Material risks and opportunities

The main purpose of risk management is to adequately position the organisation to understand and respond to potential risks and opportunities that could materially impact the execution of our strategy and our ability to create value.

Blue Label's primary risks and opportunities are identified within the context of our strategy to proactively respond to ever-changing internal and external operating environments. In pursuing our goals toward creating, preserving and realising value for our stakeholders, we are strengthening the link between our strategy and the Group's risks and opportunities by applying our Enterprise-wide Risk Management (ERM) process within the context of key business requisites.

Our ERM process ensures the adequacy, appropriateness and effectiveness of our responses, mitigating potential significant negative business impacts in order to deliver on our business targets.

1

Description

Since the majority of the Group's inventory is of a virtual nature, defence against cybercrime will remain a top priority. Cyber-attacks can lead to reputational damage, business disruption and ultimately loss of revenue.

The Group is dependent on the systems and platforms that enable its products and services on which it manages its merchant base. Blue Label's technology spend has increased in recent years in support of its importance to both organic and inorganic growth, as well as simultaneously to improve system availability and resilience as the volumes of both the number and types of transactions increase.

Strategic response and mitigating measures

Blue Label places significant focus on the security of all systems, both production and enterprise to pre-emptively detect, prevent and manage security threats and recover expediently in the event of a cybersecurity breach.
Independent third parties continually conduct periodic vulnerability scans and penetration tests to ensure that Blue Label's systems are as secure as possible and that new threats are appropriately addressed.
A Security Operations Centre (SOC) has been implemented and is now fully operational. The SOC provides real-time threat detection and analysis of our environment and assists in countering cybercrime risks. The optimisation of the SOC is also currently ongoing. Furthermore, the SOC is being used for threat intelligence and is assisting in developing and rolling out assurance programmes that incorporate internal and external reviews of our data storage practices.
Our National Institute of Standards and Technology (NIST) Cybersecurity Framework is structured or aligned to the three lines of defence model. This allows for a dynamic approach focusing on assembling and arranging capabilities that allow for quicker response and optimising our cybersecurity initiatives.
We have appointed the appropriate skills set to manage our IT security. To bolster our cyber security, we have outsourced the entire function to a capable, highly skilled and adequately resourced service provider.

An advanced cloud-native platform has been implemented to counter malware threats.
A data loss prevention tool has been implemented, which provides real-time visibility, threat protection and data security for cloud services and websites.
All Blue Label staff members are mandated to participate in an ongoing cybersecurity awareness training programme, as part of cybersecurity culture and posture.
Adequate cyber insurance cover is in place to protect the Group in the event of a breach.
We monitor the Group's cyber incident response and containment in real time.
Blue Label has achieved full certification on ISO 27001:2022 for its main trading platform/system. ISO 27001:2022 provides a recognised framework for information security and outlines best practices for establishing, implementing, maintaining, and continually improving an ISMS. ISO 27001:2022 assists companies to achieve many benefits such as digital trust with clients and other key stakeholders. Achieving this certification demonstrates our commitment to maintaining stringent standards for information security. It represents a resounding endorsement for digital security in the highly competitive telecoms and fintech industries in which we participate.

2

Description

Unfavourable economic conditions and heightened inflation are negatively impacting on consumer disposable income. Consumers are forced to prioritise their buying habits based on needs, leaving less or no disposable income to buy products that are discretionary (e.g., gaming products and event tickets). Consumers are under pressure, considering alternate sources of power such as gas and paraffin, and thus moving away from our traditional core offerings that include, for example, prepaid electricity products.

Strategic response and mitigating measures

We have implemented a cost-savings programme across the Group to combat the effects of inflationary pressures on operating expenditure.

3

Description

Power outages on a national scale ramped up significantly during the first six months of 2024. It must be noted, however, that load shedding has reduced significantly since May 2024 but it is premature to conclude that the country's electricity issues are no longer a key strategic risk for Blue Label.

Electrical power is an essential input in all modern-day economies and a large part of Blue Label's business involves the vending of airtime and electricity products. The power crisis had a two-fold impact on our business; namely, many of our merchants do not have back-up power resources to continue to vend during power outages, and secondly, consumers no longer buy products at the same level due to the lack of electricity/back-up resources in their domestic environments.

At a head office level, erratic electricity supply results in increased running costs. Resources have to be allocated to back-up generators, an expensive alternative to grid electricity, which negatively impacted on profitability and carbon emissions.

Strategic response and mitigating measures

Business units continually seek to diversify products from our traditional core offerings of electricity and airtime. As an example, there was substantial growth in universal voucher revenue in 2024.

We will continue to maintain and enhance back-up power at our centres around South Africa for the medium to long term, until stability is restored to the national electricity grid.

4

Description

The failure of Cell C's strategy and execution of its business plan would not only negatively impact the investment, but would also have a knock-on effect on the Blue Label Group, in that there is substantial credit risk exposure and a significant portion of its profitability stems from its trading relationship with Cell C.

Strategic response and mitigating measures

The Cell C recapitalisation transaction has achieved the deleveraging of its balance sheet, providing it with liquidity with which to operate and enhance its businesses and to position itself to achieve long-term success for the benefit of its customers, employees, creditors, shareholders and other stakeholders.
Cell C has implemented a turnaround strategy, focusing on operational efficiencies, reducing operational expenditure and optimising traffic. This includes a significant reduction in capital expenditure and a conversion of a fixed-cost infrastructure-based network to a variable operational expenditure model. This, together with the recapitalisation of the debt structure, will result in a significant improvement of its liquidity and enable Cell C's long-term sustainability.
To contribute to the success of Cell C, Blue Label has representation on the Board of Directors, which will afford it complete oversight of the performance of the Company and the ability to ensure that the agreed strategy is implemented at Cell C. The above contributions, combined with the major reduction in interest-bearing debt and the elimination of foreign exchange exposure thereto, are all positive indicators for sustainable success and longevity.

