Implementing GRC.
A. DETAILS OF PROJECT
   1. Introduction
   2. Background
B. PROJECT REPORT (SOLUTION)
   1. Introduction
   2. Auditee Environment
   3. Background
   4. Situation
   5. Terms and Scope of Assignment
   6. References
   7. Deliverables
   8. Summary/Conclusion
A. DETAILS OF PROJECT
(TITLE: IMPLEMENTING GRC AS PER CLAUSE 49 LISTING REQUIREMENTS)
Governance, Risk and Compliance (GRC) has been at the forefront of the corporate world because of
the increasing emphasis on implementing it to meet the regulatory requirements of corporate
governance. The specific provisions of Clause 49 of the listing agreement that set out the
regulatory requirements for implementing GRC in enterprises are:
Risk Management
CEO/CFO Certification
Internal Control
Auditor Certification
1. Introduction
Agile IT Solutions (AIT) Ltd has recently gone public and is listed on the national stock
exchange in India. AIT has traditionally been a family-owned business, with the major
shareholders and the senior management of the company belonging to a well-renowned
business family. The management has decided to professionalize the company by appointing
professionals to all key posts and by implementing documented procedures and policies to meet
the regulatory and compliance requirements applicable to the company. AIT
manufactures a well-known brand of UPS which enjoys a good reputation in the market and
has customers across all industry verticals. It has its head office at Chennai and its factory at
Pondicherry. It has regional offices in all metro cities and branch offices in 10 cities across
India. It uses an integrated software solution with all offices and the factory networked
together. It has more than 500 employees across its offices in India. It has a combination of
an in-house IT department and outsourced vendors. It is critically dependent on IT for all key
operations. The company is enjoying increasing growth in terms of turnover and market
share.
2. Background
There have been recent failures of IT for long periods of time, which have impacted production
and delivery of products and services to customers. The management is concerned about the
risk management strategy adopted and its impact on compliance. It would like to make the
transition from a family-managed company to a professionally run company with documented
policies and procedures.
B. PROJECT REPORT (SOLUTION)
1. Introduction
Agile IT Solutions (AIT), a traditional family-owned business, manufactures a well-known brand
of UPS which enjoys a good reputation in the market and has customers across all industry
verticals. Its head office is situated at Chennai and its factory at Pondicherry, with regional offices
in all metro cities and branch offices in 10 cities across India. The company uses an integrated
software solution with all offices and the factory networked together. Currently the governance
and management of the business is held within the family, and it wants to make the transition
from a family-managed company to a company run by professionals with documented
standard operating procedures (SOPs).
It has recently gone public and is listed on the national stock exchange in India. Listing on
a stock exchange brings about a radical change in the entire organization. Through its
stringent requirements, the listing ensures discipline in various dimensions of the company,
including business, management, public relations, reporting, and information technology.
The company is critically dependent on IT for all key operations, and any disruption
would impact the key activities of the company.
Since the company wishes to make the transition from a family-managed company to a
professionally run company, the transition has to be evidenced by documented policies and
procedures. The listing agreement and the Information Technology Act, as amended in 2008,
along with a plethora of other regulatory requirements, play a key role in the governance and risk
management of the company and also lay down a long list of compliance requirements to be met
in the course of its operations.
2. Auditee Environment
The Company has approached us, M/s ANGEL CONSULTANT, a leader in cloud-based cyber
security solutions that help organizations of all sizes to reduce the risk of cyber breaches and
demonstrate compliance. Final Assessment's Final CSO is a revolutionary solution that
dramatically streamlines the management of IT governance, risk and compliance (GRC)
programs. It accomplishes this by tightly integrating and automating all eight critical IT GRC
components: Risk Management, Compliance Management, Audit Management, Vendor
Management, Incident Response Management, Vulnerability Management, Policy
Management and Training Management. Most importantly, it provides the built-in security and
compliance expertise that most organizations lack. Because of its unique architecture and
cloud delivery, Final CSO deploys rapidly and reduces the cost of GRC management by as
much as 80%. With market experience that spans over 300 customers, Final Assessment
offers the insight, products, professional services and partners to support the security and
risk management efforts of organizations of all sizes across all industries. Founded in 2014,
the company has executive offices in Patna, Bangalore, Hyderabad, Kolkata and New Delhi.
