) is the key group which shall work on an ongoing basis within
the risk management framework outlined in this policy to mitigate the risks to the organization’s
business as it may evolve over time.
4.1 Early warning indicators (EWIs)
Early Warning Indicators are rule based quantitative or qualitative triggers based on multiple
sources of information for early identification of potentially harmful scenarios. They have the
following characteristics
• Rule based triggers - These are triggers to flag risks early based on rules – that can be
quantitative (like sharp increase in resource cost) or qualitative (like change in government
policies)
• Multiple sources of information - The triggers could be based on internal information like
supplies, labour issues, high attrition etc. or external information like changes in travel
regulations, macro-economic developments etc.
• There are two levels of EWI’s defined Level 1 (Strategic Level), Level 2 (Operational
Level). Both the categories of EWI’s are tracked using the format provided in Annexure -
3
• Defined EWIs can be found out in Annexure 4

4.2 Governance, assurance & management reviews

The Three Lines of Défense model distinguishes among three groups (or lines) involved in
effective risk management:

PRIME For Internal Use Only Document Ver. 1.4

Page 17 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

Three Levels of Defense - Model

Governing Body / Board/ Audit Committee

Executive Council & Sr. Management

Govt. and Regulatory authorities

Financial Controls Risk based internal
Level2
audits

External audits
Information security Audits

Operational Risk management

Process compliance (PHI)

Internal Quality Audits Level-3

Management Internal
controls controls
Level-2

Level-1

Level 1: Functions that own and manage risks

As the first line of Défense, operational managers own and manage risks. They are also responsible
for implementing corrective actions to address process and control deficiencies. Operational
management is responsible for maintaining effective internal controls and for executing risk and
control procedures on a day-to-day basis.
Operational management identifies, assesses, controls, and mitigates risks, guiding the
development and implementation of internal policies and procedures and ensuring that activities
are consistent with goals and objectives.

Level 2: Functions and processes to oversee risks

Management establishes various risk management and compliance functions to help build and/or
monitor the first line-of-Défense controls. Management establishes these functions to ensure the
first line of Défense is properly designed, in place, and operating as intended. These functions
ensure that information about risks and their management is communicated to all stakeholders.
The Ops Management Council (MC) facilitates and monitors the implementation of effective risk
management practices by operational management and assists risk owners in defining the target
risk exposure and reporting adequate risk-related information throughout the organization.

Compliance function

PRIME For Internal Use Only Document Ver. 1.4

Page 18 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

The compliance function monitors specific risks such as noncompliance with applicable laws and
regulations. Hexaware uses “Compliance Manager Tool” which tracks & records applicable
legislations, regulations & laws. Compliance owners identified report whether Hexaware is in
compliance with the requirements and Compliance approvers identified review the submission of
compliance owners. The compliances are classified as per the risk inherent in it. The
classifications are- Critical, High, Moderate, Low.
The criteria to arrive at the classification is-
Risk rating criteria (On meeting any one of the criteria listed)
Material Possibility of Possibility of
Risk Rating Possibility of
Financial Impact closure of Reputational
Imprisonment
(USD) Million Business Risk
Imprisonment of
directors/ Key Complete closure
Critical >=1 Most Likely
executives and non- of business
compoundable
Potential risk of Partial Closure
High >= 0.5 < 1 Likely
imprisonment of business
Moderate >= 0.1 to < 0.5 Not Likely No Impact Not Likely
Low < 0.1 Not Likely No Impact Not Likely

Guidance for reporting on critical items

Material Financial Any potential statutory noncompliance/regulatory notices/ claims/
Impact investigation/ pending or threatening litigation which has a potential financial
impact of more than USD 1 million. The financial impact can be inferred
from claim value of the matter/penalty specified in the regulatory notice. For
matters where financial impact is not specified, the functional owner has to
assess based on the circumstances of the case and take assistance of
internal/external counsel, wherever required.
Examples:
1. Litigations against the company for recovery/damages/tortious
liability/Third party infringement claims with claims in excess of above
threshold.
2. Employee litigation challenging a legal position taken by the company
which may materially translate into a class action suit.
Criminal Any potential statutory noncompliance/regulatory notices/ claims/
Liability/Imprisonment investigation/ pending or threatening litigation which can potentially
to Directors/Key implicate the directors/ Key Executives (KEs) for criminal or personal
Executives with non- liability. If there are regulatory notices/litigations which are under specific
compoundable offence provisions of law which entail criminal/personal liability for a director/KEs,
such legal matters should be reported.

