Governance of risk

STRUCTURE

The Board accepts its responsibility for the governance of risk, which includes the total process of risk management and the forming of its opinion on the effectiveness of the process. The Board forms its opinion on the process of risk management based on the recommendations of the ARCC and is satisfied with the effectiveness of the risk management process. The ARCC is responsible for ensuring that the Group has implemented an effective policy and plan for risk management and that the risk disclosures are comprehensive, timely and relevant. The Board and Committees’ responsibilities are documented in the Blue Label Enterprise Risk Management Framework Policy.

Management is accountable to the Board for designing, implementing and monitoring the process of risk management. The IRCC, established by management, supports the enterprise-wide risk approach by identifying, evaluating and measuring Group-wide risks and compliance in all functional areas of the Group, as well as maintaining adequate internal controls. The IRCC reports to the ARCC bi-annually.

PROCESS

Group-wide strategic risk assessments are conducted bi-annually. These assessments are facilitated by internal audit, which plays an important role in evaluating the risk management process and guiding management towards continuing improvement. Internal audit does not take any direct responsibility for making risk management decisions or managing the risk management function. The outcome of the risk assessments is integral to developing a plan for internal audit engagements for the forthcoming year. The risk assessments involve risk identification and prioritisation at subsidiary and holding company level, followed by interviews with Senior Management at subsidiary level and key members of Executive Management to confirm the risks, their descriptions and their prioritisation. Each risk is evaluated, according to set criteria, in terms of potential impact, likelihood of occurrence and the perceived effectiveness of the controls in place to manage it. The Group’s material risks are listed on pages 13 to 16.

A risk appetite and tolerance framework has been developed in line with the principles of King III. The framework was presented to the ARCC for consideration and has been approved/noted by the Board. In terms of the framework, priority risks will be considered in terms of risk appetite, which is defined as how much risk the Group is prepared to take in pursuit of its objectives. The Group has identified its strategic risks and acknowledges that its appetite to accept risk varies across these risks. The ARCC has elected to set risk tolerances in respect of each of the prioritised risks. This framework is refined during each reporting period.

TECHNOLOGY GOVERNANCE

The Board is responsible for the Group’s technology governance, risk and compliance. The Board has delegated its responsibility for the implementation of IT governance to management. Management has developed an IT governance framework, which has been adopted, and the Information Security Officer is driving a number of programmes across the organisation to ensure that it is effectively communicated and that all Group companies are informed of the framework and associated policies. Management is implementing a number of controls to ensure that the policies are effectively adopted and maintained across the organisation.

A number of areas relating to technology governance have progressed. There has been a significant drive to formalise controls in order to ensure consistent and adequate risk management. The operation’s environment has been assessed to ascertain the process requirements from both an enhancement and a compliance perspective. On the disaster recovery side, progress has been made in dealing with multi-node failure and location outages.

On the project and system changes side, processes have been formalised to streamline work activity as well as ensure focus is maintained appropriately. With the growth in business there has been a marked increase in new requests for technology enhancements. A process has been implemented to ensure that the efforts are focused on developments that will assist our customers to meet their objectives, while maintaining acceptable performance levels from our systems.

In order to gear the technology function to support the growing business environment, a number of governance, risk and compliance objectives have been set. The governance framework was developed by initially identifying generic technology risks, and the policies developed in alignment with the framework are in some cases more Group-specific. A policy framework has been implemented to manage these risks and an implementation plan is being executed to complete the roll-out of the policy framework.