GOVERNANCE AND RISK MANAGEMENT REPORT

Bupa Arabia remains committed to a robust corporate governance structure that facilitates prudent management and delivers long-term success to the Company.

Risk Governance and Internal Controls

Our Governance Framework

[Figure: Our Governance Framework. Inputs: SAMA Regulations, CMA Regulations, CHI Regulations, Other Regulations, Best Practice. Governance elements: Shareholders; Board of Directors; Code of Corporate Governance; Board/Committee Charters; Management Committee Charters; Standards and Guidelines; Labor By-Laws; Procedures; Speak-Up; CEO Delegation of Authority; Board Delegation of Authority; Delegation of Authority; Code of Conduct; Enterprise Policies. Lines of Defence: "Identify, Manage, Own"; "Advise, Support, Challenge, Oversight"; "Independent Objective Assurance".]

Our Corporate Governance and Risk Intelligence

We remain committed to enhancing shareholder value by building and maintaining a risk-intelligent organization, while increasing the transparency of our corporate governance practices and strengthening the rights of our shareholders in alignment with best-in-class governance standards. Our major shareholder, Bupa Investment Overseas Limited (BIOL), is still one of the largest foreign strategic investors in the Saudi market. We continue to invest in our corporate governance, including further embedding the “Three Lines of Defence” (3LoD) risk management model within the ongoing recruitment and development of appropriate capabilities, to ensure a world-class governance environment with world-class controls.

Our Code of Conduct

The Company’s Code of Conduct has been further embedded across the Organization during 2022, and all employees have received regular communication keeping them informed and updated. The Code covers the following areas and, alongside our values, is a key contributor to Bupa Arabia’s company culture.

Safeguarding Bupa Arabia’s assets:

  • we work to high professional standards
  • we declare conflicts
  • we represent Bupa Arabia
  • we prohibit insider trading and stock tipping
  • we manage risk
  • we protect our intellectual property

Thriving through regulatory excellence:

  • we play by the rules

Adhering to competition laws:

  • we respect competition laws
  • we speak up

Acting ethically and transparently with all our stakeholders:

  • we put our customers first
  • we act ethically
  • we keep information safe
  • we fight money laundering and terrorism financing
  • we know our suppliers

Preserving our community and our environment:

  • we celebrate diversity
  • we stay safe and well
  • we are prepared for anything
  • we take care of our planet

Our Enterprise Policies

The Company has reviewed, assessed, enhanced, revamped, approved, and rolled out the Enterprise Policies Management Framework (EPMF) for 2022. Our Enterprise Policies (EP) are an important part of how we manage risks within Bupa Arabia: they explain how we are exposed to risks and why they need to be managed, and they provide a consistent approach to managing them. They also help ensure business objectives are met, in compliance with the legal and regulatory requirements of the jurisdictions in which we operate, and help us protect our environment while giving back to our communities. Our policies sustain and support our risk appetite.

The current suite of 33 enterprise-wide policies also supports our intent:

  • To comply with the Saudi Central Bank (“SAMA”) requirements of the Insurance Corporate Governance Regulation;
  • To comply with the Saudi Arabian Capital Market Authority (“CMA”) requirements of the Corporate Governance Regulation;
  • To comply with legal and regulatory requirements of the jurisdictions in which we operate, including but not limited to the requirements of the Ministry of Commerce (“MOC”), the Council of Health Insurance (“CHI”), the Ministry of Health (“MOH”), the Ministry of Investment (“MOI”), the Zakat, Tax and Customs Authority (“ZATCA”), the Ministry of Human Resources and Social Development (“MOHRSD”), and Anti Money Laundering and Combating Terrorist Financing Laws and Regulations (“AML and CTF”);
  • To comply with global best practices.

Our Delegation of Authority

The Delegation of Authority (DOA) is an integral part of the governance and the internal control system of Bupa Arabia.

