CA Inter FM + SM — Question Paper — May 2022

Enterprise Information System (EIS) is an integrated information system that consolidates, processes, and manages business data across all departments and functional areas of an organization into a unified platform. An EIS provides real-time access to integrated information, enabling informed decision-making at all hierarchical levels. It typically encompasses modules for finance, sales, inventory, human resources, and manufacturing, creating a single source of truth for organizational data and facilitating seamless information flow across boundaries.

Categories of Business Processes are classified into the following:

1. Primary/Core Processes: These are the main value-creation processes that directly contribute to organizational objectives and revenue generation. Examples include sales order processing, production/manufacturing, service delivery, and customer relationship management. These processes are directly visible to customers and impact business performance.

2. Secondary/Support Processes: These are enabling processes that support primary processes and organizational operations. Examples include human resource management, financial accounting, information technology support, procurement, and administrative functions. While not directly contributing to revenue, they are essential for the smooth functioning of primary processes.

Alternatively, business processes may also be categorized as Operational Processes (execution of core activities), Management Processes (planning, monitoring, and control activities), and Support Processes (provision of infrastructure and resources). The primary-secondary classification is most commonly used in EIS context as it clearly delineates between customer-facing value creation and internal support functions.

Note: Operating Systems is not part of the CA Intermediate curriculum under ICAI. However, providing a general technical answer: An operating system (OS) is a system software that acts as an intermediary between the user and the computer hardware. It manages all hardware resources and provides services and an environment for application programs to execute. Four key activities performed by an operating system are: (1) Process Management — Creating, scheduling, and managing processes/tasks, allocating CPU time to different processes, and handling process synchronization and inter-process communication. (2) Memory Management — Allocating and deallocating memory space to processes, maintaining virtual memory systems, implementing paging/segmentation, and preventing unauthorized memory access. (3) File System Management — Organizing, storing, retrieving, and protecting files on secondary storage devices through directory structures, managing file access permissions, and ensuring data integrity. (4) Device and I/O Management — Managing peripheral devices (printers, disks, terminals), handling input/output operations, managing device buffers, and coordinating device interrupts.

Risks and Controls in Loans and Advances Process in Banking Systems

The Loans and Advances process is the core revenue-generating activity of banks. However, it is fraught with inherent risks that, if uncontrolled, can lead to significant financial losses and even systemic failure. The major risks and their associated controls are as follows:

1. Credit Risk (Default Risk)
Credit risk is the risk that a borrower will fail to repay the principal or interest as per the agreed terms, leading to Non-Performing Assets (NPAs).

*Controls:* Banks must conduct thorough credit appraisal before sanctioning loans, including evaluation of the borrower's creditworthiness, repayment capacity, financial statements, and collateral. Credit scoring models and credit rating of borrowers are employed. Exposure limits (per borrower, per sector) are set to avoid concentration risk. Regular post-disbursement monitoring and loan review mechanisms are implemented. The Reserve Bank of India (RBI) mandates Income Recognition, Asset Classification and Provisioning (IRACP) norms to classify and provide for stressed assets.

2. Interest Rate Risk
This is the risk that changes in market interest rates will adversely affect the bank's net interest income or the value of its loan portfolio — especially when assets and liabilities have mismatched maturities.

*Controls:* Banks use Asset-Liability Management (ALM) frameworks to match the duration of loans with funding sources. Interest rate sensitivity analysis and gap analysis are performed periodically. Fixed vs. floating rate loan portfolios are balanced as per RBI guidelines.

3. Liquidity Risk
Liquidity risk arises when banks lend long-term but fund through short-term deposits, creating a maturity mismatch that can cause a liquidity crunch.

*Controls:* Maintenance of Statutory Liquidity Ratio (SLR) and Cash Reserve Ratio (CRR) as prescribed by RBI. Banks maintain a Liquidity Coverage Ratio (LCR) and Net Stable Funding Ratio (NSFR) as per Basel III norms. Contingency funding plans are prepared.

4. Operational Risk
Operational risk encompasses risks arising from inadequate internal processes, systems failures, human errors, or fraud — such as incorrect documentation, disbursement without proper sanction, or manipulation of loan accounts.

*Controls:* Segregation of duties between the loan origination, sanction, disbursement, and monitoring teams. Maker-checker controls in the Core Banking System (CBS) ensure dual authorisation for all transactions. Regular internal audits and concurrent audits of the loan portfolio. Loan documentation checklists and standardised processes reduce errors.

