Risk Management

1 Introduction

This report on risk management covers many dimensions of the risk management function at Infosys. The risk-related information discussed in this section may not be exhaustive. The report may also contain forward-looking statements. The business is subject to many uncertainties that could cause actual results to differ materially from those in the forward-looking statements (Zhu & Fukushima, 2009). If some of these risks materialise, the company's prospects, financial condition and business could be materially and adversely affected. Its prospects, financial performance, operating results and business could also be adversely affected by risks and uncertainties that are not presently known or that are not presently thought to be practical.

2 An Overview

Below is an overview of the Infosys Enterprise Risk Management (ERM) function, which enables the achievement of strategic goals by identifying, analysing, assessing, mitigating, monitoring and governing any potential threat or risk to those goals. Although achieving the strategic goals is the main driver, the company's ERM framework is built on its values, culture, obligations and commitment towards its employees, customers, investors, regulatory bodies, partners and community (Ben-Tal et al., 1998). The systematic and proactive identification of risks and their mitigation enables quick and effective decision-making and boosts the organisation's performance. The ERM function is a decision enabler that not only seeks to minimise the impact of risks but also allows risks to be allocated appropriately on the basis of risk appetite and the ranking of their impacts. Strategic decisions are made after a detailed study of the primary, secondary, tertiary and residual risks.

ERM at Infosys covers all the risks faced by the organisation, across categories that include strategic, operational, legal and compliance risks. Any category may have internal or external dimensions. Appropriate risk indicators are therefore used to identify these risks proactively (Föllmer & Schied, 2002).

3 Main Constituents of the ERM Framework at Infosys

Infosys uses an integrated ERM framework, which the Office of Risk Management deploys throughout the organisation. The framework is based on global standards and is tailored to the needs of the business.

Figure 1: Integrated ERM Framework of Infosys.

4 Risk Governance Structure

The Infosys risk management framework is applied at many levels across the organisation. The main responsibilities involved in managing risk in the organisation are described below:

  1. Board of Directors: The Board of Directors is responsible for approving the main business objectives to be attained by the organisation. It must also ensure that management is focused on mitigating the risks. In addition, it is responsible for reviewing the performance of the Risk and Strategy Committee (Ruszczyński & Shapiro, 2006).
  2. Risk and Strategy Committee (RSC): This committee comprises 6 members or independent directors. Its main role is corporate governance oversight of the identification, evaluation and mitigation of strategic, operational, legal and compliance risks. It must also approve and monitor the organisation's risk management framework and the associated practices, and review and approve risk-related disclosures.
  3. Individuals and Project Teams: The main roles and responsibilities of individuals and project teams are to abide by the risk management policies and procedures, to implement the prescribed risk mitigation actions, and to report risk-related events and incidents from time to time (Shapiro et al., 2009).
  4. Risk Council (RC): This council consists of the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer and Chief Risk Officer. Its responsibilities include oversight of risk management practices, covering identification, impact assessment, monitoring, mitigation and reporting. It also periodically reviews the enterprise's risks to the achievement of the business objectives, initiates mitigation actions, identifies owners for those actions and reviews their progress. Its duties further include formulating and deploying risk management policies and procedures. It is also entrusted with updating the Board and the RSC from time to time on the risks encountered and the steps taken.
  5. Office of Risk Management (ORM): This office is led by the Chief Risk Officer and consists of a network of risk managers from the business units and the specialist groups. Its duties include facilitating the execution of risk management practices within the organisation in the areas of risk identification, monitoring, mitigation and reporting. It gives the Risk Council and the RSC updates from time to time on the risks to the main business objectives and on their mitigation (Soyster, 1973). It also works closely with the business units, the business-enabling functions and the owners of mitigation actions to deploy mitigation measures and examine their effectiveness. Working closely with the business continuity management, internal audit, intellectual property, information security and quality audit teams on the identification, monitoring and mitigation of operational risks is also among the duties of the Office Risk Managers (Jabbour et al., 2008).
  6. Unit Risk Managers: Unit Risk Managers make sure that their units are administered in line with the company's risk management practices, and that their individual business units comply with the risk management policies and procedures set out by the organisation. They are also responsible for managing the risks that accompany business decisions within their unit, area of operations and span of control. In addition, they are expected to ensure the effectiveness of the risk mitigation actions in their respective areas. Another important duty is to report the risk events and incidents connected to their units from time to time.

