We are thrilled to announce that peer-to-peer business software review platform G2 has again placed VComply as a High Performer in the GRC Platform category in their Winter 2021 announcement. Organizations rely on research firms like G2 to help them analyze and compare business software products, and we are excited about the recognition.
We are thankful to our valued customers for this validation. We consider user feedback as a great technique to stay in close contact with our customers and get up to speed on improvements and provide value.
In case you missed it, here’s the score that our customers have given us:
Besides this, VComply also stands out in the following areas:
VComply received 8.7 score on a scale of 1-10 for ease of use, outranking many competitors in the GRC category and became a preferred choice for customers.
At VComply, we take great pride in serving our customers. We talk to our customers and help them find the quickest way to solve their problems. And the results speak for themselves! VComply received a score of 8.7 in the quality of support category.
VComply scored 8.7 in the ease of setup category. VComply is intuitive and it is very easy to create an account on VComply. On an average, our customers have gone on-live in less than 2 weeks.
At VComply, our goal is to make the easiest and the most useful GRC software for organizations. Ever since we started in 2019, we have adopted a customer-centric approach. We have made meaningful changes to our compliance, risk, and audit product range to meet the evolving requirements of our customers. Now, VComply helps teams across compliance, risks, audit, human resources, and legal in varied industry sectors to manage their individual responsibilities, while making it easier for leadership to coordinate organization wide compliance activities.
It was simple, it was easy to engage with, and it had a little bit of light-heartedness as well as a very easy to use Dashboard and reports. With VComply, our teams can quickly and easily comply with responsibilities, and our ability to provide oversight across the agency, in one central location is achieved.
CHD
We recognize that there is a lot of work ahead. And, we are committed to the vision of making the world’s most trusted GRC platform for our customers. We continue to add robust features and enhance existing features in our platform to help you strengthen the compliance and integrity of your organization.
Read our reviews here on G2!
A remote audit or virtual audit came as a boon to audit teams during the unprecedented covid 19 crisis. It is a method of conducting an audit remotely using technology. Just like an onsite audit, it covers interview with management and employees, verification of documents and reports.
Remote audit can be internal or external. It can be at any stage of the certification process, and can provide many advantages.
Unlike the widespread belief that only onsite audits yield results, the remote audits can bring in plenty of advantages. It forces auditors to think out of the box and come up with creative resolution to critical issues. Remote audits can enable active participation from people with different skills and expertise, and helps analyze the issues and come to resolution cost effectively.
Remote audits allow auditors to interview a global network of employees with out travelling. It also helps them to remain on schedule even with travel restrictions. By using technology and effective tools, stakeholders can perform large amount of work asynchronously. It allows them to work in their space and increase the effectiveness of audit efforts.
Remote audits can be less costly. All the money associated with travelling and time saved can bring in significant cost reduction. Communication at the starting of audit, before or after also can also be recorded. It provides better visibility to the leadership teams and improve the quality of audits.
The remote audit is a dynamic process with auditors engage in technology to audit. The phases in audit processes are:
Define the audit scope first. Then, develop a remote audit plan. The audit plan should cover the criteria, checkpoints that will be audited remotely, and the technology used during remote auditing. Once the methodology and approach is confirmed, schedule the audit date with the firm.
Conduct a kick-off meeting with the management explaining the procedures of the audit. Take a record of the opening session attendees, and identify if there is any changes in the audit plan after the initial meeting with the management.
The remote audit includes the review of internal controls, documents, evidence and proofs, and conducting remote interviews with employees. The proof, documents will be reviewed to support the findings. The team can conduct a closing meeting with the management and convey the findings.
The audit team can create an audit report, also document the methodology and techniques used in the audit and report whether audit was effective in achieving its goals.
Any type of audits involve review, analysis and evaluation of processes, documents, evidences, systems, and organizations. Auditors assess the accuracy, validity, reliability, verifiability and timeliness of information, as well as the sources and processes by which that information is obtained. An integrated software like VComply helps automate processes and workflows, conduct methodological audits, report incidents, and resolve issues promptly. Using VComply, it is easy to collaborate with stakeholders. It also keeps employees responsible for their obligations, and facilities oversight in executing compliance obligations. Documents, and proofs are made available and accessible. It also provides powerful reports and intuitive dashboards to help auditors gain real-time insights into the organization’s compliance data and risk exposure.
