Final Risk Management Manual Edition 1

  • 8/17/2019 Final Risk Management Manual Edition 1

    1/46

     

    First Edition

    Risk Management Manual

    Total Quality Management
    217, Nazrul Islam Avenue, Kolkata - 700059

    - 1 - | Page Total Quality Management

    Company Profile

    Exide Industries Limited is the country’s largest manufacturer of lead acid storage batteries and Power storage solutions provider. With seven battery manufacturing plants, two inverter plants and two smelting plants, international-standard factories spread across the nation for producing batteries, the company offers one of the widest ranges of batteries for every conceivable application in automotive as well as industrial segments. Exide also has manufacturing facilities in Sri Lanka & Singapore and does business globally through its subsidiaries and international affiliates.

    Exide’s products are sold globally, particularly in developed markets like Australia, Japan and Western Europe, under its own brand names.

    Exide’s strong brand pull, established in India for more than a hundred years, is supplemented by its nationwide dealer network and a very strong R&D center. With the help of its collaborators – Shin Kobe and Furukawa of Japan and East Penn of the US – Exide has consistently remained at the cutting edge of international battery technology and introduced various pioneering products and Power storage solutions in the Indian and global markets.

    Exide’s vast product range, which includes everything from the smallest UPS batteries to the giant submarine batteries, finds applications in automotive, two-wheelers, inverters, UPS, Power, telecom and railways, among others. Exide is also present in the non-conventional energy business, where it designs and integrates solar and wind Power solutions for use in remote areas of the country.

    Exide’s customer list includes some of the topmost international names in industries as diverse as automotive, earth moving equipment, telecom and UPS manufacturers. Exide has recently branched out into the synergistic business of manufacturing and marketing its own range of home UPS systems, thereby offering a total end-to-end solution to its customers.

    RISK MANAGEMENT POLICY

    We at Exide Industries Limited, in the pursuit of our vision to be recognised as a World Class Company and be the customers’ preferred choice in energy storage system, are subject to certain risks that affect our ability to operate, serve customers, protect assets and implement strategies. These risks are an integral part of our operations / processes and are present across the organisation. We are committed to minimizing / eliminating these risks through effective risk management to:

    • Achieve our business objectives
    • Control organization exposure to risks and
    • Strengthen corporate governance

    Further, it is the policy of the company to:

    • Identify all risks in external and internal context of business as legal, regulatory, social, cultural, political, operational, strategic, technological, etc. and deploy effective risk mitigation strategies to minimize/eliminate their adverse effects on our endeavour to achieve organizational objective, mission and vision.
    • Establish, implement and maintain an effective Risk Management System across the organization and ensure identification, evaluation, analysis and mitigation of risks through the standard process, metrics, monitoring, control and review mechanism.
    • Ensure that organisation experience and learning in risk management is managed, shared and utilized to improve our preparedness and ability to deal with risks.
    • Continually improve the adequacy and effectiveness of Risk Management System and deploy best of breed processes to minimize risks.
    • Comply with applicable legal, statutory requirements related to Risk Management System.
    • Ensure review of Risk Management policy periodically or in response to significant events or changes in circumstances.

    The Risk Management Policy shall be made available to all stakeholders and interested parties.

    Paban Kr.Kataky

    MD & CEO

    10th April 2015

    Sl.No  Contents

    1  Introduction
    2  Principles
    3  Terms And Definitions
    4  Framework
    4.1  General
    4.2  Mandate And Commitment
    4.3  Design Of Framework For Managing Risk
    4.3.1  Understanding Of The Organization And Its Context
    4.3.2  Establishing Risk Management Policy
    4.3.3  Accountability
    4.3.4  Integration Into Organizational Processes
    4.3.5  Resources
    4.3.6  Establishing Internal Communication And Reporting Mechanisms
    4.3.7  Establishing External Communication And Reporting Mechanisms
    4.4  Implementing Risk Management
    4.4.1  Implementing The Framework For Managing Risk
    4.4.2  Implementing The Risk Management Process
    4.5  Monitoring And Review Of The Framework
    4.6  Continual Improvement Of The Framework
    5  Process
    5.1  General
    5.2  Communication And Consultation
    5.3  Establishing The Context
    5.3.1  General
    5.3.2  Establishing The External Context
    5.3.3  Establishing The Internal Context
    5.3.4  Establishing The Context Of The Risk Management Process
    5.3.5  Defining Risk Criteria
    5.4  Risk Assessment
    5.4.1  General
    5.4.2  Risk Identification
    5.4.3  Risk Analysis
    5.4.4  Risk Evaluation
    5.5  Risk Treatment
    5.5.1  General
    5.5.2  Selection Of Risk Treatment Options
    5.5.3  Preparing And Implementing Risk Treatment Plans
    5.6  Monitoring And Review
    Corporate Risk Register
    Annexure-1  Company Level Goal & Critical Success Factor
    Annexure-2  Functional Level Goal & Critical Success Factor
    Annexure-3  Risk Register
    Annexure-4  Risk Treatment
    Annexure-5  Counter Measure (3W1H)

    Introduction To Risk Management

    To improve the Company’s ability to address the increasingly complex internal and external legal issues and potential business, in 2015 Exide Industries Limited (“The Company”) began to apply the concept of risk management. Through risk management, the Company expects to proactively identify potential critical problems for the Company’s business and to be able to perform the mitigation measures that are considered the most optimal. To conduct these functions, the Company established the Risk Management Executive committee.

