EY Global Governance, Risk and Compliance Survey Global Governance, Risk and Compliance Survey How India stacks up against global trends February 2016 2 E Goba Goverae Rs ad Coae urvey

EY Global Governance, Risk and Compliance SurveyHow India stacks up against global trends February 2016

EY Global Governance, Risk and Compliance Survey2

ContentsForeword: about the GRC survey ............................................01Assessing organizations’ risk profile .......................................05Reporting on Governance and Risk Management .....................11Governance, Risk Management and Compliance Programs ......18Internal Audit Function ..........................................................25Future Evolution in GRC program ...........................................26Survey methodology and demographics .................................28

How India stacks up against global trends 3

Foreword: about the GRC surveyIn 2015, EY had concluded the Global Governance, Risk Management and Compliance (GRC) survey. We focused on a range of topics (e.g., risk strategy, coordination of functions, internal audit, technology) to gain a better understanding of how well organizations are managing risk today. The results were published and analyzed at a global level across sectors and regions. While organizations demonstrated they are making progress, they indicated that further opportunities do exist to improve the way they identify, manage and respond to risk.

This survey was conducted across a very large set of more than 1,000 companies spread over 63 countries and multiple sectors. This included a significant number of Indian companies as well. This provided us with a unique opportunity to compare and contrast the Indian and global responses to understand key similarities and differences. We have presented herein the findings of this analysis.

Our analysis showed several points of convergence and also some divergences in the practices and perceptions in India and globally. Some of the important trends emerging out of this analysis are:

• Organizations in India are more focused on compliance with regulatory and legal requirements as compared to their global counterparts.

• Indian organizations are lagging behind in using technology enabled solutions in GRC and IA function as compared with global trend. However, we are catching up gradually, by increasing the efforts and spend toward technological enablement for these functions.

• There is room to improve internal audit coverage of information security programs in Indian companies.

• Across the world and in India, there is agreement that coordination among various GRC activities in the organization has significant room for improvement.

The detailed results are presented in the following pages. We trust you will find these insightful.

Warm regards

Nitin Bhatt Risk Leader EY India

Manesh Patel Internal Audit Leader EY India


Assessing organizations’ risk profile How do organizations assess their risk profile?

In this section we analyze the trends indicated by the survey results on how organizations assess their exposure to risk and the impact on the business and strategic plans.

A. 1 Overall, the frequency of risk identification, assessment and reporting is similar in India and globally:

Frequency of evaluation of risk profile by the Board or Executive Management

Multiple option answers allowed hence total can be greater than 100%

Impact of risk profile assessment on company’s strategic and business plan

77%

72%

36%

58%

7%

25%

10%

10%

6%

3%

0% 50% 100%

Board

ExecutiveManagement

Global India

68%

62%

34%

47%

13%

26%

11%

17%

4%

0%

0% 50% 100%

Annually Quarterly Real time Other Not at all

Global india

Extensively — risks are identified, assessed and plans to address the risks developed for all key initiatives

Somewhat — risks are identified and discussed

Slightly — significant risks to the organization are discussed at a senior level

Not aware

44%

40%

13%

3%

47%

38%

13%

2%


A. 2 In India, the risk profile of the organization has an increased influence on capital allocation decisions (e.g., funding, expenditures, people/resources, technology, etc.) as compared to global trends:

Extent of influence of risk profile on capital allocations

A. 3 Top current opportunities available and challenges faced by organizations ► ► The list of top-5 opportunities and challenges identified by the respondents indicates some interesting similarities and

divergences between India and the rest of the globe.

Rank Opportunities Challenges

Global India Global India

1 Strategic transactions Strategic transactions Economic stability Reputation

2 Emerging markets Emerging markets Regulatory compliance Competitor innovation

3 Technology shifts Reputation Cybersecurity Economic stability

4 Reputation Technology shifts Reputation Cybersecurity

5 Customer preferences Competitor innovation Strategic transactions Strategic transactions

► The list of opportunities is very similar in both cases.

► Interestingly, even though India is generally perceived to be an emerging market itself, Indian companies are actively focusing on expansion in other emerging markets.

► Economic stability and cybersecurity are perceived to be bigger challenges at global level as compared to India.

► Competitor innovation can either expand the existing market size (increased product usage or application) or wipe out existing markets (disruptive technologies). In India, competitor innovation is perceived to be both a risk and an opportunity.

► Regulatory compliance is clearly seen as a bigger challenge globally than in India.

