GRI 2-24

 

In 2023, the Risk Group continued to establish risk thresholds derived from the Bank’s risk appetite, accurately identifying risks and their impact on the Bank’s value creation process, and managing such risks with prudence and pragmatism in order to remain profitable and provide shareholders with sustainable returns.

The Risk Group is headed by the Chief Risk Officer, and functions within the Bank’s risk framework and policies approved by the Board of Directors to manage risk across the entirety of the Bank’s operations. The Group’s reporting scope to the Board and related committees spans credit risks and portfolio asset quality, operational risks, liquidity risks, market risks, reputational risks, and technology and cybersecurity risks, among others.

Al Rajhi Bank’s Board Risk Management Committee (BRMC) supports the Board of Directors in their role of overseeing the Bank’s performance in line with its risk appetite. The BRMC Charter is updated as per the Bank’s Corporate Governance Manual, which applies the Principles of Governance for Banks issued by SAMA as well as the Corporate Governance Regulations issued by the Capital Market Authority, alongside market best practices.

The Bank’s risk management framework is covered by the Bank’s Internal Capital Adequacy Assessment Process (ICAAP), and details the Bank’s risk appetite, risk management approach and primary risk controls. The ICAAP is submitted to SAMA on an annual basis following its review by the BRMC and approval by the Board. The BRMC then reviews and provides recommendations to the Board on the Internal Liquidity Adequacy Assessment Plan (ILAAP), which is also submitted to SAMA on an annual basis. The BRMC also reviews the Credit and Provisioning Policy, Operational Risk Policies, Risk Appetite Statements, Market and Liquidity Risk Policies, Cyber Security Policy and other risk related policies, submitting recommendations for the Board’s approval.

The Asset and Liability Committee (ALCO) in its advanced role as a steering committee for the Primary Dealership Committee (PDC) and Valuation Accounting Committee (VALCOM), continued to provide oversight on related activities, decisions and recommendations of PDC/VALCOM during the reporting period.

Types of risk

By the nature of its operation, Al Rajhi Bank is exposed to a number of conventional risks, which it manages through a robust risk management framework. Various other external and internal factors also affect the Bank’s risk profile on an ongoing basis, with the Risk Group identifying emerging risks and uncertainties with potential to increase the unpredictability of the operating environment. Aside from the conventional risks, cyber risk and financial crime continued to be the top concerns of the Risk Group during the reporting period.

Credit risk

Operating primarily as a Retail bank providing credit facilities to customers on-balance sheet and off-balance sheet, credit risk remained the largest and most common risk source for Al Rajhi Bank in 2023. However, given the solid nature of its portfolio, which has a bigger concentration of public sector customers with salary assignment, the credit risk also remained lowest among its peers during the reporting period.

Because a retail portfolio comprising a large number of individual customers with small loans can hurt the Bank in the event of collective default, Al Rajhi Bank continued to conduct regular data integrity and portfolio monitoring in 2023, providing fair evaluation of individual borrowers and their capacity to repay the Bank.

A change in the retail portfolio mix, initiated in December 2021 and continued into 2023, saw a shift toward big-ticket loans such as mortgages, which posed a higher risk concentration per customer. Regular portfolio monitoring was conducted to build feedback loops and help the retail business and Risk Group implement effective mitigants and controls to minimise impacts.

This also led to a re-evaluation of the Bank’s target markets, with the Risk Group shifting focus from high-risk segments where defaults and delinquency rates are higher than the Bank’s risk appetite, towards low risk groups by targeting the higher income, salary aligned segment with stable employers.

The business verticals along with Risk and Compliance Groups worked together throughout the reporting period to ensure prompt compliance of all new and altered regulations and governing rules issued during 2023.

Accelerated digital banking posed credit risk from a customer acquisition perspective during the reporting period, which the Bank addressed by adopting a phased approach to manage credit risk at origination level, and ensure compliance of approved risk acceptance criteria. Stakeholders were consulted in the conceptualisation and implementation of the digitization process.

