EY Global Governance, Risk and Compliance Survey. How India stacks up against global trends February 2016



Contents

Foreword: about the GRC survey
Assessing organizations' risk profile
Reporting on Governance and Risk Management
Governance, Risk Management and Compliance Programs
Internal Audit Function
Future Evolution in GRC program
Survey methodology and demographics

Foreword: about the GRC survey

In 2015, EY had concluded the Governance, Risk Management and Compliance (GRC) survey. We focused on a range of topics (e.g., risk strategy, coordination of functions, internal audit, technology) to gain a better understanding of how well organizations are managing risk today. The results were published and analyzed at a global level across sectors and regions. While organizations demonstrated they are making progress, they indicated that further opportunities do exist to improve the way they identify, manage and respond to risk.

This survey was conducted across a very large set of more than 1,000 companies spread over 63 countries and multiple sectors. This included a significant number of Indian companies as well. This provided us with a unique opportunity to compare and contrast the Indian and global responses to understand key similarities and differences. We have presented herein the findings of this analysis.

Our analysis showed several points of convergence and also some divergences in the practices and perceptions in India and globally. Some of the important trends emerging out of this analysis are:

- Organizations in India are more focused on compliance with regulatory and legal requirements as compared to their global counterparts.
- Indian organizations are lagging behind in using technology enabled solutions in GRC and IA function as compared with global trend. However, we are catching up gradually, by increasing the efforts and spend toward technological enablement for these functions.
- There is room to improve internal audit coverage of information security programs in Indian companies.
- Across the world and in India, there is agreement that coordination among various GRC activities in the organization has significant room for improvement.

The detailed results are presented in the following pages. We trust you will find these insightful.

Warm regards

Nitin Bhatt, Risk Leader, EY
Manesh Patel, Internal Audit Leader, EY

Assessing organizations' risk profile

How do organizations assess their risk profile? In this section we analyze the trends indicated by the survey results on how organizations assess their exposure to risk and the impact on the business and strategic plans.

A.1 Overall, the frequency of risk identification, assessment and reporting is similar in India and globally:

Chart: Frequency of evaluation of risk profile by the Board or Executive Management
Legend: Annually; Quarterly; Real time; Other; Not at all
Values: 3% 0% 10% 17% Executive Management 25% 26% 58% 47% 72% 62% 6% 4% 10% 11% Board 7% 13% 36% 34% 77% 68%
Multiple option answers allowed, hence total can be greater than 100%.

Chart: Impact of risk profile assessment on company's strategic and business plan
Legend: Extensively (risks are identified, assessed and plans to address the risks developed for all key initiatives); Somewhat (risks are identified and discussed); Slightly (significant risks to the organization are discussed at a senior level); Not aware
Values: 3% India 2% 13% 44% 13% 47% 40% 38%

A.2 In India, the risk profile of the organization has an increased influence on capital allocation decisions (e.g., funding, expenditures, people/resources, technology, etc.) as compared to global trends:

Chart: Extent of influence of risk profile on capital allocations
Legend: Does not influence; Slightly influences; Significantly influences
Values: 41% 49% 51% 40% 10% 9%

Possible causes of increased influence in India:
- High cost of capital
- More difficult to exit unprofitable business in India

A.3 Top current opportunities available and challenges faced by organizations

The list of top-5 opportunities and challenges identified by the respondents indicates some interesting similarities and divergences between India and the rest of the globe.

| Rank | Opportunities (Global) | Opportunities (India) | Challenges (Global) | Challenges (India) |
|---|---|---|---|---|
| 1 | Strategic transactions | Strategic transactions | Economic stability | Reputation |
| 2 | Emerging markets | Emerging markets | Regulatory compliance | Competitor innovation |
| 3 | Technology shifts | Reputation | Cybersecurity | Economic stability |
| 4 | Reputation | Technology shifts | Reputation | Cybersecurity |
| 5 | Customer preferences | Competitor innovation | Strategic transactions | Strategic transactions |

The list of opportunities is very similar in both cases. Interestingly, even though India is generally perceived to be an emerging market itself, Indian companies are actively focusing on expansion in other emerging markets.

Economic stability and cybersecurity are perceived to be bigger challenges at global level as compared to India.

Competitor innovation can either expand the existing market size (increased product usage or application) or wipe out existing markets (disruptive technologies). In India, competitor innovation is perceived to be both a risk and an opportunity.