10% 9%

49%40%

41% 51%

Global India

Does not influence

Possible causes of increased influence in India• High cost of capital • More difficult to exit unprofitable business in India

Slightly influencesSignificantly influences


A. 4 Functions responsible for identification, assessment, management and reporting on risks within the organizations:

Functions responsible for risk management activities


► ► In India, there is clearly a need to increase the focus of the information technology and information security functions on risk management activities.

91%

68%

53%

53%

53%

65%

28%

57%

59%

26%

9%

96%

68%

51%

32%

40%

55%

26%

47%

53%

19%

13%

Internal Audit

Compliance

Internal controls

Information technology

Information Security

ERM

Tax

Legal

Business units

SOX

Others

Global India


In this section we analyze the trends indicated by the survey results on how GRC programs operate in organizations and the skills required/expected for handling the GRC and IA function. Furthermore, we analyze the extent of use of technology solutions in performing these functions globally and in India.

B. 1 Globally and in India, GRC programs address risks in the following order:

Rank Global India

1 Regulatory and compliance

2 Financial

3 Operational

4 Fraud

5 Reputational Legal

► ► The focus on risks addressed by GRC programs in India and the rest of world is very similar.

► ► However, in India, the focus on legal compliance appears to be greater than in the rest of the world. This may be, to some extent, due to recent Company Law amendments, which have put the onus on companies to be compliant with all laws.

B. 2 As regards the skills or knowledge considered most important to enhance the risk, control and compliance functions:

► ► Knowledge of risk management, business strategy and audit are given equal weightage in India and rest of the world.

► ► Globally, critical/analytical thinking skill is given higher weightage over other skills.

► ► Furthermore, in India the need for data analytics skills is being emphasized.

► ► Compliance and regulatory knowledge is given more importance in India than globally.

Requirements to enhance GRC functions:

Rank Global India

1 Risk management Risk management

2 Critical/analytical thinking Compliance/regulatory

3 Business strategy Business strategy

4 Compliance/regulatory Audit

5 Audit Data analytics

B. 3 The top-5 opportunities to enhance the GRC program, as perceived by survey respondents, are:

Rank Global India

1 Better alignment of risk management approach to business strategy and objectives

2 Clarify risk ownership, processes and structure Improve the enterprise risk assessment process to provide a comprehensive view of risk

3 Improve the enterprise risk assessment process to provide a comprehensive view of risk

Improve the over-arching compliance framework

4 Enhance ability to monitor for emerging risks Leverage technology more effectively across risk functions

5 Improve the efficiency and effectiveness of the control environment

Clarify risk ownership, processes and structure

Governance, Risk Management and Compliance ProgramsHow do GRC programs function in organizations?


► ► Organizations in India and globally understand that risk management activities and business objectives have to function hand-in-hand for staying ahead in the race.

► ► In India, there is a clear emphasis on the need for increased focus on compliance as well as on leveraging technology to enhance GRC activities.

B. 4 Mapping of compliance and audit activities to identified risks, to ensure adequate risk coverage:

► ► Globally and in India, organizations primarily rely on the internal audit function to identify and assess risks.

► ► Furthermore, globally, the ERM function also has a relatively more important role to play in ensuring risk coverage.

Functions responsible for facilitating coverage of compliance activity and audits

option answers allowed hence total can be greater than 100%

B. 5 Do GRC functions prepare an integrated report addressing the organization’s risk and management actions for the Board and Executive management?

Frequency of presenting an integrated report on identified risks and management actions

Global India

76%

37%

47%

7%10%

85%

40% 38%

6% 6%

Internal Audit Compliance ERM Other No assurance mapin place

29%

32%

4%

35%

30%

19%

0%

51%

Annually

Quarterly

Monthly

An integrated report is not prepared

Global India

► ► Indian companies are clearly lagging behind their global counterparts in the area of integrated risk reporting.


B. 6 To what extent is technology utilized to enable or support the risk management activities?

► ► Whereas, globally, multiple solutions are deployed for supporting/enabling GRC activities, Indian companies seem to be behind the curve.

► ► As evident from B.3 above, this is clearly seen as an improvement opportunity by Indian companies.

Extent of technology solutions used to support/enable risk management activities

14%

24%

11%

46%

5%17%

17%

4%53%

9%

Yes, single solutions

Yes, multiple solutions

Yes, we utilize technology

No

Don't know

Global India

B. 7 Estimated cost for the functions performing GRC activities: ► 45% of the Indian organization surveyed are not aware of the total spend on GRC activities/function, as compared with 26%

globally.

► Globally, spend on GRC activities also tends to be to be higher than Indian companies.

