You are on page 1of 45

Integrated Risk and Compliance

Management at Microland

Version 1.0

1
1 Background.............................................................................................................................................................................. 5
2 Overview .................................................................................................................................................................................. 5
3 Challenges at Microland........................................................................................................................................................... 6
4 Objective of the framework....................................................................................................................................................... 6
5 Compliance Management Framework at Microland .................................................................................................................. 7
6 ICRM Governance ................................................................................................................................................................... 8
6.1 Microland’s Compliance Policy ....................................................................................................................................... 8
6.2 Governance Structure .................................................................................................................................................... 9
6.3 Roles & Responsibilities ................................................................................................................................................. 9
7 Integrated Risk and Compliance Management (ICRM) procedure .......................................................................................... 15
7.1 Identification of Compliance Obligations ....................................................................................................................... 17
7.2 Risk & Compliance Assessment ................................................................................................................................... 18
7.3 Compliance Risk Mitigation .......................................................................................................................................... 19
7.4 Compliance Monitoring ................................................................................................................................................. 20
7.5 Compliance Reporting .................................................................................................................................................. 20
8 Appendix A - Compliance Requirements ................................................................................................................................ 21
8.1 Legal and Regulatory Universe .................................................................................................................................... 22
8.2 Contractual Requirements ............................................................................................................................................ 29
 Clifford Chance Contractual Requirements........................................................................... Error! Bookmark not defined.

 Deutsche Bank Contractual Requirements ........................................................................... Error! Bookmark not defined.

 Ernst & Young Contractual Requirements ............................................................................ Error! Bookmark not defined.

 Serco Contractual Requirements.......................................................................................... Error! Bookmark not defined.

 Waste Management Contractual Requirements ................................................................... Error! Bookmark not defined.


8.3 Data Protection and Privacy requirements .................................................................................................................... 30

 ISO|IEC 29100:2011 ......................................................................................................................................................... 30

 HIPAA - 1996 .................................................................................................................................................................... 30

 HITECH ACT - 2009 ......................................................................................................................................................... 30

 PCI - DSS V2.0 ................................................................................................................................................................. 30

 UK Data Protection Act - 1998 .......................................................................................................................................... 30

 European Union Data Protection Directive - 1995 ............................................................................................................. 30

 USA - THE PRIVACY ACT - 1974 ..................................................................................................................................... 30

 USA - Texas State Privacy Laws ....................................................................................................................................... 30

 Canada - PIPEDA - 1995, 2007......................................................................................................................................... 30

 Germany Data Protection Act - 2003 (Amendment, 2009) ................................................................................................. 30

 Singapore Data Privacy Act - 2012.................................................................................................................................... 30

 USA - EU Safe Harbor Principles ...................................................................................................................................... 30

 USA - California State Laws (S.B. 1386) ........................................................................................................................... 30


8.4 Information Security requirements ................................................................................................................................ 30

 ISO|IEC 27001:2005 ......................................................................................................................................................... 30

2
 ISO|IEC 27001:2013 ......................................................................................................................................................... 30

 Her Majesty's Government - Information Security Policy ................................................................................................... 30


8.5 Business Continuity requirements ................................................................................................................................ 30

 ISO 22301:2012 ................................................................................................................................................................ 30


8.6 Others .......................................................................................................................................................................... 31

 Graham-Leach-Bliley Act (GLBA)- 1999 ............................................................................................................................ 31


9 Appendix B – Risk Assessment Methodology......................................................................................................................... 31
9.1 Introduction .................................................................................................................................................................. 31
9.2 Objective of the Risk Management Methodology .......................................................................................................... 31
9.3 Risk management methodology ................................................................................................................................... 32
10 Appendix C – Glossary .......................................................................................................................................................... 44

3
Revision History

Revision Name Department Date Description

Reference Documents

Document Name Version Location

4
1 Background
Organizations globally are finding that their stakeholders (particularly senior management)
are seeking both greater assurance regarding risks and compliance adherence within the
organization. Traditionally in organizations, the governance, risk and compliance functions
or frameworks each have a separate operation and focus. The employees who operate or
have oversight of these functions are located in different divisions, locations with different
reporting structure. This has resulted in -

 A disconnect between governance, risk and compliance functions themselves and


their interaction with relevant organizations (Internal/External)
 Duplication of effort and multiple approaches to manage similar risk and controls.
 Inconsistent approach to governance, risk and compliance
 Lack of transparency and uniformity in approach across compliance activities.
 Increased risk of unidentified gaps in the organization.
 Lack of a single view of the overall compliance across the organization.

To overcome such challenges organizations are looking towards an integrated approach to


manage risk and compliance and increase efficiencies.

2 Overview
Microland (hereafter referred to as the “company” or “organization”) deals with various
compliance requirements arising out of legal, statutory bodies and other internal policy such
as information security, business continuity, privacy and contractual requirements. Currently
Microland’s compliance activities are handled by different areas within the organization with
individual departments/functions/projects handling their respective compliance activities and
reporting. A consolidated view of all such compliance requirements, gaps and overall
compliance reporting mechanism was non-existent.

Corporate compliance adherence is critical to the organization and needs to be addressed


with high importance. With the current state, the organization has intended to implement a
strategic approach to form an integrated compliance and risk management framework as the
first step to improve compliance management and reduce duplication of activities. This
framework ensures that Microland’s compliance requirements are managed, monitored and
projected with an integrated view. Microland believes that by embedding robust internal
controls across organization’s people, process and technology boundaries, it will be
successful in achieving both compliance and improved business process performance.

This document mentions the Integrated Compliance and Risk Management (ICRM)
framework implemented at Microland. To further support the integrated approach, Microland

5
has deployed a GRC solution. e-GRC assists the organization in managing and monitoring
enterprise GRC requirements.

3 Challenges at Microland
Each legal and regulatory requirement is complex and requires significant organizational
planning and effort to achieve compliance. The challenge Microland faces was exacerbated
by a number of factors:

• Geographically disbursed locations around India(Bangalore, Mumbai, Chennai,


Gurgaon) as well as Global(USA, Canada, UK)
• Lack of available personnel to focus on internal control requirements and completing
the operational mission of the agency
• Lack of an Internal Audit function within the organization.
• Compliance efforts are decentralized, limiting the ability to share information and
coordinate efforts
• High dependence on manual control compliance procedures with limited use of
technology
• Lack of technology to support documentation, testing, and reporting of compliance
activities
• Lack of policy and procedures around compliance management.

4 Objective of the framework


The aim of the Compliance and Risk management framework is to:

Provide a system and structure within which the board, management and
employees operate to ensure compliance
 Establish a risk based approach that provides assurance to the board that
Microland is complying with all applicable laws, regulations and contractual
requirements.
 Establishing an integrated approach for compliance management
 Inculcate a compliance culture throughout organization
The compliance framework is aimed at enhancing value for all of Microland’s stakeholders.

6
5 Compliance & Risk Management
Framework at Microland
The purpose of the Compliance & Risk management Framework is to implement an
integrated approach to effectively manage organizational compliance and risk with the
identified laws, regulatory, statutory and contract requirements. This document establishes
an appropriate strategic framework that defines the responsibilities of both management and
employees and facilitates the implementation of robust practices for the effective
management of compliance obligations.

The Framework specifically consists of the policies, processes; tools and structures that help
identify and manage the risks around meeting objectives. The following are considered for
designing the framework.

