risk management

Overview

In 2025, the Risk Group continued to strengthen its role in safeguarding the bank’s sustainability, resilience, and profitability by further embedding risk thresholds aligned with the bank’s risk appetite. These thresholds support the timely identification, measurement, monitoring, and management of risks and their potential impact on the bank’s value creation process, enabling informed decision-making and the delivery of sustainable returns to shareholders.

The Risk Group is headed by the Chief Risk Officer and operates within the bank’s enterprise-wide risk policies approved by the Board of Directors. The Group provides comprehensive and independent risk oversight across all of the bank’s activities. Its reporting to the Board and relevant committees covers a broad spectrum of risk types, including but not limited to portfolio asset quality, operational risk, liquidity risk, market risk, Counter Fraud risk, as well as technology, and cybersecurity risks.

The Board Risk Management Committee (BRMC) supports the Board of Directors by overseeing the bank’s risk profile and monitoring performance against the approved risk appetite. As part of its mandate, the Committee reviews emerging risks, including ESG-related risks, in line with regulatory expectations and evolving external developments. ESG considerations are addressed through existing Board governance and risk oversight structures, while the integration of ESG risks into the Enterprise Risk Management (ERM) framework remains under review, pending further regulatory guidance and internal alignment. ESG-related matters are considered by the BRMC on an ad-hoc basis when relevant developments or risk considerations arise. The BRMC operates under a formal charter in accordance with the bank’s Corporate Governance Manual, which incorporates the Principles of Governance for Banks issued by SAMA, the Corporate Governance Regulations issued by the Capital Market Authority, and recognised market best practices.

The bank’s risk management policies remain underpinned by the Internal Capital Adequacy Assessment Process (ICAAP), which articulates the bank’s risk appetite, risk management approach, stress-testing practices, and key risk controls. The ICAAP is reviewed by the BRMC, approved by the Board of Directors, and submitted annually to SAMA. The BRMC concurrently reviews the Internal Liquidity Adequacy Assessment Plan (ILAAP) and provides its recommendations to the Board prior to submission to SAMA. In addition, the BRMC reviews and recommends for Board approval all risk-related policies, including but not limited to the Expected Credit Loss Policy, Operational Risk Policy, Counter Fraud Policy, Market and Liquidity Risk Policies, Cybersecurity Policy, and other relevant risk governance documents, ensuring a comprehensive and consistent approach to risk management across the bank. In addition, the Risk Group has designated the Director of Economic and Strategy Research to actively engage with regulatory authorities and national initiatives, including SAMA-led working groups and industry committees, to monitor regulatory developments and support the future alignment of ESG risk management practices with applicable regulatory guidance and disclosure standards.

At management level, the Risk Management Committee (RMC) continues to play a central role within the bank’s risk governance structure. The Committee oversees the effectiveness of risk management practices across business lines and support functions, monitors emerging and evolving risks, and provides strategic and tactical guidance to management. The RMC reports to the Board Risk Management Committee (BRMC) on key risk matters, developments, and recommendations, supporting effective oversight and timely escalation.

Top risks

The bank reviewed the Top 10 risks and Key Emerging Risks for the year 2025. The objective of the review is to ascertain the factors that will influence the bank’s Risk Profile and to respond appropriately to lessen the impact of emerging risks. In order to assess the top emerging risks and to rank the order of these risks, the bank would use a scorecard-based approach taking into consideration the financial impact of these emerging risk and their likelihood of occurrence. The top 10 risks thus identified based on the scoring approach as listed below:

Emerging risks

In addition to the top 10 risks identified as part of the risk ranking process, the bank viewed the below 5 risk types as the emerging risks for 2025:

Credit risk

To enhance focus, independence, and objectivity in credit decision-making, the bank segregated the Credit Risk function from the broader Risk Management function. The Credit Group is now headed by the Chief Credit Officer and operates within the bank’s Board-approved credit risk framework and policies, overseeing credit risk across the entirety of bank’s operations.

The Credit Group reports to the Board of Directors and relevant Board committees on the bank’s credit risk profile, portfolio performance, and asset quality. The Board Risk Management Committee supports the Board by overseeing credit risk performance against the approved risk appetite. Currently, ESG-related risk considerations are addressed through existing credit and risk governance processes, while dedicated ESG escalation protocols remain under review and are expected to develop as frameworks continue to mature.

