The term “Governance”, according to a law dictionary, means applying policies, implementing them properly, and monitoring them continuously. Corporate Governance refers to the set of processes, customs, policies, and laws by which an organization is directed, administered or controlled. It is based upon the principles of responsibility, transparency and accountability.
“Risk Management” is the process of identifying, assessing and controlling threats to an organization’s capital and earnings.
The term “Compliance” means conformity in fulfilling official requirements (i.e. existing laws and regulations).
GRC – The Concept
Worldwide, the terms Governance, Risk Management and Compliance are grouped together as ‘GRC’. Let’s discuss the concept of GRC in detail, along with the need to develop GRC-related technological solutions.
The definition of ‘GRC’ given by Nicolas Racz, Edgar Weippl and Andreas Seufert in their research paper ‘Frame of Reference for Research of Integrated Governance, Risk & Compliance (GRC)’ is a comprehensive one. GRC is defined there as “an integrated, holistic approach to organisation-wide governance, risk and compliance ensuring that an organisation acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness”.
Deloitte Global Risk Management Survey
GRC has emerged as a major challenge for most organizations worldwide. Recently, in the eighth edition of the ‘Deloitte Global Risk Management Survey’[1], organisations cited a number of concerns about their risk management information technology systems. In the survey, 85.6% of organizations agreed that they benefit from integrating and streamlining the use of technology for GRC activities enterprise-wide.
The findings of the survey are listed below:
1) It was found that most organisations were aware of the need for a significant improvement in the way they manage their risk, internal audit and compliance functions.
2) One of the main concerns addressed in the survey was the ability of organisations to easily upgrade or revise their risk technology systems. In the survey, 78% of companies are extremely, very or somewhat concerned about their ability to adapt to changing regulatory requirements, as well as about the lack of flexibility to extend their current systems. Related to this issue, 75% of organisations are extremely, very or somewhat concerned about a lack of integration among systems, and 63% of organisations have issues with an inability to integrate risk analytics from multiple risk systems.
3) Larger business organizations raised one important concern: pressure from various regulators globally, which puts emphasis on the ability of organisations to have risk systems that can respond quickly to new requirements. In India, various regulatory changes took place recently in the form of the Companies (Amendment) Bill, 2017, the SEBI (Listing Obligations and Disclosure Requirements) (Amendment) Regulations, 2018 and various other amendments. In the survey, 40% of large institutions said they were extremely or very concerned about the ability of their risk technology to respond to new regulatory requirements, as did 44% of mid-size institutions and only 12% of small institutions.
4) Risk analytics and risk reporting are considered among the top priorities when taking investment decisions in organizations globally. Among the organizations surveyed, 53% considered risk analytics their top priority when making investment decisions, whereas 51% emphasized real-time risk monitoring, and about 44% of organizations cited the need to create risk dashboards.
GRC software market
The GRC software market is dominated by key players such as IBM, RSA Archer, Thomson Reuters, SAP and Oracle, and has been dominated by technology industry players for more than the last ten years. Buyers expect high performance from GRC software, which helps organizations not only with risk management but also with compliance with regulatory requirements, which differ from one country to another.
The functions of GRC software are evolving on the basis of several trends, which include:
- A growing need for internal audit features as organisations face increasing regulatory requirements, GRC oversight and demands for more business performance audits.
- An increasing need for regulatory content services and change management to deal with regulatory proliferation. In the aftermath of the 2008 global financial crisis, GRC has to support the transparency objectives of regulators and decision making by business leaders. Currently, the regulatory focus of the software is on anti-corruption and anti-bribery worldwide.
- The development of risk analytics to support the integration of risk management and performance management.
- The emergence of third-party risk management to ensure that third parties do not present unacceptable compliance and risk exposure.
- A focus on operational technology and critical infrastructure protection, which increases the variety and volume of risk and control data (‘big data’ management).
The GRC market seems set to grow in the near future as more companies globally have started realizing that investment in GRC software is required for better risk and compliance management.
GRC Programs
In India and across the globe, GRC programs address risks in the following order:
The focus on risks addressed by GRC programs in India and the rest of the world is very similar, as observed from the table above. However, in India, the focus on legal compliance appears to be greater than in the rest of the world. This may be, to some extent, due to recent Company Law amendments which have put the onus on companies to be compliant with all laws.
Let’s consider the skills or knowledge which are considered most important for enhancing the risk, control and compliance functions.