For more information, call (0612) 12345678 or visit www.angelconsultants.com.
3. Background
Agile IT Solutions (AIT) Ltd has recently gone public and is listed on the national stock
exchange in India, due to which the company needs to comply with the mandatory audit
requirements specified in Clause 49 of the listing agreement, which mandates a certain
level of Governance, Risk Management and Compliance.
The entity is critically dependent on IT for all key operations; accordingly, it needs to meet
the compliance requirements of the Information Technology Act as amended
in 2008.
The Company, hitherto run by a family, now wants to convert itself into a
professionally run company with documented policies and procedures, which requires a
systematic approach such as the COSO or COBIT 5 framework.
There have been recent failures of IT for long periods of time which have impacted
production and delivery of products and services to customers; accordingly, the
management is concerned about the risk management strategy adopted and its impact
on compliance.
The growing size and scale of the company requires a programme to identify the assets,
threats and controls, and then to mitigate and manage risk with the right controls.
4. Situation
The newly appointed CIO and head of IT has approached us, as IS assurance professionals,
to provide a comprehensive list of the regulatory and compliance requirements which are to be
met by the company under the various IT and regulatory requirements, and specifically for
implementing GRC as part of the corporate governance requirements.
Review the adequacy of the internal control systems and confirm their appropriateness. In case
of control weaknesses, provide appropriate recommendations for remediation.
Review the functioning of the internal audit function, its reporting structure, and the coverage and
frequency of internal audit, and identify areas requiring improvement.
Review the financial and risk management policies against corporate governance
requirements and provide recommendations for improvement.
Review the compliance requirements under the Information Technology Act as amended in
2008.
Review whether the current risk management strategy is adequate considering the
enterprise's current and future business plans, business processes, technology
deployed, organization structure and regulatory requirements.
6. References
7. Deliverables
Internal Control
Internal audits are an important part of all management systems. They demonstrate
whether your routines and procedures are effective. Effective audits make you aware
of potential problems and risks at an early stage, before they lead to deviations,
complaints, incidents and other undesirable situations.
The following are the principles for ensuring a proper internal audit system in
the company:
A truly good auditor must have the right personal qualities. He or she
In short, the auditor should be a person who knows everything and then some! For
the position of internal auditor, the company should look for people who, because of
their personal qualities, are also in demand for many other tasks. An organisation can
even make efforts to breed a good auditor within the company.
Checklist:
2. Auditing is a competency
In addition to having the right qualities and skills, the good auditor also needs to have
the appropriate knowledge and experience. The auditor must (just like the holder of any other
position within an organisation) be professional, based on education, training, work
experience and auditing experience.
The ISO 19011 guidelines for auditing management systems list some of the
knowledge and experience needed:
An audit must focus on the business risks and relevant issues from the beginning.
Internal and external audits require time and resources. It's not just the auditor's
time, but also - and this is sometimes forgotten - the time the respondents spend on
the audit. Additionally, management spends time going through the reports and looking for
causes, actions and how to follow these up. The time is well spent only if the report
focuses on the most important areas for your business.
According to the ISO 19011 guideline, the objectives of internal audits can very well
be based on
Checklist:
Is management actively involved in determining the scope and areas of interest for the
auditors?
Has the management gone above and beyond the level where it is only about meeting the
requirements of the standard?
Is there a direct link between the auditors' results and what management is working
on?
If the result is such that management should pay attention, is it formulated in such a
way that management will act on it of its own accord?
Companies often invest time and energy in their auditors on a single occasion only,
namely when they are appointed. As long as the auditors present their reports in accordance with
the plan, they hear nothing more from the management. Auditing is a competency.
Competencies need to be nurtured and developed. Competencies that you do not invest
in stagnate and become obsolete.
Checklist:
Are regular training sessions arranged for the auditors – to provide in-depth and
broadened knowledge, training on changes in legislation and standards, personal
development?
Is the management regularly evaluating the quality of auditors and audits? Is tutoring
and regular personal feedback built into the audit process?
Is the management keeping the auditors' competence profile up to date?
Is there enough space for personal development and growth, within the auditor role?
5. Renew periodically
Marketers know this: sometimes they have to renew the product for it to remain
attractive. Sometimes new packaging is all it takes, and sometimes you need a
revolutionary product innovation. One thing is certain: a product that stays the same
year after year will become less attractive.