Spend on GRC in Indian companies compared to global scenario

47%

38%

10% 11%

6%

2%5%

2%2% 0%5% 2%

26%

45%

G L O B A L I N D I A

<$3 mn

$3 mn - $4.9 mn

$5 mn - $9.9 mn

$10 mn - $19.9 mn

$20 mn - $29.9 mn

>$30 mn

Don't know


B. 8 Are performance indicators or metrics defined and monitored through GRC technology? ► In a relatively large proportion of Indian companies, the key performance indicators (KPI)/key risk indicators (KRI) are not

defined.

► Furthermore, in a significant proportion of companies (36% in India and 47% globally), KPI and/or KRI are defined, but not monitored. This is clearly an improvement area for all.

Number of global and Indian organizations where KPI/ KRI are defined and monitored


19%17%

15%

20%

8%

19%

31%

15%17%

15%13%

4%

19%

38%

KPIs KRIs KPIs and KRIsmonitored

KPIs aredefined, but

not monitored

KRIs aredefined, but

not monitored

KPIs and KRIsare defined,

but notmonitored

Indicators notdefined

Global India


In this section we analyze the trends indicated by the survey results on how GRC and IA function report risks and at what level are they managed in the organizations. Furthermore, we evaluate the practice of defining dashboards/metrics/performance indicators to measure risk exposure and frequency of reporting at different levels in the organizations.

C.1 Globally risk management is addressed by either the full Board or in a committee of the Board, whereas in India Audit Committees play an enhanced role.

Reporting structure for GRC activities

C.2 In India and globally, most organizations have management risk committees; however, in India a CRO is not appointed in most organizations surveyed.

Particulars Global India

Management Risk Committee exists 70% 72%

Chief Risk Officer (CRO) is Not Appointed 44% 60%

► It is expected that most organizations in India will soon comply with the requirements of the Companies Act and appoint Risk Management Committees.

36%

33%

19%

4%8% 26%

38%

32%

4% 0%

Full Board

Audit Committee of the Board

Risk Committee of the Board

Not addressed

Global India

Reporting of Governance and Risk Management ActivitiesHow do organizations report and manage risks?


C.3 Visibility of risk exposure, through dashboards, metrics and performance indicators is more prevalent currently at CEO/ CFO levels…

Levels at which there is visibility on risk exposure of the organization


► In 21% of global organizations and 30% of Indian organization, dashboards, metrics and performance indicators are not defined to identify/ measure the risk exposure.

C.4 … where these dashboard/ metrics do exist, they are mostly reviewed on a quarterly and monthly basis:

Frequency of reviewing the dashboards, metrics and performance indicators

42%48%

27%

51%

24%

46%

23%28%

21%

36%

43%

26%

45%

21%

45%

11%15%

30%

Full Board AuditCommittee

RiskCommittee

CEO COO CFO CRO CAE Nodashboards

Global India

Other

Annually21%

Quarterly42%

Monthly29%

8%

Global

Annually18%

Quarterly52%

Monthly25%

Other5%

India


In this section we analyze the trends indicated by survey results on the organizations’ existing Internal Audit (IA) function covering expected skills reporting structure, skills/knowledge expected and usage of data analytics and technology for enabling or supporting the IA activities.

D.1 Globally and in India the internal audit reporting structure tends to be broadly similar as seen below:

Particulars Global India

Administratively I.CEO 36% 40%

II. CFO 32% 32%

Functionally I. Audit Committee of the Board 65% 79%

II. Full Board 11% 9%


D.2 The survey results indicate that the top 6 skills required to enhance the IA functions, globally and in India are as below:

Global India

Critical/ analytical thinking Data analytics

Data analytics Compliance/ regulatory

Audit Risk management

Risk management Audit

Deep industry experience Critical/ analytical thinking

Process improvement Fraud prevention/ detection

► ► Globally there is more emphasis on critical and analytical thinking skills whereas in India, compliance/ regulatory knowledge are more important.

► ► Furthermore, globally there seems to be a more emphasis on industry experience and process improvement skills than in India.

D.3 Globally and in India the top opportunities to enhance the IA function are perceived to be as follows:

Rank Global India

1 Improve reporting: includes presenting issues in perspective to the risk and identify trends

2 Enhance ability to identify and assess emerging risk Enhance objectivity/ independence

3 Improve ability to advise the business on major change programs

4 Enhance objectivity/independence Improve ability to benchmark business processes and control practices against other organizations

5 Better leverage the work of other risk/control/compliance function Increase use of data analytics

► ► In India and globally, skills on reporting risks and the ability to advise the business on real time basis are most sought after.

► ► In India, ability to benchmark processes and control practices against other organizations and data analytics is getting increased attention.

Internal Audit function and activitiesHow does Internal Audit function in organizations?