Regulatory compliance is clearly seen as a bigger challenge globally than in India.

A.4 Functions responsible for identification, assessment, management and reporting on risks within the organizations:

Chart: Functions responsible for risk management activities

Internal Audit: 91% 96%
Compliance: 68% 68%
Internal controls: 53% 51%
Information technology: 32% 53%
Information Security: 40% 53%
ERM: 55% 65%
Tax: 28% 26%
Legal: 47% 57%
Business units: 53% 59%
SOX: 19% 26%
Others: 9% 13%

Multiple option answers allowed, hence total can be greater than 100%.

In India, there is clearly a need to increase the focus of the information technology and information security functions on risk management activities.

Governance, Risk Management and Compliance Programs

How do GRC programs function in organizations? In this section we analyze the trends indicated by the survey results on how GRC programs operate in organizations and the skills required/expected for handling the GRC and IA function. Furthermore, we analyze the extent of use of technology solutions in performing these functions globally and in India.

B.1 Globally and in India, GRC programs address risks in the following order:

| Rank | Global | India |
|---|---|---|
| 1 | Regulatory and compliance | Regulatory and compliance |
| 2 | Financial | Financial |
| 3 | Operational | Operational |
| 4 | Fraud | Fraud |
| 5 | Reputational | Legal |

The focus on risks addressed by GRC programs in India and the rest of world is very similar. However, in India, the focus on legal compliance appears to be greater than in the rest of the world. This may be, to some extent, due to recent Company Law amendments, which have put the onus on companies to be compliant with all laws.

B.2 As regards the skills or knowledge considered most important to enhance the risk, control and compliance functions:

Knowledge of risk management, business strategy and audit are given equal weightage in India and rest of the world. Globally, critical/analytical thinking skill is given higher weightage over other skills. Furthermore, in India the need for data analytics skills is being emphasized. Compliance and regulatory knowledge is given more importance in India than globally.

Requirements to enhance GRC functions:

| Rank | Global | India |
|---|---|---|
| 1 | Risk management | Risk management |
| 2 | Critical/analytical thinking | Compliance/regulatory |
| 3 | Business strategy | Business strategy |
| 4 | Compliance/regulatory | Audit |
| 5 | Audit | Data analytics |

B.3 The top-5 opportunities to enhance the GRC program, as perceived by survey respondents, are:

| Rank | Global | India |
|---|---|---|
| 1 | Better alignment of risk management approach to business strategy and objectives | Better alignment of risk management approach to business strategy and objectives |
| 2 | Clarify risk ownership, processes and structure | Improve the enterprise risk assessment process to provide a comprehensive view of risk |
| 3 | Improve the enterprise risk assessment process to provide a comprehensive view of risk | Improve the over-arching compliance framework |
| 4 | Enhance ability to monitor for emerging risks | Leverage technology more effectively across risk functions |
| 5 | Improve the efficiency and effectiveness of the control environment | Clarify risk ownership, processes and structure |

Organizations in India and globally understand that risk management activities and business objectives have to function hand-in-hand for staying ahead in the race. In India, there is a clear emphasis on the need for increased focus on compliance as well as on leveraging technology to enhance GRC activities.

B.4 Mapping of compliance and audit activities to identified risks, to ensure adequate risk coverage:

Globally and in India, organizations primarily rely on the internal audit function to identify and assess risks. Furthermore, globally, the ERM function also has a relatively more important role to play in ensuring risk coverage.

Chart: Functions responsible for facilitating coverage of compliance activity and audits
Legend: Internal Audit; Compliance; ERM; Other; No assurance map in place
Values: 76% 85% 47% 37% 40% 38% 7% 10% 6% 6%
Multiple option answers allowed, hence total can be greater than 100%.

B.5 Do GRC functions prepare an integrated report addressing the organization's risk and management actions for the Board and Executive management?

Chart: Frequency of presenting an integrated report on identified risks and management actions
Legend: Annually; Quarterly; Monthly; An integrated report is not prepared
Values: 35% 30% 29% 51% 4% 32% 19% 0%

Indian companies are clearly lagging behind their global counterparts in the area of integrated risk reporting.

B.6 To what extent is technology utilized to enable or support the risk management activities?

Whereas, globally, multiple solutions are deployed for supporting/enabling GRC activities, Indian companies seem to be behind the curve. As evident from B.3 above, this is clearly seen as an improvement opportunity by Indian companies.