    As the framework for risk management, Exide Industries Limited has established the implementation of a risk management manual that is prepared with reference to the rules and standards of the Executive Committee of the Organization. The socialization phase has been implemented for the managerial level staff through in-house training, internal seminars, implementation mentoring, dissemination through the media intranet, and other activities. To facilitate its application in the field, a risk management handbook has been formulated and distributed to the leadership ranks of Exide Industries Limited at the “E” Grade and above, or to Key Persons that have been authorized to manage risk in their respective processes.

    A risk is a potential event that negatively affects the achievement of the vision, mission, goals and targets of the Company or organizational unit. Risk Management is an attempt to minimize the negative effects from the various sources of risks facing the Company’s business activities so that objectives can be achieved optimally. The Risk Management Division is responsible for ensuring that analysis and management of risk have been conducted for all units of the organization and for ensuring that the analysis and management of risk have been implemented in an effective, efficient and consistent manner at each process.

    To ensure that the implementation of Risk Management in the Company has been conducted audit according to the standards set by ISO9001:2015,

    To support the implementation of Risk Management in all processes, the Executive committee has prepared the infrastructure as a means to guide/train, socialize and mentor.

    Risk factors have been identified, which are spread throughout almost all processes. The risks identified are recorded in a Risk register of Exide Industries Limited.

    The implementation of risk management in the Company is done, among others, through the following activities:

    o  The dissemination of risk management implementation internally in the Company, including the EIL Executive committee.
    o  Risk analysis for processes and corporate risks, conducted as a representation of the Company risk reporting and as a base for strategic decisions by Management, which is included in the annual Business Plan.
    o  Through mentoring the preparation of risk analysis by prioritizing the main activities of the Company.
    o  Through preparation of the Company’s risk register.
    o  Through risk analysis of strategic Company projects (Lead Acid storage batteries).
    o  Through spot risk analysis associated with the actual conditions facing the Company.
    o  Conducting risk analysis of environmental, health and occupational health aspects.
    o  Implementing different Management Systems (i.e., QMS, TS, EMS & OHSAS) by completing the Key Performance Indicators (KPI) for the Unit Work Targets with Key Risk Indicators (KRI) in order to mitigate the performance achievements.

    The business risks faced by Exide Industries Limited as a Lead acid storage battery company are classified into four types of risk. These are:

    1.  Strategic risks (Business Risk), i.e. risks that are strategic for the development of the company, such as technology development, government policies, investment plans, new product development, etc.
    2.  Operational Risk, the risk of loss due to the failure or inadequacy of the quality control of business processes.
    3.  Support Processes Risk, risks that directly or indirectly lead to losses, i.e. financial risk, environmental risk (those impacts on environmental degradation, environmental pollution, social disruption, the company’s reputation, etc.),

    Principles Of Risk Management

    For risk management to be effective, an organization should at all levels comply with the principles below.

    a) Risk Management Creates And Protects Value.

    Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.

    b) Risk Management Is An Integral Part Of All Organizational Processes.

    Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.

    c) Risk Management Is Part Of Decision Making.

    Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.

    d) Risk Management Explicitly Addresses Uncertainty.

    Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.

    e) Risk Management Is Systematic, Structured And Timely.

    A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

    f) Risk Management Is Based On The Best Available Information.

    The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.

    g) Risk Management Is Tailored.

    Risk management is aligned with the organization's external and internal context and risk profile.

    h) Risk Management Takes Human And Cultural Factors Into Account.

    Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization's objectives.

    i) Risk Management Is Transparent And Inclusive.

    Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.

    j) Risk Management Is Dynamic, Iterative And Responsive To Change.

    Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.

    k) Risk Management Facilitates Continual Improvement Of The Organization.

    Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.

    [Figure: Relationships Between Risk Management Principles, Framework & Processes]

    Term And Definition

    Sr.no | Terms | Definition
    1 | Risk | Effect of uncertainty on objectives
    2 | Risk management | Coordinated activities to direct and control an organization with regard to risk
    3 | Risk management framework | Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization
    4 | Risk management policy | Statement of the overall intentions and direction of an organization related to risk management
    5 | Risk attitude | Organization's approach to assess and eventually pursue, retain, take or turn away from risk
    6 | Risk management plan | Scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk
    7 | Risk owner | Person or entity with the accountability and authority to manage a risk
    8 | Risk management process | Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk
    9 | Establishing the context | Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy
    10 | External context | External environment in which the organization seeks to achieve its objectives
    11 | Internal context | Internal environment in which the organization seeks to achieve its objectives
    12 | Communication and consultation | Continual and iterative processes that an organization conducts to provide, share or obtain information and to engage in dialogue with stakeholders regarding the management of risk
    13 | Stakeholder | Person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
    14 | Risk assessment | Overall process of risk identification, risk analysis and risk evaluation
    15 | Risk identification | Process of finding, recognizing and describing risks
    16 | Event | Occurrence or change of a particular set of circumstances
    17 | Consequence | Outcome of an event affecting objectives
    18 | Likelihood | Chance of something happening
    19 | Risk profile | Description of any set of risks
    20 | Risk analysis | Process to comprehend the nature of risk and to determine the level of risk
    21 | Risk criteria | Terms of reference against which the significance of a risk is evaluated
    22 | Level of risk | Magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood
    23 | Risk evaluation | Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
    24 | Risk treatment | Process to modify risk
    25 | Residual risk | Risk remaining after risk treatment
    26 | Monitoring | Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected
    27 | Review | Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives

