aRea fOCus: dubaI fIndIng a hOME-gROWN SOLUTIOn luciAno mortulA / shutterstocK In OUR LATEST REGIOnAL AnALySIS, LYNNSTRONGIN DODDS ExPLORES THE CHALLEnGES fACInG RISk PROfESSIOnALS InTHEEMIRATE Of DUBAI B efore the financial crisis of 2008, risk management was not high on the agenda in Dubai. When stock markets started to spiral downwards, however, and property prices followed suit, the vulnerabilities in the Emirates economy were exposed. Progress has been made particularly, and not surprisingly, in financial services but there is still room for improvement across the corporate spectrum. The first comprehensive review by the Dubai Financial Services Authority (DFSA) last year showed that there was a good level of corporate compliance from institutions licensed by the Dubai International Financial Centre. Governance structures and provisions also reflected the nature, scale and complexity of the businesses assessed. The report focused on 12 themes, including management structures and practices, systems and controls, internal audit, management information flows, and risk management. Overall, it found that institutions fell short of their own stated policies, with governance arrangements and responsibilities often not aligned to business plans and strategies. In addition, few firms conducted structured, periodic reviews of their governing bodies and their committees, or their effectiveness. Equally as important was the lack of personal development and ongoing training for directors and governing bodies. The specific area of risk management suffered from the same issues. TAP TO nAVIGATe PAGeS 1 2 3 4 5 6 7 8 Dubai, though, is not alone in its shortcomings. The EY Global GRC (Global Risk Transformation & Internal Audit) Survey for 2015 revealed that 84 per cent of the 1,196 participants canvassed around the world and across sectors believed risk management was critical to their organisation but they did not think their risk activities were closely linked with corporate objectives. Simply put, an organisation strategy that does not consider the risk elements only includes half the truth, and so exposes the organisation to unnecessary risks as well as discounting opportunities that can be capitalised on, says Raddad Ayoub, partner, EMEIA advisory board, Risk Transformation Centre of Excellence, EY. As for specific risks in the region, many are the same as those in developed countries. They range from the macro regional and local economic, geopolitical, security, governance and business environment to the more micro quality of financial reporting and understanding of important accounting standards. Antimoney laundering, cyber-security fraud, and regulatory and compliance risks are also on the list. new rules Regulation has been a main driver, with a host of new rules being introduced since 2008. For example, firms listed on the Abu Dhabi Exchange and the Dubai Financial Market are now required to: establish mandatory, independent and nonexecutive board directors; hold bi-monthly board meetings; and appoint audit, nomination and remuneration committees, as well as the mandatory compliance officers. A new commercial companies law came into effect in July, with the aim of improving corporate governance and the protection of shareholders, while promoting firms social responsibilities. Banks are at the forefront because of the more stringent rules of Basel III, the international regulatory framework. The general consensus is that this will force those in the region to adopt a more calculated and strategic approach to decisions and risk management. It will also prompt them to allocate capital towards opportunities that fit their actual risk and return profiles. New rules though are not the only factors. Market forces are also at work. The increasing focus on national security, fluctuating oil prices, higher government public spending and growth plans for citizen services have all contributed to a heightened sensitivity to risk in the region, says Ayoub. Risk management is now front and centre for government and public sector, as well as private enterprises, in the UAE. Ayoub believes that the constantly evolving socio-economic landscape has helped bring risk management to the direct attention of decision-makers and executives who are keen to avoid unnecessary risk and, therefore, cost. At the same time, they want to exploit opportunities within the emerging market, with the UAE a hub for the region. Traditionally, regulated sectors such as the financial services institutions, as well as critical national infrastructure and the oil industry have been a few steps ahead. Risk management, however, is becoming a key topic across all economic sectors. In the boom times, everyone was talking about risk, but there werent formal practices in the region, says Harikrishnan Janakiraman, director, consulting, at KPMG in the UAE. Regulation is driving the banks, but we are also seeing other sectors including retail, real estate and tourism focusing on risk management. This is because some may want to raise additional funding, for example, and need to demonstrate strong corporate governance to attract investors, as well as to remain competitive. Others, such as multinationals, will not procure products in the region unless suppliers can show best practices, while retailers such as H&M and Armani have their own sets of rules because they do not want their brand to be mis-used. Analysts are also seeing healthcare, telecomms and some manufacturers strengthening their frameworks, and