5 Business Objectives

Both Infosys and its industry are transforming considerably, which has heightened the risks connected to strategic choices and strategy execution as well as the conventional operational and compliance risks. The business objectives are set out in a corporate scorecard as a set of specific near-term goals and long-term strategic goals. The goals cover the continued long-term sustainability of the organisation, attracting and retaining talent, cost-optimisation initiatives, operational excellence and maintaining the momentum of software-enabled services. The initiatives also include reducing the effect of possible changes to labour and immigration regulations in the US and various other nations (Artzner et al., 1999).

6 Risk Categories

The risk management framework considers the following broad categories of risk:

  1. Strategy: This category covers the risks arising from decisions made while defining the strategies, as well as the risks to the eventual execution of those strategies. For instance, risks inherent to the industry and to competitiveness are analysed and mitigated through strategic decisions on target markets, the company's market offerings, business models and the talent base. Information on the company's strategies is given in other parts of the documents (Lüthi & Doege, 2005). The probable risks to the long-term scalability and sustainability of the organisation are also analysed and mitigated, for instance the societal risks connected to the influence the strategies have on the environment, local communities and the protection of important resources.
  2. Operational risks: Risk elements arising from external and internal factors that affect the policies, procedures, people and systems in the support functions of Infosys, and thereby affect service delivery, compromise the company's most important values or are out of line with universally accepted business practices, are considered in this category. The following risks can be mentioned in this respect:
     • Risks with regard to inefficiencies in various internal processes
     • Risks concerned with disruptions in business activities due to natural disasters
     • Regional conflicts or terrorist attacks
     • Telecom disruptions
     • Disruptions in systems
     • Cyber security breach or malware attacks
  3. Legal and compliance: This category covers risks arising from threats to the organisational, financial or reputational standing of the company that result from non-conformity with or violations of laws and regulations, contractual compliance, potential litigation, the code of conduct or other prescribed practices of the organisation. It also includes potential risks that emerge from important geopolitical or regulatory changes, and risks that arise from business, strategic or operational decisions (Infosys, 2019).

7 The process of risk management

The organisation's ERM framework defines the steps for identifying, evaluating and assessing risk. Residual and secondary risks are used as key inputs when deciding on the main risk mitigation strategies.

Risk governance

The company has adopted a multi-level governance structure to oversee and report the different kinds of risks and their mitigations. Critical or cross-functional risks at each level are escalated to the next level of the governance structure. The critical risks under the different risk classifications at the Group level are evaluated by the Chief Executive Officer (CEO), Chief Risk Officer, Chief Financial Officer, Chief Operating Officer and the General Counsels at different councils. The critical risks emerging from these councils are reported to the internal Board of Directors and then to the Board's risk management committee on a quarterly basis (Infosys, 2019).

Risk Library

The Office of Risk Management has developed a multi-level risk register. At the highest level are the risks to achieving the company's strategic goals of Scaling Agile Digital and Energizing the Core. The register has also been set up to ensure organisational hygiene, which concerns efficiency, effectiveness, integrity, security and governance. Further down the hierarchy, the risk register includes the risks concerned with sub-processes as well as controlled risks.

The company's quantitative exposure to the risks at the different levels is aggregated in order to appraise the company's overall risk exposure. This hierarchy guarantees that there is a risk library common to the whole company (Infosys, 2017).

The common risk register is being activated on iGRC, the company's technology portal.


RISC360 is the company's Governance, Risk Management and Compliance (GRC) program, which brings the three layers of defence together under one umbrella in order to promote risk-based auditing and decision making. The company has implemented a technology platform known as iGRC to support the initiative. This new platform provides a consolidated picture of the strategic goals and the relevant risks for leadership, in order to facilitate quick and effective decision making throughout enterprise risk, in conformity with the Sarbanes-Oxley Act, corporate audit and internal audit. Integrating them on a platform common to the company ensures that audits are based on the risks attached to the overall structure of the company, and it captures the synergies among the different lines of defence (Infosys, 2019).

