The Board is ultimately accountable for the risk and opportunities management process and system of internal control within Remgro. The Board has reviewed the comprehensive Risk and Opportunities Management Policy and plan, which has been implemented by management. This plan incorporates continuous risk and opportunity scanning, identification and assessment, and embedding internal control as well as risk reduction and insurance strategies.
The Audit and Risk Committee is mandated to monitor the effectiveness of the risk and opportunities management process and systems of internal control and is supported in this regard by its subcommittee, the Risk, Opportunities, Technology and Information Governance Operational Subcommittee (ROTIG). The Strategic ESG Committee plays an important role in supporting the Audit and Risk Committee by overseeing and monitoring Remgro’s Environmental, Social and Governance (ESG) performance and stewardship through policies, frameworks, standards, guidelines and approved goals. The internal and external auditors, along with management and certain external consultants, are tasked to render combined assurance reports to the Audit and Risk Committee.
Ethical leadership and human capital are the cornerstones of Remgro’s risk and opportunities management philosophy as these ensure operational competence, entrepreneurial aptitude, sound corporate reputation and effective governance. Financial, manufactured, intellectual, human, social and relationship, and natural capital furthermore make up the Six Capitals concept referred to in the King IV Report on Corporate Governance for South Africa (2016) (King IV). These categories of capitals, their interrelations and utilisation, to varying degrees, form an intricate part of the risk and opportunities process within the Company.
The risk management process in Remgro comprises the arrangement of resources to ensure the achievement of the Company’s stated objectives along with its purpose, strategy and aligned business plans, including the seizing of available opportunities that meet the risk appetite criteria set by the Board. Risk profiles inherent to existing activities and investments are furthermore monitored against expected investment performance criteria, thereby managing the risk-return parameters for the creation of sustainable growth and value for shareholders and other stakeholders.
Remgro’s ESG Risk Management Framework, which guides responsible investment, is also relevant for this purpose as it ensures that the consideration of ESG risks and opportunities, as well as impact and sustainability considerations, is integrated and embedded into the risk and opportunities management processes. Remgro’s sustainability ambitions are therefore an integral part of its investment management processes. Its focus is on the realisation of suitable opportunities and the consideration of salient risk aspects in setting sustainable value-generating strategies. Principles and evaluation criteria include ESG risks, impact considerations, value creation opportunities and sustainability for its current and potential investments. To support implementation of this ESG Investment Framework, Remgro has developed Standard Operating Procedures (SOP) to enable the various governance structures and investment teams to apply the Framework consistently and efficiently. The Operational ESG Committee oversees the continuous enhancement of the ESG risk and opportunities register, which is being designed to underpin purpose-driven decision-making.
Emerging risk assessment, which informs strategy setting, includes the consideration of probable future scenarios taking cognisance of, inter alia, political, environmental, social, technological, economic and legislative developments in both the Remgro environment as well as the global environment and market sectors that it invests in. Given the ongoing escalation in ESG challenges faced locally and globally, the Group is responding with commensurate escalation of ESG structures and initiatives in addition to the sound processes adopted in prior years.
Due to the nature and magnitude of Remgro’s investment portfolio, this report focuses on the activities of the Company and its subsidiaries, save where such entities are separately operated listed subsidiaries with autonomous boards and adequate external reporting, or the materiality of such information is deemed insufficient to warrant detailed disclosure. As a result, this report contains risk and opportunities management information of the Company, Remgro Management Services Limited (Remgro’s service company) and V&R Management Services AG(1). These external reporting parameters are being reviewed to ensure alignment with international developments in this regard.
The structure has been implemented and maintained to ensure the effective and efficient management of risk and opportunities within the Company.
The function of the Chief Risk Officer is shared amongst the following individuals:
- The Chief Executive Officer (CEO) reports directly to the Board on an ongoing basis with regard to the risks that may impact the effective and efficient execution of its strategy and opportunities submitted to the Investment Committee, including risks and opportunities identified in the investment portfolio.
- The Chief Financial Officer (CFO), as Chairman of the ROTIG Committee, is responsible for the induction of risk and opportunities management into the daily activities of the Company, including the drafting, review and maintenance of the Company risk register and Risk and Opportunities Management Policy and plan.
- The Chief Audit Executive (CAE) attends meetings of the Management Board, the Operational ESG Committee and ROTIG Committee and renders value-adding considerations and independent assurance regarding the effectiveness of these committees’ activities as well as the risk management process and system of internal control.
