A comprehensive practical guide to corporate governance in Saudi Arabia — frameworks, board practices, regulatory compliance, and PDPL.
This content is for educational and compliance awareness purposes only. It does not constitute legal advice. Consult a licensed attorney for legal counsel.
Under Vision 2030 and the structural transformations in Saudi Arabia, corporate governance is no longer a regulatory luxury — it has become an essential requirement for sustainability, growth, and attracting investment. Listed companies that adhere to CMA governance regulations enjoy noticeably higher institutional trust compared to their peers — which directly impacts their market valuation and ability to attract capital.
Many Saudi organizations have written governance policies. But the fundamental question is not whether you have a policy — it is whether it is actually implemented. Is your board exercising real oversight or merely signing off? Are your committees working effectively or meeting ceremonially? Is board performance evaluated annually with a clear methodology?
The gap between written policy and actual practice is exactly where organizations face risk — regulatory risks including penalties from supervisory authorities, financial risks from weak internal controls, and reputational risks that can be more costly than any monetary fine.
Organizations with effective governance achieve measurable results. First: attracting investment — institutional investors place governance standards at the top of their evaluations, and no institutional investor enters a new investment without a comprehensive governance assessment. Second: robust risk management that detects risks early before they escalate into crises. Third: operational efficiency through clear roles and responsibilities that reduce authority overlap.
Saudi Arabia has a comprehensive regulatory ecosystem governing corporate governance. The Companies Law issued by Royal Decree No. M/3 of 1437H, updated in 2022, represents a paradigm shift in business environment regulation — defining requirements for board formation, shareholder rights, and financial disclosure. CMA issues detailed regulations for listed companies including the Corporate Governance Regulation and the Continuous Disclosure Regulation. SAMA requires financial institutions to meet stringent governance standards covering risk management and compliance.
SDAIA — the Saudi Data and AI Authority — issued the Personal Data Protection Law (PDPL) which added a new layer of governance requirements. Every organization processing personal data is now obligated to appoint a Data Protection Officer, maintain processing activity records, and provide clear mechanisms for data subject requests. Penalties reach 5 million SAR and imprisonment for unlawful disclosure of sensitive data.
Saudi Arabia has two distinct governance regimes that many confuse. The first is CMA's regime for companies listed on Tadawul — imposing a detailed governance regulation including independent board members, continuous disclosure, and mandatory committees. The second is the Ministry of Commerce (MCI) regime for unlisted companies — requiring minimal organization: forming a board, holding general assemblies, and filing financial statements. Overlap occurs when a private company prepares for listing or when it is partially owned by a government entity. Understanding which regime applies to your organization is the first step — applying CMA requirements to a small private company creates unnecessary bureaucracy, while ignoring MCI governance creates legal risk.
Governance of unlisted companies is the largest gap in the Saudi market. Most family businesses, holding companies, and mid-size enterprises are not under direct CMA supervision, creating the illusion that governance is not required. The reality is that the Companies Law requires all company types to meet basic requirements, and their absence exposes the organization to real operational risks: partner disputes with no resolution mechanism, investment decisions without board oversight, and undisclosed conflicts of interest leading to financial losses. Governance in an unlisted company is not less important — it is often more important because market protection mechanisms (public disclosure, institutional shareholder oversight) are unavailable.
Common governance failures in Saudi family groups follow a clear pattern. First: mixing ownership with management — the founder chairs the board and manages daily operations, which eliminates the oversight function. Second: absence of a clear shareholders' agreement — partners rely on personal trust until a disagreement arises that personal relationships cannot resolve. Third: failure to separate group assets from individual assets. Fourth: inheriting positions instead of competencies — the board's role transforms from oversight to distributing family positions. Remediation starts with three steps: drafting a detailed shareholders' agreement, appointing at least one independent board member, and establishing a clear family employment policy.
The distinction between a shareholders' agreement and articles of association is fundamental yet overlooked by many organizations. The articles of association are a public document filed with the Ministry of Commerce governing the company's relationship with the outside world. The shareholders' agreement is a confidential document between owners regulating what the articles don't cover: exit mechanisms, preemptive rights, minority protection, and dispute resolution. The common problem: governance relies solely on the articles of association — and when a partner needs to exit or founders disagree, there is no agreed mechanism. Saudi commercial courts see a growing number of partner disputes that could have been avoided with a robust shareholders' agreement.
A governance framework is not a single document — it is an integrated system consisting of three layers. Layer one: the General Assembly of shareholders as the supreme authority for appointing the board and approving financial statements. Layer two: the board of directors and specialized committees — the audit committee for financial oversight and compliance, the nominations and remuneration committee for managing compensation and selecting leadership, and the risk committee for monitoring institutional risks. Layer three: executive management and internal audit.
The audit committee holds a special position in the governance system. According to the Saudi Companies Law, it must consist of at least 3 members who are not executive board members, with at least one specialist in financial and accounting affairs. Its authorities include: reviewing financial statements before presenting them to the board, supervising the external auditor, reviewing the internal control system, and evaluating risk management.
The core policies that any Saudi governance framework must include comprise seven essential documents: First, the board charter defining the board's authorities, responsibilities, and operating mechanisms. Second, the conflict of interest policy regulating member disclosure and preventing position exploitation. Third, the disclosure and transparency policy ensuring timely publication of material information. Fourth, the remuneration policy linking compensation to performance and preventing excess. Fifth, the risk management policy. Sixth, the whistleblower policy providing safe reporting channels. Seventh, the personal data protection policy for PDPL compliance.
