Table of Contents

Details of Case Study/Project (Problem)

1. Introduction
2. Background

Project Report (Solution)

1. Introduction
2. Auditee Environment
3. Background
4. Situation
5. Terms and Scope of assignment
6. References
7. Deliverables
8. Summary/Conclusion
 DETAILS OF PROJECT
(TITLE: IMPLEMENTING GRC AS PER CLAUSE 49 LISTING REQUIREMENTS )

Governance, Risk and Compliance (GRC) has been at the fore-front of corporate world due to
the increasing emphasis on implementing this to meet regulatory requirements of Corporate
Governance. Specific provisions highlighting the regulatory requirements for implementing
GRC in enterprises as per Clause 49 listing requirements are:

 Risk Management
 CEO/CFO Certification
 Internal Control
 Auditor Certification

Although a GRC program (project) can be implemented primarily from a compliance

perspective, it is advisable to consider business requirements also so as to optimize the
investments made in implementing relevant processes, control structures and systems. GRC
program Implementation requires:

 Defining clearly what GRC requirements are applicable

 Identifying the regulatory and compliance landscape
 Reviewing the current GRC status
 Determining the most optimal approach
 Setting out key parameters on which success will be measured
 Using a process oriented approach
 Adapting global best practices as applicable
 Using uniform and structured approach which is auditable.

In today’s scenario compliance relating to statutory, contractual or any other requirement

has become one of the major risks for business. Compliance is getting more and more
demanding, because it’s one thing where senior management is responsible for any non-
conformity which depends on the response of their team. E&Y Business Risk Report 2010
listed “REGULATION & COMPLIANCE” as the biggest risk. Compliance has remained one of
the most prominent risk since 2008.The Clause 49 of the Listing Agreement of SEBI in India
and similar laws in other countries put responsibility on directors, CEOs and CFO’s for
adherence to statutory compliance.
A. DETAILS OF C ASE S TUDY/PROJECT (P ROBLEM )

1. Introduction

Agile IT Solutions (AIT) Ltd has recently gone public and is listed in the national stock
exchange in India. AIT has been traditionally a family owned business with the major
shareholders and the senior management of the company belonging to a well renowned
business family. The management has decided to professionalize the company by appointing
professionals to all key posts and implement documented procedures and policies to meet
regulatory and compliance requirements as required as applicable to the company. AIT
manufactures a well-known brand of UPS which enjoys a good reputation in the market and
has customers across all industry verticals. It has head office at Chennai and factory at
Pondicherry. It has regional offices in all metro cities and branch offices in 10 cities across
India. It is using an integrated software solution with all offices and factory networked
together. It has more than 500 employees across its offices in India. It has combination of
in-house IT department and outsourced vendors. It is critically dependent on IT for all key
operations. The company is enjoying increasing growth in terms of turnover and market-
share.

2. Background

There have been recent failures of IT for long periods of time which has impacted production
and delivery of products and services to customers. The management is concerned with the
risk management strategy adapted and the impact on compliance. It would like to make the
transition from a family managed company to a professional run company with documented
policies and procedures.
B. PROJECT R EPORT (SOLUTION )

1. Introduction

Agile IT Solutions (AIT), a traditional family owned business manufactures a well-known brand
of UPS which enjoys a good reputation in the market and has customers across all industry
verticals whose head office situated at Chennai and factory at Pondicherry with regional offices
in all metro cities and branch offices in 10 cities across India. The company uses an integrated
software solution with all offices and factory networked together. Currently the governance
and management part of the business is held within the family and it wants to make transition
from family managed company to a company run by professionals with documented
systematic operating procedures (SOP).

It has recently gone public and listed in the national stock exchange in India. The listing with
a stock exchange brings about a radical change in the entire organization. Through the
stringent requirements, the listing ensures discipline in various dimensions, including
business, management, public relations, reporting, and information technology, in the
company. The company is critically dependent on IT for all key operations and any disruption
would impact the key activities of the company.

Since the company likes to make the transition from a family managed company to a
professionally run company, the transition has to be evidenced with documented policies and
procedures. The listing agreement and the Information Technology Act, as amended in 2008
along with a plethora of other regulatory requirements play a key role in governance and risk
management of the company, also lay down a long list of compliance requirements to be met
in the due course of its operations.

