Introduction
India’s public sector undertakings sit at the foundation of the national economy. They build the highways, generate the power, anchor the banking system, underwrite critical infrastructure, and collectively deploy assets exceeding ₹50 lakh crore — a figure that places Indian PSUs among the largest concentrations of productive capital in any emerging economy.
And yet, by most credible assessments, nearly 90% of these institutions continue to manage risk through manual processes. Spreadsheets. Email threads. Periodic reports assembled by hand and submitted under time pressure. A governance infrastructure that would be recognisable to compliance officers working in the mid-2000s.
The cost of this gap is not abstract. Conservative estimates place the annual toll of operational inefficiencies, regulatory penalties, compliance failures, and strategic decisions degraded by poor risk intelligence at ₹25,000 crore across India’s public sector. That figure does not account for the systemic risks transmitted through connected sectors when a major PSU’s risk management fails — a calculus that extends far beyond any single institution’s balance sheet.
The sharpening irony: PSUs are among India’s most vocal advocates for Digital India, Industry 4.0, and technology-led transformation. Many have led the adoption of digital payments, electronic governance, and public infrastructure digitisation. Their own GRC infrastructure, in most cases, remains frozen in the spreadsheet era.
The Scale of the Governance Gap
The numbers are stark. When a PSU’s risk report takes 45 or more days to compile, it is not delivering risk intelligence — it is delivering a historical document. By the time the report reaches leadership, the risks it describes have evolved, the regulatory landscape may have shifted, and the window for proactive intervention has closed.
This is not a criticism of the professionals involved. The problem is structural. Risk data is dispersed across incompatible legacy systems, owned by different departments, and extracted manually at each reporting cycle. Each extraction introduces errors. Each hand-off between teams introduces delays. Each formatting exercise for regulatory submission introduces further points of failure.
The result is a compliance calendar driven by deadlines, not by risk intelligence. Regulatory submissions become last-minute scrambles. Audit findings repeat year after year because the underlying data infrastructure that would support systematic remediation does not exist. Digital transformation projects stall because leadership cannot get reliable risk visibility to make investment decisions with confidence.
This is the PSU GRC crisis — and it is systemic across sectors.
What’s Actually Happening Inside India’s Largest PSUs
A consistent pattern emerges when examining GRC operations across Indian public sector institutions:
Risk reports take 45 or more days to compile. In an environment where regulatory expectations are measured in days and operational risks materialise in hours, a 45-day risk reporting cycle is not a compliance tool — it is a historical archive. Leadership is making decisions about capital allocation, project risk, and regulatory exposure based on data that is already six weeks stale.
Regulatory submissions are chronically last-minute. When data lives in silos and must be extracted, reconciled, and reformatted for each submission, the compliance function cannot build buffer into the process. Every cycle is a sprint against the deadline. The sprint leaves no time for data validation, cross-checking, or error correction — which is precisely where regulatory queries originate.
Audit findings repeat year after year. This is perhaps the most damaging symptom of the governance gap. When internal audit operates without a live view of the control environment, it identifies the same structural weaknesses in successive cycles without the underlying cause being addressed. The finding is documented. The remediation plan is filed. And twelve months later, the same finding appears again because the data infrastructure required to track remediation progress in real time does not exist.
Digital transformation projects fail due to poor risk visibility. PSUs investing in large-scale technology transformation — ERP upgrades, cloud migration, digital service delivery — often find that risk visibility is the hidden constraint. Without an integrated view of operational risk, project risk, and regulatory risk, transformation programmes are approved without adequate risk assessment and managed without the early warning signals that would allow leadership to intervene before failures become costly.
The Regulatory Complexity PSUs Navigate
The GRC challenge facing Indian PSUs is compounded by a regulatory environment with few parallels in complexity. Consider a single PSU bank: it operates simultaneously under the oversight of the Reserve Bank of India, Securities and Exchange Board of India, Ministry of Corporate Affairs, and the Indian Computer Emergency Response Team — each with distinct data formats, submission requirements, validation rules, and reporting timelines.
Across these four regulators alone, a mid-sized PSU bank may manage 200 or more discrete regulatory requirements in a given year. Manual tracking of these obligations — ownership assignment, deadline management, data preparation, submission, query handling, and evidence retention — is not merely inefficient. It is an organisational liability that accumulates risk with every missed deadline and every re-submission.
The challenge intensifies at the intersection of regulators. Many compliance obligations require the same underlying data to be structured entirely differently for different submissions. Exposure data that informs an RBI return must be reformatted for an MCA filing and restructured again for a SEBI disclosure. Without an automated data layer that can transform a single source of truth into multiple regulatory-ready outputs, each reformatting cycle is a fresh opportunity for inconsistency.
| Regulator | Representative Compliance Areas | Reporting Frequency |
|---|---|---|
| RBI | Capital adequacy, credit risk, liquidity, PMLA compliance | Monthly / Quarterly |
| SEBI | Market risk, investor disclosures, trading data | Weekly / Quarterly |
| MCA | Corporate governance, financial statements, board filings | Annual / Event-based |
| CERT-In | Cybersecurity incidents, compliance posture reporting | Event-based / Periodic |
This is the regulatory environment that PSU compliance teams are navigating with spreadsheets.
When PSU Risk Management Fails, India Feels It
The consequences of inadequate GRC infrastructure inside PSUs do not stay inside PSUs. India’s public sector drives approximately 40% of national infrastructure spending. When risk management within these institutions fails, the failure propagates through connected sectors in ways that are difficult to contain and expensive to remediate.