5. Collateral / Security Risk
This is the risk that the security offered against the loan (mortgage, hypothecation, pledge) is inadequate, over-valued, or legally defective, making recovery difficult upon default.

*Controls:* Independent valuation of collateral by empanelled valuers at the time of sanction and periodically thereafter. Legal verification of title documents. Maintenance of adequate margin (difference between loan amount and collateral value). Periodic re-valuation of securities, especially for large accounts.

6. Concentration Risk
This arises when a bank's loan portfolio is heavily concentrated in a single borrower, group, industry, or geography, making the bank vulnerable to sector-specific downturns.

*Controls:* Sectoral exposure limits and single/group borrower exposure limits as per RBI guidelines. Diversification of the loan portfolio across sectors, geographies, and borrower types. Regular portfolio review reports submitted to the Board/Risk Committee.

7. Compliance and Regulatory Risk
Non-compliance with RBI guidelines on KYC, Anti-Money Laundering (AML), priority sector lending, and IRACP norms can attract regulatory penalties and reputational damage.

*Controls:* A dedicated Compliance Department ensures adherence to all regulatory requirements. KYC/AML checks are mandatory before loan sanction. Statutory auditors conduct Long Form Audit Reports (LFAR) covering compliance aspects. Regular reporting to RBI through CRILC (Central Repository of Information on Large Credits).

In summary, effective risk management in the Loans and Advances process requires a combination of robust credit appraisal, strong internal controls, ALM practices, regulatory compliance, and continuous monitoring — all governed under the bank's Board-approved Credit Risk Management Policy.

The integration of modules with the Financial and Accounting System is critical to ensure seamless flow of data and consistency across the ERP ecosystem. The important points for successful integration are:

Real-time Data Synchronization: All modules (Sales, Purchase, Inventory, Payroll, Fixed Assets, etc.) must synchronize transaction data with the Financial and Accounting System in real-time or near real-time to ensure accuracy and timeliness of financial records. This eliminates manual data entry and reduces errors.

Standardized Chart of Accounts: All modules must map their transactions consistently to a standardized and unified Chart of Accounts. Every transaction from any module must automatically post to the correct GL account, ensuring that the financial statements reflect all business activities without duplication or omission.

Data Integrity and Validation Rules: Robust validation rules must be embedded at the point of transaction entry in each module. These rules ensure that only valid, complete, and authorized transactions are allowed to flow into the Financial System, maintaining data quality and preventing corrupt data from affecting financial records.

Comprehensive Audit Trail: A complete audit trail of all transactions must be maintained, documenting the source module, originating user, timestamp, and any modifications. This is essential for compliance, fraud detection, and investigation of discrepancies during audits.

Master Data Consistency: Master data such as customer codes, vendor codes, product codes, cost centers, and GL accounts must be maintained consistently across all modules. Inconsistencies in master data lead to transaction posting failures and reconciliation issues.

Exception Handling and Error Management: Clear procedures must be defined for handling transactions that fail validation or integration checks. Exception logs must be reviewed regularly, and a formal mechanism for correction and reversal of erroneous entries must be established.

Reconciliation Framework: Regular reconciliation procedures must be built into the system to match module-level data with Financial System records. Period-end (monthly, quarterly, yearly) reconciliation ensures no transactions are lost and all balances are accurate.

Segregation of Duties and Access Controls: Access to the Financial and Accounting System must be restricted based on roles and responsibilities. Critical functions like posting, modification of GL accounts, and period closing must have appropriate authorization levels to prevent fraud and ensure compliance.

Tax and Regulatory Compliance: The integration must ensure that all tax implications (GST input-output, TDS, Income Tax provisions) are accurately captured at the transaction level and flow correctly to financial records for compliance reporting.

Period-end Closing Coordination: Integration must support coordinated period-end closing procedures, ensuring that all transactions are posted, accruals and provisions are recorded, and inter-module reconciliations are completed before financial statement generation.

Logical Access Control refers to the mechanisms and policies that restrict access to computer systems, data, applications, and programs based on the identity and authorisation of users. Unlike physical access controls that prevent unauthorised physical entry, logical access controls operate at the software and system level to ensure that only authorised individuals can access specific resources, perform certain functions, or view particular data.

