STG, through its Risk and Security Division (‘Division’), has implemented a systematic and integrated risk structure and methodology to ensure the Group’s preparedness to mitigate a broad range of risks. The Division follows the “Three Lines of Defense” methodology, which is considered the best according to international standards. It also helps to define the responsibilities of each of the general departments in the Group, the Executive Management, and the Board Committees with regard to risks. One of the important roles of the Division is to approve and develop standards and requirements for information security and business continuity for all market members and data providers in proportion to the accompanying and surrounding changes to the market. Additionally, the Division is tasked with raising the level of awareness of risks, security and business continuity in line with changes in the market and the vision of the Group.
The following are the types of risks identified and approved by STG:
These are the risks arising from the inefficiency or failure of internal and external processes, individuals, systems, or external events, and it includes the risks arising from issuance operations, clearing Group transactions, market deals, asset and deposit transactions, market regulation, human resources and physical assets. The Division reviews all sources related to operational risks in cooperation with the concerned departments in order to reduce these risks.
These are the risks associated with information technology that result from the possibility of malfunctions in information systems or errors in the technical structure or communications. Risk prevention and mitigation strategies must take into account human factors, especially the possibility of intentional harm, as well as collateral damage. These strategies include limiting the Group’s liability for any risks, avoiding them altogether, mitigating their harmful effects, or absorbing their consequences in whole or in part.
These are risks resulting from wrong decisions made by the Group’s management, wrong implementation of organizational decisions, or failure to take timely decisions, which may lead to losses or loss of alternative opportunities. These risks may arise due to the Group’s violation of regulations and standards established by the regulatory authorities or the absence of an appropriate strategy to achieve goals in the short-term and the long-term.
These are the current or future risks that could affect the Group’s revenues or reduce the efficiency of operating expenses. One example of this is the volatile nature of the trading commission, which constitutes a large proportion of the revenue. Other risks include variation in interest rates, exchange rates and the market value of stocks that may affect the rate of return on investment, in addition to the risks involved in increasing income, liquidity, investment, insurance and financial analysis. One of the main risk mitigation strategies is to increase non-trading income, in order to mitigate risks arising from market volatility. Financial risks also include risks related to procurement and support services for which a strategy has been developed to limit their potential impacts.
Information security risks
These are risks arising from technical gaps and threats to the information assets used by the Group that affect the achievement of business objectives. Information security risks include internal and external threats, risks of data privacy and confidentiality, and risks of correctness and availability of information. The Division determines the level of data confidentiality to ensure the effectiveness of tools, procedures and mandatory access controls in addition to evaluating the Group’s ability to protect confidential data in the face of all threats arising from any unauthorized disclosure or access.
Business continuity risks
These are risks that lead to a catastrophic and effective suspension of the Group’s operations, which, in turn, can result in large losses in the technical structure and level of services provided. These risks include infrastructure breakdown, natural disasters, problems faced by logistical support providers, and threats targeting individuals.
The Division determines the requirements for effecting reinforcement of service in the wake of major breakdowns and ensuring the Group’s ability to maintain the services provided in a manner that ensures preserving the integrity and credibility of the market and investors. The Division is also working on setting controls and plans to reduce the risks of system or public facilities breakdowns to ensure business continuity in line with the requirements of raising market efficiency.
Business environment risks
These are potential risks or losses resulting from a number of external factors that shape the surrounding environment and affect the performance and business of the Group such as economic, political, and environmental conditions, and include market members’ risks, legal risks, data providers’ risks, and the risks of vendors and suppliers.
New Developments in 2021
The Formation of STG and Going Public
In 2021, the Division extended its activities to cover all changes that emerged following the formation of STG and the listing of its shares. The Division actively worked with all other functions to enhance policies and procedures to meet the new requirements triggered by the changes. The Division also actively contributed to the successful listing of STG’s shares by proactively working to identify, assess, mitigate and monitor the potential threats and opportunities, and by classifying the potential events likely to occur before, during and after the STG IPO. In addition, the Division served subsidiaries by providing all the required information and resources while also representing them in the relevant Board Level Committees.
Capital Market Infrastructure
STG maintains a capital market infrastructure that mandates the continued availability and stability of trading, market operations and surveillance, and post-trade operations.
In 2021, fulfilling this mandate became increasingly challenging due to the increased load on systems and on people caused by a spike in price volatility and transaction volumes. Additionally, potential risk events related to the introduction of derivatives are actively identified, assessed and managed in alignment with STG’s risk and security framework.
Navigating the COVID-19 Pandemic
COVID-19 continues to have implications for organizations around the world. However, STG was able to maintain the upward trend in its financial and operational performance. The Group’s proven resilience was supported by a well-established risk and security management function that helped in the effective control of uncertainties through a challenging period. Since 2020, STG’s risk categorization has been covering pandemic-related events as part of the business continuity risks. During 2021, risk registers were updated to cover unprecedented events related to COVID-19 with the relevant controls. In addition, the Division helped develop procedures that adhered to physical health and safety guidelines announced by the Ministry of Health and the Ministry of Human Resources and Social Development. Furthermore, attracting and retaining proficient human resources was difficult considering the high demand prompted by changes in working environments and methodologies locally and globally.
The Division paid close attention to the growing frequency and sophistication of cyber-attacks, especially since the activation of the remote set-up for staff has increased vulnerability points for technology and cybersecurity risks, posing a potential major threat to the Group. In 2021, new cybersecurity controls, which align with the Telework Cybersecurity Controls issued by the National Cybersecurity Authority (NCA), were introduced to mitigate these emerging risks. Furthermore, relevant risk registers were updated to cover potential events relevant to security precautions. In addition, the Division promoted awareness among staff on the new threats that could emerge from the remote set-up.
Risk and Governance
The Enterprise Risk Management (ERM) Framework was reviewed effectively and relevant amendments were made to align with new products, new projects, and the pandemic situation. Furthermore, regular meetings were held with the technology provider Nasdaq to ensure the harmonization of the risk management efforts with a collaborative approach. The Risk Assessment (RA) approach and guidelines were reviewed during the year and new procedures were developed to ensure mitigation of the emerging risks and to meet 2021 requirements in terms of products, projects and governance.
Key Risk Indicator (KRI) guidelines were reviewed and updated to govern the roles, responsibilities and processes related to preparing, calculating, validating, monitoring, and reporting the KRIs. This made it possible to ensure an effective process to identify appropriate KRIs and KRI thresholds. Furthermore, in addition to the current Group KRIs, potential KRIs were identified to ensure readiness to react in a timely manner to changes in corporate strategy.
Over the past few years, STG has become a major player as a result of its massive initial public offerings and the introduction of new products; the Group has also entered into new markets in line with Vision 2030 and in order to compete with the largest stock exchanges in the world. Now that STG is restructured as a Group, this heightened pace and volume of activity will bring strategic, operational, and financial challenges that need to be managed. While the Group’s existing risk and security framework is robust and comprehensive, the Division understands the need to be vigilant in constantly assessing and updating the Group’s approach to emerging risks.