Board and Governance Structure
The Strategic ESG Committee and Social and Ethics Committee merged to form the Remgro Social and Ethics and Sustainability Committee with effect from 1 July 2024.
The Risk and Opportunities Management Policy is based on the principles of the international COSO (Committee of Sponsoring Organisations of the Treadway Commission) Enterprise Risk Management Framework and complies with the recommendations of King IV. This policy defines the objectives, methodology, processes and responsibilities of the various risk and opportunities management role players in the Company. The Risk and Opportunities Management Policy is subject to annual review and any proposed amendments are submitted to the Audit and Risk Committee for consideration and recommendation to the Board for approval.
Remgro is an investment holding company and as such, the risk and opportunities management process takes cognisance of risks and opportunities within the Company, its investment mandate as well as the risks and opportunities inherent to its investment portfolio.
Remgro, being a responsible investor, through its representation on the autonomous boards of investee companies, oversees the implementation and maintenance of proper corporate governance in all entities it invests in via the above processes.
Remgro deploys dedicated processes to timely identify and effectively mitigate disruption risk and realise opportunities associated with future developments.
Emerging risk and opportunities, integrated with a sound corporate and entrepreneurial culture, inform strategy and investment mandate considerations.
Key focus areas during the year under review included, inter alia, the extended and ongoing wars in Ukraine and Gaza and related exposures, political stability levels during elections in various countries that are major global economic contributors, local politics pre- and post-election and policy changes, economic trends, adverse weather events, social stability associated with service delivery and escalating crime and infrastructure challenges.
The table below summarises the salient operational objectives and related risk mitigation processes included in the Remgro risk register:
(1) As stated in the “Group structure” section of this report, Remgro is not involved in the day-to-day management of investee activities but does have non-executive representation on these autonomous boards via shareholder agreements. These bodies are responsible for risk management at investee level.
The Remgro Board has formalised and approved the risk tolerance levels to define the Board’s risk appetite and to ensure that all risks within the Group are managed within the limits so defined.
Remgro, due to the nature of its core activities, deals with risk tolerance levels in the following three risk categories using dedicated and bespoke methodologies:
Investments
As a long-term, strategic investor, Remgro’s investment risk tolerance is not mathematically defined, but a function of portfolio composition, shareholder rights and protections, stakeholder engagement and capital structure. Remgro seeks to have its portfolio appropriately balanced in terms of growth and maturity cycles, supported by a robust capital position and appropriate shareholder protections to mitigate the risk of large adverse portfolio impacts.
Treasury
Given the liquidity requirements to support the investment portfolio and pursue new investment opportunities, the risk tolerance levels and linked returns for cash held in South Africa and internationally are measured in terms of lending rates achieved by major banks in the money market, including but not limited to STeFI (Short Term Fixed Interest) or LIBOR (London Interbank Offered Rate), as well as compliance with required credit ratings set for approved counterparties. This is continuously monitored and reassessed given prevailing market volatilities, risk and, at times, negative returns on cash in certain international money markets. In addition to the typical investment instruments that are used for Remgro’s cash at the centre, like call deposits and deposit notes, the Treasury Committee is tasked to continuously scan the savings market and recommend suitable investment instruments to the Investment Committee or Board so that the cash returns can be optimised. In light of the continuing trend of high interest rate levels during the reporting period, consideration was also given to the cost of funding and reducing the level of debt at the centre.
Foreign currency risk and capital preservation risk in an adverse economic climate are mitigated by means of conservative policies regarding hedging strategies and counterparty vetting.
The treasury funds are invested as per a Board-approved Treasury Policy which deals with counterparty (credit) risk, liquidity risk, interest rate risk, currency risk, instrument risk and commercial risk (terms of trade), as well as the policies deployed to safeguard cash and liquid assets.
Other
This category includes risks associated with unplanned losses to assets, exposure to liabilities, fidelity, business interruption and other operational risk.
In these instances the Board has, in addition to stringent internal controls, adopted a conservative approach by taking sufficient insurance cover to mitigate the anticipated maximum loss should risk be realised in these categories.
Risk appetite is defined as the risk the Company is prepared or willing to accept without further mitigating action being put in place or the amount and nature of risk the Company is willing to accept in pursuit of objectives. This is also defined as the risk propensity of the Board in pursuing the creation of sustainable wealth.
