Red Button with a Question MarkAcross the Middle East, Enterprise Risk Management (ERM) is becoming a prevalent practice, with many organizations eyeing its importance.

Firstly, let us define what ERM is… in basic terms, it is the aim of bringing a holistic organization-wide and standardized risk management process for institutions, providing them with an integrated view of the risks they face. Potential risks are therefore identified and planned for, to be avoided or overcome.

Now, in order for ERM practices to be most efficient, there needs to be an assigned professional or team in place to oversee it.

As such, the positioning of corporate risk managers and defining their reporting lines is one of the critical success factors of an ERM program. Whilst there is not fast and hard rules the define the positioning of the risk manager / chief risk officer, it widely accepted that the Head of Risk Manager / Chief Risk Officer needs to be positioned highly within the organizational hierarchy. This is required in order to avail it the clout and respect it needs to make its mission success. The most ideal positioning for the Chief Risk Officer is to report into the CEO of the organization. Placing this position under the CFO is an option but carries with it also certain limitations.

The Board of Directors also have fiduciary duties and a responsibility to ensure that the management of their organization is identifying critical risks and putting in motion plans to treat these risks. Therefore, it is also important to define the reporting lines and protocols into the Board. There is an emerging trend where a number of organizations have designated their Audit Committee to play that additional oversight role over risk management.

Yet, due to the complexity of ERM, companies and organizations across the Middle East have been resorting to help from professional firms that specialize in the ERM space and are expanding their search beyond traditional re-insurance companies.

The importance of setting up effective ERM practices should not be overlooked, as risks that are not planned for can greatly harm the company.

By Hani Mounir Khoury
Enterprise risk services partner at Deloitte Middle East