Risk management policy and control

Tadawul (through its Risk and Security Division) has a systematic and integrated risk structure as well as a consistent risk methodology with all the relevant procedures in place ensuring the Company's preparedness to deal with the emerging risks which can surface instantly and unpredictably.

The Risk and Security Division of the Exchange follows the “Three Lines of Defence” methodology, which is considered the best according to international standards. It also helps to define the responsibilities of each of the general departments in the Company, the Executive Management and the Board Committees accurately and effectively with regard to risks. One of the important roles of the Management is to approve and develop standards and requirements for information security and business continuity for all market members and data providers in proportion to the accompanying and surrounding changes to the market; in addition to raising the level of awareness of risks, security and business continuity in line with changes in the market and the vision of the Company.

The following are the types of risks identified and approved by Tadawul:

Operations risks

These are the risks arising from the inefficiency or failure of internal and external processes, individuals, systems, or external events, and it includes the risks arising from issuance operations, clearing company transactions, market deals, asset and deposit transactions, market regulation, human resources and physical assets. The Risk and Security Divison reviews all sources related to operational risks in cooperation with the concerned departments in order to reduce these risks.

Technical risks

These are the risks associated with information technology that result from the possibility of malfunctions in information systems or errors in the technical structure or communications. Risk prevention and mitigation strategies must take into account human factors, especially the possibility of intentional harm, as well as collateral damage. These strategies include limiting Company's liability for any risks, avoiding them altogether, mitigating their harmful effects, or absorbing their consequences in whole or in part.

Organizational risks

This is the risk resulting from the Company's management making wrong decisions, wrong implementation of organizational decisions, or failure to take timely decisions, which may lead to losses or loss of alternative opportunities. These risks may arise due to the Company's violation of regulations and standards established by the regulatory authorities or the absence of an appropriate strategy to achieve goals in the short term and the long term.

Financial risks

These are the current or future risks that could affect the Company's revenues or reduce the efficiency of operating expenses. One example of this is the volatile nature of the trading commission which constitutes a large proportion of the revenue. Other risks include variation in interest rates, exchange rates and the market value of stocks that may affect the rate of return on investment, in addition to the risks of the main risk mitigation strategies in increasing income, liquidity, investment, insurance and financial analysis. One of the main risk mitigation strategies is to increase non-trading income, in order to mitigate risks arising from market volatility. Financial risks also include risks related to procurement and support services for which a strategy has been developed to limit their potential impacts.


Information security risks

It is the risk arising from technical gaps and threats to the information assets used by the Company that affect the achievement of business objectives. Information security risks include internal and external threats, risks of data privacy and confidentiality, and risks of correctness and availability of information. The Risk and Security Division determines the level of data confidentiality to ensure the effectiveness of tools, procedures and mandatory controls to access it, in addition to evaluating the Company's ability to protect confidential data in the face of all threats arising from any unauthorized disclosure or access.

Business continuity risks

It is the risk that leads to a catastrophic and effective suspension of the Company's operations, which leads to large losses in the technical structure and level of services provided. These risks include infrastructure breakdown, natural disasters, problems faced by logistical support providers, and threats targeting individuals.

The Risk and Security Division determines the requirements for effecting reinforcement of service in the wake of major breakdowns and ensuring the Company's ability to maintain the services provided in a manner that ensures preserving the integrity and credibility of the market and investors. The Division is also working on setting controls and plans to reduce the risks of system or public facilities breakdowns to ensure business continuity in line with the requirements of raising market efficiency.

External risks

This is the potential risk or loss resulting from a number of external factors that shape the surrounding environment and affect the performance and business of the Company such as economic, political, and environmental conditions, and include market members' risks, legal risks, data providers' risks, and the risks of vendors and suppliers.

Major challenges of 2020

Tadawul, as many other entities did, nationally and internationally faced many challenges due to the pandemic. These were either to prevent the operations from being disrupted or to prevent any further impact from the new risks that have arisen. One of the main difficulties was to keep the operations functioning as usual while aiming to prevent the spread of the virus. It was also necessary to keep Tadawul's plans and projects on track while managing the financial and operational risks that could have an impact on the Exchange's operations.

With the emergence of the COVID-19 outbreak every organization had to face unexpected disruption. Our immediate response and resilience were the key to ensuring the business continuity; focusing first on people's safety and then on how to continue operating the market efficiently. The crisis management process was immediately activated to successfully leverage all possible solutions to manage the COVID-19 pandemic.

