Risk Management at the Board Level

Governance Responsibility, Control Tools, and the Strategic Risk Framework

جدول المحتويات

First: Introduction

Risks are not enemies of business but constant companions to every strategic decision. Every investment opportunity, every expansion, every operational decision, carries within it probabilities of success and failure. The difference between successful and failed companies is not in the absence of risks but in how to manage them. Successful companies do not avoid risks — they understand them, assess them, and make conscious decisions about them. The board of directors, as the highest governance authority, bears ultimate responsibility for risk management.

In the Saudi system, risk management has become an explicit regulatory requirement, especially in regulated sectors such as banking and insurance. The Corporate Governance Regulations require the board to oversee the risk management system, and large companies typically form an independent risk committee. This regulatory development reflects advanced awareness of the importance of risks in corporate governance. This article reviews the board’s role in risk management, its tools, types of risks, risk appetite, control tools, and best practices.

💡 Key Insight

Risk management is not avoiding risks but making conscious decisions about them. A company exposed to no risks is a company that does not grow. A company exposed to risks exceeding its capacity is a company that collapses. The required balance: risks proportionate to opportunities, accurately calculated, and linked to the company’s capacity to bear and manage them.

Second: Risk Management Concept

1. Definition of Risks

Risks are the probability of events occurring that affect a company’s ability to achieve its objectives. These events may be:

Negative: Events harming objectives (reputational damage, financial losses).
Positive: Opportunities exceeding expectations (unexpected growth, investment opportunities).
Tangible: Visible and measurable events.
Intangible: Events affecting culture or reputation.

2. Risk Management Components

2.1 Risk Identification

Comprehensive inventory of potential risks.
Classifying by type.
Updating periodically.
Openness to emerging risks.

2.2 Risk Assessment

Probability of occurrence.
Severity of impact.
Speed of development.
Risk interdependence.

2.3 Risk Response

Avoidance: Not entering the activity.
Mitigation: Reducing probability or impact.
Transfer: To insurance or other parties.
Acceptance: Consciously bearing the risks.

2.4 Monitoring and Follow-up

Performance indicators for risks.
Periodic reports.
Reviewing responses.
Updating assessments.

Third: Board Responsibility in Risk Management

1. Ultimate Responsibility

The board bears ultimate responsibility for risk management:

Approving the risk management framework.
Determining risk appetite.
Overseeing implementation.
Receiving periodic reports.
Intervening when needed.

2. Difference Between Board and Management Roles

Responsibility	Board	Executive Management
Setting framework	Approves	Drafts
Risk appetite	Determines	Proposes
Policies	Approves	Drafts
Structure	Approves	Implements
Daily assessment	Oversees	Executes
Reports	Receives	Prepares and presents
Corrective actions	Approves	Executes
External communication	Oversees	Executes

3. Board Charter and Risk Management

The board charter must clearly specify:

Board responsibility for risk management.
Existence of risk committee (in large companies).
Communication with executive risk management.
Engaging external experts when needed.
Report frequency.

Fourth: Risk Committee

1. When Formed

Risk committee is mandatory in:

Banks and insurance companies.
Large listed companies.
Companies in regulated sectors.

In other companies, may be optional or merged with audit committee.

2. Committee Composition

Non-executive members only.
Independent majority.
Independent chair.
Risk management expert.
3-5 members typically.

3. Committee Duties

Proposing risk management framework.
Proposing risk appetite.
Reviewing major risk register.
Overseeing risk management function.
Reports to the board.
Communication with external and internal auditors.

4. Coordination with Other Committees

Audit Committee: On financial risks.
Governance Committee: On regulatory risks.
Nominations Committee: On human resource risks.
Board as a Whole: On major strategic risks.

Fifth: Types of Risks

1. Strategic Risks

Risks affecting achievement of strategic objectives:

Wrong strategy.
Competitive challenges.
Changing market conditions.
Technological transformation.
Social and demographic transformation.

2. Financial Risks

2.1 Market Risks

Interest rate fluctuations.
Exchange rate fluctuations.
Commodity price fluctuations.
Stock price fluctuations.

2.2 Credit Risks

Customer default.
Credit concentration.
Weak collateral.
Deterioration of parties’ credit standing.

2.3 Liquidity Risks

Cash shortage to fund operations.
Inability to meet obligations.
Weak access to financing.
Concentration of financing sources.

3. Operational Risks

Risks from procedures and systems:

Human errors.
System failures.
Internal and external fraud.
Business interruption.
Supply chains.
Natural disasters.