Logical access controls are designed to achieve the following objectives:

1. Identification and Authentication: Every user must be uniquely identified (through user IDs) and authenticated (through passwords, PINs, biometrics, tokens, or multi-factor authentication) before gaining access to any system resource. This ensures accountability and traceability of all user actions.

2. Authorisation: Once authenticated, the system grants access rights based on the user's role, responsibilities, and need-to-know principle. This determines what resources a user can access and what operations (read, write, modify, delete) they can perform.

3. Access Control Lists (ACLs): These are matrices or tables that define the access privileges of each user or group of users to specific system resources, files, programs, and data.

4. Audit Trails and Logs: Logical access controls maintain logs of all access attempts — successful and unsuccessful — enabling monitoring, detection of suspicious activities, and forensic investigation.

5. Principle of Least Privilege: Users are granted only the minimum level of access required to perform their job functions, thereby reducing the risk of accidental or intentional misuse.

---

User Access Management Controls for Technical Exposures are specific controls implemented to manage user access and mitigate technical vulnerabilities. These include:

1. Password Controls: Passwords must meet minimum length and complexity requirements (combination of letters, numbers, and special characters). Passwords should be encrypted during storage and transmission. Systems should enforce periodic password changes and prevent reuse of old passwords. Account lockout policies should be enforced after a defined number of failed login attempts to prevent brute-force attacks.

2. User Registration and De-registration: A formal process must exist for granting and revoking access. When an employee joins, transfers, or leaves the organisation, access rights must be promptly updated or revoked to prevent unauthorised access by ex-employees or misuse of dormant accounts.

3. Review of User Access Rights: Periodic review (e.g., quarterly or half-yearly) of user access rights should be conducted to ensure that access privileges remain appropriate. Excessive or outdated privileges should be revoked promptly — this is known as access recertification.

4. Segregation of Duties (SoD): Access controls should enforce segregation of duties to prevent any single individual from performing incompatible functions. For example, the person who initiates a payment should not also be the one who authorises it. SoD reduces the risk of fraud and errors.

5. Use of System Utilities: Access to powerful system utilities (e.g., those that can bypass normal application controls, modify data directly in the database) must be strictly restricted and monitored. Such utilities should only be accessible to authorised system administrators and only for legitimate purposes.

6. Time-Based Access Controls: Access to certain systems or sensitive data may be restricted to specific time windows (e.g., business hours only). Access outside these windows triggers alerts, reducing the risk of after-hours unauthorised access.

7. Remote Access Controls: For users accessing systems remotely (e.g., through VPNs or remote desktop), additional controls such as multi-factor authentication, encrypted connections, and session timeouts must be enforced.

8. Privileged Access Management (PAM): Privileged accounts (such as system administrators or database administrators) have elevated access rights and therefore pose higher risk. These accounts must be subject to enhanced monitoring, dual authorisation, and regular review.

9. Dormant Account Management: Accounts that have been inactive for a defined period (e.g., 30 or 90 days) should be automatically disabled or flagged for review, as dormant accounts are a common target for exploitation.

10. Audit and Monitoring: All access activities — especially privileged access, failed login attempts, and access to sensitive data — must be logged and regularly reviewed by an independent security team or internal auditor to detect anomalies and policy violations.

In conclusion, logical access controls combined with robust user access management controls form the first line of defence in protecting an organisation's IT environment against technical exposures such as unauthorised data access, data theft, system manipulation, and fraud.

Interpretation of Voucher in Computerized Accounting: In a computerized accounting system, a voucher refers to an electronic transaction record that serves as the primary evidence and basis for recording transactions. It is a digital document that captures the essential details of a transaction with built-in authentication, authorization, and control mechanisms. Unlike paper vouchers, computer vouchers maintain an automatic audit trail, include timestamp records, user identification, and digital validation controls. The voucher system ensures data integrity through mandatory field validations, prevents duplicate entry through system controls, and provides complete traceability of who entered the transaction and when. It also facilitates seamless integration with other modules like inventory, payroll, and fixed assets management.

Three Types of Accounting Vouchers:

1. Receipt Voucher (Cash Receipt Voucher): This voucher is used to record all cash inflows and receipts into the organization. It captures transactions such as cash received from customers, debtors, loans taken, capital contributions, and any other sources of cash or bank deposits. The voucher documents the source of receipt, amount, date, and whether it is banked or retained as cash. In computerized systems, receipt vouchers automatically update the cash and bank account balances and create corresponding audit trails.

