
Enterprise Risk Management

Zain’s operational landscape is changing at a fast pace, largely due to ever-evolving technologies and their adoption to meet customer needs. Achieving the long-term strategic objectives set by the company has required adopting a robust, relevant, and agile Risk Management Framework that is continuously revised and aligned with international best practices such as the COSO Framework and ISO 31000 guidelines. Figure 1 below depicts the Risk Management Framework adopted by Zain.

Figure 1: Zain Risk Management Framework (alignment to ISO 31000)

Enterprise Risk Management reports directly to the Board Risk Committee (BRC), exemplifying the importance of the long-term sustainability of the business. The BRC oversees compliance with risk management policies and procedures, and reviews the adequacy of the risk management framework in relation to the risks faced by the organization. Framework changes are reviewed and approved by the BRC on an annual basis, and the review of changing risk trends occurs on a quarterly basis. Zain’s assurance functions such as the Internal Audit and Corporate Governance departments, and their respective board committees, along with Group Risk Management, assist the BRC in its oversight.

Zain assesses its social, economic, and environmental impacts from a risk perspective and has continued to align them with the Corporate Sustainability strategy since 2019. These assessments take into account climate change-related risks and opportunities as well as the rights of children including child online safety and child labor. Risks that matter and have the most material impact on Zain are identified through proactive research and comprehensive engagement with stakeholders, so mitigation can be planned at a much earlier stage.

The Risk Management department engages with its top four stakeholder groups in the following ways:

  1. Employees: Group Risk Management continues to engage with and educate all users on various security threats and promotes a culture of reporting. The awareness campaign was launched in 2020 and continues to run across all operations.
  2. Government & Regulators: Engagement with governmental entities is done through the Corporate Governance and Regulatory teams.
  3. Shareholders: Group Risk Management reports to the Board Risk Committee on a quarterly basis.
  4. Executive Management: Group Risk Management and the operation’s Risk Management teams continually engage with executive management to ensure that risks are being identified, addressed and mitigated as per the direction of the Board of Directors.

Zain continues to utilize an impact-likelihood matrix to determine the risk rating of the events facing the company across its operations. The impacts are assessed across multiple parameters that include financial, reputational, climate change, markets, customers, employees, and others. The rating also takes into consideration the ‘pre’ and ‘post’ mitigated status of the risks, providing information on both the inherent and residual risk status of the organization.

Figure 2: Zain Risk Management Framework (alignment to COSO)

[Figure: a flow from Mission, Vision & Core Values through Strategy Development, Business Objective Formulation, and Implementation & Performance to Enhanced Value, supported by five components: Governance & Culture; Strategy and Objective-Setting; Performance; Review & Revision; Information, Communication, & Reporting.]

The table below illustrates some of the key risks across Zain Group and how they are being mitigated through various mitigation options:

Table 1: Key Risks for Zain

Regulatory Changes & Management of External Stakeholders

  • Description: As our business is undergoing a digital transformation, the regulatory implications bring new challenges.
  • Impact: Increased cost of operations (license fees, cost of regulatory compliance) leading to lower profits; delay or rejection in launching new businesses and services to create new revenue streams.
  • Management Response: Participate with market regulatory authorities and other stakeholders, engaging on market issues, with clear focus on common benefit. Innovation in new products and services to enhance revenues and overcome increased regulatory costs.

Cyber Security Risks

  • Description: As technologies are rapidly advancing, cyber security threats are also evolving and need continuous monitoring.
  • Impact: Customer data breach, financial, reputational or regulatory consequences.
  • Management Response: Continuous enhancement of our cyber security capabilities by updating: 1. Policies and procedures; 2. Implementing the latest security tools; 3. Training and awareness programs; 4. Periodic security assessments.

Over the Top (OTT) applications

  • Description: Disruptive technologies are being adopted at an extremely fast rate, where competitors are infringing into traditional voice and SMS revenue streams.
  • Impact: These OTT players continue to impact revenue for all mobile network operators without having to conform to regulatory requirements.
  • Management Response: Transform our business from a pure telecommunications model to a digital service provider by creating innovative products and services and reinventing business models.

