Ajay Dhir - The Role of GRC and Creating a Risk Assured Framework - Interop 2009 - Presentation Transcript
INTEROP Mumbai October 09, 2009
THE ROLE OF GRC
AND
CREATING A RISK ASSURED FRAMEWORK
AJAY K. DHIR
GROUP CIO
JSL LIMITED
ajay.dhir@jindalsteel.com
Governance, Risk & Compliance...
Governance - setting business strategy & objectives,
determining risk appetite, establishing culture &
values, developing internal policies and monitoring
performance.
Risk Management - identifying and assessing risk that
may affect the ability to achieve objectives, applying
risk management to gain competitive advantage and
determine risk response strategies and control
activities.
Compliance - operating in accordance with objectives
and ensuring adherence with laws and regulations,
internal policies & procedures, and stakeholder
commitments.
Governance, Risk & Compliance...
GRC provides a framework and a methodology to enable
those responsible for managing the business to give
confidence to those who are accountable to
shareholders and to regulators that corporate objectives
are being met.
Business drivers for an integrated
approach to Governance, Risk and Compliance
• Increased complexity due to globalisation
• Increasing regulations
• Increased competitive pressures
• New technologies
• Ethical and financial scandals
• Integrity-driven performance expectations
• Transparency and accountability demands
• Increased demands from stakeholders
Risk
• In simplified Chinese the word risk is composed of two characters;
one represents danger, and the other represents opportunity.
Definition of Risk
“Risk is a measure of future uncertainties in achieving
program performance goals and objectives within
defined cost, schedule, and performance
constraints.”[1]
“...an uncertain event or condition that, if it occurs,
has a positive or negative effect on a project
objective.” [2]
[1] Risk Management Guide for DoD Acquisition, Sixth Edition, DoD, DAU, August 2006
[2] Project Management Institute, PMBOK®, Fourth Edition, 2008
Likelihood of an event occurring. The consequence if such an event occurs.
Enterprise Risk and Compliance-Drivers and Trends
Drivers:
• Multiplicity of risk and regulations
• Distributed operations and relationships
• Interdependency of risk
• Increased accountability
• Fragmentation and duplication of effort
2009 – 2010 trends:
• Establishment of risk and compliance
architecture
• Development of risk intelligence
• Implementation of GRC platforms
• Centralized communication and training
on corporate policies and procedures
• Continued evolution of the CxO
responsible for GRC
Risk Sensors
Risk Sensors can provide automated inputs from low-level data:
• to demonstrate compliance with legislation and regulation (and non-compliance)
• to demonstrate working controls (and not working controls)
• to highlight risks / threats
• to identify incidents
• to highlight possible data leakage
• to identify potential reputation damage
+ many more……
Example of Sensors
Sensors to detect events
System monitors
• Vulnerability assessment, configuration and policy compliance
Network traffic monitors
• Intrusion detection, Intrusion prevention, Firewalls, Routers,
Access and identity monitors
• Failed logins, privilege escalation, Bio-metric identities
Web site monitors
• Pages visited, referred from,
End point monitoring
• Data leakage
• Anti-virus, anti-phishing, Malware detection
Others
• Event and Audit log collection – OS, Infrastructure, applications
• CMDB systems
• Incident management
• Backup software, Business continuity management
• IT Security Information (intelligence feeds)
Emerging
• Virtualised environments / ‘Cloud’ computing
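The slide lists failed logins and privilege escalation among the access-monitor inputs. The following is an added example (not from the presentation or from JSL) of what such a sensor does with the raw data: it parses constructed syslog-style authentication lines, aggregates them, and emits per-control evidence records with a "working" or "not working" verdict, which is the shape a GRC platform ingests rather than the raw log. The log format, the threshold of five failures, the control names and the list of interactive shells are all assumptions made for this example.

```python
"""
Minimal risk sensor: turn low-level authentication log lines into the
per-control evidence records a GRC platform would ingest.

Added example for this transcript, not from the presentation or JSL.
The log shape, the five-failure threshold, the control names and the
list of interactive shells are all constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input in a syslog-like shape (not real data).
SAMPLE_LOG = """\
Oct 09 08:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
Oct 09 08:00:03 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 50123 ssh2
Oct 09 08:00:05 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 50124 ssh2
Oct 09 08:00:07 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 50125 ssh2
Oct 09 08:00:09 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 50126 ssh2
Oct 09 08:00:11 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 50127 ssh2
Oct 09 08:01:00 host1 sshd[2002]: Accepted publickey for alice from 192.0.2.10 port 50200 ssh2
Oct 09 08:02:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Oct 09 08:03:00 host1 sshd[2003]: Failed password for bob from 192.0.2.11 port 50300 ssh2
Oct 09 08:03:05 host1 sshd[2003]: Accepted password for bob from 192.0.2.11 port 50300 ssh2
Oct 09 08:04:00 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

FAILED_LOGIN_THRESHOLD = 5  # constructed: failures from one source that count as an attack
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/zsh"}  # constructed list

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(\S+)")


@dataclass(frozen=True)
class Finding:
    control: str  # the control the evidence speaks to (constructed names)
    status: str   # "working" or "not working"
    subject: str  # source address or account the evidence concerns
    detail: str   # human-readable evidence for the reviewer


def parse_events(text):
    """Reduce raw lines to typed events; lines that match nothing are ignored."""
    events = []
    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            events.append(("failed_login", m.group(1), m.group(2)))
        elif m := ACCEPT_RE.search(line):
            events.append(("accepted_login", m.group(1), m.group(2)))
        elif m := SUDO_RE.search(line):
            events.append(("sudo", m.group(1), m.group(2), m.group(3)))
    return events


def evaluate(events):
    """Aggregate typed events into per-control findings."""
    failures_by_source = Counter()
    accepted_sources = set()
    findings = []
    for ev in events:
        if ev[0] == "failed_login":
            failures_by_source[ev[2]] += 1
        elif ev[0] == "accepted_login":
            accepted_sources.add(ev[2])
        elif ev[0] == "sudo":
            user, target, command = ev[1], ev[2], ev[3]
            # An interactive root shell defeats command-level audit logging.
            if target == "root" and command in INTERACTIVE_SHELLS:
                findings.append(Finding(
                    "Privilege escalation is command-scoped", "not working", user,
                    f"{user} opened an interactive root shell via sudo ({command})"))
    # A burst of failures is an incident either way; whether a login from the
    # same source then succeeded decides the verdict on the control.
    for source, count in failures_by_source.items():
        if count < FAILED_LOGIN_THRESHOLD:
            continue  # isolated typos are not evidence of an attack
        if source in accepted_sources:
            findings.append(Finding("Brute-force resistance", "not working", source,
                                    f"{count} failed logins then a successful login from {source}"))
        else:
            findings.append(Finding("Brute-force resistance", "working", source,
                                    f"{count} failed logins from {source}, no successful login"))
    return findings


def main():
    for f in evaluate(parse_events(SAMPLE_LOG)):
        print(f"[{f.status:>11}] {f.control} / {f.subject}: {f.detail}")


if __name__ == "__main__":
    main()
```

On the constructed input the sensor produces two records: the six failures from 203.0.113.9 with no subsequent success are reported as the brute-force control working, and bob's `sudo /bin/bash` is reported as a privilege-escalation control not working. Bob's single mistyped password produces nothing, which is the point of the threshold: the sensor hands the GRC platform evidence about controls, not every raw line.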
What Are the GRC Management Challenges?
Enterprise-Wide Responsibility
CFO / VP Finance: Reducing the total cost of GRC compliance
• Timely notification of control issues, material weaknesses and violations
• Accurate and comprehensive information on financial exposure, compliance and audit.
Chief Compliance Officer (CCO): Increasing efficiency & consistency of compliance processes
• Reducing regulatory actions by reducing compliance violations
• Planning and oversight of compliance management resources
• Identifying and implementing optimal detective & preventative controls
Chief Risk Officer (CRO): Balancing the range of enterprise risks
• Evaluating business requirements and technical risk
• Reducing internal organizational cost of risk exposure and cost of mitigation or acceptance
CIO: Ensuring Auditable secure information
• Automating GRC information risk management capabilities
• Eliminating multiple GRC solutions
• Implementing IT platform for GRC standardisation, simplification & security
GRC – What are the objectives?
Governance
• Ultimately, Governance determines what the Board is responsible
for and to what degree it entrusts day-to-day administration to
the CEO, the management team and perhaps below.
Knowledge Management
• In creating a shared governance, risk and compliance
environment, software supports performance objectives by
regulation, standards and policy to whatever degree the Board
wants.
Process
• Crucially, software enables linkage of roles, processes and assets.
Plan, Do, Check, Act (PDCA) processes should be effectively
managed in a single framework, so the organization as a whole is
better governed.
Technology
• Convergence of data, status, actions and incidents must be easily
monitored, providing visibility and control to the business.
Today’s organizations are concerned about:
Risk Management
Governance
Control
Assurance
Enterprise Risk Management
PROTECT: “How Do I Reduce Business Risk?”
• Risk Analysis
• Risk Assessment
• Business Continuity Planning
• Business Resilience
OPTIMIZE: “Is my current Risk level in control?”
• Business Risk Monitoring
• Risk Responsiveness
• Tolerance: Controllable Risks, Non-Controllable Risks
GROW: “How Do I take more Intelligent Risks?”
• Disciplined Decision Making
• Risk Timing
• Business & Technology Innovation
• Increased Shareholder Value
• Industry Leadership
Corporate Strategy
ERM
Highest Priority ERM Objectives
Ensure risk issues are explicitly considered in decision making: 44%
Avoid surprises and “predictable” failures: 40%
Align risk exposures and mitigation programs: 24%
Institute more rigorous risk measurement: 19%
Integrate ERM into other corporate practices like strategic planning: 17%
The Growing Influence of Risk Management
A majority of companies are choosing ERM… …and ERM is seen as an increasingly important responsibility
Attitude to ERM (pie chart; segments of 9%, 35% and 56%): Have rejected; Preparing/Developing/Implementing; Positively disposed
Degree of Importance    Very high   Significant   Somewhat or less
Board                   29%         36%           35%
CEO                     39%         29%           32%
CFO                     46%         38%           16%
Internal audit          50%         30%           19%
Enterprise Risk Management — An Integrated Framework
An ERM framework defines essential components,
suggests a common language, and provides clear
direction and guidance for enterprise risk management.
The ERM Framework
Entity objectives can be viewed in the
context of four categories:
• Strategic
• Operations
• Reporting
• Compliance
The ERM Framework
ERM considers activities at all levels
of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes
The ERM Framework
The eight components
of the framework
are interrelated …
ERM Roles & Responsibilities
• Management
• The board of directors
• Risk officers
• Internal auditors
Key Implementation Factors
1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review by management
Getting glasses: how GRC software platforms help
organizations regain control
Frequently, individuals or departments get bogged down in one
area of compliance, such as Sarbanes-Oxley (SOX) or privacy
laws, but fail to realize that compliance is an octopus-like
challenge. Managing this many-tentacled beast requires that an
organization establish a technology architecture for
Governance, Risk, and Compliance (GRC).
What is the value of the GRC software platform?
• The GRC software platform enables an enterprise risk and
compliance strategy; the software is not a strategy itself. GRC
software platforms must be:
• Sustainable
• Consistent
• Efficient
What is a GRC software platform and what does it do?
The GRC software platform is the technology heart of the GRC
architecture — it provides a single system of record for defining,
maintaining, and monitoring Governance, Risk and Compliance. GRC
platforms create centralized systems of record for the entire business
in four areas:
1. Policy, procedure, and control documentation
maintenance and communication
2. Risk and control assessment processes
3. Risk analytics, modeling, and reporting
4. Loss, event collection, and investigations management.
Usage varies across:
Business executives. Executives use the software to monitor the
state of risk and compliance, as well as to monitor corporate losses —
driving strategic decisions and management of the organization.
Risk and compliance officers/managers. These executives
typically represent the heaviest users of the software and are focused
on the day-to-day management of risk and compliance content and
processes.
Business unit and process managers. These executives must use
the software to answer risk and control assessments and monitor the
state of risk and compliance to individual areas of responsibilities.
Employees, contractors, consultants, and temporary workers.
The system helps every member of the firm read, acknowledge, and
receive training on policies and compliance issues that pertain to
their individual responsibilities.
Business partners. Business partners (e.g., suppliers, contractors,
outsourcers) work with the system in conducting contract and control
assessments to attest to their performance to contractual
requirements.
The technical support GRC software platforms need
to succeed
Achieving the integration across the four capability areas considered
essential for governance, risk, and compliance software platforms
(policies/controls, assessment, analytics, and loss/investigations)
requires that GRC software platforms have four integrated areas of
technical functionality to deliver on these features:
Enterprise content management. GRC starts as a content problem. As
organizations struggle to manage an assortment of risk assessment and
compliance examination documentation, organizations first look for content
management capabilities to categorize, store, retain, and manage access to
this sensitive information.
Business process management. After gaining control of content,
organizations then look to drive efficiency into their GRC processes through
process management and workflow technologies. Specifically, they require a
platform that provides collaboration and automation of risk and compliance
processes.
Enterprise applications. Next, organizations look for further automation
of control monitoring and enforcement alongside the monitoring and
measurement of risk by gathering information directly from enterprise
applications.
Business intelligence/business analytics. Finally, after solving the
content, process, and enterprise integration challenges of risk and compliance
comes the reporting and communication requirements delivered through
business intelligence and analytic features.
GRC software platforms — four capability areas
Recommendations
Define your risk and compliance architecture.
• A GRC software platform is not a silver bullet to
manage risk and compliance — no technology is.
• Start with defining your GRC vision.
• Develop your long-term strategy for GRC.
• Be selective in the platform you choose.
• Get your feet wet first!
Common Pitfalls
Unclear or ‘moving goalpost’ objectives
Different ‘agendas’
Too much detail to analyse
Too much effort or insufficient knowledge
Insufficient resource, takes too much time
Answers lead to more questions
Can’t articulate benefits to the business
Risk and compliance landscape
About JSL
JSL Limited, set up in 1970 by the steel visionary Mr. O.P. Jindal, has
grown from an indigenous single-unit steel plant in Hisar, Haryana
to the present multi-billion, multi-national and multi-product steel
conglomerate. The organization is still expanding, integrating,
amalgamating and growing.
An ISO 9001 & ISO 14001 company, it is the flagship company of
the Jindal Organization.
Total Revenue (FY 2008- 2009) : USD 2 billion
Manufacturing Plants
• Hisar (Haryana)
• Vizag (Andhra Pradesh)
• Indonesia
• Kalinganagar, Orissa – the largest, integrated, green field
project in Stainless Steel, globally
Hisar Plant : At Hisar, JSL has India's only composite stainless steel
plant for the manufacture of Stainless Steel Slabs, Blooms, Hot
Rolled and Cold Rolled Coils, 60% of which are exported worldwide.
• Slabs
• Blooms
• HR & CR Coils
• Precision Strips
• Blade Steel
• Coin Blanks
The present production capacity of the plant is 6,00,000 TPA, which is
expanded to 7,20,000 TPA. With the commissioning of the plant in
Orissa in 2010, the capacity will be approximately 12 million tpa.
An exclusive complex for manufacturing stainless steel for razor and
surgical blades has been created. A coin blanking line has also been
installed. The major export destinations are China, Bangladesh,
Vietnam, South Africa, Russian Federation, Ukraine, Belgium, Italy,
Greece, UK, and USA.
JSL’s Integrated ERM Framework
Integrate ERM in Corporate Compliance and
Governance Activities
• Integrate key risk processes and systems
• Understand our risk appetite
• Sustain a risk-based approach to improving and managing Corporate compliance and governance
• Use Risk Review Group to increase multi-disciplinary risk education, awareness and information sharing
Framework elements: Internal Controls (ICS), Sarbanes Oxley (SOX), Risk Management (RM), Finance Planning and Analysis (FP&A)
JSL’s ERM Process
1. Determine priorities for ERM via Risk Review Group and Board
2. Identify Executive Sponsor in area to be assessed
3. Interview key executives in multiple functional areas re: their perceptions of key risks facing the company and their quantification of the probability, severity and current management effectiveness at managing the risk – the discussion is the most important aspect
4. Consolidate interview results, identify key risks and report back to Executive Sponsor and collect feedback
5. Share final report with Corporate Executive Sponsors and Audit Committee
6. Facilitate discussions/workshops with risk owners wrt decisions re: identified key risks
7. Track progress via Ops Reviews, Risk Review Group, Internal Audit
8. Schedule and integrate with business planning
FY 2009 - 2010 ERM Objectives
• Enhance understanding of risks affecting the Group & the drivers of those risks
• Raise the level of ERM awareness & education within JSL & externally
• Integrate risk management with existing processes – investment management, strategic planning & business development
• Continue to integrate risk management with line management processes
In today's increasingly sophisticated, complex and demanding corporate environment, it is not only important but in fact becoming mandatory for corporates to have a well-defined policy and mechanism for corporate governance, risk mitigation and compliance. Recent corporate scandals have exposed the basic lack of a systems framework, governance mechanism and the need to focus on systemic improvements and strengthening in-built controls. The CIO has to play a very important role in this process by not just technology-enabling the system, but working closely with key stakeholders and the CEO to create an IT landscape which uses a framework of risk assurance. This presentation will focus on the various challenges posed by statutory regulations and regulatory authorities, discuss the various frameworks available and showcase how a CIO can deliver value to the Board and the organization.