A Complete Guide to Risk Management in Saudi Arabia
Risk management in Saudi Arabia is operating in a regulatory environment of rising sophistication and consequence.
The Saudi Central Bank's supervision of the Kingdom's financial sector has been formally assessed by the International Monetary Fund through its 2024 Financial Sector Assessment Program, which evaluated SAMA's observance of the Basel Core Principles for Effective Banking Supervision and identified both the genuine strengths of SAMA's regulatory framework — its robust capital requirements, its active onsite inspection programme, and its strong prudential ratios across the sector — and areas for continued development, particularly around qualitative risk culture assessment and the management of concentration risk in Vision 2030-related exposures.
The banking sector's total assets reached SAR 4,494 billion at the end of 2024, materially exceeding the 2025 target of SAR 3,515 billion, confirming the extraordinary pace of credit expansion that Vision 2030's development programme is generating and the risk management demands that accompany it.
Alongside Basel compliance, SAMA levied over SAR 20 million in penalties across more than fifty cybersecurity violations in 2025 alone — signalling an enforcement posture that is moving from guidance-based to consequence-based with a directness that concentrates the mind of every risk professional working within SAMA-regulated institutions.
Model Risk Management guidelines are expected from SAMA in the near term, reflecting the growing complexity and digitisation of Saudi banking. IFRS 9's expected credit loss framework is reshaping provisioning practices. And the Personal Data Protection Law, fully enforceable from September 2024, has created a new axis of operational risk compliance that did not exist at scale two years ago.
For risk professionals who develop the technical expertise, regulatory fluency, and Islamic finance risk literacy that the Saudi market demands, the career opportunity is genuine, the compensation is among the highest in the region on a tax-free basis, and the institutional significance of the work — protecting a financial system whose stability underpins the retirement savings, deposits, and insurance of thirty-six million people — is real and growing.
The Saudi Central Bank and its regulatory architecture
SAMA is the primary prudential and conduct regulator for Saudi Arabia's banking, insurance, finance company, and payment services sectors. Its supervisory mandate is comprehensive — covering capital adequacy, liquidity, credit risk, market risk, operational resilience, governance, remuneration, and AML/CFT compliance — and its regulatory framework is built on the Basel Core Principles for Effective Banking Supervision, adapted to the specific characteristics of the Saudi banking system.
SAMA's onsite inspection programme is among the most active in the Gulf, with regular examinations of each supervised institution that assess both quantitative compliance with regulatory ratios and qualitative governance practices.
The IMF's 2024 FSAP assessment found that SAMA's inspections were thorough and useful at the compliance level and recommended extending them to more systematically assess qualitative dimensions such as overall risk culture. This recommendation shapes the current trajectory of SAMA's supervisory approach — risk professionals at major Saudi banks can expect increasing regulatory attention to how risk culture is embedded in business practices, not merely whether risk frameworks are technically compliant with prescribed standards.
The Capital Market Authority's risk oversight extends across securities firms, asset managers, and listed company governance, creating a dual-regulator environment for institutions that conduct both banking and capital markets activities. The CMA's strategic plan for 2024-2026 emphasises enhanced market surveillance, better investor protection, and the governance standards that listed companies must maintain — each of which creates risk management obligations for the firms operating within its regulatory perimeter.
Saudi Arabia's financial regulatory framework is also shaped by the Insurance Authority — which assumed responsibility for health and commercial insurance regulation from SAMA — and the National Anti-Money Laundering and Counter-Terrorism Financing Committee, which coordinates the Kingdom's financial crime risk framework across all sectors. The interaction between these multiple regulatory authorities creates a complex compliance environment at major financial institutions, and the risk professionals who can navigate it credibly are among the most commercially valuable in the Saudi financial services market.
Basel III and SAMA's capital adequacy framework
Saudi banks consistently exceed Basel III capital adequacy requirements — a structural feature of the Saudi banking sector that reflects both SAMA's conservative regulatory standards and the commercial resilience of institutions whose balance sheets are ultimately underpinned by the sovereign wealth of one of the world's richest states.
SAMA requires banks to maintain capital adequacy ratios above the Basel III minimums, and the sector's common equity Tier-1 ratios — typically above 14 percent — sit materially above the Basel III minimum of 4.5 percent plus the capital conservation buffer of 2.5 percent. This strong capitalisation reflects the prudent credit culture that SAMA has fostered, the historically low non-performing loan ratios below two percent that characterise the sector, and the conservative provisioning policies that have insulated Saudi banks from the credit quality deterioration that less well-regulated banking systems have experienced.
