Example: quiz answers

EY Global Governance, Risk and Compliance Survey

ow da stas u aast oba treds 3 Foreword: about the GRC survey In 2015, EY had concluded the Global Governance, Risk Management and Compliance (GRC) survey.




Link to this page:

Please notify us if you found a problem with this document:

Other abuse

Text of EY Global Governance, Risk and Compliance Survey

EY Global Governance, Risk and Compliance SurveyHow India stacks up against global trends February 2016EY Global Governance, Risk and Compliance Survey2ContentsForeword: about the GRC survey ........................................ ....01Assessing organizations risk profile .......................................0 5Reporting on Governance and Risk Management .....................11Governance, Risk Management and Compliance Programs ......18Internal Audit Function ........................................ ..................25Future Evolution in GRC program ........................................ ...26Survey methodology and demographics .................................28How India stacks up against global trends3Foreword: about the GRC surveyIn 2015, EY had concluded the Global Governance, Risk Management and Compliance (GRC) survey. We focused on a range of topics ( , risk strategy, coordination of functions, internal audit, technology) to gain a better understanding of how well organizations are managing risk today. The results were published and analyzed at a global level across sectors and regions. While organizations demonstrated they are making progress, they indicated that further opportunities do exist to improve the way they identify, manage and respond to survey was conducted across a very large set of more than 1,000 companies spread over 63 countries and multiple sectors. This included a significant number of Indian companies as well. This provided us with a unique opportunity to compare and contrast the Indian and global responses to understand key similarities and differences. We have presented herein the findings of this analysis showed several points of convergence and also some divergences in the practices and perceptions in India and globally. Some of the important trends emerging out of this analysis are: Organizations in India are more focused on compliance with regulatory and legal requirements as compared to their global counterparts. Indian organizations are lagging behind in using technology enabled solutions in GRC and IA function as compared with global trend. However, we are catching up gradually, by increasing the efforts and spend toward technological enablement for these functions. There is room to improve internal audit coverage of information security programs in Indian companies. Across the world and in India, there is agreement that coordination among various GRC activities in the organization has significant room for detailed results are presented in the following pages. We trust you will find these regardsNitin Bhatt Risk Leader EY IndiaManesh Patel Internal Audit Leader EY IndiaEY Global Governance, Risk and Compliance Survey4Assessing organizations risk profile How do organizations assess their risk profile?In this section we analyze the trends indicated by the survey results on how organizations assess their exposure to risk and the impact on the business and strategic plans. A. 1 Overall, the frequency of risk identification, assessment and reporting is similar in India and globally:Frequency of evaluation of risk profile by the Board or Executive ManagementMultiple option answers allowed hence total can be greater than 100%Impact of risk profile assessment on company s strategic and business plan77%72%36%58%7%25%10%10%6%3%0%50%100% BoardExecutiveManagementGlobalIndia68%62 %34%47%13%26%11%17%4%0%0%50%100%Annually QuarterlyReal timeOtherNot at allGlobalindiaExtensively risks are identified, assessed and plans to address the risks developed for all key initiativesSomewhat risks are identified and discussedSlightly significant risks to the organization are discussed at a senior levelNot aware44%40%13%3%47%38%13%2%How India stacks up against global trends5A. 2 In India, the risk profile of the organization has an increased influence on capital allocation decisions ( , funding, expenditures, people/resources, technology, etc.) as compared to global trends:Extent of influence of risk profile on capital allocationsA. 