Navigating risk management in the UAE: Insights from our Director of Risk

We sat down with Mark Scott to hear his insights into the nuance of risk management, with a focus on control testing.

Thank you for joining us today, Mark. To kick things off, could you please introduce yourself and provide a brief overview of your role?

Thank you. I moved to the UAE two years ago. Previously, I worked within Europe but mostly in Risk Management for nearly 20 years. My background is in enterprise and operational risk. Currently, I am the Director of Risk for j.awan & partners, which is essentially a global role but predominantly in the MENA region (UAE and KSA). We do a variety of work – it is a combination of risk advisory, risk assurance and providing outsourced risk management arrangements to various firms, including banks, credit providers, asset and fund managers, as well as firms operating in the retail and wholesale sectors in this market. 

 

Let us delve into the field of risk management. In your experience, what key challenges do firms in the UAE typically encounter when it comes to managing risks? 

It is about recognising that this is a developing market. Whilst people will have different views on that term and what it means, in a risk management context, risk management in the UAE is continuing to mature. Risk management is on a journey in terms of what it will look like in the next 10-20 years. There has been a lot of change here over several decades, so the way risks are understood, measured and monitored is absolutely a part of that. 

In terms of priorities for clients, the regulators themselves are also evolving and continuing to develop and, whilst progressive, are enhancing their own supervisory approaches in terms of risk management, something we are hearing more of from our clients. As part of the inspections and reviews being conducted, regulators are asking more challenging questions, and we are seeing more in the sense of firms asking more about ‘how we can get more from our risk management’ and ‘how can we prove its effectiveness.’ In areas, for example, relating to risk registers and risk reporting and whether accountable persons are getting appropriate visibility to the key risks in their business. That needs to come through the reporting to ensure things are sufficiently clear and transparent.

Some of the regulatory inspections that are being conducted have highlighted how often risk registers can be extremely cluttered with far too many risks. Equally, the way the controls are described really does not provide clarity in terms of how risks are being mitigated. The same is true of risk assessments that are too subjective, and it means the true risk profile of a firm cannot be clearly understood.  

We have these conversations with different clients, but we are starting to see more requests from the regulators around improving the quality of reporting, and to start looking at controls in terms of how they should be tested as part of a formal program of control testing. 

 

Could you please tell me a little bit about control testing and why it is so important? 

Control testing comes in many forms, and we need to break down what we truly mean by that. But when people start talking about control testing, they often talk about internal audit because of the role the function plays in providing independent assurance against a firm’s control environment. For many firms, internal audit is something that happens maybe once a year or sometimes only every couple of years. Whilst those reviews are important and cover a wide scope, there is a period of time where essentially nothing happens between internal audit reviews. It then places a reliance on the first line of defense to ensure the controls they are responsible for really do work.

Where control testing comes in, it represents an opportunity for the second line, in particular, for the Risk function and the Risk Officer, sometimes with the support of Compliance, to conduct control testing that provides assurance against the effectiveness of these controls, both in terms of their design and operating effectiveness.

By performing this testing, it can be a chance to identify gaps and weaknesses so that senior management have visibility as to where those gaps are, and that they are able to take action to close those areas and strengthen the control environment. 

 

There is obviously a big focus on controls, as you pointed out. How would a good control be designed? 

There is always a big distinction between processes and controls, and for many people, I am sure that is obvious. But I think when we work with clients, I do not think people are making that distinction enough, so let us break it down. A process is essentially a series of linear steps that allow kind of an activity to be completed, and those steps can vary based on the person or team(s) assigned responsibility to complete those steps. But throughout those processes, there should be controls, as controls are the things that actually mitigate risks. They are like micro steps or points within the process that allow a potential risk to be detected, prevented or remediated in some way. 

Control types will always vary in terms of what they need to be, but it is important that people are clear on what the controls are because if we just focus on process, well, we are not really mitigating risk, and that is what is going to cause issues. So, I think it is always about breaking that down.  

In terms of anyone who might be thinking about the record-keeping or the compliance element of this – when they are documenting controls, essentially, you need to capture the control description, and that is about being clear on what the control’s objective actually is, the task or activity that is being completed to mitigate the risk, and also thinking about things like who is the control owner i.e. the person who has responsibility for performing the control. 

 

What makes a good control test? 

When we look to begin control testing, it is important we work with the management team to define what the control tests will consist of. This means understanding the control in more detail – for example – if it relates to a control that is a part of a processing activity – it is probably going to require a sample-based check where we check a series of transactions to ensure that the controls were performed correctly as part of the processing of that payment. But if we are testing a management control – that is probably going to require a review of some documentation linked to the control or walkthrough of a control being performed. Either way, what is important is that in advance of the test, the control test is documented so that it is clear for everybody. Additionally, there needs to be clear criteria in terms of what is going to make the test pass or fail. If we do not have that, then the testing becomes potentially unfair to people, and it should not be about that. What is always important is that testing should promote buy-in to both risk management and good control management. If people do not trust the process or feel that it is there to catch them out, then it will not get the buy-in. 

So having clear control test documentation in place is important. It is also something that regulators will expect.

 

How can j.awan & partners support clients in this area?

For a few of the clients we have worked with who have had the regulator come to them and ask them more about control testing, we are in a place where we can actually conduct that control testing on behalf of our clients. This can be useful in the sense that if a business is challenged with its own capacity and wants an independent party to conduct the testing for them, then we can help. Secondly, the fact that we complete work with such a diverse range of clients – sometimes just having that independent view in terms of understanding what good controls look like – can be really helpful. Again, we can provide that view with our support. Control testing can also be incorporated into outsourcing engagements we have with our clients. 

 

Before we conclude, are there any final thoughts or messages you would like to share with our audience? 

We recognise the challenges of getting things right. Risk management is continuing to mature, and with that, not everyone will get everything right the first time. Everyone is learning in the region – we are all learning together – but that is why we are here as a firm, to provide support to our clients and lend our expertise, providing assurance to what firms are doing.  

I encourage anyone who is facing challenges with this to get in contact and speak to us, and even join the UAE Risk Management Group on LinkedIn which is an independent network we have established with some other firms and professional service providers who work in the risk management arena and for those with a vested interest in risk management. You can also get in contact with us about any of these things via the form on our website, and our team would be happy to talk to anyone who requires support in this area. 