Chart: Extent of technology solutions used to support/enable risk management activities
Legend: Yes, single solutions; Yes, multiple solutions; Yes, we utilize technology; No; Don't know
Values: 9% 5% 17% 14% 46% 24% 17% 53% 11% 4%

B.7 Estimated cost for the functions performing GRC activities:

45% of the Indian organizations surveyed are not aware of the total spend on GRC activities/function, as compared with 26% globally. Globally, spend on GRC activities also tends to be higher than in Indian companies.

Chart: Spend on GRC in Indian companies compared to global scenario
Series: Global; India
Legend: <$3 mn; $3 mn - $4.9 mn; $5 mn - $9.9 mn; $10 mn - $19.9 mn; $20 mn - $29.9 mn; >$30 mn; Don't know
Values: 47% 45% 38% 26% 10% 11% 6% 5% 5% 2% 2% 2% 2% 0%

B.8 Are performance indicators or metrics defined and monitored through GRC technology?

In a relatively large proportion of Indian companies, the key performance indicators (KPI)/key risk indicators (KRI) are not defined. Furthermore, in a significant proportion of companies (36% in India and 47% globally), KPI and/or KRI are defined, but not monitored. This is clearly an improvement area for all.

Chart: Number of global and Indian organizations where KPI/KRI are defined and monitored
Legend: KPIs; KRIs; KPIs and KRIs monitored; KPIs are defined, but not monitored; KRIs are defined, but not monitored; KPIs and KRIs are defined, but not monitored; Indicators not defined
Values: 38% 31% 19% 15% 17% 17% 15% 15% 20% 13% 19% 19% 8% 4%
Multiple option answers allowed, hence total can be greater than 100%.

Reporting of Governance and Risk Management Activities

How do organizations report and manage risks? In this section we analyze the trends indicated by the survey results on how GRC and IA function report risks and at what level are they managed in the organizations. Furthermore, we evaluate the practice of defining dashboards/metrics/performance indicators to measure risk exposure and frequency of reporting at different levels in the organizations.

C.1 Globally risk management is addressed by either the full Board or in a committee of the Board, whereas in India Audit Committees play an enhanced role.

Chart: Reporting structure for GRC activities
Legend: Full Board; Audit Committee of the Board; Risk Committee of the Board; Not addressed
Values: 4% 0% 4% 8% 26% 32% 19% 36% 33% 38%

C.2 In India and globally, most organizations have management risk committees; however, in India a CRO is not appointed in most organizations surveyed.

| Particulars | Global | India |
|---|---|---|
| Management Risk Committee exists | 70% | 72% |
| Chief Risk Officer (CRO) is Not Appointed | 44% | 60% |

It is expected that most organizations in India will soon comply with the requirements of the Companies Act and appoint Risk Management Committees.

C.3 Visibility of risk exposure, through dashboards, metrics and performance indicators, is more prevalent currently at CEO/CFO levels

Chart: Levels at which there is visibility on risk exposure of the organization
Legend: Full Board; Audit Committee; Risk Committee; CEO; COO; CFO; CRO; CAE; No dashboards
Values: 42% 36% 48% 43% 51% 45% 46% 45% 27% 26% 24% 21% 23% 28% 21% 30% 11% 15%
Multiple option answers allowed, hence total can be greater than 100%.

In 21% of global organizations and 30% of Indian organizations, dashboards, metrics and performance indicators are not defined to identify/measure the risk exposure.

C.4 Where these dashboards/metrics do exist, they are mostly reviewed on a quarterly and monthly basis:

Chart: Frequency of reviewing the dashboards, metrics and performance indicators
Values: Monthly 29%, Other 8%, Annually 21%, Monthly 25%, Other 5%, Annually 18%, Quarterly 42%, Quarterly 52%

Internal Audit function and activities

How does Internal Audit function in organizations? In this section we analyze the trends indicated by survey results on the organizations' existing Internal Audit (IA) function, covering reporting structure, skills/knowledge expected and usage of data analytics and technology for enabling or supporting the IA activities.

D.1 Globally and in India the internal audit reporting structure tends to be broadly similar as seen below:

Administratively
I. CEO: 36% 40%
II. CFO: 32% 32%

Functionally
I. Audit Committee of the Board: 65% 79%
II. Full Board: 11% 9%

Multiple option answers allowed, hence total can be greater than 100%.