Geopolitical & Macro-economic situation

  • Description: Zain operates in multiple markets, and changes to macro-economic indicators such as inflation and currency devaluation impact operations enormously.
  • Impact: Reduced customer spending ability leads to reduced revenues impacting the execution of the company’s plan and strategy. Weakening currencies impacts the profitability of Zain’s operations and asset valuation. Geopolitical difficulties lead to reduced access to capital and technology.
  • Management Response: Ensure cost optimization initiatives and access to long- and short-term capital options through varied sources of funding. Employ various hedging instruments to prevent value erosion of assets. Continuous improvement of our business continuity capabilities across our operations.

Price Wars & Irrational Competition

  • Description: Unrestrained competitors or irresponsible operators with low value and market share could lead to market erosion through price pressures.
  • Impact: Impacts revenue, profitability, and metrics of customer experience.
  • Management Response: Observe the competitor landscape in all markets, and counter suitably in product offerings. Ensure the market is fair and competitive, while trying to create value propositions to maintain customer loyalty.

Precautionary Principle

As a precautionary principle, Zain complies with applicable environmental requirements in the design of our products and delivery of services. Rapid advancement in technology is one of our principal risks, monitored by the BRC, Climate Action Committee, and the Board. Our business depends on technology to develop and deliver the low carbon products and services our customers require. Our product design and procurement teams engage with our suppliers to develop products with lower eco footprints. The checklist used as part of the design process includes climate-related considerations such as energy use and end of life disassembly for repair or reuse.

Business Continuity Management

Zain Group is committed to ensuring the continuity of its businesses in the event of an incident or disaster that could cause major disruption. In response to the COVID-19 pandemic, Group Risk developed a framework for seamless work from home. The exercise, coordinated with several business units, involved identification and prompt deployment of tools, assets, and trainings for our staff to continue offering services to customers.

Group Risk developed critical continuity indicators to monitor the pandemic response situation at the operations. The indicators are presented and reviewed by the COVID Crisis Committee at Zain Group.

Further, Group Risk developed the Safe Return to Work plan for the gradual return of staff to offices. This year, the company started to operate at full capacity in some of its operations. As such, Zain continued to follow the guidelines set by the COVID Crisis Committee in addition to following the country-specific COVID-related rules and regulations.

 


Process for identifying, assessing, and responding to climate-related risks and opportunities

We recognize that climate change poses physical risks (i.e. caused by the increased frequency and severity of extreme weather events) and transition-related risks (i.e. economic, technology or regulatory challenges related to moving to a greener economy) for our business.

The process to assess the materiality of climate-related risks and opportunities follows industry and sectoral relevant benchmark data and takes into consideration our principal risks.

We adopted three scenarios in line with the Task Force on Climate-related Financial Disclosure (TCFD) guidance. We conducted the required assessments to quantify the business impacts of all material climate-related risks under each scenario and over different time horizons to better understand the financial value at risk across service revenue and EBITDA.

Key risk and opportunity areas arising from the scenario-based climate risk and opportunity assessment are as follows:

  • Physical Risk: Rising mean temperatures that could negatively impact our margins and operating costs.
  • Physical Risk: Increase in frequency and impact of extreme weather events (e.g. excessive precipitation) leading to disruption of services.
  • Transition Risk: Increase in unit economics of energy costs.

Opportunity 1:

During the assessment of climate change opportunities for our telecom sites, we noticed that we could achieve some savings in energy consumption by reducing our dependency on fossil fuels, which could lead to a reduction in CO2 emissions and opex reductions. The driver for such an initiative was the erratic availability and pricing of diesel in our markets, especially in Sudan and South Sudan, where we incur cost drivers such as fuel.

To capitalize on this opportunity, we deployed green power solutions such as battery-hybrid solutions, solar systems, outdoor equipment, connection of base station sites to the grid, and performed site sharing with other mobile network operators. The strategy followed by Zain is to transform the identified physical and transition risks into opportunities by responding in a way that helps reduce our operating costs with payback periods that do not exceed three years. The implementation of energy efficient solutions has led to a reduction of our opex by USD 1.771 million in 2020. The benefits of such initiatives will continue for at least an additional three years (during the lifetime of the equipment that was deployed). The initiatives have also helped Zain reduce its CO2 emission by 3.984 metric tons in 2020.

Opportunity 2:

Zain’s operations are continuously working on improving the customer experience and easing their journey through the introduction of new digital channels that offer truly digital, personalized experiences with full control over purchase, usage, and interaction with Zain anytime and anywhere. Examples of initiatives include chatbots that incorporate AI technology over our digital channels on Facebook, Messenger and website applications to assist customers with common inquiries, social media and smart branch navigation. These efforts are coupled with the back-end internal transformation of system automation and processes. We are witnessing steady growth in the adoption of digital channels and look to achieve 85% of recharge transactions over digital by 2025 for the above markets. Implementing these initiatives in the shadow of a global pandemic was a challenge, but the ongoing pandemic has only accelerated digital transformation.