Governance, Risk and Compliance (GRC) management is an integral part of an organization's management strategy. Once the management identifies the benefit of adopting a GRC platform, the next question that comes up is that how to choose the best GRC platform suitable to your organization? Not all platforms are the same. The key is to set the right expectations and perform the due diligence before you choose your vendor.
We have highlighted 5 questions you should ask your vendor:
Companies opting for SaaS applications are on the rise. It is vital to know where your vendor is hosting your data in times of data sovereignty and GDPR. If you are opting for a SaaS GRC platform, which is a great choice of organizations, including small and mid-tier companies, you need to ask your vendor where they are hosting your data. Your vendor is your data processing application, make sure that you choose the best vendor who host the data in a secure virtual server. VComply is hosted in cloud, and makes sure that your data is secure and compliant at all the times.
Evaluate the features that the vendor offers. Compare the features with other vendors in the same price range. Analyze your organization's GRC goals, whether the proposed application provides a structured approach to achieve your organizational goal, minimize your risks, and manage your compliance requirements.
The basic features that you can look out for in a GRC platform are:
VComply is tailor-made to meet the demands of compliance professionals by helping them perform risk assessments and implement controls. It comes with built-in compliance frameworks that enables you to automate the implementation of compliance controls. VComply's workflow automation makes creating, assigning, and monitoring compliance responsibilities easier. It sends reminders to stakeholders who are entrusted to complete a responsibility. Automation can drastically improve compliance oversight, coordination, and collaboration.
A GRC platform should be intuitive and easy to use. Many of the legacy applications available in the market are complex and pose difficulties in using. When there is a gap in the customers' expectations from a great GRC platform, it turns into bad UX costs. For example, if the user experience does not allow the user to create and assign a control quickly after a risk assessment, it fails the purpose of an effective GRC platform. Suppose the compliance team cannot collaborate on a document or a compliance obligation, or the leadership team do not get enough insights from the reports or dashboards. In that case, it can lead to wasted efforts, time, and frustration. In some cases, it can even add up to your tasks. Analyze the application based on these factors, and it should be easy for the platform to fit for your needs.
Compliance is considered an on-going process, and your tools should also embody that attribute. VComply evolves and proactively adapt to provide you enjoyable user experience. When it comes down to the nitty gritities of risk and compliance management, the dashboards and report should provide at-a glance information. The VComply suite is equipped to address this need and does so seamlessly to successful compliance efforts.
A modern and integrated GRC software can help predict and mitigate risks, streamline compliance with regulations and the organization's policies. The flexibility to extend applications' capability to allow employees to access a policy library, upload compliance evidence, and proofs, and file and archive documents help to a great extent to avoid compliance mistakes and omissions.
VComply offers a federated approach to GRC wherein audit, risk, policy, and compliance management activities are integrated. A centralized view of risks, internal controls, and compliance responsibilities are available to the leadership teams. A holistic view of GRC is transformational.
More broadly than simply selecting a tool, consider how exactly the vendor plans to onboard you onto the platform. How long does it take to operationalize and reap benefits out of the GRC platform? First, identify your success criteria for implementing the system and convey it to your vendor and tie it with your onboarding process. It takes only 5 days to fully onboard with VComply. It is easy to set up VComply and set up organizational settings for managing your compliance and risk programs. The implementation team is with you at every step of the implementation process from kick-off, configuration, and workshops. VComply equips your team to shorten audit cycles and eliminate the cost of non-compliance meaningfully. By automating workflows, processes, and mapping of frameworks, VComply can generate faster ROI for you.
If you're looking for a better way to manage governance, risk, and compliance in your organization, take a look at GRC software by VComply. VComply offers a complete GRC management solution to help you streamline everyday compliance processes with a centrally managed, cloud-hosted system.
Growth is something that organizations have their eyes fixed on. They are cautious of wasting precious time and money in costly lawsuits, compliance risks resulting in penalties, or reputational damage. Internal controls help establish procedures and policies to keep the organization compliant, prevent employees from committing fraud, and improve the organization's operational and financial efficiency.