The bank operates primarily as a retail-focused institution and credit risk remained the largest risk category during 2025. However, the overall credit risk profile remained comparatively low versus peers, supported by a strong portfolio composition with a significant concentration in public-sector salaried customers with salary assignments and stable employment profiles.

Given the inherent nature of retail portfolios, which comprise a large number of individual borrowers with relatively small exposures but heightened collective default risk, the bank continued to perform detailed reviews of credit applications and comprehensive portfolio monitoring during 2025. These measures supported fair and consistent assessment of borrowers’ repayment capacity and early identification of emerging risks.

A strategic shift in the retail portfolio mix, initiated in December 2021 and continued through 2025, resulted in increased exposure to larger-ticket products such as mortgages. While this introduced higher single-obligor concentration, enhanced portfolio monitoring and feedback mechanisms were implemented to support the Retail Business and Credit Group in deploying appropriate mitigants and controls to manage concentration and credit risk.

This evolution in portfolio composition also led to a reassessment of target customer segments. The Credit Group continued to steer origination away from higher-risk segments where default and delinquency levels exceeded the bank’s risk appetite and toward lower-risk customer groups, particularly high-income salaried customers employed by stable and approved employers.

Throughout the reporting period, the Business, Credit Risk and Compliance functions worked closely to ensure timely implementation of new and amended regulatory requirements issued during 2025, ensuring continued compliance with applicable laws and supervisory expectations.

The acceleration of digital banking introduced additional credit risk considerations at the customer acquisition stage. These risks were mitigated through a phased implementation approach, ensuring adherence to approved risk acceptance criteria and involving key stakeholders in the design and rollout of digital credit journeys.

Targeted strategies were executed to reduce delinquency inflows into late buckets, address system and logic gaps affecting default identification and strengthen collections effectiveness. A comprehensive retail default-management ecosystem was established, supported by a dedicated task force overseeing legal and recovery actions.

The bank also accelerated growth in non-retail segments and revamped its Wholesale Credit Policy to support expansion into preferred and targeted industries. This included growth in MSME financing and selective expansion of Private Banking lending, aligned with the bank’s approved credit risk appetite.

A strengthened portfolio monitoring framework was implemented across non-retail portfolios, including enhancements to internal rating models to automate creditworthiness assessments using tailored quantitative and qualitative factors, particularly for MSMEs. The bank is also automating its Early Warning System to proactively identify emerging weaknesses and enable timely remedial action through relationship teams or the Special Assets Management Unit.

As a result of these initiatives, non-performing loans within the non-retail portfolio remained stable during the reporting period despite strong year-on-year portfolio growth.

In 2025, continued automation and enhancements to policies and control frameworks resulted in a significant reduction in processing errors and improved turnaround times across all credit segments. With all credit decisions expected to be executed through the bank’s unified credit decision engines, error rates are projected to decline further toward an ambitious zero-error target following full phased implementation by 2026.

Concentration risk

The bank’s geographically diversified presence and broad customer base contribute to portfolio stability and mitigates concentration risk by providing greater stability against the impact of any material external development.

During 2025 the Corporate Banking portfolio remained well diversified across emerging business segments, industries and exposure sizes. Concentration levels were actively monitored by the Credit Group against Board approved risk appetite limits, with regular reporting to senior management and relevant governance committees.

The Retail portfolio also remained diversified across customer segments, products and income profiles. As inflationary pressures posed potential affordability risks for lower income customers, the bank implemented targeted portfolio management and customer support measures, providing multiple options especially across its growing mortgage portfolio.

Liquidity risk

During the year in review, alrajhi bank continued

to strengthen its liquidity risk management framework, ensuring robust controls and monitoring systems are in place. The bank’s proactive liquidity management has maintained a solid liquidity position to pay off its obligations when they become due by a diversified funding mix and strong balance sheet. This has been achieved by exploring and introducing new funding solutions such as certificate of deposits, syndicated Murabaha, senior unsecured sukuk and other funding tools. The bank plans to continue enhancing its liquidity management strategies for balance sheet optimisation and to remain well-positioned to meet future challenges and opportunities.

Market risk

Alrajhi bank ensures maintaining a robust market risk framework complying with Basel regulatory requirements. The bank has clearly defined policies, procedures and limits to identify, measure, monitor, and control market risks arising from its trading and banking activities. Market risk exposures are actively monitored on an ongoing basis using quantitative metrics and limits with regular reporting enabling timely identification of potential vulnerabilities. Through this disciplined approach, alrajhi bank ensures prudent management of market risks while supporting sustainable business growth.