► ► In India, there is clearly scope to improve review of information security programs by IA.

► ► In 13% Indian organizations and 8% global organizations IA does not audit GRC functions.

D.5 Estimated cost for functions performing internal audit activities: ► ► It is interesting to note that the spending profile of Indian companies is quite similar to their global counterparts.

► ► Furthermore, in a significant proportion of companies (13% globally, 21% India) spend on the IA function does not seem to be tracked/measured. This is clearly a big improvement opportunity.

Spend on IA in Indian and global companies

47%

64%73% 69%

1%

25%

8%13%

3%

34%

70%79%

60%

2%13% 13%

6%0%

ERM Compliance Internal controls

Information security

Data SOX program

IA does not audit GRC functions

Other Don’t know

Global India

64%60%

11% 11%6% 6%

3%0%1% 0%2% 2%

13%

21%

Global India

<$3 mn

$3 mn - $4.9 mn

$5 mn - $9.9 mn

$10 mn - $19.9 mn

$20 mn - $29.9 mn

>$30 mn

Don’t know

D.4 Following chart represents the GRC functions reviewed by internal audit :


D.6 Trend in use of data analytics in IA life cycle at each stage is demonstrated:


► Globally and in India, data analytics is extensively used at execution and testing stage.

► ► However, globally, data analytics is relatively more emphasized at initial stages in the IA, i.e., risk assessment and planning.

► ► In India, data analytics is more extensively used for reporting and measuring the IA effectiveness/performance.

D.7 Trend in use of technology in IA life cycle at each stage is demonstrated below:


► Globally there is an increased inclination toward technology solutions in initial stages such as risk assessment and engagement and project setup.

► ► However, in India, technology is mostly used for audit execution, work paper documentation, reporting and issue follow up.

► ► Increasing the focus of technology in initial stages, may help in ensuring adequate coverage and identification of emerging risks and also help to save cost and efforts.

37%46%

72%

26%20%

7% 10%

34% 38%

79%

36% 32%

6% 2%

Risk assessment Planning Execution andtesting

Reporting IA effectiveness/performance

Don’t Know Not At All

Global India

43%

34%

63%56%

42%

50%

6%12%

34%

19%

72%

53%49% 49%

6%11%

Risk assessment

Engagement andproject setup

Audit programexecution

Work paper anddocumentation

repository

Audit reporting

Issue follow-up Not aware No technology

utilized

Global India


E.1 Risk management’s level of involvement and impact on company’s strategic decision making (e.g., divesture, acquisitions, investment, capital allocations, etc.).

► The involvement of risk management in strategic decision making is currently low in India.

► ► Globally and in India, over three years, there is an increasing trend in the involvement of risk management in the strategic decision-making process.

Trend in involvement of risk management in strategic decision making

24%

26% 26%

42%34%

28%

8% 13%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Global

Today After 3 years

India

54%47%

34%34%

8%15%

4% 4%

Global India

Provide inputs, but not directly involved Very closely involved

Informed, but not involved Not involved at all

Future Evolution in GRC and IA Where do organizations perceive themselves after three years?


E.3 How well are GRC activities (e.g., business, risk management, compliance, internal controls, Internal Audit) coordinated within the organizations, today…

21%

52%

21%

5% 1%

13%

64%

19%

2% 2%

India IndiaGlobal

Currently After 3 years

Global

67%

25%

4% 1% 3%

70%

26%

2%0% 2%

Most organizations believe that there is scope for

improvement and plan to be much better

coordinated in a few years

Well-coordinated Somewhat coordinated Minimal coordination No coordination at all Don’t know

Today After 3 years

33%

49%

40%

32%

13%6%4%6%4%4%9% 2%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Global India

12% 6%

34%34%

23% 36%

20%17%

8%6%3%

Global India

Don’t knowNot at allSlightly but not satisfactorySlightly & satisfactorySatisfactorilySignificantly

E.2 In India and globally, it is believed that internal audit does not adequately leverage the work of other risk/compliance activities; however, after three years in India it is believed that IA will be able to leverage these much more efficiently.

Degree of leverage exercised by IA function in using work done by other functions


Our global governance, risk and compliance survey 2015 was conducted between February and March 2015: it asked how well organizations are managing risk and what they need to do to better manage the risks that drive performance. Almost 1,200 C-suite members, board audit committees and various assurance and/or compliance executives participated — representing major industries in 63 countries around the globe. The majority of the survey responses were collected during face-to-face meetings — when this was not possible, the questionnaire was completed online. We thank all participants for their invaluable insights.