The DOA Matrix, governed by its own respective framework, outlines guidelines for the authorization and empowerment at appropriate levels of decisions having financial implications or impacting the interests of Bupa Arabia.

The DOA Framework and Matrix have been enhanced during 2022, consolidating the entirety of Bupa Arabia’s activities with the appropriate approval levels. The documents have been endorsed by the Audit Committee (AC) and Risk Management Committee (RMC), and approved by Bupa Arabia’s Board of Directors.

The purpose of setting limits of authority is to establish the financial commitments and operational decisions that various authorized bodies or personnel make on behalf of Bupa Arabia in the discharge of their responsibilities. Such authority limits are necessary to ensure that:

  • Financial commitment and expenditures are only made by authorized bodies or personnel and such commitments/expenditures are within the approved limits;
  • Authority given is consistent with duties and responsibilities assigned to management personnel;
  • Adequate authority is given to the relevant individuals or group of individuals to facilitate business operations efficiently; and
  • Clear understanding exists within Bupa Arabia of the authorities vested in each position, including those matters that are strictly reserved for the Board of Directors (BOD) and the Chief Executive Officer (CEO).

Our Speak-Up (Whistleblowing) Policy

We are committed to maintaining the culture of governance and ethical behavior in the workplace. We, as a company and as its employees, comply with all rules and regulations, further reinforced by the professional standards we set ourselves at Bupa Arabia. To achieve this, employees are encouraged to share any concerns and doubts regarding inappropriate behavior through the channels specified for this purpose.

We aim for Bupa Arabia to become a place where our employees feel safe to share their concerns in case of any inappropriate or unethical behavior in the workplace, without the fear of retaliation.

Our Shariah Compliance

Bupa Arabia maintains its Shariah compliance. Bupa Arabia received the approval from the Shariah Review Bureau on its compliance and status as per the 2021 annual Shariah Audit Report (reference BPA-832-11-02-12-21) on 28 December 2022. The functions are as follows:

  • Separation of accounts (shareholder and policyholder)
  • Compliance of shareholder and policyholder investments with Shariah Guidelines; in support of achieving overall Shariah compliance in the future, the Company continues to develop its policies and evaluate its contracts

Corporate Governance and Bupa Arabia Commitment

Bupa Arabia is fully committed through all levels of the Company hierarchy, including its Board and its Board Committees, to the implementation of world-class corporate governance standards, and to implementing the provisions contained in the Corporate Governance Regulations issued by the Capital Market Authority and the Saudi Central Bank, and thereafter adhering to the Corporate Governance Regulations of all Saudi regulators. Bupa Arabia is developing and instituting corporate governance structures, frameworks, codes, policies, procedures, and standards to support its achievement of best practices and adherence to the regulations. Bupa Arabia continues to update the relevant policies and procedures and ensures they are aligned with all the regulatory requirements.

This will ensure Bupa Arabia succeeds in fulfilling the five key elements of corporate governance:

  • Strong commitment to corporate governance
  • Strong commitment to world-class board practices
  • Strong regime of disclosure, transparency, fairness, accountability, and responsibility
  • Appropriate control of environments and processes
  • Protection of all shareholders’ rights, including minority shareholders

Bupa Arabia affirms its commitment to the implementation of the highest professional standards and best international practices for the prevention of bribery, corruption, fraud, and financial crimes, and its commitment to preventing anti-competitive practices.

Bupa Arabia affirms its commitment to maintaining and developing its formal Corporate Governance Framework (CGF), including its Code of Corporate Governance (CCG), in alignment with international best practices, and in adherence to the regulators’ corporate governance regulations. Bupa Arabia is planning to further enhance its key governance documents for the approval of the shareholders, during 2023.