PRIME For Internal Use Only Document Ver. 1.4

Page 19 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

Possibility of closure Any potential statutory noncompliance/regulatory notices/ claims/

of Business investigation/ pending or threatening litigation which has the potential to
disrupt business operations.
Examples:
1. Notice for closure of a building facility due to safety hazard identified
(E.g., Fire safety, Occupancy Certificate)
2. Failure to obtain or renew critical licenses which may impact ability to
continue business. (E.g. Debt Collection License for regulated activities,
Environment license for operating)
3. Potential Infringement claim/investigations/litigation with implications on
closure of any business/key service line or product. (E.g. Third Party IP
claims over product or services offered by company)
4. Notice for cancellation of Immigration sponsorship license.
Reputational Risk The potential that negative publicity regarding an institution’s business
practices, whether true or not, will cause a decline in the customer base,
costly litigation or revenue reductions.

Examples:
1. Pending/ threatening litigations which may result in potential employment
claim in nature of threatened class action or group action having potential
wage or benefits which may result in potential investigation by the regulators
and / or sanctions.
2. Pending/ threatening Litigation arising out of potential termination of
contract of more than USD 1 million and claim of damages by the client in
excess of USD 1 million on account of non-performance, sub-optimal
performance, breach of contractual terms, material non-compliance with
supply chain regulations Anti-Bribery, Anti-Trust, Environment related
regulations.
3. Pending/ threatening litigations arising out of whistle blower claims
related to any matter.
4. Audit / investigations initiated by regulators based on complaint received
from employee, customer, vendor, shareholders or any third party for
potential non-compliance covering multiple years and potential for the claim
exceeding USD 1 million.
5. Tax assessment / notices which are raised on suspecting major income
escaping / misreporting or tax fraud provisions which could be seen as
reputation damaging if highlighted in media.
6. Compliance issues which lead to:
(a) Institutional investors seek probe on leadership decisions; or
(b) Institutional investors seek leadership change; or
(c) any compliance incident (E.g. Data security/Cybersecurity breach) for
any key service lines as per the Incident reporting policy
7. Any fatality or major accident. Any breach with respect to women's safety.
8. Any regulatory notice with respect to FCPA, UK Bribery Act or any of
the Anti-Bribery regulation.
Note
There may also be risk criteria which may overlap i.e.an issue may pose a reputational
risk as well as have a material financial impact.