COSO defines internal control framework as the following:
A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Internal Controls are made up of steps, procedures, policies, and rules designed to ensure that an organization meets its objectives in the most efficient manner and prevent, detect, and mitigate risks facing organizations. Internal Controls aim at operational efficiency and effectiveness through the control of risks. Many experts even comment that internal controls are part of day-to-day operations.
The following are the basic features required for a robust internal control system:
The most important principle of internal control is establishing and entrusting the responsibility to specific individuals. Many times, teams fail because of the lack of clarity on one's responsibilities. Controls work the best when individuals are made responsible for executing tasks. Establishing responsibility includes authorizing the power to execute certain actions to these individuals.
Separating duties involve bifurcating a task into a series of small tasks and sharing them among various employees. Separation of tasks (SOD) is the basic building block of internal controls and risk management and helps prevent fraud and errors. When parts of a task are divided and distributed to two or more employees, it reduces wrong doings, errors, and swindling. The SOD promotes shared responsibilities and prevents just one person from accessing company's critical assets. The concept of SOD is derived from the notion that giving complete control of critical systems and vulnerable processes to one single individual can increase risks.
Documentation is a critical component of any internal control. Maintaining appropriate records enables storing and safeguarding of documentation, and includes destroying any tangible obsolete records. A GRC platform like VComply helps organizations maintain a central repository of records, and associate proofs or evidence for a control. It also facilitates role based access to records and restricts unauthorized access. A backup of the data ensures that there is no data loss.
Independent internal verification or audits ensure that that controls are working as intended. They also assure the organization that it complies with rules and regulations, performance of operations are effective, and financial reporting is accurate.
Physical as well as digital safeguards help protect company's assets. They can be physical e.g. locks or intangible e.g. – passwords and pins . Irrespective of the methods, they are an important feature of the company's internal control plan. Documents such as blank checks, company letterhead and signature stamps are items that require safeguarding. One may commonly overlook this.
Thus, to ensure good governance and compliance, a company should have effective internal controls in place.
VComply is a leading GRC platform that helps meet the demands of compliance professionals by helping them perform risk assessment and implement controls. It comes with built-in compliance frameworks that helps you automate the implementation of compliance controls.
When the internet and technology are the lifeblood of modern business operations, it is no wonder that data privacy has taken the center stage. According to a Pew Research Center report, 79% of consumers have raised concerns about personal data that organizations collect. These concerns have as much to do with discrimination and law as they do with ethics and policy. Across the EU, UK, USA, China, Singapore, and virtually every other location on the planet, the regulatory landscape for data privacy has changed and continues to evolve. In the EU, the General Data Protection Regulation (GDPR enforceable in 2018) and its policies have effected change worldwide.
EU regulators and legislators indicated that businesses' almost laissez-faire approach toward data protection compliance had gone on for far too long and that the GDPR would rectify this. And it did. Today, the cost of data privacy infractions can amount to a hefty penalty of up to €20 million or 4% of the company's annual global turnover. Moreover, on account of the GDPR's broad territorial scope, it is regarded as a standard globally, and businesses invest heavily to keep up with the compliance regulations.
However, despite efforts, a report published by DLA Piper states that data breach fines and notifications between January 2020 and 2021 increased by 40% and 19%, respectively. Naturally, this double-digit growth isn't conducive to healthy business operation and implores the question, 'What can or should companies do to mitigate losses due to data privacy non-compliance?' For insight on the matter, read on to know how companies can prepare for the inevitable progression of GDPR or any other such data privacy laws and regulatory guidelines.
The first approach companies could take is to hire a data protection officer or DPO. This is a relatively new role for most institutions and should exist, especially considering how quickly regulatory reforms can occur. A data protection officer is a professional tasked with doing all the heavy lifting in ensuring that the organization remains compliant with the GDPR. As a matter of fact, it is a mandatory requirement by the GDPR that a company must hire a DPO if it handles personal data of EU residents.
