Governance, business ethics and risk

We consider sound corporate governance, ethical behaviour, and robust risk management to be fundamental to our commercial sustainability. We must operate ethically, transparently, and accountably if we are to avoid legal and reputational risks and maintain the high stakeholder trust and confidence required to maintain our sustainability and success.

Corporate governance

We ensure that Safaricom is run in an ethical, transparent and accountable manner by having strong governance processes and structures in place, along with explicit guiding principles and clear lines of responsibility.

The Board of Directors of Safaricom is, ultimately, responsible for corporate governance throughout the organisation and the behaviour of members is governed by an explicit Governance Charter. Members of the board also undergo collective and individual performance assessments at least once annually. The board meets at least four times a year.

Our response to COVID-19

  • We activated the crisis management team in January when it became evident that we were dealing with a global pandemic. Scenario planning, testing and supply chain reviews were conducted, along with partner engagements, to ensure that we were well prepared to deal with the pandemic.
  • As part of supporting the continuity of business operations, arrangements were made to ensure staff would continue to deliver remotely while taking adequate IT security precautions.
  • We have ensured that our employees are continuously aware of the pandemic through various channels and that they are offered all the necessary support during this difficult period.

Please refer to the ‘Our Governance’ section of the 2020 Safaricom Annual Report for more information regarding our governance structures and reporting processes.

Ethical behaviour

We recognise that acting ethically, as an organization and as individuals, is the foundation upon which all of our governance and risk management processes and ambitions rely. We continue to take steps to cultivate awareness and put anti-corruption monitoring and corrective measures in place, and to drive behavioural change within society through collective action initiatives. We use an independent ethics perception survey and preventative measures like our continuous ethics awareness and employee anti-corruption training programmes to monitor and manage the ethical culture across all our operations. We use our supplier Code of Conduct and the Code of Ethics for Businesses in Kenya to manage the ethical culture of our business partners.




As part of our ongoing commitment to the SDGs, we continued to align our efforts regarding ethics, governance, risk and regulation with four of the goals that represent areas over which we are able to achieve significant impact in our own business and amongst our stakeholders: promoting ethical business practices and fighting corruption in all its forms within Safaricom (SDG16), our value chains and within the wider business community (SDG17) and pledging to create a non-hostile and secure workplace (SDG8) within which all employees are treated equally (SDG10).

Demographics of the board

Employee ethics training and awareness sessions

Anti-corruption preventative measures (% of total employees)

* Due to the nature of their work, these departments are more susceptible to fraud

We achieved a 98 per cent participation rate again this year. The slight drop to 96 per cent in the previous reporting period was due to the timing of the team building sessions and staff awareness events in FY19. If we are unable to plug into the main sessions and events, we follow up with e-learning sessions at an individual level instead, which can lead to a slower and lower response rate.

Ethics awareness sessions are conducted annually. Following feedback from our ethics perception survey, topics covered include Ethics risks, Data privacy & information risks, Cyber security rules, Anti-Money Laundering (AML) and Business Continuity Planning (BCP). These awareness sessions highlight policies such as the employee code of conduct, which outlines the importance of reporting any ethical issues in the business, and by which all staff and Board members are required to make a regular declaration against conflicts of interest.

Staff ethics training to promote an ethical culture within the organisation also takes place annually, supplemented by mandatory e-learning courses. These empower staff to successfully address any risks arising in their departments or roles.

Our ethics and compliance function was audited internally to ensure its continued efficiency in promoting ethical business practices and fighting corruption, both internally and among our partners.

Ethics training for our partners

KYC and ethics training for business partners

We continued to promote ethical business practices among our business partners during the year. We held ethics sessions and anti-fraud training with our M-PESA agents, dealers and suppliers. Topics covered included identifying fake currency, Anti-Money Laundering responsibilities, the duty to report and gift declarations. We supplemented the sessions with ethics-related newsletters. We collect all Know Your Customer (KYC) documents to ensure compliance and introduced the Safaricom Jiandikishe app during the year, which makes the subscriber registration process simpler and, therefore, makes it easier for dealers to meet regulatory obligations.

We also continued to mandate that suppliers sign up to the Code of Ethics for Businesses in Kenya and their contracts are not renewed unless they do so. Ninety-seven per cent of our suppliers have signed up to date.

Monitoring corruption and fraud

Risk management

Our governance and business ethics objectives are supported by our robust risk management processes. We use a combination of risk assessments, audit and fraud reviews to monitor and manage risk throughout the company.

The decrease in the number of risk assessments conducted during the year reflects a change in strategy and approach. We now assess key processes from end-to-end, rather than reviewing a specific function or division within the business. This new approach yields improved insights because it cuts across functions and divisions. It also reduces the volume of assessments undertaken during each cycle.