 Centralizing internal controls documentation development, maintenance, and testing

 Adopting a program management approach to risk and compliance

 Understanding and leveraging the organization’s efforts towards disparate


compliance and internal control requirements, thereby minimizing the need for
repetitive activities

The Compliance & Risk management framework at Microland is depicted in the figure below.
The top layer focuses on the governance of the entire Compliance and Risk management
activities through policies and a governance structure to oversee and drive the compliance
management activities. The layers below focus on the procedures, identification and
implementation.

7
Figure 1 – Compliance Management Framework

6 ICRM Governance

6.1 Microland’s Compliance Policy


 Microland will endeavor to comply with all applicable laws, regulations in order to
achieve its vision, mission and key objectives, and to protect its core values.
 The management of Microland obligates the company to compliance and recognizes
its responsibility to comply with all applicable laws.
 Microland will actively engage the senior executive in the identification and
management of compliance issues and risks.
 The risk and compliance process requires a team-based approach for effective
implementation at Microland. Microland will allocate appropriate resources to
manage compliance obligations.

8
 Each employee at Microland has an important part to play in the effective
implementation of the compliance framework.
 The Integrated risk and compliance framework is, of necessity, an evolving
document.

6.2 Governance Structure


The accountability of approving the compliance management framework lies with the Risk
and Compliance committee. The CEO has the ultimate responsibility for ensuring effective
compliance management within the organization.

The compliance management structure is mentioned in the figure below. The details of the
roles and responsibilities are defined in the section below.

Figure 2 – Compliance & Risk Management organization

6.3 Roles & Responsibilities


The roles and the compliance responsibility of various groups and individual as part of
organizational compliance are mentioned below.

9
6.3.1 Board Members Compliance obligations
The Board members of Microland provide reasonable oversight over the organizational
compliance program. Board members have explicit fiduciary and related obligations with
respect to the implementation, operation and effectiveness of compliance programs.

The Board member’s informed and attentive exercise of their duties can contribute
materially to lowering the organization’s compliance risk profile. In other words,
compliance oversight is one area of governance responsibility where Microland’s board
of directors makes a real, positive contribution to the organization and its mission.
Directors have considerable latitude, as a matter of governance, in how they organize to
carry out their compliance oversight responsibilities.

One of the key changes in an organization is to clarify and emphasize the role of
directors for corporate compliance programs. The responsibility of directors is to provide
oversight, not manage day-to-day affairs. The Board should also establish that it has
access to sufficient information and that it has asked appropriate questions that are
most critical to meeting its duty of care. The board of directors is responsible for -

 Reviewing and monitoring the leadership and commitment given to compliance


through active promotion of the organization’s Compliance Policy.
 Reviewing compliance management objectives and plans for legislative
compliance. Compliance objectives and plans will be prepared by the CEO,
approved by the Board, and held on file.

 Monitor compliance performance by way of periodic management reports and


assurances.
 The Board will, at least once a year, feature as an agenda item the monitoring of
compliance performance.

6.3.2 CEO’s Compliance Obligations


The CEO of the organization is primarily responsible for all compliance
management activities within the organization and also ensuring that Microland
adheres to the required laws and regulations. The CEO primarily is responsible for
the following.

 Ensure compliance with all applicable legal and regulatory requirements

 Prepare compliance objectives and plans for review and consideration by the
Board.

10
 Monitor performance against compliance objectives and plans, and report to the
Board on progress toward accomplishment of objectives.

 Where appropriate, delegate responsibility for compliance to officers with


responsibility for particular functions.

 Taking appropriate decisions for any compliance incident or occurrence thought


or known to constitute a breach of any legal requirement

 Review and report annually to the Board on the effectiveness of the


management systems established to deliver legislative compliance.

 Analyze material breaches and identified compliance system weaknesses for


systematic trends and ensure that any adverse trends are addressed.

 Promote a culture of effective compliance across the organization


.
 Provide formal assurance to the Board as to the state of compliance of the
organization.

6.3.3 Risk & Compliance Committee


The Risk & Compliance committee at Microland should fulfill the Board’s obligation to
become knowledgeable about the content and operation of the compliance and risk
management program and to exercise reasonable oversight with respect to the
implementation and effectiveness of the same. The committee is constituted with
representations from Finance, legal, HR, CIS and Risk and Compliance.

The Committee receives periodically, compliance reports prepared by the Risk and
Compliance department in consultation with operational, Finance, legal and other
control function personnel. The overall responsibilities of the Risk and Compliance
committee are -

 Reviewing whether Microland has in place a current and appropriate


‘enterprise risk management’ process, and associated procedures for
effective identification and management of compliance risks.

 Reviewing the effectiveness of the system for monitoring Microland’s


compliance with applicable laws and regulations, and associated policies.

 Investigate potential violations of law and then to take appropriate


remedial action once the facts and legal exposure have been analyzed.
Remedial action may include system enhancements, disciplinary action,
and disclosures to regulators, clients, counter-parties or other key
stakeholders.

11
 The compliance committee should regularly receive reports concerning
the company’s key compliance-related investigations and the remedial
actions undertaken in response to them.

6.3.4 Risk & Compliance Manager


The Risk and Compliance manager is responsible for the overall design of compliance
management framework, implementation and operationalizing the same. The manager
is responsible for providing compliance reports to the Risk and Compliance committee
and the senior management.

 Liaise with other Risk Management functions as well as Legal, department heads,
employees, management to ensure an integrated approach to compliance and risk
management and reduce duplication of work.

 Identifying compliance requirements and obligations

 Keep abreast of regulatory and industry trends to manage Compliance Risk and
advise relevant stakeholders and the compliance risk management function;

 Ensure accurate and timely reporting to the Risk & Compliance Committee, CEO,
and Board of directors. The compliance function of the corporation should provide
sufficient data to the compliance committee relating to the effectiveness of key
controls to enable the committee to exercise reasonable oversight.

 Manage internal and external reporting on the status of compliance risks.

 Ensure compliance risk management communications and training support to the


business lines as required

 Drive the ongoing evolution of the framework to ensure relevance and strategic
competitive advantage

 Developing and communicating the annual compliance plan.

 Ensuring that staff are trained and have the necessary knowledge and
understanding to perform their duties in compliance with the policy and all relevant
requirements of the law

 Conforming to and applying relevant requirements of the Law and regulations within
the workplace

12
 Ensuring that systems and procedures established to make the policy effective are
operational

6.3.5 Compliance Analyst


The Compliance Analyst assists the Risk and Compliance manager in performing day to
day compliance management activities. The various activities include scheduling
compliance assessments across the organization, assisting the Compliance SPOCs in
performing compliance assessments, Identifying internal reporting and dashboard
requirements and communicating the same to the GRC administrator.

 Prepare the assessment schedule based on discussion with the Compliance


SPOCs and R&C Manager.

 Identify Reporting and dashboard requirements and communicate the same to the
GRC Administrator.

 Liaise with the GRC administrator for e-GRC management and administration.

 Initiate assessments based on the assessment schedule.

 Monitor assessment progress and provide reports.

 Perform compliance control analysis and rationalization activities.

 Participate in meetings related to compliance matters within the organization.

 Organize Risk and Compliance committee meetings.

 Monitoring of compliance reports submission to external bodies.

 Tracking identified Compliance gaps for closure.

6.3.6 GRC Administrator


The GRC administrator is responsible for the overall administration of the e-GRC
solution used at Microland for Compliance Management. The responsibilities of
the GRC administrator are mentioned below.