Al Rajhi Bank revamped its credit policy to serve the growth in non-retail business, aligning its risk appetite to expand into preferred and targeted industries under its corporate business. The Bank integrated a Loan Origination System (LOS) and revamped its rating models to automate the evaluation of customer credit worthiness using unique quantitative and qualitative criteria, alerting the Bank of any changes in the counterparty’s credit risk profile. The Early Warning System (EWS) model geared to detect any weaknesses in the quality of portfolios was utilised to enable the Bank to proactively engage appropriate remedial measures through relationship teams or the Special Assets Management Unit to rectify any credit risk issues.

These actions resulted in non-performing loans (NPL) of the non-retail portfolio being contained at the same level during the reporting period, despite significant year-on-year portfolio growth. The Bank has developed a vigorous portfolio monitoring mechanism by proactively managing its portfolio delinquencies, which enabled corporate banking to reduce the number of past due obligations and Expired Credit Applications (ECA) well below expected risk appetite thresholds.

Different strategies were executed to ensure lower inflows going to late buckets, and address issues related to systems and logic to assess genuine defaults and find solutions. The Bank also introduced a full ecosystem to manage any potential default in the retail book, supported by a task force to oversee all related legal cases.

2023 saw a significantly reduced error rate and improved turnaround time through continued automation as well as policy and control function enhancements. With all credit decisions to be executed via the Bank’s credit decision engine, the error rate is expected to be further reduced towards an ambitious zero error rate once the phased implementation is completed by 2024.

Liquidity risk

During the year under review, Al Rajhi Bank continued to strengthen its liquidity risk management framework, ensuring robust controls and monitoring systems are in place. The Bank’s proactive liquidity management has maintained a solid liquidity position, underpinned by a diversified funding mix and strong balance sheet. This has been achieved by exploring and introducing new funding solutions such as syndicated Murabaha, senior unsecured Sukuk and other funding tools. The Bank plans to continue enhancing its liquidity management strategies for balance sheet optimisation and to remain well-positioned to meet future challenges and opportunities.

Operational risk

Al Rajhi Bank reviews its Operational Risk Management Policy annually, in order to adhere to the new Basel and SAMA requirements to govern all significant aspects of operational risk management in a systematic and consistent manner. To further enhance the performance of its Enterprise Operational Risk Management System, the automation of a number of operational risk tools and activities was carried out during 2023: Risk Control and Self-Assessment (RCSA), reporting and monitoring of Key Risk Indicators (KRI), incident logging and Root Cause Analysis (RCA), action plans logging and monitoring, new products and services risk assessment, risk register maintenance as well as risk reporting.

The Bank is committed to strengthening its control environment and improving its operating platform efficiencies proactively, increasing reliance on the use of technology, and improving the Bank’s collective knowledge and awareness of risk controls through various communication channels and training sessions.

To ensure a robust and consistent approach, operational risk coordinators have been assigned from all departments of the Bank and are responsible for implementation of the framework in coordination with the Operational Risk Management Department. The Group Operational Risk Management Committee (GORC) monitors and oversees operational risk issues.

The Bank’s operational risk profile is regularly shared with Senior Management and the Board Risk Management Committee, which ensures a robust and consistent approach to operational risk management at all levels of the Organisation.

Market risk

In 2023, Al Rajhi Bank continued to enhance its risk measurements and reporting system to ensure compliance within a rapidly evolving regulatory landscape. The Bank most notably complied with recent Basel regulatory requirements and successfully implemented the new Fundamental Review of the Trading Book (FRTB) framework for minimum capital requirement of market risk. This included defining policies and procedures to establish clear boundaries between the Trading and Banking books.

Concentration risk

The Bank’s geographical diversity and loyal patronage of its varied customer base mitigates concentration risk by providing greater stability in the face of external impacts. In 2023, corporate banking enjoyed the advantage of a well-diversified portfolio across different emerging business segments, industries and wallet sizes, despite rising interest rates that may have impacted customer debt servicing capabilities. The Bank reviewed certain predefined financial parameters across its entire portfolio in order to assess rate hike impacts, and adopted a detailed action plan to resolve such a situation.

