Corporate India’s transforming risk landscape — are you prepared?

Upload: lenga

Post on 01-Jan-2017


Contents

Introduction
Foreword
Categorizing the current conundrum
  Key risk factors
    Cybercrime: can companies decipher, detect and defend against these risks?
    Can social media present vulnerabilities?
    The NPA crisis – turmoil in the financial services sector: what can banks do?
    Unravelling data integrity issues in the pharmaceutical sector – are companies compliant?
  Enhanced enforcement
    Increased focus on FCPA enforcement actions against individuals
  New combative tools
    Use of Forensic Data Analytics in anti-bribery and anti-corruption monitoring and investigations
Charting an ethical path for organizational growth
  Leading practices for companies
Conclusion


Introduction

Changing dynamics have a substantial impact on businesses over time. While the corporate world continues to progress in its approach and operating models to build sustainable companies, it continues to face a myriad of risks related to fraud, bribery and corruption. At the same time, these threats have also been constantly evolving over time and present companies with multiple challenges. Hence, it is important for companies to adapt and adopt new techniques to combat these rising risks.

In line with businesses aiming for advancement, there are several factors that are driving the corporate agenda, i.e., increasing the momentum for growth, meeting stakeholder expectations (especially in the case of institutional investors) and cost control. A recent EY survey titled ‘Fraud and corruption — the easy option for growth?’ established that the pressure to achieve growth and develop new revenue opportunities is increasing the propensity of unethical practices and is driving teams and individuals toward these risks. The India findings of the survey indicated that 81% of respondents believe the management to be under increased pressure to identify new revenue opportunities, while 66% believe that the pressure to venture into high risk markets is significant.

India is at a crossroads in terms of development, as described by a report of the World Economic Forum titled, ‘The Inclusive Growth and Development Report 2015’, which was published in September 2015. This is because it scores well in terms of access to finance for business development and real economy investment.

However, new business creation continues to be held back by the large administrative burden of starting and running companies, corruption and underdeveloped infrastructure. The Government has realized the country’s need for radical change, and this stance has been visible through several statutory reforms that have been launched during the last few years.

While the Government’s efforts are aimed at creating a favourable environment for growth and development, unless companies are able to effectively identify and address risks associated with fraud, bribery and corruption in a proactive manner, the results may not come through.

Given the current context, EY and ASSOCHAM have outlined certain trends that companies in India need to take cognizance of with regard to the risks present, and highlight addressal mechanisms possible to combat the threats posed by fraud and corruption. It is our endeavor to enable a more aware industry in order to restrict these challenges from impacting India’s rapidly developing economy.

Arpinder Singh
Partner and National Leader, Fraud Investigation & Dispute Services, EY


Foreword

The existence of all mandated statutory and regulatory policies in practice by the corporates under various empowered authorities provides a mechanism for their fair practices globally. In the light of such fair practices by a large number of corporates across the world economy, there have been several and sporadically noticed dire incidences of fraudulent conduct by the organisations which differentiated themselves otherwise. Such frauds have resulted in loss of identity of organisations, massive investments and confidence of investors in the market.

The growing capital infusion, increasing pace of business diversifications, advancement in technologies and business expansions etc. have a major impact on the interest of all stakeholders. All such associated interests are most affected by the corporate frauds and so have been a cause of great concern across the globe. Thus, a proper fraud-risk management system is essentially required to safeguard the interest of stakeholders from uncertain and unpredictable but highly prospective and latent corporate frauds of the future.

D. S. Rawat
Secretary General, ASSOCHAM

ASSOCHAM, in partnership with Ernst & Young LLP, has come up with this study paper to provide better understanding of the current industry scenario, regulatory viewpoints, various anti-fraud resources, tools, knowledge and the best practices available.

This is an attempt to enhance the understanding and establish sound business practices for reputation enhancement and business growth by equipping companies against frauds.

I am sure this study paper will give rich insight and adequate knowledge to all stakeholders.

I wish the Summit a great success.

Categorizing the current conundrum

Key risk factors

The key vulnerabilities present in the Indian context today broadly reflect an influx of unmonitored technology and a lack of compliance monitoring. Companies face a new age of threats that have emerged from gaps in the systems and mechanisms implemented within their organizational construct. While external factors have largely been the focus of companies’ combative efforts, insufficient internal monitoring programs and processes have also contributed to the current dilemma. In line with this, here are some emerging risk factors that companies need to watch out for.

Cybercrime: can companies decipher, detect and defend against these risks?

New risks emerge from what the organization does, from changes in the markets in which it operates and developments in external threats. One of the most significant examples of these developing threats is cybercrime.

Businesses are prone to cyber-attacks these days, and these attacks prove to be a dynamic, relentless menace for leading companies. The threat is growing, and it is seen that organizations may not be keeping pace.

Cyber-related incidents have skyrocketed in recent times and if the industry statistics are to be believed, this is bound to continue. There have been cases when large global companies have been breached successfully — some even had ex-employees leading the attacks. In the latter scenario, preventive controls proved to be futile as the ex-employee knew the IT environment and the means to bypass the controls.

Indian cybercrime soars 350% in 3 years

[Figure: The increasing stratum of cyber risks]
[Chart 1: Cybercrime cases registered and arrests made, 2010-13. Series: cases registered, arrests.]
[Chart 2: Cybercrime cases registered, by motive, 2013. Y-axis: No. of cases registered. Motives: Fraud/illegal gain, Eve teasing/harassment, Greed/money, Cause disrepute, Revenge, Extortion, Prank, Others.]
Source: National Crime Records Bureau


Incidentally, 50% of the respondents of the EY Global Fraud Survey 2014 saw cybercrime as a very or fairly low risk to their business.

According to research by the Economist Intelligence Unit, nearly one-third of all businesses sampled have seen an increase in the number of attacks in 2014 as compared to the previous year.

Key concerns

The EY survey results suggest that some executives may be naïve regarding the scale and severity of the threat posed to their business and that businesses may be slow in adapting to combat the source of these threats. Respondents continue to see hackers as the biggest concern — and are underestimating the risk from organized crime syndicates as well as “advanced persistent threats.” Developing an effective response is more difficult without a proper understanding of the potential sources of attacks.

The impact of cyber breaches continues to show that organizations and their boards must become more aggressive in developing response plans to these persistent threats. A key component for strengthening an organization’s preparedness will be increased awareness of the variety of threat actors — including “hacktivists” and nation states.

Changing role of CXOs

Cyber risks manifest themselves in areas beyond the scope of the Chief Information Security Officer (CISO). They affect employees, business systems and interactions between an organization and its stakeholders — including regulators.

Traditionally, the role of the CISO focused on information security attacks and compromises due to their damaging and potentially public nature. These risks now require immediate and planned responses, organized by inside and outside counsel. Additionally, the potential shareholder impact, risk due to state-run and industrial cyber-espionage, loss of highly valuable IP, unique business process, or client data elevates the responsibility of cyber security to a board-level exercise. The related disclosure issues can be complex.

Governance of the risks therefore, needs to be built around several executives, including the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Information Officer (CIO), Chief Technology Officer (CTO) and the general counsel. In the event of a breach, the general counsel’s role becomes significant, since managing the messaging for authorities and the content and timing of any disclosures are critical. Our results also show executives wanting their boards to discuss the risks regularly.

What can companies do?

Cyber-attacks probe defenses, searching for weaknesses. An effective defense requires scrutiny of a company’s entire IT platform using diagnostic testing. Diagnostic testing should encompass all networks, systems, logs and events and search for evidence of the four elements of a cyber-attack:

• Entry — identifying evidence of malware that provides the attacker with a digital “beachhead”

• Lateral movement — identifying evidence of the extent to which an attack has spread across different parts of the network

• Harvesting — identifying unusual activity or tools across accounts and data sources that indicate the unauthorized capture of information

• Exfiltration — identifying efforts by the attacker to remove data


Can social media present vulnerabilities?

With new platforms, applications and technologies being discovered almost on a daily basis, social networks are being embraced rapidly by individuals and corporations. While some companies use the internet for business (e-commerce), others use social media channels as part of their branding strategies to build a strong connection with their stakeholders, including clients, shareholders, employees and suppliers. There is a dichotomy here — while social media plays a crucial role in business, it can also lead to fraud. In today’s context, when people openly share personal information such as birthdays, addresses, current location and frequently visited places (restaurants or workplace) through third-party applications, it becomes even easier for a fraudster.

Key concerns

In corporate work environments, there are enough firewalls and security mechanisms in place to safeguard information residing in devices. However, accessing work emails remotely or through home computers or laptops can give rise to concerns.

1. The personal device tends to be accessed by other people, including family members or friends. While technology-savvy individuals will stay guarded and avoid clicking links shared by unknown sources, digital immigrants may not take any precautions. They could inadvertently download a virus, malware or key logger that could compromise information resting in the system.

2. On the other hand, youngsters who are digital natives, but are using social platforms purely as a means to network and share information could also fall prey to such risks. The inclination to be present and active on new social channels is so high that it could lead to the possibility of bugs getting into the system.

3. Another way by which data can be compromised is with the use of unsecured Wi-Fi. Many public places tend to offer free Wi-Fi to their patrons, and there are multiple cases when you do not require a password to connect. In such a case, it is not difficult for any spyware to gain access to the device when you log in to social media and compromise the device.

What can companies do?

In both these scenarios, social media, in some ways, unintentionally leads to data breach or compromise, even though the individual may have assumed caution. Companies need to take a number of proactive and reactive steps to protect themselves from social media risks. These range from installing firewalls, anti-virus software, encryption, blocking unsecure websites and other technology upgrades to mitigate the possibility of any breach. They should also have mandatory training and a well-communicated social media policy.


The NPA crisis — turmoil in the financial services sector: what can banks do?

Recent news around the rising “Non-Performing Assets” (NPA) and instances of bribery and corruption has brought to the fore the risks faced by the sector in India. Notwithstanding the billions of funds in restitution, fines and litigation costs incurred to date by banks and securities firms, regulatory pressure is not expected to dissipate soon. Important themes from 2014 will likely continue going forward as the industry responds to broad regulatory focus on systemic risk.

Regulatory actions have been intense lately, with revisions in guidelines and new mandates being released. While the Reserve Bank of India (RBI) has taken steps to initiate recoveries of these loans by introducing regulation which avoids postponing the problem, increasing the credibility of sales to asset reconstruction companies and early resolution of potential NPAs, the issues around fraudulent promoters require a higher degree of attention. While all resolutions now mandate a forensic audit, the very essence of promoter integrity needs more focus given the size of the problem.

[Figure: The rise of stressed assets (in %*), March 2013 to March 2015. Series: GNPAs, NNPAs, overall stressed advances.]
*As percentage of total advances; GNPA stands for gross non-performing assets; NNPA stands for net non-performing assets. Source: RBI

Stressed asset percentages have consistently been a cause of concern over the last few years. As of March 2015, gross NPAs stood at 4.6% as compared to 4.1% in the previous year. Furthermore, gross NPAs for public sector banks stood at 5.17% of advances as of March 2015 while the stressed assets (NPAs and restructured loans) were 13.2%.

Key concerns

While corporate borrowers have repeatedly blamed the economic slowdown as the primary factor behind it, periodic independent audits on borrowers have revealed diversion of funds or wilful default leading to stressed situations. Given the gravity of the current situation, pre-sanction due diligence and sanctioning processes have also been under the scanner of the regulator to gauge the control mechanism at banks.

A close scrutiny of loan sanctioning, disbursement and recovery processes has uncovered a number of gaps and inefficiencies, including in the identification and reporting of NPAs. Key issues identified are:

1. Inherent complexities around automated systems used by banks for NPA identification and provisioning

2. Overdependence on third parties for managing and providing technical support for NPA system, resulting in lack of transparency and limited monitoring

3. Unrestricted access to carry out changes in repayment schedule or adjustment entries in the customer accounts

4. Lack of adequate audit trails around change management and access privileges leading to inadequate monitoring

According to the RBI, banks tend to report an account as fraud, only when they exhaust the chances of further recovery. At times, reluctance for undertaking an investigation on borrowers may be due to their long-standing relationship. The new guidelines by RBI have now provided an incentive to banks for prompt reporting. They can spread the provision over four quarters, provided there is no delay in reporting of fraud.

Key findings from a recently released EY Fraud Investigation & Dispute Services survey titled ‘Unmasking India’s NPA issues — can the banking sector overcome this phase?’

• Around 87% of the respondents believe that the rise in NPA/stressed asset numbers is due to the diversion of funds to unrelated business or fraud

• 64% of the respondents believed that a major reason for every stressed asset/NPA is lapses in the initial borrower due diligence (pre-sanction)

• Around 54% attributed this to the inefficiencies in the post-disbursement monitoring process

• According to the survey, two out of three respondents considered that third-party reports (valuation, field verification etc.) could be manipulated to favor the borrower. While a minority negated it (5%), 29% were uncertain about it.

• Around 44% stated that the impact on the provisioning or performance of the branch is one of the key reasons that are preventing banks from reporting NPA borrowers as “wilful defaulters” and/or fraud. Other reasons cited:
  • 36%: not being aware of the intent of the borrower in case of default
  • 32%: impact on future recovery from the borrower

What can companies do?

According to survey respondents, stricter penal measures for fraudulent borrowers, e.g., restricting access to additional bank borrowing and restructuring, prompt reporting of cases to law enforcement agencies etc. will act as deterrents and help prevent larger exposures of bad accounts in the banks’ books. Widening of the scope of “wilful defaulters” ably supported by Securities and Exchange Board of India (SEBI) will assist in restricting defaulting borrowers from accessing the equity and debt markets. The creation of the Central Fraud Registry will benefit banks in obtaining access to critical details of frauds reported by other banks and thereby avoid lending to tainted borrowers. The boards of the banks will conduct a detailed scrutiny of the quarterly and annual financial results, review NPA management and reported NPA and provisioning integrity.

The RBI, the Government and other authorities have initiated various steps toward governance, accountability and responsibility. It is anticipated that the Government’s reforms in the core sectors such as infrastructure, power, telecom, metals and mining will help reduce the stress in the banking sector.

The new RBI circular on “Framework for dealing with loan frauds” demonstrates its commitment to address concerns pertaining to detection, reporting, mitigating and accountability with regards to loan frauds.

Significant expansion in the role of “Fraud Monitoring Group” (FMG) within the banks is expected based on the circular. Further, importance has also been laid on implementing a strong whistle-blower policy to encourage employees to report concerns.

The recent circular around “Strategic Debt Restructuring Scheme” is also a firm step by the RBI, giving bankers strong powers to take over management control of the defaulters. This will be implemented when they feel that the borrower company is incapable of coming out of stress due to operational or managerial inefficiencies.

Analysis of the current situation indicates that banks need to become more proactive in framing policies or guidelines and implementing them right from the grass-root level, with constant supervision by the top management. The new RBI guidelines have laid a firm pathway for improving overall robustness to manage loan frauds. Banks would need to adopt and implement the measures in true spirit and substance, and not just ‘form’.

The key to proactive identification of red flags would be to integrate and analyse transactional data (bank statements) with documents available (audit report, sanction documents etc.) and information from the public domain including market information to find anomalies. Specific roles for designated persons who constitute the FMG, to certify compliance with the circular guidelines would be necessary to ensure accountability of decisions taken.

The road to recovery is long and winding. But bankers are cautiously optimistic that the NPA situation will improve, albeit at a slow pace.


Unravelling data integrity issues in the pharmaceutical sector — are companies compliant?

There is a notable expansion of the exposure that life sciences companies face when operating in multiple jurisdictions. Staying abreast of the differing anti-corruption laws and standards, particularly in markets where the rule of law is not always clear, is presenting challenges and opportunities for companies that deeply depend on growth in those markets.

The Indian pharmaceutical industry is grappling with various compliance challenges — increased regulation, mergers and acquisitions, push toward harmonization and data integrity concerns. In addition, there has been a recent upsurge in enforcement actions on data integrity cases.

Companies therefore have to rethink their methods for ensuring quality and compliance and sustaining business.

Key concerns

A recently released EY Fraud Investigation & Dispute Services survey on the state of data integrity compliance in the pharmaceutical industry in India highlighted the following as the key areas of concern for the industry:

1. Absence of quality process and procedures

2. Lapses in data integrity continue to rise

3. Technology upgrade is the need of the hour

4. Work pressure and shortage of manpower affect quality compliance

5. Setting up whistle-blowing frameworks is still work in progress

Regulatory actions such as import alerts or warning letters create an immediate need for companies to conduct data integrity reviews.

There is a need to adopt regular internal and external data integrity assessments to identify gaps. This will help establish whether laboratory test data files have been deleted outside of the routine archiving process, and help monitor data to identify potential trial runs, re-processed files and the use of common or shared login IDs and passwords.

In addition, it is imperative that the Indian pharmaceutical industry make efforts to comply with the essentials of Part 11 — Title 21 of the Code of Federal Regulations (21 CFR 11). The key requirements include ensuring an audit trail on laboratory systems, respecting unique user IDs and passwords at all times, ensuring that administration rights are with the right people and department, and validating computer systems.

What can companies do?

With the Government of India’s focus on the “Make in India” initiative, and commitment to battling fraud and corruption, the Indian pharmaceutical industry is being watched very closely to recoup and lead the initiative. The Government is more vigilant and is emphasising Good Manufacturing Practice (GMP) compliance guidelines set by global, central and state regulators.

While the pharmaceutical industry is committed to gearing up on quality and compliance, the remedy for the industry now is to get more proactive in its quality compliance drives. The same can be done by adopting regular internal and external data integrity assessments to identify gaps if any, such as to identify if laboratory test data files have been deleted outside of the routine archiving process, monitor data to identify potential trial runs, re-processed files and use of common or shared login ID and password. This not only acts as self-assurance, but may also provide comfort to regulators, customers and investors, on the management’s commitment to quality and compliance.
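The data integrity checks named above (deletions outside routine archiving, potential trial runs, re-processed files, shared logins) can be run over an exported laboratory audit trail. The following is an added example, not part of the original report: the CSV layout, the action names, the `archiver` account and the heuristics (a delete is routine only after an ARCHIVE record for the same file; an acquisition for an unregistered sample ID is a potential trial run; one user ID logged in on two workstations at once suggests a shared login) are all assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed audit-trail export (not real data); the column layout is assumed.
AUDIT_CSV = """\
timestamp,user,workstation,action,file,sample_id
2016-03-01T09:00:00,analyst1,HPLC-01,LOGIN,,
2016-03-01T09:05:00,analyst1,HPLC-01,ACQUIRE,run_001.dat,TRIAL-1
2016-03-01T09:20:00,analyst1,HPLC-01,DELETE,run_001.dat,TRIAL-1
2016-03-01T09:30:00,analyst1,HPLC-01,ACQUIRE,run_002.dat,B1234-S1
2016-03-01T09:40:00,analyst1,GC-02,LOGIN,,
2016-03-01T09:50:00,analyst1,HPLC-01,PROCESS,run_002.dat,B1234-S1
2016-03-01T10:10:00,analyst1,HPLC-01,PROCESS,run_002.dat,B1234-S1
2016-03-01T10:30:00,analyst1,GC-02,LOGOUT,,
2016-03-01T11:00:00,analyst1,HPLC-01,LOGOUT,,
2016-03-01T12:00:00,analyst2,HPLC-01,LOGIN,,
2016-03-01T12:10:00,analyst2,HPLC-01,ACQUIRE,run_003.dat,B1234-S2
2016-03-01T12:30:00,analyst2,HPLC-01,PROCESS,run_003.dat,B1234-S2
2016-03-01T13:00:00,analyst2,HPLC-01,LOGOUT,,
2016-03-05T02:00:00,archiver,SRV-01,ARCHIVE,run_003.dat,B1234-S2
2016-03-05T02:05:00,archiver,SRV-01,DELETE,run_003.dat,B1234-S2
"""

# Sample IDs registered against a batch (constructed).
REGISTERED_SAMPLES = {"B1234-S1", "B1234-S2"}


def load_events(text):
    """Parse the CSV export and return events in chronological order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda r: r["timestamp"])


def deletes_outside_archiving(events):
    """Deletes of files that have no earlier ARCHIVE record."""
    archived, findings = set(), []
    for e in events:
        if e["action"] == "ARCHIVE":
            archived.add(e["file"])
        elif e["action"] == "DELETE" and e["file"] not in archived:
            findings.append((e["file"], e["user"]))
    return findings


def unregistered_acquisitions(events, registered):
    """Acquisitions whose sample ID is not registered: potential trial runs."""
    return [(e["file"], e["sample_id"]) for e in events
            if e["action"] == "ACQUIRE" and e["sample_id"] not in registered]


def reprocessed_files(events):
    """Data files that were processed more than once, with the count."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "PROCESS":
            counts[e["file"]] += 1
    return {name: n for name, n in counts.items() if n > 1}


def concurrent_logins(events):
    """User IDs with open sessions on two workstations at the same time."""
    open_sessions, findings = defaultdict(set), []
    for e in events:
        if e["action"] == "LOGIN":
            for other in sorted(open_sessions[e["user"]] - {e["workstation"]}):
                findings.append((e["user"], other, e["workstation"]))
            open_sessions[e["user"]].add(e["workstation"])
        elif e["action"] == "LOGOUT":
            open_sessions[e["user"]].discard(e["workstation"])
    return findings


if __name__ == "__main__":
    ev = load_events(AUDIT_CSV)
    print("Deleted outside archiving:", deletes_outside_archiving(ev))
    print("Potential trial runs:     ", unregistered_acquisitions(ev, REGISTERED_SAMPLES))
    print("Re-processed files:       ", reprocessed_files(ev))
    print("Concurrent logins:        ", concurrent_logins(ev))
```

Each finding is a lead for review rather than proof of misconduct: re-processing, for instance, can be legitimate when it is documented and justified.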

Key highlights from the survey titled ‘Analyzing the state of Data Integrity Compliance in the Indian pharmaceutical industry’

• 21% stated that audit trails on laboratory equipment are not always enabled in their organizations

• 33% of respondents did not conduct reviews to assess potential gaps in assurance of data integrity

• More than 30% of respondents had received inspectional observations (issues raised) by global regulators

• 33% mentioned having shared employee login IDs and passwords for laboratory systems such as High Performance Liquid Chromatography (HPLC) and Gas Chromatography (GC). This shows that organizations still need to make significant headway in being compliant with global standards.

• 57% admitted seeing manufacturing personnel being under immense work pressure, impacting overall efficiency of processes

Enhanced enforcement

Increased focus on FCPA enforcement actions against individuals

With a number of rapidly growing economies and increasingly sophisticated consumer markets, multinationals continue to invest heavily across a wide range of industry sectors. However, the perceived level of corruption in the region, and the attention of US authorities on business conduct, is prompting organizations to reassess their controls, testing and compliance programs.

Key concerns

The issue of corruption is also at the centre of the governance structure of organizations, which are increasingly realising that each rupee lost to corruption puts stress on the growth of a nation, since such funds cannot be deployed for infrastructure projects, healthcare and education initiatives.

What can companies do?

Global regulations around anti-bribery and anti-corruption are compelling organizations to appropriately educate and drive their management to follow the letter of the law. Some of the key enablement tools that help to keep a check on any problematic instances that may occur could be the transparency framework and mechanisms that boost an inclusive morale within the organization. These are some necessary elements required for developing an ethical culture.

Case study

A recent case, which came to the forefront while emphasizing the after effects of transnational enforcement agency co-operation, clearly demonstrated how the senior management plays a key role in defining how operations are carried out, especially in terms of the ethicality of decisions.

The company was vying to obtain a contract for a large-scale project in India. In order to gain a favourable advantage over competitors, it resorted to unethical practices involving paying bribes to the authorities and kickbacks to certain company officials who were in charge of orchestrating the same. A subsequent confession about the methodology used to obtain this contract was made to an overseas enforcement agency. Due to increased transnational border cooperation, the Indian authorities began probing this case and commissioned investigations into the company and authoritative bodies involved in procuring the vendor for the project. They consequently identified the money-trail, which prompted several arrests.

What can companies do?Forensic Data Analytics is a science used to proactively seek opportunities to prevent and detect fraud, waste and abuse by leveraging such financial information in corporate data systems. It enables identification of meaningful patterns and correlations in existing historic data to identify fraudulent activity. While such information is generally “invisible” to the common eye, it carries with it significant information to enable organizations to base their business decisions related to fraud, disputes and misconduct.

Anti-Bribery and Corruption analytics (ABAC) uses the same data to detect anomalies that are traditionally indicative of fraud or other misconduct or irregularity. The ABAC analytic models are generally developed to identify improper transactions in financial data sets, which may negatively impact an organization. The model factors various aspects from simple narration captured in a transaction to complicated pattern, text mining analysis – identifying deceitful keywords, establishing anomalous relationships between entities, combined with visual analytics.

Any dataset in historic, near real time and real time form can be assimilated through ABAC analytics solutions to help a company improve its bottom line by checking fraudulent activities.

New combative toolsUse of Forensic Data Analytics in anti-bribery and anti-corruption monitoring and investigations

Data analytics, traditionally the domain of marketing and sales, has effectively migrated into the realm of internal audit, compliance, and corporate oversight. Companies now have opportunities to use forensic data analytics for proactive monitoring of business data. There is a need for organizations to develop a better understanding of the risks and rewards of forensic data analytics and how these techniques can be used to transform data to help detect potential instances of fraud and corruption and implement effective risk mitigation programs.

With technology advancements, organizations have entered the digital world. Almost all the accounting and transaction data is now accessible through sophisticated computer applications which can be retrieved whenever required.

The volume, variety and velocity of transaction data coming into the organization have reached unprecedented levels. Millions of transactions are posted in the system each day, and that number is doubling every month. Applying customized techniques and tools to these large volumes can help increase overall efficiency and effectiveness and provide better insight into the data.

Key benefits

Text mining, sentiment analysis and concept analysis: Text analytics to identify and extract information related to fraud, corruption, waste and abuse matters based on keywords or phrases. It involves grouping similar transactions into clusters for the purpose of identifying anomalies or red flags.

Data Visualization: Identifying the “hidden” from “not so apparent”. Data Visualization techniques have proved to be effective, since humans can better absorb large pieces of information in a visual format than displayed numbers or text. When the result of a fraud identification query is combined with data visualization, e.g., an account payable or journal entry data, a significant amount of useful and previously invisible information can be reviewed at one go. They not only display information visually, but also create interactive maps or charts and can effectively analyse data. These tools also possess the capability to combine different databases to a single view and publish interactive dashboards on the web.

Link Analysis: It is a data-analysis technique used to evaluate relationships (connections) between nodes, including organizations, people and transactions. Using link analysis, companies can establish “hidden” relationships and information leakage from suspected employees to identified vendors for possible “kickbacks”.

Statistical conclusion, representative sampling and hypothesis testing: To identify data of interest based on a fraud score and the facts of an investigation. It highlights the fraud risk involved with transactions by identifying hit traits among different analyses and trends associated with suspicious behaviour and fraudulent transactions.
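As an added illustration (not part of the original report), the Python example below combines three of the techniques listed above: keyword text mining on transaction narrations, link analysis between approving employees and vendors through shared attributes, and a simple additive fraud score used to rank transactions for review. The sample records, keyword list, weights and function names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample master data and payments (not taken from the report).
EMPLOYEES = {
    "E01": {"phone": "555-0101", "bank": "ACC-7781", "address": "12 Lake Rd"},
    "E02": {"phone": "555-0102", "bank": "ACC-1203", "address": "4 Hill St"},
}
VENDORS = {
    "V10": {"phone": "555-0199", "bank": "ACC-7781", "address": "88 Market Sq"},
    "V11": {"phone": "555-0150", "bank": "ACC-9040", "address": "3 Dock Ln"},
}
TRANSACTIONS = [
    {"id": "T1", "vendor": "V10", "approver": "E01", "amount": 50000.00,
     "narration": "Facilitation charges for permit, paid in cash"},
    {"id": "T2", "vendor": "V11", "approver": "E02", "amount": 18342.75,
     "narration": "Monthly freight invoice 4471"},
    {"id": "T3", "vendor": "V10", "approver": "E02", "amount": 7215.40,
     "narration": "Gift hampers for officials"},
]

# Assumed red-flag keyword stems and weights; tune per business and language.
KEYWORDS = {"facilitation": 3, "cash": 2, "gift": 2, "official": 2, "commission": 1}
LINK_WEIGHT = 5          # approver shares an attribute with the paid vendor
ROUND_AMOUNT_WEIGHT = 1  # payment is an exact multiple of 1,000


def keyword_hits(narration):
    """Text mining: return the keyword stems found in a free-text narration."""
    tokens = re.findall(r"[a-z]+", narration.lower())
    return sorted({k for k in KEYWORDS for t in tokens if t.startswith(k)})


def build_links(employees, vendors):
    """Link analysis: map (employee, vendor) to the attributes they share."""
    index = defaultdict(set)
    for kind, table in (("E", employees), ("V", vendors)):
        for ent_id, attrs in table.items():
            for name, value in attrs.items():
                index[(name, value.strip().lower())].add((kind, ent_id))
    links = defaultdict(list)
    for (name, _value), members in index.items():
        emps = sorted(i for k, i in members if k == "E")
        vens = sorted(i for k, i in members if k == "V")
        for e in emps:
            for v in vens:
                links[(e, v)].append(name)
    return dict(links)


def score_transactions(transactions, links):
    """Fraud score: combine keyword, link and round-amount indicators."""
    results = []
    for tx in transactions:
        hits = keyword_hits(tx["narration"])
        shared = links.get((tx["approver"], tx["vendor"]), [])
        score = sum(KEYWORDS[k] for k in hits)
        if shared:
            score += LINK_WEIGHT
        if tx["amount"] % 1000 == 0:
            score += ROUND_AMOUNT_WEIGHT
        results.append({"id": tx["id"], "score": score,
                        "keywords": hits, "links": shared})
    # Highest score first, so reviewers start with the riskiest items.
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in score_transactions(TRANSACTIONS, build_links(EMPLOYEES, VENDORS)):
        print(row)
```

A score here only prioritizes transactions for human review; it is not a finding of misconduct.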

Charting an ethical path for organizational growth

Markets are never static. New risks constantly emerge, and the matters that regulators and the public consider inappropriate or fraudulent are evolving. In the recent past, regulators have been increasingly challenging corporate compliance and governance models, given that companies need to ensure risk mitigation while maintaining growth that shareholders would appreciate. Companies need to constantly challenge their mechanisms to determine whether the right compliance risks have been identified and are being effectively managed. The easy gains and quick wins for the compliance function have been secured.

Further progress from here is likely to be difficult for many companies. Indeed, for some companies, compliance fatigue may have already set in. The 2014 EY Global Fraud Survey of more than 2,700 executives across 59 countries shows that the risks businesses are facing are not receding. The incidence of fraud and reported levels of corruption are not declining. The results show a correlation between executive roles and willingness to justify certain activity when under pressure to meet financial targets.

The current scenario presents a paradoxical situation — while companies have improved on compliance and governance structures, there still seems to be an increase in terms of instances of fraud and corruption and nervousness around these issues.

This situation could be considered the result of an organization's strategy to implement compliance frameworks with a mere ‘tick in the box’ approach, rather than understand the spirit in which they were formulated. Perhaps, while organizations have laid out policies, they have not done so believing it to be a strategic decision for the board to consider, but because it is largely driven by regulations etc.

Additionally, while there is a team to monitor compliance, the resources are not adequately enabled or lack a commitment to the cause (budgets etc.). There also seems to be ambiguity with regard to procedures and processes. These aspects more often than not lack a definitive arrangement when it comes to escalation, response plans and timeframes based on specific types of incidents.


Leading practices for companies

Instituting adequate anti-bribery and anti-corruption due diligence

Specialized due diligence should be the norm, not the exception. If conducting such work during pre-closure of a project is not possible, then doing a robust post-closure procedure is essential given that the company may own the liability for illegal acts if not identified and disclosed to regulators in a timely manner.

Efforts to mitigate corruption risks posed by agents, consultants, commercial sales representatives and other third parties break down into four separate activities:

• Pre-contract due diligence and acceptance procedures

• Contracting provisions with anti-fraud and anti-bribery representations, warranties and other vendor requirements such as certifications and anti-corruption training

• Special payments review and approval

• Audits of intermediaries

The company then needs to categorize its vendors, analyse the risks posed by vendor type and determine if any groups warrant enhanced treatment to mitigate corruption risks. Companies should also develop a policy and specific procedures for anti-corruption due diligence in any contemplated merger, acquisition or joint venture; this would be a safeguard against inheriting liability for past corrupt activities.

Enhancing Board engagement

Compliance risks cannot be effectively addressed without robust oversight by the board. It is essential that the board sets a demanding plan, continues to ask tough questions and actively holds senior management accountable for the results. This level of scrutiny will drive a higher level of engagement among senior executives and should reduce the risk of compliance activities being delegated too far. Senior management themselves are highly exposed to risks. For example, CEOs are three times as likely as other respondents to have been asked to pay a bribe (based on the 2014 EY Global Fraud Survey). So their engagement in compliance efforts is not just about protecting the business, but also about protecting themselves.

Boards need to appropriately challenge management regarding the quality and frequency of their risk assessments, particularly around new risks like cyber-fraud and cybercrime. Board members can push the company to foster better collaboration between legal, compliance and internal audit, and they should request regular updates from management regarding fraud, bribery and corruption risks.

Allocating suitable budgets and resource support for compliance functions

While the business needs to own the risk, internal audit and compliance play essential roles in both improving standards of business conduct and in keeping the company out of trouble. Companies need to understand the value that these functions bring in and ensure that an adequate amount of resources and budgets are allocated to enable thorough enforcement of policy and procedure.

Tailoring appropriate training programs

Training should be customized in the local language and should include a mix of classroom and other online or video components. Participant information should be tracked, and business unit leaders — including those in foreign locations — should be evaluated on participation levels. C-suite executives need to lead on training and cannot be exempt from it. Board members too should undergo dedicated training for better enablement. Organizations need to invest in developing specific training modules based on the profile of the personnel, their seniority and the risk associated with the employees or third parties discharging duties. A generic training module usually proves to be a futile exercise, as the employee base most often is unable to relate to most of the scenarios presented in the session.

Big data mining to mitigate corruption risks

Effectively harnessing technology to support risk management is the greatest weakness or opportunity for most organizations. Over the past several years, the term big data has been a major theme of the information technology media and increasingly made its way into compliance, internal audit and fraud risk management-related publications. Mining big data using forensic data analytics tools can improve compliance and investigation outcomes and can help management provide useful summary information to the board. For business executives across many industries and geographies, “big data” presents tremendous opportunities. For those charged with deterring, detecting and investigating misconduct, mining such data can be a particularly powerful tool to be utilized in their overall compliance and anti-fraud efforts.

Establishing effective escalation procedures

Companies should have a response plan in place and clearly defined escalation procedures. These should include whether to respond to a whistle-blower or a cyber-incident, to minimize the damage being done, and would need to include how certain types of incidents should be highlighted to the board within a given timeframe. Furthermore, when deemed necessary, consultation with outside legal counsel, forensic accountants and IT security professionals should be directed.

Conclusion

The regulatory stance in India is improving, and the Government has taken several steps to set up empowered enforcement authorities to tackle these issues. At the same time, regulators are working together across borders like never before to hold companies and their executives accountable for their actions.

Companies, their boards and other stakeholders would do well to understand the complexities of the new-age business environment and appropriately deliver on these important priorities. Companies need to ensure that they are able to assess the risks present in their system, identify potential threats and accordingly safeguard their reputation and business. With more focus on driving revenues from less mature markets, the challenges for companies are getting more complex. Therefore, it is time for companies to reinforce their commitment to drive ethical growth for better sustenance.


About EY Fraud Investigation & Dispute Services

Dealing with complex issues of fraud, regulatory compliance and business disputes can detract from your efforts to achieve your company’s potential. Enhanced management of fraud risk and compliance is a critical business priority — whatever the industry sector. With our 3,500 fraud investigation and dispute professionals around the world, we will assemble the right multi-disciplinary and culturally aligned team to work with you and your legal advisors. In addition, we will provide you the benefit of our broad sector experience, our deep subject matter knowledge and the latest insights from our global activities.

FIDS India

• Deep competencies: Our FIDS team has specific domain knowledge along with wide industry experience.

• Forensic technology: We use sophisticated tools and established forensic techniques to provide requisite services to address individual client challenges.

• Global exposure: Our team members have been trained on international engagements and have had global exposure to fraud scenarios.

• Market intelligence: We have dedicated field professionals, who are specifically experienced and trained in corporate intelligence, and are capable of conducting extensive market intelligence and background studies on various subjects, industries, companies and people.

• Thought leadership: We serve a variety of leading clients, which gives us deep insight into a wide range of issues affecting our clients and business globally.

• Qualified professionals: We have a qualified and experienced mix of Chartered Accountants, Certified Fraud Examiners, Lawyers, CIAs, CISAs, Engineers, MBAs and Forensic Computer Professionals.

Our services

• Anti-fraud and fraud risk assessment

• Fraud Investigation

• Anti-bribery and Anti-corruption Compliance Services

• Dispute Advisory Services

• Competition and Trade Services

• Ethics and Integrity Due Diligence

• Third-party Due Diligence

• Whistle-blowing Services

• Supply Chain Compliance

• Data Integrity Reviews

• Forensic Technology & Discovery Services

• Computer forensics

• Forensic Data Analytics

• e-Discovery

• Software License and Forensic Disputes Services

• Cybercrime Investigation and Intelligence Services

Contact us

Arpinder Singh, Partner and National Leader, +91 22 6192 0160

Sandeep Baldava, Partner, +91 40 6736 2121

Vivek Aggarwal, Partner, +91 12 4464 4551

Mukul Shrivastava, Partner, +91 22 6192 2777

Anurag Kashyap, Partner, +91 22 6192 0373

Anil Kona, Partner, +91 80 6727 5500

Rajiv Joshi, Partner, +91 22 6192 1569

Yogen Vaidya, Partner, +91 22 6192 2264

Dinesh Moudgil, Partner, +91 22 6192 0584

Jagdeep Singh, Partner, +91 20 6603 6119

About ASSOCHAM

The knowledge architect of corporate India

The Associated Chambers of Commerce and Industry of India (ASSOCHAM), India’s premier apex chamber covers a membership of over 4 lakh companies and professionals across the country. ASSOCHAM is one of the oldest Chambers of Commerce which started in 1920. ASSOCHAM is known as the “knowledge chamber” for its ability to gather and disseminate knowledge. Its vision is to empower industry with knowledge so that they become strong and powerful global competitors with world class management, technology and quality standards.

ASSOCHAM is also a “pillar of democracy” as it reflects diverse views and sometimes opposing ideas in industry group. This important facet puts us ahead of countries like China and will strengthen our foundations of a democratic debate and better solution for the future. ASSOCHAM is also the “voice of industry” – it reflects the “pain” of industry as well as its “success” to the government. The chamber is a “change agent” that helps to create the environment for positive and constructive policy changes and solutions by the government for the progress of India.

As an apex industry body, ASSOCHAM represents the interests of industry and trade, interfaces with Government on policy issues and interacts with counterpart international organizations to promote bilateral economic issues. ASSOCHAM is represented on all national and local bodies and is, thus, able to pro-actively convey industry viewpoints, as also communicate and debate issues relating to public-private partnerships for economic development.

The road is long. It has many hills and valleys – yet the vision before us of a new resurgent India is strong and powerful. The light of knowledge and banishment of ignorance and poverty beckons us calling each member of the chamber to serve the nation and make a difference.


Recent FIDS reports

• Unmasking India’s NPA issues – can the banking sector overcome this phase?

• Reining in sexual harassment at the workplace in India

• Analyzing the state of Data Integrity Compliance in the Indian pharmaceutical industry

• Forensic Outlook 2015: Re-energizing corporate India’s ethics and compliance quotient

• Calibrating the pulse of Competition Law in India

• The whistle-blowing quandary: India Inc.’s journey from oblivious to obvious


Ernst & Young LLP

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit www.ey.com/in.

Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata - 700016

© 2015 Ernst & Young LLP. Published in India. All Rights Reserved.

EYIN1509-109


This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.


EY refers to the global organization, and/or one or more of the independent member firms of Ernst & Young Global Limited