2022 Sustainable Business Report

SAFARICOM SUSTAINABLE BUSINESS REPORT 2022

ENSURING ACCOUNTABILITY AND TRANSPARENCY

Our robust corporate governance framework ensures accountability and transparency, aligning the interests of all stakeholders and helping us to transform lives. Our strong governance structures include a governance code, an ethical culture and a risk management framework underpinned by our ethical practices.

To strengthen our focus on Customer Obsession, we aim to build a strong reputation, enhance customer trust and provide 100% assurance on all our products, projects and systems to ensure we have a simplified, secure customer journey. We ensure the availability of our systems under our business continuity plan and continue to implement robust assurance programmes and platforms.

Our priorities in terms of governance, business ethics and risk in FY22 were to:

• Stay ahead of cyber threats: We build networks and infrastructure with security in mind and apply layers of security control to all applications and infrastructure. Our Cyber Defence Centre, which operates 24/7, reinforces strong cyber security controls and next-generation security technologies. In addition, we conduct regular reviews of the most significant security risks affecting our business and develop strategies to detect, prevent and respond to these.

• Maintain data privacy: Our privacy statement, as published on our website for our customers and tailored to our investors, suppliers and employees on their respective portals, explains how we manage privacy at Safaricom and uphold the rights of data subjects. Privacy by design is incorporated into 100% of our products before roll-out; a dedicated team deals exclusively with data protection and there are clear communication and complaints channels for customers to report any data protection concerns. In addition, we establish Data Processing Agreements with key partners who have access to any personal information. In FY22, we conducted an online teach and test data privacy training and awareness of staff (79%). Other stakeholders in the Safaricom ecosystem, including suppliers, M-PESA agents and dealers, as well as CSP partners, were also trained on their responsibility to safeguard privacy (100% completed through bulletins, portals and SMS). In order to embed a culture of privacy across the business, we have trained over 80 Data Protection Champions who promote discussions, reinforce guidelines and seek advice for their teams from the data protection office, as necessary. Benchmarking across the Vodafone Group was conducted on data privacy practices to help ensure the maintenance of world-class standards.

• Proactively manage fraud, particularly in the light of ever-changing social engineering schemes: We continued to conduct training for staff through fraud awareness sessions, together with fraud training for our M-PESA agents, dealers and suppliers. We also continued to help customers safeguard themselves from fraud by educating them on how to protect themselves on the network by safeguarding and protecting their data and sensitive information. In addition, we provided tips on common fraud schemes. We communicated through media campaigns on radio, TV and digital channels, as well as SMS broadcasts, fraud tips on USSD menus and the addition of a fraud awareness page to the corporate website. A highlight in FY22 was the introduction of the *106# service, which aims to tackle identity theft. The service allows customers to confirm their numbers and report unknown numbers. It also helps with managing identity theft cases and provides fraud tips on one of the sub-menus.

OPERATING IN A DYNAMIC RISK ENVIRONMENT

The environment in which we operate is dynamic. The nature of the products and services we provide, particularly mobile money, requires that we comply with a wide range of laws and regulations. Our risk identification and mitigation processes are designed to respond to our ever-changing operating environment proactively. We classify our risks as strategic (regulatory, economic, market and political) and operational (data privacy and cyber threats).

Our whistleblowing policy encourages anonymous and open reporting. It also prohibits retaliation and protects those making reports in good faith or after raising an issue on the basis of reasonable belief of a violation or unethical activity.

www.safaricomethicsline.com