5

Description

Risk of inadequate management of third parties in the Blue Label value chain introduces further risks such as cybersecurity, financial, compliance, reputational and operational risks to the Group.

Strategic response and mitigating measures

Blue Label defined and implemented a third-party risk management process.
We implemented a business relationship management (BRM) capability within IT. This function will be responsible for ensuring that all third-party service providers have adequate controls, which are monitored to ensure they are operating effectively.

The Group implemented and currently operates third-party management controls that are aligned to best practice standards such as International Organization for Standardization (ISO) 27001.
Implemented an automated contract management system that enhanced controls surrounding our third-party contracts.

6

Description

Due to the nature of its digital inventory, the Group is vulnerable to fraudulent activities. Blue Label maintains zero tolerance for fraud and irregularities. All incidents are investigated, irrespective of the size or value.

The ongoing rollout of new products/solutions increases our exposure to potential fraud-related activities.

E-tokens are a form of electronic cash utilised for secure transactions. The Group relies on the high-volume, low-margin distribution and sale of these e-tokens of value. Blue Label, therefore, needs to protect its virtual stock from theft and cybercrime.

Strategic response and mitigating measures

We continue to refine operational controls, security and our infrastructure to mitigate the risk of fraud.
Fraud and ethics are discussed at Board level by both the Social, Ethics and Transformation Committee (SETC) and the Audit, Risk and Compliance Committee (ARCC).
Our ethics hotline, hosted by Deloitte, remains available for anonymous reporting of any instances or suspicions of fraud.
Staff are mandated to participate in digital programmes that enhance awareness relating to fraud and ethics. A code of conduct, disciplinary and fraud policies are in place.

We have developed a Fraud Management Framework that addresses the risk of fraud within the Group.
The confidentiality, integrity and availability of virtual stock is managed through role-based access control, secure transfer of supplier/customer files and encryption with hardware security modules.
Independent assurance on the design adequacy and effectiveness of these controls are performed by the Internal Audit function.
A robust set of automated internal controls assists in timeous detection and prevents the theft of voucher pins and related digital products.
Sufficient insurance coverage is in place.

7

Description

Business continuity management plans (BCM) and disaster recovery plans (DRP) ensure that the business is prepared for severe interruptions and that business processes continue with minimum downtime during cases of emergency or disaster.

If the business continuity plans (BCP) are misinterpreted or not properly in place, the potential breakdown of critical business processes could harm the Group's profitability and reputation.

Strategic response and mitigating measures

Blue Label's business continuity management steering committee meets bi-annually to ensure the Group is prepared to counter any risk.
We are currently reviewing the effectiveness of our business continuity management system to ensure that we manage our continuity risks effectively.
The pandemic offered a unique opportunity to test our DRP, which proved to be resilient. Employees could operate remotely with minimal disruption to operations.

These included DRP testing in 2024 to ensure that all applicable staff, in the event of disruption, are aware of their roles and responsibilities.
We have engaged with an external service provider to review the content of our BCP and they will be tested during 2025 via practical scenario tests.

8

Description

Certain prominent financial institutions and retailers rely on Blue Label to process their substantial transaction volumes. A lapse in the Group's service delivery to these stakeholders could result in a major negative impact on its profitability and/or reputation.

Strategic response and mitigating measures

Blue Label maintains long-standing relationships with these parties and has an impressive track record of service delivery.
Mature failover and business continuity mechanisms provide a high degree of certainty that we maintain uptime beyond 99%, even as transaction volumes continue to grow.

Continue to monitor and enhance business continuity and DRP.

9

Description

A significant portion of South Africa's population is underserved in its ability to access formal financial services. Following the significant increase in access to cellular phones and data, Blue Label can offer access to low-cost digital means of e-commerce transactions to consumers and informal businesses. This connects businesses with consumers to transact in a more convenient and efficient manner as well as enabling informal businesses to cost-effectively leverage off digital e-commerce trading platforms.

Strategic response and mitigating measures

Creating financial inclusion for communities through our innovative products and services that digitally connect consumers to anywhere-anytime products and services that would ordinarily be out of reach to many consumers.

Increase connectivity to drive economic participation within underserved communities.

10

Description

Blue Label has an opportunity to play a role in climate change mitigation, both in terms of its own carbon footprint efficiency and decarbonising the supply chain for products and services that are digitally distributed.

Strategic response and mitigating measures

Integrate climate risks and opportunities into the risk management framework, including consideration of renewable energy sources for our own operations.
Digitally connecting consumers and businesses in the supply chain significantly reduces carbon associated with travel and maintaining physical retail establishments. The more volumes built and products and services transacted through our digitised distribution channels, the greater the positive impact made.

Reaching out to our material suppliers, via questionnaires, to gauge the extent of their environmental responsibilities, including:
- Greenhouse Gas (GHG) emissions;
- Energy efficiency;
- Renewable energy;
- Water quality, consumption and management;
- Sustainable resources management;
- Waste reduction; and
- Reuse and recycling.

11

Description

The implementation of artificial intelligence (AI) technologies that help drive efficiencies and improve business performance and decision intelligence has been progressing at a gradual pace. This risk also includes considering AI's ethical implications, with respect to utilising data in a responsible manner.

Strategic response and mitigating measures

Define and implement a generative AI governance framework and policy to manage the adoption and implementation of AI.
Implement robust data governance policies that comply with privacy regulations in line with the Protection of Personal Information Act, 2013 (POPIA).

Define and implement an AI adoption roadmap and plan for the business.
Define and implement security measures which include data protection, continuous monitoring and detection of threats.