Almarai, a Saudi multinational food and beverages conglomerate listed on the Tadawul stock exchange, was struggling with its fragmented, siloed, and manual approach to risk management. This resulted in limited risk visibility, which in turn adversely impacted the company’s decision-making capabilities.
The company started looking for a solution that focused on enterprise risk management and the business continuity function as it was managing these areas primarily using spreadsheets. Almarai chose to implement MetricStream products built on the MetricStream Platform and running on the MSI cloud to overcome these challenges. With the implementation, the customer has enhanced speed and agility in risk mitigation, business continuity, and issue resolution. There is also increased visibility into risks, key issues, and business continuity plans with end to end accountability.
The Old and the Obsolete
Prior to MetricStream, Almarai had a fragmented, siloed, and manual approach to managing risk and issues. Each business unit and division had its own approach to risk management with separate risk registers maintained in various spreadsheets. The risk teams spent more time updating the spreadsheets than analyzing the risks and their potential impact.
This traditional approach to risk management led to a number of problems. There was an inconsistent understanding of risks across the enterprise, lack of consistency and accuracy of data, limited visibility into key risks, duplication of efforts, inefficient risk reporting, assessment, and prioritization, and many more.
The company sought a solution that could facilitate:
- Risk management in compliance with the ISO 31000 standard to manage risks across the company
- The business continuity function for identifying its risk of exposure to internal and external threats and ability to effectively respond to threats to its key business activities
MetricStream emerged as the preferred choice to meet these requirements.
The Implementation
The company implemented MetricStream products, namely Enterprise Risk Management and Business Continuity Management, out-of-the-box. The Enterprise Risk management (ERM) product was deployed within 4 months and went live in August 2020 while Business Continuity management (BCM) went live in Sep 2020. The products seamlessly integrated with existing workflow and structures.
With the implementation, Almarai has successfully moved forward on the ERM maturity journey. MetricStream provided a platform to register risks along with a common risk language and taxonomy with common definitions across the organization. This improved accuracy of data with clear and faster reporting. In addition, Almarai now has a consistent approach to risk assessment and prioritization, a better understanding of its risk appetite, and a systematic process to escalate risks to the appropriate level. The automated workflows have improved its ability to monitor and mitigate risks.
Common Risk Taxonomy and Centralized Database
Earlier, the company did not have a common risk language which led to different understanding and interpretations of risks and related issues by different business units and divisions. With MetricStream, Almarai not only has a common risk taxonomy that facilitates consistent understanding of risks but also a centralized risk repository that has replaced the disparate risk registers of individual divisions. The centralized risk repository has enabled the company to dynamically link risks on a many-to-many basis, meaning risks are now mapped to controls, processes, functions, and more, so that there is less duplication and confusion among the line management.
In addition, MetricStream’s reporting and dashboarding capabilities provide Almarai with a single view into the key data, facilitating better visibility and analysis.
Efficient Risk Assessment And Prioritization
Previously, due to multiple risk registers, varying risk assessment methodologies, and lack of aggregation, Almarai was unable to have complete visibility into risks at the enterprise level.
With MetricStream, the company has a unified and integrated system in place where it can upload risk data and conduct multi-dimensional risk assessments to establish its risk profile. This also helps in prioritizing various risks and hence devising mitigation strategies in an efficient manner.
The implementation has also enabled the company to effectively monitor Key Risk Indicators (KRIs) based on thresholds to mitigate potential threats. MetricStream allows sending alerts and notifications on any breach to relevant personnel for faster decision-making.
Well-defined Roles and Accountabilities
Even before the implementation, the company had a risk governance model with three lines of defense. However, the line separating the roles and responsibilities of the first and second lines became blurred over time. The second line was essentially trying to do the job of self-assessment for the first line, which made it difficult to put the right ownership in the latter. The first line, in turn, felt overwhelmed with the effort from the second line to check the controls.
The company identified the need for a tool that could scale right across all these various areas of the first and second line of defense. With MetricStream, the risk owners are much more knowledgeable about what is expected from them and their accountabilities. It has resulted in efficient and harmonized ways of working between the first and the second lines.
Effective Business Continuity Management
The company wanted to make sure that business continuity was a part of the product implementation at a foundational level. With MetricStream Business Continuity Management, the risk committees and management now get the quarterly risk assessments based on the continuity risk that they have identified. It also has a digitized system that provides comprehensive visibility into current disaster recovery plans, business impact analysis for a particular sub-area of a manufacturing site, and more. Crisis simulations and summary reports are all available online now and can be viewed by anyone with appropriate access. The product’s mobile capabilities and mass notification feature in case of any disaster have strengthened Almarai’s resilience to potential future crisis. MetricStream has also made it easier to follow up on mitigation plans and get the status reports.
Expedited Issue Resolution
Before MetricStream, Almarai used to take at least 2 weeks to report issues and resolve them. However, following the implementation, it is able to expedite the process considerably and save time and resources with streamlined workflows and automated email notifications and reports.
Overall, MetricStream has streamlined risk management processes across the enterprise and empowered the company to make more data-driven, risk-based decisions. Heat maps and powerful reports and dashboards provide the top management with actionable and real-time insights for efficient decision-making. In addition, MetricStream’s scalable modular concept has enabled the food and beverages giant to become future-ready as it can extend the system to more specialized areas, such as compliance, going forward.
“With MetricStream, we’re now better at prioritizing our risks and making them consistent when we assess them. This has helped us improve our risk mitigation capabilities and even use risk appetite to make sure that we’re consistently escalating risk to the appropriate level. That was probably not a strong point about a year ago.”
- Scott MacKinlay, Head of Enterprise Risk Management, Almarai
