Project Report
TITLE: IMPLEMENTING GRC AS PER CLAUSE 49 LISTING REQUIREMENTS
- Governance, Risk and Compliance (GRC) has been at the fore-front of corporate world due to the increasing emphasis on implementing this to meet regulatory requirements of Corporate Governance. Specific provisions highlighting the regulatory requirements for implementing GRC in enterprises as per Clause 49 listing requirements are:
- Risk Management
- CEO/CFO Certification
- Internal Control
- Auditor Certification
Although a GRC program (project) can be implemented primarily from a compliance perspective, it is advisable to consider business requirements also so as to optimize the investments made in implementing relevant processes, control structures and systems. GRC program Implementation requires:
- Defining clearly what GRC requirements are applicable
- Identifying the regulatory and compliance landscape
- Reviewing the current GRC status
- Determining the most optimal approach
- Setting out key parameters on which success will be measured
- Using a process oriented approach
- Adapting global best practices as applicable
- Using uniform and structured approach which is auditable.
- In today’s scenario compliance relating to statutory, contractual or any other requirement has become one of the major risks for business. Compliance is getting more and more demanding, because it’s one thing where senior management is responsible for any non- conformity which depends on the response of their team. E&Y Business Risk Report 2010 listed “REGULATION & COMPLIANCE” as the biggest risk. Compliance has remained one of the most prominent risk since 2008.The Clause 49 of the Listing Agreement of SEBI in India and similar laws in other countries put responsibility on directors, CEOs and CFO’s for adherence to statutory compliance.
DETAILS OF CASE STUDY/PROJECT (PROBLEM)
Introduction
Agile IT Solutions (AIT) Ltd has recently gone public and is listed in the national stock exchange in India. AIT has been traditionally a family owned business with the major shareholders and the senior management of the company belonging to a well renowned business family. The management has decided to professionalize the company by appointing professionals to all key posts and implement documented procedures and policies to meet regulatory and compliance requirements as required as applicable to the company. AIT manufactures a well-known brand of UPS which enjoys a good reputation in the market and has customers across all industry verticals. It has head office at Chennai and factory at Pondicherry. It has regional offices in all metro cities and branch offices in 10 cities across India. It is using an integrated software solution with all offices and factory networked together. It has more than 500 employees across its offices in India. It has combination of in-house IT department and outsourced vendors. It is critically dependent on IT for all key operations. The company is enjoying increasing growth in terms of turnover and market- share.
Background
There have been recent failures of IT for long periods of time which has impacted production and delivery of products and services to customers. The management is concerned with the risk management strategy adapted and the impact on compliance. It would like to make the transition from a family managed company to a professional run company with documented policies and procedures.
PROJECT REPORT (SOLUTION)
Introduction
Agile IT Solutions (AIT), a traditional family owned business manufactures a well-known brand of UPS which enjoys a good reputation in the market and has customers across all industry verticals whose head office situated at Chennai and factory at Pondicherry with regional offices in all metro cities and branch offices in 10 cities across India. The company uses an integrated software solution with all offices and factory networked together. Currently the governance and management part of the business is held within the family and it wants to make transition from family managed company to a company run by professionals with documented systematic operating procedures (SOP).
It has recently gone public and listed in the national stock exchange in India. The listing with a stock exchange brings about a radical change in the entire organization. Through the stringent requirements, the listing ensures discipline in various dimensions, including business, management, public relations, reporting, and information technology, in the company. The company is critically dependent on IT for all key operations and any disruption would impact the key activities of the company.
Since the company likes to make the transition from a family managed company to a professionally run company, the transition has to be evidenced with documented policies and procedures. The listing agreement and the Information Technology Act, as amended in 2008 along with a plethora of other regulatory requirements play a key role in governance and risk management of the company, also lay down a long list of compliance requirements to be met in the due course of its operations.
Auditee Environment
The Company has approached us, M/s ANGEL CONSULTANT, a leader in cloud-based cyber security solutions that help organizations of all sizes to reduce the risk of cyber breaches and demonstrate compliance. Final Assessment`s Final CSO is a revolutionary solution that dramatically streamlines the management of IT governance, risk and compliance (GRC) programs. It accomplishes this by tightly integrating and automating all eight critical IT GRC components: Risk Management, Compliance Management, Audit Management, Vendor Management, Incident Response Management, Vulnerability Management, Policy Management and Training Management. Most important, it provides built-in security and compliance expertise that most organizations lack. Because of its unique architecture and cloud delivery, Final CSO deploys rapidly and reduces the cost of GRC management by as much as 80%. With market experience that spans over 300 customers, Final Assessment offers the insight, products, professional services and partners to support the security and risk management efforts of organizations of all sizes across all industries. Founded in 2014, the company has executive offices in Patna, Bangalore, Hyderabad, Kolkata and New Delhi. For more information, call (0612) 12345678
Background
This assignment is being carried over due to the following reasons:
- Agile IT Solutions (AIT) Ltd has recently gone public and is listed in the national stock exchange in India., due to which company needs to comply with mandatory audit requirement as specified in Clause 49 of the listing agreement mandates certain amount of Governance, Risk Management and Compliance
- Entity critically dependent on IT for all key operations, accordingly, it needs to comply with certain compliances as required by The Information Technology Act as amended in 2008.