 Configuration of the e-GRC tool based on the organization’s requirements.

 Maintenance and update of documentation pertaining to the GRC tool.

13
 Administration activities such as liaising with the service provider for issues and
resolution

 Liaise with the Compliance Analyst to understand dashboard and reporting


requirements and configure the same in the tool.

 Design workflows and notifications in the GRC tool based on the Compliance
analyst requirements.

 User access management (Addition and removal of users)

6.3.7 Compliance SPOCs


The compliance SPOCs are individuals from each of the function/sub-function
appointed by the business unit head. The Compliance SPOCs are responsible for
compliance management and reporting for their specific applicable laws and regulations
and also any other dependency for other compliance requirements. The Compliance
SPOCs liaise with the Risk and the Compliance function for overall reporting and
compliance management. The responsibilities of the Compliance SPOCs are mentioned
below.

 Interacts with the compliance Manager on compliance matters.

 Support the Risk and Compliance department in all compliance activities and / or
delegated responsibilities applicable to their respective function.

 Ensure that Compliance requirements are identified by interaction with the


respective business head.

 Ensure that respective line of business within which they operate comply with all
applicable laws.

 Ensure that compliance reports are published to external bodies in time.

 Supports the compliance function in performing Compliance assessments.

 Highlights compliance related gaps and issues to the Risk and Compliance function
as well as the Business unit head.

 Participate in meetings related to compliance matters within the organization.

14
 Promote compliance culture within their business unit.

 Maintain an ongoing relationship with regulators relevant their functions.

 Identify and manage the Compliance risks of the corporation and implement
appropriate systems and procedures to mitigate such risks.

 Designing and implementing system enhancements to correct weaknesses that


could result in a breach of such a requirement.

6.3.8 Employees
Complying with applicable laws, regulations and standards in business conduct is the
responsibility of every employee. Management is responsible to identify and
communicate minimum compliance requirements that each employee must fulfil in day-
to-day business activities (established at the departmental or organizational level)

Microland employees are key players in the process of complying with all applicable
laws.

 Employees must find out what compliance obligations impact their day-to-day
business activities and must make sure they understand and meet them.

 Employees are responsible for ensuring compliance with all the regulatory,
legislative and internal policies and procedures associated with the activities at their
respective level.

 Report any Non-Compliance immediately to the respective Compliance SPOCs.

Consultants and Contractors working for Microland are also responsible to ensure
compliance requirements are adhered to.

7 Integrated Compliance & Risk


Management (ICRM) procedure

The Integrated Compliance and Risk Management operating procedure is a key component
of the compliance management framework and articulates how compliance management is
to be implemented and how compliance management processes are to be carried out and
the associated responsibility for carrying out each stage of the process.

15
The ICRM procedure is primarily divided into 5 phases with each phase having unique sets
of activity. The details of the phases are given below in the next sections.

Figure 3 – ICRM Framework

a. Identification of Compliance obligations – This phase deals with identifying the


various compliance requirements for Microland.

b. Risk and Compliance assessment – This phase deals with performing Compliance
risk assessment and identifying gaps with respect to the compliance requirements.

c. Compliance Risk Mitigation - The compliance Risk mitigation phase deals with taking
appropriate decisions and relevant action for closure of the risks identified in the
previous section.

d. Compliance risk Monitoring – This phase deals with monitoring the identified gaps for
closure.

e. Compliance reporting – Compliance reporting deals with reporting on compliance


activities and results at appropriate forums and bodies as relevant.

16
7.1 Identification of Compliance Obligations

Organizational compliance requirements are identified during this phase. Compliance


requirements can either be:

 Regulatory compliance requirements (legal, regulatory, Statutory, license,


contractual).

 Business compliance requirements (Internal Policy)

Steps

a. The compliance SPOCs identifies the compliance obligations in their respective


functions or departments. The compliance requirements are identified through.

 Knowledge of the business environment


 Communication from regulatory bodies
 Communication with industry bodies
 Professional associations and memberships
 Research
 Internally liaison from other departments such as Legal, Finance.
 Manually monitor key information sources such as government, regulatory
and legal websites

The same are communicated to the R&C Analyst, Department head and R&C
Manager. The department, Business unit head provides consent on the same. Any
new/changes to the compliance requirements needs to be communicated to the Risk
and Compliance Department and follow the subsequent process.

b. The Risk and Compliance Department maintains the compliance requirements for
the organization. The scope of the ICRM compliance is decided by the Risk and
Compliance Manager in consultation with the R&C Committee. A signoff is taken on
the same from all the stakeholders – Business Unit head, R&C Manager and R&C
Committee. The Master requirements library is updated accordingly by the
Compliance Analyst.

The Entire ICRM framework master document is maintained in the form of


an Excel record and forms the master document for the ICRM framework at
Microland. The details of the process to be followed for updating the
document are mentioned in the process flows tab of the same.

17
c. Once the Compliance requirements are finalized, individual controls required for the
same are identified by the Compliance SPOCs. The details are provided to the
Compliance Analyst for updating the Knowledge base section of the ICRM
framework master document.

d. The GRC solution is updated with the necessary question sets by the GRC
administrator.

Modulo (IT GRC tool) is used for managing the ICRM framework compliance at
Microland. The solution is managed by the Risk and Compliance department.
Compliance management Workflows and assessment objectives and
dashboards are configured in the tool.

The list of compliance requirements of Microland is mentioned in the Appendix section.


The Compliance requirement is dynamic and will evolve over time as new compliance
requirements are identified and others cease to exist. To support this evolution, the
Compliance list should be reviewed on an annual basis to incorporate any emerging
areas of compliance or any areas that are no longer required by the organization.

7.2 Risk & Compliance Assessment


The risk and compliance assessment deals with identifying compliance risks and performing
compliance assessment. The first step towards compliance assessment is risk assessment
to ascertain potential risks and criticality of such risks arising out of non-compliances to the
identified laws, regulations.

The Risk assessment is performed based on the Risk assessment methodology defined at
Microland. It takes into consideration various threats and probability of occurrence for
performing risk assessment.

The risk assessment methodology is mentioned in the Appendix Section of the


document. The compliance risk assessment should be performed using the
processes outlined in the document.

18
Steps

a. The assessment Knowledge bases and Surveys are designed by the Compliance
Analyst and approved by the Risk and Compliance manager and shared with the
GRC administrator.

b. The Compliance Analyst defines the Risk assessment parameters which are
Probability, Severity and Relevance with respect to each control question. The same
is shared with the GRC administrators for configuration in the GRC tool. This is a
one-time activity and changes to the questions and parameters are performed based
on changes to compliance requirements.

c. Once the tool is configured the Compliance analyst initiates the Risk assessment
targeted to different business units based on the control target. The assessments are
targeted to the identified Compliance SPOCs.

d. Compliance for different business functions is calculated based on the risk


assessment questionnaires. The compliance scores are calculated and reported
through dashboards.

7.3 Compliance Risk Mitigation


Gaps identified as a part of the compliance assessment must be reported and managed.
Gaps are reported and managed based on the risk and severity.

Mitigation plans involve selecting one or more options for reducing the risk and implementing
those options. Once implemented, treatments provide or modify the controls that will either
reduce the likelihood of a risk occurring or reduce the consequence or impact if it does
occur. Decisions for further action are taken at appropriate levels as mentioned in the chart
below.

