Category: Strategic Risks

Ease of Doing Business in India

A perspective on the risks and challenges

As most people are aware, India is a multi-cultural, multi-lingual society governed by a Federal system of governance – where the Central Government and several State Governments have their own jurisdiction and freedom in prescribing regulatory compliances.

Shri K.V. Subramanian, Chief Economic Advisor to the Finance Ministry at a press conference at New Delhi, said that if you want to start a restaurant business in New Delhi you need 45 documents to obtain just one of 26 licences—one for getting a clearance from the Delhi Police. But if you want to own a gun, you need only 19 documents to get the go-ahead from the police. And these number of licences differs from city to city depending on which State it is located. He was making the case for doing away with unnecessary controls.

While India has jumped up in the World Bank ranking for Ease of Doing Business (EoDB) to the 63rd position among 190 countries studied by it, there is still a long way to go for India. To understand what “Ease of Doing Business” (EoDB) means please read the Appendix given below.

In my opinion, the following are the top 5 risks and challenges that have to be addressed:

  1. Understanding the local language and geography of India: Any new venture’s first step is to understand the local culture, language where it wants to set up business. If you want to set up a manufacturing unit in Tamil Nadu and employ local labour, guidance is required on all the nuances of how to deal with Trade Unions affiliated to different political parties. You could end up in major labour disputes and lockdowns if you do not have a strong top and middle management who knows the ground reality. There are various religious, ethnic and annual holidays to consider – State-wise variations included – that one needs to consider even for business meetings or working days.
  2. Stability in Government policies: Every five years, when Central and State Governments in India face change of political parties at the helm of affairs, a trend has been witnessed to ditch the previous regime’s policies and initiatives or stall several projects.

One political party (DMK), when in power, sanctioned the extraction of hydrocarbon project in Tamil Nadu. When a change in Government took place, the same political party (DMK) that sanctioned it earlier opposes it tooth-and-nail – there is no logic or reason behind this except opposing for opposition sake – a case where “ease of business” is not considered.

Several such examples can be given across many States where the ruling party is against the Central Government. Unless there is decency and decorum in governance for the benefit of people and businesses, powerful to petty politicians and boot-licking bureaucrats have a field day with their own interpretations of rules and regulations to harass applicants and make money.

  1. Reach of “real” education: Societal reforms begin with influencing community on major issues confronting them and what they could do to resolve them. This begins by emphasizing on communal harmony, cooperation, voice against bribery and corruption. Continuous awareness campaigns and education must pervade at all levels – from the super-rich celebrities (who don’t care a damn about anything other than their own careers) to the lowest level of poverty-stricken masses (who don’t care a damn about anything other than day-to-day existence). Unless the divisive tactics for vote-bank politics is shunned by the society, there will always be dissent and roadblocks to any improvements to “ease of doing business”.
  2. Prevention of bribes and corruption: Let’s face facts on ground. Although e-filing for building permits has shortened the time for sanction, the grim fact is that at the penultimate or final stage it reaches an officer-in-charge who has to approve sanction and in the pretext of calling for clarifications there are many instances of underhand dealings (more so in high value properties). Unless there is decency and decorum in governance for the benefit of people and businesses, powerful to petty politicians and boot-licking bureaucrats have a field day with their own interpretations of rules and regulations to harass applicants and make money.

New companies, existing companies wanting to expand operations, foreign investors – all of them face high risk of being subject to corruption in many forms. It is a serious issue, despite the Prevention of Corruption Act and the Companies Act, and is prevalent in the police, politicians, judiciary, public services and public or private procurement sectors. Measures like e-filing, single window processing, e-auctioning, etc. may help to some extent, but ultimately the human interface process at some stage needs to be efficient and effective.

  1. Start effective implementation, not just streamlining statutory regulations:

There are many confusions and a maze of laws in force in India (including archaic ones from the British regime). But the implementation is haphazard and not effective, some of these laws are irrelevant in current times but the statute still exists and have not been repealed.

This makes investment in Indian business complex and a risky one – here are a few examples:

  1. Existing industries must have easy singular access to compliance and regulations that are relevant for them. Currently one needs a legal expert to wade through several laws to end up with a compliance checklist.
  2. Clarity must be provided to NRIs and foreign investors in easily understandable language about the various options available for them to invest and “make in India”. Impact of the option chosen in the short and long term must be provided, depending on the nature and size of business– whether one should have a Representative office, Branch office, liaison office, private limited company, limited liability partnership, etc.
  3. Industry specific regulations are plentiful – whether it is the services sector or the banking and financial services or the telecom industry or any other – with each one of them having to be complied with different agencies – TRAI for telecom, RBI for banks and financial institutions, IRDA for insurance, FIPB for foreign investments and so on.
  4. Manufacturing sector has a plethora of laws that will bewilder a new start up business and existing ones have to be constantly vigil on whether they are compliant with all applicable ones.
  5. Taxation laws are complex and do not enable businesses to do long-term business planning on the likely outgo and keeps changing every fiscal year or even ad hoc at times.