- The Company hitherto being run by a family wants to now convert itself into a professionally run company with documented policies and procedures, which requires systematic approach such as COSO / COBIT 5 framework.
- There have been recent failures of IT for long periods of time which has impacted production and delivery of products and services to customers accordingly the management is concerned with the risk management strategy adapted and the impact on compliances .
- The growing size and scale of the company requires a program to, Identify the assets, threats and controls, and then mitigate and manage risk with the right controls.
Situation
The newly appointed CIO and head of IT has approached us as an IS Assurance professional to provide a comprehensive list of regulatory and compliance requirements which are to be met by the company as per various IT and regulatory requirements and specifically for implementing GRC as part of the corporate governance requirements.
Terms and Scope of assignment
- Review adequacy of internal control systems and confirm its appropriateness. In case of control weakness, provide appropriate recommendations for remediation.
- Review functioning of internal audit function, reporting structure coverage and frequency of internal audit and identify areas requiring improvement.
- Review financial and risk management policies as per corporate governance requirements and provides recommendations for improvement.
- Review compliance requirements as per Information Technology Act as amended in 2008.
- Review whether the current risk management strategy is adequate considering the enterprise current and future business plans, business processes, technology deployed, organization structure and regulatory requirements.
References
SEBI Compliances ( SOX in the global scenario)
Companies Act,2013
IT Act 2000, as amended to IT Act 2008
ISO 19011,31000:2009
COBIT 5 Framework
Risk Management Plan of Various Indian Companies
Deliverables
Recommendations on how to improve internal control systems and internal audit system as relevant for AIT.
Internal Control
According to COSO framework internal control is defined as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”.
COSO is an Enterprise Risk Management-Integrated Framework which was first published by the Committee of Sponsoring Organizations (COSO) established by Tread way commission in 1992 to define the internal control framework for business organizations, particularly listed companies where the stakeholders are common people who invest in securities. The latest update of COSO is the COSO Framework 2013. COSO has developed the framework for internal controls focusing on designing of controls based on risk assessment.
There are five integrated components of internal control:
- Control Environment,
- Risk Assessment,
- Control Activities,
- Information and Communication, and
- Monitoring Activities.
The Framework is adaptable to a given organization’s structure, allowing customization to consider internal controls from an entity, divisional, operating unit, and/or functional level, such as for a shared services Centre. The key role of management judgment in designing, implementing, and maintaining internal control, as well as assessing its effectiveness, is retained.
Adequacy of Internal control
To create an effective internal control system, an organization should establish the following:
Policies and procedures including, among others, organizational structure, job descriptions, authorization matrix
Segregation of duties and responsibilities
Authorization and approval process
Performance monitoring and control procedures
Safeguarding assets, completeness and accuracy
Manpower management
Independent internal audit function
Regulatory compliance and risk management
Appropriateness of Internal control
Controls over the business activities in an organization is said to be appropriate by establishing the following:
Adequacy & compliance of policy and procedures;
Proper governance structure
Monitoring the manpower management
Proper periodical review of business activities;
Internal Control Weakness
The most common weaknesses we see in organizations are:
Philosophy – understood but not written, open to misinterpretation
Roles and responsibilities – responsibilities are not explicit throughout the organisation
Converting strategy to business objectives – strategic objectives do not directly translate into business objectives
Risk to delivering performance – some form of risk profiling, but often divorced from the practical reality of doing business
Performance appetite – lack of understanding of the organization’s appetite for risk taking
Summary of performance and risk effectiveness – Boards do not receive the right information, either too little (under informed) or too much (information overload)
Behavior – disincentives exist which lead employees to behave in a dysfunctional manner. Embedding risk management into the company
Internal Audit
Internal audits are an important part of all management systems. They demonstrate whether your routines and procedures are effective. Effective audits make you aware of potential problems and risks at an early stage before they lead to deviations, complaints, incidents and other undesirable situations.
The following are the principles in ensuring a proper Internal Audit System in the company:
- Choose the right auditor:
A truly good auditor must have the right personal qualities. He or she
- Is open to alternative ideas or opinions, but is still targeted and focused
- Is good at listening, observing and quickly pick up the essentials of all available information
- Is able to be open and friendly, and to communicate with individuals at various levels within the organisation and with different personalities
- Has an analytical orientation
- Is able to stay objective, without letting their personal opinions influence or take control
In short, the auditor should be a person who knows everything and then some! For the position of internal auditor, the company should look for people who, because of their personal qualities, are also in demand of many other tasks. An organisation can even make efforts to breed a good auditor in the company.