The IFRS 9 expected credit loss framework — requiring banks to provision against anticipated future losses rather than waiting for actual loss events — has been one of the most significant technical risk management changes of recent years for Saudi banks. Credit risk professionals who develop deep understanding of ECL modelling, the selection of forward-looking macroeconomic scenarios for provisioning purposes, and the governance frameworks that SAMA expects around ECL model validation are among the most technically in-demand in the Saudi credit risk market. KPMG's December 2024 publication on Model Risk Management explicitly identified SAMA's forthcoming MRM guidelines as one of the key strategic and regulatory imperatives for Saudi banks, signalling that model governance is the next major area of regulatory focus after IFRS 9 implementation.
The concentration risk dimension identified by the IMF's FSAP is particularly relevant to credit risk professionals at major Saudi banks. Vision 2030's development programme has generated enormous credit exposure to government and government-linked entities — PIF subsidiaries, giga-project companies, and the major state-linked corporations driving the economic transformation. These exposures are exempt from SAMA's large exposure limits, creating concentration risk positions that the IMF has encouraged SAMA to monitor more actively. Credit risk professionals who develop the analytical frameworks to assess, monitor, and govern these concentrated government-linked exposures — understanding how they interact with the bank's capital position under stress scenarios — are working at the most strategically consequential level of Saudi credit risk management.
The disciplines of Saudi risk management
Credit risk is the dominant risk discipline across Saudi banking, reflecting the scale of the domestic lending book and the breadth of credit activity that Vision 2030 is generating. The SAR 2,780 billion in credit extended to the private sector by year-end 2024 — exceeding SAMA's own target — represents a credit portfolio of enormous scale managed across retail mortgage lending, consumer credit, corporate lending, project finance, and the structured finance that Vision 2030's infrastructure programme requires. Credit risk professionals at Saudi National Bank, Al Rajhi Bank, Riyad Bank, Banque Saudi Fransi, and the other major domestic banks manage the analytical frameworks, approval processes, portfolio monitoring systems, and regulatory reporting that this credit activity demands.
Credit risk in the Islamic banking context adds specific technical requirements. Saudi Arabia's fully Sharia-compliant banks — Al Rajhi Bank, Alinma Bank, Bank AlJazira, and others — extend credit through Islamic financing structures including murabaha, ijara, musharaka, and istisna. The credit risk assessment of these structures requires understanding both the conventional creditworthiness of the borrower and the specific characteristics of the Islamic financing contract — the asset backing, the profit-rate structure, and the default and recovery provisions — that differ from conventional loan documentation. Credit risk professionals who combine conventional ECL modelling expertise with Islamic finance product knowledge are genuinely differentiated in the Saudi credit risk market.
Operational risk has grown substantially in scope and strategic importance across Saudi financial institutions, driven by three concurrent forces. The first is SAMA's Cybersecurity Framework — a mandatory set of controls applying to all SAMA-regulated institutions covering governance, risk management, information asset protection, third-party security, and operational resilience. The framework draws on global benchmarks including NIST CSF, ISO 27001, and Basel Committee guidelines, adapted to the Saudi regulatory environment. Its enforcement has become materially more active: SAMA levied over SAR 20 million in penalties across more than fifty violations in 2025, establishing that cyber risk management failures carry genuine financial consequences for regulated institutions.
The second is the Personal Data Protection Law, fully enforceable from September 2024, which has significantly elevated expectations around data governance, cross-border data transfers, and vendor oversight across all PDPL-subject organisations including financial institutions. Operational risk professionals who understand the intersection between cybersecurity risk, data privacy obligations, and SAMA's cyber governance requirements are among the most sought-after specialists in the Saudi operational risk market.
The third is the extraordinary pace of digital transformation across Saudi banking and financial services. Saudi Arabia is targeting 525 fintech firms by 2030, SAMA's Open Banking Framework is creating new competitive dynamics across the sector, and digital banking adoption is growing rapidly across the population. Each of these developments expands the operational risk surface that institutions must govern — from technology failure and third-party dependency risk to the fraud and financial crime risks that digital channels introduce. Operational risk professionals with genuine technology risk competence are consistently among the most actively recruited across the Saudi financial services sector.
Market risk is concentrated in the treasury operations of major Saudi banks and in the trading and capital markets activities of the investment banking firms operating in Riyadh. Saudi banks manage significant foreign exchange exposures arising from the SAR's peg to the US dollar, which transmits Federal Reserve rate decisions directly into Saudi funding costs and asset yields. Treasury professionals and market risk managers at major banks develop specific expertise in managing interest rate risk across a dollar-pegged currency environment — where SAMA's benchmark repo rate moves in lockstep with Fed rate decisions rather than responding to domestic Saudi economic conditions.
