Risk Management

Enterprise Risk Management Framework

Dubai Taxi Company operates a structured Enterprise Risk Management (ERM) framework designed to identify, analyse, and manage risks in a consistent and integrated manner across the Group. The framework supports informed decision‑making, protects long‑term value, and strengthens organisational resilience.

DTC’s ERM framework is supported by a dedicated ERM Policy and ERM Process documents, which together demonstrate the Company’s internal capabilities, governance architecture, and risk‑aware culture. These documents promote a unified understanding of risk management by clearly defining governance principles, roles and responsibilities, and risk management processes across the organisation.

The ERM framework is aligned with leading international standards and regulatory guidance, including ISO 31000:2018, the COSO ERM 2017 Framework, and applicable Securities and Commodities Authority (SCA) risk management guidelines.

Three Lines Governance Model

DTC leverages the IIA’s Three Lines Model as part of its governance approach to ensure clear accountability, effective risk ownership, and independent assurance across the organisation. This model supports the systematic identification, management, and oversight of risks, while maintaining alignment with the Company’s risk appetite and governance framework.

Risk Management Process

DTC’s risk management process is a proactive and continuous set of coordinated activities used to identify, analyse, evaluate, treat, monitor, and report risks and opportunities across the Company. This approach enables early identification of emerging risks and supports timely mitigation actions.

DTC applies both top‑down and bottom‑up approaches to identify risks comprehensively which constitutes as the organisation risk profile.

Identified risks are classified into Level 1 risk categories to ensure consistent assessment and reporting across the Group:

• Strategic risks: Risks that may affect the Company’s long‑term objectives, business direction, or overall viability.

• Governance risks: Risks arising from weaknesses in governance structures, policies, controls, or compliance frameworks.

• Financial risks: Risks that may result in financial loss, including market, credit, liquidity, fraud, and capital management risks.

• Operational risks: Risks arising from failures in internal processes, systems, people, or technology.

• External risks: Risks originating outside the Company that may affect operations, reputation, or strategic objectives.

Once identified, risks are analysed by determining their likelihood and potential impact, considering the effectiveness of existing controls. Defined likelihood and impact matrices have been fully embedded into business processes, ensuring consistent evaluation and prioritisation of risks across the organisation.

Risks are then prioritised and monitored to ensure alignment with strategic objectives and operational requirements, enabling management to allocate resources effectively and implement timely mitigation measures where needed.

The risk heat map is a key visual tool used to support effective risk management across DTC. Following assessment, risks are plotted on a risk heat map based on their likelihood and impact ratings, providing clear visibility of exposure levels and priorities.

Risk mitigation is achieved through one or more of the following approaches: treat, tolerate, transfer, or terminate. Where risks with potentially significant impact on DTC’s objectives are identified, they are escalated in line with defined thresholds and governance requirements.

To support this process, DTC has implemented a dedicated Risk Acceptance and Escalation Policy, which outlines responsibilities, authority levels, and escalation timelines. This ensures appropriate oversight, timely decision‑making, and effective management of material risks.