Checklist:
- Is management aware of the importance of choosing the right auditors?
- Are the internal audits organised in such a way that they attract the people we want to use as internal auditors?
- Auditing is a competency
In addition to having the right qualities and skills the good auditor also needs to have the appropriate knowledge and experience. The auditor must (just like any other position within an organisation) be professional based on education, training, work- and auditing experience.
The ISO 19011 guidelines for auditing management systems lists some of the knowledge and experience needed:
- Audit principles, procedures and techniques
- Relevant standards, laws, regulations and other requirements
- Management system set up, methods and techniques within auditing
- Business processes and associated terminology
Checklist to ensure auditing competency in the organisation:
- Has the company decided what skills are important to it?
- Has it defined mandatory internal and external training programs?
- Is there a program for advanced internal training of auditors?
- Is there a training program that is customised to individual needs?
- Focus on the right issues
An audit must focus on the business risks and relevant issues from the beginning. Internal and external audits require time and resources. It’s not just about the auditor’s time, but also – and this is sometimes forgotten – the time the respondents spend on the audit. Additionally, management spends time on going through the reports, look for causes, actions and how to follow these up. The time is well spent only if the report focuses on the most important areas for your business.
According to the ISO 19011 guideline, the objectives of internal audits can very well be based on
- The board of directors’ priorities
- Business (“commercial”) objectives
- Statutory and contractual requirements
- Risks for the organisation
Checklist:
- Is management actively involved in determining the scope and area of interest for the auditors?
- Has the management gone beyond and above the level where it’s about meeting the requirements of the standard?
- Is there a direct link between the auditors result and what management is working with?
- If the result is such that management should pay attention, is it formulated in such a way that management will act on its own?
- Improve the quality
Company must often invest time and energy into the auditors on a single occasion, namely when appointed. As long as the auditors present their reports in accordance with the planning they hear nothing more from the management. Auditing is a competency. Competencies need to be nurtured and developed. Competencies that you do not invest in stagnate and become obsolete.
Checklist:
- Are regular training sessions arranged for the auditors – to provide in-depth and broadened knowledge, training on changes in legislation and standards, personal development?
- Is the management regularly evaluating the quality of auditors and audits? Is tutoring and regular personal feedback built into the audit process?
- Is the management keeping the auditors’ competence profile up to date?
- Is there enough space for personal development and growth, within the auditor role?
- Renew periodically
Marketers know this: sometimes they have to renew the product for it to remain attractive. Sometimes, a new packaging is all it takes, and sometimes you need a revolutionary product innovation. One thing is certain; a product that stays the same year after year will become less attractive.
Reporting Structure Coverage
Preparing an annual programme of work, often described as the internal audit plan, has always been a challenge. Demand for assurance and consulting services usually exceeds available budgets or resources. This means choices have to be made that will determine the impact internal audit has upon the organization and the way people perceive the value of internal audit. The following factors need to be considered before deciding the coverage of the internal audit plan:
- Create a framework to enable an overall opinion.
- Prepare an internal audit strategy
- Review maturity level of risk assessment
- Review the things that matter high priority objectives and risks.
Frequency of Internal Audit
Management systems such as ISO 9001, ISO 14001 and OHSAS 18001, require that internal audits are scheduled at planned intervals; they do not established a specific frequency nor do they establish that all processes need to have a yearly internal audit. Organizations need to establish a frequency that is right for them. They decide if the audits will be performed monthly, quarterly, twice a year or once a year. However, there are some criteria that should be considered before defining a frequency that adjusts to an organization’s context and needs. These are:
- Crucial or high risk processes should be audited on a more frequent basis, perhaps quarterly or twice a year.
- Low risk processes can be audited just once a year or every other year.
- Well established processes that run efficiently can be audited once a year or every other year.
- New developed processes should be audited quarterly until they are stable.
- Processes that have a history of frequent deficiencies or non-conformities, can be audited quarterly or twice a year.
- Processes with troubles achieving targets and objectives can also be audited quarterly or twice a year.
- An organization’s budget for the execution of internal audits.
- Regulatory or customers’ requirements.
Some Recommendations as relevant for AIT:
- Introduce theme audits.
- Include one of management’s specific focus areas at each audit.
- Connect with current problems and current objectives.
- Refresh the reporting – review presentation methods and templates.
- Renew the auditor pool.
- Remember to sometimes focus on external audits of suppliers and subcontractors.
- Replace auditors with the company next door/ affiliates or perform comprehensive audits within the company.
- Focus attention upon the risk management process; its design, application and reporting mechanisms – review and report upon the organization risk maturity level
- Build the audit plan around high priority risks, key areas of change and the assurance needs of stakeholders.
- Where possible work with and rely upon other assurance providers.
- Work with external providers of assurance in a co-sourced arrangement to fill skills and knowledge gaps.