    4. Framework

    4.1 General

    The success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout Exide at all levels. The framework assists in managing risks effectively through the application of the risk management process (see Clause 5) at varying levels and within specific contexts of Exide. The framework ensures that information about risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant processes.

    This clause describes the necessary components of the framework for managing risk and the way in which they interrelate in an iterative manner, as shown,

    4.2 Mandate And Commitment

    Exide introduces risk management and ensures its ongoing effectiveness with strong and sustained commitment by management of the organization, as well as strategic and rigorous planning to achieve commitment from all levels. Management of Exide Industries Limited:

    o  define and endorse the risk management policy;
    o  ensure that the organization's culture and risk management policy are aligned;
    o  determine risk management performance indicators that align with performance indicators of the organization;
    o  align risk management objectives with the objectives and strategies of the organization;
    o  ensure legal and regulatory compliance;
    o  assign accountabilities and responsibilities at appropriate levels within the organization;
    o  ensure that the necessary resources are allocated to risk management;
    o  communicate the benefits of risk management to all stakeholders; and
    o  ensure that the framework for managing risk continues to remain appropriate.

    4.3 Design Of Framework For Managing Risk

    4.3.1 Understanding Of The Organisation And Its Context

    Exide has identified its external and internal context for the design and implementation of the framework for managing risk. Evaluating the external context includes and is not limited to:

    The social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;

    External Risks

    • Economic Risk

    The battery industry is an industry that produces solutions for all types of batteries related to Lead acid storage batteries to meet the needs of automotive, Industrial, Defence etc. Therefore, the Company has taken strategic steps to anticipate various scenarios of events that could adversely affect the Company’s business continuity.

    • Raw Materials Scarcity Risks

    Major raw materials of Exide, namely Lead, still come from imports, so there is the risk of shortages of raw materials for production. The efforts by the Company to minimize the negative impact of the risk of scarcity of raw materials include, among others:

    o  Encourage the establishment of local smelters to support the needs of Lead raw materials.
    o  Working closely with R&D and collaborators in research to minimise the wastage of raw materials.
    o  Expand the network of suppliers for long-term supply of raw materials.
    o  Improving the database and evaluating the performance of suppliers.

    • Energy Scarcity Risks (Gas And Electricity)

    Energy is a major raw material requirement of the battery industry. In order to minimize the negative impacts of the risk of energy shortages, the Company has initiated the following:

    o  Promote an internal program for energy efficiency through efficiency programs in all operational areas.

    • Risk Of Damage And Loss Of Assets

    To control the risk of damage and loss of assets, the Company has initiated the following:

    o  Develop the inventory management as prevention and protection against damage or loss of the Company’s assets.
    o  Insure all assets and property of the Company that are exposed to the risk of loss due to damage, fire, loss and other possible causes.
    o  Insure all goods (cargo) that are in transit (transport) with respect to the agreed terms of delivery by the seller or buyer.
    o  Insure all possible losses that might occur to the assets themselves and third parties who are located at the office and factory areas owned by the Company.

    • Risk of Exchange Rate Fluctuations

    Under the floating exchange rate system implemented by the Government, Rupiah exchange rate movements against foreign currencies, including U.S. dollars, are difficult to predict. The possibility of the Rupiah depreciating against the dollar or other hard foreign currencies is very real. For the Company, the depreciation of the Rupiah will greatly affect the cost structure, given its substantial dependence on imported raw materials. To control this risk, the Company initiated the following efforts:

    o  Established sale prices adjusted for exchange rate changes.

    • Business Competition Risk

    The Lead Acid storage Battery industry is relatively open. Demand does not make significant restrictions on market share. To control this risk, the Company initiated the following:

    o  Improve cost competitiveness in all areas.
    o  Ensure accuracy and speed in handling consumer claims.
    o  Meet on-time delivery and quality demands.
    o  Establish a network of distributors.
    o  Analyse annual customer feedback to strengthen the Company’s relationships with customers, while also enhancing customer loyalty.
    o  Conduct annual customer satisfaction surveys to determine the level of customer satisfaction with the Company’s products, and to determine aspects that need to be improved on an on-going basis.