The following qualitative and quantitative factors are considered by the Board in evaluating risk appetite and related tolerance levels:
- risk-return profile of the current investment portfolio;
- availability of cash resources and other liquid assets that could easily be converted into cash;
- available funding opportunities;
- risk-return profile of prospective opportunities;
- ESG profile of the current portfolio and investment sectors;
- financial metrics relevant to measuring performance, including:
  - intrinsic net asset value (INAV);
  - return on INAV relative to comparable risk investments;
  - dividend policy;
  - free cash flow; and
  - gearing ratios;
- international and local economic cycles and trends;
- foreign currency rates and trends;
- materiality of risks with reference to the INAV of the Group;
- risk management capability and maturity; and
- resource allocation and strategy.
Risk-bearing capacity is defined as a monetary value which is used as a yardstick, measuring the maximum loss the Company can endure without exposing it to the point where its existence and going concern status are under threat, given an equivalent loss.
Given the nature of Remgro’s INAV composition, i.e. equity investments, net excess cash and the conservative size of debt at holding company level, there are no known current exposures that could jeopardise the going concern status of the Group.
The risk and opportunities management process is also externally focused to ensure the timely identification of new emerging risks and opportunities and the assessment of the effectiveness of timely responses thereto. Scenarios are furthermore used to assess the adequacy of the Company’s business resilience.
Approach
Remgro follows a structured approach to manage Technology and Information risks and to evaluate and pursue technology-related opportunities. Remgro business areas are represented by senior management at the Technology and Information Steering Committee. This committee, chaired by the Head of Technology and Information, provides direction and support for Technology and Information-related matters, and reports to and advises the ROTIG Committee (through to the Audit and Risk Committee) on significant operational, project and other technology-related issues. The roles and responsibilities of the respective committees are articulated in the T&I Governance Policy.
Methodology
Risks and controls are evaluated with reference to generally accepted frameworks such as the Information Technology Infrastructure Library (ITIL), Information Systems Audit and Control Association’s (ISACA) COBIT, and the Center for Internet Security (CIS) Critical Security Controls (CSC). This is integrated into the combined assurance process of Remgro Internal Audit (RIA).
In general, Remgro follows a conservative approach, striving to eliminate avoidable exposures, and to minimise risk within practical constraints. Remgro has a keen awareness of privacy expectations, both over its own confidential information as well as corporate and private information of stakeholders.
The role of the Innovations and Portfolio Manager within the Technology and Information department is specifically focused on the evaluation of technology-related opportunities, both surfaced internally as well as identified by Remgro’s business areas. This function is used to vet and advise on the impact of pursuing potential opportunities on Remgro’s Technology and Information risk profile. Technology and Information has steadily shifted from a support-only function to one increasingly valued as a business enabler, and even as an opportunity in itself, across Remgro’s business areas.
Preventative technologies
Remgro has implemented a comprehensive set of technologies to protect the environment and users. This includes physical and logical access controls, network firewalls, Endpoint Detection and Response (EDR), data encryption, strong identities with expanding use of multi-factor authentication, Intrusion Prevention Systems, Security Incident and Event Monitoring (SIEM) and Continuous Vulnerability Management.
These technologies are supplemented by operational monitoring and ongoing user awareness campaigns.
Monitoring
Adequacy and effectiveness of controls are monitored at several levels. The incumbent Technology service provider tracks and provides regular feedback to the Head of Technology and Information on the performance of key controls, including the outcome of changes to the environment, activities performed using privileged identities, security infrastructure performance and the outcome of recovery tests.
Independent assurance is sourced via Remgro Internal Audit in the form of recurring annual reviews covering IT General Controls, Cybersecurity and Systems. In addition, annual external penetration tests are commissioned. The outcome and recommendations of independent assurance activities are reviewed by management. In most cases the application of mitigations is favoured over risk acceptance.
Besides the above monitoring activities, 24×7 operational security monitoring is provided by a third party. Security-related alerts and security infrastructure logs are forwarded in real time to the service provider for analysis and response. Remgro (supported through the incumbent primary technology service provider) remains accountable for incident response management.
Third parties play a significant role in supporting Remgro’s Technology and Information systems. The maturity of Third-Party Risk Management is increasing, and supply chain risks are well understood. Supplier performance and supplier risk profiles are subject to initial and periodic monitoring, with more frequent oversight for key suppliers.