R&C Department Compliance


Involvement> Board CEO Legal
Committee Head SPOCs
Risk level

Very High C, I C, I, R R, C, A C R R
High C, I C, I, R R, C, A C R R
Medium I C, I C, I C, I R, A R
Low / Very R
I I C, I C, I R, A
Low

Table 1 – RACI Chart

19
R- Responsible

A - Approval

C - Consulted

I - Informed

Identified Gaps and the mitigation is allocated to a person who would be responsible for
ensuring that the gaps are closed within the time frame decided. Risk treatment plans should
be developed and implemented for all risks rated Medium, High, Very High and where these
are legal and statutory requirements.

7.4 Compliance Monitoring


For compliance management to be effective, performance of the compliance management
processes should be continually monitored and measured. This includes the performance of
individuals Business units in managing their own compliance obligation Performance can be
measured through monitoring of achievement against defined key performance indicators
(KPIs) or through internal or external assurance activities such as audits or reviews.

A sample list of such KPIs are mentioned below

 Compliance index / score


 Risk index / score
 Top 10 Risks
 Risk distribution
 Compliance index / score trend
 Risk index / score Trend
 Overdue Risks

7.5 Compliance Reporting


7.5.1 Internal Reporting
Internal reporting consists of reports that are provided to the Risk and Compliance
committee, CEO and the board of directors. These reports are prepared by the risk and
compliance department based on compliance activities and the results. At a minimum, the
following reports needs to be designed and communicated.

 Quarterly reports to the Risk and Compliance Committee.


 Annual Reports to the board of directors

20
7.5.2 External Reporting
Each manager is responsible for completing and lodging the reporting requirements for
compliance obligations which fall under their area of responsibility, by the required date, to
required party with the appropriate level of internal approval.

Report Name Responsibility Authorities Frequency

Table 2 – Report Details

7.5.3 Dashboards
A sample of possible dashboards is provided here:

Microland - GRC -
Dashboard Samples V1.1.pptx

8 Appendix A - Compliance
Requirements
As a geographically spread organization Microland has a significant number of compliance
obligations, at both regional and global level. To ensure that the organization can comply
with all of its obligations, it is important to identify laws and regulations which impose a
compliance obligation. These obligations may arise because Microland is, for example, an
employer, a provider of services and its location of operations.

The compliance requirements at Microland have been categorized into 5 different groups.

a. Regulatory & legal universe


b. Contractual requirements
c. Data Protection and Privacy requirements
d. Information Security requirements
e. Business Continuity requirements

The details of the laws, regulations and standards are mentioned in the sections below.

The Risk and Compliance Manager compiles and updates the master requirement library by
discussion with:

21
• CEO
• Head of divisions who indicate that the is applicable to their specific
operations
• Representatives of delivery operations

The Master requirement library is present in the ICRM Master document under the
sheet Master requirments Library.

8.1 Legal and Regulatory Universe

The term “regulatory and legal universe” denotes a complete list of Indian laws, regulations,
rules, codes (“all applicable laws”) that Microland must comply with. The list all such
requirements along with the responsible department is mentioned in the table below.

Sl No. Name of the Law, Regulations, Codes Responsibility

A INDUSTRY SPECIFIC LAWS

1 STP Scheme rules Finance

B GENERAL BUSINESS LAWS

2 Companies Act, 2013 Finance

3 The Foreign Exchange Management Act, 1999 Finance

4 The Competition Act, 2002 Legal

5 Prevention of Corruption Act, 1988 Legal

6 The Arbitration And Conciliation Act, 1996 Legal

7 Transfer of Property Act, 1882 Legal

8 The (Indian) Contract Act, 1872 and The Specific Relief Act, 1963 Legal

9 The Negotiable Instrument Act, 1881 Finance

10 Prevention of Money Laundering Act, 2002 Finance

11 Collection of Statistics Act, 1953, and Collection of Statistics (Central) Rules, Finance
1959

22
12 Foreign Trade (Development and Regulation) Act 1992 and The Foreign Finance
Trade (Development and Regulation) Amendment Act, 2010 and Foreign
Trade (Regulation) Rules, 1993

13 Information Technology Act, 2000, Amendment (2000/2008) CIS

C SAFETY & ENVIRONMENT LAWS

14 The Environment (Protection) Act, 1986 and The Environment (Protection) Admin
Rules, 1986 and The Environment (Protection) Amendment Rules, 2004

15 Noise Pollution (Regulation And Control) Rules, 2000 Admin

16 The National Environment Tribunal Act, 1995 Admin

17 DG Set Rules Admin

18 E-Waste (Management and Handling) Rules 2011 CIS

D INTELLECTUAL PROPERTY LAWS

19 Trade Marks Act, 1999 Legal

20 Copyright Act 1957 Legal


Copyright Amendment Act 2012
Copyright Rules 2013

E EMPLOYMENT LAWS

21 Fatal Accidents Act , 1855 HR

22 Children (Pledging of Labour) Act, 1933 HR

23 Employers' Liability Act, 1938 HR

24 Employment Exchanges (Compulsory Notification Of Vacancies) Act, 1959 HR


and Employment Exchanges (Compulsory Notification Of Vacancies) Rules,
1960

25 The Employees Provident Funds and Miscellaneous Provisions Act, 1952 HR


Employees' Provident Fund Scheme, 1952
Employees' Deposit Linked Insurance Scheme, 1976
Employees' Pension Scheme, 1995

26 Payment Of Bonus Act, 1965 and Payment Of Bonus Rules, 1975 HR

27 The Apprentices Act, 1961 and the Apprenticeship Rules,1991 HR

23
28 Employees State Insurance Act, 1948 and Employees State Insurance HR
(General) Regulation, 1950

29 Child Labour (Prohibition and Regulation) Act, 1986 and HR


The Child Labour (Prohibition and Regulation) Rules, 1988

30 The Children Pledging of Labour Act 1933 HR

31 Bonded Labour System (Abolition) Act, 1976 HR

32 The Sexual Harassment of Women at Workplace (Prevention, Prohibition and HR


Redressal) Act, 2013

33 Emigration Act, 1983 and the Emigration Rules 1983 HR

F TAXATION LAWS

34 Income-tax Act, 1961 Finance

35 Service Tax (Finance Act, 1994) and Service Tax Rules, 1994 Finance

36 Customs Act 1962 and Customs Tariff Act, 1975 Finance

37 Registration Act, 1908 Legal

38 Indian Stamp Act, 1899 Legal

39 Wealth-tax Act, 1957 & Wealth Tax Rules 1957 Finance

State Specific Laws - Karnataka

A GENERAL BUSINESS LAWS

Karnataka Shops and Commercial Establishment Act, 1961 and Karnataka HR


40
Shops and Commercial Establishment Rules,1963

B EMPLOYMENT LAWS

Payment Of Gratuity Act, 1972 and Karnataka Payment Of Gratuity Rules, HR


41
1973

42 Payment Of Wages Act, 1936 and Karnataka Payment Of Wages Rules, 1963 HR

43 Minimum Wages Act, 1948, Minimum Wages (Karnataka) Rules, 1958 HR

44 Maternity Benefit Act, 1961 & Maternity Benefit (Karnataka) Rules,1966 HR

Industrial Employment (Standing Orders) Act, 1946 & Industrial Employment HR


45
(Standing Orders) Karnataka Rules, 1961

24
Industrial Disputes Act 1947 HR
Industrial Disputes Amendment Act 2010
46 Industrial Disputes Karnataka (Amendment) Act 1987