3 Top current opportunities available and challenges faced by organizations The list of top-5 opportunities and challenges identified by the respondents indicates some interesting similarities and divergences between India and the rest of the transactionsStrategic transactionsEconomic stabilityReputation2Emerging marketsEmerging marketsRegulatory complianceCompetitor innovation3Technology shiftsReputationCybersecurityEconomic stability4ReputationTechnology shiftsReputationCybersecurity5Customer preferencesCompetitor innovationStrategic transactionsStrategic transactions The list of opportunities is very similar in both cases. Interestingly, even though India is generally perceived to be an emerging market itself, Indian companies are actively focusing on expansion in other emerging markets. Economic stability and cybersecurity are perceived to be bigger challenges at global level as compared to India. Competitor innovation can either expand the existing market size (increased product usage or application) or wipe out existing markets (disruptive technologies). In India, competitor innovation is perceived to be both a risk and an opportunity. Regulatory compliance is clearly seen as a bigger challenge globally than in obalIndiaDoes not influencePossible causes of increased influence in India High cost of capital More difficult to exit unprofitable business in IndiaSli ghtly influencesSig nificantly influencesEY Global Governance, Risk and Compliance Survey6A. 4 Functions responsible for identification, assessment, management and reporting on risks within the organizations:Functions responsible for risk management activitiesMultiple option answers allowed hence total can be greater than 100% In India, there is clearly a need to increase the focus of the information technology and information security functions on risk management AuditComplianceInternal controlsInformation technologyInformation SecurityERMTaxLegalBusiness unitsSOXOthersGlobalIndiaHow India stacks up against global trends7In this section we analyze the trends indicated by the survey results on how GRC programs operate in organizations and the skills required/expected for handling the GRC and IA function. Furthermore, we analyze the extent of use of technology solutions in performing these functions globally and in 1 Globally and in India, GRC programs address risks in the following order:RankGlobalIndia1Regulatory and compliance2Financial3Operational4Fraud5R eputationalLegal The focus on risks addressed by GRC programs in India and the rest of world is very similar. However, in India, the focus on legal compliance appears to be greater than in the rest of the world. This may be, to some extent, due to recent Company Law amendments, which have put the onus on companies to be compliant with all 2 As regards the skills or knowledge considered most important to enhance the risk, control and compliance functions: Knowledge of risk management, business strategy and audit are given equal weightage in India and rest of the world. Globally, critical/analytical thinking skill is given higher weightage over other skills. Furthermore, in India the need for data analytics skills is being emphasized. Compliance and regulatory knowledge is given more importance in India than to enhance GRC functions:RankGlobalIndia1Risk managementRisk management2Critical/analytical thinkingCompliance/regulatory3Business strategyBusiness strategy4Compliance/regulatoryAudit5Audi tData analyticsB. 3 The top-5 opportunities to enhance the GRC program, as perceived by survey respondents, are:RankGlobalIndia1Better alignment of risk management approach to business strategy and objectives2Clarify risk ownership, processes and structureImprove the enterprise risk assessment process to provide a comprehensive view of risk3Improve the enterprise risk assessment process to provide a comprehensive view of riskImprove the over-arching compliance framework4Enhance ability to monitor for emerging risksLeverage technology more effectively across risk functions5Improve the efficiency and effectiveness of the control environmentClarify risk ownership, processes and structureGovernance, Risk Management and Compliance ProgramsHow do GRC programs function in organizations?EY Global Governance, Risk and Compliance Survey8 Organizations in India and globally understand that risk management activities and business objectives have to function hand-in-hand for staying ahead in the race. In India, there is a clear emphasis on the need for increased focus on compliance as well as on leveraging technology to enhance GRC 4 Mapping of compliance and audit activities to identified risks, to ensure adequate risk coverage: Globally and in India, organizations primarily rely on the internal audit function to identify and assess risks. Furthermore, globally, the ERM function also has a relatively more important role to play in ensuring risk responsible for facilitating coverage of compliance activity and auditsoption answers allowed hence total can be greater than 100%B. 5 Do GRC functions prepare an integrated report addressing the organization s risk and management actions for the Board and Executive