- Consider the importance of routine processes and activities (audit universe) but keep this in tune with key business risks and developments.
Make key choices, including what is not being done, transparent to key stakeholders to engage stakeholders in questions of risk appetite and the need for assurance. Using these principles will ensure conformance to the Standards and provide
Current financial and risk management policies to meet the corporate governance requirements
Risk management is about managing threats and opportunities. ISO 31000:2009 describes risk as the ‘effect of uncertainty on objectives’ When management of risks or opportunities is effective, it often remains unnoticed. When it fails, the consequences for clients and staff may be significant and politically high profile. Having good risk management practice ensures that the department can undertake activities with the knowledge that measures are in place to maximize the benefits and minimize the negative effect of uncertainties on organizational objectives.
The risk management process is a “systematic application of management policies, procedures and practices to the activities of communicating and consulting, establishing the context, identifying, analyzing, evaluating, treating, monitoring and reviewing risk”.
An organization’s ability to manage risk effectively depends on its intentions and its capacity to achieve those intentions. This intent and capacity is referred to as its risk management framework and is part of its system of governance and management. The quality of the framework is important because effective risk management requires:
- Clear expectations from ‘the top’
- Appropriate capability (skills, resources, support)
- Sound relationships with stakeholders
- Integration of necessary risk management practices into the day-to-day activities and accountabilities of the management team
- A commitment to continually learn and improve.
The risk management framework should not attempt to replace the natural capability of people to manage risk; rather it should enhance good practices so that the process is reliable, comprehensive and consistent. For this to occur and for the required capability to be achieved, the organization requires
- A set of suitable ‘tools’
- A coherent approach to training and communicating to people so that they can use those tools in a competent and consistent manner
- An approach that signals and reinforces the correct behaviour and way of thinking.
The typical elements of a framework and an illustration of how this supports the integration of the risk management process is shown in the figure below.
Current financial and risk management policies to meet the corporate governance requirements
Risk management is about managing threats and opportunities. ISO 31000:2009 describes risk as the ‘effect of uncertainty on objectives’ When management of risks or opportunities is effective, it often remains unnoticed. When it fails, the consequences for clients and staff may be significant and politically high profile. Having good risk management practice ensures that the department can undertake activities with the knowledge that measures are in place to maximize the benefits and minimize the negative effect of uncertainties on organizational objectives.
The risk management process is a “systematic application of management policies, procedures and practices to the activities of communicating and consulting, establishing the context, identifying, analyzing, evaluating, treating, monitoring and reviewing risk”.
An organization’s ability to manage risk effectively depends on its intentions and its capacity to achieve those intentions. This intent and capacity is referred to as its risk management framework and is part of its system of governance and management. The quality of the framework is important because effective risk management requires:
- Clear expectations from ‘the top’
- Appropriate capability (skills, resources, support)
- Sound relationships with stakeholders
- Integration of necessary risk management practices into the day-to-day activities and accountabilities of the management team
- A commitment to continually learn and improve.
The risk management framework should not attempt to replace the natural capability of people to manage risk; rather it should enhance good practices so that the process is reliable, comprehensive and consistent. For this to occur and for the required capability to be achieved, the organization requires
- A set of suitable ‘tools’
- A coherent approach to training and communicating to people so that they can use those tools in a competent and consistent manner
- An approach that signals and reinforces the correct behaviour and way of thinking.
The typical elements of a framework and an illustration of how this supports the integration of the risk management process is shown in the figure below.
For risk management to be effective, the company should at all levels comply with the principles below.
Risk management creates and protects value.
Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.
Risk management is an integral part of all company processes.
Risk management is not a stand-alone activity that is separate from the main activities and processes of the company. Risk management is part of the responsibilities of management and an integral part of all organization processes, including strategic planning and all project and change management processes.
Risk management is part of decision making.
Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
Risk management explicitly addresses uncertainty.
Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
Risk management is systematic, structured and timely.
A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.
Risk management is based on the best available information.
The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.
IS/ISO 31000: 2009
Risk management is tailored.
Risk management is aligned with the company’s external and internal context and risk profile.
Risk management takes human and cultural factors into account.
Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the company’s objectives.
Risk management is transparent and inclusive.
Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the company, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.
Risk management is dynamic, iterative and responsive to change.
Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.
Risk management facilitates continual improvement of the company.
Company should develop and implement strategies to improve their risk management maturity alongside all other aspects of their company.
Attributes of enhanced risk management
The company should aim at the appropriate level of performance of their risk management framework in line with the criticality of the decisions that are to be made. The list of attributes below represents a high level of performance in managing risk.
Continual improvement
An emphasis should be placed on continual improvement in risk management through the setting of organizational performance goals, measurement, review and the subsequent modification of processes, systems, resources, capability and skills.
This can be indicated by the existence of explicit performance goals against which the organization’s and individual manager’s performance is measured. The company’s performance can be published and communicated. Normally, there should be at least an annual review of performance and then a revision of processes, and the setting of revised performance objectives for the following period.