using analytical processes and risk indicators in their business. The same is true of family-owned businesses, which continue to dominate the local economy, but which are looking at different ways to grow their companies. They are learning from the mistakes of 2008 and do not want to fall into the same trap, says Ozge Gurgur, senior managing consultant at Marsh. They are applying risk management structures to preserve capital, as well as to retain and sharpen their competitive edge. Gurgur believes that, in general, two of the biggest obstacles are management buy-in, as well as limited risk management capabilities. It is improving, but the majority of people who carry out risk management activities are from the ex-pat community. We need to see a cultural shift taking place. There is always a learning curve, but it takes time in a developing country to build risk management to the same level as you would find in a developed country. You need to be patient. Another challenge that is shared by many in the west is the need to adopt an enterprise risk management (ERM) model. Some market participants note that the positive aspect of the siloed structure is that the finance department can oversee credit, interest, market and liquidity risks, while the information technology department can handle security and privacy concerns. The negative, though, is that these risk specialists are working in isolation and develop their own risk cultures and systems. The other issue is about where risk sits within an organisation. In some, we have seen the risk management element being implemented in different functions, such as audit, strategy or finance, says Gurgur. Others may have a chief risk officer, but if you take them out of the equation the risk management committees are at sub-level, and removed from the board level. In developed countries, risk is typically a stand-alone function, with a CRO reporting directly to the CEO. Sayantan Banerjee, head of risk management practice at SAS, also believes that silos need to be broken down. The banks in the Middle East have been working on this over the past five to six years and have achieved a great level of success in addressing this. In the non-financial sectors, however, the phenomena of addressing risk management as an important, and a single, vertical have just started in the past couple of years. The senior management have started to understand the importance of having an enterprise view, but there is still a considerable amount lacking in the process of identifying, measuring, reporting and monitoring risk. Banerjee believes things are changing, however, and that on the technology front companies are increasingly looking for an end-to-end framework. They start with a consultative process and move on to the solutions that best cater to the need of the organisation, he says. For example, in a bank, that would mean being compliant with Basel III and IFRS9 regulations, and ensuring that the technology covers all the aspects of thekey material risks credit, market, liquidity, operational, and so on and measures, mitigates and reports them accurately. Tools for the job Ayoub points out that there are several tools and technologies in the risk management realm, and they are generally classified as governance risk and compliance (GRC) enabling applications. As well as automating manual operations, such as auditing and risk assessment, integrated risk and reporting management tools are becoming prevalent. These include process automation, single version of truth, enablement and enforcement of a unified control framework, and instituting controls inside the day-to-day operations to report on, or prevent, transactions that maybe suspect. Some of the leading tools and technologies in the marketplace here in the region are SAP GRC, RSA Archer, SAS, among others, he adds. Ayoub also notes that big data has caused a major shift in risk management tools, with data mining and analytics capabilities becoming increasingly important in creating lines of defence for an organisation. Another emerging topic is predictive risk analytics the enablement of tools to digest massive sets of information and predict events based on statistical hypothesis and correlation related to risk events or control failures. The visualisation layer, that sits on top of risk management enablement tools, and analytics tools, allows for a user friendly and dynamic platform for seeing into the data to obtain relevant and timely information that supports an informed decision-making process, he says. Despite the tools and technology being in place, it will take time for companies to embrace a risk management framework. Lessons have certainly been learned from the financial crisis and the recent DFSA review highlights the gaps but management needs to take greater ownership of the process. They have to help break down the barriers and build enterprise views in order to mitigate the risks, as well as leverage the opportunities. The top executives also need to draw upon a skilled talent pool and, to this end, there needs to be greater education at university level, as well as ongoing trainingfor employees across the board. This is not onlyto adopt best practices, but also to develop home-grown solutions. Its an area that IRM is looking to support as it establishes stronger links in the region. It is currently in discussion with the Dubai Electricity and Water Authority about establishing joint ways to improve risk management education and training for emirates.