The Retail portfolio, too, remained highly diversified. The Bank proactively created an ecosystem to support low-income segments whose disposable income may be affected by higher inflation, providing multiple options especially across its growing mortgage portfolio, which the Risk Group continued to monitor closely.

Cybersecurity risk

The rapid pace of digitalisation continued to expand the threat landscape in 2023, paving the way for a consequential increase in cybersecurity risks. Al Rajhi Bank currently employs multiple dynamic defences with a variety of preventive, detective, and incident response measures to proactively combat, detect, and address arising cybersecurity threats.

To ensure the effectiveness of its overall cybersecurity posture, Al Rajhi Bank introduced a number of advanced cybersecurity measures, by applying multi-layered cybersecurity principles. Compliance with the highest cybersecurity standards including those issued by the National Cybersecurity Authority (NCA), SAMA, CMA, and other regulatory bodies, has strengthened the Bank’s current cybersecurity governance practices to ensure the confidentiality, integrity, and privacy of all customer information as well as business and technology processes.

Furthermore, the Bank is continuously improving its cybersecurity culture by implementing various training and awareness initiatives for both customers and employees to enhance their understanding of the cyberthreat landscape and guide them on ways to minimise their exposure to cyberthreats. To ensure the reliability and security of all business services, the Bank also continuously conducts cybersecurity assessments of its systems, applications, and networks.

Additionally, the Bank regularly engages its independent Internal and External Auditors to confirm the efficacy of the cybersecurity controls and assurance over compliance with national and international standards, including the Payment Card Industry Data Security Standard (PCI DSS), SAMA, SWIFT, SARIE, and the NCA. Furthermore, the Bank’s cyber security operations centre works on a 24/7 basis to continuously monitor and promptly respond to cybersecurity threats and attacks. By employing advanced cybersecurity measures, the Bank has demonstrated resilience against cyberattacks, with no cybersecurity-related failures or operational impacts to date.

Fraud risk

Fraud risk is the likelihood that an individual or organisation will intentionally deceive others for personal or financial gain, potentially causing financial, reputational, or legal harm. Given its continuous compliance with SAMA’s Counter Fraud Framework, Al Rajhi Bank’s counter fraud strategic approach is to ensure comprehensive coverage at Group level, enabling the Bank to proactively protect its customers and its business operations.

As part of the rapid growth in fraud trends and fraudster techniques, the Counter Fraud Department has dedicated its full efforts and resources to ensure the following:

  • Enable a culture of awareness of counter fraud risks and fraudulent techniques for both our customers and the Bank’s business areas;
  • Minimise fraud losses by utilising cutting edge technologies, techniques, and conducting deep analysis of transactions to identify unknown or suspected fraud trends and threats;
  • Engage counter fraud professionals to ensure a clear baseline is developed and implemented in order to further enable the Kingdom’s 2030 Vision;
  • Establish awareness of the international fraud landscape to gain insight on international trends and techniques ahead of time; and
  • Further develop Al Rajhi Bank’s counter fraud resources by conducting both technical and non-technical training to allow for enhanced fraud vision internally and externally, and clear view of the international market fraud trends and techniques.

Information technology risk

In the dynamic landscape of Saudi and global financial institutions, technology risks have evolved to become a critical focal point as the dependence on various technologies has become highly pervasive, which necessitates the adoption of a highly comprehensive approach to managing IT risks. As the Bank and its group members increasingly develop and integrate with advanced technologies to transform their operations, the spectrum of potential risks broadens, encompassing a variety of events with unintended impacts. These include sophisticated cyber-attacks, systemic failures, data breaches and compliance lapses, each carrying significant implications for business continuity, customer trust, and financial stability. Therefore, effectively managing technology risks in financial institutions is a complex yet essential endeavour. It requires a balanced approach that emphasises resilience, trust, agility, and the enablement of business, while ensuring that these institutions can not only navigate the challenges of the rapidly evolving technological landscape but also capitalise on its opportunities.

