Governance and Risk Management Report

Risk Governance and Internal Controls

Our Governance Framework

[Figure: governance framework. Regulations: Insurance Authority, CMA, CHI, Other, Best. Line of Defence: Identify, Manage, Own. Line of Defence: Advise, Support, Challenge, Oversight. Line of Defence: Independent, Objective Assurance.]

Our corporate governance and risk intelligence

We remain committed to enhancing shareholder value by building and maintaining a risk-intelligent organization, while increasing the transparency of our corporate governance practices and strengthening the rights of our shareholders in alignment with best-in-class governance standards.

Our major shareholder, Bupa Investment Overseas Limited (BIOL), is still one of the largest foreign strategic investors in the Saudi market. We continue to invest in our corporate governance, including further embedding the “Three Lines of Defence” (3LoD) risk management model within the ongoing recruitment and development of appropriate capabilities to ensure a world-class governance environment with world-class controls.

Our code of conduct

The Company’s Code of Conduct has been further embedded across the Organization during 2023, and all employees have received regular communication keeping them informed and updated. The Code covers the following areas and, alongside our values, is a key contributor to Bupa Arabia’s company culture.

Safeguarding Bupa Arabia’s assets:

  • we work to high professional standards
  • we declare conflicts
  • we represent Bupa Arabia
  • we prohibit insider trading and stock tipping
  • we manage risk
  • we protect our intellectual property

Thriving through regulatory excellence:

  • we play by the rules

Adhering to competition laws:

  • we respect competition laws
  • we speak up

Acting ethically and transparently with all our stakeholders:

  • we put our customers first
  • we act ethically
  • we keep information safe
  • we fight money laundering and terrorism financing
  • we know our suppliers

Preserving our community and our environment:

  • we celebrate diversity
  • we stay safe and well
  • we are prepared for anything
  • we take care of our planet

Our enterprise policies

The Company has reviewed, assessed, enhanced, revamped, approved, and rolled out the Enterprise Policies Management Framework (EPMF) for 2023. Our Enterprise Policies (EP) are an important part of how we manage risks within Bupa Arabia: they explain how we are exposed to risks and why those risks need to be managed, and they provide a consistent approach to managing them. They also help ensure business objectives are met, in compliance with legal and regulatory requirements of the jurisdictions in which we operate, and help us protect our environment while giving back to our communities. Our policies sustain and support our risk appetite.

The current suite of 33 enterprise-wide policies also supports our intent:

  • To adhere to the requirements of the Insurance Authority’s Insurance Corporate Governance Regulation;
  • To comply with the Saudi Arabian Capital Market Authority (“CMA”) requirements of the Corporate Governance Regulation;
  • To comply with legal and regulatory requirements of the jurisdictions in which we operate, including but not limited to the requirements of the Ministry of Commerce (“MOC”), the Council of Health Insurance (“CHI”), the Ministry of Health (“MOH”), the Ministry of Investment (“MOI”), the Zakat, Tax and Customs Authority (“ZATCA”), the Ministry of Human Resources and Social Development (“MOHRSD”), and the Anti Money Laundering and Combating Terrorist Financing Laws and Regulations (“AML and CTF”);
  • To comply with global best practices.

Our delegation of authority

The Delegation of Authority (DOA) is an integral part of the governance and the internal control system of Bupa Arabia.

The DOA Matrix, governed by its own respective framework, outlines guidelines for the authorization and empowerment at appropriate levels of decisions having financial implications or impacting the interests of Bupa Arabia.

The DOA Framework and Matrix were implemented and enhanced during 2023, consolidating all of Bupa Arabia’s activities with the appropriate approval levels. These documents were endorsed by the Audit Committee (AC) and Risk Management Committee (RMC), and approved by Bupa Arabia’s Board of Directors.

The purpose of setting limits of authority is to establish the financial commitments and operational decisions that various authorized bodies or personnel make on behalf of Bupa Arabia in the discharge of their responsibilities. Such authority limits are necessary to ensure that:

  • Financial commitments and expenditures are only made by authorized bodies or personnel and such commitments/expenditures are within the approved limits;
  • Authority given is consistent with duties and responsibilities assigned to management personnel;
  • Adequate authority is given to the relevant individuals or group of individuals to facilitate business operations efficiently; and
  • Clear understanding exists within Bupa Arabia of the authorities vested in each position, including those matters that are strictly reserved for the Board of Directors (BOD) and the Chief Executive Officer (CEO).