The COVID-19 Committee was formed to review and monitor the situation and adapt proactively as the crisis evolves. COVID-19 Committee members are three CEOs and six concerned chiefs to ensure the best level of alignment. The Committee is chaired by Tadawul's CEO to ensure that the mitigating actions initiated from the highest level are implemented without any obstacles. The Committee responded to the crisis with both short-term measures and long-term actions to increase resilience against future disruptions and prepare for recovery.

The efforts included, but were not limited to; supporting the market operations' continuity effectively while not compromising people's safety; rapid internal processes and staff communication; compliance with regulations and government instructions; managing the impact of COVID-19 on corporate strategy and financial structure and gradually executing the return to the office with appropriate plans.

The COVID-19 pandemic had a direct and significant potential impact on operational, financial, strategy, technology, cybersecurity, and business continuity risks of the Company which needed to be responded to in a very limited time frame. Tadawul's risk categorization and methodology were already covering pandemic related risks as part of the exogenous risks and disasters family of the business continuity risks. Furthermore, risk and control categorizations and their assessments were revisited with more intense focus leading to sensitive updates on the likelihood and impact ratings. Handling these risks by ensuring timely and appropriately embedded controls was a major challenge.

Fortunately, a very good level of business continuity was assured without any disruption in the critical services as result of the risk management efforts. We were glad to see that there was not even a momentary disruption in the availability of the mission critical systems as the result of the business functions efforts supported by effective risk management activities as a second line.

Major initiatives of 2020

In 2020, the Risk and Security Division;

  • Ensured 24/7 monitoring of pandemic related risks and assured effective controls were embedded in a timely and appropriate manner
  • Provided remote access to all employees in a timely manner and ensured the healthy transition with all the cybersecurity controls in place.
  • Implemented new cybersecurity measures mainly to mitigate the increased exposure resulting from remote working as well as initiation of the new products and services.
  • Proactively contributed to the major initiatives such as Post Trade Technology Program (PTTP) and introduction of Derivatives Market both from pre-trade and post-trade perspective in terms of business continuity, risk management and cybersecurity.
  • Actively managed the business continuity plans of Tadawul and its subsidiaries taking into account appropriate contingency scenarios and also by facilitating appropriate testing and rehearsals to ensure successful deployment.
  • Actively monitored the cybersecurity framework with regular assessments to prevent vulnerabilities.
  • Despite scope limitations caused by the pandemic, effectively completed risk and control self-assessment (RCSA) activities for Tadawul, Edaa, and Muqassa without any disruption in the services.
  • Initiated physical security measures related to controlled and healthy access to the building and other premises.
  • Actively monitored the key risks of the Company and reported them to the Risk Management Committee regularly with intense focus on the emerging risks and their impact.
  • Actively worked collaboratively with the technology provider Nasdaq through regular discussion sessions and reconciliations to align the efforts from a risk management perspective.
  • Actively participated and contributed to World Federation of Exchanges (WFE) committee meetings regarding the most serious risks for the stock exchanges and necessary mitigating actions during the pandemic.
  • Actively contributed to the improvement of Edaa and Muqassa risk functions to ensure the handling of the risks with effective alignment at the enterprise level.
  • Conducted and managed readiness sessions with all the members in terms of PTTP transition and obtained structured feedback from all members in terms of incidents that occurred at their levels.

Governance efforts of 2020

The Enterprise Risk Management (ERM) Framework was reviewed effectively and relevant amendments were made to be aligned with the new products, new projects, and the pandemic situation. Furthermore, regular meetings were held with the technology provider Nasdaq to ensure the harmonization of the risk management efforts with a collaborative approach. Risk Assessment (RA) approach and guidelines were reviewed during the year and new procedures were developed to ensure mitigating of the emerging risks and 2020 requirements in terms of products, projects and governance.

Key Risk Indicator (KRI) guidelines were reviewed and updated to govern the roles, responsibilities and processes related to preparing, calculating, validating, monitoring, and reporting the KRIs. This enabled ensuring an effective process to identify appropriate KRIs and KRI thresholds. Furthermore, in addition to the current Company KRIs, potential KRIs were identified to ensure readiness for timely reacting to the changes in corporate strategy.

Challenges ahead

In the past few years, Tadawul has become a major player in the world through its massive initial public offerings, introducing new products and entering new markets in line with Vision 2030 and the necessities of the competition with the largest stock exchanges. The main challenge that lies ahead for Tadawul will be to ensure the continued success and maturity of these initiatives, thus maintaining the consistency of the sensitive and effective risk management methodology while working to continuously improve it.