Risk Management Committee

Our governance framework establishes strategic guidelines for achieving our sustainability goals. The Board of Directors (‘Board’) is central to our corporate governance system. To ensure effective decision-making and long-term success, the Board is tasked with overseeing regulatory compliance, risk management, corporate social responsibility (CSR), and sustainability, while upholding ethical and transparent business practices.

Governance Framework and Board Operations

The Board of the Risk Management Committee and the Executive Risk Management Committee help to oversee risk management activities across the organisation.

The purpose of the Board Risk Management Committee is to assist the Board in fulfilling its corporate governance oversight responsibilities in identifying, evaluating, and mitigating strategic, operational, and external environmental risks. It is responsible for approving and monitoring the implementation of the enterprise risk management framework and associated practices of Tata Projects.

The Committee reviews the risk governance structure, risk assessment, and risk management practices, guidelines, policies, and procedures. It evaluates the Company’s significant risk exposures and assesses management’s actions to mitigate exposures in a timely manner, including one-off initiatives and ongoing activities.

Risk Management Framework

The Risk Management Framework has encapsulated our approach to risk management and defined its practices. Risk Management policies, procedures, and plans guide business operations in proactively managing risk matters.

Our end-to-end risk management activities involve a comprehensive approach to identifying, assessing, prioritising, and mitigating risks that may impact the organisation. These activities are designed to protect Tata Projects from potential threats and uncertainties that could negatively impact its objectives, operations, or stakeholders.

The Risk Management Framework defines the organisation’s risk management policy, objectives, and the roles and responsibilities of individuals involved in managing risks. It also provides a structure for implementing risk management processes across Tata Projects:

1. Identify and assess potential risks that can affect the organisation’s strategic, financial, operational, and compliance objectives. This can be achieved through various methods such as brainstorming, risk workshops, risk registers, and risk analysis tools.
2. Assessment of the potential impact and likelihood of each risk occurring with the help of a Risk Officer.
3. Prioritise the risks through risk scoring, risk mapping, or other quantitative and qualitative methods.
4. Development of risk mitigation strategies by respective risk owners. Mitigation strategies include risk avoidance, risk reduction, risk transfer, or risk acceptance. Each risk may require a different approach, and mitigation strategies must be tailored to the specific characteristics of each risk.
5. Implementation of risk mitigation strategies involving various stakeholders across the organisation. Communication and collaboration are essential to ensure that all relevant individuals and departments are aware of the risks and the mitigation plans in place.
6. Monitor and review risks – critical components of end-to-end risk management. This ensures that the organisation remains agile and responsive to changing risk factors.

At Tata Projects, we have rolled out a Crisis Management and Business Continuity Framework to enhance the effectiveness of risk containment efforts. Additionally, the Enterprise Risk Management Framework records the organisation’s risk management efforts, allows for transparency and accountability, and serves as a reference for future risk assessments and reviews.

Processes in Risk Management

Risk Management Practices

Enterprise Risk Management

At Tata Projects, we believe that an effective risk management process is key to sustained operations. It helps protect shareholder value, improve governance processes, achieve strategic objectives, and prepare for adverse situations or unplanned circumstances. All our employees are responsible for the effective management of risks in every aspect of the business. The leadership team is committed to building and maintaining a risk-vigilant culture across all ranks of the Company.

Our approach to risk management is segregated into Enterprise Risk Management and Operational Risk Management (project-level risk management). These two levels have an individually distinct, yet collectively aligned gamut of risk management activities. Top risks are identified, ownership and accountability are assigned, and mitigation actions, progress, and results are regularly monitored in various review forums. Risk ownership and awareness are strengthened by deploying the right controls and additional measures with the execution teams.

The Board and Executive Risk Management Committees provide direction and resources for effective remediation of key risk exposures. Various practices, tools, and templates nudge the operations teams to bring pertinent risk matters to the attention of business leaders to initiate appropriate interventions.

Enterprise Risk Management Framework, Systems, and Policies

Enterprise Risk Management (ERM) systems and policies are essential components of the Company’s strategic framework for identifying, assessing, and mitigating risks across the enterprise. We have adopted a holistic ERM approach, enabling proactive risk management and the seizing of opportunities that could impact strategic objectives, operations, and financial performance.

End-to-end risk management activities involve a comprehensive approach to identifying, assessing, prioritising, and mitigating risks that may impact the organisation. These activities are designed to protect against potential threats and uncertainties that could negatively impact the Company’s objectives, operations, or stakeholders. End-to-end risk management encompasses various processes and steps to ensure effective risk management across the organisation.

At its core, ERM seeks to cultivate a culture of risk awareness and accountability throughout the organisation, integrating risk management into decision-making processes at all levels. This involves developing and implementing comprehensive ERM systems and policies that align with the organisation’s risk appetite, tolerance, and objectives.

