Thomas Cook (India) Limited

Risk Management Policy

Issued By: Mr Aniruddha Chaudhuri (Head - BPIA)

Recommended By: Risk Management Committee

Approved By: Board of Directors

Effective: August 2021

Version: 1.0

Page 1 of 26

Table of contents:

1. Foreword
2. Risk Management Committee
3. Risk Management Framework
4. Risk management
4.1 Risk management structure
4.2 Risk profiling
4.3 Risk mitigation
4.4 Risk monitoring and review
Annexure 1 - Top Internal & External Risks
Annexure 2 - Risk Evaluation Questionnaire
Abbreviations
Glossary


Risk management policy

1. Foreword

Thomas Cook (India) Limited (TCIL) is the leading integrated travel and travel-related financial services company in the country, offering a broad spectrum of services that include Foreign Exchange, Corporate Travel, MICE, Leisure Travel, Insurance, Visa & Passport services and E-Business.

Risk is an inherent part of the decision making process across the business and much of the success of the company is based upon seizing opportunities and managing the associated risks.

In order to effectively manage the risks, all areas of the company have a structured method for risk identification, measurement, evaluation, reporting, and risk mitigation.

The current dynamic and competitive business environment within which Thomas Cook (India) Limited operates makes it necessary for the company to establish an internally developed proactive and robust risk management framework. The framework will assist the Company in identifying and managing various internal, external and business risks such as credit, operational, market, financial, information technology including cyber security, BCP (business continuity planning), reputational, compliance, human resource and strategic risks, etc., in an effective manner with an aim to achieve its overall business objectives. For this purpose, Thomas Cook (India) Limited has implemented an organization-wide, multi-layered risk management framework aligned to its business needs.

Defining 'Risk'

In business terms, a risk is any threat that may prevent the achievement of business objectives. Whilst it primarily refers to risks with a negative impact, such as the loss of assets or of business reputation, it also includes risks related to those activities that aim to identify and exploit opportunities within our business.

Purpose and benefits of risk management

Risk management is the process of identifying and mitigating strategic, business, technical, financial and non-financial risks. Risks include events or occurrences that prevent the organization from achieving its business objectives in an effective manner.

The purpose of risk management is also to proactively identify potential risks/ events before they occur, so that risk management activities are planned and invoked as needed to manage adverse impacts on achievement of business objectives. An integrated and robust risk management framework can help support the maximization of business performance through:

  • Clarity of roles and responsibilities
  • Informed and risk-adjusted decision-making across the organization
  • Improved communication of risks to the Risk Management Committee and Audit Committee wherever required
  • Integrated governance practices, and
  • Reduced earnings volatility and increased profitability

Proprietary and Confidential

Scope and objective of enterprise wide risk management policy

The need for an enterprise wide risk management policy is to ensure that an effective risk management framework is established and implemented within Thomas Cook (India) Limited and to provide regular reports on the performance of that framework, including any exceptions, to the Risk Management Committee, and the Audit Committee. This risk management policy complements and does not replace other existing risk management policies such as the Credit Control or Information Security policies, or compliance programs, such as those relating to service, quality and regulatory compliance matters.

The key objectives of this risk management policy are to:

  • Provide an overview of the principles of risk management at Thomas Cook (India) Limited
  • Define the risk management structure for effective risk management, including roles and responsibilities of various participants in the risk management framework
  • Define the methods and thresholds for the evaluation of risks
  • Explain the methodology for identifying, assessing and managing existing and new risks
  • Specify guidelines for implementation of the risk management framework within the Company
  • Define the process to be followed for review and monitoring of various business risks.