PRIME For Internal Use Only Document Ver. 1.4

Page 20 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

The following are the key activities of Risk & Compliance Functions in the ERM framework:
• Supporting management policies, defining roles and responsibilities, and work with
different organization entities in setting goals for implementation.
• Identifying known and emerging issues.
• Assisting management in developing processes and controls to manage risks and issues.
• Providing guidance and training on risk management processes.
• Facilitating and monitoring implementation of effective risk management practices by
operational management.
• Alerting operational management to emerging issues and changing regulatory and risk
scenarios.
• Monitoring the adequacy and effectiveness of internal controls, accuracy and
completeness of reporting, compliance with laws and regulations, and timely remediation
of deficiencies.
Financial Controls: Corp. Finance function monitors financial risks and financial reporting issues
Project Health Index (PHI): This is performed on a monthly basis by the process consultants for
all the projects. The scores are published to the leadership team. This process uncovers the key
indicators that helps the Project Manager to identify and controls the risks. This report is reviewed
every month as part of the monthly reviews by the vertical delivery heads. The organization level
risks identified are shared with the CRO
Account Level Information Security and Governance Audits: This audit helps to identify the
risks related to cyber security, data privacy and business continuity. This helps the Sr. management
to take some timely measures for mitigating the risks.
Third-Party Vendor Risk Assessments: This assessment is performed once a year to identify
the risks associated with third-party vendors and their services and tools implemented in Hexaware
environment. The risks identified from this assessment are reported to the leadership team to take
appropriate decisions and actions.
Internal Vulnerability & Assessment & Penetration Testing: The internal VAPT is performed
on the critical devices / networks/ internet facing applications etc. The findings are classified as
Critical, high, medium, and Low. The Internal scanning team ensures to close critical and high
findings within the agreed SLA. This ensures an acceptable level of security posture of the
organization.
Monthly Reviews- Support functions: The support function performs the self- assessment and
publish their dashboard to the function head. Action plans for the critical risks identified are
implemented with appropriate approvals from the leadership team. This review includes the
compliance requirements as applicable to the respective functions.
As the risk exposure of Hexaware may undergo change from time to time due to continuously
changing environment, the risks with their mitigation measures shall be updated on a regular basis.
PRIME For Internal Use Only Document Ver. 1.4
Page 21 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

Level 3. Functions that provide independent assurance

Risk Based Internal Audits:
The Risk based internal audit brings in a higher level of independence and objectivity within the
organization. This high level of independence is not available in the second line of Défense.
Internal audit provides assurance on the effectiveness of governance, risk management and
internal controls, including the way in which the first and second lines of Défense achieve risk
management and control objectives. Internal audit actively contributes to effective organizational
governance fostering independence and professionalism.
The scope of this assurance function covers Hexaware and its subsidiaries, Business unit/verticals,
support functions and their applicable business processes. It includes:
• A broad range of objectives, including efficiency and effectiveness of operations and
controls.
• Safeguarding of organizational Hardware/Software assets & environment.
• Reliability and integrity of reporting processes & transactions within the entity.
• Compliance with laws, regulations, policies, procedures, and contracts.
• All elements of the risk management and internal control framework, which includes
internal control environment; all elements of an organization’s risk management
framework (i.e., risk identification, risk assessment, and response); information and
communication; and monitoring.
The Chief Risk Officer will ensure adequate coordination and communication between the risk
management and Internal Audit functions. This includes discussions with the internal auditors on
the scope and coverage and internal audit findings
Daily Status Reviews – Delivery
Hiding risks and/or denying problems can inhibit the future success of the company. Everybody
should be encouraged to identify problems and new risks and therefore the project manager must
have a positive attitude toward risk. Hexaware management has created a constructive
environment / daily status review forum in which all employees feel free to raise concerns and
admit mistakes.
External Audits & Assessments:
External auditors, regulators, and other external bodies reside outside the organization’s structure,
but they have an important role in the organization’s overall governance and control structure.
External audits and security and other assessments are performed annually or as per the frequency
defined in the standards. These audits and assessments are carried out to measure the effectiveness
of the internal audit, assurance reviews and other internal assessments. The first, second and third
level of Défense control’s effectiveness is measured based on the outcome of these reviews.
Tailoring /Exceptions: In a few cases the second and third level of Défense related activities may
be carried out by the same group due to the overlap in the operational responsibilities.

Combined view - Level of Défense

PRIME For Internal Use Only Document Ver. 1.4
Page 22 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

4.3 Communication & reporting

The outcomes of the risk management are published & communicated to the relevant stakeholders
across the organization. The timely communication of the outcomes enables the Sr. Management
and board to take appropriate decisions. The report is also helping the leaders from the middle
management teams to take mid-course corrective actions to reduce the consequences.

Hexaware has open culture environment. Different forums such as Periodic CEO Town-Halls,
Leadership Town-Halls, Team connect, HR connects where employees can understand the
existing risks and voice out the new/associated risks/impacts if any to the leadership/management
team.