management?Frequency of presenting an integrated report on identified risks and management actionsGlobalIndia76%37%47%7%10%85%40%38 %6%6%Internal AuditComplianceERMOtherNo assurance mapin place29%32%4%35%30%19%0%51%AnnuallyQuart erlyMonthlyAn integrated report is not preparedGlobalIndia Indian companies are clearly lagging behind their global counterparts in the area of integrated risk India stacks up against global trends9B. 6 To what extent is technology utilized to enable or support the risk management activities? Whereas, globally, multiple solutions are deployed for supporting/enabling GRC activities, Indian companies seem to be behind the curve. As evident from above, this is clearly seen as an improvement opportunity by Indian of technology solutions used to support/enable risk management activities14%24%11%46%5%17%17%4%53%9%Yes , single solutionsYes, multiple solutionsYes, we utilize technologyNoDon't knowGlobalIndiaB. 7 Estimated cost for the functions performing GRC activities: 45% of the Indian organization surveyed are not aware of the total spend on GRC activities/function, as compared with 26% globally. Globally, spend on GRC activities also tends to be to be higher than Indian on GRC in Indian companies compared to global scenario47%38%10%11%6%2%5%2%2%0%5%2%26%4 5%G L O B A LI N D I A<$3 mn$3 mn - $ mn$5 mn - $ mn$10 mn - $ mn$20 mn - $ mn>$30 mnDon't knowEY Global Governance, Risk and Compliance Survey10B. 8 Are performance indicators or metrics defined and monitored through GRC technology? In a relatively large proportion of Indian companies, the key performance indicators (KPI)/key risk indicators (KRI) are not defined. Furthermore, in a significant proportion of companies (36% in India and 47% globally), KPI and/or KRI are defined, but not monitored. This is clearly an improvement area for of global and Indian organizations where KPI/ KRI are defined and monitoredMultiple option answers allowed hence total can be greater than 100%19%17%15%20%8%19%31%15%17%15%13%4%19 %38%KPIsKRIsKPIs and KRIsmonitoredKPIs aredefined, butnot monitoredKRIs aredefined, butnot monitoredKPIs and KRIsare defined,but notmonitoredIndicators notdefinedGlobalIndiaHow India stacks up against global trends11In this section we analyze the trends indicated by the survey results on how GRC and IA function report risks and at what level are they managed in the organizations. Furthermore, we evaluate the practice of defining dashboards/metrics/performance indicators to measure risk exposure and frequency of reporting at different levels in the Globally risk management is addressed by either the full Board or in a committee of the Board, whereas in India Audit Committees play an enhanced structure for GRC In India and globally, most organizations have management risk committees; however, in India a CRO is not appointed in most organizations Risk Committee exists70%72%Chief Risk Officer (CRO) is Not Appointed44%60% It is expected that most organizations in India will soon comply with the requirements of the Companies Act and appoint Risk Management BoardAudit Committee of the BoardRisk Committee of the BoardNot addressedGlobalIndiaReporting of Governance and Risk Management ActivitiesHow do organizations report and manage risks?EY Global Governance, Risk and Compliance Visibility of risk exposure, through dashboards, metrics and performance indicators is more prevalent currently at CEO/ CFO at which there is visibility on risk exposure of the organizationMultiple option answers allowed hence total can be greater than 100% In 21% of global organizations and 30% of Indian organization, dashboards, metrics and performance indicators are not defined to identify/ measure the risk ... where these dashboard/ metrics do exist, they are mostly reviewed on a quarterly and monthly basis:Frequency of reviewing the dashboards, metrics and performance indicators42%48%27%51%24%46%23%28%21%36% 43%26%45%21%45%11%15%30%Full BoardAuditCommitteeRiskCommitteeCEOCOOCF OCROCAENodashboardsGlobalIndiaOtherAnnua lly21%Quarterly42%Monthly29%8%GlobalAnnu ally18%Quarterly52%Monthly25%Other5%Indi aHow India stacks up against global trends13In this section we analyze the trends indicated by survey results on the organizations existing Internal Audit (IA) function covering expected skills reporting structure, skills/knowledge expected and usage of data analytics and technology for enabling or supporting the IA activities. Globally and in India the internal audit reporting structure tends to be broadly similar as seen CFO32%32%FunctionallyI. Audit Committee of the Board65%79%II. Full Board11%9%Multiple option answers allowed hence total can be greater than 100% The survey results indicate that the top 6 skills required to enhance the IA functions, globally