Interestingly, only three of the top seven risks identified featured in last year’s report, indicating that the perceived risks for directors and officers have changed quite significantly over the past year. This is, perhaps, reflective of the dynamic legal and regulatory environment in the region, as the individual countries (in particular, the UAE and KSA) are undergoing a period of significant legal reform linked to local government visions to attract foreign investment.
The results of the survey demonstrate an increased focus on the ‘S’ and ‘G’ in ‘ESG’, with four of the top five risks being related to these categories of risk: Systems and Controls, Breach of Human Rights, Health and Safety and Supplier Business Practices. Notably, the ‘E’, which featured in the top seven risks last year (climate change), has not made the cut this year.
The ranking of Systems and Controls at number two is likely to reflect the significant legal reforms and regulatory changes that are being introduced thick and fast, including in respect of corporate governance. For example, the UAE has introduced several significant changes to the Corporate Governance Code in recent years, aiming to enhance transparency, accountability, and overall corporate governance standards within the UAE. These include, for the first time, female representation on the Boards of both public and private companies. There is also a steady increase in the number of cases against directors and officers for poor governance, most recently in Oman in June 2024, where the former directors of a cement company were ordered to pay USD 130M in compensation.
The health and safety ranking is likely to be directly linked to the significant volume of construction work being carried out across the region. Whilst there have been no recent significant legislative changes relating to this area, health and safety protection is a high risk to businesses as well as to individuals as, depending on the circumstances, the liability for any employee accident in the workplace can rest with the individual who ‘caused’ the accident. This can sometimes include the injured employee for their failures to follow safety instructions and may also extend to the injured employee’s direct supervisor or health, safety and environment (HSE) officer (which can often be a director or officer of the organisation) for failure to implement safe work processes. As there is no concept of corporate liability, prosecution for health and safety breaches can lead to both financial penalties and/or criminal prosecution for D&Os. This may also, in part, explain Human Rights being ranked at number 3 for the Middle East as, otherwise, there have been no significant legislative changes which would heighten the risk for D&Os.
Supplier business practices has moved from the seventh to the fifth risk. The increased concern is likely to relate to the continuing increase in customer demand across the region resulting from the ambitious government visions to attract foreign investment, and the ongoing geopolitical tensions which continue to cause supply chain disruption.
In relation to cyber-related risks, whilst data loss has moved to the number one concern, artificial intelligence, which was an outlier in last year’s report, and cyber attack no longer appear as top seven concerns at all. The latter is particularly surprising given the cyber threat landscape in the region and the fact that the Middle East reportedly has the second highest average cost per data breach globally (second only to the US).
However, it is unsurprising that data loss is listed as the number one risk by directors and officers in the Middle East. Data protection has come into sharp focus recently as the Gulf Cooperation Council (GCC) countries are at varying stages of implementing standalone personal data protection laws for the first time or modernising current laws to align with international standards, in particular with the EU General Data Protection Regulation. Historically, the data protection and privacy laws have been limited and spread across a patchwork of different legislation, with next to no enforcement. This means that organisations are now having to act quickly to ensure compliance and have become more aware of the risks involving data. We suspect that whilst cyber attack is not listed in the top seven this year, it is still a key concern and overlaps with the data loss category since the two often go hand in hand.
Regulatory breach was not flagged as a top seven risk by directors and officers in the Middle East last year. However, it now appears at number seven. This is consistent with the increase in regulatory enforcement action across the region, though it appears to be a lower concern for directors and officers in the Middle East than in other jurisdictions. This is likely to be a product of the fact that the onshore regulators have historically been relatively hands-off. However, over the past year they have started to ramp up their activities and adopt a more proactive approach to enforcement, particularly in the area of anti-money laundering and sanctions, which is connected with the UAE’s successful exit from the FATF grey list in February 2024. We are expecting this upwards trajectory of regulatory investigations and related claims to continue.