Interview Of The Week: Imad Aldhfiri on GRC, AI, and ESG Accountability

News Desk


In an exclusive conversation with TECHx Media, Imad Aldhfiri, Vice President of Governance, Risk, and Compliance at Aramco Digital, shares how GRC is evolving in Saudi Arabia amid digital transformation, AI adoption, and ESG expectations. He discusses real-time governance, fostering a risk-aware culture, managing third-party risks, and the rising importance of AI ethics and climate resilience in building trust, competitiveness, and long-term value.

How has your approach to Governance, Risk, and Compliance evolved over the years, especially in response to growing digital, geopolitical, and ESG pressures?

My GRC practice has shifted from compliance-focused checklists and audits to a forward-looking approach that prioritizes long-term value creation. GRC is now a company-wide practice connecting governance to strategy, risk management to innovation, and compliance to ethical leadership.

Digitalization has been the biggest driver. With cloud technologies, AI, and advanced analytics, risk has become more complex. In Saudi Arabia, AI is projected to contribute over US$235 billion to the economy by 2030, or more than 12% of GDP. This requires governance frameworks embedding privacy, cybersecurity, and digital ethics into every decision.

Geopolitical factors demand flexibility. The Personal Data Protection Law (PDPL), effective September 2024, mandates local data storage and limits cross-border data movements. Unlike the EU’s GDPR, which emphasizes portability, PDPL prioritizes national data sovereignty, requiring GRC to balance local laws with international standards. Other frameworks, such as the CMA Corporate Governance Regulations and SAMA’s Risk-Based Supervisory Framework, further shape risk and compliance practices.

ESG expectations have expanded GRC’s role. Sustainability and ethical governance now need to deliver measurable results. Anti-bribery regulations, like those led by Nazaha, broaden the accountability scope. GRC has become a strategic tool for trust, investment, and sustainable growth, aligned with Saudi Arabia’s economic transformation.

How are AI, automation, and predictive analytics reshaping GRC? Are we moving toward real-time governance?

GRC is moving from retrospective reporting to real-time governance. Manual reporting and audits delayed response times, but automation frees resources for strategy and foresight.

Saudi Arabia leads in AI adoption. The Cisco AI Readiness Index 2024 shows 54% of organizations use predictive AI, and 44% have adopted generative AI. Banks and regulators are testing AI-powered fraud detection, anomaly monitoring, and regulatory oversight, providing executives with 24/7 insight. Predictive analytics helps identify vulnerabilities before they escalate, enabling continuous compliance.

Challenges remain around ethical AI, algorithmic transparency, and regulatory trust. Still, AI-driven compliance strengthens trust, resilience, and competitiveness, aligning with the Kingdom’s digital ambitions.

How do you foster a risk-aware culture, especially when compliance feels like a box-ticking exercise?

Leadership must show that risk management drives competitiveness rather than bureaucracy. Saudi regulators, including CMA, SAMA, and NCA, are raising expectations for risk-aware performance.

Cyber risk is ranked above inflation as a top threat in Saudi Arabia, and Vision 2030 aims for US$100 billion in annual FDI, making robust risk management crucial. Embedding risk indicators into KPIs, scenario-based simulations, gamified compliance programs, and reward systems helps employees perceive risk management as a core responsibility. Aligning governance with Shariah principles reinforces culturally relevant values.

What are the key challenges in maintaining consistent compliance across different regulatory environments?

Balancing compliance across jurisdictions is challenging. The PDPL requires local data storage and authorizations for cross-border transfers, contrasting with the EU’s GDPR.

I rely on global compliance principles grounded in integrity, transparency, and accountability, then tailor them locally. This includes cybersecurity standards, anti-bribery laws, ESG reporting guidelines, Shariah-compliant practices, and financial regulations. Technology, such as RegTech, enables real-time anomaly detection, accurate reporting, and prompt filings. Compliance committees integrating global and local expertise harmonize practices while respecting cultural and legal obligations.

What is often overlooked in managing third-party or vendor-related risk?

Third-party risks are underestimated. Organizations often focus on contracts and financial stability, ignoring cybersecurity weaknesses, unethical labor practices, or subcontractor behavior.

Cybersecurity is critical. Over one-third of 2024 data breaches were linked to third-party access. ESG compliance is another blind spot, as many companies extend sustainability strategies internally but not across supply chains. Fourth- and fifth-party dependencies add complexity. Continuous monitoring, audits, ESG certifications, and accountability frameworks are essential for resilient, trusted supply chains, especially in Saudi Arabia’s globally integrated economy.

How is GRC driving ESG accountability beyond reporting?

GRC is shifting from oversight to active ESG leadership. In Saudi Arabia, ESG drives strategy, and GRC embeds sustainability, ethics, and accountability into business models. The Saudi Exchange requires boards to demonstrate how ESG goals integrate into operations.

Risk frameworks now include carbon exposure, supply chain ethics, and social responsibility. Continuous monitoring using integrated GRC platforms ensures sustainability is embedded in strategy and culture. Enhanced ESG disclosure is linked to better financial performance, higher ROA and ROE, operational effectiveness, and investor confidence. ESG is a strategic driver of long-term value, not just compliance.

How do you ensure simplicity, clarity, and agility in complex GRC systems?

Principle-based design is key. Governance should be grounded in honesty, responsibility, and accountability, rather than technical jargon. Technology translates regulations into real-time dashboards for leaders and employees.

Clear communication via training, scenario simulations, and gamification connects compliance to daily work. Continuous monitoring and scenario testing allow organizations to pivot quickly. This approach makes GRC simple, clear, and agile while guiding businesses confidently through complexity.

What area of GRC is underexplored but will be crucial in the next 5–10 years?

Digital ethics and AI governance are underexplored but vital. With Saudi Arabia leading in AI strategy, algorithmic fairness, data privacy, and explainability are essential to trust and competitiveness. Many organizations still focus on cybersecurity without embedding AI accountability, which can undermine public and regulatory confidence.

Climate and environmental governance is another critical area. Carbon risk, transition to renewables, and reputational risks like greenwashing must be integrated into risk frameworks. Embedding AI governance, digital ethics, and climate resilience into compliance and governance models will help Saudi businesses protect themselves and become global benchmarks for responsible, trustworthy innovation.