Rule 5: Establishing Sound Risk Management and Internal Control Systems
The board believes in understanding and analyzing the nature and size of risks faced by the company's activities, as well as sustainability risks (environmental, social, and governance) to minimize them as much as possible, identify appropriate actions to address them, and determine internal or external factors causing such risks. This understanding and analysis should be in line with the company's strategies and policies, especially its risk appetite, and the concept that proper risk management requires effective internal control systems that monitor the accuracy of financial data, operational efficiency, and compliance with regulatory controls.
The company has established a permanent risk committee, issuing regulations under the name "Executive and Risk Committee Regulations," prepared according to the CMA's Corporate Governance Regulations. These regulations clarify the appointment process, responsibilities, meeting protocols, legal quorum, and procedures for the committee's work.
The committee's responsibilities include:
- Reviewing operational plans, capital plans, and five-year business plans.
- Reviewing the company's environmental, health, and safety performance and compliance with related regulations.
- Establishing and maintaining technical and performance standards for water, wastewater, seawater cooling, and electricity sectors, and monitoring compliance.
- Setting and maintaining customer service standards, reviewing, and adjusting them as necessary.
- Approving and proposing amendments to technical systems.
- Reviewing and approving or recommending capital projects according to the authorized delegation.
- Monitoring the progress and implementation of capital projects.
- Developing a comprehensive risk management strategy and policies suitable for the company's activities, continuously reviewing the company's effectiveness in managing its risk systems, ensuring implementation, and updating based on internal and external changes.
- Determining an acceptable level of risk for the company, maintaining it, and ensuring the company does not exceed it.
- Overseeing the company's risk management system, evaluating the effectiveness of identifying, measuring, and monitoring risks, and identifying deficiencies.
- Periodically reassessing the company's risk tolerance (e.g., through stress testing).
- Ensuring sufficient resources and systems for risk management.
- Verifying the independence of risk management employees from activities that may expose the company to risks.
- Ensuring risk management employees understand the company's risks and promoting risk awareness.
- Reviewing the organizational structure of risk management and making recommendations before board approval.
- Reviewing issues raised by the audit committee that may affect the company's risk management.
- Preparing detailed reports on risk exposure and proposed management steps and submitting them to the board.
- Advising and making recommendations to the board on the risk management framework (including policies and procedures at the company level).
- Reviewing and approving information to be included in the annual report regarding risk management.