The board of directors is the cornerstone of any governance system. An effective board features four essential characteristics. Diversity of expertise: the board should combine experts in finance, law, technology, and the organization's industry sector. Genuine independence: at least one-third of members are independent — not employees, business partners, or relatives of executive management. Meeting discipline: minimum 4 meetings annually with agendas distributed 7 days in advance and minutes approved at the next meeting. Regular evaluation: annual assessment of the board as a whole and each member individually.
The Saudi Companies Law stipulates that board membership ranges from 3 to 11 members. For family and mid-size companies, a minimum of 5 members is recommended to ensure diversity. For large and listed companies, 7–9 members with specialized sub-committees for each domain is recommended.
The cost of governance absence is not theoretical. In the Saudi market, several institutions have experienced direct consequences: delayed IPOs due to CMA governance observations, financial losses from lack of investment decision oversight, credit rating downgrades due to weak institutional governance, and difficulty attracting international institutional investors.
The Personal Data Protection Law (PDPL) has added a new and binding dimension to the governance ecosystem. It is no longer sufficient to govern only financial and administrative decisions — data governance has become a legal requirement. Key requirements include: a comprehensive inventory of processed personal data, classified as ordinary or sensitive; a determined legal basis for each processing activity (consent, legitimate interest, or legal obligation); a clear and published privacy policy; and an appointed Data Protection Officer (DPO).
Building a governance system follows four practical phases. Phase zero — immediate actions within 2 weeks: form the project team, obtain formal authorization from senior management, and define scope and required resources. Phase one — diagnosis and design over 4–8 weeks: assess current state against best practices and regulatory requirements, identify gaps, draft policies and define committee structure. Phase two — implementation over 8–12 weeks: formally constitute committees, train members, launch meeting schedules, and activate reporting and follow-up mechanisms. Phase three — maturity and continuous improvement: annual review of all policies, board and member performance evaluation, updates based on regulatory changes.
Case study: A Saudi holding company was preparing to attract an international institutional investor. During due diligence, the investor requested comprehensive governance documents: board charter, committee bylaws, meeting minutes, conflict of interest policy, and internal audit reports. The organization operated on a "we know how we work" basis without formal documentation. Result: investment was delayed 6 months to build a complete governance framework. A 7-member board with 3 independent members was formed, audit and remuneration committees established, and 7 core policies drafted within 30 days. Outcome: the organization secured the investment at a 20% higher valuation than the initial offer — because effective governance reduced the risk premium calculated by the investor.
Worked example — Governance gap assessment for a 3-entity holding group: A Saudi group owning a technology company, a real estate company, and a consulting unit. The assessment revealed: the parent company has a 4-member board — all family members, no independents. The technology company operates without a formal board and the general manager makes all decisions. The real estate company has a board but no audit committee. There is no shareholders' agreement at group level. There is no corporate secretary in any entity. Investment decisions between entities happen via phone calls without documentation. Remediation plan: appoint one independent board member at the parent (month 1), form a formal board for the technology company (month 2), create an audit committee for the real estate company (month 2), draft a comprehensive shareholders' agreement (months 3-4), and appoint a group corporate secretary (month 3). Cost: under 200,000 SAR. Return: investor readiness within 6 months instead of 18.
FAQ: Is governance only required for listed companies? No — the updated Saudi Companies Law requires all company types to meet basic governance requirements including forming a board of directors and holding regular meetings. Listed companies face additional CMA requirements.
What is the difference between governance and management? Governance is oversight and direction — it defines "what" and "why." Management is execution — it defines "how" and "when." The board governs; executive management manages. Confusing the two is the most common governance problem in family businesses.
How long does it take to build an effective governance system? The first phase from diagnosis to implementation typically takes 6–9 months. But governance is not a project with an end — it is a system that evolves with the organization. Annual review and continuous improvement are integral parts of institutional maturity.
References:
1. Companies Law — Royal Decree No. M/3 of 1437H (updated 2022) — boe.gov.sa
2. Corporate Governance Regulation — Capital Market Authority (CMA) — cma.org.sa
3. Personal Data Protection Law (PDPL) — Saudi Data & AI Authority (SDAIA) — sdaia.gov.sa
4. Essential Cybersecurity Controls (ECC) — National Cybersecurity Authority (NCA) — nca.gov.sa
5. Financial Institution Governance Principles — Saudi Central Bank (SAMA) — sama.gov.sa
Key regulators and their scope of authority
| Regulator | Scope | Key Frameworks |
|---|---|---|
| Companies Law (2022) | All registered companies | Board structure, shareholder rights, disclosure |
| Capital Market Authority CMA | Listed companies | Governance regulation, continuous disclosure, investor protection |
| SAMA | Financial & insurance institutions | Banking governance principles, risk management |
| SDAIA / PDPL | All entities processing personal data | Personal Data Protection Law, data governance |
| National Cybersecurity Authority NCA | Government entities & critical infrastructure | ECC, CSCC, CCC, TCC controls |
💡 Building a governance system costs less than 0.5% of annual revenue — while a single penalty can cost 5-15%. Governance is not an expense, it's an investment that protects the organization.