    • International Regulatory Risk

    Globalization, among others, is marked by an increasing role of the World Trade Organization (WTO), giving birth to a variety of new regulations, which makes business competition in the entire production chain, from raw materials procurement to distribution and sale of products, increasingly stringent. To minimize the adverse effects of market liberalization, the Company initiated the following efforts:

    o  Regularly assessing the impact of international regulations on the Company.
    o  Propose solutions to the minister and the ministries concerned to protect the interests of the industry.

    • Risk of Government Policy

    Trends in world trade, together with domestic influence government policy. As a precaution against possible negative impacts, the Company initiated a variety of efforts including:

    o  Study the impact of government policies on the Company and follow up on these studies.
    o  Propose solutions to the minister and the relevant Technical Department to protect the interests of the national industry.

    Internal Risk

    Evaluating the internal context includes and is not limited to:

    • Operation Risk Factory

    To control the risk of possible disruption of plant operations, the Company has conducted the following actions:

    o  Implemented predictive programs and preventive maintenance consistently.
    o  Conducting daily, weekly and monthly studies on the operating performance of its production facilities to increase efficiency and profitability.
    o  Assess and implement the revitalization program to ensure reliable operation of production facilities.

    • Employee Risk

    Risks associated with personnel issues are very broad, including accidents, health, pension plans, retirement, termination of employment, and more. To minimize such risks, the Company has initiated the following steps:

    o  Involve all employees in the Workers Social program (Social Security), which includes insurance for Accidents, Death Benefits, and Pension Plans, through the Body for the Implementation of the Labor Social Security Program in accordance with the legislation in force.
    o  Providing health care to employees and their families.
    o  Organizing Pension Plans and Old Age Retirement Programs.
    o  Provide and grant the rights of employees in accordance with the Collective Labor agreement between the Company and Labor Unions.

    • Environmental Impact Risk

    Environmental pollution, for any reason, can have a negative impact on the work environment, employee health, and safety of workplace equipment, and can also give rise to lawsuits. As evidence of the Company’s commitment to environmental protection, the Company has commissioned a unit specifically tasked with managing Safety, Health and Environment. The Company has also consistently and dutifully implemented rules and regulations, including those set out in the Environmental Management System (ISO 14000) and Occupational Health Safety Management system (OHSAS).

    4.3.2 Establishing Risk Management Policy 

    Exide has defined its risk management policy, which clearly states the organization's objectives for and commitment to “risk management”, as defined on page number 2 of the Risk Management Manual Edition 1.

    4.3.3. Accountability

    Exide has ensured that there is accountability, authority and appropriate competence for managing risk, including implementing and maintaining the risk management process and ensuring the adequacy, effectiveness and efficiency of any controls.

    Organisation chart (positions shown in the figure):

    MD & CEO
    Jt. MD. Dir-Indl.
    Chief – TQM & MR
    Chief-Manufacturing Industrial
    Chief-Manufacturing Automotive
    Chief R&D-Auto
    Chief R&D-Indl
    Chief-Commercial
    Chief – VD
    Dir-Finance
    Dir-HR, Personnel
    Com. Sec & Sr. VP Legal
    VP Projects
    VP-Sub
    EVP Special Projects
    EVP-Infra, Mktg. & Sales
    EVP-FMIB-Business
    Mktg, Sales & Service Orgn
    GM-IT
    COM-Hsr, COM-Chn, COM-Tlj, COM-Shm, Dy. COM-Hal, COM-Bwl, COM-Ahm
    Dy COM-CML, Dy COM-CAIL, Dy COM-Haridwar, Dy COM-Roorkee
    MRR-Hsr, MRR-Chn, MRR-Tlj, MRR-Shm, MRR-Hal, MRR-Bwl, MRR-Ahm, MRR-R&D, MRR-CPSSL, MRR-CML, MRR-CAIL, MRR-Haridwar, MRR-Roorkee

    Roles And Responsibilities

    Management Board

    o  Annual review of the risk register and mitigation of risks, ensuring that the risk management process works effectively.
    o  Identification of additional corporate risks and their mitigation plan.

    Executive Committee

    o  Identification of corporate risks, their mitigation plan, and effective deployment of risk management process.
    o  Half-yearly review of corporate risks, mitigating actions and their effectiveness.
    o  Ensure evaluation of risk while making decisions, ensure preparedness & control.

    Process Heads

    o  To identify risks to the achievement of their unit’s business plan which might also be corporate risks to compliance officer of such risks.
    o  To identify relevant mitigating actions, to include these within their unit’s business plan, and to ensure the business plan is achieved.
    o  Implement the mitigating actions, monitor & ensure control for effectiveness.

    Compliance Officer

    To manage the risk management process ensuring that:

    o  The Corporate Risk Register is presented to the board as appropriate;
    o  The risk register is accessible, and employees are encouraged to contribute towards mitigation action.
    o  Inconsistencies, gaps and process deviations in the Corporate Risk Register are identified & addressed.
    o  To ensure that the Corporate Risk Management Policy is kept up to date.
    o  Ensure that applicable regulatory & statutory requirements pertaining to risk management are fully addressed.
    o  Ensure timely reporting / response to any query to regulatory & statutory authorities.