Control Functions

Bupa Arabia ensures the implementation of robust practices of legal affairs and corporate governance, internal controls, and risk management, which also includes cybersecurity and technology risk management, in adherence to the relevant Saudi Arabia regulatory requirements of insurance companies. The Company has established the control functions detailed below, in addition to any other regulatory or supervisory requirements. The principal duties and responsibilities of these functions include, but are not limited to:

The Legal Affairs and Corporate Governance Department (LACGD)

The LACGD is responsible for the frameworks, codes, policies, and procedures governing the management. This includes the sharing of associated information, in accordance with the laws and regulations, to and from the Company’s management, shareholders, and stakeholders, as well as its regulators and employees. The LACGD reports to the CGRCO and is responsible for ensuring the Company complies with and adheres to the laws and relevant regulations, and for ensuring the Company is protected from any conflict of interest. The LACGD also manages the Company’s relationships with the Capital Market Authority (CMA) and Saudi Stock Exchange (Tadawul).

Senior Director – Legal Affairs and Corporate Governance, General Counsel: Mr. Nasser AlQawas

Mr. Nasser AlQawas joined Bupa Arabia in May of 2016 and has over 25 years of substantial legal, compliance, corporate governance, and board secretariat experience. Throughout his career he has managed to build a solid acumen in driving organizations to act with the highest level of integrity in compliance with the local and international prevailing laws in the different regions of operation, in addition to administering efficient and transparent legal processes and documentation. Having begun his professional career in Arent Fox law firm, where he worked for six years, followed by his 20-year tenure at NCB, Mr. Nasser was responsible for a variety of different roles and responsibilities, which include Head of the Legal Enforcement Section, Manager of Legal Advisory and Research, General Board Secretary, the Group Chief Compliance Officer, and the Chief Legal Advisor.

Mr. Nasser was appointed by a Royal Decree to be a reserve committee member in the Banking Dispute Committee in Jeddah. He is also a board and committee member in a variety of companies.

Mr. Nasser holds a Master’s Degree in Law, a Diploma in Regulation, Compliance and Anti-Money Laundering (from the University of Reading, England), a Certified Compliance Officer from the Financial Academy, and he holds Leadership Executive Certificates from INSEAD and IMD.

The Risk Management Department (RMD)

The Risk Management Department is responsible for the overall risk management process across Bupa Arabia. They coordinate the development and implementation of the risk management framework and strategy, monitor the risk database/register, and report on material risks and action plans.

Senior Director – Risk Management Department: Mr. Ahmed Jaber

Mr. Ahmed Jaber joined Bupa Arabia during 2016. He holds a Bachelor’s degree in Industrial Engineering from King Fahd University of Petroleum and Minerals and has over 21 years of experience in engineering, risk, credit control, operational risk, fraud prevention and investigations, and internal audit.

Prior to joining Bupa Arabia, Mr. Ahmed was Head of Investigations and Fraud Prevention at the National Commercial Bank (NCB) and previously, Head of Operational Risk Management and Acting Head of Retail Banking Audit. He was also the Western Regional Head of Country Credit and Risk Control in SAMBA and worked as a field engineer in Schlumberger Middle East.

Mr. Ahmed has an International Diploma in Risk Management (American Academy of Financial Management), an Executive Certificate from the London Business School, and other certifications [Certified GRC Professional (GRCP), Certified GRC Auditor (GRCA), Certified Fraud Examiner (CFE), Certified Risk Analyst (CRA), Certified Operational Risk Manager (CORM), Project and Contract Risk Specialist (PCRS), and Certified Compliance Officer (CCO)].

The Cybersecurity and Technology Risk Department (CSTRD)

The CSTRD is a second line of defense and is responsible for the overall cybersecurity and technology risk monitoring processes across Bupa Arabia. It focuses on coordinating the development of the related policy and frameworks, and assessing and monitoring the IT, cybersecurity and technology risks, and reporting on the associated material risks and mitigation plans.

The CSTRD is responsible for the alignment of the Company with the regulatory mandated cybersecurity and BCM frameworks, issued by the Saudi Central Bank and the National Cybersecurity Authority.

