Governance of Internal Control and Risk Management

Dubai Taxi Company maintains a strong internal control environment and a disciplined approach to risk management as core elements of its governance framework. The Company recognises that effective controls, proactive risk oversight, and a culture of integrity are essential to safeguarding assets, ensuring regulatory compliance, and supporting sustainable long‑term performance.

In FY 2025, DTC continued strengthening its governance foundations by reinforcing the independence of its assurance functions, enhancing control processes, and promoting organisation‑wide awareness of ethical conduct, compliance responsibilities, and risk‑informed decision‑making. This culture is supported by the Board, the Audit, Risk and Compliance Committee, and the Company’s independent governance functions, which work collectively to ensure sound oversight and continuous improvement.

Enterprise Risk Management (ERM)

During FY 2025, DTC continued strengthening its ERM framework to ensure risk considerations are embedded into strategic planning, decision‑making, and oversight processes, supported by clear governance, defined accountability, and regular reporting to the Board and the Audit, Risk and Compliance Committee (ARCC).

ERM Framework and Governance

In 2025, the Enterprise Risk Management framework was formally updated to enhance clarity, consistency, and alignment with international standards and regulatory expectations. The updated ERM Policy and Processes establish a structured methodology for risk identification, assessment, mitigation, monitoring, and reporting across the organisation.

The ERM framework aligns with:

• ISO 31000:2018 Risk Management Guidelines
• COSO ERM Framework (2017)
• Risk management requirements set out in the SCA Governance Guide

Risk Oversight and Reporting

The ERM function provides periodic risk updates to the ARCC and the Board, drawing on the enterprise risk portfolio, updated risk documentation, and assessments of emerging and evolving risks. These updates support informed oversight and enable the Board to evaluate risk exposure in the context of strategy, performance, and sustainability objectives.

Risk assessments conducted during the year considered:

• Strategic and operational risks
• Financial and compliance‑related risks
• ESG‑related risks
• Emerging risks arising from market dynamics, cyber and technological developments

Key Risk Themes and Emerging Risks

During FY 2025, the ERM function initiated the identification and assessment of a range of evolving risk themes relevant to DTC’s operating environment. These included, among others, risks associated with technological disruption, alternative mobility solutions, and increased competition within the broader transportation and last‑mile delivery landscape.

Mitigation strategies and management actions were reviewed as part of the ongoing risk portfolio refresh, with oversight maintained through regular reporting to Management and the ARCC.

Risk Incidents and Red Flag Matters

In line with the requirements of the SCA Governance Guide, DTC confirms that no major risk incidents or red‑flag matters requiring escalation to the Board were identified during FY 2025. Minor operational incidents were managed within established control frameworks and did not have a material impact on the Company’s operations or financial position.

Enhancements to ERM Tools and Integration

Enhancements to ERM tools and reporting continued during FY 2025. This included progress towards automating the enterprise risk register to improve data accuracy, consistency, timeliness, and transparency in risk reporting.

Risk integration with strategy, budgeting, ESG, and Internal Control over Financial Reporting (ICFR) has been flagged as a key area of importance to ensure that risks are evaluated and managed as part of strategic planning, financial decision‑making, sustainability initiatives, and control design.

Compliance

During FY 2025, DTC continued strengthening its Compliance framework by embedding compliance considerations into business processes, enhancing monitoring mechanisms, and promoting a culture of integrity and transparency across all levels of the organisation.

Compliance Framework and Activities in 2025 and beyond

Whistleblowing and Ethical Reporting

DTC maintains a confidential whistleblowing mechanism (Aman) to encourage the reporting of concerns in a safe and protected manner. During FY 2025, no material whistleblowing cases were reported. Matters received were addressed in coordination with the relevant departments in accordance with established procedures.

As part of its commitment to ethical governance, DTC relaunched the Aman programme during the year and continued work on strengthening its non‑retaliation framework.

Policies, Procedures, and Training

• Regular reviews of compliance‑related policies and procedures were conducted to ensure ongoing alignment with regulatory requirements and best practices.
• The Compliance function assumed a broader role in overseeing policy governance and lifecycle management at the Company level.
• Targeted awareness sessions were delivered on the Code of Conduct and Conflict of Interest, with additional training initiatives planned for insider trading and other key compliance areas.

Internal Control over Financial Reporting (ICFR)

Internal Audit

During FY 2025, the Internal Audit function continued to operate as the third line of defence, supporting the Board and Executive Management through a risk‑based audit approach, broad audit coverage, and structured follow‑up mechanisms.

Mandate, Independence, and Reporting Lines

Internal Audit operates in accordance with the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors (IIA) and the Global Internal Audit Standards.

The independence of the Internal Audit function was formally confirmed to the ARCC during FY 2025.

Audit Coverage and Activities in 2025

Internal Audit executed the ARCC‑approved risk‑based audit plan for FY 2025, covering key operational, financial, IT, compliance, and governance areas. Engagements included assurance reviews, advisory assignments, and targeted reviews requested by Management and the ARCC.

Audit coverage during the year included, among others:

• Core operational and commercial activities.
• Procurement, contract management, and asset‑related processes.
• Information technology and cybersecurity controls.
• Internal Control over Financial Reporting (ICFR).
• Compliance and risk management practices.
• Business continuity and organisational resilience.

Red Flag Matters and Escalation

In line with SCA governance requirements, Internal Audit confirms that no major red‑flag issues requiring immediate escalation to the Board were identified during FY 2025.

Internal Audit maintains a structured escalation framework whereby significant matters, should they arise, are promptly reported to senior management, the ARCC, and the Board, as appropriate.

Follow‑up and Continuous Improvement

Internal Audit applies a formal follow‑up process to monitor the implementation of management action plans arising from audit engagements. Progress is tracked and reported periodically to the ARCC to ensure accountability and timely remediation.

Enhancements to the Internal Audit Function in 2025

During FY 2025, Internal Audit continued to enhance its effectiveness through:

• Increased use of audit automation, data analytics, and permitted AI tools.
• Preparation of a multi‑year Internal Audit strategy aligned with DTC’s risk profile and strategic priorities.
• Updates to audit methodologies and procedures in line with evolving professional standards.

Reporting to the ARCC and the Board

The Head of Internal Audit provides regular reports to the ARCC covering audit plan execution, key observations, and the status of corrective actions, supporting effective oversight of the Company’s internal control environment.