4. Compliance and Adherence Risks

Violating regulations and laws.
Fines and penalties.
License withdrawal.

5. Reputational Risks

Negative media coverage.
Loss of customer trust.
Major incidents.
Inappropriate leader statements.
Accumulating errors.

6. Cyber Risks

System breaches.
Data theft.
Ransomware attacks.
Social engineering.
Sensitive information leakage.

7. Emerging Risks

7.1 Environmental and Climate Risks

Climate change.
Extreme weather events.
Environmental legislation.
Investor pressure on ESG.

7.2 Geopolitical Risks

Regional tensions.
Changing government policies.
Trade wars.

7.3 Emerging Technological Risks

Artificial intelligence.
Digital currencies.
Quantum computing.
Other emerging technologies.

Sixth: Risk Appetite

1. Risk Appetite Definition

Risk Appetite is the amount of risk a company is prepared to accept in pursuit of its objectives. It is a strategic document specifying:

Types of risks accepted.
Levels of risks accepted.
Unacceptable risks.
Flexibility in risk-bearing.

2. Appetite Statement Components

2.1 General Principles

Strategy alignment.
Company core values.
Shareholder expectations.
Regulatory obligations.

2.2 Quantitative Limits

Maximum annual losses.
Maximum profit volatility.
Capital ratios.
Concentration limits.
Liquidity rates.

2.3 Qualitative Limits

No acceptance of any legal violation.
No acceptance of material reputational damage.
No acceptance of material cyber risks.
Commitment to ESG standards.

3. Setting the Appetite

Setting appetite is board responsibility supported by management:

Management proposes based on studies.
Risk committee reviews.
Board discusses and approves.
Annual review or upon major changes.

4. Appetite Application

Distributing limits to departments.
Monitoring each department’s compliance.
Reports of deviations.
Corrective actions.
Linking to compensation.

📌 Note

The risk appetite statement is not a rigid document. It evolves with the company’s evolution, the market, and circumstances. A company in a growth phase may accept higher risks than a company in a sustainability phase. A company in crisis may temporarily lower its appetite. Periodic review is necessary, and flexibility in application is an advantage.

Seventh: Enterprise Risk Management (ERM) Framework

1. ERM Concept

Enterprise Risk Management is a comprehensive approach to managing all types of risks in an integrated manner, not in isolation from each other. Its advantages:

Holistic view of all risks.
Linking risks to strategy.
Using unified tools.
Clear accountability.
Risk culture throughout the company.

2. ERM Standards

2.1 COSO ERM Framework

The most globally common framework, including:

Governance and culture.
Strategy and objective-setting.
Review and revision.
Information, communication, and reporting.

2.2 ISO 31000

International standard for risk management, providing:

Risk management principles.
Applicable to all organizations.

3. Three Lines of Defense

A well-established model in risk management:

Line	Responsible	Role
First Line	Operational departments	Daily risk handling
Second Line	Risk management and compliance	Oversight and guidance
Third Line	Internal audit	Independent assurance

4. Distinct Roles

4.1 First Line

Operational departments face risks daily.
Apply basic controls.
Identify emerging risks.
Inform risk management.

4.2 Second Line

Risk management develops methodologies.
Compliance monitors regulatory adherence.
Risk manager reports to the board.
Guiding operational departments.

4.3 Third Line

Internal audit assesses system effectiveness.
Provides independent assurance to the board.
Separate reports to audit committee.
Complete independence from management.

Eighth: Control Tools

1. Risk Register

The basic tool in risk management:

Comprehensive list of all identified risks.
Assessment for each risk (probability and impact).
Response to each risk.
Responsible for each risk.
Indicators and limits.
Periodic update.

2. Risk Map

Visual display of risks on two axes:

Probability of occurrence.
Severity of impact.
Different colors for levels.
Easy to understand for the board.
Shows priorities.

3. Key Risk Indicators (KRIs)

Early warning indicators, including:

Financial Indicators: Liquidity, debt, profitability ratios.
Operational Indicators: Defect rate, delay, incidents.
Market Indicators: Price fluctuations, market share.
Technical Indicators: Hacking attempts, downtime periods.
Reputational Indicators: Media coverage, customer satisfaction.

4. Stress Tests

Applying negative scenarios to test the company’s capacity:

Pessimistic economic scenarios.
Sudden market shocks.
Failure of essential systems.
Major reputational crises.
Natural disasters.

5. Scenario Analysis

Multiple scenarios (optimistic, base, pessimistic).
Estimating impact in each scenario.
Response planning.
Periodic update.

