A SURVEY OF MANAGERS AND EXECUTIVES FROM MORE THAN 100 BUSINESSES IN DUBAI, UAE, ASSESSES THE CURRENT STATE OF RISK MANAGEMENT IN DUBAI AND OUTLINES AN ERM STRATEGY COMPANIES CAN EMPLOY TO BETTER MANAGE THEIR RISK.
EXECUTIVE SUMMARY Every organization is in the business of risk management whether it knows it or not. There is a growing demand for businesses to find ways and means to minimize risk, but many lack the knowledge of how to systematically manage the various types of business risks. In this article, based on a paper presented at the Institute of Management Accountants' International Conference in Dubai, UAE, on May 10, 2006, the authors evaluate the current status of enterprise risk management (ERM) in business organizations in Dubai and suggest some guidelines to help the businesses alleviate business risks.
Uncertainty abounds in today's economy. Every organization is in the business of risk management to some extent. It is impossible to "create a business that doesn't take risks."1 Thomas Stewart aptly summarizes the implication of risk in business: "Risk-let's get this straight upfront-is good. The point of risk management isn't to eliminate it; that would eliminate reward. The point is to manage it-that is, to choose where to place bets, where to hedge bets, and where to avoid betting altogether."2
Historically, risk management in even the most successful business tended to occur in silos-the insurance risk, the technological risk, the financial risk, the operational risk, the environmental risk-all managed independently in separate compartments or departments. Coordination of risk management was usually nonexistent, and the identification of new risks was sluggish.3 As a business continually changes, so do the risks. In today's business environment, stakeholders increasingly want companies to identify and manage their business risks.
The mismanagement of risk can carry an enormous price. The business community has witnessed a number of risk debacles in recent years that resulted in considerable financial loss, decreased shareholder value, damaged company reputations, the dismissal of senior management, and, in some cases, the destruction of the business. Consider the impact of companies selling defective products or unnecessary services, coupled in some cases with severe mishandling of the product recall or service problem; environmental disasters and inadequate attention to the resulting crisis; rogue traders lacking oversight and inadequate controls assuming enormous risks; organizations trading in complex derivative instruments without understanding the risks involved; mergers destroying shareholder value; insurance salespeople churning customers' accounts; sexual harassment of employees; and racial slurs by management and discrimination against employees.
This risk environment, in which a debacle can have major and far-reaching consequences, requires that senior management adopt enterprise risk management (ERM). The value of ERM is that it makes managers and employees at all levels sensitive to and concerned about risk management. Table 1 identifies three key aspects of ERM that are distinct from traditional risk management.
ERM is also referred to as integrated, strategic business-wide risk management. Here we use these risk terms interchangeably. In general, the term "risk" includes any event or action that will adversely affect an organization's ability to achieve its business objectives and execute its strategies successfully. The scope of risk covers all events, internal and external, that may prevent an organization from achieving its objectives. Adding the word "management" to integrated, business, or enterprise-wide risk implies a "structured and disciplined approach" that "aligns strategy, processes, people, technology, and knowledge with the purpose of evaluating and managing uncertainties that the enterprise faces as it creates value."4
The business climate in the United Arab Emirates (UAE) in general-and Dubai in particular-is similar to that in other countries globally. …