By Hadi Jaafarawi, Regional VP – Middle East & Africa at Qualys
2025 has already proved to be one of the most volatile years for global business in recent memory. From intensifying trade disputes and new tariffs to escalating regional conflicts, the sheer unpredictability of today’s operating environment is forcing business leaders to revisit their risk playbooks. In the Middle East especially, geopolitical shocks are being felt, not just at the boardroom level, but right across supply chains, investment flows, and technology strategy.
While it may be tempting to hope for a return to stability, the more pragmatic view is this: volatility is here to stay. Risk is no longer a sporadic challenge; it’s a defining feature of the modern business landscape. And in a world where the unknown is constantly knocking at the door, the real differentiator isn’t how little risk you have, but how well you define and manage it.
That’s why forward-thinking enterprises are now investing in capabilities that help to operationalize risk management. The most promising model emerging today is the Risk Operations Center (ROC). This is not simply another dashboard or reporting function. It is a centralized function dedicated to tracking, contextualizing, and continuously managing risk across the enterprise.
Proactive Risk Management Before the Breach
Since every business today involves digital applications or technology, cyber risk is business risk. Despite this, it’s important to recognize that the ROC is fundamentally different from a Security Operations Center (SOC). Where a SOC is event-driven and technical – monitoring systems and reacting to threats in real time – the ROC offers a broader, more strategic view of risk, aligned to business priorities.
Instead of focusing solely on alerts and incidents, the ROC seeks to answer higher-order questions: What risks are most likely to impact our business? What is our overall exposure? What vulnerabilities are truly material to business operations? What are our options? Do we mitigate, accept, or transfer this risk? Crucially, it ensures that answers to these questions are not siloed within IT but are worked out jointly across business functions – with compliance leaders, CFOs, and boards alike.
The ROC is a convergence point. It brings together cyber risk, operational risk, regulatory risk, and even reputational risk into one actionable framework. And to do this effectively, it must be grounded in data. This is where many organizations begin to feel the strain. SOCs can generate immense volumes of data, far more than most teams can contextualize. A 2021 estimate suggested the average global enterprise uses upwards of 70 security tools, each generating its own telemetry. CISOs may find themselves in the ironic position of having to incorporate past security investments into their current risk profile.
Industry Leaders Are Already Making the Shift
Some of the region’s most respected institutions are already moving in this direction. KPMG Lower Gulf, for instance, launched a dedicated “risk hub” in the UAE in late 2024. Designed around a modern governance, risk, and compliance (GRC) model, this hub demonstrates how ROCs can serve as proactive centers for risk intelligence, rather than reactive reporting lines.
It is not hard to see why this model is gaining traction. As businesses grow more complex, their ‘risk surface’ inevitably increases. Without a strategic function dedicated to monitoring and managing this surface, organizations are essentially flying blind. And in a region as dynamic as the Middle East, that’s simply no longer tenable.
Laying the Groundwork for a ROC Today
Approaches to the construction of a ROC are still in their infancy, but if each company assesses its own realities against its goals and empowers the right teams to take action, progress could be rapid. Collaboration between CISOs, CFOs and compliance officers will be of particular importance, as will partnerships with peers and vendors.
As cybersecurity risk grows in intensity, quantification will be of great help in the mitigation battle. The ROC will be pivotal in bringing the right data and know-how together to shield the enterprise from the worst its adversaries can throw at it. As we move through a turbulent 2025, one thing is clear: companies that make risk operations a core capability today will be the ones best positioned to lead tomorrow.