Islamic risk management encompasses the specific risk governance requirements that apply to Sharia-compliant financial institutions — requirements that go beyond conventional Basel prudential standards in several important dimensions. Sharia compliance risk — the risk that a product or transaction is found retrospectively to be non-compliant with Islamic principles — is managed through dedicated Sharia supervisory boards, product approval processes, and ongoing transaction monitoring. Displaced commercial risk — specific to profit-sharing investment account structures at Islamic banks — requires specific capital treatment under SAMA's Islamic banking regulations. Rate of return risk — the risk that profit rates paid to investment account holders become uncompetitive — is a specific liquidity and reputational risk managed alongside conventional ALM frameworks. Risk professionals at Saudi Islamic banks who develop competence across these specific Islamic risk dimensions are genuinely distinctive and genuinely valued.
Model risk is emerging as the next major regulatory focus in Saudi risk management, following KPMG's explicit identification of forthcoming SAMA MRM guidelines as a key strategic imperative. Saudi banks are increasingly dependent on quantitative models — for credit scoring, IFRS 9 ECL calculation, market risk measurement, and increasingly AI-driven customer analytics and fraud detection — and the governance frameworks required to validate, challenge, and control the use of these models are not yet as systematically developed as comparable frameworks in UK or Australian regulatory contexts. Risk professionals with model validation expertise and the ability to design MRM governance frameworks that meet SAMA's evolving expectations are entering a specialisation whose demand curve is strongly upward.
What risk professionals do in Saudi Arabia
The practical responsibilities of risk professionals in Saudi financial services combine the universal disciplines of risk framework design, quantitative analysis, and regulatory engagement with the specific Saudi dimensions described above.
Risk framework design at Saudi institutions encompasses the development of risk appetite statements approved by boards, policies and procedures governing each risk discipline, limit structures that translate risk appetite into operational constraints, and the governance processes — risk committees, reporting lines, escalation procedures — that ensure risk information reaches decision-makers with the accuracy and timeliness it requires. SAMA's onsite inspections assess the quality of these frameworks directly, and risk professionals who can design, implement, and defend well-governed risk frameworks under regulatory scrutiny are the most valued contributors to their institutions' risk functions.
Regulatory engagement is a significant and growing component of risk work at major Saudi institutions. SAMA conducts regular bilateral supervisory meetings, thematic reviews focused on specific risk topics, and the periodic SREP-style assessments that combine quantitative analysis of capital and liquidity positions with qualitative assessment of governance and risk culture. Risk professionals who can prepare for, manage, and follow up from regulatory engagements — presenting complex risk analysis clearly, responding credibly to SAMA's questions, and demonstrating genuine remediation of identified weaknesses — are among the most institutionally valuable risk practitioners in the Saudi market.
Stress testing is a growing requirement across SAMA-supervised institutions, with the IMF's FSAP assessment having identified the need for more systematic macroeconomic stress testing programmes. Risk professionals who can design and execute stress tests — modelling the impact of oil price shocks, real estate price declines, and global financial market stress on Saudi bank capital positions — and translate the results into credible capital planning strategies are developing skills that will become regulatory requirements rather than institutional best practices over the coming years.
Types of employers
Saudi National Bank — the largest bank in the Middle East by assets, with over SAR 300 billion in total assets and operations in multiple countries — maintains the largest and most complex risk management function in the Kingdom. Its credit risk, market risk, operational risk, and model risk teams collectively manage the risk governance of an institution whose systemic importance to Saudi Arabia is singular. SNB's strong focus on enterprise-wide risk governance, identified in industry commentary on its risk management function, makes it the most institutionally substantial risk management employer available in the Saudi market.
Al Rajhi Bank — the world's largest Islamic bank by market capitalisation, with assets nearing SAR 1.3 trillion — employs risk professionals across credit risk, Islamic finance risk, operational risk, and Basel compliance. Its combination of massive retail presence, Sharia-compliant product range, and the specific risk governance requirements of a fully Islamic institution makes it one of the most technically distinctive risk management environments in the Kingdom.
Riyad Bank, Banque Saudi Fransi, Arab National Bank, Alinma Bank, and the other major domestic institutions each maintain risk functions that are growing in scope and sophistication as SAMA's regulatory expectations advance. International banks with Riyadh operations — HSBC, Citi, Deutsche Bank, and their peers — operate risk teams aligned to global frameworks with Saudi-specific adaptations, and offer risk professionals the combination of global methodology access and local market application that distinguishes international bank environments.
PIF and its portfolio companies represent a growing employer segment for risk professionals, particularly in investment risk, portfolio risk, and the enterprise risk governance frameworks that the sovereign fund's expanding domestic and international investment activities require. The giga-project companies — NEOM, Red Sea Global, Qiddiya, and Diriyah — each require project risk management professionals capable of governing the construction, financial, regulatory, and operational risks of infrastructure development programmes of unprecedented scale.
SAMA itself, along with the CMA and the Insurance Authority, employs risk professionals in supervisory and analytical roles that provide unparalleled insight into risk management practices across the entire regulated sector and direct engagement with the institutions and regulatory developments that shape the profession.