Our Speak-Up (whistle-blowing) Policy

We are dedicated to preserving ethical behavior and governance culture in the workplace. Both as a business and as individual employees, we adhere to all laws and regulations, further supported by the high standards we uphold at Bupa Arabia. To achieve this, staff members are encouraged to use designated channels to voice any concerns or questions they may have about improper behavior.

Our goal is for Bupa Arabia to foster an environment where employees feel free to raise concerns about any improper or unethical activity at work, without the fear of facing consequences.

Our Shariah compliance

Bupa Arabia maintains its Shariah compliance. Bupa Arabia received the approval from the Shariah Review Bureau on its compliance and status as per the 2022 annual Shariah Audit Report (reference BPA-1162-12-01-12-22) on 28 December 2023. The functions are as follows:

  • Separation of accounts (shareholder and policyholder)
  • Compliance of shareholder and policyholder investments with Shariah Guidelines. In support of achieving overall Shariah compliance in the future, the Company continues to develop its policies and evaluate its contracts.

Corporate governance and Bupa Arabia commitment

Bupa Arabia is fully committed through all levels of the Company hierarchy, including its Board and its Board Committees, to the implementation of world-class corporate governance standards, and the provisions contained in the Corporate Governance Regulations issued by the Capital Market Authority, Saudi Central Bank, The Insurance Authority, and thereafter adhering to the Corporate Governance Regulations of all Saudi regulators. Bupa Arabia is developing and instituting corporate governance structures, frameworks, codes, policies, procedures, and standards to support its achievement of best practices and adherence to the regulations. Bupa Arabia continues to update the relevant policies and procedures and ensures they are aligned with all the regulatory requirements.

This will ensure Bupa Arabia succeeds in fulfilling the five key elements of corporate governance:

  • Strong commitment to corporate governance
  • Strong commitment to world-class Board practices
  • Strong regime of disclosure, transparency, fairness, accountability, and responsibility
  • Appropriate control of environments and processes
  • Protection of all shareholders’ rights, including minority shareholders

Bupa Arabia affirms its commitment to the implementation of the highest professional standards and best international practices for the prevention of bribery, corruption, fraud, and financial crimes, and its commitment to preventing anti-competitive practices.

Bupa Arabia affirms its commitment to maintaining and developing its formal Corporate Governance Framework (CGF), including its Code of Corporate Governance (CCG), in alignment with international best practices, and in adherence to the regulators’ corporate governance regulations. Bupa Arabia is planning to further enhance its key governance documents for the approval of the shareholders, during 2024.

Control functions

Bupa Arabia ensures the implementation of robust practices in legal affairs, internal controls, and risk management, which also includes cybersecurity and technology risk management, in adherence to the relevant Saudi Arabian regulatory requirements for insurance companies. The Company has established the control functions detailed below, in addition to any other regulatory or supervisory requirements. The principal duties and responsibilities of these functions include, but are not limited to:

The Legal Affairs

Legal Affairs reports to the CGRCO and is responsible for ensuring that the Company complies with and adheres to the laws and relevant regulations, and for ensuring that the Company is protected.

Senior Director – Legal Affairs, General Counsel: Mr. Nasser AlQawas

Mr. Nasser AlQawas joined Bupa Arabia in May 2016 and has over 25 years of substantial legal, compliance, corporate governance, and Board secretariat experience.

Throughout his career he has managed to build a solid acumen in driving organizations to act with the highest level of integrity in compliance with the local and international prevailing laws in the different regions of operation, in addition to administering efficient and transparent legal processes and documentation. Having begun his professional career in Arent Fox law firm, where he worked for six years, followed by his 20-year tenure at NCB, Mr. Nasser was responsible for a variety of different roles and responsibilities, which include Head of the Legal Enforcement Section, Manager of Legal Advisory and Research, General Board Secretary, the Group Chief Compliance Officer, and the Chief Legal Advisor.

Mr. Nasser was appointed by a Royal Decree to be a reserve Committee Member in the Banking Dispute Committee in Jeddah. He is also a Board and Committee Member in a variety of companies.

