Year CMA was created2004
Year of major cyberattack on Saudi Aramco2012
Risky business in Saudi ArabiaJanuary 26, 2016
Saad Al Sabti, managing partner at Protiviti, speaks to TOGY about the shortcomings in the auditing sector and the need for qualified auditors. He also calls on oil and gas companies to look more closely at the ways they manage information technology and cyber security. Protiviti is a global risk and business consulting company that operates across multiple sectors, including finance, operations, litigation and auditing.
How have recent regulatory changes impacted risk assessment for listed companies in Saudi Arabia?
Improvements to the basic regulations implemented in the 1980s have been made. The Saudi government has been looking to increase its control over corporate governance since the creation of state-run Capital Market Authority (CMA) in 2004. CMA is in charge of regulating and developing the Saudi Arabian Capital Market as well as reinforcing transparency and standards to ensure good practices. Since oil and gas companies have a major impact on Saudi Arabia’s economy, the government ensured it has additional rules and regulation for safety and environmental matters.
Today, 16 companies related to the oil and gas industry, such as energy and utility companies, are listed on the Saudi Stock Exchange, also known as the Tadawul. All these companies must have an audit committee and an internal audit department that contribute to their organisation’s continuous improvement strategies. These teams of auditors aim to show a company’s real risk exposure. They also enable the company to find new areas where costs can be cut and efficiency improved.
The government encourages control and risk assessments for listed companies and prioritises internal monitoring in the private sector. The government is looking to develop a similar system to those in Europe or the US.
What are common risk management practices for the industry?
People are important. Good management makes a company strong and resilient. Selecting board members, employees and the CEO are big tasks for oil and gas companies in Saudi Arabia. Changing people’s mindset in this industry is hard, as they are sometimes working in a closed circuit environment. More importance should be given to the selection process. Companies need to select a good group of employees who complement each other and hire younger, more adaptable personnel who can change current management methods.
Some companies have had the same CEO for 30 years. However, there should be a change with fresh blood and new ideas after 10 years or so. Every company should implement succession planning.
How can oil and gas companies improve their business performance in an environment of low oil prices?
The hydrocarbons industry needs controls to prevent fraud and misuse of company assets. Multinational oil and gas companies usually spend a lot of time and money on preventing fraud. Anti-fraud controls and business activity regulations should be balanced, as too much control hinders business. Companies need adequate control to prevent fraud and misuse of the company’s assets.
Companies should review and improve their control processes to shorten their product development phase. Oil and gas companies have a tendency to implement a lot of controls in all their processes to avoid the slightest risk. Controls can be implemented in a more efficient way, starting with selecting properly trained people to implement these controls. The qualified workforce needs consultants to guide them towards enforcing these controls more efficiently.
Oil and gas companies should concentrate on optimising and adding value to their assets and products. At the same time improving the efficiency of the measures enforced in the company is one important aspect of reducing costs. Internal audits can improve this process and help department heads and managers achieve their quantified financial objectives. This subsequently helps the company reach its general objectives. Audits can also help prevent fraud, which brings added value to the industry.
To what extent has the industry improved its management of IT and cyber security?
Older companies do not like to change their traditional ways of conducting business. The industry is slowly developing an awareness about IT management. Saudi Aramco has implemented very advanced cyber security requirements after a major cyberattack in 2012.
A handful of oil and gas companies do not have good security systems, which might lead to confidential information falling into the wrong hands. To prevent this, authorisation access should be monitored and controlled. That said, companies rarely review and update their authorisations information.
For more news and features on Saudi Arabia, click here.