In certain markets such as Saudi Arabia, we registered 60% market share for digital channels in 2020. For instance, top up transactions have increased 55% by Q4-20. In Bahrain, we saw 34% share of top ups via digital channels, reflecting a 36% increase in usage as compared to Q1-20.

The measures helped sustain Zain Group EBITDA margin at 39%, which was 200 basis points higher than budget estimates of 37% despite a 600-basis points reduction in total revenue.

Our operation in Saudi Arabia engaged with Apple and Google to run campaigns to educate users on how to make purchases on both mobile stores over the Zain line. As for ICT services, we are working with our partner Ding to promote offers to encourage subscribers to complete credit transfers. We are also running social media campaigns to promote such services and spreading awareness on performing international credit transfer.

Zain Saudi Arabia established direct customer billing relationships with digital brands such as Amazon Prime (includes Amazon Prime Video), Sony (Play Station Store), Likee, and Uber. There are no current regulations that require us to transition to digital registration; however, we proactively initiated this step to fulfill climate-related changes and achieve operational costs through a paperless process. In addition, customer behaviors are gradually shifting to digital channels, and these measures helped sustain Zain Group’s EBITDA margin at 39%.

Opportunity 3:

E-waste disposal contributes to climate change due to the chemicals released when it is burned.
Harmful chemicals such as polybrominated diphenyl ethers (PBDE) and polybrominated biphenyls (PBBs) are the principal toxins released when electronics are burned. PBDEs are used as flame retardants in electronics, and during combustion release CO2. Collectively, these various chemicals – when burned for disposal – cause harm both to humans and the environment.

In our industry, typical e-waste consists of decommissioned radio base stations, network cards that have been replaced after maintenance, old servers, and legacy antenna equipment.

Our operations in Jordan have initiated recycling of e-waste, which is being implemented quarterly. An agreement with ISTINARA, a Jordanian company, is in place for quarterly collection and recycling with an objective of offsetting the negative environmental, social, and financial impacts of the growing e-waste challenge facing the world.

ISTINARA transforms e-waste’s overlooked potential into economic opportunities for marginalized communities with a focus on women and youth by producing luxury handicrafts made from recycled e-waste by-products. ISTINARA’s pilot project was launched in Jordan in 2020 and aims to swiftly expand its reach into neighboring countries.

As of 2020 in Jordan, 90% of electronic waste in the technical warehouse is responsibly disposed of through the recycling process, generating USD 150,000 in revenues.

Our operations in Sudan commenced a project in January 2021 to commission the responsible disposal of electronic waste. A list of suppliers (telecom, solar energy and recycling companies) approved by the Telecommunications and Post Regulatory Authority has been finalized.

The project is targeted to release battery waste where a total of 8,976 batteries amounting to 329,600 Kilograms have been sourced from four different warehouses – Dilala W.H, Algazafi W.H, Alghaba W.H, Wad Algabal.

Zain Sudan is still awaiting TPRA approval to release more telecom waste.

On an annual basis, risks are checked and measured to align to tolerances, with quarterly checks of any management and assurance results, with any material changes to the risk profile being updated accordingly.

At Zain, we believe our approach to business resilience will mitigate the short-to-medium term physical impacts of climate change, and we will continue to monitor longer-term trends. Our priority, however, is to prepare ourselves to face the challenges and seize the opportunities posed by the move to a lower carbon economy and the policy changes required to achieve it. The overall aim is to provide the Board with reasonable assurance of the sustainability of our business in meeting the challenges of an ever-changing global economy. Our Risk assessment process consists of four steps:

  1. Risk Identification: Identifying relevant risks that can adversely affect the achievement of Zain’s objectives.
  2. Risk Analysis: Understanding the impact and likelihood of risks as well as their root causes and the level of control that Zain can exert over them.
  3. Risk Evaluation: Comparing the risks found during risk analysis and determining the need for risk treatment according to Zain’s risk priorities.
  4. Risk Prioritization: Prioritizing risks based on their level of importance or strategic value to Zain as defined by their ability to adversely impact the achievement of Zain’s strategic objectives. It should also consider the severity of risk compared to risk appetite.