Mr. Nasser holds a Master’s degree in Law, a Diploma in Regulation, Compliance and Anti-Money Laundering (from the University of Reading, England), and a Certified Compliance Officer certificate from the Financial Academy, and he holds Leadership Executive Certificates from INSEAD and IMD.

The Risk Management Department (RMD)

The Risk Management Department is responsible for the overall risk management process across Bupa Arabia.

They coordinate the development and implementation of the risk management framework and strategy, monitor the risk database/register, and report on material risks and action plans.

Senior Director – Risk Management Department: Mr. Ahmed Jaber

Ahmed Jaber is a seasoned Governance, Risk, and Compliance (GRC) Leader with over 20 years of experience. He holds certifications including Certified Fraud Examiner (CFE), Certified GRC Professional (GRCP), Certified GRC Auditor (GRCA), and a diploma in Risk Management.

Prior to joining Bupa Arabia, Mr. Ahmed was Head of Investigations and Fraud Prevention at the National Commercial Bank (NCB) and previously, Head of Operational Risk Management and Acting Head of Retail Banking Audit at NCB. Additionally, he held the position of Western Regional Head of Country Credit and Risk Control in SAMBA and worked as a field engineer in Schlumberger Middle East.

With over two decades of experience in enterprise risk management and internal controls, Ahmed currently leads the Risk Management function as Senior Director at Bupa Arabia. He also serves on Board Risk and Audit Committees in various industries, leveraging this governance experience to advise Boards and leadership on risk strategies and emerging regulatory issues.

The Cybersecurity and Technology Risk Department (CSTRD)

The CSTRD is a second line of defence and is responsible for the overall cybersecurity and technology risk monitoring processes across Bupa Arabia. It focuses on coordinating the development of the related policy and frameworks, and assessing and monitoring the IT, cybersecurity and technology risks, and reporting on the associated material risks and mitigation plans.

The CSTRD is responsible for the alignment of the Company with the regulatory mandated cybersecurity and BCM frameworks, issued by the Saudi Central Bank, the Insurance Authority and the National Cybersecurity Authority.

The CSTRD reports directly to the CGRCO, with access to the AC and RMC as required and its structure covers cybersecurity, information systems resilience, technology risk, data privacy, and BCM.

Director – Cybersecurity and Technology Risk Department (The Chief Information Security Officer – CISO): Mr. Sami Alsubhi

Mr. Sami Alsubhi joined Bupa Arabia in 2020. He has over 19 years of experience in cybersecurity and information technology, which includes leading the cybersecurity teams in different sectors, most notably as the Head of Information Security, during his period at Petro Rabigh company.

Mr. Sami holds a Master’s degree in software engineering from The University of Queensland, Australia, and he won the “GBST Best Software Project” prize during his Master’s study. Sami’s Bachelor’s degree was in Computer Engineering from King Fahd University of Petroleum and Minerals. In addition, he holds a number of technical and management certificates accredited in the field of cybersecurity management and information technology, the most significant of which are the SANS GIAC Cyber Threat Intelligence and GIAC Certified Incident Handler certificates, the ISO/IEC 27032 Lead Cybersecurity Manager certificate, and Cisco Certified Network Professional.

Finance Pricing, Actuarial, Asset Management and Business Advisory Departments

The finance pricing and actuarial capabilities of the Company are essential control functions to ensure the accuracy of the Company’s pricing and claims reserving, in accordance with both international best practice and Saudi regulations. These roles further report to the Finance function, headed by the Deputy CEO and CFO, except for Actuarial, which reports to the CEO based on Insurance Authority regulations. Additionally, the Asset Management and Business Advisory Department performs a key control function in relation to the management of investment assets, in accordance with the Board-approved Investment Policy Statement (IPS) and risk appetites, and in adherence to the Insurance Authority regulatory investment guidelines.

Senior Director – Commercial Finance: Mr. Hatim Jamal

Mr. Hatim Jamal has over a decade of experience in several fields such as financial analysis and planning, accounting, tax, product/program development, strategy development, and operational excellence. Prior to joining Bupa Arabia, Mr. Jamal was a partner at Strategic Gears Management Consultancy, as an advisor within both the private and public sectors. He has covered multiple projects related to strategy development, economic impact assessment and operational excellence. Previously having worked at Procter & Gamble, he was also involved in different finance related assignments such as forecasting and planning, commercial finance, finance strategy, and finance control in the Saudi office covering all markets in Arabian Peninsula and in the Switzerland office covering India, Middle-East, and Africa markets.

