Swiss GRC, a leader in Governance, Risk, and Compliance (GRC) solutions, recently announced its partnership with Lawrbit, a global authority in Regulatory Intelligence. This alliance brings together Swiss GRC’s robust GRC Toolbox with Lawrbit’s curated regulatory content, empowering organizations to navigate the evolving landscape of compliance with confidence and precision.
Along the same lines, Tech Achieve Media spoke with Jyant Kohli, Founder and CEO of Lawrbit, and Rajeev Dutt, General Manager – APAC & Middle East at Swiss GRC, during the official signing of the Memorandum of Understanding (MoU). In this exclusive interview, they discuss the vision behind this partnership, the value it brings to businesses in managing regulatory challenges, and the innovative solutions they are creating to simplify compliance for organizations across industries.
TAM: In your view, how has the GRC landscape evolved in India over the past couple of years?
Jyant Kohli: Quite a lot has changed. As I mentioned, my journey in the GRC (Governance, Risk, and Compliance) space in India began in 2012. That was when the Companies Act of 2013 was being introduced. This legislation specifically emphasized the need for organizations of a certain size and scale to adopt regulatory compliance solutions, triggering the demand for GRC platforms in India.
Even earlier, around 2004-2005, some high-profile scams in India brought renewed focus on best governance practices. These two key events—the Companies Act and the focus on governance post-scams—highlighted the importance of GRC. It became clear that managing risks effectively required technology and integration; manual methods simply couldn’t suffice.
Back in 2012, when we started approaching clients to discuss regulatory compliance technologies or GRC, these were still novel concepts. Only a few large organizations were seriously considering technology-driven solutions. But things have changed significantly since then.
Today, organizations across the board have realized that they cannot rely on manual processes. Boards, directors, and investors now understand that manual interventions are prone to manipulation and errors. They recognize the need for authenticated, collaborative data—not something pieced together in Excel sheets—to inform decision-making.
The adoption of GRC technology is not just about allocating a budget or buying a solution; it’s fundamentally a change management process. This involves shifting mindsets and ways of working, which requires the right partners who can guide organizations through this transformation.
A classic example of such a shift in India is the adoption of UPI (Unified Payments Interface). Initially, there was significant resistance. But real change happened at the ground level—when people began using UPI for everyday payments. Similarly, real transformation in GRC doesn’t happen in board meetings; it happens on the factory floor or in offices, with junior employees who are the custodians of risk and compliance. They must embrace these changes and integrate them into their daily work.
Today, boards have not only acknowledged the necessity of GRC but are also committed to driving this change. Over the past 12-13 years, we’ve seen a massive shift in the GRC landscape in India. While earlier, only large companies considered adopting compliance technologies, now even smaller businesses and startups recognize the need for technology intervention to manage compliance and risk effectively. Yes, we are progressively moving forward, and the momentum in the GRC space is stronger than ever.
TAM: What are some of the most pressing challenges that organizations face, especially in navigating the evolving regulatory landscape and how can they overcome them?
Rajeev Dutt: Regulatory changes are a hot topic today, with new rules being introduced rapidly across various regions and geographies. Often, these regulations differ significantly from one another. For instance, while the UK Operational Resiliency framework and DORA may seem similar, understanding their finer details—how they should be implemented and managed—is essential.
These fast-paced changes make it increasingly difficult for organizations to keep up. The traditional approach of simply ticking compliance checklists is no longer sufficient. Compliance efforts are shifting toward a more integrated, risk-focused perspective. Organizations now aim to move from being reactive to proactive, with systems that can anticipate potential risks, outline consequences, and suggest mitigation strategies.
Downloading regulatory content alone doesn’t solve the problem; a deeper understanding of the regulations is necessary. For example, a regulation might initially be issued as a document, followed by a circular a few months later, and then a notice after that. Only when these updates are reviewed collectively does the full picture emerge. Without tools that can consolidate and interpret these updates to provide a broader risk assessment, managing compliance becomes a challenge.
Consider the case of a bank operating across 15 countries. The compliance head doesn’t just have to adhere to the regulations of these countries or their central banks; they must also manage a range of local regulations, including labor laws, tax codes, and others. These regulations aren’t static—they evolve constantly, with sections or articles being updated and coming into effect. Monitoring and managing these changes effectively is no small feat.
This is where technology steps in. Advanced tools are now essential for navigating regulatory changes. Companies are recognizing this need and are allocating significant budgets to regulatory technology. This shift underscores the importance of a proactive, tech-driven approach to compliance in today’s rapidly changing regulatory landscape.
TAM: With constant changes in regulatory frameworks, how can businesses stay updated and compliant in real-time?
Jyant Kohli: Let me illustrate with some numbers specific to India. We built a regulatory intelligence system for India, and our lawyers analyzed over one million pages of law. This encompasses 2,100 regulations and resulted in a compliance obligation checklist with 65,000 distinct compliances, including 89,500+ definitions.
