The Board is ultimately accountable for the risk and opportunities management process and system of internal control within Remgro. The Board has reviewed the comprehensive Risk and Opportunities Management Policy and plan, which has been implemented by management. This plan incorporates continuous risk and opportunity scanning, identification and assessment, and embedding internal control as well as risk reduction and insurance strategies.
Remgro’s Environmental, Social and Governance (ESG) Risk Management Framework which guides responsible investment is also relevant for this purpose as it ensures that the consideration of ESG risks and opportunities, as well as impact and sustainability considerations, are integrated and embedded into the risk and opportunities management practices. Its focus is on realisation of suitable opportunities and the consideration of salient risk aspects in setting sustainable value-generating strategies.
The Audit and Risk Committee is mandated to monitor the effectiveness of the risk and opportunities management process and systems of internal control and is supported in this regard by its subcommittee, the Risk, Opportunities, Technology and Information Governance Operational Subcommittee (ROTIG). The Strategic ESG Committee plays an important role in supporting the Audit and Risk Committee by overseeing and monitoring Remgro’s ESG performance and stewardship through policies, frameworks, standards and guidelines. The Group’s internal and external auditors, along with management and certain external consultants, are tasked to render combined assurance reports to the Audit and Risk Committee.
Ethical leadership and human capital are the cornerstones of Remgro’s risk and opportunities management philosophy as these ensure operational competence, entrepreneurial aptitude, sound corporate reputation and effective governance. The financial, manufactured, intellectual, social and relationship and natural assets furthermore form part of the Six Capitals concept referred to in the King IV Report on Corporate Governance for South Africa (2016) (King IV). These categories of capitals, their interrelations and utilisation, to varying degrees, form an intricate part of the risk and opportunities process within the Company.
The risk and opportunities management process in Remgro comprises the arrangement of resources to ensure the achievement of the Company’s stated objectives along with its purpose, strategy and aligned business plans, including the seizing of available opportunities that meet the risk appetite criteria set by the Board. Risk profiles inherent to existing activities and investments are furthermore maintained within the approved risk tolerance levels, thereby optimising the riskreturn parameters for the creation of sustainable growth and value for shareholders and other stakeholders.
The incorporation of an ESG Investment Framework that intentionally provides for ESG considerations has embedded Remgro’s sustainability ambitions as an integral part of its investment decision-making. Principles and evaluation criteria include ESG risks, impact considerations, value creation opportunities and sustainability for its current and potential investments. To support implementation of this ESG Investment Framework, Remgro has developed Standard Operating Procedures (SOP) to enable the various governance structures and investment teams to apply the Framework consistently and efficiently.
Strategic risk assessment includes the consideration of probable future scenarios taking cognisance of, inter alia, political, environmental, social, technological, economic and legislative developments in both the Remgro environment as well as the global environment and market sectors that it invests in. Given the ongoing escalation in ESG challenges faced locally and globally, the Group is responding with commensurate escalation of ESG structures and initiatives in addition to the sound processes adopted in prior years. The ESG Operational committee will also oversee the continuous enhancement of the ESG risk and opportunities register being designed to underpin purpose driven decision making.
Due to the nature and magnitude of Remgro’s investment portfolio, this report focuses on the activities of the Company and its subsidiaries, save where such entities are separately operated listed subsidiaries with autonomous boards and adequate external reporting, or the materiality of such information is deemed insufficient to warrant detailed disclosure. As a result, this report contains risk and opportunities management information of the Company, Remgro Management Services Limited (Remgro’s service company) and V&R Management Services AG(1). These external reporting parameters are being reviewed to ensure alignment with international developments in this regard.
The structure below has been implemented and maintained to ensure the effective and efficient management of risk and opportunities within the Company.
The function of the Chief Risk Officer is shared amongst the following individuals:
- The CEO reports directly to the Board on an ongoing basis with regards to the risks that may impact the effective and efficient execution of its strategy and opportunities submitted to the Investment Committee.
- The CFO, as Chairman of the ROTIG Committee, is responsible for the induction of risk and opportunities management into the daily activities of the Company, including the drafting, review and maintenance of the Company risk register and Risk and Opportunities Management Policy and plan.
- The Chief Audit Executive (CAE) attends meetings of the Management Board, the Operational ESG Committee and ROTIG Committee and renders value-adding considerations and independent assurance regarding the effectiveness of these committees’ activities as well as the risk management process and system of internal control.
Board and Governance Structure
The Risk and Opportunities Management Policy is based on the principles of the international COSO (Committee of Sponsoring Organisations of the Treadway Commission) Enterprise Risk Management – Integrated Framework and complies with the recommendations of King IV. This policy defines the objectives, methodology, processes and responsibilities of Board and Governance Structure the various risk and opportunities management role players in the Company. The Risk and Opportunities Management Policy is subject to annual review and any proposed amendments are submitted to the Audit and Risk Committee for consideration and recommendation to the Board for approval.
Remgro is an investment holding company and as such, the risk and opportunities management process takes cognisance of risks and opportunities within the Company as well as the risks and opportunities inherent to its investment portfolio.
Material external risks include ongoing and escalated uncertainty on the government’s ability to deliver on its mandate and the sustained global economic downturn intensified by the impacts of the Russia-Ukraine War impacting on market confidence and global, regional and local stability.
Remgro, being a responsible investor, ensures that proper corporate governance is implemented and maintained in all entities it invests in via the above processes.
Remgro deploys dedicated processes to timely identify and effectively mitigate disruption risk and realises opportunities associated with future developments.