Mr. Jamal joined Bupa Arabia in the first quarter of 2021. He holds a Bachelor’s degree in Finance and Economics from King Fahd University of Petroleum and Minerals, and is a candidate for Master of Business Administration from London Business School.

Director – Actuarial and Financial Analysis: Mr. Mahmoud Almalki

Mr. Mahmoud Almalki joined Bupa Arabia in 2015, and since then has held several managerial positions within actuarial, pricing, and commercial finance. His responsibilities include claims reserving and monitoring, product development, setting pricing strategy, mega accounts renewal, and provider control. Mahmoud is an Associate of the Society of Actuaries (ASA), and is a proficient actuary, expected to be an FSA in 2023. He also holds a Bachelor’s degree from King Fahd University of Petroleum and Minerals in Actuarial Science and Financial Mathematics with Honors.

Senior Director – Asset Management and Business Advisory: Mr. Ahmed Bajunaid

Mr. Ahmed Bajunaid has more than 16 years of experience in investment management. He joined Bupa Arabia in 2018 to lead transformation activities related to the investment management function, and to assist with company-wide key strategic initiatives as part of the Business Advisory function. He was appointed as Director – Asset Management and Business Advisory in 2019. Mr. Ahmed has also previously worked at Sanabil Investments, where he was responsible for investing and managing its global private equity program. Prior to this, he spent nine years at the Saudi Aramco Investment Management Department conducting strategy analysis and as a fund manager, conducting due diligence and reporting for private and public equities, and hedge funds. Mr. Ahmed has also worked with Cambridge Associates as an investment consultant within the private equity research team between Boston and London.

Mr. Ahmed holds a Bachelor of Arts degree in Business Finance from Durham University and an MBA from Columbia Business School.

Independent functions

In line with best practice corporate governance, and as a key part of the Bupa Arabia “Three Lines of Defence Model”, the Company has independent functions reporting directly to the AC, with a dotted line reporting to the CEO for day-to-day administration, and both functions are completely accessible to the Board, and Board Committees when required. The Compliance Department forms part of the Company’s Second Line of Defence and the Internal Audit Department is the Third Line of Defence.

The Compliance Department (COD)

The COD is considered as an essential factor for Bupa Arabia’s success and leading position in the health insurance market of the Kingdom of Saudi Arabia, due to the critical role it plays in effectively managing compliance risks, integrating a strong compliance culture into daily business activities and strategic planning of Bupa Arabia, maintaining the Organization’s reputation, and protecting its stakeholders.

The COD is an independent function that reports directly to the Audit Committee (AC) and its structure, roles and responsibilities are authorized by the AC.

Director – Compliance Department: Mr. Luay Abumansour

Mr. Luay Abumansour joined Bupa Arabia in December 2019, bringing more than 15 years of experience in the area of compliance, Anti-Money Laundering (AML), Counter Terrorist Financing (CTF), and corporate governance. Prior to joining Bupa, Mr. Luay was the Head of Compliance and AML/CTF at Abdul-Latif Jameel United Real Estate Financing Company for five years, where he established and built the compliance and AML/CTF function. Prior to that, he spent seven years in Bank AlJazira, where he played several roles in the area of AML/CTF compliance, with his last role being the Head of AML/CTF Investigations Division. Throughout his career, he has managed to build an effective and robust relationship with Saudi regulators.

The Internal Audit Department (IAD)

The Internal Audit Department (IAD) provides independent and objective assurance and consulting services designed to add value and improve the operations of Bupa Arabia.

IAD assists Bupa Arabia in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of systems of governance, risk management, and internal controls.

IAD Senior Director reports functionally to the Audit Committee, and operationally and administratively to the CEO, in order to maintain independence and objectivity. Furthermore, the IAD executes the assurance and advisory activities in accordance with the risk-based annual plan approved and monitored by the Audit Committee.

IAD continues to align and collaborate with risk management and compliance functions to ensure that Bupa Arabia’s overall assurance activities are conducted more effectively and efficiently and to streamline assurance reporting to the Audit Committee.