2. Auditee Environment

The Company has approached us, M/s ANGEL CONSULTANT, a leader in cloud-based cyber
security solutions that help organizations of all sizes to reduce the risk of cyber breaches and
demonstrate compliance. Final Assessment`s Final CSO is a revolutionary solution that
dramatically streamlines the management of IT governance, risk and compliance (GRC)
programs. It accomplishes this by tightly integrating and automating all eight critical IT GRC
components: Risk Management, Compliance Management, Audit Management, Vendor
Management, Incident Response Management, Vulnerability Management, Policy
Management and Training Management. Most important, it provides built-in security and
compliance expertise that most organizations lack. Because of its unique architecture and
cloud delivery, Final CSO deploys rapidly and reduces the cost of GRC management by as
much as 80%. With market experience that spans over 300 customers, Final Assessment
offers the insight, products, professional services and partners to support the security and
risk management efforts of organizations of all sizes across all industries. Founded in 2014,
the company has executive offices in Patna, Bangalore, Hyderabad, Kolkata and New Delhi.
For more information, call (0612) 12345678 or visit www. angelconsultants.com.
3. Background

This assignment is being carried over due to the following reasons:

 Agile IT Solutions (AIT) Ltd has recently gone public and is listed in the national stock
exchange in India., due to which company needs to comply with mandatory audit
requirement as specified in Clause 49 of the listing agreement mandates certain
amount of Governance, Risk Management and Compliance
 Entity critically dependent on IT for all key operations, accordingly, it needs to comply
with certain compliances as required by The Information Technology Act as amended
in 2008.
 The Company hitherto being run by a family wants to now convert itself into a
professionally run company with documented policies and procedures, which requires
systematic approach such as COSO / COBIT 5 framework.
 There have been recent failures of IT for long periods of time which has impacted
production and delivery of products and services to customers accordingly the
management is concerned with the risk management strategy adapted and the impact
on compliances .
 The growing size and scale of the company requires a program to, Identify the assets,
threats and controls, and then mitigate and manage risk with the right controls.

4. Situation

The newly appointed CIO and head of IT has approached us as an IS Assurance professional
to provide a comprehensive list of regulatory and compliance requirements which are to be
met by the company as per various IT and regulatory requirements and specifically for
implementing GRC as part of the corporate governance requirements.

5. Terms and Scope of assignment

 Review adequacy of internal control systems and confirm its appropriateness. In case
of control weakness, provide appropriate recommendations for remediation.
 Review functioning of internal audit function, reporting structure coverage and
frequency of internal audit and identify areas requiring improvement.
 Review financial and risk management policies as per corporate governance
requirements and provides recommendations for improvement.
 Review compliance requirements as per Information Technology Act as amended in
2008.
 Review whether the current risk management strategy is adequate considering the
enterprise current and future business plans, business processes, technology
deployed, organization structure and regulatory requirements.
6. References

 SEBI Compliances ( SOX in the global scenario)

 Companies Act,2013
 IT Act 2000, as amended to IT Act 2008
 ISO 19011,31000:2009
 COBIT 5 Framework
 Risk Management Plan of Various Indian Companies

7. Deliverables

A. Recommendations on how to improve internal control systems and internal

audit system as relevant for AIT.

 Internal Control

According to COSO framework internal control is defined as “a process, effected by an

entity's board of directors, management and other personnel, applied in strategy
setting and across the enterprise, designed to identify potential events that may affect
the entity, and manage risks to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives”.
COSO is an Enterprise Risk Management-Integrated Framework which was first
published by the Committee of Sponsoring Organizations (COSO) established by Tread
way commission in 1992 to define the internal control framework for business
organizations, particularly listed companies where the stakeholders are common
people who invest in securities. The latest update of COSO is the COSO Framework
2013. COSO has developed the framework for internal controls focusing on designing
of controls based on risk assessment.
There are five integrated components of internal control:
 Control Environment,
 Risk Assessment,
 Control Activities,
 Information and Communication, and
 Monitoring Activities.

The Framework is adaptable to a given organization’s structure, allowing customization

to consider internal controls from an entity, divisional, operating unit, and/or functional
level, such as for a shared services Centre. The key role of management judgment in
designing, implementing, and maintaining internal control, as well as assessing its
effectiveness, is retained.
Adequacy of Internal control

To create an effective internal control system, an organization should establish the

following:

 Policies and procedures including, among others, organizational structure, job

descriptions, authorization matrix
 Segregation of duties and responsibilities
 Authorization and approval process
 Performance monitoring and control procedures
 Safeguarding assets, completeness and accuracy
 Manpower management
 Independent internal audit function
 Regulatory compliance and risk management

Appropriateness of Internal control

Controls over the business activities in an organization is said to be appropriate by

establishing the following:

 Adequacy & compliance of policy and procedures;

 Proper governance structure
 Monitoring the manpower management
 Proper periodical review of business activities;

Internal Control Weakness

The most common weaknesses we see in organizations are:

 Philosophy - understood but not written, open to misinterpretation

 Roles and responsibilities - responsibilities are not explicit throughout the
organisation
 Converting strategy to business objectives - strategic objectives do not directly
translate into business objectives
 Risk to delivering performance - some form of risk profiling, but often divorced
from the practical reality of doing business
 Performance appetite - lack of understanding of the organization’s appetite for
risk taking
 Summary of performance and risk effectiveness - Boards do not receive the
right information, either too little (under informed) or too much (information
overload)
 Behavior - disincentives exist which lead employees to behave in a
dysfunctional manner. Embedding risk management into the company
 Internal Audit

Internal audits are an important part of all management systems. They demonstrate
whether your routines and procedures are effective. Effective audits make you aware
of potential problems and risks at an early stage before they lead to deviations,
complaints, incidents and other undesirable situations.

