Credit risk is defined as the risk of financial loss resulting from the other party to a credit transaction not meeting (or not meeting completely) their financial obligations. Accordingly, the Bank developed various credit risk management policies that encompass all financing programs to ensure the Bank minimizes the overall risk in its credit portfolio and reduces losses incurred by financing activities.

Riyad Bank operates in accordance with a stringent framework of credit policies and procedures, which are reviewed regularly, taking into account latest updates and regulations of SAMA. Credit limits should be set commensurate with the level of risk. Excessive concentration of lending in geographical regions, business activities or economic sectors should be avoided, in both retail and corporate lending. Existing liabilities too need to be evaluated for potential risks of non-payment and tools have been developed for this.

Riyad Bank’s credit rating system conforms to international benchmarks. The Bank, while having its own credit rating system, also incorporates the ratings of external agencies. The process is executed through standardized measurement tools. This provides a comprehensive picture of the Bank asset quality and its distribution on the internal rating table: this in turn enables accurate calculation of the capital adequacy ratio using sophisticated techniques. In addition, it measures the potential for default which is a prerequisite for calculating credit losses in accordance with IFRS 9 accounting standards.

The Bank’s processes are constantly evolving in line with requirements of both local and international regulators. It is a process of continuous improvement. The Bank initially complied with all Basel requirements in measuring the capital adequacy ratio required to cover credit risk according to the standard method (Standardized Approach), which is one of SAMA’s requirements. It then moved to the Internal Credit Risk Assessment Standard (Internal Rating Based/IRB) after successfully upgrading its credit rating models to be in conformance with the requirements of Basel. These models were not simply adopted and used. Instead a process of verification was done through a special system to ascertain their validity and completeness. Subsequently several independent periodic tests were carried out to ensure the reliability of the results of the credit rating models and their quantitative and qualitative aspects.

For the results of the capital adequacy ratio to be accurate the results of the Risk-weighted assets need to be accurate. In a parallel process the Bank put in place the infrastructure necessary to develop and use models for credit decision making by relying on an accurate measurement of the risks and their likely impact. Simultaneously a review of approved risk policies to demonstrate their compliance with credit rating systems was carried out, while applying the Internal Credit Risk Assessment Standard.

The process of assessing credit risk is also based on accounting standards, which is another area where the Bank needs to stay updated. As of the beginning of 2018, Riyad Bank used IFRS 9 as an alternative to IAS 39. Calculating the possibilities of default includes taking both a long term and a short term perspective. The credit rating system was further refined to take this into account. The COVID-19 pandemic with its impact on the macro-economic scenario, both local and global, created an unprecedented situation in credit risk assessment. The Bank developed a statistical model to help with the calculation of the forward-looking component. The model used varied assumptions and scenarios of forecasted macro-economic conditions (locally and internationally) and then adjusted expected credit losses accordingly.

The Bank also adopted the process of calculating default credit risk rates with respect to business rules and controls. The Bank also reviewed the fundamentals of evaluating assets, activity flows and the appropriate governance structure, with appropriate mechanisms, financial and technological, to calculate and approve expected credit losses in accordance with IFRS 9 and the directives of SAMA. These mechanisms have undergone several previous and subsequent quantitative and qualitative tests to verify the new standard to ensure the reliability and accuracy of factors used in calculating the risk of default and credit losses.

The systems and processes referred to above are relevant not only for the corporate sector; they are also relevant for individual financing, including mortgage financing. The Bank also established internal credit evaluation standards pursuant to the frameworks approved by the Board of Directors and in line with the requirements of SAMA, enabling the implementation of the initiatives of the Ministry of Housing and the Real Estate Development Fund. In addition, quantitative models for measuring default and collection rates were used to calculate and approve the expected credit losses in accordance with IFRS 9.

Market risk is the risk of losses resulting from fluctuations in market prices, of relevant instruments such as special commission rates, stock prices, foreign exchange rates, and any changes in the fair value of financial instruments and securities held by the Bank.

Riyad Bank continuously measures and monitors risks pertaining to assets and liabilities resulting from fluctuations in fair values or future cash flows of financial instruments due to changes in market prices. This is achieved using risk structure, limits, and metrics approved by the Board of Directors and monitored by the Market and Liquidity Risk Management Department.

The Bank seeks to achieve the highest level of efficiency in liquidity management, as it is necessary to achieve an appropriate balance in all operations leading to increased profits with potential risks, while maintaining a strong liquidity position to increase customer confidence and improve the cost of funding. Additionally, periodic reports on market and liquidity risks are submitted to the Asset and Liability Management Committee and the Investments Committee. Such reports are then submitted to the Board’s Risk Management Committee.

The Bank adopts the value at risk (VaR) standard, which is a tool to measure and quantify the level of financial risk in a firm or a portfolio. Thereby the Bank can monitor the changes and volatility of market prices and the relationship between these changes to one another as a basic standard for measuring market risks. Moreover, several other advanced standards are used to improve analytical capabilities in managing market risks, including stress tests and analysis of market risk sensitivity.

The Bank continues to enhance its processes and systems to manage market and liquidity risks effectively and to implement the latest regulatory standards as per the requirements of SAMA.

In recent times financial crimes have emerged as a serious threat and challenge to financial institutions and their employees. Riyad Bank realizes the gravity of such crimes and their consequences. Therefore, efforts were made to take preventive measures of a strategic nature to combat and prevent financial crimes, which helped eliminate the prevalence of such crimes to a great extent.