    4.3.4 Integration Into Organisational Process

    Exide has embedded in all the processes in a way that risk management is

    relevant, effective and efficient. The risk management process should becomepart of, and not separate from, those organizational processes. In particular,risk management has embedded into the policy development, business andstrategic planning and review, and change management processes.Exide ensure that the risk management policy is implemented and that riskmanagement is embedded in all of the processes.

    4.3.5 Resources 

    Exide has allocated appropriate resources for risk management where majorconsideration has been given to the following:

    o  People, skills, experience and competence;o  Resources needed for each step of the risk management process;o  The organization's processes, methods and tools to be used for

    managing risk;o  Documented processes and procedures;o  Information and knowledge management systems; ando  Training programmes.


    4.3.6 Establishing Internal Communication And Reporting Mechanisms

    Exide has identified the following process for internal communication:

    o  The individual process owner will identify the risk within the process.
    o  The risk will be communicated to the process head.
    o  Team of process head within the process will review the risk assessment.
    o  The team will forward the risk to the executive committee.


    o  The executive committee will review the risk assessment and give its report to the process head if it is found not satisfactory.
    o  If the assessment is found satisfactory, the same will be forwarded to the managing board.
    o  The board will finally give its decision based on business / policy requirement.

    4.3.7 Establish External Communication And Reporting Mechanisms

    Exide Industries Limited has developed and implemented a plan to communicate with external stakeholders. This has involved:

    o  Engaging external stakeholders and ensuring an effective exchange of information in board meeting.
    o  Reporting to comply with legal, regulatory, and governance requirements;
    o  Providing feedback and reporting on communication and consultation;
    o  Using communication to build confidence in the organization; and
    o  Communicating with stakeholders in the event of a crisis or contingency.

    These mechanisms, where appropriate, include processes to consolidate risk information from a variety of sources.


    4.4 Implementing Risk Management

    4.4.1 Implementation Of The Framework Of Managing Risk

    Exide has developed and implemented a plan as to how it will communicate with external stakeholders. This should involve:

    o  engaging appropriate external stakeholders and ensuring an effective exchange of information;
    o  external reporting to comply with legal, regulatory, and governance requirements;
    o  providing feedback and reporting on communication and consultation;
    o  using communication to build confidence in the organization; and
    o  communicating with stakeholders in the event of a crisis or contingency.

    These mechanisms should, where appropriate, include processes to consolidate risk information from a variety of sources, and may need to consider the sensitivity of the information.

    The following framework will be used for identifying and recording the risks identified with the organisation.


    Risk Identification: The Process of finding, recognizing and describing a Risk

    associated with an event that might.

    4.4.2 Implementation Of Risk Management Process 

    Risk management should be implemented by ensuring that the risk management process outlined in Clause 5 is applied through a risk management plan at all relevant levels and functions of the organization as part of its practices and processes.

    Risk Management Process

    [Figure: Achievement of objectives, with the labels Delay, Create, Enhance, Prevent, Accelerate and Degrade]


    Risk Management process

    1 Risk identification

    o  Create risk management infrastructure for the organization.
    o  Define business risk management.
    o  Review stated business goals.
    o  Identify and define customer/stakeholders/interested parties and their association it goals.
    o  Identify and define implied expectations.
    o  Identify potential risks in the business.

    2 Risk assessment

    o  Transform risk data into decision-making information.
    o  For each risk, describe likely impacts and the effect on business goals.
    o  Estimate risk probabilities.
    o  Identify risks to be escalated / delegated within the organization.
    o  Identify risks to be transferred outside the organization.
    o  Rank the retained risks based on their probability / impact scores.

    3 Risk treatment

    o  Identify owners for retained risks.
    o  Translate risk information into decisions and present and future mitigating actions.
    o  Plan controlling actions for the most significant risks.
    o  Prioritize controlling actions based on the impact on reducing risks.
    o  Integrate risk planning with technical, commercial and financial proposals.

    4 Monitoring

    o  Monitor business risk indicators.
    o  Correct for deviations from the plans.
    o  Implement selected controlling actions.
    o  Monitor effectiveness of controlling actions.
    o  Report on retained risks.

    5 Counter measure

    o  Monitor effectiveness of controlling actions.
    o  Capture results of risk management program.
    o  Use information to learn from experience.


    4.5 Monitoring And Review Of The Framework

    In order to ensure that risk management is effective and continues to support organizational performance, Exide will:

    o  Measure risk management performance against indicators, which are periodically reviewed by the executive committee and the managing board;
    o  Have the executive committee review periodically on a quarterly basis, and the managing board on a half-yearly basis, to check effectiveness;
    o  Periodically review whether the risk management framework, policy and plan are still appropriate, given the organization's external and internal context;
    o  Report in the form of audit report and VCS on risk, progress with the risk management plan and how well the risk management policy is being followed; and
    o  Review the effectiveness of the risk management framework.

    4.6 Continual Improvement Of The Framework

    Based on results of monitoring and reviews, the managing board will take decisions on how the risk management framework, policy and plan can be improved. These decisions will lead to improvements in the organization's management of risk and its risk management culture.