Operational risk

alrajhi bank reviews and updates its Operational Risk Management Policy on an annual basis to ensure ongoing alignment with the latest Basel standards and SAMA regulatory requirements, and to effectively govern all material aspects of operational risk management in a structured, consistent, and forward-looking manner.

As part of its continued enhancement of Operational Risk Management practices, the bank accelerated the digital transformation of key operational risk tools and activities. This included the automation and integration of Risk Control and Self-Assessments (RCSA), Key Risk Indicator (KRI) monitoring and reporting, operational loss event logging and Root Cause Analysis (RCA), action plan tracking, new products and services risk assessments, risk register maintenance, and enterprise-level operational risk reporting. These enhancements support improved data quality, timeliness, and management oversight.

The bank remains committed to proactively strengthening its control environment and improving operational efficiency through increased reliance on technology and data-driven risk management. This is complemented by ongoing efforts to enhance risk awareness and control ownership across the bank through targeted communication, training programmes, and continuous engagement.

To ensure that all Operational Risks aspects are effectively managed, Operational Risk champions have been designated across all departments and business units. These champions work in close collaboration with the Operational Risk Management Department to support execution, monitoring, and issue escalation. Oversight of material operational risk matters is provided by the Group Operational Risk Committee (GORC).

The bank’s operational risk profile, including emerging risks and key trends, is regularly reported to Senior Management and the Board Risk Management Committee. This ensures informed decision-making, effective challenge, and a robust operational risk governance structure across all levels of alrajhi bank.

Fraud risk

Fraud Risk is the likelihood that an individual or organisation will intentionally deceive others for personal or financial gain, potentially causing financial, reputational, or legal harm. alrajhi bank’s Counter Fraud strategic approach is to ensure comprehensive coverage of fraud trends both internally and externally, enabling the bank to proactively protect its customers and its business operations.

As part of the rapid growth in fraud trends and fraudster techniques, the Counter Fraud Department has dedicated its full efforts and resources to ensure the following:

• Enabling a culture of awareness of counter fraud risks and fraudulent techniques for both our

• customers and the bank’s business areas;
• Minimising fraud losses by utilising cutting edge technologies, techniques, and conducting deep analysis of transactions to identify unknown or suspected fraud trends and threats;
• Engaging counter fraud professionals to ensure a clear baseline is developed and implemented in order to further enable the Kingdom’s 2030 Vision;
• Engaging with law enforcement to ensure criminal activity is apprehended and that both customer and bank losses are recovered.
• Establishing awareness of the international, regional, and local fraud landscape to gain insight on international trends and techniques ahead of time; and
• Further developing alrajhi bank’s counter fraud resources by conducting both technical and non-technical training to allow for enhanced fraud detection internally and externally, and clear view of the fraud trends and techniques.

Cybersecurity risk

In 2025, the continued acceleration of digital transformation, along with the increasing interconnectivity across financial ecosystems, further expanded the cybersecurity threat landscape. In response, alrajhi bank continued to operate a comprehensive and resilient cybersecurity framework that integrates preventive, detective, and incident response capabilities to proactively mitigate, detect, and respond to evolving cyber threats.

As part of its cybersecurity strategy, alrajhi bank has defined a set of forward-looking strategic initiatives aligned with its business and technology ambitions. These initiatives focus on open banking enablement, third-party cybersecurity risk management, cloud computing security, cybersecurity technology optimisation, and the secure adoption of artificial intelligence. Implementation of these initiatives is planned over the next three years and is designed to enhance cybersecurity maturity while maintaining a robust security posture, governance model, and risk tolerance currently in place.

To sustain a strong cybersecurity posture, alrajhi bank continued to apply advanced, multi-layered cybersecurity principles and controls. The bank adheres to the highest cybersecurity standards and regulatory requirements issued by the National Cybersecurity Authority (NCA), SAMA, CMA, and other relevant regulatory bodies. This ensures effective governance and the ongoing protection of the confidentiality, integrity, and availability of customer data, as well as critical business and technology processes.