This risk management performance assessment is an integral part of the overall organization’s performance assessment and measurement system for departments and individuals.
Full accountability for risks
Enhanced risk management must include comprehensive, fully defined and fully accepted accountability for risks, controls and risk treatment tasks. Designated individuals should fully accept accountability, must be appropriately skilled and have adequate resources to check controls, monitor risks, improve controls and communicate effectively about risks and their management to external and internal stakeholders.
This can be indicated by all members of an organization being fully aware of the risks, controls and tasks for which they are accountable. Normally, this will have to be recorded in job/position descriptions, databases or information systems. The definition of risk management roles, accountabilities and responsibilities should be part of all the organization’s induction programmes.
The company should ensure that those who are accountable are equipped to fulfil that role by providing them with the authority, time, training, resources and skills sufficient to assume their accountabilities.
Application of risk management in all decision making
All decision making within the Company, whatever the level of importance and significance, involves the explicit consideration of risks and the application of risk management to some appropriate degree.
This can be indicated by records of meetings and decisions to show that explicit discussions on risks took place. In addition, it should be possible to see that all components of risk management are represented within key processes for decision making in the organization,
e.g. for decisions on the allocation of capital, on major projects and on re-structuring and
organizational changes. For these reasons, soundly based risk management is seen within the company as providing the basis for effective governance.
Continual communications
Enhanced risk management includes continual communications with external and internal stakeholders, including comprehensive and frequent reporting of risk management performance, as part of good governance.
This can be indicated by communication with stakeholders as an integral and essential component of risk management. Communication is rightly seen as a two-way process, such that properly informed decisions can be made about the level of risks and the need for risk treatment against properly established and comprehensive risk criteria. Comprehensive and frequent external and internal reporting on both significant risks and on risk management performance contributes substantially to effective governance within the company.
Full integration in the organization's governance structure
Risk management is viewed as central to the company’s management processes, such that risks are considered in terms of effect of uncertainty on objectives. The governance structure and process are based on the management of risk. Effective risk management is regarded by managers as essential for the achievement of the organization’s objectives.
This is indicated by managers’ language and important written materials in the company using the term “uncertainty” in connection with risks. This attribute is also normally reflected in the company’s statements of policy, particularly those relating to risk management. Normally, this attribute would be verified through interviews with managers and through the evidence of their actions and statements.
Developing an Enterprise-wide Risk Management Framework
The Standard ISO 19011:2011 outlines an approach to developing a framework that will assist companies to integrate risk management into their enterprise-wide risk management systems. Companies are encouraged to consider the links between the foundations of their risk management framework and their business objectives. A company’s risk management framework needs to include its policy objectives and its commitment to risk management alongside its legislative responsibility. The risk management framework should be embedded within the agency’s overall strategic and operational policies and practices, and take into consideration internal and external relationships, accountabilities, resources, processes and activities.
Strategic objectives
Senior Executives within a company should be responsible for providing the strategic direction of the company. This approach, while usually long term, describes the vision for the management of risk and what overarching outcomes will be achieved.
Operational objectives
The middle managers of a company would be responsible for aligning the strategic objectives with the company’s operations in order to achieve outcomes. The strategic plans developed at this level outline what each business unit must do to achieve their outcomes.
Line objectives
Similarly, line managers would be responsible for developing strategic plans that are more specific to achieving outcomes and are short term in nature. These plans prescribe in detail how the processes or activities of the agency’s outcomes will be actioned and completed.
Standard Approach
In order to make risk management more effective in IT organization, AIT Should follow these:
Implement a framework for risk assessment and mapping.
Outline the responsibilities of risk managers with their respective domains
Identify and define the risks to which the business is exposed and how to map incidents.
Determine the threat level and focus on the risk that have the greatest potential to affect enterprise performance.
Establish levels of controls for processes commensurate with the perceived threat.
Record and retain risk incident and near-miss information.
Conduct periodic risk assessments to determine changes in th company’s risk profile and assess performance.
Checklist for specific compliance requirements as per Information Technology Act as amended in 2008 as applicable to AIT.
