We recognise that the identification and prioritisation of the risks we face is an essential part of the continual creation of value and long-term sustainability for our business. As such, the management of risk is a central part of our intellectual and financial capitals. In defining and implementing our risk management process, we take into consideration not only the challenges faced by key economic sectors but also the enablers and the interdependencies. We understand that the market within which we operate, connectivity, technology and agility are of particular importance, and carry with them very particular risks, challenges and opportunities.

Our Enterprise Risk Management (ERM) process

Our commitment to robust risk management practices as an integral part of good management is evident in our top-down approach, with the Board assuming overall responsibility for the management of risk.

From this level, appropriate support for risk management is disseminated throughout the Company, driving a positive risk culture across the organisation. Our risk management framework is aligned to the ISO 31000 Enterprise Risk Management Standard, allowing us to identify, measure, manage and monitor strategic and operational risks across the business.

The Enterprise Risk Management Framework (ERMF) provides our management with a clear line-of-sight over risk and enables informed decision-making.

In addition, we continuously review our framework to ensure the effective provision of the appropriate foundational and organisational arrangements for identifying, treating, reporting, monitoring, reviewing and continually improving the management of risk.

Our risk management process includes:

  • Establishing the risk context and scope
  • Identifying risks
  • Measuring risks
  • Managing risks
  • Monitoring and reporting risks

We classify our risks into two categories – Strategic Risk and Operational Risk. We then proceed with defining the requisite external and internal parameters for managing risk and setting the scope and risk criteria for the risk management policy.

Our external context includes:

  • Our external stakeholders
  • The local, national, and international environment
  • Other external factors that influence our objectives

Our internal context includes our:

  • Internal stakeholders
  • Approach to governance
  • Contractual relationships
  • Capabilities, culture, and standards

For effective risk management across the organisation, we have adopted the Three Lines of Defence system (3LoD). 3LoD ensures distribution of risk management responsibilities throughout the Company, enhances risk ownership and ensures that there are adequate checks and balances.

To facilitate the management of the risks we identify and their associated opportunities, we classify them into two categories:

  • Strategic risks
  • Operational risks

We undertake and plan the monitoring and review of risks as part of our risk management process. This involves regular checking and surveillance of the risk landscape.

We have established an extensive monitoring and review regime, one that clearly defines and allocates responsibilities. Our monitoring process ensures that appropriate and timely corrective measures are taken and that any weaknesses in the process are addressed. The monitoring process involves regular review and update of the respective risk registers based on the existing Key Risk Indicators (KRIs).

The KRIs enable the organisation to respond to threats at an early stage and to take appropriate action. Monitoring and review determine whether:

  • Risk measures adopted have resulted in what was intended
  • Procedures adopted and information gathered have been appropriate
  • Improved knowledge would have helped to reach better decisions
  • There are lessons to be learned for future assessments and management of risks

During the year under review, our principal risks have largely remained the same as for the prior year, with only their likelihood and impact having either increased or reduced depending on various risk factors.

For full details of our risk management, including context, mitigation and associated opportunities, see the Directors’ Report.

Our risk heat map

Our risk heat map sets out the principal risks as identified through the risk management process that covers strategy and operations. It depicts the residual risk rating after the institution of mitigating controls. The rating is obtained as an interaction between the probability of the risk and its impact rating.

In the short term, we anticipate that the ever-evolving regulatory landscape will pose a growing risk, with compliance requirements increasing in complexity.

In the medium- to long-term, the increased cost of living will remain a concern, and despite an improvement in forex and oil processes, the short-term outlook continues to be highly uncertain. Lack of economic opportunity has been recognised globally as a top risk.

Sovereign debt levels are also a growing concern, and while public debt is assessed as sustainable, there remains a high risk of debt distress. With the increase of approximately 30% of GDP being spent to service debt repayments, current and fiscal balances will be more vulnerable to external shocks.