GRC Summit 2012: Lessons in risk avoidance
Ahead of the GRC Summit 2012, we look at the importance of managing governance, risk and compliance for corporate
Besides being highly complex, the corporate world is experiencing an incremental rise in risks, crises and fraud. At the same time, it also needs to adhere to a growing number of regulations and compliances. In this scenario, it is indeed important to have a comprehensive and integrated strategy to manage governance issues and risks, as well as compliances.
There is no argument that governance, risk and compliance (GRC) management is important. But how important is it? Arvind Mehrotra, president and head Asia-Pacific and Australia, NIIT Technologies, says that managing GRC in the corporate environment is not optional any longer; rather, it is an essential and critical function. He argues that the financial crash of 2008 instilled the attitude across the world that the CEO, board and top management of companies are personally accountable under a raft of statutes for corporate governance that includes compliance and risk management — known as SOX in the US and Clause 49 in India. “The CEO has to personally certify that he has reviewed these areas and that they are in order. Risk in the supply chain is another area of concern as companies which outsource activities — be it manufacturing, material, supplies or services — have very little visibility of what their vendors are producing internally and how the work and material is outsourced.” He says that risks that were previously assumed to be non-existent have now emerged for businesses. This has brought about the development of a risk register, and managing this must come to the fore.
According to Rajdeep Premkumar Pai, senior partner at Sarrof Pai & Associates, whenever an organisation crosses its boundaries of risk appetite and ethical practices, it weakens governance and the risk management process, thereby giving a strong invitation for a crisis. “On the other hand, top management initiatives and the active support for strong governance and risk management processes — embedded in ethical practices implemented across entity-wide operations — will reap the benefit of driving principle performance, weathering financial crises and never losing sight of balancing strategic long-term goals with short return and gains.”
Jyotin Mehta of Voltas personally believes that as Indian corporates aspire increasingly to go global, their governance, risk and compliance efforts will have to be explicitly demonstrated to justify credibility to partner with international partners. “The top management needs to view the focus on GRC as a business enabler or accelerator,” he says.
Suparna Singh, VP for governance and risk management at the Essar Group, offers an interesting insight: “If we delve into the corporate philosophy, we will find that a corporation is actually a trust-bridge between the supplier, manufacturer and the customer to take the right actions at the right time and in the right manner in order to maximise returns to all stakeholders.” She believes the model of GRC assures society that power is not being misused. Sanjay K Mathur of Tata Communications says that GRC provides a bird’s eye view on risk and control to top management. “It reduces redundancy and duplication of audit, which helps the management to focus on the risk that matters most for the company. This integrated risk approach also helps to manage the cost of governance effectively without compromising the quality,” he adds.
Implementation and benefits
Mehrotra of NIIT Technologies says that since the penalties for non-compliance are severe, the only way for the CEO to certify compliance is through bottom-up compliance certification. “Implementing such a bottom-up process of compliance and certification through a workflow-based application is therefore very necessary. The workflow-based application may require compliance by parties with whom we have a contract or who represent the brand. Across the organisation, implementing GRC applications improves the company’s business performance and productivity through identification of risks and mitigating these. Risks could be market risks, supply chain risks and so on. Today, trade barriers are coming through new sets of compliances; thus, deploying enterprise-wide GRC becomes critical and also ERP systems only cover 50-70 per cent of activities or data that an organisation manages or processes,” he explains. Mehta says that, besides demonstrating commitment to meet global compliance standards, focus on GRC will help business manage risks better and in a structured manner, rather than depending on a gut feeling. “A structured GRC framework will ensure robust compliance processes that will help business functions without fear of nasty surprises or disruptions.”
Mehrotra says manual or paper-based GRC systems are prone to manipulation and non-compliance. “Today, GRC applications can be bolt-ons riding over the company’s core ERP backbone. Cloud-based GRC or risk management solutions are making this affordable and easier. NIIT Technologies has invested and built GRC platforms and also offers Cloud-based risk management systems. Some GRC solutions are restricted to an industry,” he says.
According to Mehta, the single biggest concern is the risk of making GRC a checklist exercise. “The best approach is to have the right tone emanating from the board and top management to ensure that GRC is followed in spirit and is dynamic enough to match business requirements,” he says.
Mehrotra believes things are not very different in manufacturing. “For product manufacturing norms, environment regulations, health and safety reporting and traceability are key requirements, which are very often clubbed along with GRC requirements,” he adds.
Jyotin says CSR progressively is bound to be covered as legislation governing CSR is rolled out. Suparna suggests the Government should reward GRC initiatives by the manufacturing sector first by simplifying requirements and thereafter expediting the approval process.
Name: GRC Summit 2012
Dates: March 15-16, 2012
Venue: Peninsula Grand, Mumbai
Contact for details: Abidali Dossa
Head — Conferences & Knowledge Forum
Direct: +91 22 6154 6013
GSM: +91 9702 849915