The CSTRD reports directly to the CGRCO, with access to the AC and RMC as required, and its structure covers cybersecurity, information systems resilience, technology risk, data privacy, and BCM.

Senior Director – Cybersecurity and Technology Risk Department (The Chief Information Security Officer – CISO): Mr. Feras I. Alsubaihi

Mr. Feras Alsubaihi joined Bupa Arabia in 2020. He has over 18 years of experience in cybersecurity and information technology, which includes several assignments in the financial and banking sector most notably as the Head of IT Security and then Head of Security Operations Center (SOC), during his period at AlJazira Bank.

Additionally, he was appointed as the Chief Information Security Officer at Abdul Latif Jameel Financial Group and also served as Chairman of the Cybersecurity Committee of the Financial Sector at SAMA. The International Data Corporation “IDC Summit” also elected him as one of the top three Chief Information Security Executives for the 2020 edition in the Kingdom.

Mr. Feras holds a Bachelor’s Degree in Computer Science from King Abdulaziz University, and is a Certified Chief Information Security Officer accredited by the EC-Council Headquarters in the United States. In addition, he holds a number of accredited technical and management certificates in the field of cybersecurity management and information technology, the most significant of which are Lead Implementer of ISO 27001, Microsoft Certified Systems Engineer, and Cisco Certified Network Associate.

Finance Pricing, Actuarial, Asset Management and Business Advisory Departments

The finance pricing and actuarial capabilities of the Company are essential control functions to ensure the accuracy of the Company’s pricing and the claims reserving, in accordance with both international best practice and Saudi regulations. These roles further report to the Finance function, headed by the Deputy CEO and CFO, except for the Actuarial function, which reports to the CEO based on SAMA regulations. Additionally, the Asset Management and Business Advisory Department performs a key control function in relation to the management of investment assets, in accordance with the Board approved Investment Policy Statement (IPS), risk appetites, and in adherence to the SAMA regulatory investment guidelines.

Senior Director – Commercial Finance: Mr. Hatim Jamal

Mr. Hatim Jamal has over a decade of experience in several fields such as financial analysis and planning, accounting, tax, product/program development, strategy development, and operational excellence. Prior to joining Bupa Arabia, Mr. Jamal was a partner at Strategic Gears Management Consultancy, as an advisor within both the private and public sectors. He has covered multiple projects related to strategy development, economic impact assessment and operational excellence. Previously having worked at Procter & Gamble, he was also involved in different finance related assignments such as forecasting and planning, commercial finance, finance strategy, and finance control in the Saudi office covering all markets in Arabian Peninsula and in the Switzerland office covering India, Middle-East, and Africa markets.

Mr. Jamal joined Bupa Arabia in the first quarter of 2021. He holds a Bachelor’s Degree in Finance and Economics from King Fahd University of Petroleum and Minerals, and is a candidate for Master of Business Administration from London Business School.

Director – Actuarial and Financial Analysis: Mr. Mahmoud Almalki

Mr. Mahmoud Almalki joined Bupa Arabia in 2015, and since then has held several managerial positions within actuarial, pricing, and commercial finance. His responsibilities include claims reserving and monitoring, product development, setting pricing strategy, mega accounts renewal, and provider control. Mahmoud is an Associate of the Society of Actuaries (ASA), and is a proficient actuary, expected to be an FSA in 2023. He also holds a Bachelor’s Degree from KFUPM in Actuarial Science and Financial Mathematics with Honors.

Senior Director – Asset Management and Business Advisory: Mr. Ahmed Bajunaid

Mr. Ahmed Bajunaid has more than 16 years of experience in investment management. He joined Bupa Arabia in 2018 to lead transformation activities related to the investment management function, and to assist with company-wide key strategic initiatives as part of the Business Advisory function. He was appointed as Director – Asset Management and Business Advisory in 2019. Mr. Ahmed has also previously worked at Sanabil Investments, where he was responsible for investing and managing its global private equity program. Prior to this, he spent nine years at the Saudi Aramco Investment Management Department conducting strategy analysis and, as a fund manager, conducting due diligence and reporting for private and public equities, and hedge funds. Mr. Ahmed has also worked with Cambridge Associates as an investment consultant within the private equity research team between Boston and London.