The IT Amendment Act 2008 is a comprehensive legislation that touches several aspects of the business of any organization which uses computers. Many sections of the Act are expected to directly or indirectly affect the compliance as well as IT security strategy. Attached is a questionnaire to ensure specific compliance requirements as per Information Technology Act as amended in 2008.
| Areas | Referen ce to ITACT 2008 | Assessment Questions | Yes/ No/ Not Sure/ NA | Observati on | Compl iant/ Non- Compl iant | Rema rks/ Action Points | |
|---|---|---|---|---|---|---|---|
| 1) | Definition of Body Corporate | Sec 43A | Is the organization a ‘body corporate’ as defined in the IT (Amendment) Act, 2008 (ITAA 2008)? | ||||
| Definition | Body Corporate – means any company and includes a firm, sole proprietorship, or other association of individuals engaged in commercial or professional activities | ||||||
| 2) | Organization’s Role | Clarificatio n Issued u/s 43A | Is the Organization aware of the privacy role it performs based on its functions, activities & business? | ||||
| Role Controller 1: Data | Provides services to its end customers (individuals – ‘providers of information’ under the ITAA 2008) under a direct relationship and determined the means and purpose of data collection and processing | ||||||
| Role 2: Data Processor | Provides services to its clients (organizations) under a lawful contract having indirect relationship with the end customers (providers of information) as per the instructions from data controller; e.g. business process outsourcing service providers | ||||||
| Role Controller 3: Data | Provides employment or other related services / benefits to its employees and / or enable employees to perform their duties | ||||||
| 3) | Sensitive Personal Data or Information (SPDI) | Sec 43A | Does the organization deal (collect, process, store, transfer, access) with following categories of “sensitive personal data or information” (SPDI) as defined under sec43A of the ITAA, 2008? Has it identified such functions, operations and activities that deal with SPDI? | ||||
| Definition of SPDI | Rule 3 (u/s | i. Password (Capable of providing information or access to SPDI listed below) | |||||
| 43A) | ii. financial information such as Bank account or credit card or debit card or other payment instrument details | ||||||
| iii. physical, physiological and mental health condition | |||||||
| iv. sexual orientation | |||||||
| v. medical records and history | |||||||
| vi. biometric information | |||||||
| vii. any of the detail relating to the above categories of SPDI or information received under above categories of SPDI by the organization for processing, stored or processed under lawful contract or otherwise | |||||||
| Exceptions | Any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information | ||||||
| 4) | Privacy Policy | Rule 4 | Does the organization have a privacy policy? | ||||
| Requirements | a) Is it published on the website of the organization? | ||||||
| b) Is the policy easily accessible? | |||||||
| c) Is the policy simple & easy to understand | |||||||
| d) Does it provide links to organization’s practices and policies | |||||||
| e) Does it state? i. Type of SPDI being collected (refer question no. 3) | |||||||
| ii. Reason for collecting such information | |||||||
| iii. The intended usage of the provided information | |||||||
| iv. Disclosure policy and practices of the organization (refer question number 11) | |||||||
| v. Reasonable security practices and procedures adopted by the organization for securing SPDI | |||||||
| For organizations that act as data processors [refer Q 2 above], questions 5 to 11 (Rules 5 & 6 of Sections 43A in ITAA, 2008) are not applicable | |||||||
| 5) | Collection Limitation | Rule 5 2(a) | Does the organization follow any due diligence to ensure SPDI is collected for a lawful purpose which is associated with the function or activity of the organization? | ||||
| Due Diligence | Rule 5 2(b) | Does the organization follow any due diligence to ensure SPDI which is necessary for the above purpose is only collected? | |||||
| Informing the Providers of Information | Rule 5(3) | When directly collecting SPDI from the provider of information, does the organization take reasonable steps to ensure that the provider of information is having knowledge about: | |||||
| i. the fact that the SPDI is being collected | |||||||
| ii. the purpose for which SPDI is collected | |||||||
| iii. the intended recipients of SPDI | |||||||
| iv. the name & address of the agency which is collecting the SPDI | |||||||
| v. the agency tha will retain the SPDI | |||||||
| 6) | Consent | Rule 5(1) and | Does the organization take written consent from the provider of information regarding purpose of usage before collecting their SPDI? | ||||
| Modes for Obtaining Consent | Clarificatio n Issued u/s 43A | a. Letter | |||||
| b. Fax | |||||||
| c. Email | |||||||
| d. Click in an online environment | |||||||
| e. Instant messaging | |||||||
| f. IVR | |||||||
| g. Any other mode of electronic communication | |||||||
| Choice | Rule 5(7) | Does the organization provide an option to the provider of information to decline providing data or information sought to be collected for availing service? | |||||
| Consent Withdrawal | Does the organization provide option to the provider of information to withdraw his / her consent given earlier? | ||||||
| 7) | Purpose Limitation | Rule 5(5) | Does the organization perform any due diligence to ensure that the usage of SPDI is consistent with the purpose for which has been collected? | ||||
| 8) | Access & Correction | Rule 5(6) | Does the organization allow providers of information, as & when requested by them, the facility to review the SPDI they have provided? | ||||
| Mechanisms | Does the organization have mechanisms in place that allow providers of information to modify / update / correct their SPDI, if found to be outdated and / or incorrect? | ||||||
| 9) | Information Retention | Rule 5(4) | Does the organization ensure that the SPDI is not retained for a period longer than required for its lawful use or is otherwise required by any other law for the time being in force? | ||||
