Enterprise Risk Management

… continues to serve as a central engine to manage uncertainties and drive performance and resilience.

As the biggest urban hub for tourism and business in the Gulf, Dubai is a city that rarely sleeps. Tourists and business executives, as well as the Emirate’s approximately 4.7 million daytime residents, rely on Dubai being open and accessible 24 hours a day, 365 days a year.

As Dubai’s exclusive toll operator, Salik is aware of and committed to its obligation to provide seamless, barrier‑free, uninterrupted motion through its ten automatic toll gates running through the heart of the Emirate, where 638.2 million vehicles passed during 2024.

As Salik embarks on its growth trajectory by diversifying its revenue streams while ensuring continued disruption‑free operations of the Dubai tolling systems, Salik’s Enterprise Risk Management (ERM) framework continues to serve as the central engine for all risk management activities across the organisation.

In 2024, Salik adopted a Risk Maturity Model (RMM) in its pursuit towards enhancement of the culture and maturity of its ERM practices and has conducted an initial assessment of the maturity level against the RMM. The Risk Maturity Model (RMM) serves as a benchmark of practices against an umbrella framework that covers ISO 31000, OCEG Red Book and COSO standards. An Internal Audit was conducted in 2024 on the ERM processes and it’s maturity levels using the RMM and prioritized action plan has been developed for enhancing the ERM practices. ERM serving as the central engine for all risk management activities was also audited by an External Certification Body, as part of the ISO 37301 Compliance Management System Certification in 2024.

Salik has designed and adopted its risk management practices at all levels as an integrated tool for decision‑making. This encompasses strategic and other emerging risks, operational risks and project‑specific risks which included application of the risk criteria while developing new services such as parking payment solutions for Dubai Mall and cooperation with Liva Group.

At Salik, we have not only designed technologies with built‑in continuity capabilities, but have developed an organisational culture where risk management, business continuity, response and recovery protocols, and financial resilience are embedded in everything we do. Implementing a culture and philosophy of reliability and resilience at all levels of the organisation has helped the Company to realise virtually no customer‑facing systems downtime and close to zero revenue losses.

Salik’s integrated approach to ERM, business continuity management and crisis management underpins its ability not only to respond to operational disruptions but to deliver on its long‑term growth objectives. Contextualised risk appetite statements have been approved by Salik’s Board of Directors, setting out limits on acceptable risks for all business units to follow in pursuit of opportunities and growth. These support risk‑based decision‑making at all levels. Awareness sessions are conducted on the ERM & BCM framework for decision makers across Salik which supports culture building. Moreover Emerging Risks are also discussed on an yearly basis to understand the proximity, materiality and knock‑on effects of these risks on Salik’s Strategy and Operations. The key risks summarized in this report incorporates the impacts of the Emerging Risks on Salik.

Salik’s ERM Policy drives common language and protocols for identifying, documenting and communicating risks. The deployment of the ERM Policy across the organisation at all levels ensure identification and management of risks, within the overarching appetite levels set out by the Board of Directors. These risks, along with their mitigation plans across all levels of the organisation, are monitored by the management level committee established at Salik. This ensures that a cross‑functional management team is always on top of all risk‑management activities, including critical vendor and third‑party relationships, driving Salik’s readiness and resilience to disruptions across value chains.

Top risks affecting Salik’s ability to achieve its strategy and ensure disruption‑free operations are aggregated and communicated to the Salik Board of Directors, having already been reviewed and endorsed by Salik’s management committees. The top risks are also independently endorsed by Salik’s Audit Committee. This exercise is carried out on a quarterly basis to ensure that the Salik Board of Directors is aware of and informed on the top risks for their timely attention and instruction.

Salik’s best‑in‑class roadside tolling technology is designed to deliver continuity and resilience. It was built on high‑availability and high‑redundancy designs that produce 99%+ uptimes across all toll gates as well as back‑end processes. Disaster recovery plans support the fundamentally robust technical framework, which in 2024 continued to support seamless notification, monitoring, communication, resolution of incidents and resumption of services.