    5. Process

    5.1 General 

    Exide has identified its risk management process as:

    o  An integral part of management,
    o  Embedded in the culture and practices, and
    o  Tailored to the business processes of the organization.

    It comprises the activities described in 5.2 to 5.6. The risk management process is shown in Figure 3.

    5.2 Communication And Consultation

    Exide has identified a process of communication and consultation with external and internal stakeholders during all stages of the risk management process.

    Plans for communication and consultation have been developed at an early stage. These plans address issues relating to the risk itself, its causes, its consequences, and the action being taken to treat it. Effective external and internal communication and consultation are in place to ensure that those accountable for implementing the risk management process and stakeholders understand the basis on which decisions are made.


    The Executive committee approach will:

    o  Help establish the context appropriately;
    o  Ensure that the interests of stakeholders are understood and considered;
    o  Help ensure that risks are adequately identified;
    o  Bring different areas of expertise together for analyzing risks;
    o  Ensure that different views are appropriately considered when defining risk criteria and in evaluating risks;
    o  Secure endorsement and support for a treatment plan;
    o  Enhance appropriate change management during the risk management process; and
    o  Develop an appropriate external and internal communication and consultation plan.

    Exide has developed activity for effective communication and consultation with stakeholders to make judgements about risk based on their perceptions of risk. The decision will vary due to differences in values, needs, assumptions, concepts and concerns of stakeholders. As their views can have a significant impact on the decisions made, the stakeholders' perceptions will be identified, recorded, and taken into account in the decision making process. Communication and consultation will facilitate truthful, relevant, accurate and understandable exchanges of information, taking into account confidential and personal integrity aspects.

    5.3 Establishing The Context

    5.3.1 General

    By establishing the context, the organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process. While many of these parameters are similar to those considered in the design of the risk management framework (see 4.3.1).

    5.3.2 Establishing The External Context

    Exide has an external context in which the organization seeks to achieve its objectives. Exide understands that it is important in order to ensure that the objectives and concerns of external stakeholders are considered when developing risk criteria. It is based on the organization-wide context, but with specific details of legal and regulatory requirements, stakeholder perceptions and other aspects of risks specific to the scope of the risk management process. Exide has identified its external context, which includes but is not limited to:

    o  The social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;


    o  Key drivers and trends having impact on the objectives of the organization; and
    o  Relationships with, perceptions and values of external stakeholders.

    5.3.3 Establishing The Internal Context

    The internal context is the internal environment in which Exide seeks to achieve its objectives. The risk management process has been aligned with the Exide culture, processes, structure and strategy. Internal context that can influence the way in which an organization will manage risk is considered. It has been established concerning:

    o  Risk management in the context of the objectives of the organization;
    o  Objectives and criteria of a particular project, process or activity are in line with the objectives of the organization.

    Exide has identified its internal context, which includes but is not limited to:

    o  Governance, organizational structure, roles and accountabilities;
    o  Policies, objectives, and the strategies that are in place to achieve them;
    o  Capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
    o  The relationships with and perceptions and values of internal stakeholders;
    o  The organization's culture;
    o  Information systems, information flows and decision making processes (both formal and informal);
    o  Standards, guidelines and models adopted by the organization; and
    o  Form and extent of contractual relationships.

    5.3.4 Establishing The Context Of The Risk Management Process

    Exide has identified objectives, strategies, scope and parameters of the processes where the risk management process is being applied. The management of risk will be undertaken with full consideration of the need to justify the resources used in carrying out risk management. The resource defines responsibilities and authorities, and the records to be kept in a risk management register. The contexts of the risk management process are defined as follows.


    Risk Register

    Column groups: Risk Identification; Risk Assessment

    Columns: Risk Number; Date Identified; Critical Success Factor; Risk Description; Cause; Consequence; Probability; Impact; Risk Score; Risk Ranking; Risk Level - L.M.H; Current Controls; Risk Treatment Method

    It has involved the following aspects:

    o  Defining the goals and objectives of the risk management activities;
    o  Defining responsibilities for and within the risk management process;
    o  Defining the activity, process, function, project, product, service or asset in terms of time and location;
    o  Defining the risk assessment methodologies;
    o  Defining the way performance and effectiveness is evaluated in the management of risk (as defined above in risk analysis);
    o  Identifying and specifying the decisions that have to be made; and
    o  Identifying, scoping or framing studies needed, their extent and objectives, and the resources required for such studies.

    Attention to these and other relevant factors should help ensure that the risk management approach adopted is appropriate to the circumstances, to the organization and to the risks affecting the achievement of its objectives.

    5.3.5 Defining Risk Criteria

    Exide has defined criteria to be used to evaluate the significance of risk. The criteria will reflect the organization's values, objectives and resources. Some of the criteria are imposed by, or derived from, legal and regulatory requirements and other requirements to which the organization subscribes. Risk criteria are in line with the organization's risk management policy (see 4.3.2), are defined at the beginning of any risk management process and are continually reviewed. When defining risk criteria (refer 4.4.1), factors to be considered should include the following:


    Risk Analysis

    The process to comprehend the nature and level of risk. This involves consideration of causes & sources of risk, their impact/consequences, and likelihood.