| 10) | Grievance Officer | Rule 5(9) | Has the organization designated a grievance officer to address any discrepancies & grievances raised by the providers of information? | ||||
| Publication on website | Has the organization published the name and contact details of the grievance officer on its website? | ||||||
| Resolution | Is the grievance officer mandated to redress the grievances of the providers of information within one month (maximum) from the date of the receipt of grievance? | ||||||
| 11) | Disclosure of Information | Rule 6(1) | Does the contract signed between the organization and providers of information mention the disclosure of SPDI to third parties? | ||||
| Prior Permission | If not, does the organization take prior permission of the providers of information before disclosing their SPDI to third parties or publishing it? | ||||||
| Exceptions | Are there any legal obligations under which the organization needs to disclose the SPDI without informing or taking permission of the providers of information? | ||||||
| Publishing in Public Domain | Rule 6(3) | Does the organization take due diligence to ensure that the SPDI is not published intentionally or unintentionally in public domain, i.e., made available to unauthorized persons or public? | |||||
| Controls | Rule 6(4) | Has the organization put in place the mechanisms / controls to ensure that the third party with which SPDI is shared does not disclose it further? | |||||
| 12) | Transfer of Information | Rule 7 | Does the organization follow due diligence to ensure that the same level of data protection (please refer Question 13) is adhered to by third parties (which may be located in India or abroad) to whom the organization transfers SPDI for performance of a lawful contract between the organization and | ||||
| providers of information or where the providers of information have given their consent for such transfers? | |||||||
| 13) | Security Practices | Sec 43A | Has the organization implemented ‘Reasonable Security Practices’ for protecting SPDI? | ||||
| a. Agreement through contractual instruments | Does the contract signed between organization & provider of information or between organization & third party contains provisions that specify security practices and procedures designed to protect SPDI from unauthorized access, damage, use, modification, disclosure or impairment? | ||||||
| Does the contract include: i. Comprehensive documented information security policies & programs | |||||||
| ii. Managerial, technical, operational & physical security controls that are commensurate with the value of information assets being protected and the risk exposure | |||||||
| iii. Audit / assessment mechanisms for testing implementation of controls | |||||||
| b. In absence of any Contract | Rule 8(1), 8(2) & 8(3) | Has the organization implemented documented information security policies & programs that contain managerial, technical, operational & physical security controls that are commensurate with the value of information assets being protected and the risk exposure? Such security practices & procedures could be: a. IS/ISO/IEC 27001 b. Codes of best practices of an industry association (where the organization is a member) that are duly approved & notified by the central government | |||||
| Rule 8(4) | Do such security practices & procedures get | ||||||
| certified or audited by a government approved independent auditor, on a regular basis (at least once a year or as & when the organization undertakes significant up gradation of its processes & computer resources)? | |||||||
| c. Demonstration of Security Practices in case of security incident / data breach | Sec 43A | Does the organization maintain the requisite records, logs, trails, etc. for demonstrating compliance? | |||||
| Can the organization demonstrate that it has implemented security controls as per the documented security policies & programs? |
Risk Management Strategy / Policy
BACKGROUND
‘Risk’ in literal terms can be defined as the effect of uncertainty on the objectives. Risk is measured in terms of consequences and likelihood. Risks can be internal and external and are inherent in all administrative and business activities. Every member of any organisation continuously manages various types of risks. Formal and systematic approaches to managing risks have evolved and they are now regarded as good management practice also called as Risk Management.
‘Risk Management’ is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of uncertain events or to maximize the realisation of opportunities. Risk management also provides a system for the setting of priorities when there are competing demands on limited resources.
Effective risk management requires:
- A strategic focus,
- Forward thinking and active approaches to management
- Balance between the cost of managing risk and the anticipated benefits, and
- Contingency planning in the event that critical threats are realised.
In today’s challenging and competitive environment, strategies for mitigating inherent risks in accomplishing the growth plans of the Company are imperative. The common risks inter alia are: Regulations, competition, Business risk, Technology obsolescence, return on investments, business cycle, increase in price and costs, limited resources, retention of talent, etc.
LEGAL FRAMEWORK
Risk Management is a key aspect of Corporate Governance Principles and Code of Conduct which aims to improvise the governance practices across the business activities of any organisation. The new Companies Act, 2013 and the Clause 49 of the Equity Listing Agreement have also incorporated various provisions in relation to Risk Management policy, procedure and practices.
The provisions of Section 134(3)(n) of the Companies Act, 2013 necessitate that the Board’s Report should contain a statement indicating development and implementation of a risk management policy for the Company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the Company.
Further, the provisions of Section 177(4)(vii) of the Companies Act, 2013 require that every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall inter alia include evaluation of risk management systems.
In line with the above requirements, it is therefore, required for the Company to frame and adopt a “Risk Management Policy” (this Policy) of the Company.
