Delegation of Authority in UAE Companies: Why Getting It Wrong Costs More Than You Think

Key Takeaways

  • Delegation of authority in the UAE is a legal obligation, not a governance preference. Under Federal Decree-Law No. 32 of 2021, directors and managers who act outside their documented authority, abuse their powers, or engage in gross negligence face personal liability — independent of the company's limited liability structure.
  • Article 154 of the CCL defines specific board-reserved matters for Joint Stock Companies — including loans over three years, asset sales and pledges, mortgage arrangements, and arbitration agreements — that cannot be delegated without board resolution or General Assembly approval.
  • Over 50% of fraud cases globally exploit absent or overridden authority controls (ACFE 2024 Report to the Nations). An outdated or unenforced DOA framework is not a neutral gap — it is an active fraud enablement condition.
  • SCA Decision No. 2/R.M of 2024 (effective January 16, 2024) mandates listed PJSCs adopt a COSO-aligned internal control framework. A DOA that is not embedded in operational systems and reviewed regularly is a COSO control deficiency subject to external auditor reporting.
  • 49% of organisations lack a formal materiality threshold in their DOA (EY/Society for Corporate Governance). A policy without materiality thresholds cannot be operationally enforced or externally verified.

➀ Introduction 

Most UAE companies believe they have a delegation of authority framework in place. What they actually have, in many cases, is a document — often a spreadsheet or a legacy policy drafted years ago — that describes authority as it once existed, not as it currently operates. The organisation has grown, roles have changed, entities have been added, and the executives who signed the original framework may no longer be in their positions. But the document remains, quietly out of date, while the business makes daily financial and operational commitments under authority structures that no one has formally reviewed.

A DOA framework in the UAE — when properly designed — is not an administrative formality. It is the mechanism by which a board translates its governance and risk appetite into enforceable decision rights across the organisation. It defines who can commit the company to financial obligations, at what thresholds, under what conditions, and with what evidence. Under the UAE Commercial Companies Law (Federal Decree-Law No. 32 of 2021, as amended by Federal Decree-Law No. 20 of 2025), this is not merely a governance best practice. It has direct legal implications for personal liability, contract enforceability, and the board's ability to demonstrate that it governed the organisation with the diligence the law requires.

The consequences of getting the delegation of authority wrong fall into four categories — each with a quantifiable cost that most boards do not see until it has already materialised.

 

5% of annual revenue lost to occupational fraud (ACFE, 2024)

49% of organisations lack a formal DOA materiality policy (EY)

1.3× more likely to meet financial targets with clear decision rights (Deloitte)

 

➀ Failure Mode 1 — Legal Liability That Travels Upward

Under Federal Decree-Law No. 32 of 2021, directors and managers of UAE companies who abuse their powers, act outside the limits of the company's constitutional documents, violate the law, or engage in gross negligence may be held personally liable for any damage suffered by the company, its shareholders, or third parties. Where the wrongful act results from a board decision, liability is joint and several among all directors who voted in favour or failed to record their dissent in the meeting minutes. Limited liability protects shareholders — it does not protect directors and managers from the consequences of their own governance failures.

Article 154 of the CCL defines specific reserved matters for Joint Stock Companies that require either board approval or a special resolution from the General Assembly. These include entering into loans for periods in excess of three years, selling or pledging the company's property or stores, mortgaging movable and immovable assets, discharging debtors from obligations, and agreeing to arbitration. Any manager or executive who commits the company to one of these categories without the required board authority has acted outside the legal limits of their delegation — and the board that failed to define those limits in writing has contributed to the conditions that allowed it.

A further risk that UAE companies routinely underestimate: when a manager or director who operated under a Power of Attorney leaves the organisation, that Power of Attorney remains legally effective until it is formally revoked and removed from the commercial register. Transitions without formal PoA revocation mean that a former executive may technically retain authority to bind the company — a gap that a properly maintained DOA and PoA register eliminates.