6. Crisis Response Plans

Specific plans for each type of crisis.
Crisis management team.
Communication protocols.
Periodic testing.
Update based on lessons learned.

Ninth: Risk Culture

1. Importance of Culture

The best systems do not succeed in a culture that does not support them. Risk culture:

Awareness of risk importance.
Willingness to report.
Learning from mistakes.
Respect for controls.

2. Building Culture

2.1 From the Top

Visible commitment from board and management.
Role model in handling risks.
Continuous discourse on importance.
Allocating sufficient resources.

2.2 At All Levels

Training for all employees.
Linking risks to responsibilities.
Encouraging reporting.
Protecting whistleblowers.

2.3 In Systems

Linking compensation to risk management.
Performance evaluation includes risks.
Promotions consider risks.
Penalties for transgressors.

Tenth: Risk Reports to the Board

1. Periodic Reports

1.1 Quarterly Report

Summary of risk status.
Indicator development.
Deviations from appetite.
Emerging risks.
Actions taken.

1.2 Annual Report

Comprehensive analysis of all risks.
Framework development.
Appetite review.
Stress tests.
Priorities for coming year.

2. Exceptional Reports

Material events upon occurrence.
Limit violations.
Negative results of stress tests.

3. Disclosure to Shareholders

In annual report, disclosure of:

Risk management methodology.
Major risks.
Actions taken.
Stress tests (in regulated sectors).
Governance structure.

Eleventh: Common Challenges

1. Cultural Challenge

Difficulty building risk culture:

Employee resistance.
Considering risk management a burden.
Focus on growth at expense of risks.
Weak reporting from first lines.

2. Cognitive Challenge

Board difficulty understanding risk complexities:

Need for specialized members.
Regular training.
Simplifying reports without losing depth.
Engaging external experts.

3. Technical Challenge

Technology creates new risks rapidly:

Difficulty keeping pace with development.
Shortage of specialized cadres.
Cost of technical solutions.
Balance between speed and security.

4. Balance Challenge

Balance between risks and opportunities:

No excess in risk avoidance (weakens growth).
No negligence in risk acceptance (threatens sustainability).
Balance in every decision.
Constant dialogue in the board.

Twelfth: Best Practices

1. At the Governance Level

Independent Risk Committee: In large companies.
Clear Charter: For the board and committee.
Documented Appetite: For risks.
Regular Reports: Quarterly and annual.
Annual Review: Of the framework.

2. At the Operational Level

Integrated ERM Framework: Per COSO or ISO.
Updated Risk Register:
Warning Indicators: For each major risk.
Response Plans: For crises.
Stress Tests:

3. At the Cultural Level

Commitment from the Top: Visible and continuous.
Comprehensive Training: For all levels.
Encouraging Reporting: With whistleblower protection.
Linking with Compensation: And performance evaluation.
Learning from Mistakes: Without accusations.

4. At the Disclosure Level

Transparency to Shareholders: In annual report.
Immediate Updates: For material events.
Communication with Regulatory Authorities: In regulated sectors.
Communication with External Auditor:

Conclusion

Risk management at the board level is not an additional function but a pillar of sound governance. A board that does not understand its company’s risk system is a board leading in darkness. A board that understands risks, defines its appetite for them, oversees their management, and intervenes when needed, is a board effectively protecting its company and shareholders. This responsibility is heavy but essential.

Saudi companies today, with the evolving regulatory framework and accelerating challenges, face a necessity not choice in developing their risk management system. Investing in an independent risk committee, integrated ERM framework, advanced information systems, and entrenched risk culture, is an investment that pays dividends in protecting the company from crises and enabling it to seize opportunities. A board managing risks wisely is a board building a company capable of survival and prosperity in a world that does not stop transforming.

🎯 Essential Points to Remember

(1) Risks are constant companions to every decision, and what is required is managing not avoiding them. (2) The board bears ultimate responsibility for risk management. (3) Risk committee mandatory in regulated sectors, optional in others. (4) Risk types: strategic, financial, operational, compliance, reputational, cyber, emerging. (5) Risk appetite defines what the company accepts and what it rejects. (6) ERM framework manages all risks in an integrated manner. (7) Three lines of defense: operational, risk management, internal audit. (8) Control tools: risk register, risk map, indicators, stress tests, response plans. (9) Risk culture built from the top, spreads at all levels, entrenched in systems. (10) Periodic and exceptional reports to board, with appropriate disclosure to shareholders.

Frequently Asked Questions

What is the board's responsibility in risk management in Saudi Arabia and when is a risk committee mandatory?

