Procedure On Risk Management


REF. CP07RM01 / 3.0
ISMS Procedures Manual: RISK MANAGEMENT
W.E.F. August 16, 2016, PAGE 1 of 14

Purpose: The purpose of this procedure is to ensure proper risk assessment and risk management. The Risk Management procedure outlines the steps to be taken for conducting and assessing the risk associated with the various process, equipment, environment or people assets of and provides a framework for mitigating them.

Scope: This procedure applies to all information security risks and EHS risks, covering risk identification, analysis, planning of mitigation and tracking of risks associated with business activities and assets across the organization.

Responsibility:
  Functional Representative: Identifying and assessing risks, evaluating options for treatment, and selecting control objectives and controls for treatment of risk; preparing the Risk Assessment sheets; preparing the Risk Treatment Plan
  Risk Owner: Approval of Risk Treatment Plan
  HOD/FH: Review of Risk Assessment Sheet
  QR: Validation of Risk Assessment sheets
  CEO: Acceptance of Residual Risk
  MR: Approving the Risk Assessment sheets

Policy: The senior management of is committed to ensuring that procedures are in place for identifying, treating and monitoring the risks associated with information assets and also EHS risks. This is ensured through training the risk management team / core team identified by Senior Management and the organization, and monitoring the implementation from time to time.

References:
ISO 27001:2013 Risk Management controls
  Clause 6.1.1: Actions to address risks and opportunities
  Clause 6.1.2: Information security risk assessment
  Clause 6.1.3: Information security risk treatment
ISO 14001:2015 Risk Management controls
  Clause 6.1: Actions to address risks and opportunities
OHSAS 18001:2007 Risk Management controls
  Clause 4.3.1: Hazard identification, risk assessment and determining controls

Acronyms:
  N&S - Network & Systems
  HR - Human Resources

DEFINITIONS:

Asset: People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items.
An asset is what we’re trying to protect.

Authorized by HOD (Operations) Restricted Issued by: HOD(Quality)/ MR


Uncontrolled If Printed

Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
A threat is what we’re trying to protect against.
Threats generally can NOT be controlled.

Vulnerability (Weakness): Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.
A vulnerability is a weakness or gap in our protection efforts.
Vulnerabilities can be treated. Weaknesses should be identified and proactive measures taken to correct identified vulnerabilities.

Environmental Aspect: The elements of an organization's activities, products and services that can interact with the environment are called environmental aspects. Examples include a discharge, an emission, consumption or reuse of a material, or generation of noise.

Environmental Impact: Changes to the environment, either adverse or beneficial, that result wholly or partially from environmental aspects are called environmental impacts. Examples of adverse impacts include pollution of air and depletion of natural resources. Examples of beneficial impacts include improved water or soil quality.

Health and Safety Hazard: Occupational Health and Safety Hazards are situations associated with the organization’s business activities which could lead to injuries or cause ill health to people affected.

Ill Health: Identifiable, adverse physical or mental condition arising from and/or made worse by a work activity and/or work-related situation.

Incident: Work-related event(s) in which an injury or ill health (regardless of severity) or fatality occurred, or could have occurred.
Risk: The likelihood of harm, loss, damage or destruction which could result from a hazard, vulnerability or threat. Risks can be of various types such as environmental risks, health & safety risks, information security risks, quality risks, financial risks, etc.

In case of EHS risks, risk is the result of an unsafe act occurring together with an unsafe condition.

In case of Information Security, risk is the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of assets, threats, and vulnerabilities.

Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little/no risk.

Risk can be mitigated/ managed to either lower the vulnerability or the overall impact on the business.

Risk Assessment: The process of evaluating the risk(s) arising from hazard(s) or vulnerabilities & threats, taking into account the adequacy of any existing controls, and deciding whether or not the risk(s) is/are acceptable.
Risk Owner: A person or entity with the accountability and authority to manage a risk. Basically, this is a person who is both interested in resolving a risk and positioned highly enough in the organization to do something about it. So, for instance, the asset owner of a server might be the IT administrator, and the risk owner for risks related to this server might be his boss, the head of the IT department. The IT administrator will manage the server on a day-to-day basis, while the head of the IT department will take care of, e.g., investing in better protection, providing training to the IT administrator, etc.

Examples:

Sl No 1
  Vulnerability: Unrestricted access to server room
  Threat: An unauthorized visitor entry to the server room
  Risk: The visitor can damage the server or deny access to the server
  Risk mitigation/Control: The risk is mitigated with the usage of a biometric access control system and installation of CCTV

Sl No 2
  Vulnerability: The USB access is enabled in the computer
  Threat: Copying organizational confidential data into a pen drive
  Risk: A dissatisfied employee may share this confidential data with the competitor and damage the organization's reputation
  Risk mitigation/Control: The risk is mitigated by disabling the USB access in the computer and implementing a Data Leakage Prevention tool

PART A - Procedure for Information Security Risk Assessment & Mitigation:

The following 11 steps provide the methodology for risk assessment & mitigation. The risk assessment sheet will be prepared by the Functional Representative of the respective department / function. For the operations department, risk assessment is done at customer group level to capture the specific data security needs of each customer. For all other departments, it is done at department level. This procedure defines the “Risk acceptance criteria” and the “criteria for performing information security risk assessment”.

Step 1: System Characterization:

During this first stage, information about the system is gathered and classified into one of the following categories:
 Hardware
 Software
 System interfaces (internal/external connectivity)
 Data and information
 Users and administrators of the system
 System mission (processes performed)
 System and data criticality (value to ‘s ability to perform its mission)
 System and data sensitivity
 Additional information
 Services


Functional requirements of the system; system security laws/regulations/policies/standards governing the system; system security architecture; network diagrams; data flow; etc.

The asset owner and custodian of the asset are identified. Understanding the system mission, system and data criticality levels, and system and data sensitivity levels, the asset value is determined as given below:

Asset Value = Maximum of (Confidentiality, Integrity, Availability)

Refer to the table below for the ranking definitions related to CIA:


Ranking / Ranking Definition / Confidentiality / Integrity / Availability

5 - Very High
  Confidentiality: Extremely confidential from the business point of view
  Integrity: Extremely important
  Availability: Extremely critical to meet the service level
4 - High
  Confidentiality: Can be accessed only by department managers and above
  Integrity: Loss of integrity can affect the business
  Availability: Critical for the business process
3 - Medium
  Confidentiality: Can be accessed only by team leaders and above
  Integrity: Need to have high integrity
  Availability: Is important for the business process
2 - Low
  Confidentiality: Limited access
  Integrity: Not very critical
  Availability: Will have a moderate effect on the business process
1 - Very Low
  Confidentiality: Not confidential
  Integrity: Not very important
  Availability: Will not affect the business process

Step 2: Threat Identification:

The goal of this step is to identify the potential threat sources and create a list of those threat sources that have access to the system being evaluated. Threat sources can be natural, human, or environmental.
Level of Threat: It is defined based on the severity of the threat, which can exploit a vulnerability in the system and cause loss or damage to the system:

Ranking / Ranking Definition / Level of Threat Criteria
5 - Very High: A potential threat affects safe system performance and/or involves noncompliance with government regulation, with or without warning.
4 - High: A threat can render the system inoperable, with loss of primary function, requiring continuous monitoring.
3 - Medium: A threat can cause damage to part of the critical systems (system will run with reduced performance).
2 - Low: A threat can cause damage to non-critical systems only.
1 - Very Low: Neither affects system performance nor availability; a threat source can be identified at the initial stage itself.

Output from this step will be a written “threat statement” listing threat sources that could
exploit vulnerabilities of the system being evaluated.

Step 3: Vulnerability Identification:

The goal of this step is to develop a list of system vulnerabilities that could be exploited by
the potential threat-sources.

Step 4: Risk Owner Identification:

The goal of this step is to identify the Risk Owner, who is a person or entity with accountability and authority to manage a risk. The Functional Representative needs to identify the Risk Owner in consultation with the respective HOD/FH.

Step 5: Control Analysis:

The goal of this step is to analyze the controls that have been implemented, or are planned for
implementation, by the organization to minimize or eliminate the likelihood (or probability) of a
threat’s exercising a system vulnerability.

Step 6: Likelihood Determination

To derive an overall likelihood rating that indicates the likelihood that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered:
 Threat-source motivation and capability
 Nature of the vulnerability
 Existence and effectiveness of current controls
 Assign likelihood a numeric value as given below.


Step 7: Determine the Likelihood of Occurrence, taking account of vulnerability aspects and the current controls in place.
Refer to the table below for the evaluation criteria for Occurrence:

Ranking / Ranking Definition / Level of Vulnerability (Likelihood of Occurrence)
5 - Very High: Failure almost inevitable. High exposure, high loss. Vulnerability requires few resources to exploit, with significant potential for loss.
4 - High: Repeated failures. Vulnerability can be expected to affect more than one system element or component.
3 - Medium: Occasional failures. Moderate exposure, moderate severity. Vulnerability requires few resources to exploit, with moderate potential for loss.
2 - Low: Relatively few failures.
1 - Very Low: Failure is unlikely. Minor exposure, minor severity. Vulnerability requires significant resources to exploit, with little potential for loss.

Step 8: Impact Level of Threat Analysis:

The analysis of the Impact Level of Threat determines the adverse impact that would result if the exploitation of the vulnerability was successful.

Step 9: Risk Determination

The risk value is the mathematical product of Asset Value (Max of CIA), Level of Threat and Likelihood of Occurrence (Level of Vulnerability):

Risk Value = Asset Value (Max of CIA) x Level of Threat x Likelihood of Occurrence (Level of Vulnerability)

This number is used to place priority on items that require additional risk treatment.
Note: For all rankings use only integer values (fractional values are not allowed).

If the Risk Value is more than 18, the risk is unacceptable and suitable measures are to be taken to mitigate the risk.

A Risk Value less than or equal to 18 is considered an acceptable risk.

In case of work execution in geographically extended customer networks (customer-supplied dedicated networks), the risks related to access control to public domains are captured in the risk assessment report.
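A worked calculation of Steps 1, 7 and 9 above (asset value, risk value, the 18 acceptance threshold and the residual-risk recheck after treatment), added here as an illustration and not part of the procedure itself; the register rows, their ratings, controls and risk-owner names are constructed assumptions, not values from any real assessment.

```python
"""Worked ISMS risk determination for Part A (Steps 1, 7 and 9).

Formulas and acceptance criterion exactly as stated in the procedure:
    Asset Value = max(Confidentiality, Integrity, Availability)
    Risk Value  = Asset Value x Level of Threat x Likelihood of Occurrence
    Risk Value > 18 is unacceptable and must be treated; <= 18 is acceptable.
The register entries below are constructed sample data modelled on the two
examples in the Definitions section; they are not a real assessment.
"""
from dataclasses import dataclass
from typing import Optional

ACCEPTANCE_THRESHOLD = 18          # Step 9: <= 18 acceptable, > 18 unacceptable
RANKING_NAMES = {5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low"}


def check_ranking(name: str, value: int) -> int:
    """Step 9 note: every ranking is an integer on the 1..5 scale, no fractions."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError(f"{name} ranking must be an integer, got {value!r}")
    if value not in RANKING_NAMES:
        raise ValueError(f"{name} ranking must be 1..5, got {value}")
    return value


def asset_value(confidentiality: int, integrity: int, availability: int) -> int:
    """Step 1: the asset value is the highest of the three CIA rankings."""
    return max(check_ranking("Confidentiality", confidentiality),
               check_ranking("Integrity", integrity),
               check_ranking("Availability", availability))


def risk_value(av: int, threat: int, likelihood: int) -> int:
    """Step 9: Risk Value = Asset Value x Level of Threat x Likelihood."""
    return (check_ranking("Asset Value", av)
            * check_ranking("Level of Threat", threat)
            * check_ranking("Likelihood of Occurrence", likelihood))


def is_acceptable(value: int) -> bool:
    """Risk acceptance criterion from Step 9."""
    return value <= ACCEPTANCE_THRESHOLD


@dataclass
class RiskEntry:
    """One row of a risk assessment sheet (constructed sample structure)."""
    asset: str
    vulnerability: str
    threat_source: str
    cia: tuple                     # (Confidentiality, Integrity, Availability)
    threat: int                    # Level of Threat, Step 2 table
    likelihood: int                # Likelihood of Occurrence, Step 7 table
    risk_owner: str
    control: Optional[str] = None  # planned control, Step 10
    treated_likelihood: Optional[int] = None  # likelihood expected after control


def assess(entry: RiskEntry) -> dict:
    """Compute inherent risk, residual risk after treatment, and the action."""
    av = asset_value(*entry.cia)
    inherent = risk_value(av, entry.threat, entry.likelihood)
    result = {"asset": entry.asset, "asset_value": av, "risk_owner": entry.risk_owner,
              "inherent_risk": inherent, "residual_risk": None}
    if is_acceptable(inherent):
        result["action"] = "Accept: within acceptance criteria, revisit periodically"
        return result
    if entry.treated_likelihood is None:
        result["action"] = "Unacceptable: risk treatment plan required"
        return result
    # Residual risk uses the same formula with the post-control likelihood;
    # asset value and threat level are unchanged (threats cannot be controlled).
    residual = risk_value(av, entry.threat, entry.treated_likelihood)
    result["residual_risk"] = residual
    if is_acceptable(residual):
        result["action"] = f"Treat ({entry.control}); residual risk acceptable"
    else:
        result["action"] = (f"Treat ({entry.control}); residual risk still "
                            "unacceptable, plan further controls")
    return result


def prioritised_register(entries) -> list:
    """Assess all entries and order them by inherent risk value, highest first."""
    return sorted((assess(e) for e in entries),
                  key=lambda r: r["inherent_risk"], reverse=True)


# Constructed sample register (illustrative values, not from the procedure).
SAMPLE_REGISTER = [
    RiskEntry("Server room", "Unrestricted access to server room",
              "Unauthorized visitor", cia=(3, 4, 5), threat=4, likelihood=3,
              risk_owner="Head of IT", control="Biometric access control and CCTV",
              treated_likelihood=1),
    RiskEntry("Workstation", "USB access enabled",
              "Dissatisfied employee copying confidential data", cia=(5, 3, 2),
              threat=3, likelihood=5, risk_owner="Head of IT",
              control="Disable USB access and deploy DLP tool", treated_likelihood=1),
    RiskEntry("Shared printer", "Print jobs left uncollected",
              "Visitor reading printouts", cia=(2, 1, 3), threat=2, likelihood=2,
              risk_owner="Admin HOD"),
]

if __name__ == "__main__":
    for row in prioritised_register(SAMPLE_REGISTER):
        print(f"{row['asset']:<14} AV={row['asset_value']} "
              f"risk={row['inherent_risk']:>3} residual={row['residual_risk']} "
              f"-> {row['action']}")
```

Note that the server room row stays above 18 even after the planned control (5 x 4 x 1 = 20), which is the case the procedure handles by planning further controls.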


Step 10: Control Recommendations:

The goal of controls recommendation is to reduce the level of risk to the system and its data to an
acceptable level.

To determine which controls are required and appropriate for a specific organization, a cost-benefit
analysis should be conducted for the proposed recommended controls to demonstrate that the costs of
implementing the controls can be justified by the reduction in the level of risk.

To identify and determine controls, SOA (Annex A) is used as a reference.

Additionally, the operational impact (effect on system performance) and feasibility (technical requirements, user acceptance) of introducing the recommended option should be evaluated carefully during the risk mitigation process.

SVES also performs risk assessment (in the Risk Assessment form) on its systems once a year, or whenever a new threat or vulnerability is identified, whenever there is a change in systems or the processing environment, or on addition or deletion of assets. Risk assessment & BCP reports are to be updated as a mandatory requirement before closure of an incident, considering the effects of the incident as applicable.
The risk value is computed again to prioritise the risk and carry out proper risk treatment.

Step 11: Risk Treatment Procedure:

Risk mitigation is the systematic methodology used by senior management to reduce risks at SVES. The respective Risk Owner will approve the Risk Treatment Plan.

Avoid: Eliminate the threat by eliminating its cause (use a different technology), e.g. instead of flying by plane due to fear of brake failure, use a train service. These are usually dramatic.

Mitigate: Reduce the probability or impact of a threat by making it a smaller risk and removing it from the top list (e.g. build in redundancy), e.g. to reduce the chance of brake failure in a flight, incorporate a triple brake system.

Transfer: Make another party responsible for the risk by purchasing insurance, bonds, warranties, etc., e.g. life insurance or fire loss insurance.

Accept: Accept the risk in concurrence with the Management team, and revisit periodically to evaluate and apply better risk treatment.

Residual Risk: After selection of additional controls for reduction of risks there will always be residual risks; no system can be made absolutely secure.

The Risk Assessment Form with the above details will be reviewed by respective department /
function HOD/FH/Delivery Heads. After the review by respective HOD/FH/Delivery Heads, the Risk
Assessment Form will be validated by QR for the correctness and completeness.

It is a management decision whether these risks will be accepted because of other constraints (like costs, or simply the impossibility of prevention, as in the case of planes crashing on a building or earthquakes). In case the residual risk is not accepted, further additional controls are to be planned to reduce the risk value.


The MR will approve and release the Risk Assessment Form after acceptance by Management Team.

The above residual risks are reviewed on yearly basis to monitor the likelihood of occurrence. Any
Change in Likelihood will result in the residual risk becoming unacceptable residual risk and suitable
steps to be taken as mentioned above.

Part B – Procedure for EHS Risk Assessment and Mitigation

Overview of EHS Risk Assessment

EHS Risk Assessment in the organization follows the steps given below:

Step 1 - Identification of activities
Step 2 - Identification of Environmental Aspects/ Occupational Health and Safety Hazards
Step 3 - Identification of Environmental Impact/ Occupational Health and Safety Impact
Step 4 - Identification of Legal and other requirements
Step 5 - Risk Analysis
Step 6 - Risk Prioritization
Step 7 - Risk Mitigation
Step 8 - Risk Monitoring/ Tracking

As a practice, the environmental risks and occupational health and safety risks are identified by EHS
Core team members in consultation with the other personnel in the organization.

EHS Core Team Members shall follow the methodology given in this document for the above.

Step 1 - Identification of Activities

This section of the procedure covers those EHS hazards of activities and services that the organization can control, or over which it can be expected to have an influence. Significant EHS Hazards identified through this process shall be considered in setting EHS objectives and targets.

The procedure consists of an initial screening of activities based on available data by the EHS Core Team, consisting of cross-functional personnel within the organization. Such a cross-functional team shall consist of personnel from all levels of the organization.
Cross functional team assesses the environmental aspects and occupational health & safety hazards,
determines which of these might result in significant impacts, then sets priorities for further analysis,
as needed.
The management team consisting of CEO, HODs and MR reviews the information developed during
the evaluation on a regular basis to ensure that it is up-to-date.


Initial Screening or Baseline Evaluation:


Initial screening or baseline evaluation is carried out whenever a new process is set up and/ or during
the initial implementation of EHSMS in the organization.
The initial screening is carried out across all functions such as Operations, Human Resources,
Corporate Services, Maintenance, Commercial, Corporate Communication, Systems, Network &
Systems, Corporate, Finance and Quality.
MR along with EHS Core Team Members conducts a review meeting to perform the evaluation of all
activities.
EHS Core Team brainstorms each activity/ task involved in every stage of operations or other
activities. Each activity/ task is evaluated for its environmental aspects and impacts and also
occupational health and safety hazards and impacts under the guidance of MR.

Step 2 - Identification of Environmental Aspects/ Occupational Health and Safety Hazards

EHS Hazards shall be determined separately as Environmental Aspects and Occupational Health and Safety Hazards.
Steps involved in identification of Environmental Aspects/ Occupational Health & Safety Hazards are as follows:

 Identify the activity/ task in each department.
 Identify the Hazards/ Aspects associated with those activities/ tasks.
 Determine the condition under which the respective environmental aspect or OHS Hazard is applicable, from the following:
     Normal - Normal working condition
     Abnormal - Any condition which is not being complied with
     Emergency - An unforeseen or sudden occurrence, especially of a danger demanding immediate remedy or action
 Determine if the EHS Hazard has a beneficial impact or an adverse impact on the environment.

Some of the factors and examples of activities to be considered for identification of EHS Hazards/ Aspects include:
 Operations and activities which could interface with the environment in a way that could result in environmental impact, affect the health and safety of people, or lead to property damage.
 All natural resources, including water and energy sources, used in the operations and activities.
 Emissions into the air, water or land.
 Generation of wastes and disposal of these materials having potential environmental impact, such as e-waste.
 Use or release or fugitive emission of ozone depleting substances from the Air Conditioning/ HVAC System.

 Release of Green House Gases (GHGs) directly or indirectly
 RoHS materials in end products due to design specifications
 Generation of Noise

In case an Aspect or Hazard of the activity has an Emergency impact, the same shall be addressed in
the Emergency Preparedness Plan.

Once the EHS Hazard is identified, the source of hazard shall also be determined by the EHS Core
Team.

EHS Core team shall also identify if there are any legal requirements applicable or legal obligations
for controlling the respective EHS hazards.

Team shall also identify the current controls, if any to mitigate the EHS hazards.

Step 3 - Identification of Impact of Environmental Aspects/ Occupational Health and Safety Hazards

EHS Core Team shall brainstorm to determine the impact of each of the EHS Hazards identified. While determining the same, EHS Core Team shall consider the following cause-effect scenarios/ combinations to ensure completeness of the EHS impact assessment:
One to One Relationship: One EHS Hazard leading to one Impact
One to Many Relationship: One EHS Hazard leading to more than one Impact
Many to One Relationship: Many EHS Hazards leading to one Impact
Many to Many Relationship: Many EHS Hazards leading to many Impacts

While determining the impact, EHS Core Team shall clearly describe the impact in terms of the environment, property or people affected, and the scale of the impact, to enable consistent estimation of the severity rating.

Once the impact assessment is carried out, EHS Core Team shall analyze all the EHS Hazards
identified as given below:

EHS Risk Analysis

All the EHS Hazards identified shall be analyzed and prioritized based on the applicability of LOR (legal and other requirements) and any interested party concerns, and the Risk Priority Number determined as described below:

EHS Risk Assessment involves three parameters, viz. Severity Rating, Occurrence Rating, and Compliance with Legal and Other Requirements and interested party concerns.

In case Legal Requirements are applicable, then

RPN (Risk Priority Number) or Risk Value = Severity Rating x Occurrence Rating x Legal Compliance


In case LOR and interested party concerns are not applicable, then

RPN (Risk Priority Number) or Risk Value = Severity Rating x Occurrence Rating

Severity, Occurrence and Compliance Ratings are determined based on the following tables:

SEVERITY RATING
Severity Rating / Severity Level / Severity Description
5 - Fatal/ Dangerous:
    Health and Safety - Could lead to loss of life.
    Environment - May cause environmental pollution beyond permissible levels, causing large-scale pollution to the environment.
4 - Extremely Harmful/ Very High Impact:
    Health and Safety - Could lead to ill health and permanent disability; non-compliance with legal or other requirements.
    Environment - May cause environmental pollution beyond permissible levels, causing large-scale pollution to the environment for a short duration, or generate hazardous waste.
3 - Moderately Harmful/ Impact:
    Health and Safety - Could lead to lost time injuries/ property loss.
    Environment - May cause environmental pollution within permissible levels, or consume natural resources.
2 - Low Harm/ Impact:
    Health and Safety - Could lead to discomfort but no lost time injuries.
    Environment - May cause slight environmental pollution, generate solid waste (non-toxic).
1 - Very Low Impact:
    Health and Safety - No impact on people.
    Environment - No or negligible environmental impact.

OCCURRENCE RATING
Probability Rating / Probability Level / Probability Description
5 - Very High:
    Health and Safety - Hazards exist continuously and people are exposed to the hazard.
    Environment - Continuous emission into air, releases into water, or soil pollution.
4 - High:
    Health and Safety - Hazards are found once in a month to six months.
    Environment - Environmental hazards found once in a month to six months.
3 - Medium:
    Health and Safety - Hazards are found once in six months to one year.
    Environment - Environmental hazards found once in six months to one year.
2 - Low:
    Health and Safety - Hazards are found once in one to two years.
    Environment - Environmental hazards found once in one to two years.
1 - Very Low:
    Health and Safety - Hazards rarely occur.
    Environment - Environmental hazards rarely occur.

COMPLIANCE RATING
Compliance Rating / Compliance Level / Compliance Description
2 - Non-Compliant: Requirements of the Statute or Legal or Other Requirements not being met completely.
1 - Compliant: Requirements of the Statute or Legal or Other Requirements met completely.


EHS Risks shall be prioritized for mitigation or improvement action based on their significance, determined as given below:

PRIORITIZATION GUIDELINES
Risk Prioritization Rules to classify a risk as a Significant EHS Risk:
– When legal and other requirements and interested party concerns are applicable to a risk
– Any risk with an RPN value of 15 or more
– Any risk with a Severity Rating of 5

Note: With reference to the above prioritization guidelines, when LOR and interested party concerns are applicable to a risk, it shall be considered a Significant Risk, and in such cases the assessment shall be done only to check whether the requirement is complied with or not, i.e. ratings for severity and occurrence are not required in such cases.

Threshold values of the Risk Priority Number and the other parameters defined above shall be reviewed periodically during the Management Review Meetings to drive improvements, reduce EHS risks, and ensure compliance with the applicable legal, regulatory and other requirements and other interested parties' concerns.
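A worked application of the two RPN formulas and the prioritization guidelines above, including the Note's compliance-only path for hazards covered by legal requirements, added here as an illustration and not part of the procedure; the hazard register, its activities, ratings and conditions are constructed assumptions, not values from any real assessment.

```python
"""Worked EHS risk analysis and prioritisation for Part B.

Rules exactly as stated in the procedure:
    RPN = Severity x Occurrence x Compliance   (legal/other requirements apply)
    RPN = Severity x Occurrence                (otherwise)
A risk is Significant when legal/other requirements or interested party
concerns apply, when RPN >= 15, or when Severity = 5. Per the Note, a hazard
covered by legal requirements is assessed only for compliance, so severity
and occurrence ratings are optional for it.
The hazard rows below are constructed sample data, not a real assessment.
"""
from dataclasses import dataclass
from typing import Optional

RPN_SIGNIFICANT = 15             # "Any Risk with a RPN Value of 15 or More"
SEVERITY_SIGNIFICANT = 5         # "Any Risk with a Severity Rating of 5"
COMPLIANT, NON_COMPLIANT = 1, 2  # Compliance Rating table
CONDITIONS = ("Normal", "Abnormal", "Emergency")  # Step 2 conditions


def check_rating(name: str, value, allowed) -> int:
    """Ratings are integers drawn from the tables; anything else is rejected."""
    if isinstance(value, bool) or not isinstance(value, int) or value not in allowed:
        raise ValueError(f"{name} rating must be one of {list(allowed)}, got {value!r}")
    return value


def rpn(severity: int, occurrence: int, compliance: Optional[int] = None) -> int:
    """Risk Priority Number; the compliance factor is applied only when legal
    and other requirements are applicable to the hazard."""
    value = (check_rating("Severity", severity, range(1, 6))
             * check_rating("Occurrence", occurrence, range(1, 6)))
    if compliance is not None:
        value *= check_rating("Compliance", compliance, (COMPLIANT, NON_COMPLIANT))
    return value


@dataclass
class EhsHazard:
    """One identified hazard/aspect from Step 2 (constructed sample structure)."""
    activity: str
    hazard: str
    condition: str                    # Normal / Abnormal / Emergency
    legal_applicable: bool            # LOR or interested party concerns apply
    compliance: Optional[int] = None  # required when legal_applicable
    severity: Optional[int] = None
    occurrence: Optional[int] = None


def classify(h: EhsHazard) -> dict:
    """Apply the prioritization guidelines to one hazard."""
    if h.condition not in CONDITIONS:
        raise ValueError(f"unknown condition {h.condition!r}")
    reasons = []
    value = None
    if h.legal_applicable:
        if h.compliance is None:
            raise ValueError("compliance rating is required when legal requirements apply")
        reasons.append("legal/other requirements or interested party concerns apply")
        if h.compliance == NON_COMPLIANT:
            reasons.append("currently non-compliant")
        if h.severity is not None and h.occurrence is not None:
            value = rpn(h.severity, h.occurrence, h.compliance)
    else:
        if h.severity is None or h.occurrence is None:
            raise ValueError("severity and occurrence ratings are required")
        value = rpn(h.severity, h.occurrence)
        if value >= RPN_SIGNIFICANT:
            reasons.append(f"RPN {value} >= {RPN_SIGNIFICANT}")
    if h.severity == SEVERITY_SIGNIFICANT:
        reasons.append("severity rating 5")
    return {
        "activity": h.activity, "hazard": h.hazard, "rpn": value,
        "significant": bool(reasons), "reasons": reasons,
        # Emergency-condition hazards are also addressed in the Emergency Preparedness Plan
        "emergency_plan": h.condition == "Emergency",
    }


def significant_hazards(hazards) -> list:
    """Significant hazards only, highest RPN first (compliance-only rows sort as 0)."""
    rows = [r for r in (classify(h) for h in hazards) if r["significant"]]
    return sorted(rows, key=lambda r: r["rpn"] or 0, reverse=True)


# Constructed sample hazard register (illustrative values only).
SAMPLE_HAZARDS = [
    EhsHazard("DG set operation", "Exhaust emission into air", "Normal",
              legal_applicable=True, compliance=COMPLIANT),
    EhsHazard("E-waste handling", "Disposal of e-waste", "Normal",
              legal_applicable=False, severity=4, occurrence=4),
    EhsHazard("Cable laying at height", "Fall from height", "Normal",
              legal_applicable=False, severity=5, occurrence=2),
    EhsHazard("HVAC maintenance", "Refrigerant leak (ozone depleting substance)",
              "Abnormal", legal_applicable=False, severity=3, occurrence=2),
    EhsHazard("UPS battery room", "Fire", "Emergency",
              legal_applicable=False, severity=5, occurrence=1),
]

if __name__ == "__main__":
    for row in significant_hazards(SAMPLE_HAZARDS):
        print(f"{row['activity']:<24} RPN={row['rpn']} -> {', '.join(row['reasons'])}")
```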

Risk assessment is done for all activities and reports are summarized as below:
1) Risk assessment report for Admin department
2) Risk assessment report for N&S department
3) Risk assessment report – Common (Marketing, Operations, HR, Quality, Commercial, Systems, Finance, Corporate (Legal))

Reporting the Risk Assessment Results

Once the significant EHS risks are determined, EHS Core Team shall present the same to the Top
Management consisting of MR, CEO and other HODs.

If the EHS Core Team determines that additional information is needed to evaluate a particular
activity, the Top Management shall assign the responsibility for collecting that information to
appropriate personnel. Once the information is made available, then EHS Core Team shall continue
with the EHS risk assessment.
The details of the assessment as described above are recorded in EHS Risk Assessment Report.

On approval or acceptance of the significant EHS risks by the top management team, the significant
EHS Risks shall be prioritized for initiating mitigation actions.

MR and CEO shall ensure that significant EHS Risks identified by the EHS Core Team & HODs are
considered in setting EHS objectives and targets at functional level.

EHS Risk Mitigation


Mitigation of EHS risks is primarily of two types, either initiating an EHS Management Program or establishing an Operational Control Procedure, as mentioned below:

 Initiating EHSMP - In case major changes are to be made in infrastructure, facility or automation, or awareness and skills are to be built in people on a large scale as a one-time activity, an EHS Management Program shall be initiated.
 Establishing OCP - In case the mitigation plan involves establishing monitoring and control activities on a routine/ periodical basis, then an Operational Control Procedure shall be established detailing the monitoring, measuring and initiating of an immediate reaction plan in case of an out-of-control situation.

While determining controls, respective HODs/ MR shall ensure that all associates at all levels are included as appropriate.

While determining the controls, respective HODs/ MR shall also consider the legal requirements, voluntary standards and codes of practice that can specify appropriate controls for specific hazards. Respective HODs/ MR shall, to the extent possible, determine controls that are capable of attaining “As Low As Reasonably Practicable” (ALARP) levels of risk.

Follow-up Evaluation:

Follow-up evaluations or periodical evaluations are carried out once in a year or as decided in the
management reviews. The results of the most recent EHS Risk Assessment shall be reviewed during
the Management Reviews.

Based on this review, the EHS Core Team determines the need to update the EHS Risk Assessment.
Factors such as improved assessment methodologies, or major changes to the organization’s mission,
facilities, services are considered in determining the need to update the assessment.

Need arising due to changes in Legal Requirements:

Whenever changes in legal requirements arise, respective HODs shall review the same against the most recent EHS Risk Assessment results. The results are reviewed with the MR and EHS Core Team, and the required changes in the EHS Risk Assessment Reports (both environment and occupational health & safety) are incorporated.

Then the process described above is followed for identification of significant EHS Risks.

Need arising due to changes in Operations or Facilities:

Whenever changes are required to be made in the operations, equipment, facilities or infrastructure, including expansions, scale-ups, etc., the concerned HOD initiates the EHS Risk Analysis using an Infrastructure Change Request (ICR) raised on the MR. The MR in turn reviews the EHS hazards of the changes, if any, and records the same on the same form.
Need for change may also arise from factors such as the following:

 The need to determine whether existing controls are effective and adequate
 The need to respond to new hazards
 The need to respond to feedback from monitoring activities, incident investigation,
emergency situations or the results of testing of emergency procedures (mock
drills)
 External factors such as emerging occupational health issues
 Advances in control technologies
 Changing diversity in the workforce, including the contractors
 Changes proposed by corrective and preventive action

Top Management Team reviews the impact of changes on environment, occupational health
& safety and decides whether to approve the change or not.
In case the change is not approved, ICR is returned to the initiator. In case the change is
acceptable, then approved ICR is sent to respective HODs for initiating the required actions.
The respective HOD, with assistance from the EHS Core Team, then modifies the EHS Risk Assessment Report. In case the changes result in the possibility of any significant EHS risks, the same are handled as described above.

Verification: Implementation of this procedure shall be verified during the audits.

Associated Documentation / References:
  Risk Assessment Form
  Risk Assessment Flow Chart
  EHS Risk Assessment Report
  Infrastructure Change Request
  EHS Management Programs
  Operational Control Procedures
  Workplace SOA (Statement of Applicability)