The level of preparation in India for regulatory and technological risks

17 September 2018 4 min. read
More news on

As regulatory and technological risks become an increasing part of daily organisational life, a number of businesses in India remain unprepared for the upcoming disruption in these domains. Global professional services firm Deloitte reports that two-thirds of the senior management in Indian businesses feel that their risk management systems are inadequate.

Disruption is coming at Indian businesses from all directions. Digital disruption has now become a pertinent reality for most across the world, although the disruptive qualities in India are accentuated by its position as a global hub for IT services. The world is also currently contending with regulatory disruptions, as data protection regulations become increasingly stringent.

Despite being a European legislation, the General Data Protection Regulation is set to have a tangible impact on businesses in India as well, particularly those that manage data for international clients, in addition to multinational corporations with operations in India. The compromise of information for a host of Indian clients in the sustained Deloitte hack that took place last year is an example of why the act has been extended beyond only European firms.

Top three current risks

The incident also brought to light another major form of disruption that most firms will have to contend with in the near future – cyber risks. As firms across India digitalise at a rapid rate, the cybersecurity frameworks do not necessarily develop at the same pace, which has left many firms vulnerable to attacks in the digital domain.

Given the fact that GDPR was enforced only in May this year, regulatory disruption is currently viewed as the biggest threat amongst Indian firms, followed by cyber security and subsequently technological disruption. This scenario looks set to change over the next three years, however, as cyber risks will take centre stage, followed by disruption form technology, while regulatory disruption will become less relevant as organisations settle into GDPR compliance.

The combination of digital and regulatory disruption poses a huge risk to organisations in India, and most appear to be underprepared in this regard. Big Four accounting and advisory firm Deloitte has attempted to enumerate the precise indicators of organisational preparedness, based on which it has evaluated the risk scenario in Indian businesses.

Frequency of meetings with CROs

According to the firm, there are four key organisational changes that indicate preparedness to face risk. The most important of these – reiterated on many occasions throughout Deloitte’s report – is the involvement of the senior management and the board in risk management processes.

To have such procedures in place, a firm must have talent at its disposal that is specialised in risk management, which is Deloitte’s second recommendation. The last two recommendations are interconnected, in that they speak of specialised teams for risk management, and the allocation of sufficient funds to build the same.

Based on this assessment criteria, Deloitte found Indian businesses to be severely unprepared for risk management. 64% the of senior executives surveyed indicated that their organisation lacked the mechanisms to introduce such measures. Nevertheless, most organisations appeared to have a Chief Risk Officer (CRO) in place, and 61% of these incorporated the position into their senior management levels.

Frequency of risk management policy reviews

The problem appears to lie in the communication channels between these CROs and the senior management of an organisation, specifically the CEOs and the Board. Most firms surveyed lacked scheduled meeting times between CROs and the senior management. Of those who did, quarterly meetings were the most frequent schedules, followed by annual updates – an inadequate scenario given the constant nature of cyber and digital risks.

Most organisations also lack the mechanisms to improve on their risk management policies. More than half the firms surveyed review their overall risk management framework only once a year, while 37% do so annually. A meager 5% conduct a monthly review of their policies, and 7% have never conducted such a review.

However, there are promising indications as well, given that nearly 70% of the organisations review their risk management reports on a quarterly basis, and nearly half evaluate the effectiveness of their risk management strategy every quarter as well. The corporate culture of risk management, however, is reviewed primarily on an annual basis.