The board bears ultimate responsibility for the entire risk management system across five functions: approving the risk management framework, determining the risk appetite, overseeing implementation by executive management, receiving and reviewing periodic reports, and intervening directly when risks exceed approved limits. The board's role is distinct from management's — the board approves while management drafts and executes, the board determines risk appetite while management proposes it, and the board receives reports while management prepares and presents them. The risk committee is mandatory in banks, insurance companies, all large listed companies, and any company operating in a regulated sector. In other companies it may be optional or merged with the audit committee. When formed, the committee must consist exclusively of non-executive members with an independent majority, an independent chair, and at least one member with specialized risk management expertise, typically three to five members in total. Its core functions are proposing the risk management framework and risk appetite for board approval, reviewing the major risk register, overseeing the executive risk management function, reporting to the full board, and coordinating with the external and internal auditors on risk matters.

What is risk appetite and how is it defined and applied in Saudi listed companies?

Risk appetite is a strategic document defining the amount of risk the company is prepared to accept in pursuit of its objectives, covering what risks are acceptable, at what levels, what is categorically unacceptable, and how much flexibility exists. It consists of three layers. General principles aligning the appetite with company strategy, core values, shareholder expectations, and regulatory obligations. Quantitative limits setting ceilings on annual losses, profit volatility thresholds, minimum capital ratios, concentration limits, and liquidity rates. Qualitative limits establishing absolute prohibitions such as no acceptance of any legal violation, no material reputational damage, no material cyber risks, and commitment to ESG standards. The setting process begins with management preparing a proposal based on analytical studies, which the risk committee reviews and refines, and the full board then discusses and approves. The document is reviewed annually and immediately whenever major changes occur in company strategy, market conditions, or financial position. Application involves distributing the limits across business units, monitoring each unit's compliance, reporting deviations promptly, implementing corrective actions, and in some companies linking adherence to compensation structures. The risk appetite statement is not a rigid document — a company in a growth phase accepts higher risks than one in a sustainability phase, and temporary reduction during a crisis is both appropriate and expected.

What are the three lines of defense in risk management and what control tools does the board rely on?

The three lines of defense model provides the structural foundation for risk oversight. The first line consists of operational departments that face risks daily, apply basic controls, identify emerging risks, and report to the risk management function. The second line consists of the risk management and compliance functions that develop risk methodologies, monitor regulatory adherence, guide operational departments, and report directly to the board through the risk manager. The third line consists of the internal audit function which operates with complete independence from management, assesses the effectiveness of the entire risk system, and provides independent assurance directly to the audit committee and board. The board relies on six control tools to exercise its oversight. The risk register lists every identified risk with probability and impact assessments, assigned response, named responsible owner, and indicators. The risk map provides a visual display plotting risks on probability-versus-impact axes showing priorities clearly. Key risk indicators provide early warning signals across financial, operational, market, technical, and reputational dimensions. Stress tests apply pessimistic scenarios to test the company's resilience to economic shocks, system failures, and major crises. Scenario analysis compares optimistic, base, and pessimistic cases with response planning for each. Crisis response plans specify pre-prepared actions, a named crisis management team, and communication protocols tested periodically.

References and Sources

Saudi Companies Law (Royal Decree M/132).
Corporate Governance Regulations issued by the Capital Market Authority.
Saudi Central Bank (SAMA) Risk Management Regulations.
COSO Enterprise Risk Management Framework.
ISO 31000 — Risk Management Guidelines.
Basel III — Banking Risk Management.
ICGN Global Governance Principles — Risk Oversight.
OECD Principles — Board Role in Risk Management.
Three Lines of Defense Model — Institute of Internal Auditors.
Deloitte / PwC / KPMG — Risk Management Reports.

Planning the Effective Meeting

Planning the Effective Meeting Defining Objective, Participants, Time, and Expected Outcomes First: Introduction Meetings are the most time-consuming activity for executives and board members. Recent studies indicate that executives spend 23 hours weekly in meetings, many of which are

June 22, 2026

Disclosure of Committee Activities

Disclosure of Committee Activities Annual Report Sections, Transparency Levels, and Regulatory Requirements First: Introduction Committees may operate behind closed doors during the year, but their activities must be transparent to shareholders, regulators, and the broader market. Disclosure of committee activities

June 17, 2026

Committee Performance Evaluation

Committee Performance Evaluation Methodologies, Indicators, Tools, and Continuous Improvement First: Introduction Board committees, as the specialized arm of the board, deserve separate and structured evaluation of their performance. Evaluating committees as part of the overall board evaluation is insufficient —

June 17, 2026