Climate change risks are considered in Zain’s Risks Universe as defined in our Risk Management Policy and included in the company’s risks assessment and evaluation. Our Risk Management and Sustainability chiefs are part of the Climate Action Committee (CAC) and regularly engage on the evolving climate change related risks.

For the identified risks, executive management assigns risk owners, assisted by risk champions, who perform detailed root cause analysis of their respective risks and build actionable steps considering the following risk mitigation strategies as detailed in the risk management policy:

  • Accept – No action is taken to change the severity of risk and is assumed when the risk is already covered in the risk appetite.
  • Avoid – Risk avoidance involves taking the decision not to engage in any activity that may result in the risk event, i.e. usually ceasing the activity that may lead to the risk event.
  • Transfer – Risk transfer involves shifting the impact of a risk event and the ownership of the risk mitigation to a third-party.
  • Mitigate – Risk mitigation reduces the probability and / or impact of a potential risk to a more acceptable level. Mitigation could involve adopting a less complicated process, conducting additional tests on the product, designing redundancy into a system, or incorporating a quality control or reconciliation.

Physical Risks

As per TCFD guidelines, we observed that our sites are vulnerable to the rise in mean temperatures, as 90% of our sites in respective operations are situated outdoors with cooling provisions for the active components, namely electronic equipment (radio base station, microwave indoor unit) and power equipment (rectifiers for DC power and DC battery bank). The equipment is vulnerable to high temperatures, particularly in summer when temperatures can reach 55 degrees Celsius, hence the increase in cooling requirements.

Fuel and electricity consumption patterns are analyzed to see whether there are variations. In case the energy consumption increases by more than 10% from one quarter to another, the concerned operation is required to provide the details and the justifications for the increase. In 2020, our operations in Kuwait, Saudi Arabia and South Sudan reported increases in energy consumption by 16%, 22% and 110% that were justified by the expansion of the access network as 5G network was rolled out in Kuwait and Saudi Arabia. South Sudan added 4G sites.

We took the reference of Coupled Model Intercomparison Project, Phase 5 (CMIP5) models included in the IPCC’s Fifth Assessment Report (AR5) to assist our Climate Action Committee understand the projections of future climate change and related impacts.

As per RCP 8.5 Ensemble we have prepared projections for the following two scenarios:

  • Increase in mean annual temperature by 2°C in 2040
  • Increase in mean annual temperature by 3°C in 2059 (RCP 8.5, Ensemble)

Further, the International Energy Agency (IEA) has updated its 450 scenario, which describes an energy pathway consistent with the goal of limiting the average global temperature increase to 2°C.

We have extended the first scenario to our long-term horizon of 2035. Knowing the total cooling energy requirement for the previous year, we can estimate the total energy consumption increases that would result from the impact of that physical risk. When mapped to our risk criteria, this risk falls in the moderate to high category as it is more than 1% of our EBITDA and hence is classified as a risk material to operations.

*The risk is said to manifest across all six countries of operation as the underlying energy consumption data is an aggregate from these countries.

Transition Risks

Energy costs are one of the most significant operating costs for our company as they represent 30-40% of our sites’ total operating costs. In 2020, the energy cost for our offices, data centers and base station sites was approximately USD 201 million, up by 46% compared to USD 137.71 million in 2019. The increase is due to a sharp rise in consumption and increase in unit grid and diesel costs in Jordan, Iraq and diesel costs in Sudan. Therefore, an increase in grid power and diesel costs would have a significant impact on our operating costs. Because the macro-economic situation of some of our operating countries is characterized by a de-growth in GDP due to lower oil prices and lower non-oil-based revenue sources, we have foreseen hikes in energy costs based on our estimates in 2019 from government-owned utility providers. Energy prices are subsidized in our oil rich operations in Kuwait and Saudi Arabia.

As per the IMF’s Future of Oil and Fiscal Sustainability in the GCC Region and Kuwait Energy Outlook 2020 reports, the current rates in Kuwait are substantially below the USD 0.07 per kWh average tariff rates for other GCC countries. Kuwait witnessed the last hike in 2017 to USD 0.033 per kWh. Our operations in other countries that do not have such oil reserves have been subject to steadily rising fuel prices (Sudan and Jordan witnessed fuel price increases of 167% and 56% respectively in 2020).
Given that context, Zain is likely to face a double-sided problem: an increase in both fuel and electricity prices. We estimate that current subsidies on energy prices in our operations which are oil dependent will not be prevalent as this will further impact their existing fiscal deficit.

