
Risk management

Ensuring best-in-class risk management and controls

The Company has an organisation-wide ERM framework of best-in-class standard, reviewed annually by the Board and clearly aligned to the environment in which it operates. It is detailed as part of the MDA, which can be referred to at page 116.

To augment the Risk Management Framework, the services of an external entity, KPMG, were utilised. Based on their recommendations, enhanced risk governance was implemented, which included embedding Risk Management with the First Line of Defence, introducing Risk Champions, strengthening the three Lines of Defence, and enhancing documentation in respect of ERM, Risk Appetite and KRI.

Risk Governance at CAMS
Highlights of Enterprise Risk Management in FY23

Due to the volume of sensitive data that the Company manages, it is susceptible to highly targeted cyber-attacks that try to exploit security flaws. The Company has embraced a digital model for most of its operations, which necessitates data flow with various stakeholders who may or may not have the necessary tools and technology to protect the data. The Company's inability to safeguard the data from cyber-attacks / breaches would adversely impact its reputation and result in non-compliance, which may lead to losses.

Capitals at risk:

KRI monitored: BitSight score, which indicates the overall security posture. This is presently at an all-time high of 800.

  • Darktrace Enterprise Immune System that uses new ML-led algorithms for monitoring and detecting unpredictable threats
  • Enterprise security assessment solution (SAFE) that continuously monitors and assesses multiple vectors, and provides a score (current score at 4.74 out of 5.0)
  • Endpoint Detection Response (EDR) solution that uses AI / ML algorithms for determining systemic steps to mitigate unknown cyber threats or abnormal behaviour on the endpoint desktops and laptops
  • A Technology Committee, consisting of industry experts in the field, oversees cyber governance and provides necessary guidance
  • Risk-based security assessments are carried out, including Vulnerability Assessment (VA) of applications, Vulnerability Assessment and Penetration Testing (VAPT) of infrastructure, periodic simulation and testing to assess the effectiveness of controls, and an awareness program for employees

Operational Risk refers to the risk of loss of various types (Financial / Reputational / Compliance / Clients) on account of inadequate or failed internal processes, systems, and people or from external events, that could lead to significant monetary and reputational losses. There can also be frauds perpetrated by third parties.

Capitals at risk:

KRI monitored: Critical Incident Reporting tracker and proactive monitoring of potential risks.

The Company has a strong Operational Risk Management Policy which broadly covers:

  • The Risk and Control Self-Assessment Framework (RCSA)
  • Critical Incident Management and Reporting
  • Operational Loss Appetite Levels (Restricted Actions)
  • Strategies / Mechanisms for monitoring and mitigation of Operational Risk
  • Training on Operational Risk is imparted across the organisation to raise awareness and bring the required risk sensitisation
  • New products, processes and regulatory implementations are always approved by the risk management function prior to roll out
  • The Company has developed fraud detection models using advanced algorithms and data analysis, which support identifying fraudulent transactions with speed and accuracy

Our businesses are guided by various regulators, which subject us to periodic audits. Any non-compliance with regulations could result in observations from authorities like SEBI, IRDAI, RBI, MCA and PFRDA, which can expose us to warnings, penalties and even cancellation of licenses.

Capitals at risk:

KRI monitored: Internal compliance monitoring tools including Legatrix, which is an external third-party tool for identifying any potential violations or defaults.

  • The Company has an in-house compliance team that monitors compliances with dedicated functional heads. To support the team, the Company also engages external experts
  • The Company has implemented a process to identify known outliers on a real-time basis to undertake remedial measures and explore further automation of the platform for avoiding recurrence of the risk

We are required to comply with a host of regulations like reporting to government agencies and regulators and timely, error-free fulfilment of regulatory requirements. Any default could result in fines and penalties.

Capitals at risk:

KRI monitored: Internal compliance monitoring tools including Legatrix, which is an external third-party tool for identifying any potential violations or defaults.

  • We have an extensive system for monitoring compliances with dedicated functional heads tasked with specific areas and have also engaged external experts on retainership to provide necessary across all areas
  • We undertake to carry out multiple audits for ensuring all compliances, the findings of which are reported to the Audit Committee / Board at its meetings. Further, we ensure all audit / other related mitigating avenues that have been identified are implemented

Client Servicing is becoming increasingly complex and dynamic, and the Company is required to ensure utmost client satisfaction to retain its existing clients. As the Company services a limited number of clients and its revenue is concentrated in that set of clients, the concentration is considered a risk.

  • The Company has forayed into multiple business offerings, which enhances the client base
  • The strong brand value, offer of innovative products and top-class quality management ensure client satisfaction

Annual Report 2022-23