PURPOSE AND SCOPE OF THE POLICY
The main objective of this Policy is to ensure sustainable business growth with stability and to promote a pro-active approach in reporting, evaluating and resolving risks associated with the Company’s business. In order to achieve the key objective, this Policy establishes a structured and disciplined approach to Risk Management, in order to guide decisions on risk related issues.
The specific objectives of this Policy are:
- To ensure that all the current and future material risk exposures of the Company are identified, assessed, quantified, appropriately mitigated, minimized and managed i.e. to ensure adequate systems for risk management.
- To establish a framework for the company’s risk management process and to ensure its implementation.
- To enable compliance with appropriate regulations, wherever applicable, through the adoption of best practices.
- To assure business growth with financial stability.
APPLICABILITY
This Policy applies to all areas of the Company’s operations.
KEY DEFINITIONS
Risk Assessment – The systematic process of identifying and analysing risks. Risk Assessment consists of a detailed study of threats and vulnerability and resultant exposure to various risks
Risk Management – The systematic way of protecting business resources and income against losses so that the objectives of the Company can be achieved without unnecessary interruption.
Risk Management Process – The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.
RISK FACTORS
The objectives of the Company are subject to both external and internal risks that are enumerated below:-
External Risk Factors
Economic Environment and Market conditions
Political Environment
Competition
Revenue Concentration and liquidity aspects
Each business area of products such as pumps, turbines, motors, generators, switchgears and turnkey projects has specific aspects on profitability and liquidity. The risks are therefore associated on each business segment contributing to total revenue, profitability and liquidity. Since the projects have inherent longer time-frame and milestone payment requirements, they carry higher risks for profitability and liquidity.
Inflation and Cost structure-
Inflation is inherent in any business and thereby there is a tendency of costs going higher. Further, the project business, due to its inherent longer timeframe, as much higher risks for inflation and resultant increase in costs.
Technology Obsolescence
The Company strongly believes that technological obsolescence is a practical reality. Technological obsolescence is evaluated on a continual basis and the necessary investments are made to bring in the best of the prevailing technology.
Legal
Legal risk is the risk in which the Company is exposed to legal action. As the Company is governed by various laws and the Company has to do its business within four walls of law, the Company is exposed to legal risk.
Fluctuations in Foreign Exchange
The Company has limited currency exposure in case of sales, purchases and other expenses. It has natural hedge to some extent. However, beyond the natural hedge, the risk can be measured through the net open position i.e. the difference between un-hedged outstanding receipt and payments. The risk can be controlled by a mechanism of “Stop Loss” which means the Company goes for hedging (forward booking) on open position when actual exchange rate reaches a particular level as compared to transacted rate.
Internal Risk Factors
Project Execution
Contractual Compliance
Operational Efficiency
Hurdles in optimum use of resources
Quality Assurance
Environmental Management
Human Resource Management
Culture and values
RESPONSIBILITY FOR RISK MANAGEMENT
Generally every staff member of the Organisation is responsible for the effective management of risk including the identification of potential risks. Management is responsible
for the development of risk mitigation plans and the implementation of risk reduction strategies. Risk management processes should be integrated with other planning processes and management activities.
COMPLIANCE AND CONTROL
All the Senior Executives under the guidance of the Chairman and Board of Directors has the responsibility for over viewing management’s processes and results in identifying, assessing and monitoring risk associated with Organization’s business operations and the implementation and maintenance of policies and control procedures to give adequate protection against key risk. In doing so, the Senior Executive considers and assesses the appropriateness and effectiveness of management information and other systems of internal control, encompassing review of any external agency in this regards and action taken or proposed resulting from those reports.
REVIEW
This Policy shall be reviewed at least every year to ensure it meets the requirements of legislation and the needs of organization.
AMENDMENT
This Policy can be modified at any time by the Board of Directors of the Company.
SUMMARY
As IT is a key enabler of organisation process, it is critical to implement GEIT as an integral part of governance. Also, regulatory requirement mandate the implementation of governance, enterprise risk management and internal control, for that it is very important to use right type of GEIT framework, like COBIT 5, a globally accepted GEIT framework. By taking an integrated GRC process approach and deploying a single system to manage the multiple governance, risk and compliance initiatives across the organization, the issues can be easily addressed. Such an approach can:
Have a dramatic positive impact on organizational effectiveness by providing a clear, unambiguous process and a single point of reference for the organization.
Eliminate all redundant work in various initiatives
Eliminate duplicative software, hardware, training and rollout costs as multiple governance, risk and compliance initiatives can be managed with one software solution
Provide a “single version of the truth” available to employees, management, auditors and regulatory bodies
Checklist for specific compliance requirements as per Information Technology Act as amended in 2008 as applicable to AIT.
The IT Amendment Act 2008 is a comprehensive legislation that touches several aspects of the business of any organization which uses computers. Many sections of the Act are expected to directly or indirectly affect the compliance as well as IT security strategy. Attached is a questionnaire to ensure specific compliance requirements as per Information Technology Act as amended in 2008.