The Board, as part of its ethical leadership commitment, approved a Legal Compliance Policy and confirmed that there are sufficient management capacity and controls in place to ensure compliance with all relevant laws and salient industry practices.
The administration of the Legal Compliance System is vested in an official with the appropriate legal qualifications. Members of senior management of the Company are informed on a regular basis of all relevant new legislation and amendments.
Compliance controls also vest with senior management who are required to report to the Social and Ethics Committee on a regular basis regarding their compliance using a control self-assessment methodology. This process is incorporated into the annual combined assurance plan. The outcomes of compliance assessments are reported to the Board via the ROTIG Committee, and no incidents of non-compliance or fines incurred due to non-compliance were recorded.
The ROTIG and Operational ESG Committees also guide and monitor compliance with current and emerging global and local ESG and sustainability standards and guidelines, both voluntary and mandatory.
The Group has implemented and maintained a sound control environment, including a comprehensive system of internal controls to mitigate the risks in the enterprise and to ensure the Group’s objectives are consistently achieved. Internal controls are based on the principle of acceptable risk being inherent to the design and implementation of a cost-effective system of internal control. The system includes monitoring mechanisms and mitigation processes to timely augment deficiencies when they are detected. This system is benchmarked against the COSO Internal Control – Integrated Framework.
The internal audit function is employed by Remgro Management Services Limited and the CAE, Mr Deon Annandale, reports to the chairman of the Audit and Risk Committee and functionally to the CFO. The department complies with the requirements of King IV and the International Standards for the Professional Practice of Internal Auditing. The department maintains a three-tier Quality Assurance and Improvement Programme as prescribed by the Institute of Internal Auditors. This comprises a continuous self-assessment process with Independent External Assessments being performed by an international external audit firm, other than the Group’s external auditors, every three years. The function has successfully maintained its Generally Compliant rating since inception.
The internal audit plans, as approved by the Audit and Risk Committee, are designed following a risk-based assurance approach and are focused on adding value to the control environment while rendering independent assurance to the Audit and Risk Committee and to the Board on, inter alia: the effectiveness of internal financial control; the effectiveness of internal control over operational and compliance activities; the adequacy of governance systems, including the “tone at the top”; and the effectiveness of the combined assurance process and risk and opportunities management process.
The function is furthermore strategically aligned with the creation and preservation of value and rendering insight into emerging risk and opportunities.
The internal audit department also renders independent internal audit and risk and opportunities management services to certain Group companies who elect to outsource the function. In these instances dedicated processes are maintained to ensure the independent functioning of the department, including its fiduciary duty to the respective Group companies and the safeguarding of their proprietary information.
When required, specialist skills are insourced to assist with information technology and forensic services.
The Board, via the Audit and Risk Committee, has considered the documented policies, procedures and independent assurance reports and is satisfied that the control environment along with the internal control and risk and opportunities management processes implemented in the Group are effective.
The Board is not aware of any exposure or position that could culminate in the residual risk profile of the Group exceeding the risk-bearing capacity limits set by the Board.
The following comprised focus areas during the year under review:
- The Russia-Ukraine and Gaza wars, and related implications, including business resilience;
- Emerging external risks and opportunities emanating from the global and local political, economic, social, technological, legislative and environmental trends and developments;
- Robustness of fraud prevention and detection processes given the magnitude and prevalence of non-Remgro reported irregularities in the press;
- Incorporating ongoing developments in international financial and non-financial sustainability reporting standards and ESG reporting frameworks;
- Auditor rotation developments and reputation damage suffered by certain audit firms;
- Material transactions in the financial year;
- Effectiveness of the risk and opportunities and combined assurance processes;
- Opinions on the effectiveness of the control environment and internal financial control;
- External benchmarking of the Treasury Policy against international best practice;
- Terms and assurance plans of both internal and external audit;
- External reporting, both financial and non-financial;
- Assessment of the CFO, finance department and CAE;
- Technology and information governance, including cyber risk; and
- Further development of ESG and sustainability risk and opportunity management processes, including the development of an ESG risk and opportunity register and maturity model to navigate the progress of Remgro in this space.
The above aspects will recur on the agenda as focus areas, given the Group’s Governance Standards and aligned committee mandate.