How do you approach managing legal aspects during periods of instability or crises, and how does your legal strategy align with the broader business strategy to ensure the organisation’s resilience?

The following has been important for me to help businesses navigate crises. I like to utilise this framework, because it helps me to not get distracted on what to do next and allows me to remain focused on teasing out the facts to find a solution.

Crisis preparedness —by establishing a robust crisis management plan that includes legal considerations, you avoid jumping to conclusions and missing critical pieces of information. This covers potential legal risks, communication strategies, and a framework for decision-making during crises.

Legal risk assessment — continuously assess and identify legal risks specific to the crisis. This involves evaluating contracts, regulatory requirements, and potential liabilities that may arise due to the instability. But most importantly you cannot ask too many questions. A lack of information is one of the biggest challenges during any crisis.

A dynamic legal framework — the legal frameworks and policies must be flexible enough to adapt to rapidly changing circumstances. If you can adapt during difficult times, rather than being overly rigid, you will be able to get through to the other side of the problem much faster. This involves a robust muscle involving change management, which can often be very difficult for businesses.

Regulatory engagement — if necessary, maintaining open lines of communication with regulatory bodies. Staying informed about regulatory changes and seeking guidance can help navigate legal uncertainties during a crisis. I try to leverage outside counsel and technology to ensure that I can remain on top of the current regulatory landscape.

Crisis response team —having a dedicated legal crisis response team with clear roles and responsibilities. This team should include legal experts, compliance officers, and external legal advisors who can provide specialised knowledge. The internal team should at least practice a crises response at least one time per year to ensure that they can work efficiently and effectively.

Communication and documentation— ensure clear and documented communication throughout the organisation. This helps to ensure that all stakeholders are aligned, and that the facts are being accurately and clearly gathered.

Stakeholder management — a robust plan for engaging with key stakeholders, whether internal or external helps to manage expectations and communicate legal positions. Transparency is crucial to maintaining trust during periods of uncertainty.

Post-crisis review — after the crisis, it is very helpful to conduct a comprehensive legal review to assess the effectiveness of the legal strategies implemented. This review should inform future crisis management planning and legal frameworks.

What are the main cases or transactions that you have been involved in recently?

I have spent a lot of time building a strong governance framework across our companies. There has been tremendous growth and evolution of our companies in recent years, and at the beginning of 2023 began a new era where a head office was implemented that provides oversight, strategy, and guidance to four different companies, that are each an independent group of companies. Each operates in different markets, offers different services, and consists of more than 50 entities. To achieve this, I put the following into place: robust delegations of authority, with clear signatory matrices; a digitised process for raising requests and obtaining approvals; amendments to constitutional documents to ensure that the signatory and approval rights are embedded into the DNA of the companies, thereby ensuring that the delegation of authority is followed without a need for constant oversight. This also included the issuance of shareholders’ resolutions and directors’ resolutions; digitising governance – I onboarded compliance as a service tool, that allows us to manage and monitor all aspects of our governance function, including automatic notifications when license renewals are due or there is an AML concern related to one of our suppliers or customers; contracts and digitisation – I went through the process of redrafting all of our commercial contracts for our trade finance business. The purpose of this was to ensure that they were easier to understand for clients and to digitize them through a contract lifecycle management system. This allowed our sales team to shorten their sales cycle because the contract component of closing a deal was now easier and more efficient; KYC and AML framework with digitisation – I redesigned our KYC and AML framework to ensure that it was smoother, more effective, and could be digitised. Ultimately this has allowed us to be able to onboard suppliers and clients faster, to audit those files quicker, and to establish notifications if any of the documents become expired or if an AML concern arises with one of the files.

What do you see as the major legal challenges for businesses in the region over the next five years, and how are you preparing to address them?

The region’s regulatory and enforcement landscape has been maturing in recent years to be closer aligned with other mature global markets, and with the regional economies further. This includes the introduction of new regulations related to data protection and cyber security, foreign ownership, labour laws, and environmental standards. As a lawyer who has worked primarily in the technology sector, I believe that the laws particularly in that area will have a drastic impact on how businesses are operating. As we saw with the issuance of GDPR, this change the business landscape in Europe and is a key consideration that all businesses have when it comes to their operations. Countries like the UAE and Saudi Arabia are implementing stricter data protection laws, modelled after the EU’s GDPR. Businesses must navigate these regulations while ensuring that their data handling and processing practices are compliant or the businesses will risk fines, suspension or loss of license, and reputational damage. Similarly, the rise in cyberattacks globally, coupled with increased digitalisation in the region, has made cybersecurity a topic at the forefront of consumers’ minds, and therefore a real concern for businesses. Preparing for data protection and cybersecurity risks requires a comprehensive and multi-faceted approach, which can be resource intensive, thus businesses need to begin planning to adopt a robust framework for their business before the risks materialise. To do this I have been engaging in years’ worth of planning, to slowly embed good practices at a pace that the business can tolerate and is palatable from a cost perspective. Building strong governance policies is in my view a great place to begin because it is cost effective, and it plays a role in building a culture of compliance in the business. It is also important to understand what data your business has, why it has it, who’s data you have, where it is being stored, and how it is being stored. After understanding these, you can perform an effective risk assessment and make the necessary adjustments. Having this baseline also allows me to audit the practices when necessary, and to adjust as the regulatory requirements evolve. We have also built an incident response team that is designed to manage data related crises. The team is trained to handle data breaches and cyber incidents. Ensure that they are familiar with local legal requirements regarding breach notifications. This team has strong technical knowledge both of the systems and the laws. They also practice mock crises to ensure that they have a high level of preparedness. The last key preparation is in my view, the most important, and that is employee training and awareness. The majority of data-related incidents are rooted in an event involving an employee or employees. To mitigate this risk, it is very important to have a culture of compliance and strong ethics. This can be achieved through conducting regular training sessions to educate employees about data protection regulations, phishing attacks, and best practices for cybersecurity. This helps to ensure that all employees understand their role in maintaining data security. These challenges will require businesses in the Middle East to be proactive, flexible, and well-informed to navigate the evolving legal landscape successfully.