www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
04 February 2008  
Proactively managing risk across the enterprise

Faced with complex, dynamic and distributed business operations, Indian companies are resorting to a structured approach to GRC. Enterprise risk and compliance are aligned centrally with corporate governance and reporting, but are distributed to lines of business to assign ownership and accountability for risk and compliance, says Akhtar Pasha.

With the increasing volatility of today’s business environment and the growing volume and complexity of regulatory mandates nationally and globally, you need an enterprise-wide view into the risks associated with all lines of business and geographies. At the same time, it’s vital that you understand the relationships between risks and your corporate strategy so that you can make better-informed business decisions.

Serious thought, and serious deployments, went into the governance, risk and compliance (GRC) market in 2007.

“We want to make sure that we have the right landscape and partners to adapt to those changes, respond to our customers’ needs. So [regulations] aren’t just annoyances that you have to keep up with. These are massive strategic weapons you want to deploy because they make your business run more efficiently,” said S Sridharan, Vice President- Information Technology, Orchid Chemicals & Pharmaceuticals Ltd.

“We used to be in a reactive mode; with SAP GRC Access Control, we are now in a proactive mode. In addition to saving valuable time, we were able to avoid the costs and headaches associated with managing a separate system,” said Probir Mitra, Senior General Manager-IT, Tata Motors.

“Simply put, it’s not [really] about compliance … it’s allowed banks to lower their capital reserves. If we follow certain processes, we can decrease the amount they need to keep in their capital reserves, and that saves money,” said the IT head of a public sector bank.

“We can measure and manage interest rate risks and balance sheet violations and it is all automated now,” said Dr Meera Aranha, Assistant General Manager, Integrated Risk Management, Karnataka Bank Ltd.

Effective GRC strategies show that companies are committed to integrity-driven performance. That is the message coming through loud and clear from the companies deploying it.

Impact of GRC on EAS

While it would be difficult to put a number on the growth of GRC, Chris McClean, Analyst, Forrester Research said, “The market’s growth is often very different depending on the region.” In the US, SOX was an important initial driver, but over the last year or so, companies have been extending GRC practices into other areas of operational risk management and corporate compliance. European buyers, however, appear to be more focused on the process management side of GRC. “In India and other countries with a strong emphasis on outsourcing, GRC programs are more likely to include elements such as information security and quality control. Expectations from regulators, investors, and business partners have continued to grow over the last year, and as companies try to develop consistent methods to track and report on their efforts, the GRC market expands,” he added.

Interestingly, some established vendors with complementary software offerings (such as business intelligence, business process management, enterprise resource planning, etc.) are also seeing significant potential in the GRC market, and are developing or acquiring technologies to compete. Some of the world’s largest software companies, including IBM, Oracle and SAP, are all vying for GRC dollars, which will eventually make things difficult for GRC players that haven’t established a strong product and customer base. SAP has a completely separate stack of products that address GRC, while Oracle’s GRC solutions are part of its ERP suite.

It was SAP, primarily, and to some extent Oracle, that were responsible for building this market. Atul Sareen, Vice President, Specialised Solutions Sales Group, SAP India said, “GRC was new from the solution perspective and we started focusing on it in Q2 2007 in India. Over the last eight months, customers have shown active interest in GRC and we have been able to close as many as 20 customers in this timeframe.” SAP ramped up customer acquisition towards Q4 2007 with over half a dozen customers. Sareen added, “We have seen high demand from large customers but surprisingly we are seeing a fair amount of traction from mid-sized businesses and there are all kinds of customers from different verticals.” Sandeep Gosain, CTO, Panacea Biotec added, “We are in the evaluation stage for investing in a GRC type of solution this year, but the characteristics of the market are such that it mandates that your software product, business process and people all follow governance, compliance and risk management, and if you happen to be in pharmaceutical manufacturing/healthcare there are more reasons than one.”

They say that the proof of the pudding is in the eating. Names such as Tata Motors, Wipro Technologies, Dr. Reddy’s Labs, HCL, Asian Paints, Bharat Petroleum Corporation Ltd, BHEL, M&M, Infosys Technologies, ABB, GMR Group, Tata Chemicals, Orchid Chemicals & Pharma, LANCO Infrastructure, Subros Ltd, KPIT Cummins, Syntel Corp, Godrej Sara Lee, Watson Pharmaceuticals and Karnataka Bank (Oracle’s only customer) speak volumes about the growth of the GRC market in India.


Fragmented approach

Achieving a high level of visibility and control is nearly impossible when GRC activities and systems are fragmented and manual. Disjointed approaches to risk management mean that risk teams lack the support needed to coordinate activities across the enterprise. For example, different areas of the business may describe, analyze and track risks inconsistently, a real problem when it comes to aggregating risks and auditing processes. Line-of-business owners may not have a formalized process for risk identification, so they learn about risks too late or tend to focus on the wrong risks. Nor can executives see what’s happening in other areas of the enterprise or understand the organizational impact of seemingly localized risk events. The end result is that the organization is often left in the dark until risks turn into losses. Mitra agreed, “There was no IT set-up earlier for GRC when we wanted to get listed on the New York Stock Exchange. Since there was no automated software there was no authorization management. We have about 4,000 SAP users across our operations and there were huge conflicts of duties in our business operations.” For example, if a person was approving prices, there was a chance that the same person could also change the master data. The company was using spreadsheets and managing manual, paper-based documents, which made the audit process difficult and cumbersome.

Expensive status quo

From a pure cost perspective, the status quo is simply too expensive to sustain. The financial impact of fragmented GRC efforts with respect to human capital, services and technology costs has not been calculated, but the cost of compliance efforts alone has been well documented. A slew of corporate scandals in the past, including at Enron, WorldCom, Adelphia and Arthur Andersen, compelled organizations and governments to put in place several compliance and regulatory norms to prevent the recurrence of such incidents. Spending on Governance, Risk and Compliance (GRC) will hit $30 billion in 2007, according to AMR Research.

Step one: Access and Process control

According to Forrester, GRC consists of things that companies do anyway today. All of them have some level of governance structure, they make decisions based on their best understanding of risks, and they all have some level of regulatory and standards obligations to address. The strategic importance of overseeing these various efforts from a centralized position can be seen in two key areas. The first is creating more efficient processes by which these critical tasks are achieved, by minimizing redundancies and introducing consistent practices throughout the organization. The second is being able to aggregate and monitor a lot of valuable information centrally, so that key decisions are informed by detailed analysis of the impact on governance, risk management and compliance.

“One of the key drivers is to create a single source of record for compliance. Companies have tremendous pressure from environmental, financial, labor, and other regulations depending on their industry, and keeping track of them all with spreadsheets has become cumbersome. Another key driver is the understanding of risk management as a critical factor in decision making in all areas of the business. GRC programs are being put together to get broad participation in risk assessments and control assessments,” said McClean.

Sareen said, “The Indian economy is bustling and businesses across sectors are witnessing higher growth and many companies are getting listed at bourses both domestic and globally and to ensure proper governance they need solutions that can help them adhere to GRC norms.” He added that two things, compliance and regulation and the need for self governance, are driving investments in GRC. Additionally, auditors such as PwC and Deloitte are acknowledging that possible frauds can be detected in real time and are recommending that companies have GRC systems in place, said Sareen.

“SAP products (Virsa) gave us better control over Authorization Management and helped us solve SoD (segregation-of-duties) conflicts,” Mitra added. His company has been able to perform ongoing checks of segregation of duties and work with managers to review roles, risks and conflicts. When someone requests a modification to his or her role or to a function, IT runs a simulation to see whether the change would create a new conflict. SAP GRC Access Control identifies the risk and describes it; the reports are easy to understand. This enables users to decide that, yes, this should be part of their role, or no, they need to negotiate with another team to integrate that capability. “This helps our business users who like to know in advance if there are any conflicts. The SoD checks uncover conflicts like the one in customer service, where users were not only processing orders but also creating customers. The application identified the risk – someone who could create a customer and process orders could modify the system and change address details,” said Mitra. In another case, users that issue online purchase-order agreements wanted to modify data at the customer level for order consolidation. SAP GRC Access Control highlighted that this would create a conflict, so the users transferred that responsibility to the master data team to achieve the assurance that Tata Motors required.

Gosain said, “The GRC approach should be such that instead of being reactive it should be proactive.” For example, in production planning, process instruction sheets, engineering change management, recipe management, electronic batch records, and master production and control records all need to be regulated so that a proper audit trail is maintained, so that any deviation triggers a notification, and so that the risk can be tracked and tackled before it does any damage. “The GRC works on the basis of authorization profiles with a generally-accepted phrase ‘That which is not permitted is prohibited’, i.e. a materials purchase person’s role should not include invoice verification and payment authorizations. In case someone tries to include it, the system should immediately escalate it to risk managers and authorizations will be locked, disallowing any unauthorized person from carrying out tasks that are outside their assigned job role or portfolio.”
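The role-change simulation Mitra and Gosain describe, as an added example that is not SAP GRC Access Control’s or Oracle’s own logic: a constructed SoD rule set (the customer/order, purchase/invoice/payment and price/master-data pairs from the article), a constructed role catalogue, and a check that reports only the conflicts a requested change would newly introduce. All names and data are assumptions for illustration.

```python
# Constructed SoD rule set: pairs of business functions one person must not
# hold together, with the risk each pair represents (cases from the article).
SOD_RULES = {
    frozenset({"create_customer", "process_orders"}):
        "could create a customer, process orders to it and change address details",
    frozenset({"purchase_materials", "verify_invoices"}):
        "could raise purchases and verify their own invoices",
    frozenset({"purchase_materials", "authorize_payments"}):
        "could raise purchases and authorize payment for them",
    frozenset({"approve_prices", "maintain_master_data"}):
        "could approve prices and alter the master data behind them",
}

# Constructed role catalogue: role name -> business functions it grants.
ROLES = {
    "customer_service": {"process_orders"},
    "master_data_team": {"create_customer", "maintain_master_data"},
    "buyer": {"purchase_materials"},
    "accounts_payable": {"verify_invoices", "authorize_payments"},
    "pricing": {"approve_prices"},
}


def functions_for(roles):
    """Union of the business functions granted by a set of roles."""
    return set().union(*(ROLES[r] for r in roles))


def sod_conflicts(functions):
    """Every SoD rule violated by a function set, as (func_a, func_b, risk)."""
    hits = []
    for pair, risk in SOD_RULES.items():
        if pair <= functions:            # both halves of the toxic pair present
            a, b = sorted(pair)
            hits.append((a, b, risk))
    return sorted(hits)


def simulate_role_change(current_roles, requested_roles):
    """Simulate granting requested_roles on top of current_roles.
    Returns only the conflicts the change would *newly* introduce, so a
    request is judged on what it adds, not on conflicts already carried."""
    before = set(sod_conflicts(functions_for(set(current_roles))))
    after = set(sod_conflicts(functions_for(set(current_roles) | set(requested_roles))))
    return sorted(after - before)


if __name__ == "__main__":
    # The article's customer-service case: order processors asking to create customers.
    for a, b, risk in simulate_role_change({"customer_service"}, {"master_data_team"}):
        print(f"CONFLICT {a} + {b}: {risk}")
```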

Sridharan added, “SoD is an important step in GRC that any company should follow and it is mostly driven by CFOs today. There is a paradigm shift in an organization’s thinking: instead of adopting a reactive approach, most businesses are adopting a proactive approach.”

Risk planning and new rules

Gosain added, “There are other driving factors for GRC: regulatory, statutory, exports and green environment. For example, in regulatory compliance, if you are planning to market your product in Europe or in the US there are stringent country-specific norms that apply.” For example, in Europe it’s the UK MHRA, and in the US it’s the US FDA’s 21 CFR Part 11, which mandates the maintenance of electronic records and signatures as part of good clinical, laboratory and manufacturing practice. “The second one being statutory compliance: when any materials are received or leave the premises of the company, VAT details/payables have to be triggered, and any deviation should be captured immediately and an active decision taken to rectify the same. And if you are doing international business (exports) there are country-specific financial reporting and policies that need to be followed. Last but not least, global environmental, health and safety compliance norms that must be followed by pharma/healthcare companies. It includes the disposal of hazardous materials and methods, not procuring materials that are banned or regulated for manufacturing, and carbon credits (points are given for not polluting the environment),” said Gosain. He added that “Compliance is integral to pharmaceutical manufacturing and every part of product and process in manufacturing should be totally compliant.”

Sridharan said that his industry deals with activities from drug discovery to delivery. The regulatory (all the manufacturing plants needed to be US FDA 21 CFR Part 11 compliant), statutory and risk management requirements have driven Orchid to invest in SAP GRC for Access Control, Process Control and Risk Management. “We wanted to identify possible deviations or violations that can occur during business processes and map these with our business so that we can address the possible effects that these may have on our business operations. Hence we wanted to automate systems wherein any violation in the process or access can be addressed as it happens rather than doing a post-mortem when it has done the damage,” he added.

Dr Aranha said, “Oracle Risk Manager provides fundamental periodic analysis on balance sheet positions, simulation capabilities and RBI compliance reports and Basel II guidelines.” An Oracle spokesperson added that while the larger and more competitive banks are increasingly spending on ensuring adherence to compliance, the smaller banks are also getting their act together as the RBI deadline fast approaches. Basel II regulations will impact Indian banks across segments by altering market risk capitalization, especially because they are still holding a significant portion of their portfolio in investments. On the whole, Indian banks will see their Capital Adequacy Ratio (CAR) figures go down after the adoption of Basel II standards, which will make it necessary for them to raise capital through public offerings.

Access control (SoD) and process control are the first step in GRC, and most Indian companies are focusing here. Up next, we predict that environmental safety will be the driver for GRC, as discussed by Panacea Biotec, followed by Global Trade Services, which we shall discuss in detail as it happens. As of today, distributed GRC is converging to a federated model in many organizations. Increased risk and regulatory pressures in a distributed business environment are propelling organizations to craft consistent game plans for centralizing GRC oversight and responsibility while allowing accountability to fall across the organization.

akhtar.pasha@expressindia.com

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.