2. Payment Voucher (Cash Disbursement Voucher): This voucher is used to authorize and record all cash outflows and payments made by the organization. It includes payments to suppliers, employees, creditors, loan repayments, utility bills, and other operational expenses. Each payment voucher requires appropriate authorization levels and captures the payee details, purpose, amount, and mode of payment. The system maintains controls to prevent unauthorized payments and ensures cheque sequencing and reconciliation.

3. Journal Voucher: This voucher is used for non-cash transactions, accounting adjustments, accruals, depreciation provisions, inter-departmental transfers, and year-end adjustments. Unlike receipt and payment vouchers, journal vouchers do not involve actual movement of cash or bank funds. They are critical for maintaining the accuracy of accounts through entries that affect debit and credit balances without corresponding cash flow. Examples include recording accrued expenses, provision for doubtful debts, and depreciation.

The Enterprise Risk Management (ERM) framework, as conceptualised by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), consists of eight interrelated components derived from the way management runs an enterprise and integrated with the management process. Any six components are explained below:

1. Internal Environment: The internal environment encompasses the tone of an organisation and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. It forms the foundation for all other ERM components and influences how strategies and objectives are set.

2. Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has a process in place to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite. Objectives are categorised as strategic, operations, reporting, and compliance.

3. Event Identification: Management identifies potential events that, if they occur, will affect the entity. Events with negative impact represent risks, while those with positive impact represent opportunities. Opportunities are channelled back into strategy or objective-setting processes. Event identification involves identifying internal and external factors that influence how events may affect strategy implementation.

4. Risk Assessment: Risk assessment allows an entity to consider the extent to which potential events have an impact on achievement of objectives. Risks are assessed on two dimensions — likelihood (probability of occurrence) and impact (magnitude of effect). Risk assessment is performed on both an inherent basis (without considering management's response) and a residual basis (after considering risk responses).

5. Risk Response: Management selects risk responses — avoiding, accepting, reducing, or sharing risk — developing a set of actions to align risks with the entity's risk tolerances and risk appetite. Risk response options include: Risk Avoidance (exiting activities that give rise to risk), Risk Reduction (reducing likelihood or impact), Risk Sharing (transferring or sharing a portion of risk), and Risk Acceptance (no action taken).

6. Control Activities: Control activities are the policies and procedures that help ensure risk responses are effectively carried out. They occur throughout the organisation, at all levels and in all functions, and include approvals, authorisations, verifications, reconciliations, performance reviews, security of assets, and segregation of duties. They are implemented to ensure that management's risk responses are properly executed.

7. Information and Communication *(additional component for reference):* Relevant information is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

8. Monitoring *(additional component for reference):* The entire ERM process is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

In summary, these six core components — Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, and Control Activities — collectively form the backbone of the ERM framework and ensure that risks are managed in a structured, integrated manner aligned with organisational objectives.

Three-Tier Architecture in E-Commerce

Definition of Three-Tier Architecture:

Three-tier architecture is a client-server architecture in which the user interface (presentation), business logic (application processing), and data storage (database) are developed and maintained as independent modules on separate platforms. Unlike two-tier architecture where the client directly communicates with the database, three-tier architecture introduces a middle layer (application server) that acts as an intermediary between the client and the database server.

The three distinct tiers are:

Tier 1 — Presentation Tier (Client Tier): This is the topmost layer of the application. It is the user interface through which end-users interact with the application. It can be a web browser, mobile application, or desktop interface. It sends requests to the middle tier and displays results received from it. It does NOT directly communicate with the database.

Tier 2 — Application Tier (Middle Tier / Business Logic Tier): This is the heart of the architecture. It is also called the logic tier or business tier. It processes the client requests, applies business rules and logic, and communicates with the data tier to fetch or store data. It acts as a bridge between the presentation tier and the data tier. Examples include application servers such as web servers running PHP, Java EE, or .NET.

Tier 3 — Data Tier (Database Tier): This is the backend layer where the database servers reside. It stores, retrieves, and manages data. It receives requests only from the application tier and returns the processed data back to it. Examples include MySQL, Oracle, MS SQL Server.

Advantages of Three-Tier Architecture:

1. Scalability: Each tier can be scaled independently based on the load. If the application server is overloaded, additional application servers can be added without disturbing the presentation or data tiers. This makes three-tier architecture highly scalable for large e-commerce platforms.