The following are the principles in ensuring a proper Internal Audit System in
the company:

1. Choose the right auditor:

A truly good auditor must have the right personal qualities. He or she

 Is open to alternative ideas or opinions, but is still targeted and focused

 Is good at listening, observing and quickly pick up the essentials of all available
information
 Is able to be open and friendly, and to communicate with individuals at various
levels within the organisation and with different personalities
 Has an analytical orientation
 Is able to stay objective, without letting their personal opinions influence or
take control

In short, the auditor should be a person who knows everything and then some! For
the position of internal auditor, the company should look for people who, because of
their personal qualities, are also in demand of many other tasks. An organisation can
even make efforts to breed a good auditor in the company.

Checklist:

 Is management aware of the importance of choosing the right auditors?

 Are the internal audits organised in such a way that they attract the people we
want to use as internal auditors?

2. Auditing is a competency

In addition to having the right qualities and skills the good auditor also needs to have
the appropriate knowledge and experience. The auditor must (just like any other
position within an organisation) be professional based on education, training, work-
and auditing experience.

The ISO 19011 guidelines for auditing management systems lists some of the
knowledge and experience needed:

 Audit principles, procedures and techniques

 Relevant standards, laws, regulations and other requirements
 Management system set up, methods and techniques within auditing
 Business processes and associated terminology

Checklist to ensure auditing competency in the organisation:

  Has the company decided what skills are important to it?
 Has it defined mandatory internal and external training programs?
 Is there a program for advanced internal training of auditors?
 Is there a training program that is customised to individual needs?

3. Focus on the right issues

An audit must focus on the business risks and relevant issues from the beginning.
Internal and external audits require time and resources. It's not just about the auditor's
time, but also - and this is sometimes forgotten - the time the respondents spend on
the audit. Additionally, management spends time on going through the reports, look for
causes, actions and how to follow these up. The time is well spent only if the report
focuses on the most important areas for your business.

According to the ISO 19011 guideline, the objectives of internal audits can very well
be based on

 The board of directors' priorities

 Business ("commercial") objectives
 Statutory and contractual requirements
 Risks for the organisation

Checklist:

 Is management actively involved in determining the scope and area of interest for the
auditors?
 Has the management gone beyond and above the level where it's about meeting the
requirements of the standard?
 Is there a direct link between the auditors result and what management is working
with?
 If the result is such that management should pay attention, is it formulated in such a
way that management will act on its own?

4. Improve the quality

Company must often invest time and energy into the auditors on a single occasion,
namely when appointed. As long as the auditors present their reports in accordance with
the planning they hear nothing more from the management. Auditing is a competency.
Competencies need to be nurtured and developed. Competencies that you do not invest
in stagnate and become obsolete.

Checklist:

 Are regular training sessions arranged for the auditors – to provide in-depth and
broadened knowledge, training on changes in legislation and standards, personal
development?
 Is the management regularly evaluating the quality of auditors and audits? Is tutoring
and regular personal feedback built into the audit process?
 Is the management keeping the auditors' competence profile up to date?
 Is there enough space for personal development and growth, within the auditor role?

5. Renew periodically

Marketers know this: sometimes they have to renew the product for it to remain
attractive. Sometimes, a new packaging is all it takes, and sometimes you need a
revolutionary product innovation. One thing is certain; a product that stays the same
year after year will become less attractive.

Reporting Structure Coverage

Preparing an annual programme of work, often described as the internal audit plan,
has always been a challenge. Demand for assurance and consulting services usually
exceeds available budgets or resources. This means choices have to be made that will
determine the impact internal audit has upon the organization and the way people
perceive the value of internal audit. The following factors need to be considered before
deciding the coverage of the internal audit plan:

 Create a framework to enable an overall opinion.

 Prepare an internal audit strategy
 Review maturity level of risk assessment
 Review the things that matter high priority objectives and risks.

Frequency of Internal Audit

Management systems such as ISO 9001, ISO 14001 and OHSAS 18001, require that
internal audits are scheduled at planned intervals; they do not established a specific
frequency nor do they establish that all processes need to have a yearly internal audit.
Organizations need to establish a frequency that is right for them. They decide if the
audits will be performed monthly, quarterly, twice a year or once a year. However,
there are some criteria that should be considered before defining a frequency that
adjusts to an organization’s context and needs. These are:

 Crucial or high risk processes should be audited on a more frequent basis,

perhaps quarterly or twice a year.
 Low risk processes can be audited just once a year or every other year.
 Well established processes that run efficiently can be audited once a year or
every other year.
 New developed processes should be audited quarterly until they are stable.
  Processes that have a history of frequent deficiencies or non-conformities, can
be audited quarterly or twice a year.
 Processes with troubles achieving targets and objectives can also be audited
quarterly or twice a year.
 An organization’s budget for the execution of internal audits.
 Regulatory or customers’ requirements.

