[ last updated: 16 April 2008 ]

risk management

The board regards risk management as a key business discipline which:

The board is accountable for the risk management process and is assisted by the risk committee in discharging this responsibility. Operating under a written terms of reference, the risk committee reports to the board and evaluates any risks which it deems necessary for discussion and evaluation by all directors. The Chairman of the risk committee reports progress on the key risk issues to the board and the risk profile is tabled annually at the board meeting. The day-to-day responsibility for identifying, evaluating and managing risks resides with management.

The risk management framework is regularly reviewed to ensure it remains dynamic enough to accommodate the fast changing economic and political climate. The process ensures that management identifies emerging risks and updates the key risk profile on a regular basis; appropriately prioritises the key risks based on their inherent impact and likelihood of occurrence; continuously improves the control framework in place to manage the key risks in line with the board’s risk appetite; monitors the ongoing risk exposure by reviewing objective metrics, performing control self-assessments and reviewing the reports of independent assurance providers; and responds timeously to any significant changes in risk exposure.

The key risk profile, which sets out the top risks for the group, is reviewed and updated by the executive directors throughout the year, is revised annually and approved by the risk committee and tabled at the board. The status of the key risks and the management thereof is reported to and discussed at the risk committee meeting on a quarterly basis.

For certain specialist risk areas, management forums have been established to ensure that the risks in these areas are reviewed and considered by management with the required specialist skills and experience. These management forums include the treasury committee, tax committee, project investment committee and information technology governance committee. An operational risk report setting out progress in business continuity, occupational health and safety, crime prevention and detection and providing an update on legal compliance is also reported to the risk committee quarterly.

Risk management has become a standard business discipline and is applied consistently throughout the group. The risk management process is integrated with the strategic and business planning process and is embedded through our management reporting and performance management system. The future focus is to:

key risks

The key risks of the group, together with the mitigation strategies, can be found on pages 63 and 64 of the 2009 annual report. The risk management process is designed to identify, manage and mitigate these risks to ensure both the short-term and long-term sustainability of the group.

legal compliance

Regulatory and legal compliance is an important area due to the frequent amendments to the regulatory framework in South Africa and Australia. We have a dedicated legal compliance officer and have implemented and embedded an appropriate, best practice, risk-based compliance framework methodology.

In addition to the general monitoring of the applicable regulatory requirements in accordance with generally accepted compliance practice, the compliance function is involved in implementing requirements of recently enacted legislation.

crime prevention and detection

We remain committed to the implementation of effective processes to reduce the level of crime throughout the business, including shrinkage, burglary, armed robbery, fraud, theft and corruption.

With respect to fraud and corruption, we continue to build on our existing processes, which include a rewards-based independent and confidential tip-off service. Our policy is to prosecute all cases and dismiss offending employees where needed.

insurance

Insurance is a key element in the risk management process and is designed to protect us financially against the negative consequence of risk. There is a comprehensive asset and liability insurance programme in place which includes appropriate levels of self-insurance. Our external insurance cover is provided by A-rated South African and international insurance companies. The completeness of our insurance cover as well as our policy wording is regularly reviewed and benchmarked by external experts to ensure that it takes into account new requirements and external developments.

information technology and governance

Given the dependence of the business on its systems, information technology (IT) governance is an ongoing focus area. Our yearly assessment of the IT governance processes benchmarked to COBIT (Control Objectives for Information and related Technologies), the internationally accepted best practice governance framework, confirmed that the maturity of our IT processes is in line with our desired maturity levels. A dedicated IT governance team is responsible for managing the governance aspects of IT, including compliance, continuity management and risk.
