Risk has always been part of running a large business, but the way it behaves has changed. Regulatory shifts, cyberattacks, geopolitical disruption and technology failures do not arrive in isolation. They compound, often faster than organisations are structured to respond.
In telecom, that reality is more exposed than in most sectors. Operators make long-term infrastructure investments in markets where the rules governing that infrastructure can change with little notice. At the same time, the expectation of uninterrupted service has only strengthened. When connectivity fails, the impact extends well beyond telecom itself.
The business reality
As an ever-evolving and fast-growing TechCo, Zain Group carries that pressure across eight markets, Kuwait, Bahrain, Iraq, Jordan, Saudi Arabia, Sudan and South Sudan (plus UAE), serving more than 51 million customers across a geography where the operating conditions are rarely consistent and sometimes extreme for its core mobile, data and B2B operations as well as for its fintech and digital entities. Similar challenges are also faced by its three ICT enterprise focused entities headquartered in the UAE and operating regionally, namely ZainTECH, Zain Omantel International (ZOI) and TASC Towers.
To accelerate the business and overcome challenges, Zain launched its ‘4WARD–Progress with Purpose’ corporate strategy to bolster its evolution from a predominantly mobile-centric operator into a purpose-driven, customer-centric, future-ready regional Technology and Investment Group (TechCo) focusing on four key strategic pillars: Customer Delight, Digital Zain, Purpose & Action, and Collaborative Growth.
In compliance with the 4WARD strategy, managing risk across that footprint requires something more deliberate than a centralised compliance function. It requires risk to be present at the point where decisions are made, not brought in afterwards to review them.
“Zain’s goal is not to have a risk-free business, that would be the wrong objective entirely,” says AbdulGhaffar Setareh, Zain Group Chief Risk Officer. “What we are trying to do is take decisions with a clear understanding of the exposure we are carrying. Risk management is an independent function that reports to the board on governance matters, and the Risk department’s role is to make sure the company is well protected, with clearly defined risk appetites across every category of risk we face, and that those appetites guide how we make business decisions.”
That applies whether Zain is acquiring a company, backing a new technology, or moving into a new market. Due diligence is not the last step before a decision, it shapes the decision itself. “The board sets the thresholds for our risk appetite, and the team’s job is to assess whether the exposure sits within those thresholds before the business commits.”
Those thresholds get tested in markets where the ground shifts in ways that no framework fully anticipates. Each of Zain’s eight markets is assessed individually, because the risks in one country bear little resemblance to those in another. Iraq is a good example.
“The country is a challenging but rewarding environment to operate in, the macroeconomic pressures are significant, the geopolitical situation is complex, and these are not background conditions that you manage around. They shape how the business operates on a daily basis and you need to be agile there to succeed.”
Regulatory instability presents a different kind of strain. In South Sudan, import duties on equipment rose drastically in a short window, immediately forcing a reassessment of investments planned under different assumptions.
“Regulatory environments across our markets are becoming increasingly unpredictable,” Setareh says. “You can build a five-year investment plan on a set of informed data, and then find that a key variable has shifted within months. That is the reality we plan against.”
Operating across eight markets means that when instability strikes anywhere within that footprint, it lands inside the business almost immediately. For Zain, the early months of 2026 brought that reality into sharp focus, with staff across multiple markets, infrastructure running through affected corridors, and customers depending on connectivity that could not simply be switched off while the situation resolved itself.
The first call was about people. “Employees are the most important asset we have, more important than any system or piece of infrastructure we operate,” explains Setareh. “When the security situation became serious, the decision was straightforward: people should not be required to come into the office. We moved to working from home, and we did it quickly. Safety has to come first, and everything else follows from that.”
With the workforce protected, attention moved to the network. When subsea cables were impacted and connectivity degraded across parts of the region, ZOI rerouted traffic through alternative routes across its networks, managing customer communications throughout. The response drew on strong contingency measures built well before the disruption arrived.
“Reliable and secure connectivity has become essential for people and society at large, they depend on it for work, for financial transactions, for accessing public services. That means the obligation to keep services running does not pause because the conditions around us are difficult. We have to find a way to maintain continuity, and that requires preparing for scenarios that are hard to predict in advance,” he says.
The technology layer
The disruptions Zain navigates in the field, regulatory shifts, regional instability, infrastructure failures, are visible and immediate. The risks that sit beneath them are quieter but no less demanding. Cyber-attacks on critical infrastructure have grown in frequency and sophistication globally, with telecoms among the most consistently targeted sectors given the volume of sensitive data their networks carry.
“Cybersecurity is not something you solve and move past, it is a risk you have to live with and manage continuously. Even the largest and most sophisticated organisations in the world are being attacked regularly, and the sophistication of those attacks is increasing year on year. The threat does not diminish as your defences improve; it evolves alongside them,” Setareh says adding that ZainTECH is well primed to support the company’s many entities and its customers.
AI has added a layer of complexity that is still being mapped in real time. Zain introduced an AI centre of excellence and an internal security policy for AI use, but found it needed updating within months of being written. “The technology is moving faster than the governance around it, and the maturity simply is not there yet. The risks are still taking shape, and our frameworks have to keep pace with how people are actually using these tools,” explains Setareh.
The pressure point is data. “A great deal of information and data flows into AI systems, and that can become very alarming when you think about it at scale. The moment you make a tool available across the organisation, thousands of people can be sending company data through it, and the consequences of that are not always visible until the damage is done,” he says.
Finding and keeping the people capable of managing all of it has become one of the most persistent pressures across the business. “The talent gap in technical and security roles is a real challenge, finding the right people is hard enough, but keeping them is harder. The market is competitive, and when you lose someone with years of experience on your systems, you are not just filling a position, you are rebuilding knowledge that took a long time to accumulate.”
Addressing those gaps is not something the business can do alone. In areas where skills are scarce and systems are complex, external expertise becomes part of the operating model. “Partners like Huawei and other trusted global solution providers bring deep technical knowledge and experience delivering across complex environments, they understand how to build and maintain resilience at scale, and that expertise is genuinely valuable when you are trying to keep critical systems running across multiple markets simultaneously,” he adds.
The risks Zain navigates are not going to simplify. Regulatory environments will keep shifting, cyber threats will keep growing in sophistication, and AI will keep outpacing the governance built around it. What Setareh returns to is not removing that complexity, but understanding the exposure it creates before decisions are made.
Discussion about this post