Ideally, companies should look inwards at personnel working within the IT or legal departments for the role of DPO. A DPO's responsibilities often overlap with those of a Chief Data Officer and these professionals serve as viable candidates for the job. However, to be effective, it is important that the DPO receives formal training on GDPR. Organizations such as the Association of Data Protection Officers and the International Association of Privacy Professionals (IAPP) offer courses on data privacy and security. There is a talk that the GDPR will likely create entities that offer certification for such courses in the near future.
In a bid to save on costs, it is quite common for companies to take legacy systems forward with every passing year. While this may have worked a decade ago, it definitely won't in today's environment. Legacy systems used to track, enter, and monitor data make staying compliant difficult, especially when dealing with a breach. The solution here is to evaluate the efficacy of existing data management tools with today's standards.
A good starting point would be to get rid of systems that don't easily integrate with workflow automation. Manual inputs and processes increase the risk of noncompliance, and new-age tools can help address this problem. One smart and effective solution is the VComply GRC software suite. VComply allows you to establish a centralized data model, where a single repository of all critical documents may be maintained. This enables easy management, tracking and can aid quick breach redressal when dealing with risk data.
An effective way to stay ahead of GDPR changes is ensure that the current documentation is maintained with maximum accuracy and as per requirements. Under the GDPR, all data-intensive projects must have privacy impact assessment (PIA) documentation, which must be accessible to everyone involved in a project. This is non-optional as it is a process that accounts for all the privacy risk present with any data a company collects from consumers.
Ideally, a comprehensive PIA should be able to document all key data-related information. Here is a table that highlights the main verticals and the type of data that should be documented.
It comes as no surprise that data security is a key part of the GDPR compliance journey. To stay ahead of the ever-changing environment, companies should design all security measures with privacy as a priority. Common measures include creating workflows that govern data access, both on-site and remotely. As per the GDPR, an external data breach can even be a situation where an unvetted temporary employee is granted full access to data through a generic log in.
Such cases of unsecured data access can be solved by implementing clearly defined user access controls. Besides these, security measures extend to monitoring and logging. This is another branch of data collection, albeit internal, and should be handled in keeping with the GDPR.
Before the GDPR took hold, data privacy may have not been a key part of the risk assessment and management strategy. This needs to change in order to adapt to the modern-day requirements and data privacy should be given its fair share of importance within these protocols. This includes designing specific risk assessment models, having controls to mitigate risks, and understand the impact of these risks and the extent of their exposure.
Considering that the GDPR guidelines will continue to evolve with every passing year, it is safe to assume that companies will soon have to learn to adapt on the fly. These 5 measures should help prepare for many reforms, especially if the company has the right tools at its disposal. The VComply GRC software suite offers such a solution to organizations to map their data and efficiently implement controls to track and manage compliance with GDPR regulation. To address any queries or know more about the provision, contact us online.
A holistic GRC management is incomplete without policy management. In an ideal world, policies guide an organization to follow the rules and regulations, prepare for internal and external audits, and finally keep the organizations away from risks. However, the reality seems to be different. Many of the organizations seem to have only very basic policy management system in place. It can cause severe consequences as it leaves you at the risk for financial losses, security breaches, and overlook the improvement initiatives.
Let's see the major risks companies can face not implementing a full-blown policy management system, and how to avoid them.
Is the policy document approved? Who approved it? Are we distributing the approved version of the policy to employees? These are some of the common questions that we hear in organizations. Policies usually require multi-level approvals. There could be occurrences that the organizations' performance improvement initiatives can get delayed due to a missed approval.
VComply helps you set up workflows for multi-level approvals. Instead of manually sending a policy and wait at every turn for a manager to approve a policy and then send it to another level for approval, you can automate the whole approval process and configure parallel, round-robin, or sequential level of approval.
The lack of having a central repository can create chaos when it comes to working with multiple policies. The employees find it difficult to choose which version of the policy is to be followed in a manual set up. VComply encourages efficient policy management as all the policies are centrally located, saving employees' time retrieving the policy. VComply's policy portal helps ensure that your organization complies with laws and regulations, and helps share policies with your stakeholders for attestation or reference.