Preparing an annual programme of work, often described as the internal audit plan,
has always been a challenge. Demand for assurance and consulting services usually
exceeds available budgets or resources. This means choices have to be made that will
determine the impact internal audit has upon the organization and the way people
perceive the value of internal audit. The following factors need to be considered before
deciding the coverage of the internal audit plan:
Management systems such as ISO 9001, ISO 14001 and OHSAS 18001 require that
internal audits are scheduled at planned intervals; they do not establish a specific
frequency, nor do they require that every process has a yearly internal audit.
Organizations need to establish a frequency that is right for them. They decide whether the
audits will be performed monthly, quarterly, twice a year or once a year. However,
there are some criteria that should be considered before defining a frequency that
fits an organization's context and needs. These are:
Risk management is about managing threats and opportunities. ISO 31000:2009 describes
risk as the 'effect of uncertainty on objectives'. When the management of risks or opportunities is
effective, it often remains unnoticed. When it fails, the consequences for clients and staff may
be significant and politically high profile. Good risk management practice ensures that
the company can undertake activities with the knowledge that measures are in place to
maximize the benefits and minimize the negative effect of uncertainties on organizational
objectives.
An organization’s ability to manage risk effectively depends on its intentions and its capacity
to achieve those intentions. This intent and capacity is referred to as its risk management
framework and is part of its system of governance and management. The quality of the
framework is important because effective risk management requires:
The risk management framework should not attempt to replace the natural capability of
people to manage risk; rather it should enhance good practices so that the process is
reliable, comprehensive and consistent. For this to occur and for the required capability to
be achieved, the organization requires
The typical elements of a framework, and an illustration of how this supports the integration
of the risk management process, are shown in the figure below.
For risk management to be effective, the company should at all levels comply with the
principles below.
Risk management is not a stand-alone activity that is separate from the main activities and
processes of the company. Risk management is part of the responsibilities of management
and an integral part of all organization processes, including strategic planning and all project
and change management processes.
Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and
how it can be addressed.
The inputs to the process of managing risk are based on information sources such as historical
data, experience, stakeholder feedback, observation, forecasts and expert judgement.
However, decision makers should inform themselves of, and should take into account, any
limitations of the data or modelling used or the possibility of divergence among experts.
(Source: IS/ISO 31000:2009)
Risk management is aligned with the company's external and internal context and risk profile.
Risk management recognizes the capabilities, perceptions and intentions of external and
internal people that can facilitate or hinder achievement of the company's objectives.
Appropriate and timely involvement of stakeholders and, in particular, decision makers at all
levels of the company, ensures that risk management remains relevant and up-to-date.
Involvement also allows stakeholders to be properly represented and to have their views
taken into account in determining risk criteria.
Risk management continually senses and responds to change. As external and internal events
occur, context and knowledge change, monitoring and review of risks take place, new risks
emerge, some change, and others disappear.
The company should develop and implement strategies to improve its risk management
maturity alongside all other aspects of the company.
Attributes of enhanced risk management
The company should aim at the appropriate level of performance of its risk management
framework in line with the criticality of the decisions that are to be made. The list of attributes
below represents a high level of performance in managing risk.
Continual improvement
This can be indicated by the existence of explicit performance goals against which the
organization's and individual manager's performance is measured. The company's
performance can be published and communicated. Normally, there should be at least an
annual review of performance and then a revision of processes, and the setting of revised
performance objectives for the following period.
This risk management performance assessment is an integral part of the overall organization's
performance assessment and measurement system for departments and individuals.
Enhanced risk management must include comprehensive, fully defined and fully accepted
accountability for risks, controls and risk treatment tasks. Designated individuals should fully
accept accountability, must be appropriately skilled and have adequate resources to check
controls, monitor risks, improve controls and communicate effectively about risks and their
management to external and internal stakeholders.
This can be indicated by all members of an organization being fully aware of the risks, controls
and tasks for which they are accountable. Normally, this will have to be recorded in
job/position descriptions, databases or information systems. The definition of risk
management roles, accountabilities and responsibilities should be part of all the organization's
induction programmes.
The company should ensure that those who are accountable are equipped to fulfil that role by
providing them with the authority, time, training, resources and skills sufficient to assume
their accountabilities.