Some Recommendations as relevant for AIT:

 Introduce theme audits.

 Include one of management's specific focus areas at each audit.
 Connect with current problems and current objectives.
 Refresh the reporting - review presentation methods and templates.
 Renew the auditor pool.
 Remember to sometimes focus on external audits of suppliers and subcontractors.
 Replace auditors with the company next door/ affiliates or perform comprehensive
audits within the company.
 Focus attention upon the risk management process; its design, application and
reporting mechanisms - review and report upon the organization risk maturity level
 Build the audit plan around high priority risks, key areas of change and the assurance
needs of stakeholders.
 Where possible work with and rely upon other assurance providers.
 Work with external providers of assurance in a co-sourced arrangement to fill skills
and knowledge gaps.
 Consider the importance of routine processes and activities (audit universe) but keep
this in tune with key business risks and developments.
 Make key choices, including what is not being done, transparent to key stakeholders
to engage stakeholders in questions of risk appetite and the need for assurance. Using
these principles will ensure conformance to the Standards and provide
B. Current financial and risk management policies to meet the corporate governance
requirements

Risk management is about managing threats and opportunities. ISO 31000:2009 describes
risk as the ‘effect of uncertainty on objectives’ When management of risks or opportunities is
effective, it often remains unnoticed. When it fails, the consequences for clients and staff may
be significant and politically high profile. Having good risk management practice ensures that
the department can undertake activities with the knowledge that measures are in place to
maximize the benefits and minimize the negative effect of uncertainties on organizational
objectives.

The risk management process is a “systematic application of management policies,

procedures and practices to the activities of communicating and consulting, establishing the
context, identifying, analyzing, evaluating, treating, monitoring and reviewing risk”.

An organization’s ability to manage risk effectively depends on its intentions and its capacity
to achieve those intentions. This intent and capacity is referred to as its risk management
framework and is part of its system of governance and management. The quality of the
framework is important because effective risk management requires:

 Clear expectations from ‘the top’

 Appropriate capability (skills, resources, support)
 Sound relationships with stakeholders
 Integration of necessary risk management practices into the day-to-day activities
and accountabilities of the management team
 A commitment to continually learn and improve.

The risk management framework should not attempt to replace the natural capability of
people to manage risk; rather it should enhance good practices so that the process is
reliable, comprehensive and consistent. For this to occur and for the required capability to
be achieved, the organization requires

 A set of suitable ‘tools’

 A coherent approach to training and communicating to people so that they can use
those tools in a competent and consistent manner
 An approach that signals and reinforces the correct behaviour and way of thinking.

The typical elements of a framework and an illustration of how this supports the integration
of the risk management process is shown in the figure below.
For risk management to be effective, the company should at all levels comply with the
principles below.

a) Risk management creates and protects value.

Risk management contributes to the demonstrable achievement of objectives and

improvement of performance in, for example, human health and safety, security, legal and
regulatory compliance, public acceptance, environmental protection, product quality, project
management, efficiency in operations, governance and reputation.

b) Risk management is an integral part of all company processes.

Risk management is not a stand-alone activity that is separate from the main activities and
processes of the company. Risk management is part of the responsibilities of management
and an integral part of all organization processes, including strategic planning and all project
and change management processes.

c) Risk management is part of decision making.

Risk management helps decision makers make informed choices, prioritize actions and
distinguish among alternative courses of action.

d) Risk management explicitly addresses uncertainty.

Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and
how it can be addressed.

e) Risk management is systematic, structured and timely.

A systematic, timely and structured approach to risk management contributes to efficiency

and to consistent, comparable and reliable results.

f) Risk management is based on the best available information.

The inputs to the process of managing risk are based on information sources such as historical
data, experience, stakeholder feedback, observation, forecasts and expert judgement.
However, decision makers should inform themselves of, and should take into account, any
limitations of the data or modelling used or the possibility of divergence among experts.
IS/ISO 31000: 2009

g) Risk management is tailored.

Risk management is aligned with the company's external and internal context and risk profile.

h) Risk management takes human and cultural factors into account.

Risk management recognizes the capabilities, perceptions and intentions of external and
internal people that can facilitate or hinder achievement of the company's objectives.

i) Risk management is transparent and inclusive.

Appropriate and timely involvement of stakeholders and, in particular, decision makers at all
levels of the company, ensures that risk management remains relevant and up-to-date.
Involvement also allows stakeholders to be properly represented and to have their views
taken into account in determining risk criteria.

j) Risk management is dynamic, iterative and responsive to change.

Risk management continually senses and responds to change. As external and internal events
occur, context and knowledge change, monitoring and review of risks take place, new risks
emerge, some change, and others disappear.

k) Risk management facilitates continual improvement of the company.