For the transition risks, mainly historical data of fuel and electricity prices are collected, extrapolated, and used to calculate the possible impact of energy tariff increases on our operating costs.

Our total energy consumption in 2020 was 1,031 MWh up by 11% from 929 MWh from grid power and 153.4 million liters of diesel, up by 8% from 141.8 million in 2019. The 2020 overall energy cost including diesel was USD 201.69 million.

With our long-term planning process of 15 years, we have estimated that energy operating costs could increase by over 107% by 2035 to USD 418.16 million, which is an upward revision of 38% from USD 301.30 million as per 2019 forecasts. The estimated figures factor in the underlying per unit grid power and diesel fuel hikes as per macroeconomic indicators.

We have estimated a 5% average increase in per unit tariff based on 2016-2020 price movements to arrive at 2x of existing unit cost by 2035. We also factored in the cost for additional cooling to arrive at USD 33.18 million, and a total energy cost of USD 418.2 million up by 38% as per previous estimate in 2019 at USD 301.36 million in 2035. This would translate to a 108% rise from our 2020 energy costs. This could affect our operating margins, which led us to put in place action plans to reduce this cost estimate. Hence, a potential increase in fuel and electricity tariffs would lead to a transition to more energy efficient solutions.

Data Privacy

The company values personally identifiable information (PII) entrusted by its customers, employees, suppliers and other stakeholders. Therefore, Zain is committed to the collection, usage, retention, and non-disclosure of PII in a transparent and secure way to comply with applicable legal and regulatory requirements for processing such information.

Zain’s operations present an individual with the choice to allow the processing of their PII except where applicable law based on the specific countries’ rules and regulations specifically allows the processing of PII without the person’s consent. Our customers are also provided with a privacy notice through various channels such as the website and sales contract on processing their personal data.

Our operations established technical and procedural controls for the implementation of the principles as outlined in Zain’s Data Privacy Policy. However, new data privacy related regulations are being introduced at a rapid pace and as such we need to ensure their alignment with new developments. Zain recognizes the recent EU General Data Protection Regulation (GDPR) legislation and other region-specific data protection laws as an opportunity to further enhance its data responsibilities and oversight. In light of these changing privacy laws and regulations, Zain Group is currently working on updating its privacy policy as well as the privacy notice that will be uploaded on to Zain websites in the near future. Existing privacy notices on the website provide the below in addition to any other information as required by applicable local law:

  • The use(s) to be made of the operations data;
  • Whether the information will be shared with or disclosed to third parties or other Zain Group companies; and
  • Where legally required, how individuals can exercise their rights of access to their personal data.

The following are the privacy policies available on the respective web portals of Group and our operations:

https://www.zain.com/en/policy

https://www.kw.zain.com/ar/privacy-policy

https://sa.zain.com/en/privacy-policy

https://www.jo.zain.com/english/Pages/terms.aspx#privacyPolicy

https://www.bh.zain.com/en/copyright/privacy-policy

https://www.sd.zain.com/English/Pages/privacypolicy.aspx

Customer information for secondary purposes

As per the SASB definition of secondary purpose, our operations process data for designing products to enhance the quality of services offered to our customers. However, customer information and the usage of data is not transferred to or shared with a third party unless requested by law enforcement, in which case it takes place via a judiciary order.

 

Data Security

In 2021, Zain Group and operating companies have not experienced any data security breaches involving customers’ personally identifiable information (PII). We have been able to protect Zain Group from multiple phishing attacks. Zain Group has also enabled a new feature making it easier for users to report phishing and spam emails with the click of a button, thereby making the investigation process more efficient and allowing immediate action to be taken.

Approach to identifying and addressing data security risks

The telecommunications industry is categorized as critical national infrastructure, processing and storing highly confidential and valuable information and as such is prone to being targeted heavily by cybercriminals. As technology evolves globally, so do cyber threats that have a variety of impacts on individuals, enterprises, and societies. Telcos continue to be susceptible to the following types of incidents (non-exhaustive list):

  • Theft of competitive data/competitive intelligence, including corporate espionage,
  • Theft of intellectual property or trade secrets, misappropriation of assets,
  • Advanced Persistent Threats (APT),
  • Fraud (financial or otherwise),
  • Personally Identifiable Information (PII) theft,
  • Data breach or loss,
  • Information related extortion,
  • Operational downtime.