Employees' Compensation Act 1923 HR


47 The Workmen's Compensation Rules, 1924
Karnataka Workmen's Compensation Rules, 1966

Karnataka Industrial Establishments (National & Festival Holidays) Act, 1963 HR


48 and Karnataka Industrial Establishments (National & Festival Holidays)
Rules,1964

Karnataka Labour Welfare Fund Act, 1965 and Karnataka Labour Welfare HR
49
Fund Rules, 1968

Contract Labour (Regulation and Abolition) Act, 1970 and The Contract HR
50
Labour (Regulation & Abolition) (Karnataka) Rules, 1974

51 Karnataka Payment of Subsistence Allowance Act, 1988 HR

C STATE TAXATION LAWS

52 Karnataka Tax on Professions, Trades, Callings and Employments Act, 1992 HR

Karnataka Value Added Tax Act, 2003 and Karnataka Value Added Tax Finance
53
(Amendment) Act 2013 and Karnataka Value Added Tax Rules

State Specific Laws - Tamil Nadu

A GENERAL BUSINESS LAWS

54 Tamilnadu Shops and Establishment Act, 1947 and Tamilnadu Shops and HR
Establishment Rules, 1948

B EMPLOYMENT LAWS

55 The Tamilnadu Industrial Establishments (National and Festival Holidays) Act, HR


1958 and The Tamilnadu Industrial Establishments (National and Festival
Holidays) Rules, 1959

56 Industrial Disputes Act 1947 HR


Industrial Disputes Amendment Act 2010
Tamil Nadu Industrial Dispute Rules, 1958
The Industrial Disputes Tamil Nadu (Amendment) Act, 1963

57 The Tamilnadu Labour Welfare Fund Act, 1972 and The Tamilnadu Labour HR
Welfare Fund Rules, 1973

25
58 Maternity Benefit Act 1961 & Tamil Nadu Maternity Benefit Rules 1967 HR

59 Minimum Wages Act 1948, Minimum Wages (Tamilnadu) Rules, 1953 HR

60 Payment Of Wages Act, 1936 and The Tamilnadu Payment Of Wages Rules, HR
1937

61 Payment of Gratuity Act 1972 HR


Payment of Gratuity Central Rules 1972
Tamilnadu Payment Of Gratuity Rules, 1973

62 Employees' Compensation Act 1923 HR


The Workmen's Compensation Rules, 1924
The Tamilnadu Workmen's Compensation Rules 1924

63 Industrial Employment (Standing Orders) Act, 1946 and The Tamilnadu HR


Industrial Employment (Standing Orders) Rules, 1947

64 The Tamil Nadu Payment of Subsistence Allowance Act, 1981 HR

65 Contract Labour (Regulation and Abolition) Act, 1970 and Tamil Nadu HR
Contract Labour (Regulation and Abolition) Rules, 1971

C STATE TAXATION LAWS

66 Tamil Nadu Tax on Professions, Trades, Callings and Employments Act, 1992 HR
(City and Town Panchayats)

State Specific Laws - Maharashtra

A GENERAL BUSINESS LAWS

67 Bombay Shops and Establishment Act, 1948 and The Maharashtra Shops HR
and Establishments Rules 1961

B SAFETY & ENVIRONMENT LAWS

68 Non-biodegradable Garbage (Control) Act, Maharashtra 2006 Admin

C SAFETY LAWS

Maharashtra Fire Prevention & Life Safety Measure Act, 2006 and Admin
69
Maharashtra Fire Prevention and Life Safety Measures Rules, 2009

D EMPLOYMENT LAWS

70 Bombay Labour Welfare Fund Act, 1953 and Bombay Labour Welfare Fund HR
Rules, 1988

26
71 Maternity Benefit Act, 1961 & The Maharashtra Maternity Benefits Rules, HR
1965

72 Maharashtra Workmen’s Minimum House Rent Allowances Act, 1988 HR

73 Industrial Disputes Act , 1947 HR


Industrial Disputes Amendment Act 2010
Industrial Disputes Bombay Rules 1957

74 Industrial Employment (Standing Orders) Act, 1946 and Bombay Industrial HR


Employment (Standing Orders) Rules, 1959

75 Payment of Wages Act 1936 & Maharashtra Payment Of Wages Rules, 1963 HR

76 Minimum Wages Act 1948 & Maharashtra Payment Of Wages Rules, 1963 HR

77 Payment of Gratuity Act 1972 HR


Payment of Gratuity Central Rules 1972
Payment Of Gratuity (Maharashtra) Rules, 1972

78 Employees Compensation Act, 1923 HR


The Workmen's Compensation Rules, 1924
Maharashtra Workmen's Compensation Rules, 1934

79 Contract Labour (Regulation and Abolition) Act, 1970 and HR


Maharashtra Contract Labour (Regulation and Abolition) Rules, 1971

80 Maharashtra Industrial Establishments (National and Festival Holidays) Act, HR


1963
Maharashtra Industrial Establishments (National and Festival Holidays) Rules,
1964

81 Child Labour (Prohibition and Regulation) Act, 1986 and HR


The Child Labour (Prohibition and Regulation) Rules, 1988
The Maharashtra Child Labour (Prohibition and Regulation) Rules, 1997

D STATE TAXATION LAWS

82 Bombay State Tax on Professions, Trades, Callings and Employments Act, HR


1975

State Specific Laws - Haryana & (Punjab wherever Applicable)

A GENERAL BUSINESS LAWS

27
The Punjab Shops and Commercial Establishments Act, 1958 and The HR
83
Punjab Shops and Commercial Establishments Rules, 1958

B SAFETY & ENVIRONMENT LAWS

84 The Haryana Non-bio degradable Garbage Control act 1998 Admin

C EMPLOYMENT LAWS

85 Punjab Labour Welfare Fund Act,1965 HR

Payment of Wages Act, 1936 & Punjab Payment of Wages Rules, 1937 HR
86

The Punjab Industrial Establishments (National and Festival Holidays and HR


Casual and Sick Leave) Act, 1965 and
87
The Punjab Industrial Establishments (National and Festival Holidays and
Casual and Sick Leave) Rules, 1965

88 Maternity Benefits Act 1961, Punjab Maternity Benefit Rules, 1967 HR

Minimum Wages Act, 1948 and The Punjab Minimum Wages (Haryana) HR
89 Rules, 1950

Payment of Gratuity Act 1972, HR


90
the Haryana Payment of Gratuity Rules 1972

Industrial Employment (Standing Orders) Act, 1946 and Industrial HR


91 Employment (Standing Orders) Punjab Rules 1949 and Industrial
Employment (Standing Orders) Punjab (Haryana Amendment) Rules 2012

Industrial Disputes Act , 1947 HR


Industrial Disputes Amendment Act 2010
92 Industrial Disputes Punjab Rules 1958

Contract Labour (Regulation and Abolition) Act, 1970 and HR


93 Haryana Contract Labour (Regulation and
Abolition) Rules, 1975.

Employees Compensation Act, 1923 HR


94 The Workmen's Compensation Rules, 1924 (With Haryana Amendment)

State
Specific
Laws -
Andhra
Pradesh

28
A STATE TAXATION LAWS

95 Andhra Pradesh Tax on Professions, Trades, Callings and Employments Act, HR


1992

State
Specific
Laws -
West
Bengal

A STATE TAXATION LAWS

96 West Bengal Tax on Professions, Trades, Callings and Employments Act, HR


1992

State
Specific
Laws -
Gujarat

A STATE TAXATION LAWS

97 Gujarat State Tax on Professions, Trades, Callings and Employments HR


Act,1976

Table 3 – Laws and Regulations

8.2 Contractual Requirements


The contractual requirements are based on various contracts with clients and requirements
outlined in the contract documents,