 

APPENDIX

What is Ease of Doing Business? – www.makeinindia.org which is an Indian Government website has published the below information on the same:

The Ease of Doing Business (EoDB) index is a ranking system established by the World Bank Group. In the EODB index, ‘higher rankings’ (a lower numerical value) indicate better, usually simpler, regulations for businesses and stronger protections of property rights.

The research1 presents data for 190 economies and aggregates information from 10 areas of business regulation:

  1. Starting a Business
  2. Dealing with Construction Permits
  3. Getting Electricity
  4. Registering Property
  5. Getting Credit
  6. Protecting Minority Investors
  7. Paying Taxes
  8. Trading across Borders
  9. Enforcing Contracts
  1. Resolving Insolvency

Rankings and weights on each of the mentioned parameters are used to develop an overall EoDB ranking. A high EoDB ranking means the regulatory environment is more conducive for starting and operating businesses.

Since assuming office in 2014, the Narendra Modi-led National Democratic Alliance government has pledged to improve the ease of doing business in India.  Many action points have been completed by the Central Government regarding various factors like starting a business, getting construction permits, trading across borders, enforcing contracts, getting electricity, registering property and paying taxes, there are still some underway and state reforms have to also step up their initiatives in this regard. (More details at //www.makeinindia.com/eodb)

Assessing Cyber security risks

Technology is permeating all aspects of business at an increasing rate. New ways of conducting business processes, – remote access, BYOD (bring your own device) and now WFH (work from home) – are bringing about an incredibly broad and diverse domain of cyber risks that are here to stay.

An Enterprise Risk Management (ERM) program has to include cyber security risks as one of its key strategic risk components to be assessed and managed regularly, just as how financial or other business process related risks are measured, monitored, mitigated and reported.

This approach is really the crux of bringing in what is called as a new approach – IRM (Integrated Risk Management). There are a lot of proponents who have backed this and other three-letter acronyms pointing out the benefits of each and opining how the others have gone out of existence. In my opinion, a truly integrated view (call it by whatever acronym – ERM, GRC, IRM) of Enterprise Risk Management must consider all risk factors and different risk domains.

This brings us to the next question on how to assess, measure, monitor and report on cyber security risks.

Traditionally, a financial, regulatory or operational risk is classified and defined based on its “causes and effects”.  Examples such as these are well known – what happens if the bank lending rate increases, what would be the impact on imported materials if the exchange rate fluctuates, where to source in the event of a critical supplier bankruptcy, why is our stockyard not insured for theft, what if there is a new regulation the imposes restrictions on trade, etc.

This leads to the next step of assessing, measuring and calculation of that risk. Normally risk managers with the help of business, measures the “impact” of that risk – either in monetary terms or qualitatively – and multiply this by the factor called “probability of occurrence”, “likelihood”, “odds of happening” – either in terms of percentage (0-100%) or in terms of risk scores.  Low-impact events with high probability are given lower ranking as compared to high-impact events with low probability and can be represented in what are called “heat maps” to draw attention to the red areas requiring immediate attention.

Cyber security risk assessment challenges:

