In: Accounting
The Saudi Arabian Monetary Authority first embarked on overhauling its risk management systems, practices and procedures in 2015 under the direction of its governor, Ahmed Abdulkarim Alkholifey. After closely studying the approaches of nine other central banks and seeking advice from leading consultants, the Group of 20 central bank developed a new risk management framework catering to Sama’s specific needs. This included the creation of risk and control self-assessment (RCSA), key risk indicator (KRI), and incident and loss data management (LDM) procedures and policies, as well risk governance, information risk assessment, risk appetite and reputational risk policies. Sama’s framework drew on both qualitative and quantitative methodologies, including estimates related to reputational, financial, operational and compliance risk tolerances. Overall risk limits were devised to represent an amount of financial losses expressed as a percentage of Sama’s annual operating surplus – over a range, with low risks representing less than 0.25%, and extreme risks in excess of 5%. Importantly, the framework included a reputational risk policy approach seeking to maintain a robust and proactive assessment mechanism to enable managers to take prompt action to prevent an event that may result in reputational loss. The architect of Sama’s new approach – a hybrid of other approaches with a proprietary overlay – is Abdulaziz Alkhaldi, director of risk management and compliance. Alkhaldi, who previously worked at private-sector banks, tells Central Banking that, because of the unique nature of Sama’s risks, it was impossible to purchase an ‘off-the-shelf’ risk management system that met all the central bank’s requirements. As a result, his department created a customised version of SAP’s governance, risk and compliance (GRC) system. Culture club For the system to work, however, the risk department had to automate RCSAs, KRIs and LDM and feed them directly into the customised GRC system. This was no easy task. But the implementation was made possible by an ongoing and multi-pronged effort to raise risk management awareness among Sama’s employees. This was done using the philosophy that “risk management is the responsibility of all”, rather than being the sole responsibility of the risk management department, says Alkhaldi.