To mitigate and reduce the possibility of the above incidents, Zain has developed cyber resilience, which is the ability to effectively identify, protect, detect, respond and recover from potentially catastrophic cybersecurity threats. To achieve cyber resilience, Zain must effectively identify the risks, design robust controls and continuously measure effectiveness to be able to create a sustainable and safe operating environment.

 

The following is an illustration of a framework referenced in Zain’s cyber resilience strategy:

Identify

  • Threat vectors, assets, data, and actors
  • Cross validate with risk assessment studies

Protect

  • Install technology controls, i.e. point solutions
  • System/device hardening
  • Access control mechanism

Detect

  • Monitoring infrastructure
  • Analytics & threat hunting
  • External subscriptions

Respond

  • Incident response and management plans

Recover

  • Resilience to resume from ‘normal state’ at the earliest
  • Crisis management protocols

Approach to identifying and addressing data security risks

Bahrain:

Conducting vulnerability and penetration testing (VAPT) for new and existing applications, annual security audits in addition to generating and implementing minimum security baseline assessments to available platforms.

When a risk is identified, related security rules are configured on the applicable security devices to address it.

Security information and event management (SIEM) solutions are in the exploration and assessment phase.

We are required to report all security related incidents and breaches to the Telecom Regulatory Authority in Bahrain including the incident notification and RCA details.

Zain Bahrain is also working with the National Cyber Security Center (NCSC) to onboard and integrate our critical systems with the national SIEM and Security Operations Center (SoC). Defense-in-depth firewall setup and other general controls have been applied using multiple technologies such as firewalls, web application firewalls (WAF), active directory policies and terminal access controller access-control system (TACACS+).

Sudan:

The security environment is continuously monitored and enhanced through Zain Sudan’s Risk Management, Business Continuity, Information Security, and the internal and external ISO audit reports submitted to management.

Saudi Arabia:

Zain Saudi Arabia follows the ISO 31000 framework in identifying, assessing and mitigating risks for the current operation and the new projects, products and services.

Jordan:

Zain Jordan strives to ensure effectiveness of the security program through the following:

  1. Continuous monitoring of SIEM solution by information security team
  2. Continuous monitoring of Distributed Denial of Services attacks by SoC team
  3. Vulnerability assessments performed on a quarterly basis

Kuwait:

Zain Kuwait identifies information security risks via VAPT conducted on the network periodically and as and when new applications are introduced. Security controls are configured and hardened based on latest versions of MSB for the systems in place.

Iraq:

Zain Iraq’s management strives to ensure that the entirety of the systems are always protected and up to date with the most advanced security systems. The operator also invests in the SoC. Internet facing applications and mission critical internal applications are integrated with the security information monitoring tool, which is monitored 24*7 by security engineers at the SoC. Any unauthorized web event is promptly reported and investigated by the team.

Managing Systemic Risks from Technology Disruptions

A mission critical service requires continuous availability, where breaks in service are intolerable and immediately and significantly damaging. Zain has designed for the required availability at almost any price.

Zain Group (system availability)

  • ERP: 100%
  • Oracle Hyperion: 99.99%
  • Website zain.com: 99.999%

Zain Kuwait (system availability)

  • Billing/CRM Service: 100%
  • CS Core: 100%
  • PS Core: 100%
  • Website kw.zain.com: 100%

Zain Bahrain (system availability)

  • Billing/CRM Service: 100%
  • CS Core: 99.99%
  • PS Core: 100%
  • Website bh.zain.com: 100%

Zain Iraq (system availability)

  • Billing/CRM Service: 100%
  • CS Core: 100%
  • PS Core: 100%
  • Website iq.zain.com: 100%

Zain Jordan (system availability)

  • Billing/CRM Service: 100%
  • CS Core: 100%
  • PS Core: 100%
  • Website jo.zain.com: 100%

Zain KSA (system availability)

  • Billing/CRM Service: 99.7%
  • CS Core: 99.9%
  • PS Core: 99.9%
  • Website sa.zain.com: 99.9%

