Q. What are the key imperatives of a sound GRC program in the current business
You would have often heard that the world is flat. Well, the world might have become flat because of the outsourcing and offshoring phenomena, but the complexities of doing business have only escalated. The complexity graph is moving up steadily, whereby businesses are exposed to new risks and threats, while at the same time governments are implementing legislation and imposing onerous compliance requirements on companies for the sake of protecting stakeholder interest and ensuring confidence and stability in the global economy. To that end, ‘sophistication’ in Governance, Risk and Compliance (GRC) programs has assumed increased importance across all industries.
External and internal threats call for a ‘robust’ risk management organization: Businesses are at constant risk today from internal and external factors.
External threats: In my view, new business models and competitive pressures are the most crucial external factors threatening organizations today. Look at the retail industry. You don’t need 50,000 square feet of store space to become a retailer today. You need a great website, warehousing facilities, an efficient logistics department and you are pretty much in business. Look at how video conferencing is impacting not just the airline business, but also the hospitality and car rental businesses. If business travel is curtailed, hotels as well as car rental companies will suffer too. These are examples of the immediate consequences of new business models on traditional businesses. Businesses do get affected by many other indirect and collateral consequences. The bottom line, however, is that new business models are posing a real threat to traditional businesses.
Driven by competitive pressures, companies are being forced to take decisions to venture into areas that are way out of their risk appetite, because they want to stand out from their competitors. However, the irony is that not taking such risky decisions may cause them to lose out to competition. When companies expand into new areas, be it a new geography or a line of business, they are met with a great deal of uncertainty and unforeseen risks. That’s where robust risk management practices come into play.
Internal threats: Any industry at its very core comprises people, processes and technology. I believe that risks revolving around process and technology are easier to manage than people-related risks. For example, in services-based industries, people are core to the business, and if companies want to de-risk themselves, there has to be a huge emphasis on people risk management. The liabilities that can arise from service failure, an error or, worse, a breach caused by a single individual can pretty much sink the organization. That’s where robust risk management practices come into play.
Increased focus on government regulations and compliance will require a ‘specialist’ taskforce: As companies focus on protecting market share by following the mantra of ‘no risk, no gain,’ governments are not sitting still. They are not allowing corporations to act recklessly, as there have been hard-hitting instances of aggressive business practices threatening to destroy confidence in capital markets. Governments are introducing legislation because, to a large extent, self-regulation has failed. For example, the Sarbanes-Oxley Act 2002 (SOX) was not implemented because Enron was the first company to fail in the history of corporate failures. Whenever there have been doubts about upholding shareholder interest or protecting economies from the aftermath of business malpractices, governments and / or regulators have been quick to introduce legislation. Most industries are dealing with a barrage of regulations, and this will only accelerate with time. Governments will keep introducing legislation where they feel that investor interests could be compromised.
What is interesting is that much of this legislation is principles-based. Organizations will need experts who can interpret those principles and design the business processes and the reporting systems around them to be able to ensure compliance. This requires specialists who are industry focused, understand the legislation and, to a certain extent, can even influence the drafting of the legislation. Naturally, every company is now burdened with compliance obligations that it didn’t have earlier. It is extremely important that companies are well geared, in terms of having a proactive risk management team and an extremely knowledgeable compliance team, to meet the challenges that the current business and legislative environment presents.
Governance structures have changed completely; ‘transparency’ and ‘independence’ are a must: In the past, responsibility for compliance rested only with the legal department. However, companies today have to comply not just with local laws but even with operational regulations. For instance, a person processing transactions must have working knowledge of the impact of his / her actions with respect to the regulations and / or legislation governing the business. Liabilities rest with the entire hierarchy, from the transaction processor right up to the Board level. As far as the Board is concerned, it must have an independent and transparent corporate governance tree that will make sure that the appropriate escalations are conveyed to the Board in a timely and accurate manner. GRC programs are no longer a ‘tick-in-the-box’ option for organizations. GRC programs must be sophisticated enough to be able to deal with internal as well as external risks. Sophistication in the form of a robust risk management system, a specialist compliance task force and transparent and independent governance structures is key to surviving and, more importantly, thriving in the current business environment.
Q. With sophistication / complexities defining GRC programs, are organizations equipped to deal with governance, risk and compliance on their own?
Largely, the answer for a majority of organizations would be ‘no’, simply because of the complexities involved. For any organization, capital is a limited commodity. It is meant to be deployed to earn profits and maximize return on investment. Although businesses are focused on acquiring companies and assets, setting up business lines, expanding into new geographies and so on, investing in risk management has really not been a business imperative. Besides, with the internal threats and external complexities, and the multiple business lines and diverse geographies that even medium-sized businesses operate in today, it is nearly impossible for such companies to have a GRC program that can deal with the multi-faceted challenges facing the organization.
At its root, GRC is a very specialized and complex field, since it helps companies identify “what can go wrong”. Most companies will eventually put some form of GRC program in place, but most of them will not have the resources to set up monitoring and reporting processes and systems.
Q. Traditionally, enterprises have relied upon consulting firms to create GRC strategies. How do you think BPM companies can contribute to the organizational GRC goals of enterprises?
You are right about the fact that, in a large number of instances, organizations have employed consulting firms to design their GRC processes, systems and frameworks. Typically, a consulting firm owns the responsibility for making, but not implementing, the stated recommendations. While a consultant may advocate the adoption of best practices, real-world circumstances require those best practices to be suitably tailored in order to achieve compliance goals on the one hand and business objectives on the other.
