Infosys tops list of best voluntary disclosure practices in India

26 November 2018

Global strategy consultancy FTI Consulting has released its ‘India Disclosure Index 2018,’ which evaluates the non-financial and voluntary disclosure practices for firms across the country. Nine companies have scored over 9 out of 10 on the index, while IT services firm Infosys emerged with a perfect 10.

Nestled within the domain of non-financial, voluntary disclosure, FTI’s report for this year generated minimum standards and guidelines based on new disclosure regulations that are expected to be rolled out in the near future. Overall the report relied on twelve different parameters to evaluate firms in India.

These parameters include the relevance of operating metrics, business strategy (long-term corporate goals), diversity of the board, evaluation of the board by a third party, separation between the advisory and executive roles, proportion of independent directors on the board and expertise amongst senior directors.

India disclosure index 2018

Other parameters include the whistleblowing mechanisms in place, analysis transcripts, metrics for risk management, cybersecurity and risk mitigation practices and the compliance of sustainability disclosure with global guidelines. These twelve parameters were separated into three categories, evaluating performance, board quality and risk management respectively.

The firm evaluated India’s top 100 listed companies, and the average score for all the firms on the overall voluntary disclosure index is just over 6 out of 10. Nine out of the top ten companies had a voluntary disclosure score in excess of 9, the only outlier being Wipro with a score of 8.4.

Infosys, meanwhile, emerged as the top firm in the voluntary disclosure index with a score of 10. Other firms in the top ten incude Yes Bank, Vedanta, Tata Chemicals, HCL Technologies, Cipla, Axis Bank and ACC, all of which had scores of 9.2. Kotak Mahindra Bank placed in 9th with a score of 9.

Voluntary disclosure scores (top 10)

Zooming in on specific parameters, the top 100 group had a mixed performance in the board quality category. In terms of board duality, for instance, 76% of the firms had clearly delineated differences between the role of Chairman and that of CEO. In addition, over 80% of the firms have independent directors constitute half of the board at the very least. 

However, the performance drops when it comes to accountability measures, particularly as only 10% of the boards engaged third parties to evaluate board operations. Most boards conduct self-evaluations, which are effective but lack the same degree of objectivity as those conducted by external parties. Nearly 20% of the boards, meanwhile, do not have female representation on their board.

Risk management practices were also lacking for some firms, with as many as 20% missing a user-friendly whistle-blowing system. Perhaps the biggest shortcoming, however, is that nearly 60% of the firms did not disclose their cybersecurity mechanisms in annual reports, which is of particular concern in an increasingly insecure cyber environment.


More news on


The level of preparation in India for regulatory and technological risks

17 September 2018

As regulatory and technological risks become an increasing part of daily organisational life, a number of businesses in India remain unprepared for the upcoming disruption in these domains. Global professional services firm Deloitte reports that two-thirds of the senior management in Indian businesses feel that their risk management systems are inadequate.

Disruption is coming at Indian businesses from all directions. Digital disruption has now become a pertinent reality for most across the world, although the disruptive qualities in India are accentuated by its position as a global hub for IT services. The world is also currently contending with regulatory disruptions, as data protection regulations become increasingly stringent.

Despite being a European legislation, the General Data Protection Regulation is set to have a tangible impact on businesses in India as well, particularly those that manage data for international clients, in addition to multinational corporations with operations in India. The compromise of information for a host of Indian clients in the sustained Deloitte hack that took place last year is an example of why the act has been extended beyond only European firms.

Top three current risks

The incident also brought to light another major form of disruption that most firms will have to contend with in the near future – cyber risks. As firms across India digitalise at a rapid rate, the cybersecurity frameworks do not necessarily develop at the same pace, which has left many firms vulnerable to attacks in the digital domain.

Given the fact that GDPR was enforced only in May this year, regulatory disruption is currently viewed as the biggest threat amongst Indian firms, followed by cyber security and subsequently technological disruption. This scenario looks set to change over the next three years, however, as cyber risks will take centre stage, followed by disruption form technology, while regulatory disruption will become less relevant as organisations settle into GDPR compliance.

The combination of digital and regulatory disruption poses a huge risk to organisations in India, and most appear to be underprepared in this regard. Big Four accounting and advisory firm Deloitte has attempted to enumerate the precise indicators of organisational preparedness, based on which it has evaluated the risk scenario in Indian businesses.

Frequency of meetings with CROs

According to the firm, there are four key organisational changes that indicate preparedness to face risk. The most important of these – reiterated on many occasions throughout Deloitte’s report – is the involvement of the senior management and the board in risk management processes.

To have such procedures in place, a firm must have talent at its disposal that is specialised in risk management, which is Deloitte’s second recommendation. The last two recommendations are interconnected, in that they speak of specialised teams for risk management, and the allocation of sufficient funds to build the same.

Based on this assessment criteria, Deloitte found Indian businesses to be severely unprepared for risk management. 64% the of senior executives surveyed indicated that their organisation lacked the mechanisms to introduce such measures. Nevertheless, most organisations appeared to have a Chief Risk Officer (CRO) in place, and 61% of these incorporated the position into their senior management levels.

Frequency of risk management policy reviews

The problem appears to lie in the communication channels between these CROs and the senior management of an organisation, specifically the CEOs and the Board. Most firms surveyed lacked scheduled meeting times between CROs and the senior management. Of those who did, quarterly meetings were the most frequent schedules, followed by annual updates – an inadequate scenario given the constant nature of cyber and digital risks.

Most organisations also lack the mechanisms to improve on their risk management policies. More than half the firms surveyed review their overall risk management framework only once a year, while 37% do so annually. A meager 5% conduct a monthly review of their policies, and 7% have never conducted such a review.

However, there are promising indications as well, given that nearly 70% of the organisations review their risk management reports on a quarterly basis, and nearly half evaluate the effectiveness of their risk management strategy every quarter as well. The corporate culture of risk management, however, is reviewed primarily on an annual basis.