D.2 The survey results indicate that the top 6 skills required to enhance the IA functions, globally and in India, are as below:

Critical/analytical thinking; Data analytics; Audit; Risk management; Deep industry experience; Data analytics; Compliance/regulatory; Risk management; Audit; Critical/analytical thinking; Process improvement; Fraud prevention/detection

Globally there is more emphasis on critical and analytical thinking skills whereas in India, compliance/regulatory knowledge is more important. Furthermore, globally there seems to be more emphasis on industry experience and process improvement skills than in India.

D.3 Globally and in India the top opportunities to enhance the IA function are perceived to be as follows:

| Rank | Global | India |
|---|---|---|
| 1 | Improve reporting: includes presenting issues in perspective to the risk and identify trends | Improve reporting: includes presenting issues in perspective to the risk and identify trends |
| 2 | Enhance ability to identify and assess emerging risk | Enhance objectivity/independence |
| 3 | Improve ability to advise the business on major change programs | Improve ability to advise the business on major change programs |
| 4 | Enhance objectivity/independence | Improve ability to benchmark business processes and control practices against other organizations |
| 5 | Better leverage the work of other risk/control/compliance function | Increase use of data analytics |

In India and globally, skills on reporting risks and the ability to advise the business on real time basis are most sought after. In India, ability to benchmark processes and control practices against other organizations and data analytics is getting increased attention.

D.4 Following chart represents the GRC functions reviewed by internal audit:

Legend: ERM; Compliance; Internal controls; Information security; Data; SOX program; IA does not audit GRC functions; Other; Don't know
Values: 70% 64% 79% 73% 69% 60% 47% 34% 25% 1% 2% 13% 13% 8% 13% 6% 3% 0%
Multiple option answers allowed, hence total can be greater than 100%.

In India, there is clearly scope to improve review of information security programs by IA. In 13% of Indian organizations and 8% of global organizations, IA does not audit GRC functions.

D.5 Estimated cost for functions performing internal audit activities:

It is interesting to note that the spending profile of Indian companies is quite similar to their global counterparts. Furthermore, in a significant proportion of companies (13% globally, 21% India) spend on the IA function does not seem to be tracked/measured. This is clearly a big improvement opportunity.

Chart: Spend on IA in Indian and global companies
Legend: <$3 mn; $3 mn - $4.9 mn; $5 mn - $9.9 mn; $10 mn - $19.9 mn; $20 mn - $29.9 mn; >$30 mn; Don't know
Values: 64% 60% 13% 11% 11% 21% 6% 6% 1% 3% 2% 0% 0% 2%

D.6 Trend in use of data analytics in IA life cycle at each stage is demonstrated:

Legend: Risk assessment; Planning; Execution and testing; Reporting; IA effectiveness/performance; Don't know; Not at all
Values: 79% 72% 37% 34% 46% 38% 36% 26% 32% 20% 7% 6% 10% 2%
Multiple option answers allowed, hence total can be greater than 100%.

Globally and in India, data analytics is extensively used at execution and testing stage. However, globally, data analytics is relatively more emphasized at initial stages in the IA, i.e., risk assessment and planning. In India, data analytics is more extensively used for reporting and measuring the IA effectiveness/performance.

D.7 Trend in use of technology in IA life cycle at each stage is demonstrated below:

Legend: Risk assessment; Engagement and project setup; Audit program execution; Work paper and documentation repository; Audit reporting; Issue follow-up; Not aware; No technology utilized
Values: 72% 63% 43% 56% 53% 49% 50% 49% 42% 34% 34% 19% 6% 6% 12% 11%
Multiple option answers allowed, hence total can be greater than 100%.

Globally there is an increased inclination toward technology solutions in initial stages such as risk assessment and engagement and project setup. However, in India, technology is mostly used for audit execution, work paper documentation, reporting and issue follow up. Increasing the focus of technology in initial stages may help in ensuring adequate coverage and identification of emerging risks and also help to save cost and efforts.

Future Evolution in GRC and IA

Where do organizations perceive themselves after three years?

E.1 Risk management's level of involvement and impact on company's strategic decision making (e.g., divesture, acquisitions, investment, capital allocations, etc.).

The involvement of risk management in strategic decision making is currently low in India. Globally and in India, over three years, there is an increasing trend in the involvement of risk management in the strategic decision-making process.