Rajeev rightly emphasized the complexity of these regulations. Let me give a simple, everyday example to make this clearer. When regulators draft legal content, they often define specific terms. However, the same term can have different definitions depending on the law or regulator. For instance, the word “employee” is defined differently in the Income Tax Act, the Shop and Establishment Act, the Provident Fund (PF) Act, the POSH Act, and the Labour Welfare Act. All these definitions exist within the same country, yet they vary significantly.
Now imagine trying to manage 89,500 definitions across different laws. A legal expert or compliance officer must understand all of them, determine their relevance, and apply them correctly to specific scenarios. The challenge becomes even greater when you consider that these regulations are constantly evolving.
On average, there are 15 to 20 notifications from various regulators in India every day. Each one introduces changes or updates that must be carefully tracked and understood. The sheer volume and pace of these changes make regulatory compliance incredibly complex.
In the pre-industrial era or even the 1980s and 1990s, the pace of regulatory change was much slower. Today, it’s a different story. If a regulation is introduced in the EU, you can be sure that regions like Asia-Pacific (APAC), China, and the US are monitoring it closely and often drafting similar regulations in response. For example, when GDPR was introduced in Europe, over 100 countries either enacted their own data protection laws, drafted them, or are in the process of doing so.
The globalization of regulatory frameworks now happens in a matter of years, not decades. This rapid evolution has made it nearly impossible for any organization to manage compliance manually. Anyone claiming they can handle it without technological intervention is either exaggerating or attempting the impossible.
Effective compliance management today requires technology. But it’s not enough to rely on just any technology—it must be thoughtfully crafted by experts, including skilled lawyers who understand the nuances of the regulations. Without this careful craftsmanship, technology cannot be fully trusted.
Think of it like Google Maps. Behind the scenes, thousands of hours and countless people have gone into meticulously mapping every street, lane, and turn. That’s why we can confidently rely on it to guide us accurately. Similarly, organizations need regulatory intelligence systems built with the same precision and expertise to navigate the complexities of compliance successfully.
This is what organizations must understand: without the right tools and expertise, managing today’s compliance landscape is unmanageable.
TAM: What are some of the key success factors that organizations need to factor in while considering GRC solutions?
Rajeev Dutt: The first thing I’d recommend is this: don’t try to boil the ocean. Focus on understanding your company’s primary objective and identifying the key pain points that need immediate attention.
Start by addressing those pain areas. Roll out and implement the relevant modules first, ensuring they directly target the identified challenges. Once these are in place and yielding results, showcase the returns to your management. This helps build confidence in the GRC (Governance, Risk, and Compliance) solution and its value to the organization.
After demonstrating success in the initial areas, you can gradually add and implement other modules as needed. This phased approach ensures clarity and measurable progress, avoiding the pitfalls of attempting a “big bang” rollout.
A big bang approach often requires significant time and resources and is prone to risks. For example, if key team members driving the project leave the organization midway, it can disrupt timelines and force a restart, leading to frustration and delays.
To avoid such setbacks, it’s crucial to have a clear objective and a focused plan addressing your most pressing needs first. This is the guidance we offer to our clients, and it’s proven effective in driving successful implementations.
TAM: How does the partnership between Lawrbit and Swiss GRC aim to address region-specific compliance challenges, especially in highly regulated industries?
Jyant Kohli: One key point I’d like to make is that we need to move beyond the idea that only highly regulated industries require compliance interventions. Compliance is applicable to everyone. The difference lies in the resources available. For instance, banks often have large teams of lawyers to manage compliance. However, smaller organizations, such as IT companies or GCC setups, may have just one person managing compliance—but they still face the challenge of adhering to around 80 applicable laws. This highlights the need for intervention, as the volume and complexity of compliance requirements make it impossible to handle manually, regardless of team size.
To explain this further, let me offer an analogy: today, everyone seeks integrated solutions. Imagine you want to buy a house. You would prefer to hire someone to build, design, and furnish it, allowing you to move in seamlessly without additional hassle. Businesses face similar expectations. If they invest in software, they don’t want to spend years figuring out how to use it, only to discover it doesn’t meet their needs and then start over with an alternative.
In today’s competitive landscape, where time is of immense value, businesses need quick, integrated solutions. That’s where Lawrbit brings value. Our team of legal experts has meticulously reviewed millions of pages of laws across 70 countries, including regions like the Americas, Europe, Africa, the Middle East, Pakistan, Australia, and India (where we excel as the home team). This effort has resulted in a database of over 5,000 regulations, simplified into a regulatory intelligence system that’s easy to understand and act upon.
When integrated with Swiss GRC’s comprehensive GRC platform, this solution provides tremendous value for end-users. As Rajeev mentioned, compliance is no longer just a checklist. It involves understanding complex regulations and fulfilling various obligations that vary by jurisdiction and regulator.
For example:
- Some regulators require periodic approvals that expire after two years. Organizations must track and renew these on time.
- Others mandate monthly or quarterly filings.
- Certain regulators expect companies to follow specific processes and policies, with compliance touching every individual in the organization.
Without an integrated GRC platform, it’s nearly impossible to manage this complexity. Swiss GRC offers a unified solution built by legal experts, incorporating real-time change management. This platform not only simplifies compliance but also delivers significant time savings and ensures a faster return on investment.