Railway project delays attributed to poor risk monitoring cascade into supply chain disruptions that affect manufacturing output across multiple states. Power sector financing decisions made without adequate credit risk intelligence contribute to stressed assets that constrain the banking system’s lending capacity. Banking system stress in public sector banks — often rooted in credit risk management gaps that persisted across multiple annual audit cycles — carries consequences for credit availability across the economy.
These are not hypothetical scenarios. They are patterns visible in India’s recent economic history. The connecting thread in many of them is a risk management infrastructure that was not equipped to provide the early warning signals that would have allowed intervention before stress became crisis.
The argument for upgrading PSU GRC infrastructure is therefore not only an institutional efficiency argument. It is a national economic resilience argument.
The Case for AI-Powered GRC in the Public Sector
The solution to the PSU GRC crisis is not more compliance officers. Scaling manual processes with additional headcount addresses symptoms rather than the structural cause. The answer is an automated GRC infrastructure designed specifically for the regulatory complexity, data environment, and scale of the Indian public sector.
AI-native GRC platforms offer capabilities that manual processes cannot replicate at the required speed or coverage:
Continuous Risk Monitoring
Rather than compiling risk assessments on a 30–45 day cycle, AI-powered platforms monitor risk indicators continuously across operational, financial, and compliance dimensions. Threshold breaches, anomaly patterns, and emerging risk clusters surface in real time — giving leadership the intelligence to act while intervention is still effective.
Automated Multi-Regulator Compliance
Pre-built connectors and regulatory data maps allow a single extraction from source systems to generate submission-ready outputs for RBI, SEBI, MCA, and CERT-In simultaneously. What previously required parallel manual workstreams for each regulator becomes a single automated process with built-in validation against each regulator’s rules before submission.
Integrated Audit Trail
Every data point — from source extraction through transformation to submission — is recorded in an immutable, timestamped audit trail. When a regulator raises a query, the institution can reconstruct the complete evidence chain without assembling documents from multiple systems and teams. The audit trail exists as a byproduct of the process, not as a separate documentation exercise.
Remediation Tracking and Closure
AI-driven GRC platforms track audit findings through to verified closure, with evidence attached at each remediation milestone. The structural problem of repeat findings is addressed at its root: leadership can see, in real time, whether remediation is progressing or stalling, and intervene before the same finding appears in the next audit cycle.
What Progressive PSUs Are Already Doing
A cohort of forward-looking public sector institutions has already moved beyond the spreadsheet era. Their approach shares several common characteristics.
They are not implementing technology as an isolated project. They are building GRC infrastructure as a strategic capability — one designed to serve not just today’s regulatory requirements but the next generation of oversight frameworks that regulators are already signalling.
They are starting with their highest-risk, highest-frequency compliance obligations — the RBI returns, the SEBI disclosures, the MCA filings that consume the most compliance capacity — and automating the data pipeline beneath those processes first. Early wins reduce operational friction and build institutional confidence in automated GRC before extending the infrastructure to more complex requirements.
They are treating GRC data as strategic intelligence, not administrative overhead. When risk data is accurate, current, and integrated across operational, financial, and regulatory dimensions, it informs capital allocation decisions, transformation programme design, and board-level risk appetite conversations in ways that historical reports cannot.
And critically, they are building the regulatory relationship advantage that comes from consistent, accurate, timely submissions. Institutions that demonstrate data quality and compliance reliability to regulators over successive cycles develop credibility that materially reduces the cost and disruption of regulatory examinations.
The Path Forward: Intelligent GRC for India’s Public Sector
India’s regulatory environment is not becoming simpler. RBI’s supervisory risk-based examination model increasingly expects proactive risk identification and continuous control effectiveness. SEBI is expanding the scope and precision of market risk monitoring requirements. CERT-In’s cybersecurity compliance framework is deepening. MCA’s digital filing evolution — as examined in our recent article on updated filing requirements — continues to raise the bar for data accuracy and audit trail standards.
PSUs that continue to manage this expanding regulatory complexity with manual infrastructure will face a compounding cost: not just the annual ₹25,000 crore toll of inefficiency, but the accelerating cost of a compliance function perpetually in catch-up mode.
The institutions that build intelligent GRC infrastructure now will enter the next phase of India’s regulatory evolution with a structural advantage:
- Faster regulatory response — automated data pipelines compress submission timelines from weeks to days
- Higher data accuracy — validation at source eliminates the human error that generates regulator queries
- Real-time risk visibility — leadership makes decisions based on current intelligence, not historical snapshots
- Compliance bandwidth — freed from manual data assembly, compliance professionals contribute strategic analysis rather than administrative output
- Institutional credibility — a track record of consistent, accurate submissions builds the regulatory relationship that reduces examination friction
Conclusion
Digital India deserves digitally intelligent risk management. The gap between what India’s public sector institutions contribute to the national economy and the governance infrastructure they use to manage that contribution is not a minor operational inefficiency. It is a systemic risk that has real consequences for sectors, for growth, and for India’s ability to sustain the infrastructure investment trajectory that its economic ambitions require.
The technology to close this gap exists. AI-native GRC platforms designed for India’s multi-regulator environment can replace the spreadsheet-era infrastructure that currently governs ₹50 lakh crore in public sector assets. The question is one of institutional will and strategic priority — not technological availability.
For PSU leadership, the choice is increasingly clear: build the GRC infrastructure that India’s public sector scale demands, or manage the consequences of not having it. The cost of transformation is fixed. The cost of inaction compounds with every regulatory cycle, every repeat audit finding, and every strategic decision made without adequate risk intelligence.
India’s public sector has driven transformations in digital payments, healthcare delivery, and infrastructure development. The transformation of GRC intelligence is not only achievable — it is overdue.
AugIx AIGovern is purpose-built for this challenge: an AI-native GRC platform designed for the regulatory complexity, data environments, and institutional scale of India’s public sector and large enterprises.