Organizations using disparate and disconnected systems for risk, compliance and policy management miss the integrated system's benefits. Compliance, Risks management, and Policy management share interrelated tasks and common objectives. Combining these processes, and establishing transparency and accountability requires an integrated and linked system.
VComply's GRC management is tightly coupled with policy management and helps implement proactive and risk-based policy management. It saves time, effort and money – and streamline the efforts required for managing risks, compliance, and policy management.
Every policy management workflow should define the policy owner and with whom the policy is intended to be shared and not. VComply's Workflow Management System should allow you to customize what each user can see and edit. It enables business-level control of access rights by using roles to match user permissions to the organization
A comprehensive policy management tool can alleviate the difficulties in creating and implementing policies. Cloud-based solutions like VComply’s Policy Management Software give you a powerful way to create, modify, distribute, and test policies. For instance, with VComply, you can create questionnaires to gauge the effectiveness of a policy, assign privileges to give proper access, have a convenient audit trail, get real-time alerts, and more. Policy is a crucial component of GRC and VComply offers a range of tools for governance, risk, and compliance management.
Having considered what a policy management process looks like and some reasons to invest in a policy management solution, deliberate on how to better govern your organization. Remember, the cost of bad policy management may far exceed that of investing in a policy management solution. So, when the time is right, do not think twice about using a smart software to empower your efforts!
The primary role of auditors is to help the organization remain compliant and meet its objectives efficiently. The growing and changing needs of stakeholders, crisis management requirements, and uncertainty have widened the scope of internal audits. In response to these requirements, new trends have emerged in the field of internal audit that will add value to the organization and guide it through the landscape of risks.
Here are some of the new trends in Internal Auditing:
Disruptions, threats, uncertainty, and changes are part of today's organizations. Starting from cyber-attacks, climate change to supply chain disruptions, organizations face numerous challenges. They need a resilient approach, frameworks, and mechanisms to bounce back when dealt with unexpected risks. Internal auditing should assume bigger responsibilities beyond just evaluating the company's compliance challenges, fraud detection, and reporting in this environment. Internal auditing should take on a central strategic role in an organization and provide insights to the management to run the organization efficiently. It should provide guidance to govern risks, stays compliant, and implement an operational resilience strategy.
The pandemic has forced companies to go remote. And, at least for some companies, the trend is remote from now on. Similar to other functions, audit functions need to resort to tools that overcome communication and availability challenges. The adoption of communication technologies enable audit evidence collection, review of records, and report generation to support audit conclusion. The companies must conduct risk assessment and document the outcomes achieved through remote auditing. Internal audit must take up a proactive role by giving insights concerning different risks, challenging practices, processes, and the organization's overall risk landscape.
Audit teams need to agile to keep up with the increasing pressures of the organizations. They should let go of their rigid practices and long audit cycles, instead, focus on the organization's present needs, respond to quickly to changing risks, adopt short and accelerated audit cycles, and fewer documentation requirements. Agile auditing empowers auditors to prioritize audits based on its importance and provide long standing value.
While many companies are looking at technology specific to audit function, others already invested in technology are expanding the role of automation and analytics. Audit automation simplify the process of constructing new audits and creating new checklists. It ensures that non-compliances and weak areas are properly addressed. Thanks to advanced machine learning techniques, auditors are gaining invaluable insights by accurately analyzing mass amounts of information, saving time and money. Meanwhile, advanced analytics can shed light on new risk patterns, anomalies, internal control gaps, or opportunities. They help internal auditors improve the scope and quality of their work, while also delivering better insights to stakeholders.
Organizations use GRC tools such as VComply to conduct audit programs, schedule audit checklists, and issue audit report. The advantage of such a tool is that you can monitor and improve upon control systems and areas of risk in an ongoing manner and in real time too. Moreover, you govern your business better as you are no longer working in silos and with spreadsheets, but organization-wide, with customized software. VComply, for instance, allows you to schedule tests, classify incidents, track progress and more. Now that you are aware of the basics of conducting an internal audit, venture forth to create a robust and consistent business process!