The primary goal in managing IT risks within Al Rajhi Bank is not merely to address these threats reactively but to proactively establish a resilient and trustworthy IT ecosystem. This involves a multifaceted strategy that ensures continuous agility and integration of processes while aligning them with the Bank’s broader business objectives and regulatory requirements. By doing so, the Bank can leverage technology not only as a tool for operational efficiency but also as a strategic asset that drives innovation and competitive advantage. The concept of resilience extends beyond mere technical robustness. It encompasses the ability to anticipate, prepare for, respond to, and adapt to both gradual changes and sudden disruptions in the technological landscape. This resilience is underpinned by a culture of continuous improvement and learning, where lessons from past incidents inform future risk mitigation strategies. Hence, trust as a foundation for the Bank’s customer relationships, operations, and services is based on its own safeguards set around sensitive financial data, protection of customer privacy, and assurance of the integrity of financial transactions.

In 2023, the Bank continued to employ robust cybersecurity frameworks, regular audits, and compliance with evolving regulatory standards to ensure the maintenance of a highly trustworthy environment for both customers and Bank employees.

Emerging risks

Apart from the conventional risks inherent in financial intermediation, a number of emerging risks were identified during the reporting period based on internal assessments and external market trends.

| Emerging risk type | Description |
| --- | --- |
| Cyber risk and financial crime | Financial crime and fraud are increasing as online activity intensifies |
| Funding risk | Net interest margin (NIM) compression due to higher interest rates if the Bank needs to tap the market due to lack of diversification of funding sources and deficiencies in funding plans. |
| Credit risk | Financings booked in 2020 to 2022 will start to season in 2023 and 2024 including exposures to higher risk segments such as lower income and NST mortgage, as well as SME lending. In addition, accelerating growth in Emkan and Malaysia may further increase the credit risk profile of the Group. |
| Business digitalisation risk and change management | Inadequacy of selection of digital enablers for the Bank’s digital agenda such as cloud computing, AI, and block chain, in the context of business objectives. |
| Disaster Recovery and Business Continuity Management (DR/BCM) | Given the increasing reliance on subsidiaries Tanfeeth and Neoleap with less mature DR/BCM capabilities, the Bank may not have the ability to respond immediately to disruptive events such as man-made, natural disasters or health emergencies that can affect the normal course of business. |
| Fixed long-term assets risk | Unanticipated change in market interest rates leading to an opposite change in the value of a mortgage. |
| Data Governance and Privacy | Inadequate data governance and private security procedures would limit the ability to acquire, store, transform, move, and use data assets. Banks should effectively address long-lasting deficiencies and have adequate and efficient risk data aggregation and reporting frameworks in place in order to support efficient steering by management bodies and to address supervisors’ expectations, including in times of crisis. |
| Talent risk | Organisation’s succession challenges and ability to attract and retain top talent in a tightening talent market may limit ability to achieve operational targets. |
| Regulatory changes risk | As implementation of Basel regimes continues, which will lead to tighter numerator and risk-weighted asset (RWA) requirements, tightening of prudential rules emanating from macro-prudential or financial stability concerns remains, e.g. LTV, and concentration and sector caps. |
| Macroeconomic risk | Global and domestic market conditions including inflationary pressures would reduce customer demand and restrict growth opportunities leading to lower non-oil activity and lower oil revenues. Global Supply Chain Pressures and World Commodity Prices would pressure even more consumers’ purchasing power and companies’ capacity to repay their debts. |

Credit rating

Al Rajhi Bank continued to strengthen its repute among international rating agencies by receiving stable to positive credit ratings for the year under review:

| Rating agency | Rating (Long term) | Short term | Outlook |
| --- | --- | --- | --- |
| Standard and Poor | A- | A-2 | STABLE |
| Moody’s | A1 | P-1 | STABLE |
| Fitch | A- | F2 | STABLE |

 

Future outlook

With certain key risks expected to intensify during 2024, Al Rajhi Bank has all possible mitigating actions in place to overcome any potential challenges, and maintains a steady outlook for the next fiscal year. This resilience is largely due to solid capitalisation, improved profitability, and sound asset quality. Regulatory frameworks are also expected to be further enhanced during the next three years, including compliance with Environmental, Social, and Governance (ESG) standards and climate risk management frameworks following the conclusion of the UN Climate Change Conference COP28 in December 2023.
