ANNUAL REPORT 2018

Our risk management framework

We have a clear framework for identifying and managing risk, at both an operational and a strategic level. Our risk identification and mitigation processes have been designed to be responsive to the ever-changing environments in which we operate.

Our risk management framework, which is aligned to ISO 31000, allows us to identify, measure, manage and monitor strategic and operational risks across the business. The framework provides our management with a clear line of sight over risk to enable informed decision making. We continuously review our risk management framework, which provides the foundation and organizational arrangements for identifying, treating, reporting, monitoring, reviewing and continually improving risk management throughout the organization. The key components of the framework are outlined below:

 

Establishing the context

We begin by defining the external and internal parameters to be taken into account when managing risk and setting the scope and risk criteria for the risk management policy.
Our external context includes our external stakeholders, the local, national, and international environment, and other external factors that influence our objectives. The internal context, on the other hand, includes our internal stakeholders, our approach to governance, our contractual relationships, our capabilities, culture, and standards.

 

Identify

Risk assessments are conducted twice every year, in conjunction with the business units and other stakeholders. We also undertake ad hoc risk assessments that are necessitated by the ever-changing environment we operate in.

Measure

We have a standardized risk scoring and categorization process that makes reference to our risk appetite, which has been set by the Board. The measurement takes into account both the probability of occurrence and the potential impact should the risk crystallize.

Manage

We manage risk by implementing appropriate mitigations and controls to eliminate the risk or reduce the impact or likelihood of the risk. Effectiveness of control and oversight is tested across the “three lines of defence”