Navigating GRC challenges and opportunities in India: Rajeev Dutt, Swiss GRC

Navigating Governance, Risk, and Compliance (GRC) challenges and opportunities in India requires a nuanced understanding of the market dynamics and regulatory landscape. With the Indian market presenting a unique set of circumstances, Rajeev Dutt, General Manager MEA and APAC at Swiss GRC, sheds light on the intricacies involved. From the disparity in risk management maturity levels between larger conglomerates and smaller organizations to the importance of stakeholder engagement and transparency, Dutt emphasizes the need for tailored approaches. He advocates for a phased implementation strategy, emphasizing the significance of addressing specific concerns such as regulatory compliance before expanding into other GRC domains.

Moreover, he highlights the pivotal role of technology, particularly AI and automation, in streamlining control assessments and enhancing decision-making processes. By leveraging technological advancements and fostering a culture of compliance and transparency, organizations can effectively manage geopolitical risks and bolster their operations in the dynamic Indian business landscape.

DQ: How does the Indian market's approach to risk management differ from that of other regions?

Rajeev Dutt: I believe that in comparison to India's market, others are more matured in terms of risk management practices. While India has some corporates and organizations implementing risk management, the maturity level isn't as advanced. I wouldn't categorize it as zero, but it certainly has room for improvement. This gap presents us with an opportunity to enhance our focus in this area.

DQ: What are the unique challenges and opportunities for implementing effective GRC strategies in India?

Rajeev Dutt: Firstly, it's crucial to have a clear understanding of the requirements. Secondly, adopting a phased approach is advisable instead of opting for a big bang approach. By phased, I mean addressing one issue at a time rather than attempting to tackle all challenges simultaneously. For instance, if regulatory compliance is your primary concern, start there. Once you've addressed that, you can move on to other areas such as ITGRC, BCM, or EHS.

Going step by step allows you to demonstrate the return on investment to your top management, who are keen on seeing tangible results. Faster implementation leads to a better ROI. Moreover, implementing Governance, Risk, and Compliance (GRC) initiatives requires fostering a culture of compliance within the organization, which is typically driven from the top.

By approaching it in phases, you can gradually instill this culture and gain the trust of your teams at various levels. Once the foundation is laid, implementing additional modules becomes much smoother and more efficient.

DQ: Challenges with implementation of DPDP Act in India?

Rajeev Dutt: We offer a solution that stems from Switzerland, ensuring compliance with GDPR regulations. However, navigating through GDPR, Swiss, Italian, and other local data privacy regulations can be intricate. Thus, it's essential to adhere to GDPR while also understanding and complying with local data privacy laws.

Our solution is robust and comprehensive, particularly in terms of data protection. It's vital to understand where data resides, who has access to it, and how to prevent breaches. Utilizing data discovery tools is crucial to identifying where customer data is stored, whether in CRM, accounting, invoicing, or support systems. Responding to data removal requests within specific timelines requires accurate data identification. Our tools aid in conducting data protection impact analyses, essential for GDPR compliance, considering its numerous articles.

While GDPR serves as a foundation, each country has its own regulations, slightly modified from GDPR. We tailor our approach to address these variations, conducting thorough assessments to ensure compliance. With India's regulations, for instance, we've conducted detailed analyses.Moreover, we simplify compliance procedures, providing concise, two-page summaries for compliance heads instead of overwhelming them with lengthy documents. Our tools assist in understanding the necessity of a Data Protection Officer (DPO) and delineate what falls under data protection regulations. This approach ensures simplicity, clarity, and effectiveness in compliance efforts.

DQ: How do you see the role of technology, such as AI and automation, shaping GRC initiatives in India?

Rajeev Dutt: Let me provide an example of how AI can assist in control assessments. Imagine a scenario in which an organization subscribes to an Information Security or ITUCF framework containing over 10,000 control libraries. Now, the challenge arises in identifying the most suitable controls for the organization's needs. Here, AI can delve into these vast libraries, analyze them, and present a refined selection of, say, 15 to 50 controls that are most relevant.

This process significantly reduces the burden of manually sifting through thousands of controls. While AI streamlines the initial selection, human intervention remains crucial. Compliance professionals still need to review and confirm the suitability of the identified controls. However, with AI's assistance, the compliance process becomes far more manageable.

Instead of feeling overwhelmed by the sheer volume of controls, compliance officers can now focus on a concise list of options that align closely with the organization's requirements. In essence, AI complements the Governance, Risk, and Compliance (GRC) framework by facilitating more efficient and informed decision-making.

DQ: How important is stakeholder engagement and transparency in building trust and credibility within the Indian business community?

Rajeev Dutt: Yes, I believe that some level of consulting, advisory, and selling will be necessary in India regarding GRC (Governance, Risk, and Compliance) practices. While larger conglomerates and corporate entities are familiar with GRC concepts, smaller organizations at the tier 2, tier 3, and tier 4 levels often lack understanding and implementation of GRC frameworks.

Therefore, there's a need for an approach that emphasizes the significance of governance and transparency within organizations. It's crucial to convey the importance of GRC and the risks associated with neglecting it. Providing guidance and raising awareness about these aspects will be essential in bridging the knowledge gap and encouraging adoption of GRC practices across organizations in India.

DQ: What strategies do you recommend for effectively managing geopolitical risks and their impact on business operations in India?

Rajeev Dutt: Understanding your risk exposure is paramount. Let's say you're operating on a global scale and you're aware that certain regions are at risk of conflict or heading towards a conflict zone, which could result in geopolitical tensions, civil unrest, or even war. These situations don't arise overnight; they provide warnings. Therefore, it's crucial to have a tool that proactively alerts you to potential risks.

A robust risk management tool should flag high-risk situations, indicating when certain regions are entering a "red zone" where the probability and impact of adverse events are significant. This allows you to take preemptive measures to mitigate these risks effectively.

Unlike relying on manual methods like Word and Excel, which lack the ability to provide such proactive warnings, a dedicated risk management tool can guide you and prompt you to take necessary actions. Additionally, by continuously monitoring minor incidents, you can prevent them from escalating into major catastrophes. Thus, investing in the right tools and processes for risk management is essential for safeguarding your organization against potential threats.