5.0 Climate Risk Management

It is widely recognized that continued emission of greenhouse gases will cause further warming
of the Earth and that warming above 1.5° Celsius (1.5°C), relative to the pre-industrial period,
could lead to catastrophic economic and social consequences. For managing climate related risks,
Hexaware adheres to practices of “Task Force on Climate-related Financial Disclosures (TCFD)”
which is a framework providing guidance on Climate Risk Management. The climate risks will
be managed as per the Risk Management process detailed in Section 3. 0 Risk Management
Approach.
Climate Risks as per our Risk Management approach
a) Physical Risks (Risks related to the physical impacts of climate change.)
Acute risks • Cyclone
• Floods
• Wildfire
Chronic risks • Heat stress
• Water stress

b) Transition Risks (Risks related to the transition to a lower-carbon economy)

PRIME For Internal Use Only Document Ver. 1.4

Page 23 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

Policy & Legal • Regulatory compliance in regions of

operation
• Emissions reduction targets of
countries and regions of operation
Market • Customer and investor demand for
sustainable business services
• Product/Service price variations
• Energy efficiency in operations and
shift to renewable energy sources
• Supplier resilience and practices
• Client preferences and standards
Technology • Proliferation of climate-smart
technology and equipment
• Energy Efficiency and Performance
Optimization
Reputation • Stakeholder and investor preferences

6.0 Training & awareness

In order to increase the knowledge and competency related to enterprise risk management
framework the following activities will be undertaken:

• The CRO shall identify the training needs for all employees and stakeholders from risk
management perspective
• Periodic awareness sessions and end of training assessments for the relevant stakeholders
(Risk owners, key members of the support function etc.)
• Periodic Awareness mailers to all employees

7.0Annexure
Annexure 1: Risk register format

Stakeholders Initial Risk Assessment

Risk Initial Controls/
Source Risk Impact Probability Risk Mitigation
Risk
# (Internal Cause Treatment Supported (Low, (Low, Rating plan
Description Owner
/ Category By Medium Medium (Green, /Action
External) High) High) Amber, plan
Red)

PRIME For Internal Use Only Document Ver. 1.4

Page 24 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

Residual Risk after mitigation

Is Risk
Residual Early
Impact Probability Treatment Residual Risk
Rating Warning
(Low, (Low, required for Risk Proposed Status
(Green, Indicators
Medium Medium residual Treatment Action Plan
Amber,
High) High) risks? (Yes Category
Red)
or No)

Hex 5692- Enterprise Risk Management Risk Register

Annexure 2: Definitions

Enterprise Risk Management (ERM)

COSO’s (Committee of Sponsoring Organization of Treadway Commission) integrated
framework defines ERM as:
“Enterprise risk management is a process, effected by an entity’s board of directors, management
and other personnel, applied in strategy setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives.”

Risk
One of the standard definitions of risk accepted worldwide in the domain of enterprise risk
management has been framed by Committee of Sponsoring Organization of Treadway
Commission (COSO) as a part of its ‘Enterprise Risk Management – Integrated Framework’ It
defines risk as:
‘Risk is the possibility that an event will occur and adversely affect the achievement of objectives.’
According to ISO 31000 standards, risk is the “effect of uncertainty on objectives” where an effect
is a positive or negative deviation from what is expected.
In line with the above leading practices risk at HEXAWARE is defined as ‘the possibility that an
event will happen and adversely impact achievement of HEXAWARE’s objective’.

Risk Owner
Risk Owner is the person with the accountability and authority to manage a risk.

Risk Coordinator
The risk coordinator is the person nominated by risk owner to assist the risk owner in managing
the risk management activities within the domain of respective risk owner.