It is tempting to review the trend suggested in the preceding table as a positive indication of how well our ethics awareness training, and corruption and fraud detection processes are working, and this may indeed be partly the case, but the nature of disciplinary cases remains dynamic. The change in statistics indicates neither an improvement nor a worsening of the environment. We recognise that it is unlikely a business the size of ours will ever be free from fraud entirely and that, to an extent, the better we become at detecting it, the more effectively it will be concealed. Overall, our main goal remains to have procedures in place that show that we are proactively detecting, investigating, and penalising wrongdoing.

Addressing corruption and fraud

Risk management systems

GRC

The Governance, Risk and Compliance (GRC) system we have implemented enables the business to manage regulations and compliance while tracking risks and the related controls environment across the enterprise. The system has ensured easy integration of Governance, Risk and Compliance activities into existing processes as well as automation of monitoring activities. It also has a case management module, which is used to track fraud cases and to manage their investigation and closure effectively.

RAS

The Revenue Assurance System (RAS) we have implemented has ensured automation of all end-to-end assurance processes. It has also ensured timely detection of billing anomalies.

The move from manual processes to automation has enabled greater focus on the improvement of business processes.

Helping our customers tackle fraud

During the year, we continued with our road shows and local language campaigns in televisual, digital, print and radio media to raise awareness of the social engineering attacks that criminal syndicates may use to exploit M-PESA users, such as Jichanue and the 333 fraud reporting hotline. Radio and TV campaigns achieved a reach of 60 per cent of our customer base, and 5.5 million customers were reached through SMS broadcasts.

We also continued to promote awareness of our voice biometric security measure, Jitambulishe, through which your voice is your password.

We also continued to work closely with the Directorate of Criminal Investigations (DCI) and through our collaborative efforts, 54 individuals were apprehended and prosecuted for various offences, ranging from irregular SIM registration to electronic fraud and identity theft.

Customer and data privacy

We created a Customer Privacy Department that reports to the Chief Corporate Security Officer during the year. The creation of this department reflects how important we consider this aspect of our business. The purpose of this department is to review our processes and policies and ensure that we are compliant with all regulations in this regard, such as the Data Protection Act of 2019 and the European Union (EU) General Data Protection Regulations (GDPR).

The department has already benchmarked the company against other members of the Vodafone Group and borrowed best practices from them, conducted a company-wide data protection impact assessment of employee awareness and published a Data Protection Policy that guides employees on the use and management of the personal information of customers.

It has also conducted customer privacy and data protection awareness sessions with key business partners, including dealers and agents. The department has also published a Data Protection Statement on our website that describes the legal rights of customers in this regard, and how these rights can be exercised.

Staying ahead of cyber threats

In order to reduce the risk exposure for the company, we have taken bold steps to combat cyber threats through our 24/7 Security Operations Centre, which has enhanced visibility to enable proactive response through monitoring, analytics and prompt detection. Our Security Operations Centre is built on a strong foundation for operational excellence driven by well-designed and executed processes, a multidisciplinary team of experienced engineers, strong governance, and a constant drive for continuous improvement to stay ahead of the cyber adversaries.

In addition, we are partners in fulfilling the business goals of our customers through a highly responsive and flexible engagement model to deliver quality Managed Cyber Security products and services at optimal costs, allowing our customers to stay focused on their core business. Our team of security engineers are highly qualified and skilled with the business and technical acumen to deliver value to our customers.

We also held quarterly sessions with Banks and Sacco Societies (savings and credit co-operatives) to raise awareness of cyber security risks and empower them to introduce effective prevention controls on their mobile money platforms.

Standards and certifications

To safeguard the security and quality of the services and products we offer our customers, we continue to benchmark our systems, processes and structures against applicable international standards. Among the recertifications we have attained are the following:

ISO 14001:2015 Re-certification

During the year, we were audited by the BSI group and achieved ISO 14001:2015 re-certification for Safaricom PLC for a period of three years. The comprehensive audit included evaluations of the upgrades to our Environmental Management System (EMS) and our successful transition to the new ISO 14001:2015 standards. As part of the process, we trained 10 internal auditors from our internal audit function to maintain our ISO system and a team of 15 ISO 14001 implementers from across the business.

Looking ahead

  • We will intensify our data privacy initiatives and awareness across the business.
  • We will continue our customer awareness initiatives to protect them from identity theft and social engineering fraud.
  • We will continue taking an active role in collaborative advocacy action that promotes ethics and integrity.
  • We will continue with initiatives to ensure KYC compliance across the business and partners, such as the rolling out of our KYC App, Jiandikishe, to our dealers to improve the convenience and accuracy of the SIM registration process.
  • We shall continue to promote ethical business practices and a culture of integrity within Safaricom and its business partners and support any efforts by other organisations that have pledged to abide by the same.