One of the tools that contribute to an organization’s gaining a competitive advantage is enterprise risk management. Internal audit experts are often involved in risk management to strengthen its practice. The research report “Risk Management Practices and the Role of Internal Audit” is a valuable contribution to the understanding of the phenomenon, as well as of internal audit functions within the UAE. The research investigates non-financial organizations in the UAE. The main objectives of the research are collecting data on current risk management practices and recognizing opportunities for development. Respondents to the online survey are mainly CAEs of different organizations. In addition, face-to-face interviews have contributed to building a realistic picture.
The State of Risk Management in the UAE
Risk management maturity denotes the ability of an organization to cope with the risks it faces. This section of the research investigates the obstacles managers face when managing risks and looks for ways to tackle them.
The survey has shown that 77% of organizations in the UAE have a developed program that enables them to manage risks fully or partially, and 14% of them admit that they are planning to develop such a program. Another 9% do not have a program and do not plan to have one. Among these organizations, there are very large ones. Therefore, the majority of entities in the UAE recognize the importance of the risk management process; however, many respondents claim that the programs in their respective organizations are not mature enough.
Sector-wise risk management maturity analysis discloses that formal risk management programs mostly exist in such sectors as aviation, energy, oil, gas and government institutions. Two possible reasons for such distinctions mentioned in the research report are the level of risks and the level of regulatory supervision.
Internal audit maturity is found to have an impact on the maturity of the risk management process. 62% of the companies that implement risk management programs are said to have had internal audit functions for at least six years. However, it is worth mentioning that even though the maturity of internal audit functions has a positive effect on developing risk management programs, the latter should not be considered secondary.
Another factor influencing risk maturity is an organization’s size. The survey shows that 47% of companies with mature risk management programs have revenues of over AED 1 billion. In addition, over 50% of companies employing more than 1000 workers have some kind of risk management processes.
As for the challenges for risk management, the survey has found that the top challenge appears to be managers’ wrong perception of risks. They tend to believe that they can effectively manage the risks on their own. Lack of sponsorship and executive management support is also a big problem when dealing with risk management. Another major obstacle to implementing a risk management program is management’s belief that such programs are costly and do not provide efficient results.
Overcoming major challenges such as lack of executive management support is important, and the survey shows that the challenge arises from the fact that management is often not aware of the benefits of risk management. Consequently, they need to be educated about the importance of such programs. The role of educators may be taken by CAEs or, as the post-survey interviews have shown, it may be performed by external experts.
Risk Management Framework and Governance
This part of the report provides the data gathered concerning the central motivating power behind implementing risk management programs and the way the programs are structured. In order to obtain the data, all the respondents were divided into two categories: organizations that have to some extent implemented formal risk management programs, and those that do not have such programs or respond to risks reactively. Further analysis is based on the responses of the first category, comprised of 69 companies.
Three major motivating factors can be singled out. First, to initiate a risk management program, senior management support is required. Another factor influencing the implementation of such programs is internal audit’s efforts to do so. Finally, the board’s acceptance and enforcement of risk management proves to be one of the key drivers of risk management program initiation.
As only a few sectors other than the financial one are exposed to strict regulations, the responses indicate that regulation is not the main motivating power for risk management implementation. Correspondingly, only a few participants have pointed out that the financial crisis triggered risk management implementation. Although the absence of regulatory pressure is reasonable bearing in mind the surveyed respondents, the results, in general, indicate that external influences are of minor importance in UAE organizations.
Launching a risk management process can be rather demanding. A successful risk program should have a robust basis and a clear description of the essential components such as:
- risk oversight authority;
- risk management outline, strategies & actions;
- risk appetite;
- effective communication on behalf of executive management;
- basic risk signals.
The aim of the survey is to determine whether the previously mentioned indicators have been thoroughly investigated by the respondents’ companies and documented later on. About 64% of the organizations have officially recorded risk strategies and actions. Around 50% of the organizations have a clearly defined oversight authority. One of the interview responses states that the strategic risks and the necessity of supervision need to be understood by both the executive management and all the departments of the organization.
Risk appetite statements usually serve to express which risks the company identifies as its goal to pursue; the extent to which those risks will be concentrated on; and which risks will not be paid attention to. It is evident that organizations are required to efficiently recognize and deal with the risks of priority. However, this is considered to be one of the biggest challenges in risk management.