Mr. Ahmed holds a Bachelor of Arts Degree in Business Finance from Durham University and an MBA from Columbia Business School.

Independent Functions

In line with best practice corporate governance, and as a key part of the Bupa Arabia “Three Lines of Defence Model”, the Company has independent functions reporting directly to the AC, with a dotted line reporting to the CEO for day-to-day administration, and both functions are completely accessible to the Board, and Board Committees when required. The Compliance Department forms part of the Company’s Second Line of Defence and the Internal Audit Department is the Third Line of Defence.

The Compliance Department (COD)

The COD is considered an essential factor in Bupa Arabia’s success and leading position in the health insurance market of the Kingdom of Saudi Arabia, due to the critical role it plays in effectively managing compliance risks, integrating a strong compliance culture into the daily business activities and strategic planning of Bupa Arabia, maintaining the Organization’s reputation, and protecting its stakeholders.

The COD is an independent function that reports directly to the Audit Committee (AC) and its structure, roles and responsibilities are authorized by the AC.

Director – Compliance Department: Mr. Luay Abumansour

Mr. Luay Abumansour joined Bupa Arabia in December 2019, bringing more than 15 years of experience in the area of compliance, Anti-Money Laundering (AML), Counter Terrorist Financing (CTF), and corporate governance. Prior to joining Bupa, Mr. Luay was the Head of Compliance and AML/CTF at Abdul-Latif Jameel United Real Estate Financing Company for five years, where he established and built the compliance and AML/CTF function. Prior to that, he spent seven years in Bank Aljazira, where he played several roles in the area of AML/CTF compliance, with his last role being the Head of AML/CTF Investigations Division. Throughout his career, he has managed to build an effective and robust relationship with Saudi regulators.

The Internal Audit Department (IAD)

The Internal Audit Department (IAD) provides independent and objective assurance and consulting services designed to add value and improve the operations of Bupa Arabia. IAD assists Bupa Arabia in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of systems of governance, risk management, and internal controls.

The IAD Senior Director reports functionally to the Audit Committee, and operationally and administratively to the CEO, in order to maintain independence and objectivity. Furthermore, IAD executes the assurance and advisory activities in accordance with the risk-based annual plan approved and monitored by the Audit Committee.

IAD is currently aligning and collaborating with Risk Management and Compliance functions to ensure that Bupa Arabia’s overall assurance activities are conducted more effectively and efficiently than in the previous periods.

Senior Director – Internal Audit: Mr. Omar Bahathiq

Mr. Omar Bahathiq has over 10 years of experience in internal audit. Throughout his career, he built a solid acumen in governance, risk management, internal controls, project management, and investment activities.

Prior to joining Bupa Arabia, Mr. Omar was leading the Internal Audit function at Vision International Invest Company, a leading Saudi Arabian investment holding company at the forefront of public and private sector partnerships. He has also previously worked at Saudi Aramco and held several positions in the Projects Division under the Internal Audit function. Mr. Omar is an active member of the Audit Committee at Saudi Cable and has served as a member of the Audit and Risk Committee at Miahona Company.

Mr. Omar holds a Bachelor of Science in Accounting from the King Fahd University of Petroleum and Minerals.

Risk Culture

In addition to the significant regulatory requirements changes, the medical insurance industry is going through a drastic shift in its consumer and competitive behavior. Our objective is to continuously monitor and anticipate current and emerging risks that may affect our business, operations, and customers. Our risk management framework is designed to enable a culture of business management accountability over day-to-day risks while being supported by control functions that monitor the Company’s overall risk profile and the controls mitigating these risks.

