Governance of risk
The Board accepts its responsibility for the governance of risk, which includes the total process of risk management and the forming of its opinion on the effectiveness of the process. The Board forms its opinion on the process of risk management based on the recommendations of the ARCC and is satisfied with the effectiveness of the risk management process. The ARCC is responsible for ensuring that the Group has implemented an effective policy and plan for risk management and that the risk disclosures are comprehensive, timely and relevant. The Board and committees’ responsibilities are documented in the Blue Label Enterprise Risk Management Framework Policy.
Bi-annual risk reporting to the Board is being formalised.
Management is accountable to the Board for designing, implementing and monitoring the process of risk management. The IRCC has been formed by management to support the enterprise-wide risk approach by identifying, evaluating and measuring Group-wide risks and compliance in all functional areas of the Group, as well as maintaining adequate internal controls. The IRCC reports to the ARCC bi-annually.
Group-wide strategic risk assessments are conducted bi-annually. These assessments are facilitated by internal audit, which plays an important role in evaluating the risk management process and guiding management towards continuing improvement. Internal audit does not take any direct responsibility for making risk management decisions or managing the risk management function. The outcome of the risk assessments is integral in developing a plan for audit engagements for the forthcoming year.
The risk assessments conducted involve risk identification and prioritisation at subsidiary and holding Company level, followed by interviews with senior management at subsidiary level and key members of executive management to confirm risks, their descriptions and prioritisation. Each risk is evaluated in terms of potential impact, likelihood of occurrence and the perceived effectiveness of controls in place to manage the risks, according to set criteria. The Group’s material risks are listed on pages 15 to 18.
A draft risk appetite and tolerance framework has been developed in line with the principles of King III. The draft framework was presented to the ARCC for consideration and has been approved by the Board. In terms of the framework, priority risks will be considered in terms of risk appetite, which is defined as how much risk the Group is prepared to take in pursuit of its objectives. The Group has identified its strategic risks and acknowledges that its appetite to accept risk varies across these risks. The ARCC elected to set a risk appetite operating tolerance in respect of each of the prioritised risks. This framework is expected to be refined going forward.
Technology governance
The Board is responsible for the Group’s technology governance, risk and compliance, as detailed on page 35. The Board has delegated its responsibility for the implementation of IT governance to management. This has been formalised by the formation of a department to oversee and co-ordinate the activities relating to governance, risk and compliance. Over the past few years, there has been a maturing of this capability within technology with the implementation of a number of key initiatives to ensure sustainable business operations. The formalisation of the function now further enhances the technology function.
A number of areas relating to technology governance progressed. There has been a significant drive to formalise controls in order to ensure consistent and adequate risk management. The operations environment has been assessed to ascertain the process requirements from both an enhancement and a compliance perspective. On the disaster recovery side, resilience has been added to key platforms, which are able to continue operations in the event of single-node failures. The next phase has been initiated to consider multi-node failure as well as location outages.
On the project and system changes side, processes have been formalised to streamline work activity and to ensure that focus is maintained appropriately. With the growth in business there has been a marked increase in new requests for technology enhancements. We are confident that we have adequate controls to assist our internal customers to meet their objectives while maintaining acceptable performance levels from our systems.
In order to gear the technology function to support the growing business environment, a number of governance, risk and compliance objectives have been set. We have compiled a governance framework by initially identifying generic technology risks. A policy framework has been implemented to manage these risks and an implementation plan is in place to complete the rollout of the policy framework. A compliance analysis plan will be compiled to enhance the governance mechanisms as well as to address gaps in implementation. Key enterprise and business risks have been identified in terms of disaster recovery and business continuity. There are plans in place to address these risks over the next year, with further enhancements expected thereafter.