One of the key findings of the survey is that only a small number of entities have defined risk appetite statements. This in turn showcases how difficult it is to define and update a risk appetite statement. This may be explained by the fact that there are no clear standards yet. The fact that this is a challenging area is supported by the survey results, which show that only 36% of the companies have risk appetite statements. The report maintains that an organization should define risk appetite statements to face the strategic and principal risks rather than to address every kind of risk, including operational risks.
The report authors emphasize the significance of developing a risk culture. They also claim that the risk management process is more about the way the organization perceives the business than about developing systems and processes. The authors note that it is both important and time-consuming to implement. Building the risk management culture will require systematic and planned interaction with the executive management. The survey results show that only in 52% of organizations does top management communicate about risk management. Therefore, the researchers emphasize the importance of CAEs’ support and of educating boards about the significance of such programs. Besides, to effectively run such programs it is vital to guarantee a proper risk control system, write a code of ethics, and provide employee training programs as well.
Internal audit may be a vital part of assessing risk culture and counselling management on what measures should be taken to stimulate a proper risk culture. Yet auditing risk culture is an evolving idea in internal auditing that requires substantial effort from internal audit employees to improve their skills in this sphere. The above statements are supported by the survey results, which indicate that 39% of companies define key risk indicators; 9% have all the components that have been surveyed and 54% have four out of five components. Thus, the researchers suggest that CAEs help their executive management to popularize the risk management framework within the organization.
As previously mentioned, the support of executive management means a lot to risk management programs. This survey covers the choice of a governing body for such programs. The results have shown that in 69% of the companies, a formal committee is responsible for the risk management programs (board of directors, board risk committee, or board audit committee). The more active the board’s participation, the better, and it can have a substantial positive influence on the efficiency and maturity of risk practices. The survey results also show that a management committee is responsible for monitoring risk management in 17% of the companies. The researchers view this as a valuable decision since risk management requires technical knowledge. On the other hand, they admit that generally, boards do a better job of monitoring risk programs.
In 14% of organizations the monitoring bodies are of other kinds. They consist of different management committees, various executives and heads. The researchers suggest that the leading role in such cases should be given to a person who has access to the board.
The post-survey interviews deal with the issue of the importance of boards in risk management. The responses obtained suggest that boards are the authorities that oversee and review the programs and set risk appetites to address central business risks. It is also stated in the report that in order to take these actions organizations require employees with the right skills. The CAEs’ role here is not only educating the board but also providing an impartial evaluation of the risks.
Another area investigated in the research is devoted to the standards and frameworks followed by UAE companies. The results show that around 50% of the responding organizations have followed either the COSO or the ISO standard: 25% of the organizations have applied COSO, 26% have adopted ISO standards, and 26% of organizations do not apply any definite standard. Although the traditional standards simplify a procedural and organized approach to realizing risk management procedures, nothing prevents companies from following both the COSO and ISO standards at the same time. 15% of organizations adopt both COSO and ISO standards to improve their risk management program.
Risk Management Organization
This section is devoted to analyzing how the 69% of the companies that have full-fledged risk management programs organize them.
To effectively launch a risk management program, companies need a certain level of managerial leadership to monitor the processes and to secure a sufficient level of participation of the risk oversight authority.
One of the regular problems faced by companies, especially entities of moderate and small size, is deciding which authority should be in charge of risk management procedures. To evaluate this, the research participants had to identify the driving force of risk management in their own entities.
According to the survey results, CAEs are the monitoring and overseeing power for risk management in 35% of cases, while chief risk officers hold that role in only 25% of organizations.
The researchers emphasize that someone assigned specifically to dealing with risks, such as a chief risk officer, is a better choice than a CAE, who would have to deal with both tasks. Nevertheless, they claim that the choice of leader often depends on a number of other aspects such as the organization’s size and the complexity of the problems or types of risks themselves. The survey also shows that 88% of the organizations employing chief risk officers report revenues of over AED 1 billion, representing only larger companies; perhaps companies with mature risk management procedures have a tendency to put chief risk officers in charge of risk efforts.