To achieve the risk management objectives, the Company aims to adhere to the following risk management principles:

  • The identification and management of risk is integrated in the day to day management of the business
  • Risks are identified, continuously monitored, assessed, and reported in the context of the Company's appetite for risk and their potential impact on the achievement of objectives and managed to an acceptable level
  • The escalation of risk information is timely, accurate and gives complete information on the risks to support decision making at all management levels
  • Risk is primarily managed by the individual business units transacting the activity wherein the risk arises, and the support functions (e.g. airlines, credit control, IT, compliance, shared services centre, business process improvement & audit, etc.), and reported to the Executive Risk Committee and the Risk Management Committee for oversight and mitigating action, if any.
  • Employees actively engage in risk management within their own areas of responsibility and in a coordinated manner across the business units as mentioned above.
  • Activities which may affect the Company's image, reputation or financial stability will be reported to the Executive Risk Committee and the Risk Management Committee.

Ownership

The Risk Management Committee of TCIL will have the overall responsibility for the risk management policy, framework and its effectiveness. An Executive Risk Committee [comprising the MD, the ED & CEO, the CFO, the Heads of Business Units (BUs), and the Head of the Business Process Improvement & Audit (BPIA) team] will be responsible for its implementation and day to day monitoring.

Applicability

This policy applies to all employees of Thomas Cook (India) Limited and every part of its business and functions.

Approval authority

This risk management policy and periodic updates to it will be reviewed and recommended by the Risk Management Committee and subsequently approved by the Board of Directors of the Company.

2. Risk Management Committee

2.1 Composition:

The Risk Management Committee (RMC) shall have a minimum of three members, with a majority of them being members of the board of directors, including at least one independent director.

The Chairperson shall be a member of the board of directors and senior executives of the listed entity may be invitees/ members of the committee.

The Managing Director, the Chief Executive Officer, the Chief Financial Officer and the Head - Business Process Improvement & Audit shall be permanent invitees. The Company Secretary shall act as the Secretary to the Committee, whereas the Head of Business Process Improvement & Audit will be the rapporteur.


2.2 Quorum

The quorum for a meeting of the RMC shall be either two members or one third of the members of the Committee, whichever is higher, including at least one member of the board of directors in attendance.

2.3 Frequency of meetings

The RMC shall meet on a half yearly basis, and not more than one hundred and eighty (180) days shall elapse between any two consecutive meetings.

3. Risk Management Framework

The key elements of the company's internal risk management framework include:

  • Risk management structure
  • Risk profiling
  • Risk mitigation
  • Risk monitoring and review

Risk management structure

Risk management structure provides effective management of risks by establishing appropriate reporting relationships and authorization protocols. It facilitates identification, assessment, review and monitoring of risks and controls at appropriate levels within the Company and also includes roles and responsibility of key levels defined in the risk management structure.

Risk profiling

Risk profiling is the process of creating an organization-wide repository of risks impacting the business objectives. This phase begins with risk identification, followed by risk assessment and finally recording / updating of risks in the risk registers for risk monitoring and review.

Risk identification

Risk identification refers to the process of recognizing both internal and external potential risk factors/events affecting the achievement of business objectives and includes identification of their root causes and existing/ planned mitigation measures.


Risk register

The risk register is a central repository of organization-wide risks. The purpose of the risk register is to record identified risks and related information in a structured manner. The risk register is a key document used to communicate the current status of all known risks and is vital for management reporting.

Risk assessment

Risk assessment refers to the process of quantifying the Company's exposure to risks on the basis of their impact significance and likelihood of occurrence. This is to assist the company in quantifying the risk exposures and prioritizing risks for management oversight and review. Refer to Annexure 2 for the Risk Evaluation Questionnaire.

Risk mitigation

Mitigation of risks involves managing the Company's exposure to various risks and bringing them in line with the risk appetite of the Company through avoidance, reduction, transfer or acceptance of risk.

Risk monitoring and review

Risk review involves re-examination of risks recorded in the risk register on a periodic basis with an aim to determine current exposure to the Company and to review the progress of risk mitigating actions/controls (refer to Annexure 1 for top External & Internal Risks). The progress of risk mitigating actions/controls is measured by evaluating the Company's performance on the Key Risk Indicators ('KRI') defined for every risk.

KRIs are variances between budgeted and actual performance of various business activities and help to determine the effectiveness of the control.