In addition, the bank engages independent internal and external auditors to assess the effectiveness of cybersecurity controls and verify compliance with national and international standards, including PCI DSS, SAMA, SWIFT, SARIE, and NCA requirements. The bank’s 24/7 cybersecurity operations centre provides continuous monitoring and rapid response to cyber threats, reinforcing operational resilience and incident readiness. To date, no cybersecurity-related failures or material operational impacts have been recorded.

The Bank remains committed to fostering a strong cybersecurity culture through targeted training and awareness programmes for both employees and customers. These initiatives are designed to enhance awareness of evolving cyber threats and promote best practices to reduce cyber risk exposure. Ongoing cybersecurity assessments are conducted across systems, applications, and networks to maintain the resilience, reliability, and security of the Bank’s services. Cyber risk oversight operates under a coordinated model, with the Risk Department responsible for governance, risk oversight, and reporting frameworks, while IT Security manages the implementation, monitoring, and day-to-day operation of cybersecurity controls, supported by regular reporting to senior management.

Trust remains central to the bank’s relationships with customers and stakeholders. This trust is underpinned by robust safeguards that protect sensitive financial information, preserve customer privacy, and ensure the integrity of financial transactions. In 2025, alrajhi bank continued to strengthen its cybersecurity frameworks, advance strategic initiatives, and comply with evolving regulatory requirements, reaffirming its commitment to maintaining a secure, resilient, and trustworthy operating environment.

Information Technology (IT) Risk

In 2025, the accelerating pace of digital transformation, combined with increasing geopolitical, regulatory, and technological complexity, has further elevated technology risk as a board-level priority for Saudi and global financial institutions. As reliance on cloud computing, artificial intelligence, open banking ecosystems, advanced data analytics, and third-party digital platforms continues to deepen, financial institutions face a broader and more interconnected risk landscape.

With alrajhi bank and its group entities continuing to modernise core banking platforms, expand digital channels, adopt AI-enabled capabilities, and strengthen ecosystem integrations, the nature and scale of technology risks in 2025 evolved beyond traditional boundaries. These risks now include heightened cyber threats driven by AI-enabled attacks, supply-chain compromises, cloud service disruptions, data privacy and sovereignty challenges, and technology resilience risks linked to complex system interdependencies. At the same time, regulatory expectations have intensified, increasing the potential impact of compliance failures and supervisory findings.

Collectively, these risks carry material implications for business continuity, financial stability, regulatory standing, and customer trust, especially in an environment where service availability, data integrity, and digital trust are critical differentiators.

alrajhi bank’s overarching objective in managing IT risks is to proactively maintain a resilient, secure, and trustworthy technology ecosystem that supports sustainable growth. This is achieved through a holistic IT risk management strategy that balances resilience, agility, regulatory compliance, and business enablement, while remaining aligned with the bank’s strategic priorities. This approach increasingly emphasises proactive risk identification, forward-looking risk assessments, scenario-based resilience testing, and continuous monitoring of emerging technology risks. By positioning technology as a strategic enabler rather than solely an operational function, the bank strengthens operational efficiency, supports innovation, and enhances competitiveness in a rapidly evolving financial landscape.

A culture of continuous improvement remains central, ensuring that lessons learned from incidents, audits, regulatory feedback, and industry events are systematically embedded into the IT risk framework, strengthening the bank’s preparedness for future challenges.

Credit rating

alrajhi bank has solidified its reputation among international rating agencies by consistently achieving stable to positive credit ratings for the current year:

It’s worth to highlight Fitch Ratings has upgraded alrajhi bank’s Long-Term Issuer Default Ratings (IDRs) to ‘A’ from ‘A-’ with a Stable Outlook. Fitch has also upgraded the Short-Term IDR to ‘F1’ from ‘F2’ and affirmed the bank’s Viability Rating (VR) at ‘a-’.

The upgrade reflects Fitch’s view of alrajhi bank’s higher systemic importance than domestic peers, resulting in an upgrade of the bank’s Government Support Rating (GSR) to ‘a’ from ‘a-’.

Fitch has also upgraded alrajhi bank’s senior unsecured sukuk and Tier 2 sukuk following the upgrade of the IDRs.

Furthermore, Fitch assigned a Long-Term IDR (xgs) of ‘A-’ and Short-Term IDR (xgs) of ‘F2’ as alrajhi bank’s IDRs would be lower if assumptions of government support were excluded.

The bank’s National Rating reflects its creditworthiness relative to other Saudi Arabian issuers, such as: