Risk management policy and control

Tadawul (through its Risk and Security Division) has a systematic and integrated risk structure as well as a consistent risk methodology with all the relevant procedures in place ensuring the Company's preparedness to deal with the emerging risks which can surface instantly and unpredictably.

The Risk and Security Division of the Exchange follows the “Three Lines of Defence” methodology, which is considered the best according to international standards. It also helps to define the responsibilities of each of the general departments in the Company, the Executive Management and the Board Committees accurately and effectively with regard to risks. One of the important roles of the Management is to approve and develop standards and requirements for information security and business continuity for all market members and data providers in proportion to the accompanying and surrounding changes to the market; in addition to raising the level of awareness of risks, security and business continuity in line with changes in the market and the vision of the Company.

The following are the types of risks identified and approved by Tadawul:

Operations risks

Technical risks

Organizational risks

Financial risks

Information security risks

Business continuity risks

External risks

Major challenges of 2020

Tadawul, as many other entities did, nationally and internationally faced many challenges due to the pandemic. These were either to prevent the operations from being disrupted or to prevent any further impact from the new risks that have arisen. One of the main difficulties was to keep the operations functioning as usual while aiming to prevent the spread of the virus. It was also necessary to keep Tadawul's plans and projects on track while managing the financial and operational risks that could have an impact on the Exchange's operations.

With the emergence of the COVID-19 outbreak every organization had to face unexpected disruption. Our immediate response and resilience were the key to ensuring the business continuity; focusing first on people's safety and then on how to continue operating the market efficiently. The crisis management process was immediately activated to successfully leverage all possible solutions to manage the COVID-19 pandemic.

The COVID-19 Committee was formed to review and monitor the situation and adapt proactively as the crisis evolves. COVID-19 Committee members are three CEOs and six concerned chiefs to ensure the best level of alignment. The Committee is chaired by Tadawul's CEO to ensure that the mitigating actions initiated from the highest level are implemented without any obstacles. The Committee responded to the crisis with both short-term measures and long-term actions to increase resilience against future disruptions and prepare for recovery.

The efforts included, but were not limited to; supporting the market operations' continuity effectively while not compromising people's safety; rapid internal processes and staff communication; compliance with regulations and government instructions; managing the impact of COVID-19 on corporate strategy and financial structure and gradually executing the return to the office with appropriate plans.

The COVID-19 pandemic had a direct and significant potential impact on operational, financial, strategy, technology, cybersecurity, and business continuity risks of the Company which needed to be responded to in a very limited time frame. Tadawul's risk categorization and methodology were already covering pandemic related risks as part of the exogenous risks and disasters family of the business continuity risks. Furthermore, risk and control categorizations and their assessments were revisited with more intense focus leading to sensitive updates on the likelihood and impact ratings. Handling these risks by ensuring timely and appropriately embedded controls was a major challenge.

Fortunately, a very good level of business continuity was assured without any disruption in the critical services as result of the risk management efforts. We were glad to see that there was not even a momentary disruption in the availability of the mission critical systems as the result of the business functions efforts supported by effective risk management activities as a second line.

Major initiatives of 2020

In 2020, the Risk and Security Division;

  • Ensured 24/7 monitoring of pandemic related risks and assured effective controls were embedded in a timely and appropriate manner
  • Provided remote access to all employees in a timely manner and ensured the healthy transition with all the cybersecurity controls in place.
  • Implemented new cybersecurity measures mainly to mitigate the increased exposure resulting from remote working as well as initiation of the new products and services.
  • Proactively contributed to the major initiatives such as Post Trade Technology Program (PTTP) and introduction of Derivatives Market both from pre-trade and post-trade perspective in terms of business continuity, risk management and cybersecurity.
  • Actively managed the business continuity plans of Tadawul and its subsidiaries taking into account appropriate contingency scenarios and also by facilitating appropriate testing and rehearsals to ensure successful deployment.
  • Actively monitored the cybersecurity framework with regular assessments to prevent vulnerabilities.
  • Despite scope limitations caused by the pandemic, effectively completed risk and control self-assessment (RCSA) activities for Tadawul, Edaa, and Muqassa without any disruption in the services.
  • Initiated physical security measures related to controlled and healthy access to the building and other premises.
  • Actively monitored the key risks of the Company and reported them to the Risk Management Committee regularly with intense focus on the emerging risks and their impact.
  • Actively worked collaboratively with the technology provider Nasdaq through regular discussion sessions and reconciliations to align the efforts from a risk management perspective.
  • Actively participated and contributed to World Federation of Exchanges (WFE) committee meetings regarding the most serious risks for the stock exchanges and necessary mitigating actions during the pandemic.
  • Actively contributed to the improvement of Edaa and Muqassa risk functions to ensure the handling of the risks with effective alignment at the enterprise level.
  • Conducted and managed readiness sessions with all the members in terms of PTTP transition and obtained structured feedback from all members in terms of incidents that occurred at their levels.

Governance efforts of 2020

The Enterprise Risk Management (ERM) Framework was reviewed effectively and relevant amendments were made to be aligned with the new products, new projects, and the pandemic situation. Furthermore, regular meetings were held with the technology provider Nasdaq to ensure the harmonization of the risk management efforts with a collaborative approach. Risk Assessment (RA) approach and guidelines were reviewed during the year and new procedures were developed to ensure mitigating of the emerging risks and 2020 requirements in terms of products, projects and governance.

Key Risk Indicator (KRI) guidelines were reviewed and updated to govern the roles, responsibilities and processes related to preparing, calculating, validating, monitoring, and reporting the KRIs. This enabled ensuring an effective process to identify appropriate KRIs and KRI thresholds. Furthermore, in addition to the current Company KRIs, potential KRIs were identified to ensure readiness for timely reacting to the changes in corporate strategy.

Challenges ahead

In the past few years, Tadawul has become a major player in the world through its massive initial public offerings, introducing new products and entering new markets in line with Vision 2030 and the necessities of the competition with the largest stock exchanges. The main challenge that lies ahead for Tadawul will be to ensure the continued success and maturity of these initiatives, thus maintaining the consistency of the sensitive and effective risk management methodology while working to continuously improve it.