    5.4.1 General

    Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.

    5.4.2 Risk Identification

    Exide will identify:

    o  sources of risk,
    o  areas of impacts,
    o  events (including changes in circumstances) and
    o  their causes and their potential consequences.

    The aim of this step is to generate a comprehensive list of risks based on those events that will create, enhance, prevent, degrade, accelerate or delay the achievement of objectives. It is important to identify the risks associated with not pursuing an opportunity. Comprehensive identification is critical, because a risk that is not identified at this stage will not be included in further analysis.

    o  Identification will include risks whether or not their source is under the control of the organization, even though the risk source or cause may not be evident.
    o  Risk identification will include examination of the knock-on effects of particular consequences, including cascade and cumulative effects.
    o  It will also consider a wide range of consequences even if the risk source or cause may not be evident.
    o  As well as identifying what might happen, it is necessary to consider possible causes and scenarios that show what consequences can occur.
    o  All significant causes and consequences will be considered and recorded into the risk register.


    5.4.3 Risk Analysis

    o  Risk analysis involves developing an understanding of the risk.
    o  Risk analysis provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods.
    o  Risk analysis will also provide an input into making decisions where choices must be made and the options involve different types and levels of risk.
    o  Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences will occur.
    o  Factors that affect consequences and likelihood should be identified.
    o  Risk is analyzed by determining consequences and their likelihood, and other attributes of the risk.
    o  A project will have multiple consequences and can affect multiple objectives. Existing controls and their effectiveness and efficiency should also be taken into account.
    o  The activity in which consequences and likelihood are expressed and the process in which they are combined to determine a level of risk must reflect the type of risk, the information available and the purpose for which the risk assessment output is to be used.
    o  It is also important to consider the interdependence of different risks and their sources.
    o  The confidence in determination of the level of risk and its sensitivity to preconditions and assumptions should be considered in the analysis, and communicated effectively to decision makers and stakeholders.
    o  Factors such as divergence of opinion among experts, uncertainty, availability, quality, quantity and ongoing relevance of information, or limitations on modelling should be stated and can be highlighted.
    o  Risk analysis must be undertaken with varying degrees of detail, depending on the risk, the purpose of the analysis, and the information, data and resources available.
    o  Consequences and their likelihood can be determined by modelling the outcomes of an event or set of events, or by extrapolation from experimental studies or from available data.
    o  Consequences will be expressed in terms of tangible and intangible impacts. More than one numerical value or descriptor is required to specify consequences and their likelihood for different times, places, groups or situations.


    Risk Assessment - Impact

    The impact of a risk shall be assessed as per the criteria given below.

    Impact       Rating   Criteria
    Very Low     1        Likely to have very minor impact in one area
    Low          2        Likely to have minor impact in many areas
    Medium       3        Likely to have major impact in one area
    High         4        Likely to have major impact in many areas
    Very High    5        Likely to have major impact in whole Exide

    Risk Assessment - Probability

    The identified risks shall be assessed for their likelihood (probability) as per the criteria given in the table.

    Probability  Rating   Assessment Criteria
    Very Low     1        Extremely unlikely, virtually impossible (0-5% chance)
    Low          2        Low but not impossible (6-20% chance)
    Medium       3        Fairly likely to occur (21-50% chance)
    High         4        Most likely to occur (51-80% chance)
    Very High    5        Almost certain, will occur (81-100% chance)

    5.4.4 Risk Evaluation

    o  Exide has identified a process of risk evaluation to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation.
    o  Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered.
    o  Decisions will take account of the wider context of the risk and include consideration of the tolerance.


    o  The risk evaluation can lead to a decision to undertake further analysis.
    o  The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls.
    o  This decision will be influenced by the organization's risk attitude and the risk criteria that have been established.

    Risk Evaluation Matrix

    Impact \ Probability   Very Low (1)   Low (2)   Medium (3)   High (4)   Very High (5)
    Very High (5)          5              10        15           20         25
    High (4)               4              8         12           16         20
    Medium (3)             3              6         9            12         15
    Low (2)                2              4         6            8          10
    Very Low (1)           1              2         3            4          5

    Criteria     Condition
    Very High    Major impact at organization level posing direct threat to business
    High         Major impact due to disruption of processes in many areas
    Medium       Major impact due to disruption of site specific process
    Low          Minor impact due to disruption of activities at multiple sites
    Very Low     Minor impact due to disruption of activities at multiple sites


    Corporate Risk Register

    Exide has appointed a competent person to comprehensively review the risks identified by process heads, review their comprehensiveness, interactions and linkages, and identify the critical risks that the company is exposed to. This is documented as the Corporate Risk Register.