29
8.3 Data Protection and Privacy requirements
 ISO|IEC 29100:2011

 HIPAA - 1996

 HITECH ACT - 2009

 PCI - DSS V2.0

 UK Data Protection Act - 1998

 European Union Data Protection Directive - 1995

 USA - THE PRIVACY ACT - 1974

 USA - Texas State Privacy Laws

 Canada - PIPEDA - 1995, 2007

 Germany Data Protection Act - 2003 (Amendment, 2009)

 Singapore Data Privacy Act - 2012

 USA - EU Safe Harbor Principles

 USA - California State Laws (S.B. 1386)

8.4 Information Security requirements


 ISO|IEC 27001:2005

 ISO|IEC 27001:2013

 Her Majesty's Government - Information Security Policy

8.5 Business Continuity requirements


 ISO 22301:2012

30
8.6 Others
 Graham-Leach-Bliley Act (GLBA) - 1999

9 Appendix B – Risk Assessment


Methodology

9.1 Introduction
Risk influences the way an organization operates. An understanding the risks that Microland
faces and managing them appropriately will enhance our ability to make better decisions,
safeguard assets, and enhances the ability to provide services to customers
Microland considers Risk management for its assets and operations as an important
responsibility. The organization has committed to ensure its moral, ethical and legal
obligations by implementing and maintaining a level of risk management which protects and
supports these responsibilities.
An effective Risk Management Framework is not only good business practice but provides
organisational resilience, confidence and benefits, including:
 Provides a framework for efficient decision-making and proactive planning
 Empowers Microland to respond to unexpected threats
 Provides competitive advantage over others
 Effective coordination of regulatory and compliance management
 Improved focus and perspective on risk across the organization.
 Provides reasonable assurance to stakeholders that critical risks are being managed
appropriately within the organization.

9.2 Objective of the Risk Management


Methodology
The objective of Risk management methodology is to
 Identify the various Compliance & Regulatory risks to organization and criticality of the
same.

 Assist the organization is understanding the implications of risk and take appropriate
decisions and actions for mitigation

31
 Ensure that risks are identified, assessed against accepted criteria and that appropriate
mitigation measures are implemented

9.3 Risk management methodology


The risk management methodology at Microland is based on the ISO 31000 standard and is
mentioned below. The details of the activities under each step are also mentioned below.

Establish
context

Risk Identification

Risk Analysis

Risk
RISK Evaluation
ASSESSMENT

Risk
Treatment

Risk Risk monitoring


communication Treat Accept Avoid Transfer and review
risks risks risks risks

RISK TREATMENT

Figure 4 – Risk Management procedure

9.3.1 Establish context

Risk management takes place within the goals and objectives of Microland. Therefore it
is essential that risk management must be placed into both at external and internal
context.

External Context

External context involves identification of relationship between Microland and the broad
environment/community. A range of issues should be considered in examining the
strategic content, including:

32
 Opportunities and threats associated with the local, regional, state and
global economic, social, political, cultural, environmental, regulatory and
competitive environments;
 Key drivers and trends having an impact on Microland’s corporate
objectives

Internal Context

Internal context involves identification and understanding of the organisation’s


capabilities, goals, objectives, strengths and weaknesses by considering:

 Organisational structure and culture


 Geographic/demographics
 The identity and nature of interaction with key stakeholders
 The existence of any operational constraints
 Objectives and key performance indicators
 Business resilience vulnerabilities
 Relevant issues relating to recent change management risk, performance
or audit reviews
 Relevant stakeholder community concerns or requirements
 Regulatory and contractual requirements and constraints
 Business management systems.

Risk management scoping

Scope of the assessment in Microland involves assets which could be the following –
People, Process, Technology, and Environment.

Microland at a broader level, considering the compliance requirements at local, regional


or global level and other internal requirements has outlined the following objectives at
strategic level.
 Compliance to Information Security Requirements
 Effective BCM
 Compliance to Privacy Requirements
 Compliance to Legal & Statutory Requirements

33
The strategic objectives are decided by the Risk and Compliance manager in consultation
with the Risk and Compliance committee.

Risk level criteria

This value denotes the risk profile of the asset in consideration. This risk for a given asset
is calculated for each and every control applicable to the asset. The risk level of the asset
is calculated based on the various possible risk values as outlined below.

Risk Level Possible Risk Values Action Required


Very Low 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16 Low Risk: Manage by Standard
Procedures
Low 25, 27, 18, 20, 24, 30 Moderate Risk: Manage by
Standard Procedures
Medium 50, 60, 64, 32, 36, 40, 45, 48 Significant Risk: Senior
Management attention needed
High 75, 80 High Risk: Risk and Compliance
committee attention needed
Very High 100, 125 Extreme Risk: Immediate Action
Required, for CEO attention

Table 4 – Risk Criteria

9.3.2 Risk Assessment


9.3.2.1 Asset Identification

The first step towards risk assessment is to identify the organizational assets. Assets within
the organization are categorized as – People, Process, Technology & Environment. The
table below describes the type of assets along with examples.

Asset Category Examples

People Employees, senior managers in key knowledge management roles, software


architects/developers/testers, system/application owners, security
administrators, operators, legal and regulatory compliance people, temporary
workers, external consultants/specialist advisors, suppliers and business
partners.
Process Information Security, Data Privacy, Legal & Statutory, Business Continuity
Management, Personnel, financial, legal, customer, research and development,
strategic and commercial, email, voicemail, databases, application data, shared
drives, backup data, digital archives, encryption keys, Contracts, customer,
organisational records, minutes, certificates, insurance documents, sensitive
hardcopy documents, training records, personnel records

34
Technology Desktops, laptops, PDAs, portable storage, smart phones, servers, backup
media, mainframes, modems/routers, network appliances,
printers/scanners/copiers, digital cameras, video conferencing equipment
In-house/custom-written applications, commercial off-the-shelf (COTS),
SaaS/cloud/hosted IT services, utilities/tools, operating system software,
software licences, security software.
Environment IT processing facilities, offices, physical storage, biometric scanners, CCTV,
physical access control systems, ID/access cards, UPS, fire suppression, air
conditioning, generators, utilities, telecommunications, equipment maintenance
contracts, cleaners, data destruction services

Table 5 – Asset Category

Asset Identification covers the following activities:

 Identify all important Assets of Microland within the scope of Risk Management and
register them in Asset Registers.
 Keep all extra information on particular assets/asset types in Asset Registers to facilitate
Asset Identification; and
 Review and update Asset Registers on a regular basis as defined.

All the assets are classified according to their Criticality understood as the importance of
assets to fulfilment of the organization’s business objectives. The level of importance of the
asset to the Microland's business determines its Relevance. This is also calibrated on a
five-level scale: Very Low, Low, Medium, High, and Very High. This parameter is important
as this information is used to generate risk metrics for the asset.

In order to determine the appropriate level of protection for particular information assets, it is
necessary to assess their value in terms of their existing and potential value to the business.

From the Information Security perspective, the five factors that are the basis for Asset
Valuation are:

 Confidentiality

 Integrity

 Availability

 Legal

 Privacy

35
All Microland assets are assigned appropriate values of confidentiality, integrity, availability,
legal and privacy.

The input for Asset Valuation is provided by the asset owners, who are aware of the
importance of assets to the organization and its business.