Progress in 2022

During the year 2022, as a response to our business growth and the increased regulatory requirements, we have enhanced our risk framework by accomplishing the following:

  • Enhancing our risk profile and mitigation controls through extensive enterprise-wide risk assessments associated with new regulations and emerging market strategic risks.
  • Capturing and analyzing operational and financial impact of risks associated with the implementation of new regulations, migration of talent, and digitization of the market landscape.
  • Developing, approving, and rolling-out the Delegation of Authority Framework and the Enterprise Policy Framework across Bupa Arabia.
  • Monitoring regulatory requirements and ensuring all issues are addressed in an effective and timely manner.
  • Enhancing information security, business continuity, and data privacy controls.
  • Completing an internal controls review by a third-party against the COSO framework receiving a “Generally Satisfactory” rating.

Risk Management Approach

Governance

The Board Risk Management Committee (RMC) supervises a structured governance model supported by the Executive Risk Committees (ERC) and Cyber Security Committee (CSC). These committees recommend risk appetite to the RMC and the Board for approval. Moreover, periodic reports from the Chief Governance, Risk and Control Officer (Chief GRCO) and minutes from relevant committees are shared with the RMC.

Implementation

A structured process is in place to identify risks and to define and monitor strategies that mitigate the impact of these risks. This framework is underpinned by solid principles and activities that are central to Bupa Arabia’s purpose of longer, healthier, and happier lives. To ensure consistency and conformity, the Risk Management Department (RMD) has implemented the Risk and Control Self-Assessment (RCSA) system. RCSA reports are shared with senior management, risk management committees, regulators, and when necessary, the Board of Directors. The RCSA aims to build an enterprise-wide risk profile.

Risk Management works very closely with stakeholders, providing assurance by identifying, escalating, managing, and mitigating significant risks that encircle Bupa Arabia. Detailed reviews and in-depth analyses are carried out on key risks to measure operational and financial impacts. Consolidated reports are provided to the CEO and several governance bodies within the organization, highlighting the Management Team strategies and actions in managing its risk universe. Among those are the Audit Committee, Risk Management Committee, and the Board.

The table below reflects the themes of the most significant risks currently facing Bupa Arabia.

| Risk Theme | Description | Impact |
| --- | --- | --- |
| Economic Inflation | Material increases in the claims costs to the insurance companies due to regulatory changes (i.e., the new policy coverage of COVID-19, including the MOH providers under the Insurance Companies Coverage, the implementation of the new table of benefits, and adaptation of NPHIES). | May lead to a pressure on premiums and underwriting pricing which could impact client’s affordability. Consequently, this could impact the Company’s retention rates and market share. |
| Geopolitical Volatility | Geopolitical pressure along with other economic changes pose direct and/or indirect impact on our business. The current Russian-Ukrainian war, the unprecedented energy crisis, employment cost to name a few, is increasing the pressure among major clients and insurance companies. | Possibility of increased erosion of profit margins. |
| Market and Competitive Landscape | The growth of large and premium medical providers. | May lead to inflation of medical/claims cost by members switching from lower and medium tiers to large providers. |
| Talent Management | Meeting the required Saudization recruitment target set by the Regulator. | Attrition of experienced non-Saudi talent and difficulty to secure Saudi talents in specific medical and digital disciplines. |
| Cybersecurity and Business Continuity | Risks of increased dependency on digital platforms and automation and regulatory pressure to implement measures of data privacy and cyber security. | Increased exposure to information security breaches and/or business disruption, potentially causing financial losses and reputational damage. |

In summary, the Bupa Arabia Management Team is taking all steps necessary to manage these risks. Continuous engagement with customers through different business channels, ongoing monitoring and optimization of claims settlement in collaboration with providers, fine-tuning controls for cost management, analyzing vast amounts of data through technology for improved tailored services, prevention of system abuse, eradication of fraud, and identifying cost-effective solutions in healthcare are all measures to ensure that high-end quality services are consistently being delivered and overall risks are mitigated.