Risk & Compliance Department


Risk Management Division


Core Values

The Organization’s Enterprise Risk Management Framework (ERF) reflects the core values of KFSH&RC (Gen. Org.) by embracing a risk-aware culture, holding itself accountable for the performance of the organization, and cultivating open communication and transparency about risk and risk-taking expectations.



• Develop, implement, and monitor the Enterprise Risk Management Framework (ERF) and its operational plan, and ensure alignment with the Organization’s strategic plan.

• Embed risk awareness in the Organization’s culture so that risk is managed cost-effectively on an enterprise-wide basis.

• Develop policies and procedures, competencies, accountabilities and reporting structures to execute the Enterprise Risk Framework effectively.

• Ensure that risks are identified, analyzed, evaluated, treated effectively and efficiently across the Organization.

• Monitor progress on the completion of risk assessment plans across the organization and provide support when needed, so that delays and challenges are acknowledged and rectified, risk treatment strategies remain in line with the Risk Appetite, and their effectiveness in reducing risk exposure to the limits set in the Risk Appetite is reviewed.

• Monitor Key Risk Indicators (KRIs) to ensure effective measures are in place to limit risk exposures and continuously adjust risk exposure levels accordingly.

• Enable technological developments, methods, tools, and systems that will increase the Enterprise Risk Management Framework’s operational efficiency.

• Prepare periodic reports on the performance of the Division and monitor the achievement of the Division’s Key Performance Indicators.

• Annually evaluate the effectiveness of the Enterprise Risk Management implementation.

• Prepare periodic risk reports so that risk information is reported as an accurate, relevant, and objective representation of the organization’s risk profiles.

• Ensure all policies and procedures, plans, documents, and records of the Division are maintained in accordance with Organizational standards.


Organizational Relationship

• The Risk Management Division sits under Risk & Compliance, Headquarters, and is headed at Director level.

• The Director of the Risk Management Division reports directly to the Chief, Risk & Compliance Headquarters at KFSH&RC (Gen. Org.).


Compliance Division Vision

The Compliance Division is committed to ensuring that the Hospital complies with all established laws, rules, and regulations, supporting the Hospital in achieving the best healthcare environment.




• Assist KFSH&RC in achieving a high level of compliance with all applicable compliance obligations.

• Protect the Hospital from the consequences of non-compliance with applicable laws and regulations (such as fines, penalties, and reputational damage), and prevent and detect non-compliance with policies.

• Establish, monitor, and update an electronic database that contains a copy of all governmental laws and regulations along with their information (Compliance Library).

• Maintain strong and healthy relationships with regulators.

• Improve the culture of compliance in KFSH&RC.

• Develop unified procedures for identifying, recording, evaluating, prioritizing, and monitoring the Hospital’s compliance obligations.


Organizational Relationship

• The Compliance Division sits under Risk & Compliance, Headquarters, and is headed at Director level.

• The Director of the Compliance Division reports directly to the Chief of Risk & Compliance, Headquarters at KFSH&RC.

Scope of Service

Why Is Compliance Important?

Compliance inspires leadership, as it helps to define what the Hospital does, how it is done, and why it is done. It is important to note that Codes of Conduct stem from values which, when in alignment, drive Hospital growth. Compliance is the reference point against which ethics, values, policies, and Codes of Conduct are measured, making it easier to take the right decisions.


Compliance Directory 

Alaa Fageeh


Claudyne Leonardo


Tahani Bin Afif


Samar Turkistani


Maha Alzraiee


Yousef AlEssa


Abduhlkarim Aldhayyaf



Compliance Awareness Campaign Presentation

Frequently Asked Questions




What is compliance?

The process of ensuring that the Hospital and its employees follow external laws and regulations as well as internal policies and procedures.


What is the role of the Compliance Division?

We ensure that all the Hospital divisions, departments, sections, and employees are compliant with all applicable external & internal compliance obligations.


What are the consequences of non-compliance?

Non-compliance leaves the Hospital at risk for financial losses, security breaches, license revocations, poor patient care, lawsuits, and a damaged reputation. It affects the quality of care we provide to patients.


What is the difference between the Compliance Division and Internal Audit Department?

Compliance is about meeting legal and regulatory obligations. If the Hospital does not meet its compliance obligations, it may face significant penalties such as fines or even lawsuits and reputational damage. In addition, compliance is a leading action: it prevents potential risk from future events or circumstances.


Internal Audit is impartial and examines what the Hospital has done to confirm that it is in line with what the Hospital states it has done. The audit function provides the Hospital with assurance that intentions are being followed through. Internal audit is a lagging action: it detects issues and deviations after the fact.


What is the difference between complaints and compliance?

A complaint is a statement expressing dissatisfaction with something, or with somebody’s action or behavior, within your business environment, whereas compliance is the practice of following the rules and regulations set within the Hospital along with external governmental laws.



Information Security


• To ensure that a proactive approach is taken to protecting data and information, by overseeing the implementation of the standards, controls, and arrangements necessary to secure them.

• To reduce downtime for critical systems.

• To ensure security policies are set and integrated into standard processes.

• To ensure that disaster recovery systems are properly implemented and monitored, and that they adhere to government and industry standards.



Duties & Responsibilities

• Draft and communicate information security and disaster recovery policies and standards across KFSH&RC (Gen. Org.) in alignment with government mandates and best practices.

• Aid the business in participating in the security processes (application assessments, product certifications, and connectivity to the intranet and Internet).

• Develop and maintain the Segregation of Duties (SoD) matrix and manage updates to the matrix in alignment with the application and business owners.

• Coordinate all responses to technology audits and audit-related activities.

• Work with the Information Technology infrastructure services to identify and arrange for the deployment of appropriate compensating controls to address security and risk gaps, and disaster recovery infrastructure.

• Work closely with the Enterprise Architecture Section and other Healthcare Information Technology Affairs (HITA) resources to design security arrangements across the five (5) layers of the architecture.

• Consult with businesses on disaster recovery needs.

• Develop and maintain disaster recovery plans with the application and business owners.

• Work with the application and business process owners, and internal HITA resources to identify and prioritize potential risks and formulate risk mitigation plans, namely the Disaster Recovery and Business Continuity plans.

• Work with outside vendors to perform security audits and select best practices.


Organizational Relationship

Information Security and Disaster Recovery is a Department under the Risk & Compliance Department, headed at Director level.

The Director of Information Security reports directly to the Chief Risk & Compliance Officer.


Information Security Policies

Information Security

Access control

Asset management

Acceptable use

Business Continuity


Physical and Environmental Security

Risk Management