  1. Security experts and the CISO’s office are mostly caught up with measuring technical exposures, discovering vulnerabilities and evaluating tools, that they hardly spend time to see the connect with the business impact. The security teams and business – do not align their risk definitions in order to have their understanding at the same level.
  2. “Threats”, “Vulnerabilities and “risks” are many a times used interchangeably.
    1. “Threats” represent something that might happen. Natural threats like floods, earthquakes or tornadoes can be acted upon in advance based on weather forecasts or previous learnings. However, cyber security threats (conducted by threat actors or hackers) that aim to steal or destroy data or disrupt business operations are real fears that organizations have to be concerned about. Examples of such threats are very many and keep growing in different forms – viruses, ransomware, malware, phishing, social engineering, denial of service attack, data breaches, complete shutdown of assets, etc.
    2. “Vulnerabilities” (in the context of systems) represent weaknesses in hardware, networks or software. In business and other applications these vulnerabilities are normally patched up periodically by the vendor/ manufacturer and applied by the security organization. Other examples like unsolicited emails or phishing attempts also can make the system vulnerable to attacks. Unauthorized access (whether intentional or unintentional, whether by insiders or outsiders) to applications and data centers violates and bypasses security policies and the person/s can take advantage of the vulnerability.
    3. “Risks” are considered as those that can potentially harm the IT systems and business. Risk is a function of both “threat” and “vulnerability”, meaning that the higher the likelihood of the threat against a known vulnerability is seen as a high risk factor, as against a low level threat for a less vulnerable asset can be classified with a lower risk rating.
  3. Quantifying the business impact of a cyber security threat event is a very difficult task bordering on the impossible. Estimating the probability of its occurrence is even harder because of the evolving technological advances and new ways in which breaches can occur. Cyber security has always been considered as a tactical response to threats – either a security breach occurred or it did not. Thinking about what is the business impact of the risk of a threat occurring requires putting on a different thinking cap. Currently the majority thinking is that if a cybersecurity breach does not occur then it is not a risk to be addressed on priority.
  4. A big challenge today is that the technically-oriented CISO’s office understands the need for preventing security attacks but not how to express the ramifications of those attacks in business terms. Security experts understand and articulate that if, for example, a vulnerability in the network or an application is not patched up, there could be a threat of theft of database or network downtime. However, they are not able to put up in front of the Board or the CFO, a business-focused description like “setting up preventive measures will reduce the risk of exposure to the customer database, which if exposed will cost an estimated “x” amount of money in lost business, expenses and litigation” or “critical enterprise wide applications hacked through social engineering techniques have to be monitored as close to real-time to identify the attacker and the employee/s involved to prevent the risk of loss of financial results that could swing the stock market adversely by x%”.
  5. The above subjective assessment is only a starting point and can have many holes pointed in it. It is not straight forward like financial transactions that have honed the metrics for calculations – every cybersecurity breach is different, unprecedented and unpredictable with ever-changing technology.
  6. Many vendors offer their scorecards and applications that promise nice and jazzy scorecards. But behind all that there are tons of work to be done for ensuring meaningful data – identifying risk factors, classifying and documenting all the assets and feed it into one of theses systems.

 Make a start in addressing the challenges

  1. Ensure that you present the importance of cyber security to the Board level executives, not by scary stories that happened recently at a different organization, but by articulating clearly the specific business objective that would be impacted if a particular threat is not addressed to mitigate or lower the risk, how this would be done and what would be the cost of mitigation. This would bring about clarity to both IT and business on why the budget needs sanction.
  2. Bring your IT team resources on the same page on understanding the context in which risk management has to be aligned at the enterprise level.
  3. Make sure everyone understands the various terms like threats, vulnerabilities and how risks can be rated or calculated – whether subjectively at first and then gradually move up the ladder to more complex metrics to quantify the same.
  4. Invest time in making and checking an inventory of all system and IT resources and document them for risk and control assessment plans. Make sure that acquired or merged organizations are included in the overall landscape assessment.
  5. Do not just focus on the “perimeter” risks (such as firewalls, sniffers, etc.) – there are already a host of tools that address these well at the technical level.
  6. Make sure to look at vulnerabilities in internal home-grown applications, legacy systems, ERP applications, user access controls, physical access controls to server rooms, etc. Addressing potential insider threats is equally important as identifying and preventing external attacks.
  7. Various logs streaming in from applications and audit logs carry a lot of information on activities and their patterns. Look out for tools and solutions that can help you collate and analyse them as close to real-time in a meaningful human readable form, so that actions can be taken.
  8. Performing what-if scenarios for possible breaches, use of artificial intelligence and machine learning algorithms applied on various log databases can help a lot in reporting and prevention, but it still requires human interpretation to make decisions.
  9. Conduct periodic penetration testing by third parties and ethical hackers to assess and measure the areas and level of vulnerability present in the system landscape.
  10. Be realistic in assessing how long it would take to mitigate newly discovered threats, rank them in the order of risk priority before committing to bring the risk down to an acceptable level.

To sum up, assessing cyber security risks, identifying threats and vulnerabilities is a continually evolving subject and is not an exact science. It is a new discipline that requires a strategic thinking and cooperation between top management, finance experts and the IT / CISO’s office.

Assessing Business Resilience

Business resilience determines to a great extent whether a business can continue or not. The risk of failure to forecast and build business resilience to weather out a disaster is the most significant risk that could affect the continued existence of an organization.

What is Business Continuity?

Business continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)

A “Crisis” is an abnormal situation which threatens the operations, staff, customers or reputation of the organisation and many business crisis situations can be foreseen (example a supply disruption or logistics crisis or a financial crunch). One can handle a crisis situation through emergency response or recovery plans for a particular incident.

On the other hand, a “Disaster” can be defined as an unplanned interruption of normal business process and cannot always be foreseen. Disasters can be natural disasters or man-made ones. They can interrupt business processes to threaten the continuance and viability of an organization.

Over the years, man-made and natural disasters have unveiled the vulnerability of businesses on a global scale. Many well laid out, documented and executed Business Continuity Plans during normal times do not hold good during times of disasters.

Disasters, by their very definition, do not happen at a convenient time and is always unpredictable, making it difficult to forecast its impact. There is no way of knowing the time it would strike, the form it will take and the damage that it can cause.