Policies and Procedures

Our Risk Management Policy defines the objectives and the roles and responsibilities of individuals involved in managing risks. The framework sets the tone for risk management activities and provides an ongoing structure for implementing risk management processes across the Company.

Risk Governance Structure

A well-defined risk governance structure has been established with clear demarcation of responsibility and accountability for managing risks. It outlines the roles and responsibilities of the Board of Directors, senior management, risk committees, and other stakeholders in overseeing and driving the ERM process. This structure ensures that risk management is integrated into the organisation’s governance framework and that there is appropriate oversight of risk-related activities.

Risk Identification and Assessment

This involves identifying potential risks that could affect our strategic, financial, operational, and compliance objectives through methods such as brainstorming, risk workshops, risk registers, and risk analysis tools.

Business and functional teams, with the help of the Risk Officer, assess the potential impact and likelihood of each risk using well-defined criteria and assessment methodologies. Risks are prioritised through risk scoring, risk mapping, and other quantitative and qualitative methods to determine their relative importance. This enables us to focus our resources and attention on the most critical risks.

Risk Mitigation and Control

Our ERM systems and policies include guidelines and processes for mitigating and controlling identified risks to an acceptable level. This involves developing risk treatment plans, implementing control activities, and monitoring key risk indicators to ensure effective management within established tolerance levels.

Mitigation strategies may include risk avoidance, risk reduction, risk transfer, or risk acceptance. Each risk requires a tailored approach, with strategies customised to the specific characteristics of each risk.

Reporting and Communication

Effective communication and reporting are vital components of ERM systems and policies. Risk governance systems establish clear reporting mechanisms and communication channels to ensure the timely and accurate dissemination of risk-related information to relevant stakeholders, including the Board, management, and employees. Transparent and accessible reporting fosters a shared understanding of the organisation’s risk profile and promotes informed decision-making.

Monitoring

Monitoring and reviewing risks are critical components of end-to-end risk management. Processes are in place to monitor the effectiveness of risk mitigation strategies, track changes in the risk landscape, and review the organisation’s risk profile regularly. These activities ensure that the organisation remains agile and responsive to changing risk factors.

In addition to proactive risk management activities, we must be prepared to respond to and recover from risks when they occur. This involves developing and testing contingency plans, crisis management procedures, and business continuity strategies to ensure effective response and recovery from unexpected events or crises. We have implemented a Crisis Management and Business Continuity Framework to enhance the effectiveness of our risk containment efforts.

Risk Management Organogram

Risk Mitigation Approach

Our Risk Management policy is available on our website: https://tataprojects.com/wp-content/uploads/2023/04/RiskManagement_policy.pdf

Board Risk Management Committee members: https://www.tataprojects.com/wp-content/uploads/2024/08/TPL%20Committees%20as%20on%2001%20Aug%202024.pdf

• Mr. Sanjay Bhandarkar (Chairman: Independent Director)
• Ms. Nishi Vasudeva (Member: Independent Director)
• Mr. Deepak Natarajan (Member: CFO)

Project Risk Management

Project risk management is the process of identifying, assessing, and responding to risks that could impact a project’s objectives. It ensures that projects are completed on time, within budget, and to the required specifications, safety, and quality standards. It can also enhance stakeholder confidence and satisfaction.

The Risk Management Policy of Tata Projects outlines the establishment of an effective and integrated framework for managing its risk management process. Considering the nature of our business, the risks have been categorised into two broad areas: enterprise-level (strategic / company-wide) and project / operational level.

Roles & Responsibilities

The Project Manager is the owner of all Project Risk Management processes during execution and is the primary point of focus for managing risk identification, risk assessment, and treatment strategy finalisation. The Project Manager is assisted by the Project Risk Manager, who works closely with other functionaries of the project.

