Governance of risk
Structure
The Board accepts its responsibility for the governance of risk, which includes the total process of risk management and the formation of its opinion on the effectiveness of the process. The Board forms its opinion on the process of risk management based on the recommendations of the ARCC and is satisfied with the effectiveness of the risk management process. The ARCC is responsible for ensuring that the Group has implemented an effective policy and plan for risk management and that the risk disclosures are comprehensive, timely and relevant. The Board and Committee’s responsibilities are documented in the Blue Label Enterprise Risk Management Framework Policy.
Management is accountable to the Board for designing, implementing and monitoring the process of risk management. The IRCC, established by management, supports the enterprise-wide risk approach by identifying, evaluating and measuring Group-wide risks and compliance in all functional areas of the Group, as well as maintaining adequate internal controls. The IRCC reports to the ARCC bi-annually in this regard.
Process
Group-wide strategic risk assessments are conducted bi-annually. These assessments are facilitated by internal audit, which plays an important role in evaluating the risk management process and guiding management towards continuous improvement. Internal audit does not take any direct responsibility for making risk management decisions or for managing the risk management function. The outcome of the risk assessments is integral to developing the plan for internal audit engagements for the forthcoming year. The risk assessments involve risk identification and prioritisation at subsidiary and holding company level, followed by interviews with Senior Management at subsidiary level and key members of Executive Management to confirm the risks, their descriptions and their prioritisation. Each risk is evaluated in terms of its potential impact, the likelihood of occurrence and the perceived effectiveness of the controls in place to manage it, according to set criteria. The Group’s material risks are listed under “Understanding material matters”.
A risk appetite and tolerance framework has been implemented in line with the principles of King III. In terms of the framework, priority risks will be considered according to risk appetite, which is defined as how much risk the Group is prepared to take in pursuit of its objectives. The Group has identified its strategic risks and acknowledges that its appetite to accept risk varies across these risks. The ARCC has elected to set risk tolerances in respect of each of the prioritised risks. This framework is refined during each reporting period.
Technology governance
The Board is responsible for the Group’s technology governance, risk and compliance. The Board has delegated its responsibility for the implementation of IT governance to management, which in turn has adopted an IT governance framework. The Information Security Officer continues to drive a number of programmes across the organisation to ensure that the framework is effectively communicated and that all Group companies are informed of the framework and its associated policies.
Management has implemented controls to ensure that the policies are effectively adopted and maintained across the organisation.
A number of areas relating to technology governance have improved over the prior year. In particular, controls have been formalised to ensure that consistent and adequate risk management is applied. The operating environment has been assessed to establish process requirements from both an enhancement and a compliance perspective. Progress has been made in disaster recovery, specifically in dealing with multi-node failures and location outages.
For project and system changes, processes have been formalised to streamline work activity and to ensure that focus is appropriately maintained. In line with growth in the business, there has been a marked increase in new requests for technology enhancements. A process has been implemented to ensure that effort is focused on developments that will assist customers in meeting their objectives, while maintaining acceptable performance levels from the systems.
In order to gear the technology function to support the growing business environment, a number of governance, risk and compliance objectives have been set. The governance framework was developed by first identifying generic technology risks; the policies developed in alignment with the framework are in some cases more Group-specific. A policy framework has been implemented across the Group to manage these risks.