Risk Management and Internal Control Framework
Almarai has defined its risk management process according to the COSO Framework principles, which define industry best practice. Almarai’s Board of Directors and Senior Management use these principles in the course of setting the strategy and making decisions. Management then plans, organizes and directs the performance of sufficient actions to provide reasonable assurance that the Company’s objectives, stated below and articulated as per the COSO Framework, can be achieved while ensuring that associated risks are kept within an acceptable risk level. The Company’s internal controls and risks are grouped within the COSO Framework categories:
Senior Management and oversight
Senior Management is responsible for Almarai’s Internal Control System, while the Audit Committee is responsible for oversight of the effectiveness of Almarai’s internal controls over financial reporting. To this end, Senior Management relies primarily upon the finance function and various second line of defense functions disseminated throughout Almarai, assurance providers such as the quality audit team, the risk champions and the operational reporting lines (by business locations, regions, business units and/or subsidiaries).
Corporate Finance Department
The Corporate Finance Department is responsible for the finance function within the Company, both directly through centralized functions (Financial Planning and Analysis; Financial Policy and Regulatory Compliance Consolidation; Treasury and Financing; Tax; Corporate Legal) and through functional ties with the financial controllers of the various business locations, regions, business areas and subsidiaries.
The Corporate Finance Department’s additional responsibility regarding risk management and internal control consists of direct oversight of regulatory and compliance-related matters. The Chief Financial Officer (CFO) chairs monthly meetings of the Finance Executive Committee, which comprises Corporate and Divisional Finance; Legal; the Business Systems Department; Investor Relations; Treasury and Risk Management; and Internal Control.
Risk Management
Almarai’s risk identification and risk management system adopts the COSO-based enterprise risk management framework geared to achieving an entity’s objectives. The Risk Management function comprises a dedicated corporate team as well as one assigned risk champion in each business area. The function is overseen by the Executive Management Team and the Risk Committee. The process of identifying and managing Almarai’s risks is described below under the subheading ‘Risk identification and assessment’.
Internal Control Department
The Internal Control Department comprises a dedicated central team, which is supported by a network of local Finance Managers who report to the Corporate Managers of the business areas, but who are ultimately answerable to the CFO. The role of these Finance Managers is to ensure, through close and recurrent controls, that the Company policies and procedures are properly applied within their area of the Company. The Internal Control Department’s main responsibilities are as follows:
Internal Audit Department
Almarai has a fully developed and independent Internal Audit Department reporting directly to the Audit Committee on all functional matters. The Internal Audit Department develops a risk-based audit plan that the Audit Committee reviews and approves annually. All control gaps identified during the audits are discussed with the Senior Management and remediation plans along with expected timelines are agreed. The Internal Audit Department independently follows up to ensure gaps are closed as expected. The Head of Internal Audit reports quarterly to the Audit Committee on all key matters and provides the Committee (and, through the Committee, the Board and the shareholders) overall assurance of the effective operation of internal control systems.
Other internal control participants
Apart from the financial governance in place within Almarai, the following departments perform regular internal reviews to ensure operational effectiveness and compliance with industry benchmarks and standards (ISO 9001:2015, 14001:2015, 22000:2005 and 27001:2013, FSSC 22000, 45001:2018):
Internal control and Risk management process
The internal control and Risk management processes consist of the following five closely related components:
Control environment
The aim of the control environment is to make staff aware of the usefulness and necessity of internal control. Such awareness is the foundation of all other components of internal control. Almarai’s control environment is based on the following:
Risk identification and assessment
Almarai defines risk as ‘the possibility of an event occurring that will have an impact on its essential business processes and activities or the compliance, reporting or strategic objectives of the Company’. Risks are evaluated via a combination of the consequences of an event and the likelihood of its occurrence.
Almarai’s approach to risk
Almarai has developed a methodology to manage potential business risks. This is aligned with recognized industry standards and best practices, based on: the COSO Enterprise Risk Management – Integrated Framework; and ISO 31000:2018, Risk Management – Guidelines.
The methodology is reviewed regularly and, where necessary, adapted to ensure it evolves with the Company’s business needs, thereby allowing Almarai to manage risks effectively and efficiently, supporting the achievement of short and long term objectives.
The Almarai Risk Management framework is aligned to the COSO model components and the process defined in ISO 31000:2018. This cyclical process is supported by Almarai’s Enterprise Risk Management Function through education and training, through monitoring, review and assessment, through guidance to business management teams, and through an ancillary toolset for recording, analyzing and reporting on risks.
Almarai Risk management process
Risk Governance model
Aligned with industry recognized and adopted best practice, Almarai operates a three lines of defense model to ensure accountability across the Company for governance, management and reporting of risks and the control environment.
Almarai Crisis Management Structure (CMT)
Almarai has developed a major incident and crisis management protocol that can be activated if an abnormal or unstable event threatens the Company’s strategic objectives, reputation, or ongoing viability. The approach to these types of incidents is based on industry standards and best practice. It incorporates a three-tiered response system to ensure rapid decision-making and action:
Risk monitoring
Almarai’s business risk register is reviewed quarterly by the risk champions and the respective Executive Vice Presidents of each business area. It is then consolidated and challenged by the Enterprise Risk Management (ERM) Department at Almarai’s corporate head office. The Enterprise Risk Management Department presents the most significant risks that Almarai faces to the Company’s CEO, CFO, and all other Executives. A map of Almarai’s major risks and risk mitigation plans is reviewed and assessed, and this work serves as the basis for the presentations made to Almarai’s Audit Committee and Risk Committee.
Other elements of risk identification and analysis
Procedures such as competitive monitoring, training, risk prevention and protection, along with the initiatives of specialized departments such as the Quality, Regulatory, Health, Safety and Security Department and Information Security, all contribute to the identification, analysis, and management of risks.
The Quality, Regulatory, Health, Safety and Security Department also helps to identify threats against Almarai’s employees and assets. Almarai’s Business Continuity function uses information in risk maps to identify potential crises and to prepare appropriate responses in all cases.
Control activities
Control activities are intended to ensure the application of the standards, procedures and recommendations that contribute to the implementation of financial policies. All business areas use a quarterly self-assessment process and send the results to the Internal Control Department, which analyzes them and sends summaries to relevant stakeholders. Appropriate action plans are put in place by the entities under the supervision of the Internal Control Department with the aim of facilitating continuous improvement. Internal reviews are subsequently carried out to validate that corrective measures have been taken. In addition, the performance and results of each operating unit in the area of internal control are regularly and systematically monitored by the management committee of the relevant entity.
Transmission of information
Appropriate information is identified, collected, quantified, and disseminated in a manner and within a time frame that enables each person to discharge their responsibilities. To this end, Almarai relies upon:
Almarai also uses an intranet site and various documentation database systems that enable information to be shared within the Company. This information includes not only financial information but also non-financial information that meets the needs of the various operating and administrative departments. Since 2011, Almarai has used social media to help transmit information and develop communication and experience sharing.
Continuous monitoring
The internal control system’s performance is monitored by the Internal Control Department, which reviews, updates, and reports regularly on the operation and effectiveness of the established control structure. In addition, corporate and business finance managers obtain reasonable assurance through various layers of review and monitoring.