The researchers also claim that the person in charge of the risk management program should be proficient not only in risk management concepts but also in the present economic background, in order to rapidly respond to evolving risks; he/she has to have the wisdom to examine systemic risks and possess the leadership skills to encourage responsibility and transparency at all stages. According to the post-survey interview responses, the authority in charge of the risk management processes depends on the maturity of the given company. It often becomes the CAE’s responsibility at the initial stages, and later on the company decides how to better handle these programs.
The research indicates that in around 16% of cases CFOs are in charge of risk management programs. Yet it is essential to distinguish the three lines of defense model here and the possible conflicts of uniting the responsibility to oversee and monitor risks with the one that is mainly accountable for controlling risks. Respondents claim that the functional head of the risk management program should be a person other than a head from the first line of defense, such as the CFO, because risk programs are designed to challenge traditional business thinking. They also suggest that the person in charge should on the one hand have a degree of independence and on the other hand regularly interact with the board committee to ensure that independence.
Another important area investigated in the research is the organization of risk management in terms of the roles distributed to address the risks. It is well known that today there are a number of approaches to organizing risk management programs, and different companies distribute responsibilities among their employees in different ways. The survey is aimed at finding out how organizations cope with these tasks.
The best option would be to have a risk department, as the previous results of the survey show. Nevertheless, from the results it is also clear that a great number of companies prefer to use different resources to organize risk management processes, since there is no dedicated risk function in 57% of the organizations that carry out risk management procedures. In this case, risk processes are assisted by the internal audit function (59%), some other groups, or risk supporters from every business unit. Risk supporters (35%) are believed to be effective in small companies at early stages of development.
Survey results show that 47% of the companies have a special team working with risks, and 80% of those report revenues of over AED 1 billion. Apart from independent risk management functions, the ISO and compliance function may assist with risk management programs within the organization; however, this is mainly the choice of smaller companies with less complex risk profiles. Whether a company belongs to the public or private sector also affects the organization of risk management processes.
It is very uncommon for an organization in the UAE to hire external support. Only 4% of the companies participating in the survey report using external services, and this is done mainly to support existing teams within the organization. It is reported that the risk management function’s role is to oversee, challenge the business, advise management and educate staff about risks.
Risk Management Implementation Practices
This section of the report is devoted to the processes and activities connected with risk management. The results are based on the responses of the 69% of companies in the UAE that reported carrying out risk management procedures. The risk management process involves a number of steps taken by management (identification, assessment, mitigation and frequency of reporting). The results of the survey show that UAE companies are not very successful in implementing risk management programs. While the activities of identifying and assessing risks are performed by 80% of the companies, other critical activities are not in place. It is also reported that only 20% of the companies carry out all the activities.
As for the frequency of risk assessment, only 17% indicate that assessment is done continuously, while 25% indicate that the procedure is done quarterly, 10% report doing it every six months and 30% assess risks yearly. The need to assess risks with a different periodicity may be dictated by the analysis of the risk profile. It is maintained that risks emerge at different rates in various business spheres; therefore, the frequency of reporting is adjusted accordingly.
The report also explores the criteria used in risk assessments. Rather than choosing between the two possible approaches, most companies in the UAE use a mix of both. Thus, the results of the research show that 6% of organizations use purely quantitative methods, another 10% use purely qualitative methods and the majority (84%) use a combination of qualitative and quantitative methods, since purely quantitative methods are problematic to apply and the results of purely qualitative methods might be subjective.
Risk reporting to the oversight authority needs to be transparent and cover a range of issues. This is the subject of the next investigated area. 74% of UAE companies report risks by highlighting the top ones, while 48% also use heat maps and dashboards, 35% report on key risk events and failures, and 29% use key risk indicators. However, aggregated quantitative risk exposures are reported quite rarely.
Despite increasing attention to risk management and the skills necessary to cope with the tasks, the majority of organizations in the UAE (60%) do not use external support to address the issues and assist their own risk management team. The unwillingness to resort to external service providers might be explained by the fact that companies either form their own teams to cope with the emerging tasks or are not in a financial position to allocate resources to such needs.
The results on the integration of risk management processes are rather discouraging, since a large number of organizations have not combined risk activities with related business processes such as strategic planning (only 45% did), project and change management (39%), critical decision making (38%), and performance measurement and reward (14%). Only in three companies is risk management rooted in all these essential corporate zones, whereas in around 28% of organizations risk management activities are not included in any of these spheres.