Bharat Panchal, Head – Risk Management, National Payments Corporation of India
India has seen a massive spurt in technology adoption and a data explosion in recent years. Today, technology has reached a level where it is almost impossible to live without it. The revolution in banking and telecommunication, improved infrastructure and increasing disposable income among middle-class citizens are major contributors to technology-based growth. Today, India has more than a billion mobile handsets, and there is a technology (USSD *99#) with which anyone can do a banking transaction on a basic feature phone! As rightly mentioned by Shri Nandan Nilekani, India's banking industry is at present going through a 'WhatsApp' moment. UPI (Unified Payment Interface) would be a game changer, making interoperability among banks, merchants and PSPs (Payment Service Providers) available online, a first-of-its-kind utility in the world. Dr. Raghuram Rajan, Governor, Reserve Bank of India, mentioned in his address while launching UPI in April 2016 that India has the most sophisticated payment system in the world. Thanks to Digital India.
Under Pradhan Mantri Jan Dhan Yojna (PMJDY), around 240 million new accounts have been opened so far. Direct benefit transfer is now a great success story. The country is waiting for next-gen high-speed data connectivity. Digital India sounded over-optimistic 2 years ago, but it is now becoming a reality. In totality, the digital revolution has played a significant role in an increasing proportion of the consumer's decision-making process, beginning with awareness, followed by research, comparison and choice, and ending with the eventual purchase. Enabling regulations, evolving technology, changing consumer behavior, the rise of the Internet and mobile devices, and innovative business models have become major factors driving the digital growth of India.
The rise of technology and its faster dissemination have changed the life of the common man in various ways. India is seeing the effect of the global village. Earlier, however, the economy and these risks occupied different spaces. As the global economy has expanded and converged with cyberspace, it has multiplied risks that were previously isolated from the economy.
The Risk & Compliance Challenges
In the changed business scenario, the challenges of managing risk and compliance have increased considerably. The scope of compliance is much broader, and it affects the business far more than in earlier eras. Risk and compliance requirements have become more dynamic in nature, and risk sometimes has to be managed in real time. Due to ever-evolving technology and completely new business models, operational and compliance risks have become more complex. Using technology has become imperative for any business, yet the implications of inadequate internal controls tend to be ignored at the initial stage, perhaps because of inadequate risk identification or a lack of resources. Similarly, business boundaries are no longer limited to the organization itself. Vendors, suppliers, technology partners and outsourcing agencies are vital in today's business. However, the risk they bring through weaker controls in their own environments has a direct impact on customer experience.
Business acumen is one of the major skills necessary for managing risk and compliance in today's dynamic world. However, a lack of operational and business expertise makes it difficult for the risk team to provide constructive input. To some extent, a lesser focus on embedding a risk and ethics culture within the organization also increases the complexity of managing risk. All these challenges eventually add up to an inability to grapple with the continued complexity of complying with regulators' expectations, and finally risk and compliance failures continue to increase reputational risk and threaten to have a significant impact on the business.
Managing Governance, Risk & Compliance
The foundation of any GRC program is a strong governance framework for risk and compliance. This is established through well-defined and unambiguous roles among teams, well-documented operating processes and a clear reporting structure. GRC must be seen as one of the core principles or initiatives that help the organization manage risk and compliance effectively, in line with business strategy. Risk tolerance, risk culture, the prioritization of risks, the degree of compliance and so on must be set as clear objectives for risk management.
While the compliance function has always focused on adherence to laws, regulations, global standards and relevant industry best practices, the overlap of various regulations is one of the key challenges for many organizations, creating silos and duplication of work overall. These silos need to be eliminated or addressed by implementing an integrated risk management approach across the organization. An integrated approach must be used to eliminate non-value-adding activities and outputs across compliance activities. Integrating the operational and compliance risk functions to improve risk coverage would yield improved controls management and increased efficiency from the risk and compliance point of view.
The digital world has evolved with completely new types and levels of risk, which need to be addressed with an integrated GRC approach within the organization. The use of new technologies and data analytics techniques to provide an improved understanding of business practices would complement the risk framework. The integrated approach must be extended to standardize compliance testing processes across the organization, including forensic techniques. It must include replacing the multiple audits performed by each business unit and function inside the organization with proactive risk assessment. It must promote a detailed assessment of risk that is integrated across functions such as business, marketing, finance, IT, operations and legal. It should also include leveraging data from each functional area and combining that information to enable executives to make fact-based decisions about risk and about whether or not they are in compliance with regulatory requirements.
The success of any GRC program is highly dependent on the organization's ability to align its functions and activities to a common, integrated approach for managing governance, risk and compliance. Strength, agility and resilience are the three pillars of any GRC program. Building an integrated GRC culture requires unified policies; sharing of information; designing and implementing standardized procedures; and, most importantly, advanced GRC tools that can continuously monitor the health of GRC across the organization. GRC is no longer individual- or department-centric. It has become a unified approach rather than just a set of processes.