IIA Delhi Branch

Governance in Start-up world – Are you also planning for an IPO?

October 17, 2025

If yes, then Overhaul Governance, Risk & Compliance (GRC) standards to avoid value erosion, low investor confidence & unexpected shocks or surprises

I read a book by Marshall Goldsmith “What Got You Here, Won’t Get You There”, and the title is apt for those who are ambitious and want to take their companies/business to the next level – before or after listing.

Of late, the Indian financial market has seen an unprecedented surge in IPOs by new-age companies, exposing many Indian promoter-driven companies to the new world. To make an IPO successful, many consultants work round the clock with the company’s management. But the majority of consultants part ways with the management after the company’s listing, leaving them in a very vulnerable zone.

Since I support many start-up companies pre & post listing, in my experience, the real work starts after a successful IPO for remaining/existing stakeholders, because maintaining success is the key after a successful IPO. Ideally, the GRC function should be set up well before listing, but only a few companies proactively invest adequate resources in managing risks well before listing. A bitter fact is that the majority of the businesses in India consider it merely a compliance function and do only paperwork to satisfy auditors, regulators, stakeholders, etc. until the time a shock comes their way, which makes them realize the importance of the GRC/Internal Audit function.

 

In this article, I would like to spread awareness about common pitfalls and mandatory requirements that mature start-ups / newly listed companies must understand for building a strong GRC function “prior to listing”. But before going into details, it is important to understand: why should one overhaul the GRC framework? Why should management invest in it?

I am sure that if Promoters, Co-Founders, CXOs and IA Heads follow this advice, they can focus more on the growth & operations of the business without getting surprises or losses, and can sleep much better at night without worrying about weak financial controls.

With the company going public, it becomes pertinent to implement robust processes & act more prudently, as you are handling public money and as they say “with great power comes great responsibility”.

My intention is not to exaggerate the potential adverse impact, but to make you aware of some scenarios listed in the table below. In all leading companies, GRC is one of the most valued functions among investors and founders, because it provides controls assurance and business consulting at the same time.

I have listed below some of the best practices from leading companies, the differences between listed and non-listed companies, and the potential impact:

Parameter / common pitfall: Existence of Standard Operating Procedures (SOPs)
Listed company – mandatory requirement: Company must have documented SOPs for all key functions which are relevant to existing business operations
Non-listed company: Companies of a certain size (less than INR 200 Cr.) follow practices and have some verbal/written policies/guidelines which are outdated or of which employees are not informed/aware
Potential impact of non-adherence by listed company (illustrative):
–   Lack of standardization leading to inefficiencies/higher cost
–   Operational/financial disruption in case of attrition or venturing into new territory
–   Surprises/shocks due to absence of benchmarks
–   Qualification in Internal Financial Controls requirement as per Section 134(5)(e) of the Companies Act 2013

Parameter / common pitfall: Statutory compliance framework
Listed company – mandatory requirement: Automated/manual compliance management for escalating/monitoring critical compliances in a defined manner
Non-listed company: Manual tracking with no formal responsibility, leading to missed deadlines/difficulty in retrieving information at a later stage
Potential impact of non-adherence by listed company (illustrative):
–   Cancellation of license to do business
–   Imprisonment of directors/KMPs
–   Financial penalties/loss
–   Reputation loss
–   Barred from trading in the stock market
–   Legal issues leading to adverse impact on management bandwidth/financials
–   Changes in management structure due to increased pressure from investors on failing compliances

Parameter / common pitfall: Internal Audit (IA)
Listed company – mandatory requirement: Formal process where the scope of IA is commensurate with the size of the company
Non-listed company: Random process covering 3-4 areas once a year
Potential impact of non-adherence by listed company (illustrative):
–   Revenue leakages
–   Excess cost due to inefficiencies
–   Frauds may go undetected
–   Surprises/shocks due to inadequate assurance on controls (operational & financial)
–   Non-compliance with Section 138 of the Companies Act 2013 and CARO requirements

Parameter / common pitfall: Audit Committee update
Listed company – mandatory requirement: Requirement to have a quarterly update meeting with the board
Non-listed company: No requirement to have quarterly meetings
Potential impact of non-adherence by listed company (illustrative):
–   Non-compliance with Section 177 of the Companies Act 2013
–   Absence of management/investor assurance may lead to adverse impact on valuations/reputation

Parameter / common pitfall: Internal Financial Controls
Listed company – mandatory requirement: Need to design & test financial controls as well as operating controls
Non-listed company: Need to design & test only financial controls
Potential impact of non-adherence by listed company (illustrative):
–   Non-compliance with Section 134 of the Companies Act 2013
–   Absence of management/investor assurance may lead to adverse impact on valuations/reputation

Parameter / common pitfall: IT Controls
Listed company – mandatory requirement:
–   Design & test IT controls, including controls of in-house developed applications
–   Conduct cyber security assessment
–   Information Technology General Controls testing
Non-listed company: Need to design & test only financial applications
Potential impact of non-adherence by listed company (illustrative):
–   Unreliable data for timely decision making
–   Difficulty in scaling operations
–   Financial/operational disruption in case of cyber attack
–   Reputation loss
–   Non-compliance with Section 134 of the Companies Act read with SA 315

 

With almost 2 decades of experience, I strongly recommend revamping governance standards before or immediately after listing by investing adequate & capable resources.

Disclaimer:

I have tried to capture some of the adverse impacts of non-compliances or weak internal controls. However, it is difficult to provide insight without looking into the specifics of each organization/sector. Views expressed are personal in nature and do not represent those of the publishing organization.

About the author:

Aashish Gupta comes with over 22 years of strong technical experience in Business Advisory Services, Corporate Governance, Business Process Transformation and Risk Consulting. He has been contributing to nation building by supporting and advising Invest India (the operating arm of the Make in India initiative of the Indian Government) in various projects for the last ~5 years. He is leading Risk services (Forensics, Process risk advisory, IT risk) for a cluster of sectors including FMCG, Retail, Pharma, Health-care (Hospitals/Diagnostics chains), Education, Consumer electronics, and Hospitality including F&B. He specializes in Enterprise Risk Management, Sarbanes Oxley, Internal Audit, Operating Process Transformation, SOP development and Internal Financial Controls. He also actively speaks at business forums, ICAI webinars and seminars on risk management.