2. Improved Security: Since the client never directly accesses the database, the data tier is protected from direct external attacks. Business logic in the middle tier acts as a security filter, validating all requests before they reach the database. This significantly reduces the risk of SQL injection and unauthorized data access.

3. Maintainability and Flexibility: Each tier is independent, so changes made to one tier do not necessarily require changes in the others. For example, the database can be upgraded or changed without affecting the user interface. This separation of concerns makes maintenance easier and less risky.

4. Reusability: The business logic in the middle tier can be reused by multiple types of clients — web browsers, mobile apps, or desktop applications — without rewriting the logic. This promotes code reuse and reduces development effort.

5. Better Performance: By distributing processing across three layers, the workload is balanced. The application server handles computationally intensive business logic, reducing the burden on both the client and the database server, thereby improving overall system performance.

6. Easier Development and Specialization: Different development teams can work simultaneously on different tiers. Frontend developers handle the presentation tier, backend developers handle the application tier, and database administrators manage the data tier. This parallel development speeds up the overall development process.

7. High Availability and Fault Tolerance: In case of failure of one tier, the impact on other tiers is minimized. Load balancers can be used at the application tier to route requests to available servers, ensuring the system remains operational even if one server goes down.

8. Centralised Business Logic: All business rules are centrally located in the application tier. Any change in business policy or rule needs to be updated only in one place, ensuring consistency across the entire application.

Conclusion: Three-tier architecture is the preferred architecture for modern e-commerce applications because it provides a clean separation of concerns, enhanced security, scalability, and flexibility, making it suitable for handling large volumes of transactions and users typical in e-commerce environments.

Characteristics of Core Banking System (CBS)

Core Banking System (CBS) is a networked banking platform where a bank's branches access applications from centralized data centres, enabling customers to perform banking transactions from any branch of the bank irrespective of where they have their account.

The key characteristics of Core Banking System are as follows:

1. Centralised Database: CBS operates on a centralised database where all customer data, account information, and transaction records are stored at a central server. All branches access this single, unified database, eliminating data redundancy and ensuring consistency of information across the bank.

2. Real-Time Processing: CBS enables real-time or online transaction processing (OLTP). Every transaction — whether a deposit, withdrawal, or fund transfer — is processed and updated instantaneously in the central database, ensuring that account balances and records reflect the most current position at all times.

3. Anytime, Anywhere Banking: Since data is centralised, customers can perform banking transactions from any branch of the bank, from ATMs, or through internet/mobile banking channels. The customer's account is linked to the bank rather than a specific branch, enabling seamless banking experience.

4. Multi-Channel Delivery: CBS supports multiple delivery channels such as branch banking, ATMs, internet banking, mobile banking, phone banking, and point-of-sale (POS) terminals. All these channels interface with the same core system, providing a unified and consistent experience to the customer.

5. Integration and Interoperability: CBS integrates various banking modules such as deposits, loans, trade finance, treasury, general ledger, and customer information systems into a single unified platform. This integration eliminates data silos and enables smooth information flow across all departments and functions.

6. Scalability and Flexibility: CBS is designed to be highly scalable, allowing banks to add new branches, products, services, and customers without significant changes to the core infrastructure. It can accommodate the growing transaction volumes and business complexity of modern banks.

7. Enhanced Security: CBS incorporates robust access controls, user authentication mechanisms, audit trails, and encryption to ensure data security and integrity. Role-based access ensures that users can access only the information and functions relevant to their job responsibilities, thereby reducing fraud risk.

8. Automation of Processes: Routine banking processes such as interest calculation, account statement generation, cheque clearing, NEFT/RTGS settlements, and regulatory reporting are automated within CBS. This reduces manual intervention, minimises errors, and improves operational efficiency.

9. Straight-Through Processing (STP): CBS facilitates straight-through processing where transactions initiated by customers are automatically processed end-to-end without manual intervention, significantly reducing processing time and operational costs.

10. MIS and Reporting: CBS generates comprehensive Management Information System (MIS) reports and regulatory reports for internal management as well as for submission to regulators like the Reserve Bank of India (RBI). Decision-makers have access to accurate, timely data for strategic and operational decisions.

11. Disaster Recovery and Business Continuity: CBS infrastructure includes robust backup systems, disaster recovery sites (DR sites), and business continuity plans to ensure that banking operations continue without disruption even in the event of technical failures or disasters.

Conclusion: The characteristics of CBS collectively enable banks to offer superior customer service, operate more efficiently, manage risks better, and comply with regulatory requirements — making CBS an indispensable backbone of modern banking operations.

