Internal Control

1. Internal Control System
2. Establishing Independent Units or Departments within the Company for Internal Audit, CG, and RM
1. Internal Audit Department
2. CG & Compliance Department
3. Risk Management

1) Internal Control System:

The Board shall approve an internal control system for the Company in order to assess the policies and procedures relating to risk management, implementation of the provisions of the Company's governance rules approved by the Company and compliance with the relevant laws and regulations. Such system shall ensure compliance with clear accountability standards at all executive levels in the Company, and that Related Party transactions are implemented in accordance with the relevant provisions and controls.

2) Establishing Independent Units or Departments within the Company for Internal Audit, CG, and RM:

1. For purposes of implementing the approved internal control system, the Company shall establish units or departments for the assessment and management of risks, internal auditing and governance and compliance.
2. The Company may utilize external entities to perform the duties and competencies of the units or departments of risks assessments and management and internal control without prejudice to the Company's responsibility for those duties and competencies.
3. Segregation of duties of departments of risk management and internal audit shall be made to ensure independence.

a) Internal Audit Department:

a-1) Internal Audit Department Duties

The internal audit unit or department shall assess and supervise the internal control system and verifies the extent to which the company and its employees comply with applicable regulations and instructions and the Company’s policies and procedures. The internal audit unit or department shall consist of at least one internal auditor who shall be recommended by the Audit Committee and reporting to it. In composition and operation of the internal audit unit or department, the following shall be considered:

1. The staff shall be competence, independent and appropriate training, and shall not be charged with any other work other than internal audit and internal control;
2. The unit or department shall report to and be associated with the Audit Committee;
3. The compensations of the Director of the Audit Unit or Department shall be determined on the proposal of the Audit Committee in accordance with the Company's policies; and
4. The Unit or Department shall have access to the information and document without restriction.

a-2) Internal Audit Plan

The internal audit unit or department shall operate pursuant to a comprehensive audit plan approved by the audit committee. Such plan shall be updated annually. Key activities and operations, including the activities of risk management and compliance departments, shall be reviewed at least annually.

a-3) Internal Audit Reporting:

1. The internal audit unit or department shall prepare and submit a written report on its activities at least quarterly to the Board and the audit committee. Such report shall include an assessment of the Company's internal control system and the final opinion and recommendations of the unit or department. Such report shall also specify the procedures taken by each department for addressing the findings and recommendations from the previous audit, and any remarks thereon, particularly failures to promptly address such findings and recommendations and the reasons for such failure;
2. The internal audit unit or department shall prepare a general written report to be submitted to the Board and the audit committee on the audit activities it carried during the fiscal year compared to the approved plan. Such report shall explain the reasons for any deviation from the plan, if any, during the quarter following the end of the relevant financial year;
3. The Board shall specify the scope of the report of the internal audit unit or department, based on recommendations from the audit committee and the internal audit unit or department. The report shall include the following in particular:
   • procedures for monitoring and overseeing the financial affairs, investments and risk management;
   • assessing the development of risk factors threatening the Company and the existing systems, in order to confront radical or unexpected changes in the Exchange;
   • an assessment of the performance of the Board and the Senior Management with respect to the implementation of internal control systems, including specifying the number of times the Board has been informed of control issues (including risk management) and a description of the method followed to address such issues;
   • failures or weaknesses in the implementation of internal control, or emergency situations that have affected or may affect the Company's financial performance, and the measures taken by the Company to address such failures (particularly the issues disclosed in the Company's annual reports and its financial statements);
   • the extent to which the Company has complied with the internal controls when determining and managing risks; and
   • information describing the Company's risk management operations.

a-4) Maintaining Internal Audit Reports:

The Company shall keep records of the audit reports and business documents, which shall clarify its accomplishments, findings and recommendations, and all actions taken in their regard.

b) CG & Compliance Department:

The CG & Compliance Department shall be responsible for the effective implementation of the Company's CG Framework and shall report to the CEO or Managing Director (if any), submits its performance report thereto and report to the CG Committee (if any). Also, the CG & Compliance Department shall:

1. Ensure that the Company complies with the CG requirements by applying the regulations and instructions issued by the CMA and other relevant regulatory bodies and the company bylaw;
2. Develop internal regulations, rules and policies related to CG and compliance in a manner that does not conflict with the regulations issued by regulators, and ensure the Company's compliance with them, and propose amendments and updating them in accordance with regulatory requirements and best practices as needed;
3. Take preventive measures to ensure that the Company achieves compliance and assess their appropriateness on an ongoing basis.
4. Provide the necessary advice to the Board, its Committees and Executive Management in the field of governance and its applications.
5. Keep the Board and its Committees informed about the developments in CG and best practices.
6. Prepare the necessary responses to the inquiries received from the regulatory bodies related to governance and compliance;
7. Preparing and coordinating with local and international agencies that are interested in evaluating the company's efforts in the field of CG and give rating and awards, which enhance the company's reputation in the field of CG and transparency.
8. Develop a related parties’ transactions register for Board members, Executives, their relatives and major shareholders, and update it on a continuous basis in cooperation with the Group's management, OpCos and “Concerned Persons”;
9. Develop the annual report (CG and compliance Part) as well as the related periodic reports and ensure their compliance with regulatory standards and requirements;
10. Arrange for the Ordinary and Extraordinary GA in light of the provisions of Chapter II of the CG Regulations issued by the CMA and the Company's Bylaws that related to the Shareholders Assemblies.
11. Review the minutes and resolutions of the Board and Committees to make any observations thereon (if any) in light of the CG requirements, relative regulations and the LoA approved by the Board to confirm compliance;
12. Review all material disclosures that may affect security price before it is publication, including periodicals, newsletters and publications issued by the company as well as the company's website and social media sites to ensure their compliance with the laws and regulations of the listed companies, so that the company avoids any violations that may occur as a result of that;
13. Manage the operating online systems and Company’s account with the CMA and (Tadawul) and update them periodically.
14. Prepare the Company’s announcements, and ensure their compliance with rules and standards and supervise their publication on Tadawul website and circulate them to the Board members and the executives. In addition, the department shall notify/update the Board members and executives regularly about relevant announcements issued by CMA and other listed companies published in Tadawul and CMA websites through the CG and Compliance Officer.

The Company, from time to time, may seek consultation from a specialized external entity to assist it to update and enhance its CG framework and standards to regularly match the leading international practices in the field of CG and compliance.

c) Risk Management:

c-1) Risk Management policy

The objective of this policy is to ensure having an effective and efficient risk management for the Group and its subsidiaries. To achieve this goal, the Board of Directors and the Company's committees, including the Risk Management Committee (if any), AC, IC, RNC Committee and the Executive Management, supervise the risk management activities and work (each in its area). The Board is responsible for ensuring that the risk management procedures and measures are being implemented effectively and efficiently. As this leads to the achievement of the Company's strategic, operational and commercial objectives. The Board may take the appropriate measures and mechanisms to help achieving this objective, including the establishing of a special risk management unit.

The Group, like any other economic entity, may be affected by risks through the nature of its commercial activities in basic food commodities, retail, and other investments. These risks may be summarized in the possibility of Group operations being exposed to geopolitical risks that result from its operations outside the Kingdom, as well as fluctuations in raw material prices, currencies, speculation, and unfair price competition in the local and international markets where it operates. There are also economic and political risks in the countries where it operates and risks pertaining to new markets in the region, in line with the Group’s geographic expansion strategy. Further risks include fluctuation in foreign currency, exchange rates against the Saudi riyal, or other currencies of the countries that the Group operates in, and inflation in the economies of countries where the Group operates; risks related to entering into new investments; and risks that might be associated with the current economic conditions and political situation in countries where the Group operates or exports its products. The Group faces other risks from its various investment shareholdings in different companies and funds, locally and internationally

As part of the Company's policy in managing these risks, is to establish effective mechanisms and procedures to closely monitor the risks which the Company is exposed to through its Board, the Company Committees, the Executive Management, the relevant team members in the subsidiaries, the Risk Management Unit (if any) and the Risk Management Committee (if any). Also the subsidiaries have policies, plans, procedures and measures in this regard. The company continuously develops and updates its existing risk management systems. The Group also discloses annually the overall perception of potential risks through the annual directors’ report.

The most important types of risk faced and managed by the Group through the mechanisms mentioned in this policy are credit risk, currency risk and fair value cash flow interest rate risks, Liquidity risk, and price risk as well as risks of human resources, compliance with laws and regulations, investments and others.

Within the framework of risk management mechanisms and procedures, the company develops an integrated (Enterprise Risk Management “ERM”) program for itself and operating companies and it will be activated by a GRC system developed by the company with the assistance of a specialized consultant in this field under the supervision of the Executive Management. The objective of this system is to effectively enhance the participation of the Board and the Executive Management Team in the risk management process to ensure a unified vision of the risks faced by the Group.

c-2) Risk Management Department

The Risk Management Department reports to the CEO, the Managing Director (if any) or any other executive, submit its performance reports thereto and report to the Risk Committee (if any). It is a completely independent Function of Internal Audit Function. The Executive Management shall provide regular report on risk management activities to the Board in the light of their risk management competencies set out in this Manual. Also, the Risk Management Department shall:

1. Develop an effective strategy, plans, policies, procedures and measures for Savola Group’s and OpCos’ risk management and systems to assess risks to identify and address deficiencies;
2. Implement risk management plans and strategy;
3. Monitor the risks to which the Savola Group and its OpCos may be exposed, and the extent to which they are exposed to such risks and conduct ongoing assessments in this regard;
4. Develop a plan for crises and emergencies;
5. Coordinate with the Executive Management of Savola Group and its OpCos to ensure that the risk management system is efficient and effective and that is implemented;
6. Develop risk exposure reports and proposed steps to manage these risks and submit them to the Board; and
7. Study and review issues raised by the Audit Committee that may affect the Company's risk management.

The Company may from time to time appoint a specialized consultant or expert to assist in the development/updates and effective implementation of risk management systems and plans.