Value 1 - Very Low 2 – Low 3 – Medium 4 – High 5 – Very High

Confidentiality No impact if the Insignificant Some impact if Significant impact Severe / the
asset is impact if the the asset is if the asset is highest impact if
compromised. asset is compromised, compromised the asset is
compromised. may result in would result in a compromised,
some level of significant would result in a
business / business/financial very high
financial loss, or loss to Microland. business/financial
may cause loss, which may
damage to the be catastrophic to
reputation of Microland
Microland.

Integrity No impact if the Insignificant Some impact if Significant impact Severe / the
accuracy of impact if the accuracy or if the unauthorized highest impact if
information is information is completeness of alteration or the integrity of the
not maintained altered or the information is deletion of the information is
or information is deleted by an breached. It may information takes impacted. It could
not up-to-date. unauthorized result in some place. It could lead to a very high
source. level of business/ result in significant business or
financial loss or business, financial financial loss or
may cause or reputation loss may cause very
damage to the to Microland. severe damage to
reputation of the brand value,
Microland. which could be
catastrophic to
Microland.

Availability No impact if the Minimal / Non-availability Significant impact Very serious


asset is insignificant of asset may to Microland. consequences
unavailable or impact on have some Impact could be in and would lead to
outage occurs. Microland. impact on relation to a severe loss to
Microland, if financial, business Microland in
prolonged for a or brand value. relation to the
long time. financial, business
or brand value.
Legal &
Regulatory Little or no Minor impact Moderate Serious failure to Sustained non-
impact to code to code of regulatory comply with legal compliance to
of ethics/conduc breaches /non- or regulatory legislation that
ethics/conduct t or accepted compliance requirements that has funding
or accepted industry resulting in may result in fines impact and/or
industry practices. comments in and/or curbing of “duty of care”
practices. relevant business/suspensi impact.
inspections/repor on/public
ts and/or admonishment
ministerial and/or
enquiries. Breach parliamentary
of code of enquiry
ethics/conduct or
accepted • Failure to comply

36
Value 1 - Very Low 2 – Low 3 – Medium 4 – High 5 – Very High
industry with legal or
practices. regulatory
requirements in
some instances
that may result in
warning
letter/admonishme
nt to senior
management
• Potential for
significant
restrictions on
business activities
Privacy
The asset does The asset The outcome Loss of PII would Loss of PII
not contain any contains parts could have cause information would
information of PII, data moderate impact considerable cause significant
related to PII. Privacy on an individual, damage to an damage to a
Privacy requirements such as the individual's number of
requirements may not be exposure of reputation or individuals’
are not applicable some sensitive finances and/ or reputation or
applicable. hence this information but emotional distress. finances and/or
asset may not further exposure Breach of these emotional
lead to non- is limited. assets are distress. Breach
Compliance, Repetitive breach unacceptable as it of these assets
these of these assets may lead to non- are unacceptable
requirements may lead to Compliance and as it will lead to
are mostly Privacy breach / possible penalty non-Compliance
supporting non Compliance of multiple
requirements requirements and
recovering from
such loss might
not be possible

Table 6 – Asset Rating Criteria

The asset value of the identified assets will be computed using the following formula:

Type of Asset Applicable Rating Final Asset Criticality


Value or Relevance
Information Asset Information Security rating C+I+A

Data Asset containing PII Privacy Rating Px3

37
Information asset that may Legal & Statutory Lx3
cause potential legal and
regulatory impact

Table 6 – Asset Value Calculation

C = Confidentiality Rating | I = Integrity Rating | A = Availability Rating

Information Security Rating (Range) Relevance Rating

12 - 15 5

09 - 11 4

06 - 08 3

04 - 05 2

03 1

Table 7 – Asset Relevance Calculation

Relevance = Highest of all the Values (Information Security rating, Privacy Rating, Legal &
Statutory)

The assets can be found in the ICRM framework master document under the Org
structure tab Column - M

9.3.2.2 Risk Identification


Risk identification is a key step in the risk management process to ensure a complete list of
risks is identified.

Identifying all risk elements provides a better understanding of the risk and assists when
considering current controls and identifying further treatment actions. It also reduces risk
duplication and minimizes confusion as to risk meaning.

Risk owners should be identified for all the risks. The risk owner should be a person or entity
with the accountability and authority to manage the risk. The risk owners should be identified
by the business units.

38
Risks are identified based and recorded in the ICRM framework Excel sheet tab
“Risk Register”. The tab mentions the type of risk, category and risk owners.
Risk owners should be identified for all the risks mentioned. The sheet should
be approved by the Risk and Compliance manager.

This risk register report is only produced at completion of the annual risk review process
unless otherwise specifically requested by the Board, Audit and Risk Committee or change
in operating environment.

Information included

 Type of Enterprise Risk


 Name
 Category
 Description
 Risk Owner
 Inherent Impact
 Inherent Probability

The inherent Impact and Probability is defined during the risk analysis phase.

9.3.2.3 Risk Analysis


Risk analysis involves:

 Identifying the likelihood of the risk occurring by identifying threats and probability

 Identifying the potential consequence or severity that would result if the risk was to
occur.

Threat & Probability & severity identification

A threat is a danger that has the potential to harm Microland’s assets and consequently the
organization itself. The Threat agent can be anyone or anything aiming at an intentional
exploitation of asset vulnerability. Threats are identified for considering various compliance
environment of the organization. All such threats are groups into various categories

The threat database can be found in the ICRM framework master document
under the threats and groupings tab.

39
The threats are applied to various compliance controls identified. Probability and severity of
each of the threats are ranked based on a scale of 1 – 5 with 5 being the highest and 1
being the lowest. Probability or likelihood estimations are established giving due
consideration to the effectiveness of existing control measures

Likelihood that
Probability (P) Rating Risk will take Description
place (in
Percentage)
Is almost certain
(P > 95%)  The event is expected to occur in most circumstances
Very High (1:1  Definite probability
Chance) /or may  Has happened in the past and nil compensating
occur every 5 (Environmental) controls have been implemented
week/or No  Unavoidable – it will happen
Controls  Without additional controls the event is expected to
occur in most circumstances

Is very likely
High (1:2 (65% < P ≤ 95%)
chance) /or may  The event will probably occur in most circumstances
occur every 4  With existing controls in place this event will probably
month /or Weak occur with some certainty
Controls

Is likely
Medium (1:10 (35% < P ≤ 65%)
chance) /or may  The event should occur in some circumstances
occur every six 3  The event has occurred in different
months /or industries/companies within the vicinity
Minimal controls

Is not very likely (5%


Low (1:100 < P ≤ 35%)
chance) / or may  The event could occur in some circumstances
occur every 9
2  A small chance of event occurring that would be caused
months / or by stressed economic, market and operating conditions
Effective / or events not previously seen
strong controls

Is unlikely
Very Low (P ≤ 5%)
(1:1000 chance)  The event could occur in some circumstances or in
exceptional circumstances
/or may occur
every one year
1  A very small chance of event occurring that would be
caused by stressed economic, market and operating
/or Effective /
conditions or events not previously seen
strong Controls

Table 8 – Probability Rating

Severity Identification
The severity (S) scores signify the level of impact on the organization if a risk takes place.
That is, if the incident occurs, the severity scores the degree to which the performance,
reliability, or quality of the asset will be impaired. Severity is scored from 1 to 5.

