Enterprise Risk Management


Risk is a reality of doing business. Whether large or small, public or private, domestic or international, companies today operate in a risk-filled world. In many cases, risk is necessary for long-term operational success; however, failure to control risk effectively can often lead to just the opposite, including damaged reputation, loss of profits, disruption in productivity or, in severe cases, the end of the entity altogether.

Enterprise risk management (ERM) is the leading approach to managing and optimizing risks, enabling a company to determine how much uncertainty and risk are acceptable to an organization. With a company-wide scope, ERM covers all types of risks and cuts across business units and departments, and considers end-to-end processes. It can provide organizations with a means of leveraging risks for greater performance, building a foundation for competitive advantage and ultimately establishing themselves as market leaders.

ERM is a forward-looking, process-oriented approach that provides business intelligence to companies to help better plot the future and make more informed decisions.

The Institute of Internal Auditors (IIA) defines ERM as “a structured, consistent and continuous process across the whole organization for identifying, assessing, and deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.”

The insurance rating agency A.M. Best defines ERM as “a process by which companies systematically identify, measure, and manage the various types of risk inherent within their operations.”

Although other priorities in running a business may have trumped risk management in the past, the planning and implementation of a formal program to better identify and oversee risk is of particular importance today. Organizations must respond to the increasing economic and competitive challenges proactively, taking the proper steps to ensure they are assessing, prioritizing and managing all risks – both old and new – in a strategic and consistent way.

Aldar’s Methodology:

As a first step towards the implementation of a comprehensive Enterprise Risk Management system, and in order to identify and assess the risks and controls facing the organization, Aldar's recommended methodology starts with the introduction of CRSA (Control and Risk Self Assessment).

What is Control and Risk Self Assessment (CRSA)?

CRSA is a process through which internal control effectiveness is examined and assessed. Within this process, key business objectives are reviewed, risks involved in achieving these objectives are determined, and internal controls are designed to manage these risks.

As the name implies, CRSA allows individual line managers and staff to participate in reviewing existing controls for adequacy and recommending, agreeing and implementing improvements to these controls, thereby ensuring the maintenance of an effective set of control standards. The objective is to provide reasonable assurance that all business objectives will be met.

How can Aldar assist in meeting the Risk Management Challenges?

Aldar's methodology for providing Risk Management services is built around a software package called CARE© (Control And Risk Evaluation). The software provides a systematic, consistent and effective approach for recognizing risks, determining the effectiveness of internal controls in mitigating those risks and measuring the risk profile. It provides numerous reports that enable the board and management of an enterprise to measure the “Gaps” in the control environment, determine where improvements and enhancements to the control environment are required, prioritize such changes and follow up on their implementation.

Aldar’s approach for implementing an Enterprise Risk Management System:

  • Reviewing the enterprise’s structure to identify discrete risk units.
  • Developing an implementation schedule for the enterprise.
  • Conducting a series of workshops to train the enterprise’s staff on the identification, classification and measurement of risks and the evaluation of controls, and on the development of compliance tests for the periodical evaluation of controls.
  • Training the enterprise’s Risk Management team on the use of CARE and on conducting/facilitating workshops.
  • Developing an ERM policy and Loss Data Management framework.
  • Developing the forms and procedures of work needed for capturing and analyzing loss events and “near-misses”.
  • Providing guidance on the use of CARE to record and monitor the implementation of action plans for the improvement of the control environment.
  • Developing a standard set of periodical reports to senior management and the board.
  • Adjusting the Internal Audit Charter to utilize CARE results for the implementation of a Risk-Based audit methodology.
  • Training RM, Compliance and IA staff on the use of CARE.
  • Providing guidance on the development and monitoring of Key Risk Indicators.
  • Training Risk Management staff on conducting "scenario analysis" using the CARE Loss-Prediction module.
  • Reviewing the enterprise's needs in respect of external insurance coverage.

Advantages of Aldar's methodology and related software (CARE):

  • Leads to genuine improvements in the enterprise’s internal control environment in a relatively short period of time.
  • The adopted approach for building the units’ Risk Profiles (CRSA) requires the participation of the units’ management and staff, which in turn facilitates consensus on the prioritization of risks and the needed action plans.
  • Is fully compliant with all the relevant regulatory requirements and best practices, including Basel II ORM requirements.
  • Creates a comprehensive database of all Risks and their mitigating controls and allows for periodic testing of internal controls to ensure they remain working as intended. Should any of the controls cease to operate as intended, the system will identify the related risk(s) as a potential exposure.
  • The “Risk” database is utilized by Risk Management, Compliance and Internal Audit functions in discharging their Corporate Governance related responsibilities. This ensures that the 3 functions work in harmony, and as a result, improves the efficiency of Risk Management practices in the organization.
  • It is not only “forward looking” in the sense that it gives an “early warning indicator” in case the enterprise becomes exposed to one or more of the risks (i.e. before a loss occurs), but also allows for tracking, analyzing loss events and “near-misses”, and monitoring the implementation of the measures needed to prevent their recurrence.
  • One of the unique features offered by CARE is its ability to quantify the strength of a certain function’s control environment. This is referred to as the “Gap in the Control Environment”. The bigger the Gap, the weaker the Control Environment. CARE also differentiates between a weakness caused by lack of controls and controls that do not work as intended.