Risk Register01

The document outlines a comprehensive risk register that categorizes various risks into categories and subcategories, detailing their exposure rates, treatment strategies, and control effectiveness. It includes a risk matrix to assess inherent risks and provides strategies for risk treatment such as reduction, avoidance, transfer, and acceptance. Additionally, it emphasizes the importance of control measures and monitoring to manage risks effectively within different departments.

Restricted- Internal

16-Jul-25
Risk Register

Contents
1 Risk Category & Subcategory (RC&S)
2 Risk Exposure Rate (RER)
3 Risk Treatment Strategy (RTS)
4 Control Rating (CR)
5 Codes & Definitions (C&D)
6 Risk Register Dashboard (RDB)
7 Enterprise Risk Register
8 Departments Risk Register

Risk Category & Subcategory (RC&S)

Risk Category
1 Credit Risk
2 Operational Risk
3 Market Risk
4 Liquidity Risk
5 Reputational Risk
6 Regulatory Risks
7 Strategic Risk

Risk Subcategory
1 Default Risks
2 Concentration Risks
3 Collection Risk
4 Interest Rate Risk
5 Commodity Risk
6 Equity Risk
7 Cash availability Risk
8 Mismatch Risk
9 Cashflow Risk
10 Repayment Risk
11 Securitization Risks
12 Covenant Risk
13 Non compliance Risk
14 Regulatory change Risks
15 Non Approval Risks
16 General IT Risks
17 Cyber Security Risk
18 System Obsolescence Risk
19 Project Risk
20 Business Continuity Risk
21 Innovation Risk
22 Procurement Risk
23 Resource Risk
24 Turnover Risk
25 Compensation Risk
26 Training Risk
27 Competency Risk
28 Marketing Risk
29 Negative publicity Risk
30 Other Risk

Risk Exposure Rate (RER)

Risk Exposure Rate = Impact * Likelihood

Impact: the potential consequences or effects of a risk event on objectives.
Likelihood: the chance of something happening.

Risk Matrix
Risk Exposure Rate Matrix = Inherent risk
Inherent risk refers to the level of risk that exists in the absence of any controls or mitigation efforts; it represents the natural level of risk before any actions are taken to manage it.
Impact Criteria

Level 1 - Insignificant
  Financial Impact: No Financial Loss
  Operational Impact: Delays and inefficiencies in the Company's non-critical functioning, operations and processes.
  Reputational Impact: No negative publicity or damage to the Company's reputation.

Level 2 - Minor
  Financial Impact: Below SAR 10,000
  Operational Impact: 1- Petty fraud or theft of the Company's property; 2- Attempts of cyberattack; 3- Incident resulting in minor injury to staff or member of public.
  Reputational Impact: Little or no negative publicity or damage to the Company's reputation at the Company's employee level.

Level 3 - Significant
  Financial Impact: Equal to or more than SAR 10,000 but less than SAR 25,000
  Operational Impact: 1- [...] value external fraud, bribery or cyber-attack; 2- Incident resulting in major injury to staff or member of public, high employee attrition or high number of disciplinary actions; 3- Inability to perform critical processes and functions and inability to provide support services, and key systems not available.
  Reputational Impact: Limited negative damage to the Company's reputation with few external stakeholders.

Level 4 - Severe
  Financial Impact: Equal to or more than SAR 10,000 but less than SAR 50,000
  Operational Impact: 1- High value or widespread and systematic internal or external fraud or cyber-attack; 2- Incident (such as fire) resulting in death or incapacitation of staff or member of public; 3- Inability to perform critical processes and core functions and inability to provide key support services, and systems not available for an extended period.
  Reputational Impact: Negative publicity and damage to the Company's reputation at local level.

Level 5 - Catastrophic
  Financial Impact: Equal to or more than SAR 50,000
  Operational Impact: Total halt of operation.
  Reputational Impact: Widespread negative publicity and damage to the Company's reputation at a global and national level resulting in inquiries from the [...]

Likelihood Criteria

Level 1 - Rare: Not likely to happen over at least the next 2 years.
Level 2 - Unlikely: Likely occurrence of 1 event every 2 years.
Level 3 - Possible: Likely occurrence of 1 event every 1 year.
Level 4 - Likely: Likely occurrence of 1 event every 6 months.
Level 5 - Almost Certain: Likely occurrence of 1 event every quarter.

Risk Matrix (Impact rating x Likelihood rating)

                          Likelihood
Impact            Rare  Unlikely  Possible  Likely  Almost Certain
Rating              1       2        3        4           5
Insignificant  1    1       2        3        4           5
Minor          2    2       4        6        8          10
Significant    3    3       6        9       12          15
Severe         4    4       8       12       16          20
Catastrophic   5    5      10       15       20          25

Risk Exposure Rate

Inherent Risk Level (Score Range): Criteria

Low Risk (1-2): Exposure does not have a major impact on the department in which the risk falls, but should be addressed in due course.

Moderate Risk (3-4): Exposure has an impact that is limited to the department in which the risk is identified and is containable by the department risk owner.

Significant Risk (5-9): Exposure is unlikely to have a major impact on the department in which this risk falls, but should be addressed as soon as possible.

High Risk (10-15): Key exposure has the potential of a major impact on the department or the company in which this risk falls and should be resolved immediately. This risk will be reported to senior management and may be reported to the risk committee.

Extreme Risk (16-25): Key exposure has the potential of a major impact on the department or the company and should be resolved immediately. This risk will be reported to the risk committee.

Risk Treatment Strategy (RTS)

Risk-reward analysis helps determine whether to implement mitigation measures or accept a risk by comparing the potential benefits against the costs and impact of the risk.

Risk Treatment: Definition

Reduce/Mitigate: Seeks to reduce the probability and/or impact of a risk's threat to below an acceptable threshold.

Avoid: Involves changing the project plan to eliminate the risk threat or to protect the project objectives from [...]

Transfer: Allocates all ownership of a risk threat to another party who is best able to minimize the impact and/or [...] of the risk.

Accept: Indicates that the Taajeer team has decided not to change the project plan to deal with a risk, or is unable to identify any other suitable response strategy. It should be noted that mitigation or transference is not necessary for all risks, particularly those with a small severity rating. Judgment must be used as to whether a more rigorous (and costly) response should be implemented.

Control Rating (CR)

Control effectiveness measures how well risk management controls reduce risk to acceptable levels. It assesses the efficiency and adequacy of these controls in addressing identified risks.
Residual risk is the level of risk that remains after controls and mitigation measures have been implemented.
Residual risk = Inherent Risk − Impact of Controls

Control Effectiveness Rating

Adequate

Excellent (9-10)
  Definition: Systems and processes exist to manage the risk and management accountability is assigned. The systems are well documented and the system is effective in mitigating the risk.
  Characteristics:
  • Effectiveness of controls is formally reviewed and monitored by responsible management on a regular basis.
  • In ALL instances the control is: 1. Effective 2. Communicated 3. Documented 4. Understood or owned 5. Cost effective or 6. Monitored

Good (7-8)
  Definition: Systems and processes exist which manage the risk. Some improvement opportunities have been identified but not yet actioned.
  Characteristics:
  • Risk response management action plans are identified and management ensures that controls are operating as defined, although there is no formal measurement of the effectiveness of controls.
  • Management actively promotes a strong control environment.
  • In MOST instances the control is: 1. Effective 2. Communicated 3. Documented 4. Understood or owned 5. Cost effective or 6. Monitored

Satisfactory (5-6)
  Definition: Systems and processes exist to manage the risk. Recent changes in operations require confirmation that accountabilities are in place and understood and that the risk is being actively managed.
  Characteristics:
  • Promotion of the control environment is informal. Risk management action plans are informal.
  • The control is GENERALLY: 1. Effective 2. Communicated 3. Documented 4. Understood or owned 5. Cost effective or 6. Monitored

Inadequate

Weak (3-4)
  Definition: The system and process for managing the risk has been subject to major change or is in the process of being implemented and its effectiveness cannot be confirmed.
  Characteristics:
  • Staff are not fully aware of nor understand controls to manage risk.
  • The control is RARELY: 1. Effective 2. Communicated 3. Documented 4. Understood or owned 5. Cost effective or 6. Monitored

Unsatisfactory (1-2)
  Definition: No system or process exists to manage the risk. Controls do not exist or else are ineffective.
  Characteristics:
  • No controls exist to manage risks or else they are ineffective.
  • No clear ownership for managing the risk.
  • The control is NOT: 1. Effective 2. Communicated 3. Documented 4. Understood or owned 5. Cost effective or 6. Monitored
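The scoring scheme above, as an added worked example that is not part of the register workbook: it computes the matrix score, bands it, applies the control rating and returns the reporting line the register names for the resulting band. It assumes that residual risk is the inherent score minus the numeric control-effectiveness rating (the dashboard sample row, 25 with Good 7 giving 18, behaves this way) and floors a residual below 1 to 1; the function and constant names are my own.

```python
# Added illustration of the register's scoring scheme; not the workbook's own
# formulas. Assumptions: residual = inherent score - control-effectiveness
# rating (as the dashboard sample row 25 / Good 7 / 18 implies), floored at 1.

IMPACT = {"Insignificant": 1, "Minor": 2, "Significant": 3, "Severe": 4, "Catastrophic": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}

# Inherent/residual risk bands: upper bound of each score range on the page.
BANDS = [(2, "Low Risk"), (4, "Moderate Risk"), (9, "Significant Risk"),
         (15, "High Risk"), (25, "Extreme Risk")]

# Control-effectiveness ratings: upper bound of each score range (0 = no Control).
CONTROL_RATINGS = [(0, "no Control"), (2, "Unsatisfactory"), (4, "Weak"),
                   (6, "Satisfactory"), (8, "Good"), (10, "Excellent")]

# Reporting lines the register states for the High and Extreme bands.
ESCALATION = {"High Risk": "senior management (may be reported to risk committee)",
              "Extreme Risk": "risk committee"}


def exposure_rate(impact: str, likelihood: str) -> int:
    """Risk Exposure Rate = Impact * Likelihood: one cell of the 5x5 matrix."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def risk_band(score: int) -> str:
    """Map a 1-25 matrix score to the register's risk level."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} is outside the 1-25 matrix")


def control_label(rating: int) -> str:
    """Map a 0-10 control-effectiveness score to its rating label."""
    for upper, name in CONTROL_RATINGS:
        if rating <= upper:
            return name
    raise ValueError(f"control rating {rating} is outside 0-10")


def assess(impact: str, likelihood: str, control_rating: int) -> dict:
    """Fill the calculated dashboard columns for one register row."""
    inherent = exposure_rate(impact, likelihood)
    residual = max(1, inherent - control_rating)   # floor at 1 is an assumption
    residual_band = risk_band(residual)
    return {"inherent": inherent, "inherent_band": risk_band(inherent),
            "control": control_label(control_rating),
            "residual": residual, "residual_band": residual_band,
            # None when the register names no reporting line for that band
            "report_to": ESCALATION.get(residual_band)}
```

Note that with this arithmetic a Catastrophic x Almost Certain risk stays Extreme even under Good controls, so the response strategy and KRI columns still matter after the control rating is applied.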
Codes & Definitions (C&D)

Risk Category: Code
Credit Risk: CR
Operational Risk: OPS
Market Risk: MAR
Liquidity Risk: LR
Reputational Risk: REP
Regulatory Risks: REG
Strategic Risk: STG

Department | Department Manager | Risk Champion
Finance Department
Human Resources Department
Credit Department
Customer care Department
Cyber Security Department
Information Technology Department
Operations Department
Retail Sales Unit
SME Sales Unit
Collection Unit
Used and Insurance Unit
Customer service Unit
Marketing Unit
Business Continuity Unit
Audit Department
Compliance Department
Risk Register Dashboard (RDB)

Column groups: Risk Identification | Risk Assessment | Risk Monitor

Columns: Ref. | Initiate Date | Business Unit | Risk Category | Risk Subcategory | Risk Description | Risk Trigger | Likelihood | Impact | Inherent Risk | Mitigation Plan | Control Description | Control Effectiveness | Residual Risk | Response Strategy | KRI | Status | Review Frequency | Tracking Comments

Field types: Ref. is a unique code; Initiate Date is a date; Business Unit, Risk Category and Risk Subcategory are drop lists; Risk Description and Risk Trigger are text; Likelihood and Impact are drop lists; Inherent Risk is a calculation with a calculation-based level; Mitigation Plan and Control Description are text; Control Effectiveness is a drop list; Residual Risk is a calculation with a calculation-based level; Response Strategy, KRI, Status and Review Frequency are drop lists; Tracking Comments is text.

Sample calculated row: Likelihood 5, Impact 5, Inherent Risk 25 (Extreme Risk), Control Effectiveness 7 (Good), Residual Risk 18 (Extreme Risk).

Column guidance:
Risk Description - Purpose: Provides a detailed explanation of the risk itself. Focus: What the risk is and its potential impact. Example: "Data breach leading to loss of sensitive customer information."
Risk Trigger - Purpose: Identifies events or conditions that could initiate the risk. Focus: What might cause the risk to occur. Example: "Unauthorized access to the database."
Mitigation Plan - Purpose: Actions to reduce the likelihood or impact of a risk. Focus: Proactive measures to manage the risk. Example: Implementing training programs to reduce human error.
Control Description - Purpose: Details existing controls that help manage or monitor risks. Focus: Current systems or processes in place. Example: Regular audits, security systems, or automated alerts.
Tracking Comments - Remarks about the risk.

Drop-list values:
Business Unit: Finance Department; Human Resources Department; Credit Department; Customer care Department; Cyber Security Department; Information Technology Department; Operations Department; Retail Sales Unit; SME Sales Unit; Collection Unit; Used and Insurance Unit; Customer service Unit; Marketing Unit; Business Continuity Unit; Audit Department; Compliance Department
Risk Main Category: Credit Risk; Operational Risk; Market Risk; Liquidity Risk; Reputational Risk; Regulatory Risks; Strategic Risk
Risk Subcategory: Default Risks; Concentration Risks; Collection Risk; Interest Rate Risk; Commodity Risk; Equity Risk; Cash availability Risk; Mismatch Risk; Cashflow Risk; Repayment Risk; Securitization Risks; Covenant Risk; Non compliance Risk; Regulatory change Risks; Non Approval Risks; General IT Risks; Cyber Security Risk; System Obsolescence Risk; [...]
Likelihood and Impact: 1; 2; 3; 4; 5
Inherent Risk and Residual Risk: Low Risk; Moderate Risk; Significant Risk; High Risk; Extreme Risk
Control Effectiveness: 0 (no Control); 1 to 10, rated Excellent (9-10), Good (7-8), Satisfactory (5-6), Weak (3-4), Unsatisfactory (1-2)
Response Strategy: Reduce/Mitigate; Avoid; Transfer; Accept
KRI: Yes; No
Status: Open; Closed; In progress
Review Frequency: Monthly; Quarterly; Semiannually; Annually