and in India are as below:GlobalIndiaCritical/ analytical thinkingData analyticsData analyticsCompliance/ regulatoryAuditRisk managementRisk managementAuditDeep industry experienceCritical/ analytical thinkingProcess improvementFraud prevention/ detection Globally there is more emphasis on critical and analytical thinking skills whereas in India, compliance/ regulatory knowledge are more important. Furthermore, globally there seems to be a more emphasis on industry experience and process improvement skills than in Globally and in India the top opportunities to enhance the IA function are perceived to be as follows:RankGlobalIndia1Improve reporting: includes presenting issues in perspective to the risk and identify trends2Enhance ability to identify and assess emerging riskEnhance objectivity/ independence3Improve ability to advise the business on major change programs4Enhance objectivity/independenceImprove ability to benchmark business processes and control practices against other organizations5Better leverage the work of other risk/control/compliance functionIncrease use of data analytics In India and globally, skills on reporting risks and the ability to advise the business on real time basis are most sought after. In India, ability to benchmark processes and control practices against other organizations and data analytics is getting increased Audit function and activitiesHow does Internal Audit function in organizations?EY Global Governance, Risk and Compliance Survey14Multiple option answers allowed hence total can be greater than 100% In India, there is clearly scope to improve review of information security programs by IA. In 13% Indian organizations and 8% global organizations IA does not audit GRC Estimated cost for functions performing internal audit activities: It is interesting to note that the spending profile of Indian companies is quite similar to their global counterparts. Furthermore, in a significant proportion of companies (13% globally, 21% India) spend on the IA function does not seem to be tracked/measured. This is clearly a big improvement on IA in Indian and global companies47%64%73%69%1%25%8%13%3%34%70%7 9%60%2%13%13%6%0%ERMComplianceInternal controlsInformation securityDataSOX programIA does not audit GRC functionsOtherDon t knowGlobalIndia64%60%11%11%6%6%3%0%1%0%2 %2%13%21%GlobalIndia<$3 mn$3 mn - $ mn$5 mn - $ mn$10 mn - $ mn$20 mn - $ mn>$30 mnDon t Following chart represents the GRC functions reviewed by internal audit :How India stacks up against global Trend in use of data analytics in IA life cycle at each stage is demonstrated:Multiple option answers allowed hence total can be greater than 100% Globally and in India, data analytics is extensively used at execution and testing stage. However, globally, data analytics is relatively more emphasized at initial stages in the IA, , risk assessment and planning. In India, data analytics is more extensively used for reporting and measuring the IA Trend in use of technology in IA life cycle at each stage is demonstrated below:Multiple option answers allowed hence total can be greater than 100% Globally there is an increased inclination toward technology solutions in initial stages such as risk assessment and engagement and project setup. However, in India, technology is mostly used for audit execution, work paper documentation, reporting and issue follow up. Increasing the focus of technology in initial stages, may help in ensuring adequate coverage and identification of emerging risks and also help to save cost and assessmentPlanningExecution andtestingReportingIA effectiveness/performanceDon t KnowNot At AllGlobalIndia43%34%63%56%42%50%6%12%34% 19%72%53%49%49%6%11%Risk assessmentEngagement andproject setupAudit programexecutionWork paper anddocumentationrepositoryAudit reportingIssue follow-upNot awareNo technologyutilizedGlobalIndiaEY Global Governance, Risk and Compliance Risk management s level of involvement and impact on company s strategic decision making ( , divesture, acquisitions, investment, capital allocations, etc.). The involvement of risk management in strategic decision making is currently low in India. Globally and in India, over three years, there is an increasing trend in the involvement of risk management in the strategic decision-making in involvement of risk management in strategic decision making24%26%26%42%34%28%8%13%0%10%20%30% 40%50%60%70%80%90%100%GlobalTodayAfter 3 yearsIndia54%47%34%34%8%15%4%4%GlobalInd iaProvide inputs, but not directly involved Very closely involvedInformed, but not involved Not involved at allFuture Evolution in GRC and IA Where do organizations perceive themselves after three years?How India stacks up against global How well are GRC activities ( , business, risk management, compliance, internal controls, Internal Audit) coordinated within the organizations, 3 yearsGlobal67%25%4%1%3%70%26%2%0%2%Most organizations believe that there is scope for improvement and plan to be much better coordinated in a few yearsWell-coordinatedSomewhat coordinatedMinimal coordinationNo coordination at allDon t knowTodayAfter 3 years33%49%40%32%13%6%4%6%4%4%9%2%0%10%2 0%30%40%50%60%70%80%90%100%GlobalIndia12 %6%34%34%23%36%20%17%8%6%3%GlobalIndiaDo n t knowNot at allSlightly but not satisfactorySlightly & In India and globally, it is believed that internal audit does not adequately leverage the work of other risk/compliance activities; however, after three years in India it is believed that IA will be able to leverage these much more efficiently. Degree of leverage exercised by IA function in using work done by other functionsEY Global Governance, Risk and Compliance Survey18Our global governance, risk and compliance survey 2015 was conducted between February and March 2015: it asked how well organizations are managing risk and what they need to do to better manage the risks that drive performance. Almost 1,200 C-suite members, board audit committees and various assurance and/or compliance executives participated representing major industries in 63 countries around the globe. The majority of the survey responses were collected during face-to-face meetings when this was not possible, the questionnaire was completed online. We thank all participants for their invaluable by Industry sectorIndiaGloballyAerospace and Defense 14Airlines 11Asset Management and PE 27Automotive and Transportation877Banking and Capital Markets3129Chemicals123Cleantech 5Consumer Products696Diversified Industrial Products261Government and Public Sector 71Healthcare127Insurance 35Media and Entertainment132Mining and Metals140Oil and Gas249Other12147Power and Utilities181Professional Firms and Services123Retail and Wholesale253Technology556Telecommunicati ons141Real Estate 47Life Sciences and Provider Care 51Total471196Respondents by number of employeesIndiaGlobalLess than 1,000203201,000 to 5,00022935,000 to 15,0001323515,000 to 50,000618850,000 plus6160Total471,196Respondents by total annual company revenueIndiaGlobalLess than US$10 million1198US$10 million to US$100 million695US$100 million to US$1 billion23248US$1 billion to US$10 billion15393US$10 billion to US$50 billion1174> US$50 billion155Government, non-profit 21Not applicable 12Total471196Profile of participantsrespondents1,196Countries worldwide63Industry sectors25Survey methodology and demographicsHow India stacks up against global trends19Our officesAhmedabad2nd floor, Shivalik IshaanNear. VidhyalayaAmbawadiAhmedabad-380015Tel: +91 79 6608 3800Fax: +91 79 6608 3900Bengaluru12th & 13th floor U B City Canberra , Vittal Mallya RoadBengaluru-560 001Tel: +91 80 4027 5000+91 80 6727 5000Fax: +91 80 2210 6000 (12th floor)Fax: +91 80 2224 0695 (13th floor)1st Floor, Prestige , Madras Bank RoadLavelle Road JunctionBengaluru-560 001 IndiaTel: +91 80 6727 5000Fax: +91 80 2222 4112Chandigarh1st FloorSCO: 166-167Sector 9-C, Madhya MargChandigarh-160 009Tel: +91 172 671 7800Fax: +91 172 671 7888ChennaiTidel Park6th & 7th FloorA Block (Module 601,701-702) , Rajiv Gandhi SalaiTaramaniChennai-600113Tel: +91 44 6654 8100Fax: +91 44 2254 0120Delhi NCRGolf View CorporateTower BSector 42, Sector RoadGurgaon 122 002Tel: +91 124 464 4000Fax: +91 124 464 40503rd & 6th Floor, Worldmark-1IGI Airport Hospitality DistrictAerocity New Delhi-110037, IndiaTel: +91 11 6671 8000 Fax +91 11 6671 99994th & 5th Floor, Plot No 2BTower 2, Sector 126NOIDA-201 304Gautam Budh Nagar, IndiaTel: +91 120 671 7000Fax: +91 120 671 7171HyderabadOval Office18, iLabs CentreHitech City, MadhapurHyderabad - 500081Tel: +91 40 6736 2000Fax: +91 40 6736 2200Kochi9th Floor ABAD Nucleus NH-49, Maradu POKochi - 682 304Tel: +91 484 304 4000Fax: +91 484 270 5393Kolkata22, Camac Street3rd Floor, Block C Kolkata-700 016Tel: +91 33 6615 3400Fax: +91 33 6615 3750Mumbai14th Floor, The Ruby29 Senapati Bapat MargDadar (west)Mumbai-400 028, IndiaTel: +91 22 6192 0000Fax: +91 22 6192 10005th Floor Block B-2Nirlon Knowledge ParkOff. Western Express HighwayGoregaon (E)Mumbai-400 063, IndiaTel: +91 22 6192 0000Fax: +91 22 6192 3000PuneC 401, 4th floorPanchshil Tech ParkYerwada (Near Don Bosco School)Pune-411 006Tel: +91 20 6603 6000Fax: +91 20 6601 5900About EYEY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata 700016 2016 Ernst & Young LLP. Published in India. All Rights NO. ED 0616This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate refers to the global organization, and/or one or more of the independent member firms of Ernst & Young Global LimitedErnst & Young LLPEY | Assurance | Tax | Transactions | Advisory

Related search results