The cost: Acting outside documented delegation limits under UAE law is not a procedural issue. It creates enforceable personal liability for the individual and potential joint liability for the entire board — regardless of intent.

 

➀ Failure Mode 2 — Fraud and Control Failure Find the Gaps

The Association of Certified Fraud Examiners' 2024 Report to the Nations — drawing on 1,921 cases across 138 countries — found that organisations lose an estimated 5% of annual revenue to occupational fraud. The median loss per case is US$145,000. More than half of all fraud cases occurred because of a lack of internal controls or management override of existing controls. These are precisely the conditions that an absent, outdated, or unenforced delegation of authority framework creates.

A delegation of authority gap is not just an approval process problem. It is a fraud enablement problem. When financial commitments can be made — or have historically been made — outside defined thresholds, without documented approval, or through informal channels that bypass the authority matrix, the organisation has no reliable basis for detecting that an unauthorised commitment has occurred. The absence of a clear corporate authority matrix that is embedded in procurement, finance, and contracting workflows means that exceptions become indistinguishable from standard process.

The SCA's Decision No. 2/R.M of 2024 — effective January 16, 2024 — mandates that listed PJSCs establish a stringent internal control framework aligned with the COSO model, with external auditors now required to issue a separate opinion on internal control effectiveness. A delegation of authority framework that is not documented, not current, and not embedded in the company's operational systems is a COSO control deficiency that an external auditor will flag — publicly, in a listed company's annual report.

The cost: Over 50% of fraud cases globally exploit absent or overridden authority controls. A DOA framework that exists only as a document — not enforced through systems and training — provides no protection against the fraud it was designed to prevent.

 

➀ Failure Mode 3 — Authority Drift Silently Erodes Decision Quality

Authority drift is the gradual divergence between documented decision rights and the authority that people actually exercise in practice. It happens continuously as organisations evolve — through restructurings, role changes, acquisitions of new entities, system workarounds, and temporary delegations that become permanent arrangements. Drift is rarely deliberate. But it is always measurable in its consequences once someone looks.

A Bain & Company study published in Harvard Business Review found that a single company's weekly executive committee meeting consumed more than 300,000 hours of organisational time annually — across preparation, attendance, and the downstream meetings required to service it. That is not a strategy problem. It is an authority problem. Decisions escalate to executives who should not need to make them because the authority matrix below them is ambiguous, outdated, or simply not trusted by the people expected to use it. The authority matrix and the operating reality diverge, and the gap fills with delay, duplication, and hierarchy.

For UAE companies operating across multiple entities — mainland subsidiaries, free zone companies, and offshore holding structures — authority drift is compounded by jurisdictional complexity. A group-level DOA that does not explicitly address which authorities apply at entity level, and which require group approval, creates a governance framework that exists in name but not in substance. The SCA Governance Code's requirement that parent companies establish and monitor group governance frameworks across subsidiaries makes this not only a risk issue but a regulatory compliance obligation for listed groups.

The cost: Deloitte research shows companies with clearly defined decision rights are 1.3x more likely to meet their financial targets. Authority drift costs the same companies those financial targets — one deferred decision at a time.

 

➀ Failure Mode 4 — Due Diligence and Capital Events Expose What Was Never Fixed

Every M&A transaction, IPO preparation, lender due diligence, or regulatory inspection eventually arrives at the same question: can the company demonstrate that its financial and operational commitments were made by the right people, at the right authority level, with the right documented approvals? An acquirer's due diligence team, an IPO sponsor, or a CBUAE examiner will request the DOA framework, the approval records for material transactions, and evidence that the framework has been actively maintained. What they find — or fail to find — determines how they price the governance risk they are inheriting.

Research across more than 700 organisations found that companies lose an estimated 9.2% of annual revenue due to poor contract management — a significant proportion of which traces to approval bottlenecks and commitments made outside formal authority. In a UAE due diligence context, these historical approval gaps become contingent liabilities — contracts signed without the required authority may not be enforceable by the company, and commitments made at values exceeding the signatory's documented threshold may be challenged by counterparties or regulators after a transaction closes.