Take for example the current COVID19 pandemic – is it a natural disaster or man-made? Many differing opinions exist on this subject.

COVID 19 pandemic and its severity across the world has thrown into disarray all business, trade, commerce and logistics operations. Even the best laid crisis management / disaster recovery / business continuity planning could not have forecast the severity of this threat and impact.

However, that does not mean that one should not attempt to understand the impact of various disaster scenarios and plan for effective response as this is key to business continuity and resilience building.

Business Resilience (BR in short) is dependent on many factors:

  1. Financial resilience: This is a no-brainer, as any organization that is strapped for cash and liquidity during the crisis is likely to succumb faster than companies with reserves to see through the difficult times.
    1. Receivable management and avoidance of bad debts should be the focus of primary concern to strengthen cash and liquidity positions.
    2. During a crisis of the nature of a world-wide pandemic, suppliers, their stability and supply availability would directly impact working capital, raw materials and ideal stock levels to be maintained.
    3. Bank loans, interest moratoriums and other debt facilities will have to be re-looked and restructured.
    4. Inability to adhere to existing agreements like lease, rentals, customer commitments on agreed due dates, operational restrictions brought in by regulatory authorities for the common good, etc.
    5. Top management will face challenges in estimating reasonably possible future cash flows in uncertain conditions.
    6. Unlike traditional budgeting methods, relying on historical data to project future business is not going to be of use.
    7. There is a big question mark on what is the “new normal” and how it would be for each industry and within organizations.
    8. As estimations becomes complex, it would be difficult to show adherence to the existing audit and accounting standards and convince Audit Committee on the underlying assumptions behind such estimations.
    9. Last but not the least, is the criteria of “going concern” met? Assumptions underlying the certification may be complex and difficult and will have to pass the test of the auditors before reporting and disclosures to the key stakeholders.
  2. Physical resilience: How deeply affected are an organizations’ locations / premises / access to facilities and how long can it take to restore normalcy? This is an important factor to assess how quickly the business can spring back to normalcy. Is there an adequate insurance cover for such contingencies?
  3. Data Protection Plan: Is there a plan in place that ensures your existing data is retained and protected? The company’s computing resources such as server, networks, firewalls, access authorizations, hardware and software, etc. need to be protected and safe guarded. This is a must for the continued availability of the Information Systems to function at basic levels during the crisis and without losing critical business information.
  4. Customer retention: Brand loyalty and assured customer retention makes it easier to estimate potential earnings when normalcy is expected to return to the economy. This factor is more pronounced in retail and FMCG industries where customers can easily switch between brands. However existing revenue contracts may need to be revisited, reviewed and revised in the light of the shutdown.
  5. Employee retention: An organization that lays off employees during a pandemic or crisis is going to take a longer time finding replacements or skilled people when it wants to get back to business. Migrant workers who have attained skills in many industries may not desire to shift locations but find better alternatives in their own home locations. The shortage of adequate and appropriate human resources may impact resilience of the organization in the long run.
  6. Workplace transformation: During a pandemic (such as the COVID 19), all essential operations cannot come to a sudden standstill. It is important to ensure that basic activities go on without endangering the employees to infectious diseases. Organizations that can quickly bring in, enable and encourage “Work from Home” alternatives can adapt to the situation and show more resilience than those that are not ready with the infrastructure to adopt such measures.
  7. Digital transformation and adoption: Resilient organizations will always be at the forefront in being flexible and adaptable to new technology and embrace digital transformation. However, this adoption and transformation would be dependent on the financial readiness and budget allocation during times of crisis.
  8. Emotional / psychological resilience: It is finally the human psyche that matters – whether the key stake holders are mentally resilient and steadfast – in the continuance of business, the form in which it can be carried out in future. Small and medium businesses may fold up in current locations, larger organizations may look at mergers and amalgamations, start-ups may see a bleak future in the near-run.

What is Business Continuity Management (BCM)?

Organizations lay down Business Continuity Plans at various business processes and with emphasis on Information Systems and execute and audit them at regular intervals to ensure preparedness of the organization to handle any event, incident or crisis.

Business continuity management (BCM) enables organisations to restore their businesses to normal operations following an unanticipated disaster or business interruption.  To date, however, the corporate BCM capabilities necessary to establish that resiliency generally have ranged from absent to insufficient. 

Can a disaster (except probably the weather forecast for a cyclone or typhoon) be predicted to near accuracy? Can one predict if the business will be resilient after the effects of the disaster – say economic downturn, depression, catastrophic effects on humans, country-wide regulations and lockdowns?

Assessing the operational / financial resilience on the Business Continuity Plans is not just limited to Information Technology risks (or protecting information assets and financial information). There is a lot of difference between executing BCM audits in normal times and during unexpected natural or man-made disasters like the pandemic we are currently facing.