Meeting DGA’s regulatory requirements and controls for risk management
Established in 2021, Saudi Arabia’s Digital Government Authority is a qualitative leap towards enhancing digital performance within government agencies, raising the quality of the services they provide and improving customers’ experience with them, in line with the Kingdom’s ambitious Vision 2030.
One of the domains the Digital Government Authority (DGA) monitors and oversees is risk, setting out regulatory requirements around risk management for all government entities in the Kingdom that provide digital services. Three experts from ECOVIS Al Sabti – Arif Siddique, Junaid Ahmed and Wasif Shahzad – outline what these requirements are and how government entities can achieve compliance.
The Risk Management Guidelines
DGA has issued the ‘Risk Management Guidelines for Digital Government’ and the ‘Controls of Risk Management for Digital Government’ to serve as reference and guidance for government entities, helping them comply with the regulatory controls and implement Risk Management initiatives that improve their Risk Management practices.
Who needs to Comply?
All government entities that offer services and products through digital platforms, regardless of their type, size, or nature.
Who is Responsible?
The Steering Committee of each government agency is responsible for ensuring the effectiveness of its Risk Management Program and the extent to which the agency is meeting its defined Risk Management objectives.
Who will Assess?
DGA will assess and measure the extent to which government agencies are committed to applying these regulatory controls in accordance with the mechanism approved by the authority.
When implementing the regulatory requirements, there are five key factors to consider to ensure success and lasting change and compliance:
1) Critical Success Factors
DGA lays down a total of 17 critical success factors that help entities ensure their Risk Management function contributes effectively:
- Integrate Risk Management into all activities
- Make risk-based decisions and prioritize treatment plans
- Enhance transparency
- Empower the Risk Management department
- Ensure leadership commitment
- Activate risk committees
- Organize Risk Management
- Assess internal and external risks
- Develop a Risk Management methodology
- Foster a risk-aware culture
- Engage stakeholders in decision-making
- Advance Risk Management maturity
- Create a framework
- Appoint risk representatives
- Develop programs to raise awareness
- Adopt international standards
- Automate Risk Management processes
2) International Frameworks & Standards
DGA suggests following international standards for Risk Management, specifically mentioning ISO 31000:2018, the COSO ERM Framework, the Australian Standard (AS/NZS 4360:2004), and the Institute of Risk Management standard (IRM:2002).
3) Risk Management Methodology
DGA prescribes Risk Management (RM) methodology as follows:
Building Risk Management
- RM Policy & Governance
- RM Strategy
- Risk Appetite & Tolerance
- RM Framework & Procedures
Risk Assessment & Treatment
- Risk Identification, Assessment, and Analysis
- Risk Treatment
- Review, Monitor, and Follow-up
Training and Improvement
- Training & Awareness
- Monitoring & Improvement
4) Steps for Establishing Risk Management Governance
DGA mentions the following steps to establish Risk Management Governance:
- Understand the entity's mandate and main responsibilities
- Define the Roles and Responsibilities Matrix of the main stakeholders
- Clearly define the scope and objectives of the Risk Management function
- Design Key Performance Indicators (KPIs)
- Adopt an effective reporting and communication mechanism
- Align with the Governance Frameworks of other stakeholders
- Understand the needs and expectations of other stakeholders
5) Specific Risk Management Controls
DGA has listed specific controls that are required for risk management, and has divided these controls into three broad categories:
- 18 Controls for Building the Risk Management Department
- 8 Controls for Risk Assessment and Treatment
- 9 Controls for Risk Management Training and Improvement
Plan of Action
Every government entity that offers products and services through digital platforms is required to initiate its DGA compliance journey immediately, following this roadmap:
- Step 1: Perform a comprehensive Gap Assessment Exercise.
- Step 2: Develop a Mitigation Plan against the identified gaps.
- Step 3: Implement the Mitigation Plans and establish compliant Risk Management within the organization.
- Step 4: Ensure continuous improvement and monitor regulatory changes.
The roadmap above should include, among other things, incorporating the critical success factors specified by DGA into risk management activities, aligning the Risk Management methodology with international standards and frameworks, complying with the prescribed Risk Management methodology, and implementing the specific Risk Management controls mandated by DGA.
Disclaimer: The logos, trademarks, and references used in this article are the property of their respective organizations. Their inclusion is for informational purposes only and does not imply any affiliation, endorsement, or sponsorship by the respective organizations.