Company should develop and implement strategies to improve their risk management
maturity alongside all other aspects of their company.
Attributes of enhanced risk management

The company should aim at the appropriate level of performance of their risk management
framework in line with the criticality of the decisions that are to be made. The list of attributes
below represents a high level of performance in managing risk.

 Continual improvement

An emphasis should be placed on continual improvement in risk management through the

setting of organizational performance goals, measurement, review and the subsequent
modification of processes, systems, resources, capability and skills.

This can be indicated by the existence of explicit performance goals against which the
organization's and individual manager's performance is measured. The company's
performance can be published and communicated. Normally, there should be at least an
annual review of performance and then a revision of processes, and the setting of revised
performance objectives for the following period.

This risk management performance assessment is an integral part of the overall organization's
performance assessment and measurement system for departments and individuals.

 Full accountability for risks

Enhanced risk management must include comprehensive, fully defined and fully accepted
accountability for risks, controls and risk treatment tasks. Designated individuals should fully
accept accountability, must be appropriately skilled and have adequate resources to check
controls, monitor risks, improve controls and communicate effectively about risks and their
management to external and internal stakeholders.

This can be indicated by all members of an organization being fully aware of the risks, controls
and tasks for which they are accountable. Normally, this will have to be recorded in
job/position descriptions, databases or information systems. The definition of risk
management roles, accountabilities and responsibilities should be part of all the organization's
induction programmes.

The company should ensure that those who are accountable are equipped to fulfil that role by
providing them with the authority, time, training, resources and skills sufficient to assume
their accountabilities.

 Application of risk management in all decision making

All decision making within the Company, whatever the level of importance and significance,
involves the explicit consideration of risks and the application of risk management to some
appropriate degree.

This can be indicated by records of meetings and decisions to show that explicit discussions
on risks took place. In addition, it should be possible to see that all components of risk
management are represented within key processes for decision making in the organization,
e.g. for decisions on the allocation of capital, on major projects and on re-structuring and
organizational changes. For these reasons, soundly based risk management is seen within the
company as providing the basis for effective governance.

 Continual communications

Enhanced risk management includes continual communications with external and internal
stakeholders, including comprehensive and frequent reporting of risk management
performance, as part of good governance.

This can be indicated by communication with stakeholders as an integral and essential

component of risk management. Communication is rightly seen as a two-way process, such
that properly informed decisions can be made about the level of risks and the need for risk
treatment against properly established and comprehensive risk criteria. Comprehensive and
frequent external and internal reporting on both significant risks and on risk management
performance contributes substantially to effective governance within the company.

 Full integration in the organization's governance structure

Risk management is viewed as central to the company's management processes, such that
risks are considered in terms of effect of uncertainty on objectives. The governance structure
and process are based on the management of risk. Effective risk management is regarded by
managers as essential for the achievement of the organization's objectives.

This is indicated by managers' language and important written materials in the company using
the term “uncertainty” in connection with risks. This attribute is also normally reflected in the
company's statements of policy, particularly those relating to risk management. Normally,
this attribute would be verified through interviews with managers and through the evidence
of their actions and statements.

Developing an Enterprise-wide Risk Management Framework

The Standard ISO 19011:2011 outlines an approach to developing a framework that will assist
companies to integrate risk management into their enterprise-wide risk management
systems. Companies are encouraged to consider the links between the foundations of their
risk management framework and their business objectives. A company’s risk management
framework needs to include its policy objectives and its commitment to risk management
alongside its legislative responsibility. The risk management framework should be embedded
within the agency’s overall strategic and operational policies and practices, and take into
consideration internal and external relationships, accountabilities, resources, processes and
activities.

 Strategic objectives

Senior Executives within a company should be responsible for providing the strategic direction
of the company. This approach, while usually long term, describes the vision for the
management of risk and what overarching outcomes will be achieved.
  Operational objectives

The middle managers of a company would be responsible for aligning the strategic objectives
with the company’s operations in order to achieve outcomes. The strategic plans developed
at this level outline what each business unit must do to achieve their outcomes.

 Line objectives

Similarly, line managers would be responsible for developing strategic plans that are more
specific to achieving outcomes and are short term in nature. These plans prescribe in detail
how the processes or activities of the agency’s outcomes will be actioned and completed.

Standard Approach

In order to make risk management more effective in IT organization, AIT Should follow
these:

 Implement a framework for risk assessment and mapping.

 Outline the responsibilities of risk managers with their respective domains
 Identify and define the risks to which the business is exposed and how to map
incidents.
 Determine the threat level and focus on the risk that have the greatest potential to
affect enterprise performance.
 Establish levels of controls for processes commensurate with the perceived threat.
 Record and retain risk incident and near-miss information.
 Conduct periodic risk assessments to determine changes in th company’s risk profile
and assess performance.
C. Checklist for specific compliance requirements as per Information Technology Act
as amended in 2008 as applicable to AIT.