Respondents by Industry sector India Globally

Aerospace and Defense 14

Airlines 11

Asset Management and PE 27

Automotive and Transportation 8 77

Banking and Capital Markets 3 129

Chemicals 1 23

Cleantech 5

Consumer Products 6 96

Diversified Industrial Products 2 61

Government and Public Sector 71

Healthcare 1 27

Insurance 35

Media and Entertainment 1 32

Mining and Metals 1 40

Oil and Gas 2 49

Other 12 147

Power and Utilities 1 81

Professional Firms and Services 1 23

Retail and Wholesale 2 53

Technology 5 56

Telecommunications 1 41

Real Estate 47

Life Sciences and Provider Care 51

Total 47 1196

Respondents by number of employees India Global

Less than 1,000 20 320

1,000 to 5,000 2 293

5,000 to 15,000 13 235

15,000 to 50,000 6 188

50,000 plus 6 160

Total 47 1,196

Respondents by total annual company revenue India Global

Less than US$10 million 1 198

US$10 million to US$100 million 6 95

US$100 million to US$1 billion 23 248

US$1 billion to US$10 billion 15 393

US$10 billion to US$50 billion 1 174

> US$50 billion 1 55

Government, non-profit 21

Not applicable 12

Total 47 1196

Profile of participants

respondents

1,196Countries worldwide

63Industry sectors

25

Survey methodology and demographics


Our officesAhmedabad2nd floor, Shivalik IshaanNear. C.N VidhyalayaAmbawadiAhmedabad-380015Tel: +91 79 6608 3800Fax: +91 79 6608 3900

Bengaluru12th & 13th floor“U B City” Canberra BlockNo.24, Vittal Mallya RoadBengaluru-560 001Tel: +91 80 4027 5000+91 80 6727 5000Fax: +91 80 2210 6000 (12th floor)Fax: +91 80 2224 0695 (13th floor)

1st Floor, Prestige EmeraldNo.4, Madras Bank RoadLavelle Road JunctionBengaluru-560 001 IndiaTel: +91 80 6727 5000Fax: +91 80 2222 4112

Chandigarh1st FloorSCO: 166-167Sector 9-C, Madhya MargChandigarh-160 009Tel: +91 172 671 7800Fax: +91 172 671 7888

ChennaiTidel Park6th & 7th FloorA Block (Module 601,701-702)No.4, Rajiv Gandhi SalaiTaramaniChennai-600113Tel: +91 44 6654 8100Fax: +91 44 2254 0120

Delhi NCRGolf View CorporateTower – BSector 42, Sector RoadGurgaon–122 002Tel: +91 124 464 4000Fax: +91 124 464 4050

3rd & 6th Floor, Worldmark-1IGI Airport Hospitality DistrictAerocity New Delhi-110037, IndiaTel: +91 11 6671 8000 Fax +91 11 6671 9999

4th & 5th Floor, Plot No 2BTower 2, Sector 126NOIDA-201 304Gautam Budh Nagar, U.P. IndiaTel: +91 120 671 7000Fax: +91 120 671 7171

HyderabadOval Office18, iLabs CentreHitech City, MadhapurHyderabad - 500081Tel: +91 40 6736 2000Fax: +91 40 6736 2200

Kochi9th Floor “ABAD Nucleus”NH-49, Maradu POKochi - 682 304Tel: +91 484 304 4000Fax: +91 484 270 5393

Kolkata22, Camac Street3rd Floor, Block C”Kolkata-700 016Tel: +91 33 6615 3400Fax: +91 33 6615 3750

Mumbai14th Floor, The Ruby29 Senapati Bapat MargDadar (west)Mumbai-400 028, IndiaTel: +91 22 6192 0000Fax: +91 22 6192 1000

5th Floor Block B-2Nirlon Knowledge ParkOff. Western Express HighwayGoregaon (E)Mumbai-400 063, IndiaTel: +91 22 6192 0000Fax: +91 22 6192 3000

PuneC—401, 4th floorPanchshil Tech ParkYerwada (Near Don Bosco School)Pune-411 006Tel: +91 20 6603 6000Fax: +91 20 6601 5900

About EYEY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit www.ey.com/in.

Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata – 700016

© 2016 Ernst & Young LLP. Published in India. All Rights Reserved.

SCORE NO. ED 0616

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

JS

EY refers to the global organization, and/or one or more of the independent member firms of Ernst & Young Global Limited

Ernst & Young LLPEY | Assurance | Tax | Transactions | Advisory

Documents

EY Global Governance, Risk and Compliance Survey Global Governance, Risk and Compliance Survey How India stacks up against global trends February 2016 2 E Goba Goverae Rs ad Coae urvey