All decision making within the Company, whatever the level of importance and significance,
involves the explicit consideration of risks and the application of risk management to some
appropriate degree.
This can be indicated by records of meetings and decisions to show that explicit discussions
on risks took place. In addition, it should be possible to see that all components of risk
management are represented within key processes for decision making in the organization,
e.g. for decisions on the allocation of capital, on major projects and on re-structuring and
organizational changes. For these reasons, soundly based risk management is seen within the
company as providing the basis for effective governance.
Continual communications
Enhanced risk management includes continual communications with external and internal
stakeholders, including comprehensive and frequent reporting of risk management
performance, as part of good governance.
Risk management is viewed as central to the company's management processes, such that
risks are considered in terms of effect of uncertainty on objectives. The governance structure
and process are based on the management of risk. Effective risk management is regarded by
managers as essential for the achievement of the organization's objectives.
This is indicated by managers' language and important written materials in the company using
the term “uncertainty” in connection with risks. This attribute is also normally reflected in the
company's statements of policy, particularly those relating to risk management. Normally,
this attribute would be verified through interviews with managers and through the evidence
of their actions and statements.
The Standard ISO 19011:2011 outlines an approach to developing a framework that will assist
companies to integrate risk management into their enterprise-wide risk management
systems. Companies are encouraged to consider the links between the foundations of their
risk management framework and their business objectives. A company's risk management
framework needs to include its policy objectives and its commitment to risk management
alongside its legislative responsibilities. The risk management framework should be embedded
within the company's overall strategic and operational policies and practices, and take into
consideration internal and external relationships, accountabilities, resources, processes and
activities.
Strategic objectives
Senior Executives within a company should be responsible for providing the strategic direction
of the company. This approach, while usually long term, describes the vision for the
management of risk and what overarching outcomes will be achieved.
Operational objectives
The middle managers of a company would be responsible for aligning the strategic objectives
with the company’s operations in order to achieve outcomes. The strategic plans developed
at this level outline what each business unit must do to achieve their outcomes.
Line objectives
Similarly, line managers would be responsible for developing plans that are more
specific to achieving outcomes and are short term in nature. These plans prescribe in detail
how the processes or activities that deliver the company's outcomes will be actioned and completed.
Standard Approach
In order to make risk management more effective in an IT organization, AIT should follow
these:
The IT Amendment Act 2008 is comprehensive legislation that touches several aspects of
the business of any organization which uses computers. Many sections of the Act are expected
to directly or indirectly affect compliance as well as IT security strategy. Attached is a
questionnaire to verify the specific compliance requirements under the Information Technology Act
as amended in 2008.
| Areas | Reference to IT Act 2008 | Assessment Questions | Yes / No / Not Sure / NA | Observation | Compliant / Non-Compliant | Remarks / Action Points |
|---|---|---|---|---|---|---|
| 1) Definition of Body Corporate | Sec 43A | Is the organization a 'body corporate' as defined in the IT (Amendment) Act, 2008 (ITAA 2008)? | | | | |
| Definition | | Body Corporate – means any company and includes a firm, sole proprietorship, or other association of individuals engaged in commercial or professional activities | | | | |
| 2) Organization's Role | Clarification issued u/s 43A | Is the Organization aware of the privacy role it performs based on its functions, activities & business? | | | | |
| Role 1: Data Controller | | Provides services to its end customers (individuals – 'providers of information' under the ITAA 2008) under a direct relationship and determines the means and purpose of data collection and processing | | | | |
| Role 2: Data Processor | | Provides services to its clients (organizations) under a lawful contract, having an indirect relationship with the end customers (providers of information), as per the instructions from the data controller; e.g. business process outsourcing service providers | | | | |
| Role 3: Data Controller | | Provides employment or other related services / benefits to its employees and / or enables employees to perform their duties | | | | |
| 3) Sensitive Personal Data or Information (SPDI) | Sec 43A | Does the organization deal (collect, process, store, transfer, access) with the following categories of "sensitive personal data or information" (SPDI) as defined under sec 43A of the ITAA, 2008? Has it identified such functions, operations and activities that deal with SPDI? | | | | |
| Definition of SPDI | Rule 3 (u/s 43A) | i. Password (capable of providing information or access to the SPDI listed below); ii. financial information such as bank account or credit card or debit card or other payment instrument details; iii. physical, physiological and mental health condition; iv. sexual orientation | | | | |
| 6) Consent | Rule 5(1) | Does the organization take written consent from the provider of information regarding the purpose of usage before collecting their SPDI? | | | | |
| Modes for Obtaining Consent | Clarification issued u/s 43A | a. Letter; b. Fax; c. Email; e. Instant messaging; f. IVR | | | | |
1. BACKGROUND
'Risk' in literal terms can be defined as the effect of uncertainty on objectives. Risk is
measured in terms of consequences and likelihood. Risks can be internal or external and
are inherent in all administrative and business activities. Every member of any organisation
continuously manages various types of risk. Formal and systematic approaches to managing
risk have evolved and are now regarded as good management practice, also called
Risk Management.