An EY and Society for Corporate Governance study found that while nearly 90% of organisations have implemented DOA policies, nearly half lack a formal materiality threshold — meaning the policy does not specify the financial and operational levels above which escalation is required. A policy without materiality thresholds is not a control. It is a statement of intention that cannot be operationally enforced or externally verified.

The cost: A DOA framework that cannot survive due diligence scrutiny does not just fail the governance test. It fails the valuation test — reducing the price a buyer will pay or the terms a lender will offer, on the basis of control risk that the seller treated as a documentation formality.

 

➀ What a UAE Board Governance Framework for Delegation of Authority Actually Requires

A legally sound, operationally enforceable delegation of authority framework for a UAE company is not a single spreadsheet with approval limits. It is a structured governance instrument with five components that must work together.

Reserved matters at board level. The framework must explicitly define which decisions cannot be delegated — including the Article 154 CCL reserved matters for JSCs (loans over three years, asset pledges, mortgages, debt forgiveness, arbitration), and any additional matters the board chooses to retain. These must be documented in the board charter and reflected in the DOA.

Financial authority thresholds by role and entity. Every approval limit must be expressed in AED values, assigned to a specific role (not a named individual), and calibrated by entity — with explicit rules governing which thresholds apply within subsidiaries and which require group-level approval. The 49% of organisations without formal materiality thresholds have a control gap that an auditor or regulator will find.

Signatory authority and Power of Attorney register. Every PoA granted to a manager, director, or authorised signatory must be logged, maintained, and reviewed against the DOA for consistency. Former executives' PoAs must be revoked and removed from the commercial register as part of any exit process — a step that is routinely skipped and routinely creates post-departure legal exposure.

System-embedded enforcement. A DOA that exists only in a document is not enforced. Authority thresholds must be built into ERP, procurement, and payment systems — so that an approval at the wrong level triggers a workflow exception, not a conversation. This is the difference between a control and a policy.

Scheduled review and version control. Every material change to the organisation — a new entity, a restructuring, a leadership change, a regulatory update — should trigger a formal DOA review. The Federal Decree-Law No. 20 of 2025 amendments to the CCL, effective January 1, 2026, introduced new entity migration and group structure provisions that may require corresponding DOA updates for affected UAE companies.

 

➀ Conclusion

A delegation of authority framework that has not been formally reviewed since it was drafted is not a governance asset. It is a governance liability waiting for a triggering event — an audit, a transaction, a fraud incident, or a regulatory inspection — to reveal the gap between what the document says and how the organisation actually operates.

The costs are predictable and quantifiable: personal liability exposure for directors, fraud losses that find the gaps in the authority matrix, decision-making inefficiency from authority drift, and valuation discounts applied by buyers and lenders who discover the control gaps during due diligence. None of these consequences are difficult to prevent. All of them are difficult to reverse once they have occurred.

In a UAE regulatory environment that has raised the governance floor with amendments to the CCL effective January 2026, and SCA internal control requirements that mandate external auditor reporting on control effectiveness, a delegation of authority framework that is current, legally aligned, and operationally embedded is no longer a governance enhancement. It is the minimum standard the environment demands.

Build a Legally Sound DOA Framework with ASC Group

ASC Group's Corporate Governance practice designs, reviews, and implements Delegation of Authority frameworks for UAE businesses across all entity types — from mainland LLCs and listed PJSCs to DIFC, ADGM, and free zone entities. Whether you are building a DOA from scratch, reviewing an existing authority matrix for alignment with the amended CCL and SCA Governance Code, or preparing for an M&A transaction, IPO, or regulatory inspection, our advisors deliver frameworks that are operationally practical, legally defensible, and audit-ready.