Based on these principles, during 2020, the Bank was keen on incorporating the best international practices to execute its strategy to combat and monitor suspicious transactions, including controls designed to combat embezzlement and financial fraud and monitor bank accounts.

The nature of the risks is dynamic subject to changes in the financial environment, types of crimes, and banking industry technology. Therefore, our strategy is subject to periodic reviews and quick updates. In addition, a risk assessment review is also carried out periodically that encompasses the functions, departments, policies, and procedures for addressing risks of internal and external fraud, and determining the level and nature of those risks. Since they may pose special risks, all new financial products and services are subject to a risk assessment process before they are launched.

Riyad Bank sought to raise employee awareness by launching an awareness program throughout the year to boost commitment to combating financial crimes. The customer and the concerned authorities play an important role in helping the Bank detect fraud. Accordingly, awareness and advertisement campaigns are launched to make customers aware of the types of fraud and how to disclose them.

Maintaining control of risks of this nature requires constant vigilance. The Bank continues to revitalize its supervisory role by receiving all incoming reports, from employees or customers, conducting analysis, examination and urgent evaluation, identifying all violations, identifying causes of accidents and malfunctions and introducing appropriate plans to ensure non-recurrence in the future.

Operational risks are losses resulting from errors or inefficiencies in the implementation of internal operations, failure to follow policies and procedures, or system malfunctions or losses incurred due to extraordinary external events. These risks arise in all activities undertaken by various business divisions and support functions. They may also arise due to risks from third party service providers. The identification and analysis are important factors that help monitor and successfully address them. In addition, these risks change when the Bank’s systems, policies and procedures change.

Riyad Bank has developed well-knit policies and standards, in addition to an analytical methodology to monitor these risks, enhance the capabilities to analyze them, and provide the necessary recommendations to mitigate them or reduce their impact on the Bank's operations. The human factor plays a key role here; training the Bank employees on means of detecting risks and setting up appropriate programs to prevent their occurrence is vital in combating operational risk. Also, the Bank has an integrated risk-based approach that is compatible with Bank’s activities and includes:

1. Identifying operational risks, including emerging risks, by means of improving various tools to manage operational risks.
2. Measuring operational risks using a standardized methodology for risk assessment in cooperation with the second line of defence departments.
3. Evaluating operational risks and their impact on the Bank’s strategic and executive operational objectives.
4. Continuously monitoring the impact of operational risks to ensure that priorities are set in taking the corrective actions necessary to address risks.
5. Submitting periodic reports to the Executive Management and the Operational Risk Management & Compliance Department on important operational risk cases to obtain guidance on corrective action and approvals as needed.
6. Formulating and implementing an annual integrated plan to manage operational risks that takes into account the Internal Control Governance Policy and the annual plans of the Bank’s supervisory authorities.
7. Identifying and sharing leading practices with the management and competent officers in Risk Management Department.
8. Enhancing awareness and knowledge of risks in the Bank.

Riyad Bank continuously strives to identify operational risks by evaluating the ongoing processes and practices, and ensuring this task is performed more effectively by taking preventive and appropriate measures to manage and control these risks in accordance with the best international practices in order to reduce, avoid and hedge potential losses.

Technology risk is one of the key components of the overall risk that is related to the adoption and certification of business technology in the Bank, its users, operations, participation, and its importance on the activities and performance of the Bank. Business technology is considered one of the main operational elements that support the vision and mission of the Bank. Therefore, the Bank pays great attention to this risk, and works to limit it, to know its impact on the business, and to put in place the relevant measures and controls to take appropriate decisions to limit the impact if it occurs, by developing a policy to ensure that the technology risk is managed and handled appropriately. The Bank adopts several practices to effectively analyze and monitor risks through a variety of methods, which include:

• Define and monitor technology risk measures according to the risk tolerance framework.
• Developing the technology risk register at the Bank’s level to be in line with the Bank’s risk register in coordination with the relevant sectors/departments.
• Review points of high technology risks with documenting controls and work mechanisms, identifying potential gaps and recommending proposals for improvement and development.
• Submit an annual risk assessment, control testing and annual verification plan.
• Conduct an assessment of high-risk systems and applications in coordination with the concerned departments.
• Submit periodic reports on the performance of business technology risk activities within the framework of risk tolerance to the relevant committees.

Supervise the review of all relevant technology policies to ensure the application of best practices and compliance with the requirements of SAMA.

The term “cyber and information security risks” refers to risks arising from the possibility of breaching the necessary regulatory, technical and procedural measures put in place to protect the Bank’s information from unauthorized access, disclosure, reproduction, as well as from use, modification, transfer, loss, theft, or misuse thereof in a deliberate and subversive, or accidental manner.

Riyad Bank manages cyber and information security risks through a comprehensive practical framework via which the security governance is applied, practical procedures are organized, and implementation of the regulatory requirements and necessary rules are facilitated. This ensures the protection of the Bank’s information assets and reduces various types of cyber and information security risks. Moreover, cyber and information security legislations issued by the relevant authorities are enforced in addition to the implementation of cyber and information security controls including but not limited to the continuous evaluation and monitoring of information systems for the purpose of identifying security risks and taking the necessary measures and procedures to immediately and promptly mitigate the impact of those risks, and commitment to implementing legislation related to cybersecurity and information security issued by the competent authorities.

Riyad Bank is constantly seeking to design and develop awareness programs to raise awareness of this type of risk for all people dealing with the Bank’s informational assets directly or indirectly, employees, contractors or customers inside and outside the Kingdom.