Mobile websites for electronic transactions typically comprise four key functional modules:

1. User Interface and Navigation Module — This module provides the frontend layer optimized for mobile devices, featuring responsive design that adapts to various screen sizes and resolutions. It includes touch-friendly controls, intuitive navigation structures, and streamlined user workflows to facilitate easy access to transaction services. This module ensures a seamless user experience across different devices and browsers.

2. Security and Authentication Module — This critical module implements comprehensive security protocols to protect electronic transactions. It encompasses user authentication mechanisms (username/password, biometric authentication, two-factor authentication), encryption of data in transit and at rest, SSL/TLS protocols, fraud detection systems, and compliance with data protection regulations. It ensures that sensitive customer information and transaction details remain secure from unauthorized access.

3. Payment Gateway Integration Module — This module enables actual transaction processing by integrating with external payment processors and financial institutions. It manages multiple payment methods including credit/debit cards, digital wallets, net banking, and UPI. The module handles payment authorization, transaction verification, status tracking, and settlement processes while maintaining secure communication with payment service providers.

4. Data Management and Synchronization Module — This module manages data storage, retrieval, caching, and consistency across the mobile platform. It handles user data persistence, transaction history storage, offline data synchronization, and database operations. The module ensures data availability even during connectivity issues and maintains data consistency when synchronizing with backend servers.

Internet of Things (IoT) Applications

Part (i): Smart City Applications

IoT in Smart Cities leverages interconnected sensors and devices to optimize urban infrastructure and services:

• Traffic Management: IoT sensors embedded in roads and traffic signals enable real-time monitoring of vehicle flow, automatic signal optimization, and congestion detection. This reduces travel time and emissions.

• Smart Parking Systems: IoT-enabled parking spaces use sensors to detect occupancy and guide drivers to available spots through mobile applications, reducing time spent searching and fuel consumption.

• Energy Management: Smart grids use IoT devices to monitor electricity distribution, enable demand-response mechanisms, and reduce wastage. IoT-controlled street lighting adjusts brightness based on traffic and ambient light, lowering energy consumption.

• Water Management: Sensors monitor water distribution pipelines to detect leaks immediately, track consumption patterns, and optimize supply. This prevents water loss and enables better resource planning.

• Waste Management: IoT-enabled waste bins communicate fill levels to collection vehicles, optimizing collection routes and reducing operational costs. Smart recycling systems segregate waste efficiently.

• Environmental Monitoring: Air quality sensors, noise level monitors, and weather stations deployed across the city provide real-time data for pollution control and public health alerts.

• Public Safety: IoT-integrated surveillance systems with intelligent analytics enhance crime prevention, emergency response coordination, and citizen security through connected monitoring networks.

Part (ii): Healthcare Applications

IoT in healthcare enables continuous monitoring, early diagnosis, and improved patient outcomes:

• Remote Patient Monitoring: Wearable IoT devices continuously track vital signs (heart rate, blood pressure, glucose levels, oxygen saturation) and transmit data to healthcare providers, enabling early detection of abnormalities without hospital visits.

• Smart Medical Devices: Connected medical equipment such as infusion pumps, ventilators, and diagnostic machines share real-time data with hospital management systems, ensuring timely maintenance and reducing device-related errors.

• Telemedicine Platforms: IoT sensors integrated with telecommunication systems enable physicians to provide remote consultations and monitor patient conditions in real-time, improving accessibility in underserved areas.

• Patient Activity Tracking: IoT-enabled wearables monitor physical activity, sleep patterns, and movement, helping in rehabilitation management and chronic disease prevention.

• Smart Hospital Systems: Hospital beds, medication dispensers, and patient location systems use IoT to streamline operations, reduce medication errors, and improve workflow efficiency.

• Drug Adherence Monitoring: Smart pill dispensers and wearable patches track medication intake, sending alerts to patients and healthcare providers if doses are missed, improving treatment compliance.

• Emergency Response Systems: IoT-enabled ambulances with real-time patient data transmission and GPS tracking ensure faster response and appropriate pre-hospital care, potentially saving lives.

(a) Strategic Tool: Benchmarking

The strategic tool to be used by Paramount Group of Companies is Benchmarking. Benchmarking is a continuous process of measuring products, services, and practices against the toughest competitors or those companies recognized as industry leaders, in order to identify performance gaps and set improvement goals based on best-in-class practices.