🔗  Corporate Governance Services:  ascglobal.ae/our-services/risk-advisory/corporate-governance

🔗  Internal Audit & Risk Advisory:  ascglobal.ae/our-services/risk-advisory

🔗  ICFR & Internal Controls:  ascglobal.ae/our-services/risk-advisory/internal-control-over-financial-reporting-icfr

📞  Confidential consultation:  +971 50 328 7722  |  info@ascglobal.ae | https://wa.me/971503287722

➀ Frequently Asked Questions

Q1. Is a formal Delegation of Authority framework legally required for UAE companies?

For listed Public Joint Stock Companies (PJSCs), the SCA Governance Code and the CCL together require that boards define and document their reserved matters and governance frameworks — making a formal DOA a regulatory obligation rather than a voluntary practice. For all UAE companies — LLCs, PJSCs, free zone entities, and holding structures — the CCL's personal liability provisions mean that operating without a documented DOA creates direct legal risk for directors and managers who make commitments outside their lawful authority. While there is no single article that mandates a 'DOA document', the combination of reserved matter requirements, personal liability provisions, and COSO internal control obligations effectively makes a formal, maintained DOA framework an essential legal safeguard.

Q2. What are the board-reserved matters under the UAE Commercial Companies Law that cannot be delegated?

Under Article 154 of Federal Decree-Law No. 32 of 2021, the following matters for Joint Stock Companies require board approval or a special General Assembly resolution before they can be executed: entering into loans for periods exceeding three years; selling or pledging the company's property or commercial stores; mortgaging the company's movable and immovable properties; discharging debtors from their obligations to the company; and agreeing to compromises or arbitration. These matters must be explicitly included in a company's DOA as board-reserved, with written board approval required before any executive can commit the company.

Q3. What is authority drift and how does it affect a UAE company's governance framework?

Authority drift is the gradual divergence between documented decision rights and the authority that individuals actually exercise in practice. It occurs as organisations grow, restructure, and add entities without updating the delegation of authority framework to reflect new roles, thresholds, and reporting lines. In UAE group structures — where authority must be clearly defined across mainland, free zone, and offshore entities — authority drift creates a governance framework that exists on paper but does not reflect operational reality. The practical consequences include fraud enablement gaps, compliance failures in procurement and contracting, and inability to demonstrate effective internal controls during audit, due diligence, or regulatory inspection.

Q4. How do the 2025 amendments to the UAE Commercial Companies Law affect existing DOA frameworks?

Federal Decree-Law No. 20 of 2025, effective January 1, 2026, introduced several material changes to the CCL — including new re-domiciliation provisions (Article 15 bis) allowing companies to migrate between Emirates or between mainland and free zone without losing legal personality, expanded private placement options for private joint stock companies, and new shareholder arrangement tools such as drag-along and tag-along rights. Companies that have undertaken or are planning entity migrations, structural reorganisations, or new group arrangements under the amended law should formally review their DOA frameworks to ensure that authority thresholds, signatory rights, and reserved matter definitions remain aligned with the new entity structure.

Q5. What should a UAE company do if it discovers its DOA has not been reviewed in several years?

The first step is a formal DOA gap assessment — comparing the existing framework against the current organisational structure, entity map, regulatory requirements, and risk appetite. This will typically identify authority gaps, thresholds that no longer reflect commercial reality, missing materiality definitions, and PoA records requiring revocation or renewal. Following the gap assessment, a revised DOA should be drafted, approved by the board, embedded in relevant operational systems, and communicated with documented training to all relevant stakeholders. The review cycle should then be formalised — at minimum annually, and triggered automatically by any material organisational, regulatory, or leadership change. ASC Group's Corporate Governance practice conducts DOA gap assessments and framework implementations for UAE entities across all sectors.

 

ASC Group UAE  |  One by Omniyat, Business Bay, Dubai  |  www.ascglobal.ae  |  info@ascglobal.ae  |  +971 50 328 7722  |  https://wa.me/971503287722

 

© 2026 ASC Group. All rights reserved. This content is for informational purposes only and does not constitute legal or professional advice.