That’s where organizations need an industry-focused BPM partner that can work alongside them in implementing stated best practices, and that has enough industry knowledge and ongoing organizational connect to be able to tailor such best practices to suit the organizational requirements. BPM companies such as WNS have deep industry knowledge and experience in managing business processes as well as outcomes for their clients. By outcomes, I mean not just the business impact but even the management of risk as well as ensuring compliance.
In my experience, while organizations have mature governance structures and robust risk management processes, it is the compliance program which usually lacks investment. Organizations are forced to water down their compliance programs simply because they don’t have the resources for them.
Q. Can you please elaborate on the way a BPM partner like WNS would work with a client organization in order to achieve its GRC objectives?
Yes, absolutely. A BPM company such as WNS, which operates on an end-to-end vertical structure, understands the nuances of the industry as well as the specific business processes and the embedded legal and regulatory requirements that accompany them. Our knowledge of the operating processes that we manage, with an overlay of data analytics, gives us an edge in providing a much better, value-added output. In fact, we hold ourselves accountable to it by measuring our deliverables against specific service levels, which also include compliance against set requirements.
For instance, having worked on business processes for insurance firms from multiple geographies has built WNS’s expertise in business processes for the insurance industry. Today we are in a competitive position to provide clients the support they need in complying with, say, the Solvency II directive. Our services for Solvency II compliance would include actuarial modeling to facilitate reserving and pricing computations, critical for Solvency II capital estimation, as well as facilitating timely reporting and independent assurance on an ongoing basis. In addition, we provide country-specific regulatory reporting and work across the entire value chain, from data compilation to analysis and reporting. Besides, our data analytics-based fraudulent claim detection model has ensured significant savings on a continuous basis for one of our insurance clients.
Similarly, we work with leading banks to support them in areas such as compliance with OCC guidelines, thereby facilitating substantial cost savings apart from eliminating process redundancies through data analytics-driven solutions.
For all our clients, WNS has implemented a Business Process Risk Management and Audit (BPRMA) framework. The Business Process Risk Management (BPRM) framework includes the identification of process- and system-level risks for all outsourced processes, which is shared with our clients in the form of a ‘risk register’ in order for them to get a better view of risks in the offshore environment. Some of these risks, if not addressed, could even lead to non-compliance with regulations. These risks are then mitigated based on an agreed-upon mitigation plan that is tracked in a periodically conducted joint governance meeting. The offshore risk registers are also available to our clients and can be consolidated with the onshore risk registers in order to arrive at the overall risk posture.
The Business Process Audit (BPA) framework requires a cyclical audit to be conducted on all outsourced business processes to ensure that the mitigation steps mentioned above are indeed implemented and address the stated risks. These audits also provide assurance around stated regulatory requirements, if any.
In the non-financial services sectors, clients have engaged with us to conduct operational risk reviews and SOX control testing on a continuous basis. With these solutions we have been able to highlight exceptions on a near real-time basis, thereby facilitating process improvements apart from ensuring regulatory compliance.
WNS’s analytics offerings help clients understand the underlying risks associated with the business, while supporting their compliance initiatives. Integration of business processes to the overall GRC framework is critical for success.
Essentially, the key differentiators for a BPM company such as WNS are a strong analytics backbone coupled with deep industry knowledge.
Q. What are the key tenets around GRC that an organization has to bear in mind while partnering with a BPM company?
To begin with, outsourcing of business processes to a BPM company does not take away the responsibility around governance, risk and compliance from the organization. However, as is evident from my earlier response, organizations that partner with BPM companies that have deep industry knowledge as well as domain expertise are much closer to achieving their organizational GRC objectives.
Another important factor that comes into play here is analytics. Today, analytics plays an important role in risk management. Analytics helps identify risks of fraud and error that are likely to be missed by the human eye on a mere glance at a transaction. Organizations must partner with BPM companies that can overlay analytics on the outsourced processes.
Analytical tools also facilitate risk measurement based on a combination of historical data, external data and scenario analysis. With the advent of Big Data and the availability of advanced analytics models, risk management can be strengthened through real-time triggers on potential risks. This in turn facilitates informed decision-making as well as timely risk mitigation. Through analytical tools and techniques, the compliance function becomes more robust and facilitates deeper introspection of likely errors or frauds, so that better controls can be implemented.
Q. What should be the level of collaboration between the client’s and the BPM company’s risk and compliance function?
A quick response to this question would be ‘absolute’. Given the complexity of the business as well as the plethora of regulations that most companies need to comply with, a lack of coordination and collaboration between the client and the BPM partner could have disastrous consequences.
The partnership approach that we follow at WNS is resonating very well with our clients. In my view, this kind of collaboration has worked well for achieving our clients’ GRC objectives.
At WNS, we follow the ‘Three Lines of Defense’ model across all our client programs. Our First Line of Defense is the Quality function that manages the day-to-day compliance with stated program objectives. This even includes compliance checks around regulatory requirements that are specific to a client program.
The Second Line of Defense is the Risk Management and Audit function that manages the BPRMA framework and activities that I have mentioned earlier.
The client’s as well as WNS’s Second Line of Defense work very closely together to interpret and weave internal policy as well as regulatory requirements into the processes we manage for the client. WNS’s First Line of Defense then checks whether the objectives set by the risk management team are being met and reports the same accordingly.
The Third Line of Defense is always retained by the client’s internal audit team, which holds full rights to audit WNS’s operational risk management and compliance programs to ensure design efficiency and operational effectiveness.