PRIME For Internal Use Only Document Ver. 1.4

Page 25 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

Risk Identification
Risk identification is the process of identifying the organization’s exposure to uncertainty.
Risk Identification is the continuous process that helps the organization to proactively identify the
parameters that can negatively /positively /both ways impact the organization / the specific entity
of the organization to meet its business objectives.
The organization can use different techniques for identifying uncertainties that may affect one or
more objectives. (Refer Risk management guidelines HEX-2224 to get more details on the Risk
identification techniques)
Input Tools Output

✓ Information from the ✓ Document reviews Risk Register

past ✓ Information gathering
✓ Business /Strategic Techniques
Plan (Brainstorming, Delphi,
✓ Threats, FMEA, etc.)
vulnerabilities, ✓ Taxonomy
capabilities, and based risk
opportunities questionnaire
affecting business
✓ Internal / External
Factors
✓ Compliance
reviews
✓ Risk based internal Audits

Key parameters
The following are some of the key parameters that denotes the characteristics of the risk
• Source: The elements/factors that may potentially increase the risk to the business
objectives. The following are the key internal and external factors to identify the risk
sources
# Internal External
1 business objectives, strategies, political & economical changes
tactical plans, policies
2 enterprise governance, operational & socio-cultural factors
organizational structure, roles
and accountabilities

PRIME For Internal Use Only Document Ver. 1.4

Page 26 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

3 processes, standards, innovations & technological changes

guidelines followed by the
organization
4 people skills and awareness relationships, perceptions, values, needs
and expectations
5 internal assets, systems, tools, contractual relationships and
applications, and configurations commitments
6 customer data handling external vendor/third-party
/Information processed and dependencies
information flows
7 cyber security controls and legal, regulatory implications
data privacy controls
8 contractual relationships and environment related parameters
commitments;
• Event: Change of environment / change in regular operational circumstance
• Likelihood or probability: The chances of the risk occurrence
• Consequences or impact: The effect of the risk towards the business objectives (positively,
negatively, or both)
• Appetite, Tolerance & Threshold: Appetite is the quantum /amount of risk that the
organization is prepared to take / pursue. The threshold is the single point value/
goal/metric, and the tolerance is the variation /range/acceptable level in which the risk
appetite can be pursued.
• Risk residuals: The threat a risk poses after considering the current mitigation activities in
place to address it and can be an important metric for assessing overall risk appetite. A risk
tolerance range for acceptable levels of residual risk is typically set by the committee
responsible for risk management oversight.
This means that if a risk’s impact on the organization, multiplied by its likelihood of occurring,
multiplied by the effectiveness of current mitigation activities falls outside of the level deemed
acceptable, then the risk factor is out of tolerance.
Business process owners must then adjust mitigation activities, procedures, or controls in order to
keep the residual risk within the defined risk tolerance.
Setting enterprise risk tolerances is a calibration exercise, meaning you need to collect a number
of risk assessments for areas known to have high and low risk.
This provides an opportunity to compare residual risk to measurements of known acceptability.
Risk Assessment
Risk assessment is the overall process of risk analysis and risk evaluation. It allows an entity to
consider the extent to which potential risk events have an impact on achievement of objectives.

Annexure 3: Format for reporting Early Warning Indicators (Illustrative)

In order to control the risks effectively, the frequency of monitoring plays an important role.

PRIME For Internal Use Only Document Ver. 1.4

Page 27 of 28
 Hex 5689

ENTERPRISE RISK MANAGEMENT POLICY & FRAMEWORK

In order to enable this practice, the early warning indicators are defined with the following
parameters
• Reporting frequency
• Source of Data
• Threshold
• Tolerance Range
• Actual value
• Current Status in -Red, Amber, Green
As per the frequency defined, the entity level SPOC’s /managers must collect the actual data and
measure the current status of the risk appetite.

Annexure 4- EWI Indicators

Hex 5690 - Consolidated Early Warning Indicators (EWI)

Annexure 5: Risk Policy and Framework Mapping with COSO

• Refer Hex 5691 – ERM Framework Mapping with COSO Framework

PRIME For Internal Use Only Document Ver. 1.4

Page 28 of 28