The Saudi Tadawul Group has in place a systematic and integrated risk structure and methodology to ensure our preparedness to mitigate a broad range of existing and emerging risks with potential to impact our operations, systems and stakeholders.

Facing forward

The Risk and Security Division remained responsible for approving, developing and enhancing standards and requirements for information security and business continuity during 2022, reflecting changes in market conditions as well as the Group’s evolving activities. It is also accountable for raising the level of awareness of risks and security across the Group as well as among our stakeholders.

As part of our Enterprise Risk Management (ERM) role, we have seamlessly integrated added responsibilities and continued to comply with new regulations resulting from the IPO during 2022. The Division’s ERM procedures and tools – which are reviewed and updated regularly – identify and address any emerging risks that might arise as a result of our structural transformation. Additionally, our Business Continuity Management (BCM) function continuously monitors new Group responsibilities and functionality to identify potential threats, thereby establishing and monitoring a number of activities to enhance relevant resiliency.

The Risk and Security Division is also tasked with identifying emerging and probable risks that could impact the many new, diverse business operations, products and services offered by the Group and its differing subsidiaries. Such identified risks are logged in a constantly updated risk register, which acts as a risk management tool and a repository of information for regulatory compliance, with recorded details on the nature of the risk, ownership, mitigation measures and other controls implemented. As a result, key risk indicators continue to be identified, with monitoring processes defined and implemented across the Group. Timely, scheduled and non-scheduled testing across different risk segments is carried out to ensure such risks are mitigated.

Determined defenses

The widespread adoption of technology and digitalization post-pandemic has also seen a shift in demand for increased data privacy and cybersecurity, given the increased and very real possibility of cybercrime. As one of the risks we are most conscious of, it forms a particular challenge, requiring both intense vigilance and proactive action. Our controls in this dimension are comprehensive, sharply focused and constantly updated, ensuring a proactive and precise response to threats that may emerge within and outside our cyberspace.

We adhere to cybersecurity best practices, continually reviewing cybersecurity controls and effectiveness, monitoring all cybersecurity-related activities and events to ensure exact, effective handling of any cybersecurity threat. Our process is one of constant technological enhancement, extending our suite of cybersecurity controls to anticipate and keep up with all new threats, aware of the increased focus of adversaries towards financial sectors and entities worldwide. In terms of internal capacity development, we seek to constantly augment employee awareness and knowledge on cybercrime, and encourage them to follow security best practices, so that the needs of detection and response engage people throughout the Group.

With COVID-19 and its repercussions highlighting a range of new risks and dangers across the world, we swiftly integrated pandemic-related events in our risk-categorization as part of overall business continuity risk. In addition, risk registers were updated to cover the unprecedented and particular events related to COVID-19. This was followed by the tightening of relevant controls, and the development of necessary capabilities in terms of procedures, systems and people to better prepare for such risk anomalies.

We will continue to invest in enhancing the collective ability of our teams, divisions, subsidiaries and the Group as a whole to identify, understand, openly discuss, raise the maturity level and act on eliminating and mitigating any risks that might have a potential to impact our projected business outcomes as a Group in 2023 and beyond.

Resolute positioning

Through 2022 we have actively reviewed and updated all risk as well as cybersecurity policies and procedures, thereby formulating a more comprehensive risk appetite and tolerance framework for the Group and its subsidiaries. We have reviewed cybersecurity controls and measures within, and available to, the Division to ensure alignment with the National Cybersecurity Authority (NCA)’s regulatory changes, which advanced the Group into achieving a high NCA compliance level.

We have focused on building awareness of the potential internal cybersecurity impacts resulting from increased remote working, while also understanding the assurance of physical health and safety for our employees. The Group developed physical security precautions aligned with the guidelines provided by the Ministry of Health and the Ministry of Human Resources. In addition, new cybersecurity controls were introduced to mitigate threats that emerged from the activation of the remote set-up for staff, with the risk register updated to cover such potential events relevant to cybersecurity precautions.

The Risk and Security Division also played a crucial role in effectively identifying, mitigating, and monitoring risks relevant to the Group’s major projects and initiatives.

Nurturing a strong risk culture

At Saudi Tadawul Group, our strong risk culture remains a critical element to institutional resilience in the face of challenges. We adhere to cybersecurity best practices, continually reviewing cybersecurity controls and effectiveness, monitoring all cybersecurity-related activities and events to ensure exact, effective handling of any cybersecurity threat.