Risk Assessment and Mitigation

Risk	Risk / Opportunity	Risk definition	Opportunity	Mitigation Measures	Linkage to Strategic Objective	Material Issues addressed	Impact on Capital	Stakeholders impacted
Predictable Project Delivery	Risk and Opportunity	The risk of project delivery falling short of its commitment on timelines, costs, and quality stems from various factors, including but not limited to inadequate planning, inadequate resources,  ineffective project management and / or unforeseen challenges	Ability to deliver projects within planned timelines, budgets and quality expectations would provide a competitive advantage to the Company and support its endeavour of  becoming a preferred EPC partner for reputed companies	Go / no-go decisions (project selection) are taken based on a thorough assessment of the client requirements, availability of company resources and capabilities (man, machine and material), cost estimations, cash flow requirements, and technological partnerships, project complexity considering factors like technical requirements, size, location, stakeholder involvement, regulatory compliance, and other risk factors Identification of key technological domains critical to project success and seeking partnerships that bring relevant expertise and solutions to the table Ensuring appropriate contract terms and conditions that help mitigate risks associated with default on client’s obligations, contract  / price variations, etc Strong internal processes for project planning and management, resource management, quality and safety delivery, project risk assessment and mitigation and on-going project management including financial performance Investment in project management capability development Rigorous project review and monitoring through Operational Review Meetings and Business Review Meetings (ORMs / BRMs) A structured change management process to manage scope changes effectively Pre-qualification and performance monitoring for select categories of suppliers / contractors Strong internal controls over financial accounting and monitoring	Operational Excellence Trust of external stakeholders	Product safety and quality	Financial Manufactured Human Intellectual	Employees Customers Suppliers Investors
Liquidity Management and Capital Allocation	Risk	Considering the nature of the industry the Company operates in, its cash flows are stretched. The Company thus needs to effectively manage its liquidity and capital allocation priorities	-	Diversified client base and project portfolio to reduce dependency on a single client or project Effective credit control framework Strong relationships with banks and financial institutions to ensure timely access to credit facilities or funding options to manage short term liquidity requirements Comprehensive processes to monitor and drive continuous improvements in working capital metrics at corporate and project level Effective project governance supported with thorough financial analysis and due diligence to ensure appropriate cost estimations including future costs, past performance and trends, capital allocation requirements, etc.	Financial Leadership Operational Excellence Trust of external stakeholders	Risk Management and Business continuity	Financial	Customers Suppliers Investors
Dispute Resolution	Risk	Potential risks involved in resolving disputes either with the client / customer or with vendors / sub-contractors, arising out of the respective contracts	-	Well qualified and experienced teams to proactively identify, manage and address disputes; supported by a network of  reputed law firms Formal framework for review of contractual terms and appropriate escalation of onerous terms for effective decision making Strengthening internal processes and controls to adequately ensure compliance with contractual obligations Robust mechanism to respond to notices and defend the Company’s position in all claims and litigation                 Organisation structure enhanced with document controllers for all key projects to strengthen documentation of exchange of correspondence / communication with external parties that would assist in responding to disputes and defending company claims	Financial Leadership	Risk Management and Business Continuity	Financial	Customers Suppliers Investors
Cyber Security	Risk and Opportunity	Cyber threats and attacks may compromise the confidentiality, integrity, and availability of the Company's digital assets, infrastructure and sensitive / business critical information. This can have significant financial, operational, and reputational consequences for the Company	Effective management of cyber security risk will help enhance trust of customers who are more likely to partner with businesses that are able to protect data Effective compliance with regulatory requirements	Comprehensive cyber security risk management framework with use of advanced tools including but not limited to firewalls, IPS / IDS (Intrusion prevention system / Intrusion detection system), Network segmentation, ZTNA (Zero Trust Network Access), Multi factor authentication, Secure Data Storage and Backup, etc. Conducting periodic Vulnerability assessment for critical infrastructure assets and applications to proactively identify and remediate potential vulnerabilities and enhance security posture Continuous monitoring through 24x7 SOC monitoring and SIEM in place to maintain constant vigil and preventing, detecting, analysing and responding to cybersecurity issues Building employee awareness of cyber security risks	Operational Excellence Trust of external stakeholders	Risk Management and Business Continuity	Financial	Employees Customers Suppliers Investors
Talent Management	Risk	Challenges associated with attracting, developing, and retaining talent within the organisation	Effective talent retention can result in higher probability of successful and predictable project delivery. This would help create a competitive advantage for the Company driving its ability to capture the right business opportunities	Project specific talent management strategy designed right from pre-award stage A robust recruitment and selection process to attract top talent, including leveraging professional networks, partnering with educational institutions, or utilising external recruitment agencies with relevant industry expertise Enrichment of skills and competencies through training, education assistance, and leadership development programmes including specific programmes on capability building of Project Managers and Resident Construction Managers Compensation and benefits benchmarking to remain competitive Focused employee engagement to reduce attrition and increase sense of belonging	Great place to work	Employee Management and Development, Diversity and Inclusion	Human	Employees
Ethics and Compliance	Risk and Opportunity	Ever evolving landscape of laws and regulations requires timely identification, analysis, and adaptation of requirements as any non-compliance may lead to fines, penalties, criminal prosecution, and loss of reputation Non compliance with Tata Code of Conduct provisions / negligence / fraudulent actions to obtain unfair advantage or harm the Company’s interest by employees, contractors or suppliers	Strong ethics and compliance reputation can be a source of competitive advantage in an environment where stakeholders are increasingly conscious and demanding of corporate accountability	An effective and reasonably designed, implemented, and enforced compliance and ethics programme under the oversight of Board level Audit Committee Well-defined and widely communicated policies, procedures, and guidance together with awareness and trainings to drive understanding and adherence Focused interventions to strengthen the culture of compliance across stakeholder categories An effective system of internal controls that helps ensure compliance with the laws and regulations of the countries in which TPL does business including those over financial reporting Monitoring of compliances through an e-enabled compliance management framework Comprehensive mechanisms to triage, investigate, respond to, and report on any potential, suspected or actual non-compliance or breach of Code of Conduct Internal audits to provide compliance assurance	Trust of stakeholders ESG Stewardship	Business Ethics and Compliance Sustainable Corporate Governance Human Rights	Human	Employees Customers Suppliers Investors Community
Input Material Inflation	Risk	Challenges and volatilities associated with rising cost of major raw materials and components used in construction projects	-	Appropriate contracting terms with customers and suppliers to adequately mitigate the risk of increased costs Building resilient supply chains and driving value engineering initiatives Basis thorough market analysis and due diligence, utilse appropriate financial instruments to mitigate the impact of input material inflation on project costs Effective project planning and resource allocation	Financial Leadership Operational Excellence	Risk Management and Business Continuity	Financial	Customers Investors
ESG and Climate Change	Risk and Opportunity	Failure to address Environmental, Social, and Governance factors that may impact the Company’s operations, performance and reputation Physical risks  (climate risk) such as increased severity of extreme weather events could disrupt supply chains, halt operations, and damage valuable assets. This can also alter operating conditions (temporarily or permanently), e.g., soil conditions and adversely affect people deployed on sites	-	Comprehensive ESG policy and governance framework with board-level review of ESG  roadmap Regular monitoring of sustainability risks against sustainability targets Site-level sustainability knowledge improvements sessions and plans implemented Focused interventions towards monitoring and reducing energy consumption through various energy and emission saving initiatives Adoption of best practices and guidelines for managing community quality of life through effective noise control, dust management, and traffic management Robust health and safety measures to safeguard the well-being of workers and surrounding communities Adherence to international standards and best practices in occupational health and safety Driving supply chain sustainability through responsible sourcing Adequate and appropriate corporate governance structures to drive accountability and  transparency Detailed evaluation of green vendors and revised green vendor evaluation norms, in line with global norms for disclosures Monthly vendor training programmes at project / site level Strong framework of processes and controls to ensure accuracy, reliability, and transparency of financial reporting and control systems including  procedures for preventing fraud or mismanagement	ESG Stewardship	Sustainable Corporate Governance Emissions Energy Management Waste and Circular Economy Water and Effluents Bio diversity and Ambient Sound Monitoring	Natural Manufactured Human	Community Employees Investors

