Rationalising risk: Adapting to the MENA region’s regulatory surge

Regulatory reforms can be good for business by strengthening rule of law, harmonising commercial frameworks across borders and evening the playing field to create a more competitive business environment. However, the speed of reform poses a challenge for businesses in keeping up with their obligations without spending inordinate time and resources on compliance. So, how should organisations in the region approach the current wave of reform? This article outlines best practices to prioritise effort and sequence reforms.

There are three key challenges facing organisations in MENA’s current regulatory transition.

Some organisations struggle to know exactly where their ‘borders’ lie in terms of compliance - for example, the degree to which they need to monitor and stress test third parties’ policies and procedures. Similarly, many businesses have undertaken expansions and acquisitions, and continue to do so, raising questions about compliance across jurisdictional authorities (where expansion is across borders) and between agencies within a country, where they are entering a different sector.

Assembling and maintaining a continually updated repository of compliance obligations - and adaptations and amendments - is a challenge that most businesses face today. It is critical that every organisation maintains its own such tracker, capturing relevant sources for its industry and business through, for instance, monitoring the websites of regulators, signing up to mailing lists of relevant regulators, subscribing to reliable legal databases and/or taking up membership of professional groups. But this is a labour-intensive process that needs to be done comprehensively and continuously to be a dependable resource.

Compliance is an emerging profession in the region, with a surge in candidates seeking certification. However, there is a shortage of experienced professionals who can support and drive compliance processes in-house.

Here’s what some of our clients have highlighted as their top compliance management concerns:

  • “How do we ensure that our current compliance mechanism can stand regulatory scrutiny or a full-on inspection?”
  • “Our business is spread across eight different jurisdictions and exposed to regulations from different regulators and it is very difficult for a central team to ensure compliance across geographies.”
  • “Is there a way we can get updates to all regulatory developments through a single reliable source?”
  • “We have four different business units catering to a completely different set of activities. How do we know which compliance operating model would work best for a business as diversified as ours?”


Tangible actions organisations can take to progress - focus strategically and prioritise their efforts

  • Establish the context: Organisations should systematically identify their compliance obligations across their activities, products and services. In effect, you need to plan before you start taking action. If an organisation is assembling an inventory, for example, they need to understand and define what their business is. Some firms have expanded their risk landscape through deals and contracts with different parties, such as an organisation operating in multiple sectors or a family business with diversified business operations. Where is the line for compliance risk on, say, health and safety? Companies need to set the boundary of what they want to be responsible for. While there is no Middle East-based standard or guideline on how to achieve this, there is an international standard - ISO 37301, Compliance management systems - that you can consider when defining your landscape and designing compliance programs based on the principles of good governance, proportionality, transparency and sustainability. The standard is a useful benchmark for organisations that wish to implement a compliance management system or are looking to standardise their practices.
  • Focus on key risk - and be practical: A phased approach is better than a big bang compliance reform. By prioritising the obligations into high, medium and low risk, organisations with a large portfolio of activities can prioritise based on the likelihood of non-compliance - and its impact. If the impact of non-compliance is bearable and not threatening to the business, say, or to safety and wellbeing of staff, customers or the public, they might opt to focus on it later. A useful distinction might be the example of a healthcare company having unlicensed doctors, for instance, a risk that cannot be borne, versus failing to have an updated registry, which might result in a modest fine. It is key to keep the compliance universe manageable and practical by monitoring key requirements. Some clients want to try and achieve everything in their compliance reforms and as a result, do not make the process practical. 
  • Interpret with diligence: Make sure you are interpreting laws and requirements diligently and seeking relevant support from experts or external subject matter experts. When new laws and regulations are released, it can sometimes be challenging to interpret and understand them correctly - for example, with the new suite of data protection laws being introduced across the Middle East, you need to understand what relates to those who store data, versus those who also process it. Do not take action on a regulation before knowing exactly what you are expected to be compliant with, otherwise you could be over- or under-compliant.
  • Handling legacy issues: It is important to make sure that previous trends and legacy issues with recurring non-compliances, or intentional management decisions, are considered while defining this landscape. So if an organisation has previously been fined or penalised for not complying with a specific requirement, it has to prioritise this requirement and focus on becoming compliant going forward to avoid further issues.

Developing the right capabilities and solutions

Risk management looks to put controls in place to protect the organisation, its resources and operations. However, there are often risks that may not be considered or controls that may not be possible or effective in preventing threats from materialising. Business continuity management (BCM) complements risk management by preparing for possible disruption if threats do materialise. It does this by developing resilience solutions for the resources the organisation requires, together with response capabilities if things go wrong.

In developing BCM capabilities, organisations should integrate various components relating to threat response and recovery and ensure they work holistically. This requires the formation of teams and plans to guide the responses to incidents, recover critical resources and manage impacts on the organisation. Those core components are:

  • Emergency response (where physical incidents impact the safety of people and assets)

  • Incident management and crisis management (tactical and strategic coordination, decision-making and communications)

  • Business recovery (where operations, functions and third party supply are disrupted)

  • Technology recovery (where information and communications infrastructure, systems and data are interrupted)

BCM aims to ensure the viability of the organisation by protecting against physical threats to operations as well as threats of a strategic nature. The latter may include, for example, legal or regulatory challenges that put operating licenses at risk, the emergence of disruptive technologies and business models, and pressures relating to sustainability.

Although many organisations have BCM programmes in place, they are often unprepared when real incidents occur. This is usually due to a siloed approach and limited integration of the core components outlined above. In many cases it will result from treating BCM as purely a box-ticking requirement instead of an integrated, holistic approach.


Regulatory reforms in the Middle East are modernising the business environment, encouraging international investment and helping domestic companies build global businesses by aligning with best practices. Yet the speed and scope are unprecedented in recent years. Organisations need to invest resources in a dedicated compliance team, be practical about what to prioritise, and seek expert guidance to avoid over- or under-complying.

There is no one-size-fits-all approach to compliance, so it is best to follow a tailored approach that addresses your business-specific challenges and helps mitigate compliance risks.