4. Risk management

4.1 Risk management structure

For the ongoing success of risk management, it is vital that the risk management framework is embedded into the Thomas Cook (India) Limited organization structure and aligned with its corporate culture. Risk management must not be the task of one dedicated business unit or function, but rather is an explicit or implicit part of everyone's job description.

To facilitate the identification and communication of relevant risk information to the responsible decision-makers, the group has defined the following risk management structure, including roles and responsibilities at each level.

The Risk Management Committee will co-ordinate with the Audit Committee (AC) and other committees, and will primarily be responsible for overseeing the risk management policies and framework. While the Risk Management Committee oversees the Company's risk management, the Executive Risk Committee and the Business Unit / Support services Heads are responsible for day-to-day execution of the risk management framework. The Head - Business Process Improvement & Audit will provide the necessary support to the aforementioned personnel in implementing the framework.

Roles and responsibilities

The risk management roles and responsibilities at various levels are as follows:

  • Risk Management Committee
  • Executive Risk Committee
  • Head - BPIA
  • Business Unit / Support Services Heads

Risk Management Committee

The Risk Management Committee provides overall guidance and oversight of the risk management framework and its governance within TCIL. It also reviews and approves the overall risk management framework and related policies.

Roles and responsibilities of the Risk Management Committee:

On an annual basis

  • Review and approve the risk management framework, policy and structure (including changes thereto, if any, during annual reviews)
  • Oversight on the effectiveness of the risk management framework
  • Review of the reports of audits conducted - internal audits, concurrent audits, IFC audit, Secretarial Audit
  • Review of the omnibus limits suggested by the management for transactions with related parties (RPTs)
  • Approve risk management disclosures in annual filings/reports

On a half yearly basis

  • Review critical risks and existing/proposed measures to manage these risks effectively
  • Review the ratifications of the Sub-Committee on credit limits, and on RPTs, if any
  • Provide inputs on any emerging critical risks

Power:

The Risk Management Committee shall have powers to seek information from any employee, obtain outside legal or other professional advice and secure attendance of outsiders with relevant expertise, if it considers necessary.

Duties:

The Risk Management Committee shall coordinate its activities with other committees, in instances where there is any overlap with activities of such committees, as per the framework laid down by the board of directors.


Executive Risk Committee

The Executive Risk Committee comprises the MD, the ED & CEO, the CFO and Heads of Business & Support services. The MD is the Chairperson of the Executive Risk Committee.

The Executive Risk Committee is responsible for developing, implementing and maintaining an effective risk management framework within Thomas Cook (India) Limited.

Roles and responsibilities of the Executive Risk Committee

  • Promote and foster a proactive risk management culture within the Company
  • Responsible for managing current and potential risks within the Company and ensuring that risk exposures are within the acceptable risk thresholds of the Company.
  • Review and monitor risks and measures to manage them effectively
  • Evaluate and provide inputs on emerging risks emanating out of changes in business and economic environment. These risks need to be documented in the risk register and reported as per the reporting framework.
  • Responsible for reviewing all projects/ decisions/ initiatives reported to the Executive Risk Committee for decision making as per the risk threshold.
  • Review the cumulative exposure of the company and status of any new projects/ decisions/ initiatives.
  • Ensure communication and implementation of risk management policies throughout the Company.
  • Developing and providing recommendations to the Risk Management Committee on the following:
    • Risk management framework (including risk policy, risk threshold, risk management structure and roles and responsibilities)
  • Define Key Result Areas ('KRAs') for the Support services and business unit heads, their direct reportees and line managers to ensure identification and mitigation of risks and strengthening of controls.
  • Escalate critical risks and mitigation measures to the Risk Management Committee on a periodic basis (half-yearly) and also based on urgency of the risk materialization
  • Advise BU/ Support service heads on risk initiatives and risk management strategy
  • Develop and review the risk management disclosures which need to be made to stakeholders

The Executive Risk Committee shall submit a summary of the key


Disclaimer

Thomas Cook (India) Ltd. published this content on 17 May 2024 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 17 May 2024 18:37:00 UTC.