Salik’s business continuity management system, based on a BCM Policy approved by the Board of Directors, ensures that business impact analyses are regularly carried out. Furthermore, business continuity plans are prepared and tested to ensure resilient operations.

Salik’s ERM seamlessly aligns with the ‘Three Lines of Defence’ Governance model, with the Board of Directors providing executive decisions on the key risks faced by Salik. In addition, its Audit Committee, which has visibility and oversight over the Risk Management and control activities across Salik, provides assurance on all the Governance practices adopted by Salik.

Key Risks & Salik’s Risk Management Approach

The following summarises Salik’s Key Risks and its management approach with the aim of enhancing stakeholder value and achieving sustainable performance.

Risk Area	Description	Risk Management Approach
Operational	Technology or process outages which could result in disruption in roadside tolling infrastructure, back‑end processing and/or customer facing services. While the ongoing strategic projects and revenue diversification initiatives do introduce change management complexities, historically disruptions have been minimal and have not materially impacted Salik.	Salik’s best‑in‑class roadside tolling technology is designed to deliver continuity and resilience. It was built on high‑availability and high‑redundancy designs that produce 99%+ uptimes across all toll gates as well as back‑end processes. Disaster Recovery arrangements support the fundamentally robust technology supported by seamless notification, monitoring, communication, resolution of incidents and resuming services.
Operational	Dependency on key sub‑contractors for Toll operations and other revenue diversification initiatives could result in operational continuity difficulties, if any of the key sub‑contractors discontinue their relationship with Salik, with no precedence of such scenarios.	Appropriate contractual protections along with access to necessary intellectual property rights on continued usage of the technology for the Dubai Tolling Operations and other revenue diversification initiatives form the cornerstone for continuity. Moreover, revenue diversification initiatives are being de‑leveraged from dependency on the same sub‑contractor.
Strategic	As Salik seeks to pursue growth opportunities, it encounters operational, technology and regulatory readiness risks, while ensuring timely implementation and ongoing success of these strategic initiatives and other revenue diversification initiatives.	Embedding robust project‑management principles into every project in Salik ensures effective project‑level risk management leading to project success. Salik’s cross‑functional project teams and for toll‑related projects, including RTA stakeholders, ensure complete contextual understanding of readiness including operational, technology and regulatory aspects. Approved risk‑appetite considerations are embedded within the decision‑making approach for growth opportunities and strategic initiatives. Keeping abreast of regulatory developments for other revenue diversification initiatives and reaching out to regulators for early understanding and approvals ensure that project success is not restricted by regulatory compliance matters.
Strategic	Economic downturns and resultant reduction in traffic volumes can lead to declining revenues for Salik.	Salik focuses on strategic monitoring of triggers and emerging factors which could assist in identifying early signs of potential downturns. Salik is committed to fostering relationships with government bodies to remain informed about upcoming initiatives or projects that could spur growth. Additionally, maintaining operational efficiency and cost‑control measures serve as additional measures to tone down the impact of revenue fluctuations. Salik’s strategic initiatives aim at de‑risking revenue and geographical concentration risk through innovative projects and by diversifying its service offerings. Salik has already embarked on its journey to diversify revenue streams and support long‑term sustainability of its business. Regular financial disclosures are made to stakeholders, ensuring transparency regarding the company’s operational performance and financial health.
Climate Change and Extreme Weather Events	Extreme weather events triggered by climate change can lead to asset damages.	At Salik we recognise that climate change can lead to extreme weather events at a higher frequency, and understanding and managing this is inbuilt into our operational resilience mechanisms. Protection measures are in place as part of the design criteria of our toll gates and data centres. This is operational and supported by well‑established crisis management protocols in coordination with RTA for timely identification and mitigation of event impacts. Adequate insurance coverages are also in place for any physical damage to the assets and resultant business interruption losses. There was no material impact from the last extreme weather event of excessive rain and flooding in Dubai.