Governance of risk

The Board accepts its responsibility for the governance of risk, which includes the total process of risk management and the forming of its opinion on the effectiveness of the process. The Board forms its opinion on the process of risk management based on the recommendations of the ARCC and is satisfied with the effectiveness of the risk management process. The ARCC is responsible for ensuring that the Group has implemented an effective policy and plan for risk management and that the risk disclosures are comprehensive, timely and relevant. The Board and committees’ responsibilities are documented in the Blue Label Enterprise Risk Management Framework Policy.
Bi-annual risk reporting to the Board is being formalised.

Management is accountable to the Board for designing, implementing and monitoring the process of risk management. The IRCC has been formed by management to support the enterprise-wide risk approach by identifying, evaluating and measuring Group-wide risks and compliance in all functional areas of the Group as well as maintaining adequate internal controls. The IRCC reports to the ARCC bi-annually.

Group-wide strategic risk assessments are conducted bi-annually. These assessments are facilitated by internal audit which plays an important role in evaluating the risk management process and guiding management to continuing improvement. Internal audit does not take any direct responsibility for making risk management decisions or managing the risk management function. The outcome of the risk assessments is integral in developing a plan for audit engagements for the forthcoming year. The risk assessments conducted involve risk identification and prioritisation at subsidiary and holding Company level, followed by interviews with senior management at subsidiary level and key members of executive management to confirm risks, their descriptions and prioritisation. Each risk is evaluated in terms of potential impact, likelihood of occurrence and the perceived effectiveness of controls in place to manage the risks according to set criteria. The Group’s material risks are listed on pages 15 to 18.

A draft risk appetite and tolerance framework has been developed in line with the principles of King III. The draft framework was presented to the ARCC for consideration and has been approved by the Board. In terms of the framework, priority risks will be considered in terms of risk appetite, which is defined as how much risk the Group is prepared to take in pursuit of its objectives. The Group has identified its strategic risks and acknowledges that its appetite to accept risk varies across these risks. The ARCC elected to set a risk appetite operating tolerance in respect of each of the prioritised risks. This framework is expected to be refined going forward.

Technology governance

The Board is responsible for the Group’s technology governance, risk and compliance as detailed on page 35. The Board has delegated its responsibility for the implementation of IT governance to management. This has been formalised by the formation of a department to oversee and co-ordinate the activities relating to governance, risk and compliance. Over the past few years, there has been a maturing of this capability within technology with the implementation of a number of key initiatives to ensure sustainable business operations. The formalisation of the function now further enhances the technology function.

A number of areas relating to technology governance progressed. There has been a significant drive to formalise controls in order to ensure consistent and adequate risk management. The operations environment has been assessed to ascertain the process requirements from both an enhancement and a compliance perspective. On the disaster recovery side, resilience has been added to key platforms, which are able to continue operations in the event of single-node failures. The next phase has been initiated to consider multi-node failure as well as location outages.

On the project and system changes side, processes have been formalised to streamline work activity and to ensure that focus is maintained appropriately. With the growth in business, there has been a marked increase in new requests for technology enhancements. We are confident that we have adequate controls to assist our internal customers to meet their objectives while maintaining acceptable performance levels from our systems.

In order to gear the technology function to support the growing business environment, a number of governance, risk and compliance objectives have been set. We have compiled a governance framework by initially identifying generic technology risks. A policy framework has been implemented to manage these risks and an implementation plan is in place to complete the rollout of the policy framework. A compliance analysis plan will be compiled to enhance the governance mechanisms as well as address gaps in implementation. Key enterprise and business risks have been identified in terms of disaster recovery and business continuity. There are plans in place to address these risks over the next year, with further enhancements expected thereafter.