Description of systems to provide unimpeded service during service interruptions

  1. Zain ERP: Enterprise Resource Planning tool. Monitor: uptime in seconds/month (30*24*60*60 seconds).
  2. Oracle Hyperion: Primary financial planning & budgeting tool. Monitor: uptime in seconds/month (30*24*60*60 seconds).
  3. Zain website channel: Primary digital channel. Monitor: website running uptime in seconds/month (30*24*60*60 seconds).
  4. Billing/CRM: The internal billing system used to process and validate billing records, invoices, integration & reconciliation with other accounting systems.
  5. IN: Intelligent Network allows functionality to be distributed flexibly at a variety of nodes on and off the network and allows the architecture to be modified to control the services. These networks can separate extra services from the call switching system, making it easier to add new user services such as call screening or call waiting, as well as more complex services like variable charging, caller ID services and international messaging.
  6. CS Core: Circuit Switch, handles voice calls and contains functionalities such as mobile switching center (MSC) and gateway MSC (GMSC).
  7. PS Core: “Packet Switch”, handles data sessions and contains functionalities such as Serving GPRS Support Node (SGSN), Gateway GPRS Support Node (GGSN), Domain Name Server (DNS), Dynamic Host Configuration Protocol (DHCP) server, and packet charging gateway.

Security Risk Training

In 2021, Zain Group Risk Management continued to share content with Group employees as part of the PAUSE.THINK.ACT cybersecurity awareness program that was initiated in 2020. In addition to the essential security-related topics that were identified in 2020, new topics were added based on current cybersecurity trends and the changing threat landscape. The materials shared with all employees not only provided information on evolving cyber attack techniques but also provided tips to remain vigilant and protect themselves as well as Zain from being compromised. Additionally, as and when new vulnerabilities are discovered, Zain issues alert notifications to raise awareness. Zain operating companies also utilized other channels and methods to raise awareness, such as phishing simulations and awareness games.

Zain maintains a subscription to notifications and alerts generated by the Malware Information Sharing Platform of GSMA T-ISAC, the Telecommunications Information Sharing and Analysis Center. As cyber attacks are continuously evolving and increasing in sophistication and volume, the threat intel that is available to us via this platform helps us to be proactive and take the necessary steps to protect Zain and its operating companies from being compromised.

Information security topics covered and planned for 2021

  • Physical Security
  • Removable Media
  • Backups
  • Vishing
  • Suspicious Websites
  • SMShing
  • Password & 2 Factor Authentication
  • Bluejacking & Bluesnarfing
  • Remote Connection Security
  • Social Media Privacy
  • Password Protection of Files
  • Juice Jacking
  • Incident Reporting
  • Insider Attacks
  • QR Code Attacks
  • Safe Usage of OneDrive & SharePoint
  • Clean Desk Clear Screen
  • Mobile/Laptop Security
  • Evacuation Instructions
  • BCM Policy
  • Key person risk
  • Business Impact Analysis
  • Clearview & BCP
  • Information Classification
  • WhatsApp hacking and prevention

| Awareness Updates | Total Staff | Total number of staff that received awareness content | Total number of channels utilized |
|---|---|---|---|
| Group | 199 | 199 | 2 |
| Kuwait | 1,500 | 1,500 | 2 |
| Iraq | 1,853 | 1,200 | 1 |
| KSA | 1,757 | 506 | 4 |
| Jordan | 1,279 | 1,279 | 3 |
| Bahrain | 185 | 185 | 4 |

| Initiative | Date of Adoption | OpCos in Scope | Nature of Initiative (Binding/Voluntary) | Range of Stakeholders involved |
|---|---|---|---|---|
| Stamp of Approval for Maintenance & Operations | 20-May-19 | Zain Kuwait | Voluntary | Uptime Institute Professional Services |
| Information Security Management System ISO 27001:2013 | 10-Jan-21 | Zain Bahrain | Binding | Telecommunication Regulatory Authority |
| | 2-Feb-21 | Zain Kuwait | Voluntary | DNV-GL |
| | 15-Jan-20 | Zain Jordan | Voluntary | SGS |
| | 5-Apr-18 | Zain Sudan | Voluntary | DNV-GL |
| Business Continuity Management System ISO 22301:2012 | Feb-20 | | | |
| | 28-Jan-20 | Zain Kuwait | Voluntary | DNV-GL |
| Environmental Management System ISO 14001:2015 | 03-Feb-21 | Zain Kuwait | Voluntary | DNV-GL |
| Quality Management System ISO 9001:2015 | 16-April-18 | Zain Sudan | Voluntary | DNV-GL |
| | 03-Feb-21 | Zain Kuwait | Voluntary | DNV-GL |
| | 15-Jan-21 | Zain Bahrain | Voluntary | DNV-GL |