Chart: Trend in involvement of risk management in strategic decision making (Today; After 3 years)
Legend: Very closely involved; Informed, but not involved; Provide inputs, but not directly involved; Not involved at all
Values (with axis ticks): 100% 90% 8% 13% 4% 4% 8% 15% 80% 70% 60% 24% 28% 34% 34% 50% 40% 42% 34% 30% 20% 54% 47% 10% 26% 26% 0%

E.2 In India and globally, it is believed that internal audit does not adequately leverage the work of other risk/compliance activities; however, after three years in India it is believed that IA will be able to leverage these much more efficiently.

Chart: Degree of leverage exercised by IA function in using work done by other functions (Today; After 3 years)
Legend: Don't know; Not at all; Slightly but not satisfactory; Slightly & satisfactory; Satisfactorily; Significantly
Values: 9% 4% 4% 13% 40% 33% 2% 4% 6% 6% 32% 49% 3% 6% 8% 17% 20% 23% 36% 34% 34% 12% 6%

E.3 How well are GRC activities (e.g., business, risk management, compliance, internal controls, Internal Audit) coordinated within the organizations, today

Chart: Coordination of GRC activities (Currently; After 3 years)
Legend: Well-coordinated; Somewhat coordinated; Minimal coordination; No coordination at all; Don't know
Values: 2% 2% 13% 0% 2% 2% 19% 21% 5% 1% 21% 26% 4% 1% 3% 25% 67% 52% 64% 70%

Most organizations believe that there is scope for improvement and plan to be much better coordinated in a few years.

Survey methodology and demographics

Our global governance, risk and compliance survey 2015 was conducted between February and March 2015: it asked how well organizations are managing risk and what they need to do to better manage the risks that drive performance. Almost 1,200 C-suite members, board audit committees and various assurance and/or compliance executives participated, representing major industries in 63 countries around the globe. The majority of the survey responses were collected during face-to-face meetings. When this was not possible, the questionnaire was completed online. We thank all participants for their invaluable insights.

Profile of participants: 1,196 respondents; 63 countries worldwide; 25 industry sectors

Respondents by industry sector

| Industry sector | India | Globally |
|---|---|---|
| Aerospace and Defense | | 14 |
| Airlines | | 11 |
| Asset Management and PE | | 27 |
| Automotive and Transportation | 8 | 77 |
| Banking and Capital Markets | 3 | 129 |
| Chemicals | 1 | 23 |
| Cleantech | | 5 |
| Consumer Products | 6 | 96 |
| Diversified Industrial Products | 2 | 61 |
| Government and Public Sector | | 71 |
| Healthcare | 1 | 27 |
| Insurance | | 35 |
| Media and Entertainment | 1 | 32 |
| Mining and Metals | 1 | 40 |
| Oil and Gas | 2 | 49 |
| Other | 12 | 147 |
| Power and Utilities | 1 | 81 |
| Professional Firms and Services | 1 | 23 |
| Retail and Wholesale | 2 | 53 |
| Technology | 5 | 56 |
| Telecommunications | 1 | 41 |
| Real Estate | | 47 |
| Life Sciences and Provider Care | | 51 |
| Total | 47 | 1196 |

Respondents by number of employees

| Number of employees | India | Globally |
|---|---|---|
| Less than 1,000 | 20 | 320 |
| 1,000 to 5,000 | 2 | 293 |
| 5,000 to 15,000 | 13 | 235 |
| 15,000 to 50,000 | 6 | 188 |
| 50,000 plus | 6 | 160 |
| Total | 47 | 1,196 |

Respondents by total annual company revenue

| Total annual company revenue | India | Globally |
|---|---|---|
| Less than US$10 million | 1 | 198 |
| US$10 million to US$100 million | 6 | 95 |
| US$100 million to US$1 billion | 23 | 248 |
| US$1 billion to US$10 billion | 15 | 393 |
| US$10 billion to US$50 billion | 1 | 174 |
| > US$50 billion | 1 | 55 |
| Government, non-profit | | 21 |
| Not applicable | | 12 |
| Total | 47 | 1196 |


Ernst & Young LLP

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit www.ey.com/in.

Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata 700016.

© 2016 Ernst & Young LLP. Published in India. All Rights Reserved.

SCORE NO. ED 0616

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.