The board accepts responsibility for risk governance and is committed to managing risks to ensure that the company achieves its mission and key objectives. The ARCC has been mandated to assist the board in carrying out its risk responsibilities. Management has formed an IRCC with the mandate to support the enterprise-wide risk approach by identifying, evaluating and measuring group-wide risks and compliance in all functional areas of the group and maintaining adequate internal controls. The IRCC reports to the ARCC bi-annually.
Blue Label continues to develop and enhance its enterprise-wide risk management programme (ERM). The objective of the ERM is to provide a proactive and comprehensive programme for group-wide risk identification, prioritisation of key risks, the assessment of perceived control effectiveness, development of operational responses, action plans and monitoring progress. Internal audit plays an important role in evaluating the risk management process and guiding management to continued improvement. The internal audit function does not take any direct responsibility for making risk management decisions or managing the risk management function.
Internal audit facilitates strategic risk assessments. The outcome of the risk assessments is integral in developing a plan for audit engagements for the forthcoming year. The audit plan is tabled for approval by the ARCC and implementation progress is reviewed on a quarterly basis. The ARCC ensures that the plan remains relevant to the business, with changes agreed as appropriate.
The strategic risk assessment conducted involved risk identification interviews with key members of executive management, non-executive directors and senior management at subsidiary level. This was followed by workshops to confirm the risks and the ratings assigned. This bottom-up approach ensures the determination and development of risk profiles at subsidiary and holding company levels. The governance of risk at subsidiary level is considered through the achievement of business strategies that are aligned to the group strategy. At holding company level, risk governance is considered through the management of top risks that impact on the group’s ability to achieve its strategic objectives. The group’s top strategic risks are listed in the Annual report 2012.
Management recognises the importance of the risk assessment process and has identified and implemented mitigating measures and controls as deemed appropriate. Risk owners, middle and senior managers are responsible for the implementation of the mitigating measures in their respective areas. The information flowing from the risk assessment, including mitigating measures and controls, will be summarised into a meaningful risk map for presentation to the board. The risk map will be utilised by the board to determine the specific risk appetite and tolerance in the pursuit of its objectives.