This partnership is an excellent example of how regulatory intelligence and an integrated GRC solution can bring immense value to organizations, helping them navigate compliance efficiently and effectively.
TAM: How do you envision this partnership with Swiss GRC growing and shaping the GRC landscape in India?
Rajeev Dutt: When we came to India, we observed that the regulatory landscape here is incredibly complex. As Jayant mentioned, there are multiple layers to navigate—federal, state, shop and establishment regulations, employee-related laws, and company-specific requirements. It’s chaotic and overwhelming.
This complexity is precisely why we decided we needed a strong content provider. India, being such a challenging environment for regulatory content, required a solid partner who truly understands the nuances of the local landscape. After evaluating various options, we recognized the unparalleled quality that Lawrbit offers. We assessed other products as well, but Lawrbit stood out.
It’s not just about India, though. Lawrbit covers regulatory requirements across 70+ countries, making it an excellent fit for organizations with global operations.
Now, with an integrated solution, clients have access to everything they need in one place:
- Comprehensive content to address regulations
- Tools to manage ongoing changes
- Insights into risks, including third-party risks, information security risks, data protection, and data privacy
This unified approach brings all these elements together under a single solution, enabling clients to scale and grow with ease. For instance, a client who initially only wants to address compliance can start with the compliance module and the content. Over time, they can expand to other modules as needed.
The value lies in simplicity and convenience. Clients no longer need to juggle multiple systems or providers—they get everything in one package, supported by local expertise and offered at a competitive price. This all-in-one solution takes the burden off clients, allowing them to focus on their core business while we handle their regulatory headaches.
With our strong local presence in India and our comprehensive offerings, it’s a win-win for everyone involved. We aim to alleviate these challenges and provide seamless solutions to our clients.
TAM: The DPDP Draft rules are out, and it’s soon set to become an act. If you had to deliver one message to the organisations watching this interview, regarding the DPDP Act 2023, what would it be?
Jyant Kohli: Change in Mindset. India has a fast-paced culture where workarounds are common. However, this approach often compromises the quality and security of solutions. Let’s consider a simple example: someone from a travel agency asks for your Aadhaar card to book a ticket. Without hesitation, you send it via WhatsApp. Similarly, at a hotel, if you forget your Aadhaar card, you may WhatsApp it to the receptionist or let them take a picture with your phone.
This casual attitude toward sharing sensitive information highlights a significant challenge—our mindset around data privacy needs to change. Such actions constitute breaches of data privacy, which can occur at any level.
Compliance with traditional regulations, like the Companies Act, is relatively straightforward. These rules primarily impact specific teams, such as legal professionals, who are trained to handle them. However, the Digital Personal Data Protection (DPDP) Act is different. It affects every single transaction across every department.
The Importance of “Why”
Organizations must now ask:
- Why am I collecting this information?
- Is it necessary?
- What will I do with it?
Understanding the “why” is critical, and this mindset must permeate throughout organizations.
Today, large organizations might operate 25–30 software applications, while highly regulated banks could run as many as 300. Each of these applications stores personal data—be it from vendors, clients, employees, or others. The challenge lies in identifying what constitutes personal data, how to handle it, and pinpointing potential leakage points.
Technology Must Align with Regulation
The problem is compounded by the fact that software developers often create applications without consulting legal experts. As a result, many solutions fail to address regulatory requirements. Moving forward, developers must ask themselves:
- Should I collect this data?
- Is it legally permissible to ask for this information?
A generic disclaimer won’t suffice anymore. The DPDP Act applies not only to new technology but also to all existing systems. If your organization has 30 applications, each one must be updated to ensure compliance. This involves a significant technological overhaul, a steep learning curve, and the implementation of checkpoints at every touchpoint.
Bigger Than GST
In India, GST was considered one of the most significant regulatory changes. However, the DPDP Act is far more extensive. While GST impacted businesses filing taxes, the DPDP Act affects everyone—from sales teams in banks and insurance companies to credit card companies collecting customer data. Thousands of employees must now understand why they are collecting data and ensure compliance at every step.
Building a Compliance Ecosystem
Organizations must create a robust framework to prevent unauthorized data collection and usage. Processes will need to be overhauled, technologies upgraded, and secure systems implemented. It’s also crucial to ensure that this compliance is demonstrable. For instance:
- If a bank employee collects personal data on their phone, it can be recorded and shared on social media.
- If regulatory bodies like the RBI discover such breaches, the penalties could amount to crores of rupees.
One audit point can uncover multiple violations, making non-compliance extremely costly.
A Unified Effort
To meet DPDP Act requirements, organizations can no longer operate in silos:
- The legal team can’t stop at drafting policies.
- The tech team must go beyond implementing SMS or app-based solutions.
- Functions like HR, finance, sales, marketing, and procurement must collaborate.
Every department must work together to ensure compliance within the given timeline and establish a system to prove adherence. Non-compliance isn’t just a regulatory risk—it could be one of the most expensive mistakes an organization makes.