Chapter
10
The ERM function reports directly to the Board Risk Committee (BRC), which supervises the adherence to the risk management policies and procedures and the effectiveness of the Risk Management framework. The BRC reviews and approves the framework on an annual basis, and risk trends are reviewed on a quarterly basis. Other functions such as Internal Audit and Corporate Governance departments, and their respective Board committees, along with Group Risk Management, assist the BRC in its oversight.
Zain’s ERM function, in close alignment with the company’s Corporate Sustainability strategy, evaluates the company’s social, economic, environment, and human rights impacts from a risk standpoint through proactive research and extensive engagement with its stakeholders. Since 2019, the key considerations have been the risks and opportunities associated with climate change and its material impact, allowing for early-stage planning of mitigation strategies across Zain’s operating markets.
Climate-Related Risks and Opportunities are explained in depth in the Task Force on Climate-Related Financial Disclosures (TFCD) report.
Zain Group has various memberships to global associations that ensure the company is in sync with industry standards and global best practices, including:
Zain continues to utilize an impact-likelihood matrix to determine the risk rating of the events facing the company across its operations. The impacts are assessed across multiple parameters that include financial, reputational, climate change, markets, customers, employees, and others. The rating also takes into consideration the ‘pre-’ and ‘post-’ mitigated status of the risks, providing information on both the inherent and residual risk status of the organization.
When Zain designs its products and delivery of services, as a precautionary principle, all applicable environmental requirements are taken into consideration. Zain’s business focuses on developing and delivering low carbon products and services as customers require to align to the company’s Net-Zero ambition. Climate-related considerations such as energy use and end-of-life disassembly for repair or reuse are some of the key conisderations included in the checklist when it comes to designing products and services.
The company’s product design and procurement teams engage with suppliers to develop products with lower eco footprints. The checklist used as part of the design process includes climate-related considerations such as energy use, and end-of-life disassembly for repair or reuse. Through such engagements, the Board Risk Committee, Climate Action Committee (CAC) and the Board monitor key risks such as rapid advancements in technology.
Zain considers data privacy as a crucial part of controls to avoid data leakage. In order to comply with legal and regulatory governing bodies and their requirements, Zain regards the personally identifiable information (PII) entrusted by its customers, employees, suppliers, and other stakeholders highly, and processes involved in the collection, use, retention, and non-disclosure of this information.
In 2023, Zain updated its Data Protection and Privacy Policy to ensure that it continues to meet the highest standards of data protection and privacy for all of its stakeholders. The policy was approved by the Board, and ensures Zain remains compliant to all relevant data protection and privacy laws and regulations. The revised policy covers a range of topics including how the company collects, uses, and stores personal data and the rights of individuals to access and control their personal data.
The policy can be found here.
Policies and practices related to collection, usage, and retention of customer information and personally identifiable information for each Zain operating company:
Please refer to the link below for more details:
https://www.bh.zain.com/en/copyright/privacy-policy
Zain Iraq implemented several security controls and follows best practices to ensure that all data processed is secure. In 2023, Zain Iraq was ISO 27001 certified, providing further assurance on the implemented controls to safeguard data.
A new law for data protection was launched and an analysis was conducted by the Legal and Regualtory team to set workshops with all involved parties to assess the risk for PII data and to set policies and corrective actions accordingly.
CITRA’s data privacy protection regulation is applicable to both public and private sectors that collect, process and store PII. Zain appointed a Data Privacy Officer responsible for overseeing appropriate technical and regulatory controls to comply with the regulations.
Zain has a data privacy policy that is established and approved by the Saudi Data and AI Authority (regulating authority).
Zain ensures customer information and PII is protected through policies such as its Code of Conduct.
Zain is continuously enhancing its security controls to improve its security maturity and to defend against threats and safeguard data from such threats. Several security control assessments are carried out to identify potential improvements that can be implemented.
As per the Sustainability Accounting Standards Board’s (SASB) definition of secondary purpose, Zain’s operations process data for designing products to enhance the quality of services offered to customers. However, customer information and the usage of data is not transferred or shared to a third-party unless requested by law enforcement, in which case it takes place via a judicial order.
Further information on Zain’s Data Privacy governance and policies can be found in the ‘Products and Services’.
As of 2023, there have been no reports or complaints from external third-parties and regulatory bodies, or the identification of leaks or losses of customer data.
Zain continued its commitment to safeguarding its employees and customers against phishing attacks, where the company facilitated a user-friendly reporting system, allowing individuals to report such attacks and spam emails with a simple click. This initiative streamlines the investigation process, significantly enhancing operational efficiency, and enabling the prompt implementation of corrective actions.
Zain stores and processes information that is highly confidential and can be very valuable in the hands of cyber criminals. This is why the company’s infrastructure is considered extremely critical. The threat landscape is ever evolving, which requires a continuous and rigorous enhancement of security controls.
Zain has in-place the necessary security controls and processes aligned with best practices to mitigate and reduce the possibility and impact of cyber attacks. The company has developed cyber resilience, which is the ability to effectively identify, protect, detect, respond and recover from potentially catastrophic cyber security threats. To ensure a safe and secure environment, Zain must protect its infrastructure with the necessary policies, procedures, and continuous monitoring activities to defend against threats.
Following is an illustration of a framework referenced in Zain’s cyber resilience strategy.
Some examples of cyber security initiatives across Zain’s markets include:
Mission critical services require continuous availability where breaks in service are intolerable and can result in immediate and significant damage. Zain monitors for any disruptions that occur throughout its major systems.
Description of systems to provide unimpeded service during service interruptions
Core: Includes PS Core and CS Core (previously mentioned in prior Zain Sustainability Reports).
CS Core: Circuite Switch, handling voice calls and containig functionaities such as mobile switching center (MSC) and gateway MSC (GMSC).
PS Core: Packet Switch, handling data sessions and containig functionalities such as: S+H9erving GPRS support node (SGSN), gateway GPRS support node (GGSN), domain name server (DNS), dynamic host configuration protocol (DHCP) server, packet charging gateway, etc.
Charging: Ericsson – System for customers to recharge their accounts with credit and maintain balance information. Used by prepaid and postpaid customers.
Training and awareness is a continuous process required to defend against threats that are evolving at a rapid pace. As part of the PAUSE.THINK.ACT Cyber Security Awareness Program at Zain, the company raises awareness regarding the do’s and don’t’s of information security as well as how to report suspicious activity.
Additionally, Zain is aware that threat intel plays a crucial role in defending against growing threats and continues its subscriptions to notifications and alerts that are generated from GSMA’s Telecommunications Information Sharing Analysis Center’s Malware Information Sharing Platform. These alerts help Zain to be proactive in taking necessary defensive steps in a timely manner to repel cyber attacks.
The following list consists of the cyber security training courses taken by entreprise risk management employees across Zain’s operations.