The following table shows the requirements to enhance GRC functions:
| Rank | Global | India |
|---|---|---|
| 1 | Risk management | Risk management |
| 2 | Critical/analytical thinking | Compliance/regulatory |
| 3 | Business strategy | Business strategy |
| 4 | Compliance/regulatory | Audit |
| 5 | Audit | Data analytics |
It can be concluded from the table above that organizations in India and globally understand that risk management activities and business objectives have to function hand in hand to stay ahead in the race. In India, there is a clear emphasis on the need for an increased focus on compliance, as well as on leveraging technology to enhance GRC activities.
Globally and in India, organizations primarily rely on the internal audit function to identify and assess risks. Furthermore, globally, the ERM function also has a relatively more important role to play in ensuring risk coverage. In a GRC survey conducted by Ernst & Young LLP in 2015[2], it was found that Indian companies were lagging behind their global counterparts in preparing an integrated report addressing the organization’s risks and management actions for the Board and executive management at various intervals, say annually, quarterly or monthly. Further, it was also observed that at the global level various GRC solutions are available in the form of GRC software which supports and enables GRC activities. However, companies in India seem to be behind with respect to the utilization and implementation of the latest globally available GRC software for better risk and compliance management. It was found that 45% of the Indian organizations surveyed are not aware of their total spend on GRC activities/functions, as compared with 26% globally. Further, expenditure on GRC activities is higher globally than in the Indian context. Therefore, India can be considered an emerging market for the deployment of GRC software in the near future. Additionally, it was observed that in a relatively large proportion of Indian companies, key performance indicators (KPIs)/key risk indicators (KRIs) are not defined. In a significant proportion of companies (36% in India and 47% globally), KPIs and/or KRIs are defined but not monitored. This clearly indicates that defining and monitoring KPIs and KRIs is an area for improvement.
Reporting of GRC activities
Globally, risk management is addressed by either the full Board or a committee of the Board, whereas in India Audit Committees and Risk Management Committees play an enhanced role. Globally and in India most organizations have management risk committees; however, in India a CRO is not appointed in most of the organizations surveyed. Further, it was observed that in 21% of global organizations and 30% of Indian organizations, dashboards, metrics and performance indicators are not defined to identify/measure risk exposure. Additionally, where these dashboards/metrics do exist, they are mostly reviewed on a quarterly or monthly basis.
Internal Audit (IA) function of the organizations
It was noticed that globally and in India the internal audit reporting structure tends to be broadly similar.
The following table shows the top 6 skills required to enhance the IA functions, globally and in India:
| Global | India |
|---|---|
| Critical/analytical thinking | Data analytics |
| Data analytics | Compliance/regulatory |
| Audit | Risk management |
| Risk management | Audit |
| Deep industry experience | Critical/analytical thinking |
| Process improvement | Fraud prevention/detection |
It can be observed from the table above that skills in reporting various types of risk and the ability to advise business organizations on a real-time basis are in high demand in India as well as globally. Further, in India, the ability to benchmark processes and control practices against other organizations, together with data analytics, is getting high attention.
In India, there is ample scope for improving information security programs through the internal audit mechanism. It was found that in 13% of Indian organizations and 8% of global organizations, IA does not audit GRC functions.
Additionally, it was evidenced that the expenditure on internal audit activities of Indian companies is similar to that of global companies. Further, it was noticed that 13% of global companies and 21% of Indian companies do not measure/monitor their spending on IA activities. Therefore, measuring and thereafter monitoring this expenditure, in India and globally, can be considered a big opportunity for improvement.
It can be evidenced from the table above that, globally and in India, data analytics is extensively used at the execution and testing stage. However, globally, data analytics is relatively more emphasized at the initial stages of IA, i.e., risk assessment and planning. In India, data analytics is more extensively used for reporting and for measuring IA effectiveness/performance.
It was also noticed that globally there is an increased inclination towards technology solutions in the initial stages, such as risk assessment and engagement and project setup, whereas in India technology is mostly used for audit execution, work paper documentation, reporting and issue follow-up. It is recommended that in India an increased focus on technology in the initial stages may help ensure adequate coverage and identification of emerging risks, and also help to save cost and effort.
Conclusion
Presently, the involvement of risk management activities in strategic decision making is minimal in India. Therefore, it can be concluded that there is wide scope for the development and emergence of risk management as one of the key activities assisting a company’s strategic decision making. It is foreseen that in the forthcoming years internal audit will be able to leverage the work of other risk/compliance activities much more efficiently. In the years to come, it is believed that GRC activities such as risk management, compliance, internal controls and internal audit have huge scope for improvement with the emergence of technological solutions.
[1] https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/risk/lu_en_ins_governance-risk-compliance-software_05022014.pdf
[2] https://www.ey.com/Publication/vwLUAssets/Ey-global-governance-risk-compliance-survey/%24FILE/Ey-global-governance-risk-compliance-survey.pdf
(Author can be reached at [email protected])