The IT Amendment Act 2008 is a comprehensive legislation that touches several aspects of
the business of any organization which uses computers. Many sections of the Act are expected
to directly or indirectly affect the compliance as well as IT security strategy. Attached is a
questionnaire to ensure specific compliance requirements as per Information Technology Act
as amended in 2008.
 Areas Referen Assessment Questions Yes/ Observati Compl Rema
ce to No/ on iant/ rks/
ITACT Not Non- Action
2008 Sure/ Compl Points
NA iant
1) Definition of Body Sec 43A Is the organization a ‘body corporate’ as defined
Corporate in the IT (Amendment) Act, 2008 (ITAA 2008)?
Definition Body Corporate – means any company and
includes a firm, sole proprietorship, or other
association of individuals engaged in
commercial or professional activities
2) Organization's Role Clarificatio Is the Organization aware of the privacy role it
n Issued performs based on its functions, activities &
u/s 43A business?
Role 1: Data Provides services to its end customers (individuals –
Controller ‘providers of information’ under the ITAA 2008)
under a direct relationship and determined the
means and purpose of data collection and processing
Role 2: Data Processor Provides services to its clients (organizations) under
a lawful contract having indirect relationship with
the end customers (providers of information) as per
the instructions from data controller; e.g. business
process outsourcing service providers
Role 3: Data Provides employment or other related services
Controller / benefits to its employees and / or enable
employees to perform their duties
3) Sensitive Sec 43A Does the organization deal (collect, process, store,
Personal Data or transfer, access) with following categories of
Information “sensitive personal data or information” (SPDI) as
(SPDI) defined under sec43A of the ITAA, 2008? Has it
identified such functions, operations and activities
that deal with SPDI?
Definition of SPDI Rule 3 i. Password (Capable of providing information or
(u/s access to SPDI listed below)
 43A) ii. financial information such as Bank account or
credit card or debit card or other payment
instrument details
iii. physical, physiological and mental health
condition
iv. sexual orientation

v. medical records and history

vi. biometric information

vii. any of the detail relating to the above

categories of SPDI or information received
under above categories of SPDI by the
organization for processing, stored or processed
under lawful contract or otherwise
Exceptions Any information that is freely available or accessible
in public domain or furnished under the Right to
Information Act, 2005 or any other law for the time
being in force shall not be regarded as sensitive
personal data or information
4) Privacy Policy Rule 4 Does the organization have a privacy policy?

Requirements a) Is it published on the website of the

organization?
b) Is the policy easily accessible?

c) Is the policy simple & easy to understand

d) Does it provide links to organization's

practices and policies
e) Does it state?
i. Type of SPDI being collected (refer question
no. 3)
ii. Reason for collecting such information
 iii. The intended usage of the provided
information
iv. Disclosure policy and practices of the
organization (refer question number 11)
v. Reasonable security practices and
procedures adopted by the organization for
securing SPDI
For organizations that act as data processors [refer Q 2 above], questions 5 to 11 (Rules 5 & 6 of Sections 43A in ITAA,
2008) are not applicable
5) Collection Rule 5 Does the organization follow any due diligence to
Limitation 2(a) ensure SPDI is collected for a lawful purpose which
is associated with the function or activity of the
organization?
Due Diligence Rule 5 Does the organization follow any due diligence
2(b) to ensure SPDI which is necessary for the above
purpose is only collected?
Informing the Rule 5(3) When directly collecting SPDI from the
Providers of provider of information, does the organization
Information take reasonable steps to ensure that the
provider of information is having knowledge
about:
i. the fact that the SPDI is being collected

ii. the purpose for which SPDI is collected

iii. the intended recipients of SPDI

iv. the name & address of the agency which is

collecting the SPDI
v. the agency tha will retain the SPDI

6) Consent Rule 5(1) Does the organization take written consent from
and the provider of information regarding purpose of
usage before collecting their SPDI?
 Modes for Obtaining Clarificatio a. Letter
Consent n Issued
u/s 43A b. Fax