40
Categories of risk Severity Category
Insignificant Minor Moderate Major Catastrophic
Severity Value 1 2 3 4 5

Compliance Oversight on Minimal non- Non- Non-compliance with Non-compliance


with reporting activity compliance to compliance legislation affecting with legislation
Legislation. that is under relevant with legislation Group or Divisions affecting closure
control. No legislation, affecting other activities. Closure of of core Group or
penalty or within Group or Group or several non-core Divisions
imprisonment. Divisions. Divisions. operations. High operations or key
Breaches by an Possible possibility for business
individual staff closure of a individual/corporate activities and/or
member. course or penalty and/or large penalty
Penalty may be Research imprisonment. (individual/corpor
incurred. Centre, penalty ate) and/or
and/or imprisonment.
imprisonment.
Damage to Minimal adverse Adverse Extended Longer-term Extended
Reputation. publicity in local publicity in negative nationwide and negative national
press. Letters local/state local/state, international and international
received and press. plus national coverage. Need to wide coverage.
printed but no media increase focus on Requirement to
further action coverage. management of a implement a
Letters to the
taken. Requirement broader group of communication
Editors, with
to manage key stakeholders. plan for all
follow up
stakeholders. stakeholders.
Corporate

comments from
the readership
or interested
parties.
Disruption to No interruption Some disruption Disruption to a Several key Disruption to
Established to service. manageable by number of operational areas services causing
Routines and altered operational closed. Disruption campus closure
operations. operational areas/campus. to teaching / course or key business
routine. Closure of an schedules or key closure for more
Reduction in operational business activities than one week.
Inconvenience for up to one week.
operational area/campus
to localised
routine. for up to one
operations.
day.
General No lasting Short term, Serious, Long term Extensive
Environmenta detrimental detrimental discharge of detrimental detrimental long
l & Social effect on the effect on the pollutant or environmental or term impacts on
Impacts. environment environment or source of social impact i.e., the environment
social impact, community chronic &/or and community
annoyance significant discharge i.e., catastrophic
within general of pollutant. &/or extensive
i.e., harm, E.g. Minor neighbourhood discharge of
nuisance, noise, discharge of that requires persistent
fumes, odour or pollutants within remedial hazardous
dust emissions local action. pollutant.
of short-term neighbourhood.
duration.

41
Workplace Incident – no Injury – no lost Injury – lost Fatality or serious Multiple fatalities
Health and lost time. No time. First aid time injury/stress (not natural
Safety injury. required. compensable resulting in causes).
injury. Medical hospitalisation.
treatment
required.

Project <1% of project 1 to 5% of 5 to 10% of 10 to 25% of project >25% of project


Budget # budget project budget project budget budget budget
Program Little or no Short delay Significant Major delay Project halted
Major Project

delays delay delay major delay

Duration Duration Duration increased Duration


increased >2% increased >25% increased >50%
>10%
Relationship - Either party is Resolved at Resolved at Departmental Head Legal recourse
Managing irritated but no working level senior intervention initiated.
Contractor formal management
complaints level

Table 9 – Severity Rating

9.3.2.4 Risk Evaluation


Risk evaluation involves comparing the level of risk found with risk criteria established when
the context was considered. Based on this comparison, the need for treatment can be
considered.

The risk value is calculated based on the following formulae

Risk value = Probability x Severity x Relevance.

This value denotes the risk profile of the asset in consideration. This risk for a given asset
is calculated for each and every control applicable to the asset. The risk level of the asset is
calculated based on the various possible risk values as outlined in the risk criteria section.

9.3.3 Risk Treatment

Risk treatment involves examining possible treatment options to determine the most
appropriate action for managing a risk. Treatment actions are required where the current
controls are not managing the risk within defined tolerance levels. Treatment options could
involve improving existing controls and implementing additional controls.

42
Microland will develop and implement specific risk treatment plans including funding
considerations based on the type of the risk and the implication. Risk treatment decisions
are taken by the Risk and Compliance committee. When determining the preferred
treatment option, consideration should be given to the cost of the treatment as compared to
the likely risk reduction that will result (cost benefit analysis).

Possible risk treatment options are mentioned in the table below.

Avoid the risk Not to proceed with the activity or choosing an alternative approach to
achieve the same outcome.
Aim is risk management, not aversion.
Treat Risk Reduce the likelihood - Improving management controls and procedures.

Reduce the consequence - Putting in place strategies to minimise adverse


consequences, e.g. contingency planning, Business Continuity Plan, liability
cover in contracts.
Transfer the risk Shifting responsibility for a risk to another party by contract or insurance. Can
be transferred as a whole or shared.

Accept the risk Controls are deemed appropriate.


These must be monitored and contingency plans developed where
appropriate.

Table 10 – Risk Mitigation Option

To facilitate the implementation of the mitigation plan, a task list may be made and
responsibility will be assigned for implementing the recommended controls. The Plan will
have clear expected closure date.

9.3.1 Risk Communication

Risk management reporting is a key element of the ‘Monitor and Review’ phase of the risk
management process, and needs to occur at each step of the process. A Risk Treatment
involving prioritization, evaluation and implementation of appropriate controls shall be
prepared for each grouping of assets where residual risk is high or very high. Appropriate
stakeholders are consulted based on the table below.

R&C Department Compliance


Involvement> Board CEO Legal
Committee Head SPOCs

43
Risk level

Very High C, I C, I, R R, C, A C R R
High C, I C, I, R R, C, A C R R
Medium I C, I C, I C, I R, A R
Low / Very R
I I C, I C, I R, A
Low

Table 10 – Risk Communication Matrix

R- Responsible

A - Approval

C - Consulted

I – Informed

9.3.2 Risk Monitoring and Review


Risk information requires regular monitoring and review to ensure compliance. The
environment in which Microland operates is constantly changing which impacts the risk
posture. Therefore Risk Owners have key risk and control review and update
responsibilities to ensure continued accuracy of information pertaining to their particular
risks. Implementation of the controls are monitored from time to time by the compliance
analyst and reported at appropriate levels within the organization.

In addition, the risk management framework itself will be reviewed annually, with results
being reported to the Risk & Compliance Committee. As risk management developments
are constantly occurring, this review mechanism will provide us with information on current
risk management developments, facilitating us making continuous risk management
improvements

10 Appendix C – Glossary
ICRM Integrated Risk & Compliance management framework

GRC GRC stands for Governance Risk and Compliance.

Governance Governance consists of the set of Policies, processes, custom laws


affecting the way an organization is managed. This includes the
relationships among the various stakeholders and the corporate

44
objectives and goals.

The principal stakeholders include the shareholders, management, and


the board of directors. Other stakeholders include employees, suppliers,
customers, banks and other lenders, regulators, the environment and
the community at large.
Risk Assessment A systematic approach to identify risks to an organization from various
external factors and proactively mitigating the same.
Compliance Compliance describes the goal that organizations aspire to achieve in
their efforts to ensure that they are aware of and take steps to comply
with relevant laws and regulations and internal policies or any other
requirements such as contracts.
ISO International Standards Organization

HIPAA Health Insurance Portability and Accountability Act of 1996

HITECH Health Information Technology for Economic and Clinical Health Act,

PCI DSS Payment Card Industry Data Security Standard – A standard governing
payment card industry

PIPEDA Personal Information Protection and Electronic Documents Act is a


Canadian law pertaining to Data Privacy

45