Senior Director – Internal Audit: Mr. Omar Bahathiq

Mr. Omar Bahathiq has over 10 years of experience in internal audit. Throughout his career, he built a solid acumen in governance, risk management, internal controls, project management, and investment activities.

Prior to joining Bupa Arabia, Mr. Omar was leading the internal audit function at Vision International Invest Company, a leading Saudi Arabian investment holding company at the forefront of public and private sectors partnerships. He has also previously worked at Saudi Aramco and held several positions in the Projects Division under the internal audit function. Mr. Omar served as an independent member of the Audit Committee at Saudi Cable Company and the Audit and Risk Committee at Miahona Company.

Mr. Omar holds a Master of Business Administration from IESE Business School and a Bachelor of Science in Accounting from King Fahd University of Petroleum and Minerals. He is also a Certified Internal Auditor (CIA), Certified Management Accountant (CMA) and Certified Risk Based Auditor (CRBA).

Risk culture

In addition to the significant regulatory requirements changes, the medical insurance industry is going through a drastic shift in its consumer and competitive behavior. Our objective is to continuously monitor and anticipate current and emerging risks that may affect our business, operations, and customers. Our risk management framework is designed to enable a culture of business management accountability over day-to-day risks while being supported by control functions that monitor the Company’s overall risk profile and the controls mitigating these risks.

Progress in 2023

We have made significant advancements in enhancing Bupa Arabia’s risk management capabilities this year:

  • Enhanced our risk profile and mitigation controls through extensive enterprise-wide risk assessments associated with new regulations and emerging market strategic risks.
  • Captured and analyzed the operational and financial impact of risks associated with the implementation of new regulations, migration of talent, and digitization of the market landscape.
  • Revamped our Risk Tolerance/Acceptance Criteria, Unified Risk Assessment Methodology, and Appetite Framework for improved consistency in risk handling.
  • Developed new Scenario and Stress Testing, and Risk Intelligence Methodologies to deepen our understanding of potential risks.
  • Elevated the maturity and sophistication of our Board Risk Committee’s reporting, significantly improving the quality of discourse and decision-making.
  • Successfully implemented the agreed-upon risk assessment plan across the Organization.
  • Assisted compliance in identifying operational gaps.
  • Conducted comprehensive analyses of regulatory frameworks to ensure compliance and preparedness.
  • Achieved excellent ratings in internal audits and compliance reviews, efficiently resolving any identified issues.
  • Participated in senior management team meetings to identify and analyze critical business issues.

These achievements have supported Bupa Arabia’s mission while advancing the RMD’s goals. We remain committed to anticipating risks affecting our business and customers.

Risk management approach

Our objective is to continuously monitor current and emerging risks. Our framework enables accountability over day-to-day risks while being supported by control functions monitoring the overall risk profile.

Governance

The Risk Management Committee supervises our governance model supported by Executive Risk Committees and the Cybersecurity and Resilience Committee. These committees recommend risk appetite for approval and provide periodic risk reporting. Moreover, periodic reports from the Chief Governance, Risk and Control Officer (Chief GRCO) and minutes from relevant committees are shared with the Risk Management Committee.

Implementation

A structured process is in place to identify risks and define mitigation strategies.

Our Risk and Control Self-Assessment (RCSA) system identifies and manages bottom-up business risks through structured reporting to governance bodies.

Complementing this, our ERM reporting focuses on identifying and managing top-down and external risks. In-depth analyses of key risks measure operational and financial impacts. Consolidated ERM reporting highlights management strategies for our risk universe to governance stakeholders including the Audit Committee, Risk Management Committee, and Board.

Key risk themes currently facing Bupa Arabia that our ERM process focuses on include:

  • Economic Inflation: Regulatory changes may increase claims costs, impacting premium affordability and retention rates
  • Geopolitical Volatility: Global instability could exert pressure on major clients and lead to erosion of profit margins
  • Market and Competitive Landscape: Changes in the market landscape and increased competition
  • Talent Management: Meeting Saudization targets presents risks to talent retention, thereby impacting growth
  • Cybersecurity and Business Continuity: Increased digital reliance raises risks related to information security and disruption.

Looking ahead

Bupa Arabia proactively manages these risks through customer engagement, claims optimization, cost control, data analysis, fraud prevention, and cost-effective healthcare solutions. We remain committed to mitigating risks while delivering excellent service and promoting longer, healthier, happier lives.