Hazard Identification and Risk Assessment

At Tata Projects, Enterprise Risk Management is closely integrated with Safety and Health requirements, ensuring a comprehensive approach to identifying, assessing, and mitigating risks across the organisation. This is achieved through well-defined processes such as the Hazard and Effect Management Process (EPM No. 13.02.01) and the HSE Communication Process (EPM No. 13.02.04), which are foundational to our proactive risk management strategy.

Central to this approach is the Risk Assessment (RA) team, composed of experts from various disciplines. The RA team conducts thorough risk assessments across project sites, offices, and manufacturing units, evaluating both routine and non-routine activities. Factors such as infrastructure, human elements, and potential emergencies are considered, with risk ratings assigned using a standardised matrix (Fig 2). The organisation also maintains a Hazard Identification and Risk Assessment (HIRA)/Aspect Register, which documents all identified risks. Control measures are communicated to the workforce through Toolbox Talks or HIRA talks before any work begins. These systematic processes ensure that Safety and Health considerations are integrated into strategic planning and daily operations, fostering a culture of safety and risk awareness throughout the organisation.

Incident Reporting and Investigation

At Tata Projects, incident reporting and investigation are categorised into six distinct types based on severity, each managed through a standardised process with specific timelines and stakeholder involvement. When an incident occurs, a dedicated investigation team, led by the corporate HSE head or BU HSE head, conducts a thorough investigation. The investigation results in a detailed report outlining root causes along with corrective and preventive actions (CAPAs). These actions are promptly implemented by the RCM to prevent recurrence, with updates made to procedures and the Hazard Identification and Risk Assessment (HIRA) processes as needed. Learnings from incidents, particularly those categorised as High Potential Incidents (HiPos) or Potential Severe Events (PSEs), are communicated and deployment is ensured through our Incident Action Tracker, facilitated by our digital tool.

This approach underscores Tata Projects' commitment to maintaining a safe and secure working environment, with continuous improvement driven by robust risk management and incident response processes.