The case clearly indicates this because Paramount is: (i) studying trade publications and public domain information, (ii) comparing its practices against acknowledged industry leaders, (iii) measuring its own productivity to identify gaps, and (iv) setting goals based on best practices — all of which are characteristic features of benchmarking.

(b) Common Elements Involved in Benchmarking

1. Identify the Subject of Benchmarking: The first element is to determine what is to be benchmarked — products, processes, or service levels. Paramount identifies its products, processes, and service levels across its diverse segments (Aviation, Healthcare, FMCG, Home Appliances, Electronics) as the subjects for benchmarking.

2. Identify the Best-in-Class / Benchmark Partners: The company must identify acknowledged leaders in each relevant industry or function whose practices will serve as the benchmark standard. Paramount studies industry leaders across each of its business verticals to find the best comparators.

3. Data Collection: Information is gathered through trade publications, consumer surveys, supplier interactions, and other public domain sources. This forms the evidentiary base for comparison. Paramount is already engaged in this step by studying trade publications and meeting with suppliers.

4. Determine the Performance Gap: After collecting data, the company compares its own current performance levels against those of the benchmark leaders. This comparison reveals the gaps — areas where the company is underperforming relative to best practices. Paramount measures its own productivity and identifies these gaps across its business operations.

5. Set Goals and Develop Action Plans: Based on the identified gaps, the company sets realistic improvement goals aligned with best practices and formulates action plans to achieve them. Paramount intends to set goals for improvement in products, processes, and services on a regular basis — moving away from conventional brick-and-mortar approaches.

In summary, benchmarking enables Paramount to gain sustained competitive advantage by systematically comparing its performance with industry best practices, identifying gaps, and driving continuous improvement across all its diverse business segments.

Bargaining Power of Suppliers — Impact on Industry Attractiveness and Profitability

Porter's Five Forces framework identifies bargaining power of suppliers as one of the key competitive forces that shapes the long-run profitability of an industry. When suppliers hold high bargaining power, they can demand higher prices, impose unfavourable terms, or reduce the quality of inputs — all of which squeeze the profit margins of firms in the industry, making it less attractive.

When is Supplier Power HIGH?

1. Supplier concentration: When the supply market is dominated by a few large suppliers (oligopoly), each buyer has limited alternatives. The supplier can dictate terms, raising input costs for the industry.

2. Absence of substitutes for the input: If the raw material or component supplied has no viable substitute, buyers are locked in and must accept the supplier's price and conditions.

3. Low importance of industry to the supplier: If the industry being supplied represents only a small fraction of the supplier's total sales, the supplier has little incentive to offer concessions or preferential pricing.

4. High switching costs for buyers: When changing from one supplier to another involves significant cost, time, or disruption (e.g., re-engineering products, retraining staff), buyers are reluctant to switch, strengthening the supplier's hand.

5. Threat of forward integration: If a supplier can credibly threaten to enter the buyer's industry itself (forward integration), it gains additional leverage in negotiations.

6. Differentiated inputs: When suppliers offer highly differentiated or unique products (e.g., patented components, proprietary technology), buyers cannot easily shop around, giving suppliers pricing power.

7. Buyer's inability to backward integrate: If the buying firms lack the capital, technology, or expertise to manufacture the inputs themselves, they remain dependent on existing suppliers.

Impact on Industry Attractiveness and Profitability

High supplier power directly erodes profitability — suppliers capture a larger share of the value created in the industry. Firms are forced to either absorb higher input costs (reducing margins) or pass them on to customers (risking loss of demand). In either case, Return on Capital Employed (ROCE) and overall industry attractiveness decline.

Conversely, when supplier power is LOW — multiple competing suppliers, standardised inputs, easy switching — firms can negotiate better terms, keep input costs under control, and sustain healthy margins, making the industry more attractive for investment.

Strategies to Counter Supplier Power

Firms can reduce supplier power by: (i) backward integration — acquiring or developing in-house supply capability; (ii) developing multiple suppliers to increase competition among them; (iii) standardising inputs to reduce dependence on proprietary supplies; and (iv) forming purchasing consortia with other buyers to increase collective bargaining power.

Conclusion: The bargaining power of suppliers is thus a critical determinant of industry structure. An industry with powerful suppliers faces structural cost disadvantages that persistently limit profitability, reducing its long-run attractiveness to investors and new entrants.