Significant forces of change in Saudi Arabia are being created by the oil price shock, new responsibilities as a member of the Group of 20 and the appointment of deputy crown prince Mohammad bin Salman al-Saud as chairman of the country's new Council for Economic and Development Affairs. In particular, the government has introduced a series of bold reforms over the past year or so, including its Vision 2030 programme to reform the Saudi economy towards a more diversified and privatised structure.
There are high-profile changes, such as the council taking control of the state-owned Public Investment Fund, which it plans to turn into a $2 trillion sovereign wealth fund (seeded with assets of state petroleum company Aramco). But restructuring is also taking place across many government departments, including at the Saudi Arabian Monetary Authority (Sama). This was part of the reason former Sama governor Fahad Almubarak embarked on a project in 2014 to activate a risk and compliance department to implement enterprise-wide risk management, with a strong focus on operational, compliance and reputational risks in addition to financial risk – a project his successor, Ahmed Abdulkarim Alkholifey, has continued to support.
Creating a risk management culture is a major undertaking for an institution that is in charge of government banking affairs, including: minting and printing the national currency; stabilising the currency's external and internal value; managing foreign exchange reserves; maintaining price stability; promoting the growth and soundness of the financial system; and supervising banks, dealers, finance companies, credit information companies and insurers.
There is also the matter of embedding risk management into everyday thinking at an institution employing 3,000 staff, most of whom have only limited experience outside of the public sector.
"In the past year, we have faced a big cultural challenge," says Abdulaziz Alkhaldi, Sama's director of risk management and compliance, who reports to vice-governor Abdulaziz Saleh al-Furaih. "People asked if we represented audit or compliance – or even if we were going to manage their risks. But risk management is a function. We can help to identify the risks and to help build risk registers – but in the end, the departments need to be responsible for managing the risks."
The risk team introduced multiple projects and programmes to establish a risk philosophy, with an overarching aim to minimise operational and financial losses while maintaining Sama's good reputation. The work has centred on three main streams: developing a risk management framework, tools and procedures; reviewing policies from a risk and compliance prospective; and implementing a risk communication plan and awareness programme.
People asked if we represented audit or compliance – or even if we were going to manage their risks. But risk management is a function. We can help to identify the risks and to help build risk registers – but in the end, the departments need to be responsible for managing the risks
Abdulaziz Alkhaldi, Sama
Developing the framework, tools and procedures initially required a high-level understanding of each department's objectives, strategy and governance. After this, the risk team performed ‘diagnostic reviews' to obtain a detailed understanding of business functions and then performed benchmarking studies. The aim was to create a framework for policies and procedures that confirmed relevant staff responsibilities, set out risk management requirement and met regulatory requirements.
Another essential element was to ensure the full involvement of internal stakeholders. This required a separate effort to build communications and training so staff could understand, help to review and improve policies. It also monitored feedback to improve its future work.
The risk management framework, tools and manual were developed by the risk and compliance department, and reviewed by an external consultant for quality perspectives and benchmarking with other central banks. The framework was communicated to staff, and after working first with priority departments, Sama's 'risk register' is about 70% complete, according to Alkhaldi.
While there is still a lot of work to be done, Alkhaldi believes the project has already yielded results across a range of risks – both internal and external. For example, Sama has improved the video monitoring of its security trucks that it uses to transport cash to its branches, and has also moved to tackle non-compliance of insurance companies regarding Islamic insurance products.
Compliance standards central in 2016
Central to its efforts during the past year was the 'compliance standards activation project'. The aim was to activate compliance standards that have been identified as 'not activated' or only 'partially activated', while ensuring Sama's 'compliance standards manual' includes local and international rules, regulations and best practices.
The project, which tackled both 'specific' and 'general' standards, was sustained throughout 2016, and involved self-assessment and knowledge testing. The results for the self-assessment were categorised as 'compliant', 'partially compliant' and 'non-compliant'. The knowledge test measurement results were categorised as 'excellent knowledge', 'partial knowledge' and 'poor knowledge'.
Workshops held to assess the activation of 75 'general and specific standards' (40 general and 35 specific) found that in the first quarter of 2016, just 71% of the compliance standards had been activated, with 12% partially activated and 17% not activated. Once the action plan was implemented by the end of the third quarter of 2016, the activation of the standards had increased to 94%, with knowledge rising to 89%.
Sama still has plenty of work to do to ensure risk pervades the thinking of its thousands of staff, but efforts such as its compliance standards activation project represent a strong effort to improve risk management.