Ease of Doing Business in India

A perspective on the risks and challenges

As most people are aware, India is a multi-cultural, multi-lingual society governed by a Federal system of governance – where the Central Government and several State Governments have their own jurisdiction and freedom in prescribing regulatory compliances.

Shri K.V. Subramanian, Chief Economic Advisor to the Finance Ministry, said at a press conference in New Delhi that if you want to start a restaurant business in New Delhi you need 45 documents to obtain just one of 26 licences – the one for getting a clearance from the Delhi Police. But if you want to own a gun, you need only 19 documents to get the go-ahead from the police. And the number of licences differs from city to city depending on which State it is located in. He was making the case for doing away with unnecessary controls.

While India has jumped up in the World Bank ranking for Ease of Doing Business (EoDB) to the 63rd position among 190 countries studied by it, there is still a long way to go for India. To understand what “Ease of Doing Business” (EoDB) means please read the Appendix given below.

In my opinion, the following are the top 5 risks and challenges that have to be addressed:

  1. Understanding the local language and geography of India: Any new venture’s first step is to understand the local culture and language of the place where it wants to set up business. If you want to set up a manufacturing unit in Tamil Nadu and employ local labour, guidance is required on all the nuances of how to deal with Trade Unions affiliated to different political parties. You could end up in major labour disputes and lockdowns if you do not have strong top and middle management who know the ground reality. There are various religious, ethnic and annual holidays – State-wise variations included – that one needs to consider even for business meetings or working days.
  2. Stability in Government policies: Every five years, when Central and State Governments in India see a change of the political party at the helm of affairs, a trend has been witnessed of ditching the previous regime’s policies and initiatives or stalling several projects.

One political party (DMK), when in power, sanctioned a hydrocarbon extraction project in Tamil Nadu. When a change in Government took place, the same political party (DMK) that had sanctioned it earlier opposed it tooth-and-nail – there is no logic or reason behind this except opposing for opposition’s sake – a case where “ease of business” is not considered. Several such examples can be given across many States where the ruling party is against the Central Government.

3. Reach of “real” education: Societal reforms begin with influencing the community on the major issues confronting them and what they could do to resolve them. This begins by emphasizing communal harmony, cooperation, and a voice against bribery and corruption. Continuous awareness campaigns and education must pervade all levels – from the super-rich celebrities (who don’t care a damn about anything other than their own careers) to the lowest level of poverty-stricken masses (who don’t care a damn about anything other than day-to-day existence). Unless the divisive tactics of vote-bank politics are shunned by society, there will always be dissent and roadblocks to any improvements to “ease of doing business”.

4. Prevention of bribes and corruption: Let’s face the facts on the ground. Although e-filing for building permits has shortened the time for sanction, the grim fact is that at the penultimate or final stage the file reaches an officer-in-charge who has to approve the sanction, and under the pretext of calling for clarifications there are many instances of underhand dealings (more so for high-value properties). Unless there is decency and decorum in governance for the benefit of people and businesses, everyone from powerful to petty politicians and boot-licking bureaucrats has a field day with their own interpretations of rules and regulations to harass applicants and make money.

New companies, existing companies wanting to expand operations, foreign investors – all of them face a high risk of being subjected to corruption in many forms. It is a serious issue, despite the Prevention of Corruption Act and the Companies Act, and is prevalent in the police, among politicians, in the judiciary, in public services and in public or private procurement. Measures like e-filing, single-window processing, e-auctioning, etc. may help to some extent, but ultimately the human interface at some stage of the process needs to be efficient and effective.

5. Start effective implementation, not just streamlining statutory regulations:

There is much confusion and a maze of laws in force in India (including archaic ones from the British regime). Implementation is haphazard and not effective; some of these laws are irrelevant in current times, but the statutes still stand and have not been repealed.

This makes investment in Indian business complex and risky – here are a few examples:

  1. Existing industries must have easy, single-point access to the compliance requirements and regulations that are relevant to them. Currently one needs a legal expert to wade through several laws to end up with a compliance checklist.
  2. Clarity must be provided to NRIs and foreign investors, in easily understandable language, about the various options available for them to invest and “make in India”. The short- and long-term impact of the option chosen must be explained, depending on the nature and size of the business – whether one should have a representative office, branch office, liaison office, private limited company, limited liability partnership, etc.
  3. Industry-specific regulations are plentiful – whether it is the services sector, banking and financial services, the telecom industry or any other – and each has to be complied with through a different agency: TRAI for telecom, RBI for banks and financial institutions, IRDA for insurance, FIPB for foreign investments and so on.
  4. The manufacturing sector has a plethora of laws that will bewilder a new start-up, and existing businesses have to be constantly vigilant about whether they are compliant with all applicable ones.
  5. Taxation laws are complex, do not enable businesses to do long-term planning on the likely outgo, and keep changing every fiscal year or even ad hoc at times.

 

APPENDIX

What is Ease of Doing Business? – www.makeinindia.org, an Indian Government website, has published the following information on the subject:

The Ease of Doing Business (EoDB) index is a ranking system established by the World Bank Group. In the EODB index, ‘higher rankings’ (a lower numerical value) indicate better, usually simpler, regulations for businesses and stronger protections of property rights.

The research presents data for 190 economies and aggregates information from 10 areas of business regulation:

  1. Starting a Business
  2. Dealing with Construction Permits
  3. Getting Electricity
  4. Registering Property
  5. Getting Credit
  6. Protecting Minority Investors
  7. Paying Taxes
  8. Trading across Borders
  9. Enforcing Contracts
  10. Resolving Insolvency

Rankings and weights on each of the mentioned parameters are used to develop an overall EoDB ranking. A high EoDB ranking means the regulatory environment is more conducive for starting and operating businesses.

Since assuming office in 2014, the Narendra Modi-led National Democratic Alliance government has pledged to improve the ease of doing business in India. Many action points have been completed by the Central Government on factors like starting a business, getting construction permits, trading across borders, enforcing contracts, getting electricity, registering property and paying taxes; some are still underway, and the States also have to step up their reform initiatives in this regard. (More details at //www.makeinindia.com/eodb)

Fraud Risks in the Banking industry

Recent news items of cases of frauds and abuses in banks and financial institutions in India

  • The Central Bureau of Investigation (CBI) registered a case on March 7, 2020 for alleged cheating, fraud and criminal conspiracy in the sanctioning of loans by YES Bank, with Kapoor in exchange receiving kickbacks from DHFL promoters Dheeraj and Kapil Wadhawan.
  • Punjab and Maharashtra Cooperative Bank (PMC Bank) has been facing regulatory action and investigation over alleged irregularities in certain loan accounts. The collapse of PMC Bank exposed a harsh reality – poor regulation allowed the bank to flout rules for years. The bank is accused of lending money to a real estate company – Housing Development & Infrastructure Ltd (HDIL) – through dummy accounts in the name of dead

Banks and financial institutions in our country have witnessed several cases of fraudulent practices that are rampant at the top management level and percolate down to the operational mid and lower management levels. Only the tip of the iceberg gets into a national-level debate – there are many more waiting to be discovered.

Why do you think that this is happening so often in the banking industry when people trust them and put their entire savings with these financial institutions?

The solution lies in taking a deep look into the internal processes and routines to find out whether there are enough checks and balances and controls – whether manual or software application controls – both are equally important.

It is a fact that vulnerabilities do and will exist in small or big, upcoming or established financial institutions. If the tell-tale signs are not recognised early enough, these organizations are sitting on a time bomb that could explode and damage their business, result in sanctions or even bankruptcy, temporary closure of offices and, of course, a tarnished brand image. (See the Annexure below for a sample checklist of fraudulent situations in banks / financial institutions that could result in losses, waste or abuse.)

Recognising these early warning signals or “risk factors” should help in mitigation and in avoiding losses to banks and financial institutions:

  1. Top management governance and oversight is poor, lacking or only ad-hoc – focus is on fire-fighting issues as and when they arise.
  2. There are only one or two officers in a bank / bank’s branch who have dominating control over all operations and decision-making.
  3. Records maintenance and documentation is inadequate, ineffective or even absent and the same is not questioned or given importance.
  4. Failure to file periodic regulatory or compliance reports with the Central Bank of the country or other statutory bodies.
  5. Systems and applications have poor internal controls set up for critical transactions.
  6. By-passing systems through manual intervention is possible and policies and procedures are flouted.
  7. The above aberrations are not noticed because of poor audit programs or they are not reported by the audit team.
  8. Personnel working in critical areas like loan sanction, investment and treasury departments are not rotated and not sent on compulsory leave periodically due to weak vacation policies.
  9. The four-eye principle for approvals and authorizations is not adequately applied or is by-passed due to weak internal controls.
  10. Insufficient segregation of duties in processes.
  11. No background checks for new recruits and inefficiencies not addressed through proper training.
  12. Absence of continuous communication on important policies on ethics and business standards and evaluation of their practices.

 

ANNEXURE

This list is by no means exhaustive, and it is the diligence of the banks’ audit (internal or external) that matters most. However, it may help in focusing deeper analysis of fraudulent situations in several areas of banking operations.

  1. Loans:
    1. Forged or fictitious loans to non-existing parties,
    2. accommodation or helping round-tripping of loans,
    3. collusion with politically exposed persons,
    4. loans to insider-related shell companies,
    5. embezzlement of escrow accounts,
    6. commission or kickback on loans,
    7. diverted recoveries of charged-off loans.
  2. Collaterals for loans:
    1. Improperly valued or undervalued collaterals accepted,
    2. forged certificates issued by illegal offshore companies,
    3. round-tripping transactions for payments,
    4. taking collaterals and releasing them prematurely.
  3. Investment and trading in the securities market:
    1. Collusion between a bank employee and trader to transact at inflated prices,
    2. Unauthorized purchases and sales of securities and covering it up,
    3. Not disclosing trading losses to management,
    4. Placing personal trading contracts through accounts to take advantage of bank’s volume discounts on brokerage,
    5. Trades placed based on inside information by an employee for himself/ herself, thereby making personal gains.
  4. Deposits from customers:
    1. Dormant or inoperative accounts misused by personnel for unauthorized transactions like withdrawals or coverups,
    2. Fictitious charges not part of the authorized list of charges,
    3. Manipulating dormant account balances to balance Trial Balance,
    4. Unauthorized overdrafts granted to deposit accounts and covering up,
    5. Withholding checks without proper reason and manipulation of accounts where the bank personnel is acting in a fiduciary capacity,
    6. Setting up fictitious accounts and withdrawing embezzled amounts from the bank.
  5. Correspondent bank accounts:
    1. Unreasonable delay in recording funds transfer and keeping money in float,
    2. Fictitious debits and credits,
    3. Fraudulent letters of credit issued,
    4. Issuing drafts without corresponding recording of transactions,
    5. Fake collections recorded.
  6. Cashier’s desk and transactions:
    1. Covering end of day cash shortage with receipts from next day,
    2. Repetitive excess and cash shortages,
    3. Theft of cash by teller – either singly or in collusion with another staff,
    4. Not reporting large currency transactions that are suspicious cash deposits or withdrawals.
  7. Accounting income and expenses:
    1. Window dressing with inflated expenses,
    2. Fraudulent rebates and write-offs on loan interest to select clients,
    3. Hiding unreconciled accounts as suspense accounts in Trial Balance,
    4. Under-valuation or ignoring of Non-Performing Assets (NPAs),
    5. Over or under provisions in the Profit and Loss Account.

Digital risks and Cyber risks – are they the same?

There are many definitions floating around digital risk management and cyber security risk management. The words “digital risks” and “cyber risks” are sometimes loosely used as synonyms by many.

Here are my thoughts and perspectives on the understanding of these terms:

Digital risks are those risks involved in adopting Digital initiatives or bringing in “digital transformation”. As against a manual approach, digital transformation uses electronic systems, tools, resources and methods to transact, communicate, record, approve, report and analyse data of any organization. This entails users and employees accessing software solutions such as email systems, in-house business applications, 3rd party application software, other tools, etc. using front-end devices like desktop computers, laptops, emails, mobile phones, tablets, etc. These could be supported either locally on the devices on the client-side or on back-end Servers, “cloud” Servers (public or private) and service providers who provide SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) or IaaS (Infrastructure-as-a-Service).

Cyber security risks are those that arise mostly from the environment external to an organization and could result in a potential loss, breach of data or harmful disruption to business. A few examples are ransomware, phishing mails, virus attacks, hostile hackers, competitors, social engineering, and poor configuration controls in systems, applications and cloud environments – these arise from external attacks that take advantage of internal security lapses. These risks have to be dealt with as close to real time as possible, and may require the use of threat intelligence tools backed by a comprehensive security program.

Here is a quick overview of the various stages of digital transformation an organization may adopt. Each of those levels requires a different set of actions for managing both digital and cyber security risks. There is no “one-size-fits-all” answer to managing different types of risks. However, keep in mind the big picture: poor controls (in whatever form – physical, digital technology, application or software solution security flaws, device-dependent issues, people-related insider or outsider frauds, process flaws) need to be addressed in order to mitigate both digital and cyber security risks.

  1. Level 1: The digital adoption or transformation journey for an organization (especially a newly set up business or an upcoming small and medium business) can start from the implementation of a basic financial accounting software (may be even a client-server or a desktop version) that reduces manual activities in finance and accounting processes.
    1. Digital risks: Excessive authorization rights (Access Control), insufficient internal controls, insider frauds.
    2. Cyber security risks: Minimal, if not exposed to the internet.
  2. Level 2: The evolution of large enterprise software can be traced back to its humble beginnings in financial accounting software. “Enterprise Resource Planning” software (ERP) encompasses digitizing almost all business functions and operations with tight integration between different business processes. It may also provide good process controls that can be implemented as per the organization’s requirements. The digital transformation journey started with many companies benefitting greatly from the adoption of a good ERP system. This was generally implemented using in-house resources and managed internally by their own IT departments.
    1. Digital risks: Excessive authorization rights (Access Control), insufficient internal controls, absence of testing automated, semi-automated and manual controls, insider frauds.
    2. Cyber security risks: If access is limited to only on-premise authorized employees of the organization, then the risk can be perceived as limited. However, if exposure via WAN /LAN is enabled, then cyber risks require monitoring.
  3. Level 3: Some small organizations took to “cloud solutions” available on a pay-per-use basis, i.e. SaaS (Software-as-a-Service), saving them time and budget.
    1. Digital risks: Excessive authorization rights (Access Control), insufficient internal controls, absence of testing automated, semi-automated and manual controls, insider frauds.
    2. Cyber security risks: Risk in security offered by CLOUD solutions.
  4. Level 4: As technology took leaps and bounds, and with the explosion of the internet and the possibilities it offered for collaboration internally with workflow tools and externally with vendors, customers, partners and other supply chain entities, there opened up new business models such as B2B, B2C scenarios that made agile business processes and decisions possible. Providing a window for business partners to complete the supply chain visibility became a possibility.
    1. Digital risks: Excessive authorization rights (Access Control), insufficient internal controls, insider frauds.
    2. Cyber security risks: Risk of exposure of part of the business application processes to partners, customers and suppliers; payment gateway interfaces and integration.
  5. Level 5: Outsourcing business functions became a worthwhile option for many large conglomerates who wanted to focus on their key strategic business processes. This led to what is known as the “Business Process Outsourcing” or BPO model. Boundaries extended beyond countries, with examples of companies outsourcing their operations to other countries across continents, making it a truly borderless operation.
    1. Digital risks: Risk of information leakage, excessive authorization rights, sufficiency of internal controls, the choice and security aspects of the BPO’s software for processing and transmission of data.
    2. Cyber security risks: Risks arising out of phishing, hacking, virus attacks, etc. of BPO’s systems and software.
  6. Level 6: Technology saw a boom in the electronics and telecommunication industry, where devices such as mobile phones, iPads, etc. became tools for remotely controlling your business processes wherever you were physically present. Many emerging (and still evolving) authentication mechanisms like the One Time Password (OTP), two-factor authentication with password and OTP, biometric devices and facial recognition software made it possible for businesses to adopt this in their digital transformation journey.
    1. Digital risks: Risks associated with log-in, password policies and authentication mechanisms for providing access to remote applications.
    2. Cyber security risks: BYOD (Bring Your Own Device) policies requires periodic checks on the devices (updates, virus checks, etc.), phishing, hacking, external cyberattacks.
  7. Level 7: With the green environment revolution taking roots, investing in more hardware and software and server “farms” exclusively for one organization became not only costly but also unmanageable and environment unfriendly. The PUBLIC / PRIVATE CLOUD options and the HYBRID option (having some processes within in-house systems and the rest on cloud environment) became attractive. The maintenance of in-house infrastructure was seen as an expendable activity wherever possible and the resultant cost savings benefitted the businesses.
    1. Digital risks: Private cloud – all digital risks mentioned in Level 2, 3, 4
    2. Cyber security risks: Adequacy of security in public cloud and hybrid environments.
  8. Level 8: The “Internet of Things” (IoT) (a system of interrelated, internet-connected objects that are able to collect and transfer data over a wireless network without human intervention), the “Industrial Internet of Things” (IIoT) (using IoT for industrial sectors and applications, including robotics, medical devices and software-defined production processes), Artificial Intelligence (AI), Machine Learning (ML), Deep Learning (DL), etc. have redefined how businesses (and even individuals at home) interact with devices that use these technologies.
    1. Digital risks: Risk related to extent of data exposed by the devices and the access controls related to the same.
    2. Cyber security risks: Risk of misuse of remote access by the manufacturers of devices, data privacy breaches, hacking of devices.
  9. Level 9: Increased use of social media and open platforms brought about an explosion of BIG DATA that was continually being generated, examined and utilized by business providers and one had to look to Data Scientists to provide the means for analysis using tools for predictive analysis and behaviour, consumer analytics and intelligent push mechanisms using AI and ML, etc.
    1. Digital risks: Risk of improper modelling techniques that gives wrong results, risk of exposure of data and sensitive information.
    2. Cyber security risks: Misuse of Social media footprints, breach of private information, hacking of sensitive data, etc.

CHECK WHICH LEVEL YOUR ORGANIZATION IS IN AND DELVE DEEP INTO THE VARIOUS DIGITAL AND CYBER SECURITY RISKS FOR EFFECTIVE RISK MITIGATION TECHNIQUES.

Assessing Cyber security risks

Technology is permeating all aspects of business at an increasing rate. New ways of conducting business processes – remote access, BYOD (bring your own device) and now WFH (work from home) – are bringing about an incredibly broad and diverse domain of cyber risks that are here to stay.

An Enterprise Risk Management (ERM) program has to include cyber security risks as one of its key strategic risk components to be assessed and managed regularly, just as how financial or other business process related risks are measured, monitored, mitigated and reported.

This approach is really the crux of what is called a new approach – IRM (Integrated Risk Management). There are many proponents who have backed this and other three-letter acronyms, pointing out the benefits of each and opining how the others have gone out of existence. In my opinion, a truly integrated view (call it by whatever acronym – ERM, GRC, IRM) of Enterprise Risk Management must consider all risk factors and different risk domains.

This brings us to the next question on how to assess, measure, monitor and report on cyber security risks.

Traditionally, a financial, regulatory or operational risk is classified and defined based on its “causes and effects”. Examples such as these are well known – what happens if the bank lending rate increases, what would be the impact on imported materials if the exchange rate fluctuates, where to source in the event of a critical supplier’s bankruptcy, why is our stockyard not insured against theft, what if a new regulation imposes restrictions on trade, etc.

This leads to the next step of assessing, measuring and calculating that risk. Normally risk managers, with the help of the business, measure the “impact” of that risk – either in monetary terms or qualitatively – and multiply this by a factor called “probability of occurrence”, “likelihood” or “odds of happening” – either as a percentage (0-100%) or as a risk score. Low-impact events with high probability are given a lower ranking than high-impact events with low probability, and the results can be represented in what are called “heat maps” to draw attention to the red areas requiring immediate attention.

Cyber security risk assessment challenges:

  1. Security experts and the CISO’s office are mostly so caught up with measuring technical exposures, discovering vulnerabilities and evaluating tools that they hardly spend time on seeing the connection with the business impact. The security teams and the business do not align their risk definitions so as to have their understanding at the same level.
  2. “Threats”, “Vulnerabilities” and “Risks” are many a time used interchangeably.
    1. “Threats” represent something that might happen. Natural threats like floods, earthquakes or tornadoes can be acted upon in advance based on weather forecasts or previous learnings. However, cyber security threats (conducted by threat actors or hackers) that aim to steal or destroy data or disrupt business operations are real fears that organizations have to be concerned about. Examples of such threats are very many and keep growing in different forms – viruses, ransomware, malware, phishing, social engineering, denial of service attack, data breaches, complete shutdown of assets, etc.
    2. “Vulnerabilities” (in the context of systems) represent weaknesses in hardware, networks or software. In business and other applications these vulnerabilities are normally patched up periodically by the vendor/ manufacturer and applied by the security organization. Other examples like unsolicited emails or phishing attempts also can make the system vulnerable to attacks. Unauthorized access (whether intentional or unintentional, whether by insiders or outsiders) to applications and data centers violates and bypasses security policies and the person/s can take advantage of the vulnerability.
    3. “Risks” are those things that can potentially harm the IT systems and the business. Risk is a function of both “threat” and “vulnerability”: a high likelihood of a threat against a known vulnerability is seen as a high risk factor, whereas a low-level threat against a less vulnerable asset can be classified with a lower risk rating.
  3. Quantifying the business impact of a cyber security threat event is a very difficult task bordering on the impossible. Estimating the probability of its occurrence is even harder because of the evolving technological advances and new ways in which breaches can occur. Cyber security has always been considered as a tactical response to threats – either a security breach occurred or it did not. Thinking about what is the business impact of the risk of a threat occurring requires putting on a different thinking cap. Currently the majority thinking is that if a cybersecurity breach does not occur then it is not a risk to be addressed on priority.
  4. A big challenge today is that the technically-oriented CISO’s office understands the need for preventing security attacks but not how to express the ramifications of those attacks in business terms. Security experts understand and articulate that if, for example, a vulnerability in the network or an application is not patched up, there could be a threat of theft of database or network downtime. However, they are not able to put up in front of the Board or the CFO, a business-focused description like “setting up preventive measures will reduce the risk of exposure to the customer database, which if exposed will cost an estimated “x” amount of money in lost business, expenses and litigation” or “critical enterprise wide applications hacked through social engineering techniques have to be monitored as close to real-time to identify the attacker and the employee/s involved to prevent the risk of loss of financial results that could swing the stock market adversely by x%”.
  5. The above subjective assessment is only a starting point and can have many holes poked in it. It is not straightforward like financial transactions, which have honed the metrics for calculation – every cybersecurity breach is different, unprecedented and unpredictable with ever-changing technology.
  6. Many vendors offer applications that promise nice and jazzy scorecards. But behind all that there are tons of work to be done to ensure meaningful data – identifying risk factors, classifying and documenting all the assets, and feeding it into one of these systems.
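The impact × likelihood scoring, the heat-map buckets and the threat/vulnerability ranking rule described above, worked through on a small constructed risk register; this is an added example, not code from the original article, and the 1–5 scales, zone thresholds, register entries and all monetary figures are constructed assumptions. It also shows that the qualitative score and the monetary expected-loss view of the same register can rank the risks differently, which is the gap between the CISO’s office and the CFO that the text describes.

```python
"""Scoring a cyber risk register: impact x likelihood, heat-map zones.

Added example (not from the article): the scales, thresholds, register
entries and all monetary figures are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed 1..5 ordinal scales for the two factors the text multiplies.
IMPACT: Dict[str, int] = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass(frozen=True)
class Risk:
    rid: str                         # register id
    threat: str                      # what might happen
    vulnerability: str               # the weakness the threat would exploit
    impact: str                      # qualitative impact rating (key of IMPACT)
    likelihood: str                  # qualitative likelihood rating (key of LIKELIHOOD)
    loss_if_occurs: float = 0.0      # monetary impact estimate (constructed)
    annual_probability: float = 0.0  # probability of occurrence in a year, 0..1 (constructed)


def qualitative_score(risk: Risk) -> int:
    """Impact x likelihood on the ordinal scales (1..25)."""
    return IMPACT[risk.impact] * LIKELIHOOD[risk.likelihood]


def expected_loss(risk: Risk) -> float:
    """Monetary view of the same product: loss x probability."""
    return risk.loss_if_occurs * risk.annual_probability


def zone(score: int) -> str:
    """Heat-map colour for a qualitative score (thresholds are an assumption)."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def rank_by_score(register: List[Risk]) -> List[str]:
    """Highest score first; on equal scores the higher-impact risk wins,
    so a severe/rare event outranks a negligible/almost-certain one."""
    ordered = sorted(
        register,
        key=lambda r: (qualitative_score(r), IMPACT[r.impact], LIKELIHOOD[r.likelihood]),
        reverse=True,
    )
    return [r.rid for r in ordered]


def rank_by_expected_loss(register: List[Risk]) -> List[str]:
    """The CFO's ordering: highest expected monetary loss first."""
    return [r.rid for r in sorted(register, key=expected_loss, reverse=True)]


def heat_map(register: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """(impact, likelihood) -> register ids landing in that cell."""
    grid: Dict[Tuple[int, int], List[str]] = {(i, l): [] for i in range(1, 6) for l in range(1, 6)}
    for r in register:
        grid[(IMPACT[r.impact], LIKELIHOOD[r.likelihood])].append(r.rid)
    return grid


def render_heat_map(register: List[Risk]) -> str:
    """Text rendering of the 5x5 grid, severe impact on the top row."""
    grid = heat_map(register)
    header = "impact \\ likelihood | " + " | ".join(f"L{l}".center(7) for l in range(1, 6))
    rows = [header]
    for i in range(5, 0, -1):
        cells = [(",".join(grid[(i, l)]) or "-").center(7) for l in range(1, 6)]
        rows.append(f"I{i}".center(20) + "| " + " | ".join(cells))
    return "\n".join(rows)


# Constructed register mirroring the kinds of threats and weaknesses named in the text.
REGISTER: List[Risk] = [
    Risk("R1", "ransomware", "unpatched file server", "major", "possible", 5_000_000, 0.30),
    Risk("R2", "phishing credential theft", "no second factor on remote e-mail", "moderate", "almost certain", 500_000, 0.80),
    Risk("R3", "insider loan fraud", "excessive ERP rights, no segregation of duties", "severe", "rare", 20_000_000, 0.05),
    Risk("R4", "spam flood on public mailbox", "no mail filtering", "negligible", "almost certain", 2_000, 0.95),
    Risk("R5", "data theft via partner portal", "legacy application not patched", "major", "unlikely", 3_000_000, 0.10),
]

if __name__ == "__main__":
    for rid in rank_by_score(REGISTER):
        r = next(x for x in REGISTER if x.rid == rid)
        s = qualitative_score(r)
        print(f"{rid} {r.threat:<30} score={s:>2} zone={zone(s):<5} expected loss={expected_loss(r):>12,.0f}")
    print("by expected loss:", rank_by_expected_loss(REGISTER))
    print(render_heat_map(REGISTER))
```

Note how R3 (severe but rare) and R4 (negligible but almost certain) tie on the raw product, and only the impact tie-break gives the ordering the text asks for; in the monetary view R3 jumps to second place.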

Make a start in addressing the challenges

  1. Ensure that you present the importance of cyber security to the Board level executives, not by scary stories that happened recently at a different organization, but by articulating clearly the specific business objective that would be impacted if a particular threat is not addressed to mitigate or lower the risk, how this would be done and what would be the cost of mitigation. This would bring about clarity to both IT and business on why the budget needs sanction.
  2. Bring your IT team resources on the same page on understanding the context in which risk management has to be aligned at the enterprise level.
  3. Make sure everyone understands the various terms like threats, vulnerabilities and how risks can be rated or calculated – whether subjectively at first and then gradually move up the ladder to more complex metrics to quantify the same.
  4. Invest time in making and checking an inventory of all system and IT resources and document them for risk and control assessment plans. Make sure that acquired or merged organizations are included in the overall landscape assessment.
  5. Do not just focus on the “perimeter” risks (such as firewalls, sniffers, etc.) – there are already a host of tools that address these well at the technical level.
  6. Make sure to look at vulnerabilities in internal home-grown applications, legacy systems, ERP applications, user access controls, physical access controls to server rooms, etc. Addressing potential insider threats is equally important as identifying and preventing external attacks.
  7. The various logs streaming in from applications, together with audit logs, carry a lot of information on activities and their patterns. Look out for tools and solutions that can help you collate and analyse them as close to real time as possible, in a meaningful, human-readable form, so that actions can be taken.
  8. Performing what-if scenarios for possible breaches, use of artificial intelligence and machine learning algorithms applied on various log databases can help a lot in reporting and prevention, but it still requires human interpretation to make decisions.
  9. Conduct periodic penetration testing by third parties and ethical hackers to assess and measure the areas and level of vulnerability present in the system landscape.
  10. Be realistic in assessing how long it would take to mitigate newly discovered threats, rank them in the order of risk priority before committing to bring the risk down to an acceptable level.
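The following is an added example, not code from the original article: a small risk register that works through points 1, 3 and 10 above. Each risk is tied to the business objective it threatens, rated subjectively first on 1-5 likelihood and impact scales, re-rated with a quantitative expected-loss figure where one is available, and finally ranked in priority order with its mitigation cost and time estimate beside it. The scales, risk names and figures are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    business_objective: str        # the objective hit if the threat materialises
    likelihood: int                # 1..5 subjective rating (1 = rare, 5 = almost certain)
    impact: int                    # 1..5 subjective rating (1 = negligible, 5 = severe)
    mitigation_cost: float         # one-off cost, in currency units, to lower the risk
    weeks_to_mitigate: int         # realistic effort estimate for the mitigation
    annual_frequency: Optional[float] = None   # second pass: expected events per year
    loss_per_event: Optional[float] = None     # second pass: expected loss per event

    def qualitative_score(self) -> int:
        """First-pass rating: likelihood x impact on the 1..5 scales, giving 1..25."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be in 1..5")
        return self.likelihood * self.impact

    def expected_annual_loss(self) -> Optional[float]:
        """Second-pass metric: frequency x loss per event, or None if not yet quantified."""
        if self.annual_frequency is None or self.loss_per_event is None:
            return None
        return self.annual_frequency * self.loss_per_event

    def mitigation_pays_off(self) -> Optional[bool]:
        """Does one year of avoided expected loss exceed the mitigation cost? None if unquantified."""
        eal = self.expected_annual_loss()
        return None if eal is None else eal > self.mitigation_cost


def rank_risks(risks: List[Risk], quantitative: bool = False) -> List[Risk]:
    """Order risks by priority: highest score first, cheaper mitigation first on ties.

    With quantitative=False every risk is ranked on its subjective score; with
    quantitative=True only risks that have frequency and loss figures are ranked,
    on expected annual loss, mirroring the move from subjective ratings to metrics.
    """
    if quantitative:
        candidates = [r for r in risks if r.expected_annual_loss() is not None]
        score = lambda r: r.expected_annual_loss()
    else:
        candidates = list(risks)
        score = lambda r: r.qualitative_score()
    return sorted(candidates, key=lambda r: (-score(r), r.mitigation_cost))


def mitigation_plan(risks: List[Risk], budget: float,
                    quantitative: bool = False) -> Tuple[List[Risk], float, int]:
    """Fund mitigations in priority order until the budget is exhausted.

    Risks whose mitigation no longer fits the remaining budget are skipped rather
    than stopping the plan. Returns (funded risks in order, total cost, total
    weeks if the mitigations are carried out one after another).
    """
    funded, spent, weeks = [], 0.0, 0
    for risk in rank_risks(risks, quantitative):
        if spent + risk.mitigation_cost <= budget:
            funded.append(risk)
            spent += risk.mitigation_cost
            weeks += risk.weeks_to_mitigate
    return funded, spent, weeks


# A constructed register; names and figures are invented for illustration, not real data.
RISKS = [
    Risk("Unpatched legacy ERP server", "Order processing uptime",
         likelihood=4, impact=4, mitigation_cost=60_000, weeks_to_mitigate=8,
         annual_frequency=0.5, loss_per_event=400_000),
    Risk("Phishing of finance staff", "Payment integrity",
         likelihood=5, impact=3, mitigation_cost=15_000, weeks_to_mitigate=4,
         annual_frequency=2.0, loss_per_event=50_000),
    Risk("Server room without access logging", "Customer data confidentiality",
         likelihood=2, impact=5, mitigation_cost=20_000, weeks_to_mitigate=6),
    Risk("Shared admin accounts in home-grown app", "Audit trail for transactions",
         likelihood=3, impact=3, mitigation_cost=10_000, weeks_to_mitigate=3,
         annual_frequency=1.0, loss_per_event=30_000),
]


def board_summary(risks: List[Risk], budget: float) -> List[str]:
    """One line per funded risk, phrased around the business objective, for the Board."""
    funded, spent, weeks = mitigation_plan(risks, budget)
    lines = [f"{r.name}: protects '{r.business_objective}', "
             f"score {r.qualitative_score()}/25, cost {r.mitigation_cost:,.0f}, "
             f"{r.weeks_to_mitigate} weeks" for r in funded]
    lines.append(f"Total: {spent:,.0f} of {budget:,.0f} budget, {weeks} weeks sequentially")
    return lines


if __name__ == "__main__":
    for line in board_summary(RISKS, budget=80_000):
        print(line)
```

With the constructed register and an 80,000 budget, the two highest-priority mitigations are funded and the other two are deferred, which is exactly the trade-off the Board needs to see spelled out.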

To sum up, assessing cyber security risks and identifying threats and vulnerabilities is a continually evolving subject, not an exact science. It is a new discipline that requires strategic thinking and cooperation between top management, finance experts and the IT / CISO’s office.

Assessing Business Resilience

Business resilience determines to a great extent whether a business can continue or not. The risk of failing to forecast and build the business resilience needed to weather a disaster is the most significant risk that could affect the continued existence of an organization.

What is Business Continuity?

Business continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)

A “Crisis” is an abnormal situation that threatens the operations, staff, customers or reputation of the organisation. Many business crisis situations can be foreseen (for example, a supply disruption, a logistics crisis or a financial crunch), and a crisis can be handled through emergency response or recovery plans for that particular incident.

On the other hand, a “Disaster” can be defined as an unplanned interruption of normal business processes that cannot always be foreseen. Disasters can be natural or man-made. They can interrupt business processes so severely as to threaten the continuance and viability of an organization.

Over the years, man-made and natural disasters have exposed the vulnerability of businesses on a global scale. Many Business Continuity Plans that are well laid out, documented and exercised in normal times do not hold good in times of disaster.

Disasters, by their very definition, do not happen at a convenient time and are always unpredictable, making it difficult to forecast their impact. There is no way of knowing when one will strike, the form it will take or the damage it can cause.

Take for example the current COVID-19 pandemic: is it a natural disaster or man-made? Many differing opinions exist on this subject.

The COVID-19 pandemic and its severity across the world have thrown all business, trade, commerce and logistics operations into disarray. Even the best-laid crisis management / disaster recovery / business continuity planning could not have forecast the severity of this threat and its impact.

However, that does not mean one should not attempt to understand the impact of various disaster scenarios and plan an effective response; this is key to business continuity and resilience building.

Business Resilience (BR in short) is dependent on many factors:

  1. Financial resilience: This is a no-brainer: any organization that is strapped for cash and liquidity during the crisis is likely to succumb faster than companies with reserves to see them through the difficult times.
    1. Receivables management and avoidance of bad debts should be the primary focus to strengthen cash and liquidity positions.
    2. During a crisis of the nature of a worldwide pandemic, suppliers, their stability and supply availability directly impact working capital, raw materials and the ideal stock levels to be maintained.
    3. Bank loans, interest moratoriums and other debt facilities will have to be re-examined and restructured.
    4. The organization may be unable to adhere to existing agreements such as leases, rentals and customer commitments on agreed due dates, or to operational restrictions brought in by regulatory authorities for the common good.
    5. Top management will face challenges in estimating reasonably possible future cash flows in uncertain conditions.
    6. Unlike in traditional budgeting, relying on historical data to project future business is not going to be of use.
    7. There is a big question mark over what the “new normal” is and how it will look for each industry and within organizations.
    8. As estimates become more complex, it will be difficult to show adherence to existing audit and accounting standards and to convince the Audit Committee of the assumptions underlying such estimates.
    9. Last but not least, is the “going concern” criterion met? The assumptions underlying that certification may be complex and difficult, and will have to pass the auditors’ test before reporting and disclosure to key stakeholders.
  2. Physical resilience: How deeply affected are an organization’s locations / premises / access to facilities, and how long will it take to restore normalcy? This is an important factor in assessing how quickly the business can spring back. Is there adequate insurance cover for such contingencies?
  3. Data Protection Plan: Is there a plan in place that ensures your existing data is retained and protected? The company’s computing resources (servers, networks, firewalls, access authorizations, hardware and software, etc.) need to be protected and safeguarded. This is a must if the Information Systems are to remain available at a basic level during the crisis without losing critical business information.
  4. Customer retention: Brand loyalty and assured customer retention make it easier to estimate potential earnings once normalcy is expected to return to the economy. This factor is more pronounced in retail and FMCG industries, where customers can easily switch between brands. However, existing revenue contracts may need to be revisited, reviewed and revised in the light of the shutdown.
  5. Employee retention: An organization that lays off employees during a pandemic or crisis will take longer to find replacements or skilled people when it wants to get back to business. Migrant workers who have acquired skills in many industries may not wish to relocate again and may find better alternatives in their home locations. A shortage of adequate and appropriate human resources may impact the organization’s resilience in the long run.
  6. Workplace transformation: During a pandemic (such as COVID-19), not all essential operations can come to a sudden standstill. It is important to ensure that basic activities go on without exposing employees to infectious disease. Organizations that can quickly bring in, enable and encourage “Work from Home” alternatives can adapt to the situation and show more resilience than those without the infrastructure to adopt such measures.
  7. Digital transformation and adoption: Resilient organizations are always at the forefront in being flexible and adaptable to new technology and embracing digital transformation. However, this adoption and transformation depends on financial readiness and budget allocation in times of crisis.
  8. Emotional / psychological resilience: In the end it is the human psyche that matters: whether the key stakeholders are mentally resilient and steadfast about continuing the business, and about the form in which it can be carried on in future. Small and medium businesses may fold up in their current locations, larger organizations may look at mergers and amalgamations, and start-ups may see a bleak future in the near term.

What is Business Continuity Management (BCM)?

Organizations lay down Business Continuity Plans for their various business processes, with emphasis on Information Systems, and execute and audit them at regular intervals to ensure the organization is prepared to handle any event, incident or crisis.

Business continuity management (BCM) enables organisations to restore their businesses to normal operations following an unanticipated disaster or business interruption. To date, however, the corporate BCM capabilities necessary to establish that resiliency have generally ranged from absent to insufficient.

Can a disaster (except perhaps a cyclone or typhoon with a weather forecast) be predicted with near accuracy? Can one predict whether the business will be resilient after the effects of the disaster, say an economic downturn, depression, catastrophic effects on humans, or country-wide regulations and lockdowns?

Assessing operational / financial resilience in Business Continuity Plans is not limited to Information Technology risks (protecting information assets and financial information). There is a great difference between executing BCM audits in normal times and during unexpected natural or man-made disasters like the pandemic we are currently facing.

Is your information really secure?

Cyber security risk management is no longer confined to solid firewalls and state-of-the-art Virtual Private Networks. A video that recently caught my attention may make you rethink the cyber security programs you have (or intend to have). Have a look (video credit: CNA Insider).

Here are the factors one should focus on and strategize around before embarking on building or strengthening cyber security risk assessments. Break them down into segments based on users, data, location and devices. Security risk assessments must take a holistic approach that includes human vulnerabilities as well, not just machines and devices.

  1. What is the kind of data you want to protect – your business assets (physical, financial and information), employees’ data, client/customer information?
  2. Where is your data located: in the cloud or on premises? Think through and evaluate your cloud security concerns, whether you are in a shared tenancy or a private cloud. Even if your cloud service provides basic risk management techniques, you are still responsible if your data in the cloud is leaked.
  3. Do the applications you run (or intend to run) have basic security built in? Do they provide context-based sign-in before granting access? Do they offer the flexibility to set up multi-factor authentication on different devices such as mobiles, tablets and laptops?
  4. Have you categorized your users? (like how many are temporary / contractual / permanent etc.) Who needs to have privileged access to critical data and transactions?
  5. What kind of devices do users use for performing their tasks – whether within the perimeter or firewall of the company or from the outside?
  6. Should you use a “zero-trust” security policy? When employees are allowed to “bring-your-own-device (BYOD)” (as some companies do), can you take the risk of an infected device that may share information with a hacker or subject your organization to a malicious attack?

When evaluating security solutions, keep in mind:

  • Solutions that protect the “perimeter” of the company (firewalls, anti-virus / anti-malware software, anti-phishing devices, network sniffers, etc.), which is mainly the border around its physical locations and intranets, are not sufficient. Most such solutions are not capable of understanding application security breaches and proactively informing the CISO’s office of the risks so that the breach can be plugged immediately.
  • Large companies with a geographical spread have a different set of requirements to deal with than small or mid-size companies.
  • Companies that still rely on old / legacy systems, which are proprietary in nature and not amenable to the latest technology upgrades, make the security scenario more complex.
  • Look for solutions that help you centralize the various types of log information in real time (or close to real time) from multiple systems. They must be capable of tracking an inventory of multiple devices (networks, servers, terminals, mobile devices, laptops, access and audit logs, wireless access from extranets, etc.).
  • They should be able to track users, their roles and their usage of the various actions / tasks within the system, and ensure that context-based risk assessment is done periodically. Ensure you have up-to-date information about everyone (employees, customers and suppliers) who has access to your systems and about the devices they use.
  • Placing your single sign-on outside your perimeter (on the internet) may require a lot of thought, not only because of the complexity of the scenarios but also because of legal compliance requirements (such as data privacy laws).
  • Migrating to a cloud environment requires you to evaluate and assess security risks carefully, including whether your cloud service provider is experienced enough to look at the larger security picture: not just employee access, but also the B2B or B2C scenarios used by your organization.
  • Do not make security risk assessments a quarterly or annual affair; they should be an ongoing exercise, best implemented as part of daily operations so that you are proactively alerted and can react to breaches before severe damage is done.

My take on IRM and GRC

The next buzzword after GRC (Governance, Risk and Compliance) is now IRM (Integrated Risk Management). (Not to be confused with another acronym “IRM” which denotes “Information Rights Management” which is a form of IT security technology for protecting access to sensitive documents and emails.)

Why place so much emphasis on new acronyms and confuse practitioners of risk, control and compliance? Why debate whether GRC is dead and IRM is the new norm? Would it not be better to get down to basics and understand the importance of, and the concepts behind, each of those words? (People generally like to put old wine in a new bottle to keep the interest going.)

Technology, when properly deployed, has always been and still is capable of giving an integrated view of things in an organization.

But jumping into a technology approach without proper understanding by all stakeholders concerned leads to quick disillusionment and project failure.

It is a fact that silos exist in several organizations. This is mainly because different departments (finance, internal audit, the risk committee, operational heads) cocoon themselves in their own departmental priorities and take a short-sighted approach. Their reasons and defences are many: inertia about collaborating with other stakeholders, ego issues over whose approach is better, a “get-it-done-with” attitude, citing shortage of staff, and insufficient budget that makes them adopt sub-optimal solutions. The top reason could also be that the C-level is not apprised of the benefits, or does not consider these initiatives as adding to top-line revenue!

Quoting Gartner’s definition: Integrated risk management (IRM) is a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.

Since the summer of 2018, Gartner has been moving away from GRC (Governance, Risk and Compliance) towards IRM (Integrated Risk Management).

In my perspective, if one forgets the acronyms (GRC and IRM) and looks at the concepts being espoused, one can see that the fundamentals have not changed; the emphasis is on a holistic approach to better management of risks arising out of poor governance, failed business controls, non-compliance, weak IT security leading to data breaches, external threats, etc.

To elaborate further, what all of us (or most of us) understand and agree on at a high level are the following points:

  • There is no “business” or “for-profit” organization without taking calculated risks. Managing those risks intelligently and on time ensures business continuity and success. That is why “Risk Management” belongs in all decision-making processes.
  • In the long run, only integrity pays; ethical practices in business help its brand value and survival, while others simply vanish. This is what we understand as the “Governance” standards set by the entrepreneurs and promoters, which the top management is expected to follow and communicate to the operational teams.
  • “Governance” has two aspects: one set of internal practices and policies set up by the management, and another set of operational, tax and statutory compliances set up with respect to particular industries, countries and communities. The latter broadly comes under the “Compliance” umbrella.

On a deeper level, one can see that all the above points are intertwined and none can exist without the others:

  • Governance cannot be enforced without proper formulation and communication of the internal policies (corporate-specific procedures and ethical practices) that the management envisions, and without laying emphasis on external compliance to ensure business continuity. It is a failure of governance if business risks are not identified, assessed and mitigated on time. Governance also implies that proper internal controls are in place and working effectively.
  • Compliance does not stand alone: failure to comply, whether with internal policies (such as purchase or pricing policies) or with external statutes (such as taxation), is a reflection of poor business controls.
  • Risk awareness is the overarching umbrella that recognises threats to business continuity, whether arising from poor governance, improper compliance, inadequate IT security measures to protect data, or ineffective business controls in processes that could lead to fraud.

The bottom line: all organizations wishing to set up a framework for Governance, Risk Management and Compliance need to consider the following:

  • have a holistic understanding of and approach to the proposed integrated framework, including all functions and processes, not just finance, internal audit or SOX compliance. External threats such as legal risks, brand risks, cyber security, IT risks, conflicts of interest that result in abuse and fraud, and environment, health and safety risks deserve equal importance when we talk about a sustainable business in the long run.
  • bring all stakeholders onto one page through workshops, discussions, whitepapers, surveys, opinions, etc.,
  • don’t jump into a technology solution without assessing preparedness and maturity of all functions,
  • as far as possible avoid siloed programs (that are focussed only on a particular function or department),
  • even if you have to start small (if there are budget or resource constraints), never compromise on the big picture of where you want to be at the end of the program,
  • keep in mind an integrated approach that ties together all types of internal or external risks to the enterprise.

My random thoughts on societal risks

A certain heart-wrenching and gruesome event that happened very recently, and the subsequent findings by the police / investigation agencies (read here: //timesofindia.indiatimes.com/city/hyderabad/accused-returned-to-spot-to-ensure-body-was-burnt/articleshow/72323219.cms), will touch the heart of any good person (of whichever country, religion, caste, creed or colour). What is more shocking is that of the four accused, one is a minor boy aged about 15.

Another woman, aged 35, was also burnt alive, and her body was found a couple of days after the above incident, close to the same venue.

It makes me wonder where we keep going wrong in preventing torture and crimes against women. In my opinion, “women at risk” is a topic so pressing today that even discussions about mitigating business risks should take a back seat for some time.

Catching the culprits and snuffing out their lives through capital punishment is only momentary solace and will seem like quick justice to the parents and loved ones of the deceased. There are, and will be, many more offenders lurking for an opportunity to assault women for whatever reason. This is borne out by the fact that, after the shocking “Nirbhaya rape and murder” that shook the nation a couple of years ago, such an incident has happened again.

  • Is it the victim’s fault that she was a good-looking young girl?
  • Is it wrong that she was in a profession that required her to work late evening?
  • Can you lay the blame on her being unaccompanied by a chaperone at that time?
  • Is it right to say that women should never venture out alone after sunset?

Societal and family values play a major part in creating awareness of how and why one should respect women. It might seem that too much advice from parents and teachers will not work on young minds. But just remember the good old days when children had enough attention at home (from parents, grandparents, uncles and aunts, etc.). The effect of strong familial values goes a long way in the development of the human psyche.

We are living in a fast-paced society where working parents and nuclear families have little or no time to devote to child development (and I mean all-round development, not just academics and scoring high ranks). In such a situation, teaching the fundamental values of life begins at schools and educational institutions. Parental guidance / counselling on raising children should start at the grassroots, at all levels, irrespective of economic stratum.

We also need to question strongly why some common risk factors are not taken seriously by the Government / local administration and police, such as:

  • desolate places without enough lighting,
  • no vigorous night police patrolling at such places,
  • no quick response mechanism or follow-up by the local police when an incident is reported,
  • poor enforcement of the law and delayed justice in courts,
  • biased opinions in the media, based on religion and politics, that subvert the very motive of the crime.

We, as responsible citizens, owe it to ourselves to address why women are at risk and what we could do to mitigate it, to prevent such dastardly crimes. There is no use expecting the Government to come to the rescue, since this is a fabric woven by the society in which we live, and education must start in each and every home.

A Primer on AI/ML/DL/NN etc.

Today, many of us non-technical people feel quite left out of the conversations buzzing around in companies, social media, webinars, presentations, etc.

Yes, I am talking about the most talked-about acronyms: Artificial Intelligence (AI), Machine Learning (ML), Deep Learning (DL), Neural Networks (NN) and so on, which also take in Big Data, statistical methods, Data Science, Predictive Analytics and so forth.

Here is my attempt to facilitate understanding of the basics.

WHAT IS ARTIFICIAL INTELLIGENCE (AI)?

  1. Artificial intelligence (AI) is the simulation of human intelligence processes by machines, especially computer systems. If a system or device can do “smart” things the way humans do, it is said to be artificially intelligent.
  2. It is an umbrella concept that includes image processing, natural language processing, robotic process automation, machine learning, neural networks and many more.
  3. There is a wrong impression that AI is a system; rather, it is implemented in a system. Particular applications of AI include expert systems, speech recognition, Natural Language Processing (NLP) and machine vision.
  4. These processes include learning (the acquisition of information and rules for using it), reasoning (using rules to reach approximate or definite conclusions) and self-correction.

WHAT IS MACHINE LEARNING (ML)?

  1. To put it very simply, machine learning is defined as “the ability (for computers) to learn without being explicitly programmed.” Machine Learning deals with making computers (or machines) learn from data provided by the external environment, such as connections to sensors, electronic components in devices, storage devices, etc. It also crunches the huge input data sets provided to it to come up with patterns and predictions, like Amazon suggesting what your buying preferences are, or Netflix offering options based on your previous viewing history.
  2. Machine Learning is simply a way of achieving Artificial Intelligence. The main objective of ML is to allow computers to learn automatically, without human intervention, assistance or programming, and to adjust their actions accordingly.
  3. ML builds models and built-in algorithms that it keeps constantly updating and fine-tuning based on the inputs you provide on an ongoing basis.
  4. Machine learning enables analysis of massive quantities of data.

WHAT IS DEEP LEARNING (DL)?

  1. Deep learning is a specialized form of machine learning. For example, a conventional machine learning workflow starts with relevant features being manually extracted from images; the features are then used to create a model that categorizes the objects in the image.
  2. With a deep learning approach, by contrast, relevant features are automatically extracted from images. In addition, deep learning performs “end-to-end learning”: a network is given raw data and a task to perform, such as classification, and it learns how to do this automatically.
  3. Deep Learning is also sometimes referred to as “Artificial Neural Networks”. Another key difference is that deep learning algorithms scale with data; they often continue to improve as the size of your data increases.
  4. Deep learning is applied in many areas of artificial intelligence such as speech recognition, image recognition, natural language processing, robot navigation systems, self-driving cars, etc. Some examples we see in our daily lives are virtual assistants like Alexa, Siri and Cortana, driverless trucks, drones and automated cars, automatic machine translation, character text generation, facial recognition, behavioural analysis, etc.
  5. Big Data is required for Deep Learning. Massive data is to be fed into models – however the bottleneck remains in cleansing and processing the data into the required format for powering the DL models.

WHAT ARE NEURAL NETWORKS?

  1. A neural network is a type of machine learning that models itself on the human brain. Neural networks, with their deep learning, cannot be programmed directly for a task. Rather, just like a child’s developing brain, they need to learn the information.
  2. They have become important and standard tools for data mining. A neural network is an adaptive system that changes its structure based on the external or internal information that flows through the network during the learning phase.
  3. A neural network usually involves a large number of processors operating in parallel and arranged in tiers. The first tier receives the raw input information, analogous to the optic nerves in human visual processing. Each successive tier receives the output from the tier preceding it rather than from the raw input, in the same way that neurons further from the optic nerve receive signals from those closer to it. The last tier produces the output of the system.
  4. Handwriting recognition is an example of a real-world problem that can be approached via an artificial neural network. Humans can recognize handwriting by simple intuition, but the challenge for computers is that each person’s handwriting is unique, with different styles and even different spacing between letters, making it difficult to recognize consistently. Handwriting recognition has applications as varied as automated address reading on letters at the postal service, authorizing signatures on documents, and reducing bank fraud on cheques.
  5. Uses of the technology have expanded to many more areas, such as chatbots, stock market prediction, delivery route planning and optimization, drug discovery and development, and many more.

WHAT IS DESCRIPTIVE, PREDICTIVE AND PRESCRIPTIVE ANALYTICS?

  1. Descriptive – based on insights into historical data – What has happened?
  2. Predictive – based on statistical tools and forecasting techniques to answer – What could happen?
  3. Prescriptive – use simulation and optimization algorithms to advise on possible outcomes and answer – what should be done?

WHAT IS DATA SCIENCE AND WHAT CAN YOU DO WITH IT?

  1. Data Science is a discipline that deals with the identification, representation and extraction of meaningful information from data sources.
  2. Some of the tasks you can do with Data Science include: framing conclusive research and open-ended questions; extracting large volumes of data from external and internal sources; deploying statistical, machine learning and analytical methods; cleaning, pruning and preparing data for processing and analysis; and looking at data from various angles to determine hidden patterns, relations and trends.
  3. If you are wondering about the difference between a Data Analyst and a Data Scientist, they are quite far apart in the goal or objective with which they work. A Data Analyst starts by aggregating, querying and mining data for reporting on various functions. A Data Scientist starts by asking the right questions, and therefore needs substantive domain expertise and non-technical skills.

“Fox minding the hens” – Interesting snippet

Imagine a situation where somebody at the C-level who is responsible and in charge of ensuring ethical standards and setting policies on insider trading is himself accused of, and punished for, that very same prohibited action.

Yes, this is how CFO.com titled the news: “At Apple, the Fox was minding the Hen house”. Very strong words, but very apt criticism of non-compliance in the top echelons of the company.

The tech giant’s former Global Head of Corporate Law, Gene Daniel Levoff, was charged by the Securities and Exchange Commission with trading Apple securities ahead of three quarterly earnings announcements in 2015 and 2016.

Before the public announcement of Apple’s earnings, Levoff sold off all his personal holdings, about $10 million worth of Apple stock, from personal brokerage accounts. By doing so, he avoided personal losses of about $345,000. Apple’s share price dropped by more than 4% when it publicly disclosed the quarterly financial data.

“Levoff’s alleged exploitation of his access to Apple’s financial information was particularly egregious given his responsibility for implementing the company’s insider trading compliance policy,” said Antonia Chion, associate director of the SEC’s division of enforcement.

As a senior director, Levoff reported to Apple’s general counsel and reviewed and approved the company’s insider trading policy. Not only that, he was the one who regularly notified employees about blackout periods around earnings announcements. He also managed the company’s corporate subsidiary structure and was a director of several Apple subsidiaries.

The SEC’s complaint, filed in federal district court in Newark, New Jersey, charges Levoff with fraud and is seeking the return of his trading profits plus interest and penalties. It is also seeking to bar Levoff from serving as an officer or director. In a parallel action, the U.S. attorney’s office for the district of New Jersey announced criminal charges against Levoff.

Levoff, of San Carlos, Calif., was let go by Apple in September 2018.

News courtesy Vincent Ryan, Feb 13, 2019, CFO.com/US