Salary and compensation
Risk management compensation in Saudi Arabia combines the tax-free advantage that applies across the professional market with the premium that genuine risk expertise commands in a regulatory environment of growing sophistication.
Risk analysts and junior risk professionals at major Saudi banks typically earn total compensation of SAR 100,000 to SAR 180,000 annually at entry to early career level — all retained in full due to zero personal income tax. The standard Saudi salary structure — approximately sixty-five percent basic salary, thirty percent housing allowance, five percent transport allowance — means that package negotiation focuses on total monthly value rather than base salary alone.
Risk managers with five to ten years of experience earn total compensation of SAR 194,563 to SAR 347,089, with the average confirmed at SAR 284,033 by ERI salary survey data. In Riyadh specifically — where the concentration of major financial institution headquarters commands a ten to fifteen percent premium over other cities — the average risk manager total compensation is SAR 314,766, with the range running from SAR 215,615 to SAR 384,644. PayScale confirms average base salary for risk managers in Saudi Arabia at SAR 144,000, consistent with base salary being approximately sixty-five percent of total compensation in the standard Saudi package structure.
Risk Management Directors earn total compensation averaging SAR 318,800 annually, with the range running from SAR 152,000 at the lower end to SAR 498,000 at the upper end — the wide range reflecting the significant variation between mid-sized domestic institutions and the most complex major banks. The median for Risk Management Director roles sits at SAR 330,900, with the top risk management executives in the Kingdom earning total compensation of SAR 476,000 per ERI data. Chief Risk Officers at major Saudi financial institutions earn base salaries of SAR 1,000,000 as confirmed by PayScale data, with total compensation including performance bonuses extending well above that figure at the most systemically significant institutions.
The absence of personal income tax materially changes how these figures compare with salaries elsewhere. A risk director earning SAR 400,000 annually in Riyadh — approximately USD 107,000 — retains every riyal. Achieving equivalent net take-home in the United Kingdom, accounting for income tax and national insurance at this level, would require gross earnings approaching USD 180,000 to USD 190,000. The cumulative savings advantage over a multi-year Saudi career assignment is financially substantial and directly relevant to the career decisions of internationally mobile risk professionals weighing Saudi Arabia against comparable roles in London, Sydney, or other high-tax centres.
Career progression
Risk management careers in Saudi Arabia begin at analyst or associate level within a specific discipline — credit, market, operational, or Islamic risk — and follow progression paths shaped both by the individual's technical development and by the Saudization dynamics that create specific career tailwinds for Saudi national risk professionals in a sector where SAMA's regulatory requirements demand well-qualified local practitioners.
From analyst, the career moves through risk manager, senior risk manager, and director levels, with each step reflecting deepening technical expertise, broader governance responsibility, and growing engagement with SAMA supervisors and senior institutional leadership. The Chief Risk Officer role represents the apex of the Saudi risk management career — a position of board-level visibility, direct regulatory accountability, and compensation that reflects the genuine scarcity of individuals who combine the technical depth, the regulatory credibility, and the Islamic finance knowledge that the Saudi CRO role demands.
Professional credentials valued across the Saudi risk management community include the Financial Risk Manager qualification from GARP, the Professional Risk Manager qualification from PRMIA, and in credit-focused roles the CFA charter for its investment analysis depth. Our Investment Risk and Taxation credential provides structured coverage of investment risk frameworks and the interaction between risk management and the financial instrument environment within which Saudi institutions operate — directly relevant to risk professionals working with the sukuk, Islamic finance products, and equity exposures that constitute major components of Saudi bank balance sheets and investment portfolios. Our Derivatives credential addresses the complex financial instruments used in Saudi treasury management, project finance structuring, and the capital markets activities of CMA-licensed institutions — knowledge directly applicable to the market risk and treasury risk functions at major Saudi banks. Our Core Regulatory Programme for Saudi Arabia provides the jurisdiction-specific regulatory foundation that risk professionals need — from SAMA's capital adequacy requirements and cybersecurity framework to the CMA's market risk governance standards and the Islamic finance regulatory principles that apply across the Saudi financial sector's unique dual framework of conventional and Sharia-compliant institutional supervision.
Risk management in Saudi Arabia is a profession of genuine consequence. The institutions whose risk frameworks are adequate will participate fully in the Kingdom's most significant economic transformation in a generation. Those whose frameworks are inadequate face SAMA's increasingly active enforcement posture — and the personal professional consequences that regulatory action against named senior executives creates. The risk professionals who build the frameworks, govern the processes, and engage the regulators that ensure the former outcome rather than the latter are not back-office support staff. They are among the most consequential contributors to a financial system on which the economic ambitions of thirty-six million people and the Vision 2030 transformation of an entire nation depend.