According to an analysis by Atlas VPN, credit card fraud cases surged by 104.7% when you compare Q1 of 2019 and 2020. Likewise, Julie Conroy, a research director at Aite Group, reported that by the end-2020, credit card fraud losses in the US amounted to a staggering $11 billion! These facts make it clear that the digital payment ecosystem is rife with vulnerabilities. After all, security gaps can emerge at various points of handling, storage, and transmission, such as at POS devices, e-commerce apps, Wi-Fi hotspots and personal computers.
To create a safer payment ecosystem, major players, namely, American Express, JCB, MasterCard, Visa, and Discover formed the Payment Card Industry Security Standards Council (PCI SSC) and subsequently, a standard for data security, the PCI Data Security Standards (PCI DSS). The latest version of PCI DSS is v.3.2.1 and though PCI DSS is not a law, it is expected that the industry needs to be compliant with its requirements as non-compliance entails hefty fines and lost business opportunities and customers.
If you handle, store, process, or transmit credit card data you ought to be PCI DSS compliant. Moreover, your card processing agreement normally requires you to be so. Depending on how much sensitive information visits and resides in your systems, your compliance requirements could be more or less, complex or basic.
Achieving PCI DSS compliance entails adhering to 12 high-level requirements, and depending on your compliance needs, 300+ controls. Here is more on how to comply with PCI DSS.
PCI DSS compliance is validated against a list of PCI DSS requirements. Read on to know more.
Document a security policy: Protecting sensitive data is the responsibility of all employees and to set the right tone, PCI DSS requires that you establish, publish, maintain, and disseminate a security policy that educates personnel on what is needed from them.
Depending on your compliance level, you will determine which networks and components are in PCI DSS scope.
Assess system components within scope: Each PCI requirement has corresponding testing procedures, and at this stage you must check for compliance and identify gaps. Level 1 businesses need to conduct an onsite assessment and draft an Annual Report on Compliance (ROC). A Qualified Security Assessor or an internal auditor will be involved in the process. A QSA is a PCI-SSC-approved independent security organization that validates your business’ adherence to PCI DSS.
If you belong to Level 2-4, assess your compliance by filling out an annual Self-Assessment Questionnaire (SAQ). There are 9 SAQs and these comprise Yes-or-No questions for each PCI DSS requirement. You need to use the SAQ relevant to you only. Every quarter or less, businesses at all levels engage the services of an Approved Scanning Vector (ASV) to check for external scanning requirements of PCI DSS. Depending on the gaps present, you will need to adopt certain security controls and protocols. The 12 PCI DSS security requirements outlined above indicate how you should go about protecting sensitive information.
Report, attest, and submit: After assessing and taking remedial measures, documentation of the SAQ/ ROC and compensating controls occurs. You can then fill out a formal Attestation of Compliance (AOC) and have it verified by a QSA to show that you are in full compliance with PCI DSS. You can submit your SAQ, ROC, AOC, etc., to any organization requesting them with everything in order.
Remember, PCI DSS compliance is not a one-time task. It involves an ongoing process of assessing, repairing, and reporting. It requires you to bring together your legal, technology, finance, and security teams for a common purpose, and a software solution like VComply can help you manage and monitor the 300 odd security controls you may need to set in place. With it, you can easily delegate responsibilities, conduct gap analysis, generate reports, get prompt alerts, and more. With PCI DSS 4.0 slated to arrive in mid-2021, getting compliant today is the best thing you can do to prepare for the future. So, take steps towards securing your cardholder data environment and use VComply to accelerate your compliance efforts manifold!
Risk management is the process of identifying, assessing, and managing risks in an organization. In times of uncertainties, the organization looks to risk managers to make crucial decisions about risk management and mitigation. Risk officers are required to bring all stakeholders on the same page and decide on the organization's risk appetite. Risk appetite and risk tolerance are the two essential concepts in risk management around which misconceptions and confusion are prevalent.
Risk appetite is referred to as the degree of uncertainty or the level of risk an organization or individual is willing to accept in pursuit of achieving its objectives. If the organization is ready to take on significant risks, then its risk appetite is considered high. If an organization does not want to confront a situation that will affect the company's revenue and want to play safe, then the organization's appetite is supposed to be low.