8 Risk management highlights for year 2019

During the period, the company's emphasis was on considering the adoption of the integrated ERM framework throughout the organisation and on strengthening the risk management program.

As part of appraising the major risks, the Office of Risk Management:

  • Evaluated business momentum relative to competition and competitive position in the major market segments, which comprise industries, geographies and service lines.
  • Consistently assessed progress in the execution of the various strategic programs, concentrating in particular on US localisation progress, the effects of automation, the development of digital services, the performance of subsidiaries, talent forecasting and fulfilment, leadership succession planning and the enhancement of traditional offerings (Infosys, 2017).
  • Assessed the business environment on a regular basis, taking into account the trend lines of external indicators such as client technology spend and revenue bookings from large outsourcing engagements. The risk elements prior to business penetration were also reviewed.
  • Assessed the risks concerned with the customer contract management process.
  • Reviewed the risks concerned with information security, including threat intelligence and cyber attacks, and the risks concerned with GDPR. It continued to monitor the progress of the mitigation actions.
  • Reviewed the actions and operational actions based on inputs from the internal risk register, externally conducted assessments, internal audit findings and relevant incidents.
  • Reviewed the areas of operational risk, including client service delivery, employee engagement and retention, employee training and development, safety of women, brand value and the value of capital expenditure incurred on the infrastructure management of business continuity.
  • Appraised major areas of development, e.g. Brexit, changes to immigration laws, minimum wage guarantees and the effect on clients' businesses operating in the regulatory business environment. This is more prevalent in countries and regions such as Continental Europe, the United States of America, the United Kingdom and Australia.
  • Appraised the accessibility of basic natural resources such as power and water, and how it affects the company's operations (Infosys, 2019).

9 Conclusion

Risk management plays a very important role in any company in mitigating or neutralising the elements that might otherwise turn out to be harmful for the business. From the above analysis of the facts, it is evident that Infosys has made serious efforts to manage risk effectively. Among other things, the company's risk management unit assessed the business environment on a regular basis, taking into account the trend lines of external indicators such as client technology spend and revenue bookings from large outsourcing engagements. The risk elements prior to business penetration were also reviewed. Collectively, these findings support the point that the company is capable of incorporating risk management measures.


Artzner, P., Delbaen, F., Eber, J.-M., Heath, D., 1999. Coherent risk measures. Mathematical Finance 9 (3), 203–228.

Barvinok, A., 2002. A Course in Convexity. American Mathematical Society, Ann Arbor.

Ben-Tal, A., Nemirovski, A., 1998. Robust convex optimization. Mathematics of Operations Research 23 (4), 769–805.

Föllmer, H., Schied, A., 2002. Convex measures of risk and trading constraints. Finance & Stochastics 6 (4), 429–447.

Infosys, 2017. Infosys: Annual Report 2016-17. Retrieved 14th October, 2019 from https://www.infosys.com/investors/reports-filings/annual-report/annual/Documents/AR-2017/financials/pdf/Infosys_AR17_Risk_Management_Report.pdf

Infosys, 2019. Infosys: Annual Report 2018-19. Retrieved 14th October, 2019 from https://www.infosys.com/investors/reports-filings/annual-report/annual/Documents/infosys-ar-19.pdf

Jabbour, C., Peña, J., Vera, J., Zuluaga, L., 2008. An estimation-free robust cvar portfolio allocation model. Journal of Risk 11, 57–78.

Lüthi, H.-J., Doege, J., 2005. Convex risk measures for portfolio optimization and concepts of flexibility. Mathematical Programming, Series B 104, 541–559.

Ruszczyński, A., Shapiro, A., 2006. Optimization of convex risk functions. Mathematics of Operations Research 31, 433–452.

Shapiro, A., Dentcheva, D., Ruszczyński, A., 2009. Lectures on Stochastic Programming: Modeling and Theory. SIAM, Philadelphia.

Soyster, A.L., 1973. Convex programming with set-inclusive constraints and applications to inexact linear programming. Operations Research 21 (5), 1154–1157.

Zhu, S., Fukushima, M., 2009. Worst-case conditional value-at-risk with application to robust portfolio management. Operations Research 57 (5)
