by Sneha Jha

Hero MotoCorp Banks Upon GRC Tool

How-To | May 15, 2011
Business | Car Tech | Compliance

When Vijay Sethi, VP-I.S. & CIO, Hero MotoCorp, decided to implement a G.R.C tool in 2009, implementations worldwide were scarce, so if he failed there was no back-up plan. But if it was going to make his company more secure, it was a risk he needed to take.

Highlights:

While most GRC implementations around the world take between four and eight months (in India some have taken over 12 months), Hero MotoCorp executed its GRC project in less than 12 weeks.

Reader ROI:

How self-efficacy can help you view difficult tasks as something to be mastered rather than avoided. How GRC can help you combat process inefficiencies.

Every year, Vijay Sethi, VP-IS and CIO, Hero MotoCorp, takes time out to review the IT security strategy of the world’s largest two-wheeler manufacturer. In 2009, he saw the need for a significant course correction: grappling with ever-increasing business complexity, Hero MotoCorp was struggling to carry out its governance activities, including enterprise risk management and compliance with all of its IT policies and procedures.

He was sure that automation would help solve these problems. “The idea was to automate some processes to minimize the impact of risks, including processes like the on-boarding and off-boarding of employees, and the risk analysis required before assigning roles in our ERP system. We also wanted to create dashboards and reports around the company’s governance activities,” says Sethi. His answer was a GRC (governance, risk and compliance) software implementation.

The problem was that in 2009, GRC was a concept with very few implementations worldwide, and even fewer in the APAC region. Analysts, consultants, industry peers, and even the early adopters Sethi spoke with dissuaded him. “They said that GRC was a novel concept, and that GRC products were not mature enough. They also warned that it was a tough and time-consuming implementation that could take between 12 and 18 months to execute. Everyone agreed that the project should be deferred by a year or two,” says Sethi.

Sethi heard them all out but kept his own counsel.

The Road Less Traveled

Despite the prevailing skepticism, Sethi remained optimistic. He knew that GRC was a tool whose time had come at Hero MotoCorp; it was what the company needed, and he wasn’t willing to wait. “In my mind, it was very clear that GRC was a tool that would be useful in the long run, so why dilly dally? If it made business sense, why wait and watch?” he asks.

The fact that practically everyone he spoke to shot down the idea didn’t bother Sethi too much. “One man with courage of conviction is a majority,” he says. “And my gut instinct told me that I could see the implementation through.”

That confidence—and a track record of over 20 years of steering difficult projects—ensured that his management agreed to back the risky undertaking. It also helps that Sethi has a trait called self-efficacy. Self-efficacy is a term used in psychology; it roughly corresponds to a person’s belief in their own competence and their ability to accomplish a task or deal with the challenges of life. In his seminal 1977 paper, Self-Efficacy: Toward a Unifying Theory of Behavioral Change, psychologist Albert Bandura argues that people with high self-efficacy are more likely to view difficult tasks as something to be mastered rather than avoided.

Sethi quickly got on with the job of scouting for a GRC package that best suited his organization’s needs. He says he evaluated GRC solutions from top-of-the-heap organizations all the way down to niche players. That process led him to a small US firm, one that he had bumped into many years earlier. The company, says Sethi, had stuck in his head because it was one of the first in the world to create a GRC package, one so useful that SAP bought the company out. Later, its founders started a new company, which had an office in India—but not a single customer outside the US.

Placing his bets on a fledgling company increased his risk exposure dramatically, but Sethi says he thought it was worth taking the gamble. “I saw their demos and a proof-of-concept and felt that their solution would be a good fit in our scheme of things. Also, the credentials of the team behind the product were good. That gave me the courage to choose them over other seasoned players. I knew they could pull it off,” he says. 

The risks Sethi took are not to be sneezed at. His decision would make Hero MotoCorp one of the first companies in India, if not the only one at that time, to implement a GRC product. That meant that if things went awry, he wouldn’t have reference implementations to help see him through to the other end of the tunnel. Worse, Sethi was backing a relatively unknown vendor. It’s not hard to imagine Sethi worrying about his vendor’s ability to provide unflinching support.

De-risking Security

Not one to be reckless, Sethi created a risk mitigation strategy. He put together a governance committee that reviewed the project on a weekly basis. Sethi made the project a priority and ensured that it remained on track. He also ensured that it was a priority for all the parties involved, including the nine-member vendor team and his three-man in-house team. He recalls them staying back late, working overnight, working on weekends, and going out of their way to meet the requirements of the project.

“Work on the project went on 24 hours a day, with the US team taking over when the Indian team left and that helped us reduce timelines. Like any other product implementation, we had our set of technical challenges but both teams worked really hard to resolve these issues at the earliest. And they proactively circumvented almost all the problems that cropped up,” says Sethi.

Since all of Hero MotoCorp’s financial transactions are captured in SAP, Sethi’s first objective was to improve the process of identifying and managing the risks in the authorizations assigned to SAP users. Before the implementation, authorizations were assigned manually, based on experience or on reports from periodic audits. Sethi and his team built capabilities to ensure that the entire process was done systematically.

“As part of this implementation, we redesigned roles to further reduce the risks related to the segregation of duties. We also integrated the software with our Lotus Notes System and our Active Directory—both these integrations were aimed at helping improve compliance especially at the time when a user enters or leaves a system,” he says.
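The authorization-risk analysis described above, in code, as an added example: it is not code from the article, from Hero MotoCorp or from the vendor’s GRC product. It shows the three checks a GRC access-control tool runs over SAP-style assignments: role-level segregation-of-duties (SoD) conflicts, which is what the role redesign addresses; user-level conflicts across a user’s combined roles, including the simulation run before a new role is assigned; and a leaver check that compares SAP users against directory status, the kind of check the Active Directory integration enables. The risk rules, roles, users and directory data are constructed for illustration; the transaction codes are standard SAP ones chosen only to make the rules concrete.

```python
"""Segregation-of-duties (SoD) checks over SAP-style role assignments.

Added illustration, not code from the article, Hero MotoCorp or the vendor's
GRC product. Rules, roles, users and directory data are constructed; the
transaction codes are standard SAP ones used only to make the rules concrete.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    side_a: frozenset  # transaction codes that make up one duty
    side_b: frozenset  # transaction codes that make up the conflicting duty


# Constructed risk rules (purchase-to-pay conflicts).
RULES = [
    SodRule("P2P-01", "Maintain vendor master and pay vendor",
            frozenset({"FK01", "FK02", "XK01", "XK02"}), frozenset({"F110", "F-53"})),
    SodRule("P2P-02", "Create purchase order and post goods receipt",
            frozenset({"ME21N"}), frozenset({"MIGO"})),
    SodRule("P2P-03", "Enter vendor invoice and run payment",
            frozenset({"FB60", "MIRO"}), frozenset({"F110", "F-53"})),
]

# Constructed role -> transaction codes the role grants.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FK03"},
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_VENDOR_MASTER": {"FK01", "FK02"},
    "Z_PURCHASER": {"ME21N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_FINANCE_ALL": {"FK01", "F110", "FB60"},  # badly cut role: both sides of two rules
}

# Constructed user -> roles, and the account status a leaver check would read
# from Active Directory (a plain dict stands in for that integration here).
USERS = {
    "ravi": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "meera": {"Z_PURCHASER"},
    "anil": {"Z_VENDOR_MASTER", "Z_AP_PAYMENTS"},
    "priya": {"Z_FINANCE_ALL"},
}
DIRECTORY = {"ravi": "enabled", "meera": "enabled", "priya": "enabled", "anil": "disabled"}


def transactions_for(roles, role_map=ROLES):
    """Union of the transaction codes granted by a set of roles."""
    tcodes = set()
    for role in roles:
        tcodes |= role_map.get(role, set())
    return tcodes


def conflicts_in(tcodes, rules=RULES):
    """Rule ids violated by one set of transaction codes (both sides present)."""
    return [r.rule_id for r in rules if (tcodes & r.side_a) and (tcodes & r.side_b)]


def role_conflicts(role_map=ROLES, rules=RULES):
    """Intra-role conflicts: roles that grant both sides of a rule on their own.

    These cannot be fixed by assignment policy; the role itself must be redesigned.
    """
    result = {}
    for role, tcodes in role_map.items():
        hits = conflicts_in(set(tcodes), rules)
        if hits:
            result[role] = hits
    return result


def user_conflicts(user_roles, role_map=ROLES, rules=RULES):
    """User-level conflicts arising from the combination of a user's roles."""
    result = {}
    for user, roles in user_roles.items():
        hits = conflicts_in(transactions_for(roles, role_map), rules)
        if hits:
            result[user] = hits
    return result


def simulate_assignment(current_roles, new_role, role_map=ROLES, rules=RULES):
    """Pre-assignment check: rules a proposed new role would newly violate."""
    before = set(conflicts_in(transactions_for(current_roles, role_map), rules))
    after = set(conflicts_in(transactions_for(set(current_roles) | {new_role}, role_map), rules))
    return sorted(after - before)


def orphaned_sap_users(user_roles, directory_status):
    """Leaver check: users who still hold SAP roles but are not enabled in the directory."""
    return sorted(u for u, roles in user_roles.items()
                  if roles and directory_status.get(u) != "enabled")


if __name__ == "__main__":
    print("roles needing redesign:", role_conflicts())
    print("user-level conflicts:", user_conflicts(USERS))
    print("adding Z_WAREHOUSE to meera would introduce:",
          simulate_assignment(USERS["meera"], "Z_WAREHOUSE"))
    print("orphaned SAP users:", orphaned_sap_users(USERS, DIRECTORY))
```

The distinction between the two conflict levels matters in practice: a user-level conflict can be cleared by taking one role away or by a documented mitigating control, but a role that carries both sides of a rule by itself (Z_FINANCE_ALL here) will reintroduce the conflict for every user it is granted to, which is why role redesign comes before assignment policy. The leaver check is only as good as the directory feed; in a real deployment the status would come from the AD integration rather than a dictionary.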

In the end, the project went through smoothly. In fact, it went better than planned. While most GRC implementations around the world take between four and eight months (in India some have taken over 12 months), Hero MotoCorp executed its GRC project in less than 12 weeks—including integrating it with the e-mail system and Active Directory, a step other companies take up only in phase II of their GRC implementations.

But what if he had failed? Sethi says he wouldn’t have given up. “Not every bullet hits the target. The question is: Can you shoot again? If the project had not hit the bull’s eye, I would have stalled it for a month and then embarked on it again,” he says.