A strategic focus,
Forward thinking and active approaches to management
Balance between the cost of managing risk and the anticipated benefits, and
Contingency planning in the event that critical threats are realised.
In today's challenging and competitive environment, strategies for mitigating the inherent risks
in accomplishing the growth plans of the Company are imperative. The common risks include,
inter alia: regulations, competition, business risk, technology obsolescence, return on
investment, the business cycle, increases in prices and costs, limited resources, retention of talent,
etc.
2. LEGAL FRAMEWORK
Risk Management is a key aspect of the Corporate Governance Principles and Code of Conduct,
which aim to improve the governance practices across the business activities of any
organisation. The new Companies Act, 2013 and Clause 49 of the Equity Listing Agreement
have also incorporated various provisions in relation to Risk Management policy, procedure
and practices.
The provisions of Section 134(3)(n) of the Companies Act, 2013 necessitate that the Board’s
Report should contain a statement indicating development and implementation of a risk
management policy for the Company including identification therein of elements of risk, if
any, which in the opinion of the Board may threaten the existence of the Company.
Further, the provisions of Section 177(4)(vii) of the Companies Act, 2013 require that every
Audit Committee shall act in accordance with the terms of reference specified in writing by
the Board which shall inter alia include evaluation of risk management systems.
In line with the above requirements, the Company is therefore required to frame and
adopt a "Risk Management Policy" (this Policy) of the Company.
3. PURPOSE AND SCOPE OF THE POLICY
The main objective of this Policy is to ensure sustainable business growth with stability and
to promote a pro-active approach in reporting, evaluating and resolving risks associated with
the Company’s business. In order to achieve the key objective, this Policy establishes a
structured and disciplined approach to Risk Management, in order to guide decisions on risk
related issues.
To ensure that all the current and future material risk exposures of the Company are
identified, assessed, quantified, appropriately mitigated, minimized and managed, i.e.
to ensure adequate systems for risk management.
To establish a framework for the company’s risk management process and to ensure
its implementation.
To enable compliance with appropriate regulations, wherever applicable, through the
adoption of best practices.
To assure business growth with financial stability.
4. APPLICABILITY
5. KEY DEFINITIONS
A. Risk Assessment – The systematic process of identifying and analysing risks. Risk
Assessment consists of a detailed study of threats and vulnerability and resultant exposure
to various risks
B. Risk Management – The systematic way of protecting business resources and income
against losses so that the objectives of the Company can be achieved without unnecessary
interruption.
6. RISK FACTORS
The objectives of the Company are subject to both external and internal risks, which are
enumerated below:
Political Environment
Competition
Each business area of products, such as pumps, turbines, motors, generators, switchgears and
turnkey projects, has specific aspects of profitability and liquidity. The risks are therefore
associated with each business segment contributing to total revenue, profitability and liquidity.
Since projects have an inherently longer time frame and milestone payment requirements,
they carry higher risks for profitability and liquidity.
Inflation is inherent in any business, and so there is a tendency for costs to rise.
Further, the project business, due to its inherently longer time frame, has much higher risks from
inflation and the resultant increase in costs.
Technology Obsolescence –
Legal –
Legal risk is the risk of the Company being exposed to legal action. As the Company is
governed by various laws and has to conduct its business within the four walls of the law,
the Company is exposed to legal risk.
9. REVIEW
This Policy shall be reviewed at least every year to ensure it meets the requirements of
legislation and the needs of the organization.
10. AMENDMENT
This Policy can be modified at any time by the Board of Directors of the Company.
SUMMARY