c. Email

d. Click in an online environment

e. Instant messaging

f. IVR

g. Any other mode of electronic communication

Choice Rule 5(7) Does the organization provide an option to the

provider of information to decline providing data
or information sought to be collected for availing
service?
Consent Withdrawal Does the organization provide option to the
provider of information to withdraw his / her
consent given earlier?
7) Purpose Limitation Rule 5(5) Does the organization perform any due diligence to
ensure that the usage of SPDI is consistent with the
purpose for which has been collected?
8) Access & Correction Rule 5(6) Does the organization allow providers of
information, as & when requested by them, the
facility to review the SPDI they have provided?
Mechanisms Does the organization have mechanisms in place
that allow providers of information to modify /
update / correct their SPDI, if found to be outdated
and / or incorrect?
9) Information Rule 5(4) Does the organization ensure that the SPDI is not
Retention retained for a period longer than required for its
lawful use or is otherwise required by any other law
for the time being in force?
10) Grievance Officer Rule 5(9) Has the organization designated a grievance
officer to address any discrepancies &
grievances raised by the providers of
information?
Publication on website Has the organization published the name and
contact details of the grievance officer on its
website?
Resolution Is the grievance officer mandated to redress the
grievances of the providers of information
within one month (maximum) from the date of
the receipt of grievance?
11) Disclosure of Rule 6(1) Does the contract signed between the
Information organization and providers of information
mention the disclosure of SPDI to third parties?
Prior Permission If not, does the organization take prior permission
of the providers of information before disclosing
their SPDI to third parties or publishing it?
Exceptions Are there any legal obligations under which the
organization needs to disclose the SPDI without
informing or taking permission of the providers of
information?
Publishing in Public Rule 6(3) Does the organization take due diligence to
Domain ensure that the SPDI is not published
intentionally or unintentionally in public
domain, i.e., made available to unauthorized
persons or public?
Controls Rule 6(4) Has the organization put in place the mechanisms /
controls to ensure that the third party with which
SPDI is shared does not disclose it further?
12) Transfer of Rule 7 Does the organization follow due diligence to ensure
Information that the same level of data protection (please refer
Question 13) is adhered to by third parties (which
may be located in India or abroad) to whom the
organization transfers SPDI for performance of a
lawful contract between the organization and
 providers of information or where the providers of
information have given their consent for such
transfers?
13) Security Practices Sec 43A Has the organization implemented 'Reasonable
Security Practices' for protecting SPDI?
a. Agreement Does the contract signed between organization &
through provider of information or between organization
contractual & third party contains provisions that specify
instruments security practices and procedures designed to
protect SPDI from unauthorized access, damage,
use, modification, disclosure or impairment?
Does the contract include:
i. Comprehensive documented information
security policies & programs
ii. Managerial, technical, operational & physical
security controls that are commensurate with the
value of information assets being protected and the
risk exposure
iii. Audit / assessment mechanisms for testing
implementation of controls
b. In absence of any Rule 8(1), Has the organization implemented
Contract 8(2) documented information security policies &
& 8(3) programs that contain managerial,
technical, operational & physical security
controls that are commensurate with the
value of information assets being protected
and the risk exposure?
Such security practices & procedures could be:
a. IS/ISO/IEC 27001
b. Codes of best practices of an industry
association (where the organization is a
member) that are duly approved & notified by
the central government
Rule 8(4) Do such security practices & procedures get
 certified or audited by a government approved
independent auditor, on a regular basis (at least
once a year or as & when the organization
undertakes significant up gradation of its processes
& computer resources)?
c. Demonstration of Sec 43A Does the organization maintain the requisite
Security Practices in
case of security records, logs, trails, etc. for demonstrating
incident / data breach compliance?
Can the organization demonstrate that it has
implemented security controls as per the
documented security policies & programs?
D. Risk Management Strategy / Policy

1. BACKGROUND

‘Risk’ in literal terms can be defined as the effect of uncertainty on the objectives. Risk is
measured in terms of consequences and likelihood. Risks can be internal and external and
are inherent in all administrative and business activities. Every member of any organisation
continuously manages various types of risks. Formal and systematic approaches to managing
risks have evolved and they are now regarded as good management practice also called as
Risk Management.

‘Risk Management’ is the identification, assessment, and prioritization of risks followed by

coordinated and economical application of resources to minimize, monitor, and control the
probability and/or impact of uncertain events or to maximize the realisation of opportunities.
Risk management also provides a system for the setting of priorities when there are
competing demands on limited resources.

Effective risk management requires:

 A strategic focus,
 Forward thinking and active approaches to management
 Balance between the cost of managing risk and the anticipated benefits, and
 Contingency planning in the event that critical threats are realised.

In today’s challenging and competitive environment, strategies for mitigating inherent risks
in accomplishing the growth plans of the Company are imperative. The common risks inter
alia are: Regulations, competition, Business risk, Technology obsolescence, return on
investments, business cycle, increase in price and costs, limited resources, retention of talent,
etc.

2. LEGAL FRAMEWORK

Risk Management is a key aspect of Corporate Governance Principles and Code of Conduct
which aims to improvise the governance practices across the business activities of any
organisation. The new Companies Act, 2013 and the Clause 49 of the Equity Listing Agreement
have also incorporated various provisions in relation to Risk Management policy, procedure
and practices.

The provisions of Section 134(3)(n) of the Companies Act, 2013 necessitate that the Board’s
Report should contain a statement indicating development and implementation of a risk
management policy for the Company including identification therein of elements of risk, if
any, which in the opinion of the Board may threaten the existence of the Company.

Further, the provisions of Section 177(4)(vii) of the Companies Act, 2013 require that every
Audit Committee shall act in accordance with the terms of reference specified in writing by
the Board which shall inter alia include evaluation of risk management systems.