Risk tolerance is the degree of risk that an organization can withstand. For example, if the management decides that the organization can take the financial risk up to 250, 000 USD, then the tolerance level is agreed about that much amount. Once the risk appetite and tolerance level has been defined, the risk managers can evaluate whether the existing risk framework is adequate. They need to adjust risk management strategies to keep the risks within the risk appetite.
A great understanding of risks and understanding about effectiveness of controls can add value to an organization. VComply’s risk management software provides a centralized system to determine and maintain a register of potential risks for the organization, and evaluate the impact of the risks, and implement controls for the treatment and mitigation of risks. Contact us to learn more about how VComply can help you manage your risks.
The importance of good corporate governance for an organization's success has been a topic discussed across. However, even though organizations keep in mind the principles, the different models and all the aspects of good governance, there is always scope for error and that is why issues in corporate governance are in abundance. Especially accountability issues. By now, we know how important accountability and transparency is in corporate governance. Let us look at some of the steps you could take against potential issues that you may have to face.
It is now well established that the board in any corporation plays a pivotal role in its governance, which is why care should be taken to not put undeserving, inexperienced people who are incapable of handling crucial situations and forming suitable solutions. So that everyone’s point of view is represented in the board, it is important to have a diverse group of people in the group with a healthy mix of ethnicities and men and women. Besides the board managing everything, it is important that the seriousness of the entire corporate governance business is ingrained in the corporate culture. Complying on paper is not enough; there should be visible, tangible compliance and subsequent results. Board appointments should be done by voting only and on the basis of talent and experience and not because of family contacts or influence. This will make sure that the board comprises of people who are dedicated towards working for the company’s cause and not just there for the sake of it.
The board also needs to be evaluated on the basis of their performance. The performance of directors as a group as well as individual performance need to be considered by elaborating on both qualitative aspects and quantitative aspects how they achieve objectives, how they handle ethical issues. Usually, these evaluations are called to be made public such that the results actually have an impact on the directors. However, such evaluations can become sensitive in nature and full public disclosure may turn out to negative impact on the organization.
Independent directors are accused for maintaining a passive stand regarding the board’s decisions. However, in cases where these directors have protested against promoter decisions, they have been removed for non compliance with the promoter and this is by law as it is stated that an independent director can be easily removed by promoters or majority shareholders. This inherent conflict has a direct impact on independence. Therefore, to make sure that directors are not just simply removed from the board, there needs to be a better evaluation system in place to justify the removal and the decision of the majority should be taken into account.
Directors have duties not only towards the corporation that they head and its stakeholders but also towards its employees, the community and the environment’s protection. These general duties need to be carried out by all directors, however the independent ones come across as complacent. This may be due to the lack of actual implementation. Therefore, to further propagate accountability, the entire board must be mandated to be present for all meetings with stakeholders to incite healthy camaraderie.
In some countries, the founder’s identity is often merged with the company’s identity in the sense that they identify as one and the same. The founder has immense control over the working of the company and can make or break any aspect of governance. There is a lack of succession planning and founders keep exercising their power to influence crucial decisions regarding the company. It is important that the founders chalk out a succession plan and implement it.
A risk management policy has always been imperative and has gained more importance over the years, especially in today’s world where big businesses are under the scrutiny of the media and other competitors. A proper risk management strategy needs to be chalked out and inculcated in the day to day workings of the company. The independent directors are mandated to assess the risk management systems of the company.
Today, everything is digitalized, and as much as it has an immense number of advantages, it also poses a great risk to the privacy of data. The board must be familiar with at least the basics of cyber security to protect the company against a potential data scandal. The board must invest a reasonable amount of time and money in order ensure the goal of data protection is achieved.
Companies that meet the specific criteria/thresholds are required to constitute a CSR committee from within the board. This committee goes on to frame a CSR policy. Companies are required to spend at least 2% of the average net profits of last three financial years on CSR activities. In case the expenditure is not carried out, proper justification needs to be provided. CSR is important and CSR projects should be managed by board with as much interest and vigor as any other business project of the company.
A good corporate governance system ensures transparency, fairness, and accountability. VComply offers a complete GRC management solution to help you streamline everyday compliance processes with a centrally managed, cloud-hosted system.