The Saudi Arabian Monetary Authority first embarked on overhauling its risk management systems, practices and procedures in 2015 under the direction of its governor, Ahmed Abdulkarim Alkholifey. After closely studying the approaches of nine other central banks and seeking advice from leading consultants, the Group of 20 central bank developed a new risk management framework catering to Sama’s specific needs. This included the creation of risk and control self-assessment (RCSA), key risk indicator (KRI), and incident and loss data management (LDM) procedures and policies, as well as risk governance, information risk assessment, risk appetite and reputational risk policies.
Sama’s framework drew on both qualitative and quantitative methodologies, including estimates related to reputational, financial, operational and compliance risk tolerances. Overall risk limits were devised to represent an amount of financial losses expressed as a percentage of Sama’s annual operating surplus – over a range, with low risks representing less than 0.25%, and extreme risks in excess of 5%. Importantly, the framework included a reputational risk policy approach seeking to maintain a robust and proactive assessment mechanism to enable managers to take prompt action to prevent an event that may result in reputational loss.
The architect of Sama’s new approach – a hybrid of other approaches with a proprietary overlay – is Abdulaziz Alkhaldi, director of risk management and compliance. Alkhaldi, who previously worked at private-sector banks, tells Central Banking that, because of the unique nature of Sama’s risks, it was impossible to purchase an ‘off-the-shelf’ risk management system that met all the central bank’s requirements. As a result, his department created a customised version of SAP’s governance, risk and compliance (GRC) system.
For the system to work, however, the risk department had to automate RCSAs, KRIs and LDM and feed them directly into the customised GRC system.
This was no easy task. But the implementation was made possible by an ongoing and multi-pronged effort to raise risk management awareness among Sama’s employees. This was done using the philosophy that “risk management is the responsibility of all”, rather than being the sole responsibility of the risk management department, says Alkhaldi.
The risk management department held a number of workshops to help each business line conduct its own risk control self-assessments. This involved departmental managers reformulating their strategies, objectives, policies and operations in collaboration with the risk department through a review process to ensure the risks they faced are appropriately processed and managed.
The effort was assisted by business line risk ‘champions’, who were trained by risk management department staff, and could pass on their know-how to their colleagues. Through these efforts, Alkhaldi believes the concept of risk management is now firmly embedded in virtually all of Sama’s activities: “The role of the risk management department is to facilitate and simplify the activities of all departments by identifying risks and risk indicators that could affect the achievement of their objectives, which in turn could negatively affect Sama’s overall strategy.”
The result of these efforts is that directors and other authorised individuals now have real-time access to risk profiles. And by connecting the customised SAP GRC with other systems, KRIs have become “more accurate and timely”, says Alkhaldi. A simple example is that the system would immediately show the head of human resources if there has been a noticeable rise in staff turnover.
Expenses and losses
One cultural element that needed particular attention was related to what constitutes an ‘expense’ and what constitutes a ‘loss’. In the past, many Sama officials had “claimed everything as expenses”, says Alkhaldi: “There was no clear definition of a loss.”
Some of the items that are now viewed as ‘losses’ that previously were ‘expenses’ include damaged assets; vendor-completed projects that produced no tangible value; the cost of replacing a newly replaced vault door that did not meet safety and security requirements; the purchase of equipment that did not comply with business requirements; losses related to court cases; insurance claims related to Sama cars involved in traffic accidents; employees not attending paid-for training programmes or returning from college scholarships; and employees not repaying loans after leaving Sama.
Now that risk profiling is fully operational at Sama, any breach or near miss of risk appetite regarding risk levels or KRI inputs will trigger automatic alerts to the risk owner, the risk department and senior management with responsibility for that business.
The possible dangers are displayed on a risk profile ‘heat map’ that will also show the causes of any breakdown as well as the most common cause of losses/incidents in a pie chart. There are KRI thresholds and event timelines, as well as displays for the highest residual risk per risk owner, action plans to tackle residual risks and the threat level by individual risks.
All this automated reporting of risk incidents and loss data allows the Saudi central bank to establish responses to certain incident types in a bid to contain a risk incident and any related losses, including reputational damage. Ultimately, its system enables Sama’s governor – who has monitored the progress of risk culture, and made sure all extreme and high risks are mitigated by effective controls – vice-governor and top management to assess all risks, losses and risk indicators through their personalised dashboards, and be better prepared to take timely action to address problems as and when they emerge.
The Central Banking Awards were written by Christopher Jeffery, Daniel Hinge, Dan Hardie, Rachael King, Victor Mendez-Barreira, Joel Clark, William Towning and Tristan Carlyle