In line with the above requirements, it is therefore, required for the Company to frame and
adopt a “Risk Management Policy” (this Policy) of the Company.
 3. PURPOSE AND SCOPE OF THE POLICY

The main objective of this Policy is to ensure sustainable business growth with stability and
to promote a pro-active approach in reporting, evaluating and resolving risks associated with
the Company’s business. In order to achieve the key objective, this Policy establishes a
structured and disciplined approach to Risk Management, in order to guide decisions on risk
related issues.

The specific objectives of this Policy are:

 To ensure that all the current and future material risk exposures of the Company are
identified, assessed, quantified, appropriately mitigated, minimized and managed i.e.
to ensure adequate systems for risk management.
 To establish a framework for the company’s risk management process and to ensure
its implementation.
 To enable compliance with appropriate regulations, wherever applicable, through the
adoption of best practices.
 To assure business growth with financial stability.
4. APPLICABILITY

This Policy applies to all areas of the Company’s operations.

5. KEY DEFINITIONS

A. Risk Assessment – The systematic process of identifying and analysing risks. Risk
Assessment consists of a detailed study of threats and vulnerability and resultant exposure
to various risks

B. Risk Management – The systematic way of protecting business resources and income
against losses so that the objectives of the Company can be achieved without unnecessary
interruption.

C. Risk Management Process - The systematic application of management policies, procedures

and practices to the tasks of establishing the context, identifying, analysing, evaluating,
treating, monitoring and communicating risk.

6. RISK FACTORS

The objectives of the Company are subject to both external and internal risks that are
enumerated below:-

A. External Risk Factors

 Economic Environment and Market conditions

 Political Environment
  Competition

 Revenue Concentration and liquidity aspects

Each business area of products such as pumps, turbines, motors, generators, switchgears and
turnkey projects has specific aspects on profitability and liquidity. The risks are therefore
associated on each business segment contributing to total revenue, profitability and liquidity.
Since the projects have inherent longer time-frame and milestone payment requirements,
they carry higher risks for profitability and liquidity.

 Inflation and Cost structure-

Inflation is inherent in any business and thereby there is a tendency of costs going higher.
Further, the project business, due to its inherent longer timeframe, as much higher risks for
inflation and resultant increase in costs.

 Technology Obsolescence –

The Company strongly believes that technological obsolescence is a practical reality.

Technological obsolescence is evaluated on a continual basis and the necessary investments
are made to bring in the best of the prevailing technology.

 Legal –
Legal risk is the risk in which the Company is exposed to legal action. As the Company is
governed by various laws and the Company has to do its business within four walls of law,
the Company is exposed to legal risk.

 Fluctuations in Foreign Exchange

The Company has limited currency exposure in case of sales, purchases and other expenses.
It has natural hedge to some extent. However, beyond the natural hedge, the risk can be
measured through the net open position i.e. the difference between un-hedged outstanding
receipt and payments. The risk can be controlled by a mechanism of “Stop Loss” which
means the Company goes for hedging (forward booking) on open position when actual
exchange rate reaches a particular level as compared to transacted rate.

B. Internal Risk Factors

 Project Execution
 Contractual Compliance
 Operational Efficiency
 Hurdles in optimum use of resources
 Quality Assurance
 Environmental Management
 Human Resource Management
 Culture and values

7. RESPONSIBILITY FOR RISK MANAGEMENT

Generally every staff member of the Organisation is responsible for the effective
management of risk including the identification of potential risks. Management is responsible
 for the development of risk mitigation plans and the implementation of risk reduction
strategies. Risk management processes should be integrated with other planning processes
and management activities.

8. COMPLIANCE AND CONTROL

All the Senior Executives under the guidance of the Chairman and Board of Directors has
the responsibility for over viewing management’s processes and results in identifying,
assessing and monitoring risk associated with Organization’s business operations and the
implementation and maintenance of policies and control procedures to give adequate
protection against key risk. In doing so, the Senior Executive considers and assesses the
appropriateness and effectiveness of management information and other systems of internal
control, encompassing review of any external agency in this regards and action taken or
proposed resulting from those reports.

9. REVIEW
This Policy shall be reviewed at least every year to ensure it meets the requirements of
legislation and the needs of organization.

10. AMENDMENT
This Policy can be modified at any time by the Board of Directors of the Company.

SUMMARY

As IT is a key enabler of organisation process, it is critical to implement GEIT as an integral

part of governance. Also, regulatory requirement mandate the implementation of governance,
enterprise risk management and internal control, for that it is very important to use right type
of GEIT framework, like COBIT 5, a globally accepted GEIT framework. By taking an integrated
GRC process approach and deploying a single system to manage the multiple governance,
risk and compliance initiatives across the organization, the issues can be easily addressed.
Such an approach can:

 Have a dramatic positive impact on organizational effectiveness by providing a clear,

unambiguous process and a single point of reference for the organization.
 Eliminate all redundant work in various initiatives
 Eliminate duplicative software, hardware, training and rollout costs as multiple
governance, risk and compliance initiatives can be managed with one software solution
 Provide a “single version of the truth” available to employees, management, auditors
and regulatory bodies

THANK YOU