    The following steps have been followed to prepare the corporate risk register:

    o  Training, understanding of framework to all the process heads
    o  The identification of risks along with process heads following analysis & evaluation criteria established
    o  Filtration of high impact risks as an input to corporate risk register
    o  Additional risks which might have not been covered, inter functional nature of risks
    o  Preparation of draft corporate risk register
    o  Review of draft corporate risk register by EXCOM and identification of additional risks on a half-yearly basis.
    o  Incorporation of EXCOM input and concluding final risk register.
    o  Taking input for risk criticality rating (Scale 1-5, 5 being highly critical) from EXCOM and key leadership positions having insight to external and internal business environment.
    o  Declaration of Final "Corporate Risk Register".
    o  EXCOM will decide whether the risk has to be discussed in board meeting based on the criticality of risk.
    o  Repeat this cycle on annual frequency.

    5.5 Risk Treatment

    5.5.1 General

    Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Once implemented, treatments provide or modify the controls. Risk treatment involves a cyclical process of:

    o  Assessing a risk treatment;
    o  Deciding whether residual risk levels are tolerable;
    o  If not tolerable, generating a new risk treatment; and
    o  Assessing the effectiveness of that treatment.

    Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. The options can include the following:

    o  Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;


    o  Taking or increasing the risk in order to pursue an opportunity;
    o  Removing the risk source;
    o  Changing the likelihood;
    o  Changing the consequences;
    o  Sharing the risk with another party or parties (including contracts and risk financing); and
    o  Retaining the risk by informed decision.

    5.5.3 Preparing And Implementing Risk Treatment Plans

    Exide has identified that risk treatment plans are to be recorded in 5W1H & 3W1H records. The information provided in a treatment plan includes:

    o  The reasons for selection of treatment options, including expected objective to be gained;
    o  Proposed actions;
    o  Resource requirements including contingencies;
    o  Performance measures and constraints;
    o  Reporting and monitoring requirements; and
    o  Timing and schedule.

    Action plans will be integrated with the management processes of the organization and discussed with appropriate stakeholders. Decision makers and other stakeholders will be aware of the nature and extent of the residual risk after risk treatment. The residual risk will be documented and subjected to monitoring, review and, where appropriate, further treatment.

    The corporate risk treatment plan will be prepared by a cross functional team (CFT) depending on the scope of risks. The following steps shall be followed for treatment of corporate risks. The CFT shall be appointed by EXCOM.

    o  Risk treatment planning shall be done by appointed CFTs. The CFT shall do the necessary preparatory action towards this planning, including availability of relevant information, estimation etc.
    o  The CFT shall present the planned treatment action to the Executive Committee for necessary input towards comprehensiveness of plan.
    o  The necessary resource approval shall be done for treatment actions.
    o  Each planned action shall have clearly defined responsibility with time line as per 5W1H format.
    o  The CFT shall meet on monthly frequency, and review the progress of plan. The gap shall be identified in 3W1H formats.
    o  The CFT shall monitor the respective KPIs against plan.
    o  Monthly MIS shall be prepared and communicated to the compliance officer.


    5.6 Monitoring And Review

    Both monitoring and review will be a planned part of the risk management process and involve regular checking in the form of audit (frequency: half-yearly), and a risk management system audit on an annual basis.

    It will be reviewed every quarter by the executive committee. The monitoring and review processes will encompass all aspects of the risk management process for the purposes of:

    o  ensuring that controls are effective and efficient in both design and operation;
    o  obtaining further information to improve risk assessment;
    o  analyzing and learning lessons from events (including near-misses), changes, trends, successes and failures;
    o  detecting changes in the external and internal context, including changes to risk criteria and the risk itself which will require revision of risk treatments and priorities; and
    o  identifying emerging risks.

    Progress in implementing risk treatment plans provides a performance measure. The results will be incorporated into the organization's overall performance management, measurement and external and internal reporting activities in the form of audit. The results of monitoring and review will be recorded and internally reported to the executive committee, and will also be used as an input to the review of the risk management framework (see 4.5).

    5.7 Recording The Risk Management Process

    o  Record of risk management will be maintained in the form of risk register & corporate risk register for the retention period of 3 years. The custody of the record will be with the compliance officer.
    o  MIS for KPIs will be retained for a 12-month trend.


    Company Level Goal & Critical Success Factors

    Columns: Company level Goal; Strategic / Operational; SBU Level Goal; Critical Success Factor; Key Performance Indicator; Unit of Measurement; 2012-13 Actual; 2013-14 Actual; 2014-15 Actual; Industry best Benchmark; Name of Bench Mark Organisation; Target for 2015-16; Target for 2016-17; Target for 2017-18; Remarks


    Risk Register

    Column groups: Risk Identification; Risk Assessment

    Columns: Risk No.; Date Identified; Critical Success Factor; Risk Description; Cause; Consequence; Probability; Impact; Risk Score; Risk Ranking; Risk Level - L.M.H; Current Controls; Risk Treatment Method


    RISK TREATMENT

    Form fields: Dept.; Risk No.; Risk Rank.; Critical Success Factor; KPI; Risk Description; Project Leader; Team members; Current State; Target; Problem definition; Root causes

    5W1H

    Columns: S. No.; What; When; Where; Who; Why; How; Start Date; End Date


    Counter Measure/ 3W1H

    S. No. What When Who How