Systemic Integration of Governance, Risk & Compliance - How Effective

By Vimal Kishor, Head- Legal, Compliance & Company Secretary, Liberty Videocon General Insurance



Governance became a buzzword upon the introduction of Clause 49 in the listing agreement, which required listed companies to follow a particular governance framework. The term has evolved over time, and in today’s context governance has a much wider connotation. In India, several legislations, including the Companies Act, SEBI Regulations, banking regulations and IRDAI Regulations, require organizations to have an effective governance framework. Some of the essentials of an effective governance framework are the mix of Executive, Non-Executive and Independent Directors on the Board of the Company, women’s representation in the boardroom, the appropriateness of the person to be appointed as Director, Directors’ evaluation, a Code of Conduct for Directors, various committees including the Audit Committee, Ethics Committee, Risk Management Committee and Nomination and Remuneration Committee, Related Party Transactions approvals and policies, standardization of financial reporting and enhanced disclosures, mandatory audits, mandatory obligations of statutory auditors to report frauds, etc.

While governance represents the overall governing framework of the organization, including its relationship with internal and external stakeholders, compliance covers the operational framework of governance: ensuring adherence to the rules, whether framed under the governance framework, by various regulators/supervisors, or in policies adopted by the organization, and monitoring that adherence.

Section 134(5) of the Companies Act 2013 mandates a specific statement in the Directors’ Responsibility Statement confirming that the Board has devised proper systems to ensure compliance with the provisions of the applicable laws and that the said systems are adequate and operating effectively. Applicable law has wide coverage, and a particular organization may be required to comply with hundreds of laws, guidelines and regulations applicable in the geography in which it operates.

Risks are an integral part of any business decision, and historically, whenever a business decision is taken, the related risks are also considered and analyzed by the organization. A healthy business plan always has an alternative plan, generally known as Plan B, to be resorted to if the principal plan succumbs to the risks associated with it. As part of business planning, Indian organizations have been following risk management practices for a while now.

Legislative requirements enforcing the Governance, Risk & Compliance (GRC) framework are principally enshrined in the Companies Act, 2013 and the Securities and Exchange Board of India (SEBI) (Listing Obligations and Disclosure Requirements (LODR)) Regulations. Sectoral regulators, e.g. the Reserve Bank of India and the Insurance Regulatory & Development Authority of India, also prescribe such requirements separately for the organizations under their supervision, and these are in addition to the requirements under the Companies Act or the SEBI (LODR) Regulations.

As per Section 134 of the Companies Act 2015, the board of directors’ report must include a statement indicating the development and implementation of a risk management policy for the company, including identification of elements of risk, if any, which in the opinion of the board may threaten the existence of the company. Further, as per Section 177 of the Act, the audit committee shall act in accordance with the terms of reference specified in writing by the board, which shall, inter alia, include evaluation of risk management systems. Additionally, Schedule IV outlines that the independent directors should satisfy themselves that systems of risk management are robust and defensible. As per the SEBI (LODR) Regulations, the top 100 companies are required to constitute a separate Risk Management Committee of the Board of Directors, inter alia to regulate and oversee the risk management practices of the Company.

Digitization has made a large information base available, and various tools have increased an organization’s ability to analyze that information. In view of this, it is logical to converge the tools used to monitor all three functions represented in GRC. Additionally, Governance, Risk and Compliance are control functions and therefore have several commonalities, which lead to duplication/overlap if these functions are performed on a mutually exclusive basis. To address the duplication/overlap, Governance, Risk and Compliance may be combined into a single function, GRC, for the purpose of systemic integration of the regulation, supervision and monitoring of the individual functions.

Though a specific need has been spelt out for the implementation of GRC policies and processes, most Indian companies are at the beginner stage of adopting system-based tools to regulate, supervise and monitor GRC activities. Several Indian companies that are owned by large Indian business houses or promoted by foreign investors or venture capitalists have inculcated a GRC culture in their respective organizations. However, there is a lack of standardization with respect to GRC practices and frameworks, and such practices vary from company to company with a lot of subjectivity.

Since the need for systemic implementation of GRC is felt, GRC solution providers from across the world have jumped into the area to leverage the opportunity. Additionally, all the big consulting firms have started their specialized GRC practices and are also offering computer solutions to their clients. For the past couple of years, some Indian startup companies have also launched their own specialized software to provide solutions/tools for GRC framework implementation.

Given the plethora of laws/regulations/circulars in India, there is an imperative need for a one-stop GRC solution by type of organization/industry, and a huge amount of work is required to be carried out in this space over the next couple of years. This ushers in a big opportunity for solution providers as well as for GRC professionals in the areas of advising on and developing the GRC framework for various types of organizations/industries and providing regulatory/supervisory/monitoring tools for the same.