Emerging risk and opportunities, integrated with a sound corporate and entrepreneurial culture, inform strategy and investment mandate considerations.
The table below summarises the salient operational objectives and related risk mitigation processes included in the Remgro risk register:
The Remgro Board has formalised and approved the risk tolerance levels to define the Board’s risk appetite and to ensure that all risks within the Group are managed within the limits so defined.
Remgro, due to the nature of its core activities, deals with risk tolerance levels in the following three risk categories using dedicated and bespoke methodologies:
Investments
Risk tolerance levels are set in accordance with the cost of funding the investments (WACC) as adjusted with a risk weighting (Beta) to ensure a sustainable and positive risk-return environment, taking cognisance of the investment portfolio.
Treasury
Given the liquidity requirements to support performing investments and to seize new investment opportunities, the risk tolerance levels and linked returns for cash held in South Africa and internationally are measured in terms of lending rates achieved by major banks in the money market, including but not limited to STeFI (Short Term Fixed Interest) or LIBOR (London Interbank Offered Rate), as well as compliance with required credit ratings set for approved counterparties. This is continuously monitored and reassessed given prevailing market volatilities, risk and, at times, negative returns on cash in certain international money markets. Given the prevailing low interest rate environment during the first quarter of the reporting period, the Treasury Committee was furthermore tasked to recommend suitable investment instruments for cash at the centre to the Investment Committee or Board for consideration. Given the continuing trend in interest rate increases during the remainder of the reporting period consideration was also given to the cost of funding and adjusting the debt at the centre.
Foreign currency risk and capital preservation risk in an adverse economic climate are mitigated by means of conservative policies regarding hedging strategies and counterparty vetting.
The treasury funds are invested as per a Board-approved Treasury Policy which deals with counterparty (credit) risk, liquidity risk, interest rate risk, currency risk, instrument risk and commercial risk (terms of trade), as well as the policies deployed to safeguard cash and liquid assets.
Other
This category includes risks associated with unplanned losses to assets, exposure to liabilities, fidelity, business interruption and other operational risk.
In these instances the Board has, in addition to stringent internal controls, adopted a conservative approach by taking sufficient insurance cover to mitigate the anticipated maximum loss should risk realise in these categories.
Risk appetite is defined as the risk that the Company is prepared or willing to accept without further mitigating action being put in place or the amount and nature of risk the Company is willing to accept in pursuit of objectives. This is also defined as the risk propensity of the Board in pursuing the creation of sustainable wealth.
The following qualitative and quantitative factors are considered by the Board in evaluating risk appetite:
- risk-return profile of the current investment portfolio;
- availability of cash resources and other liquid assets that could easily be converted into cash;
- available funding opportunities;
- risk-return profile of prospective opportunities;
- ESG profile of the current portfolio and investment sectors;
- financial metrics relevant to measuring performance, including:
- intrinsic net asset value (INAV);
- return on INAV relative to comparable risk investments;
- dividend policy;
- free cash flow; and
- gearing ratios;
- international and local economic cycles and trends;
- foreign currency rates and trends;
- materiality of risks with reference to the INAV of the Group;
- risk management capability and maturity;
- resource allocation and strategy; and
- risk scenarios on black-swan and future scanning methodologies.
Risk-bearing capacity is defined as a monetary value which is used as a yardstick, measuring the maximum loss the Company can endure without exposing it to the point where its existence and going concern status is under threat, given an equivalent loss.
Given the nature of Remgro’s INAV composition, i.e. equity investments, net excess cash and the conservative size of debt at holding company level, there are no known current exposures that could jeopardise the going concern status of the Group.
The risk and opportunities management process is furthermore also externally focused to ensure the timely identification of new emerging risks and opportunities and the assessment of the effectiveness of timely responses thereto. Scenarios are furthermore used to assess the adequacy of the Company’s business resilience.
The Company reviews its technology policies annually. The Technology and Information Governance Policy defines the scope, roles and responsibilities of technology and information governance to ensure technology and information supports and enables the achievement of Remgro’s business objectives and articulates and gives effect to Remgro’s direction on the employment of technology and information. This policy is further supplemented by governance-based policies such as the Technology and Information Acceptable Use Policy, the Information Security Policy and information confidentiality policies that are defined in alignment with POPIA.
The technology and information risk management process is fully integrated with the combined assurance process of the Company and aligned to COBIT (Control Objectives for Information and Related Technologies).
Preventative technologies and practices are in place across the respective layers of technology and information security, including physical intrusion prevention, infrastructure intrusion prevention and monitoring, platform controls, applicationlayer security, and process controls. The Security Operations Centre (SOC) service provider monitors and alerts against cyber activity and patterns. Weekly vulnerability assessments are included in the Standard Operating Procedures on top of which independent vulnerability scanning and penetration tests are conducted periodically. Security controls are also extensively scrutinised during the annual NIST-based (National Institute of Standards and Technology) cyber insurance reviews and our cyber security strategy is extended through the cyber insurance support processes.
There were no incidents of information security or cyber protocol breaches recorded during the year under review and continuous strengthening of the cyber security posture remains a high priority.
A business continuity plan has been formalised and successful tests performed on the back-up and disaster recovery process.
All technology-related incidents, including potential security incidents, are reported through the service desk from where the appropriate escalation process is triggered.
Third-party risk assessments are aligned with industry-related exposures and developments. Opportunity assessment forms part of the annual technology and information strategy review. Emerging technologies and innovations are monitored, selected and deployed as appropriate to improve performance of the organisation through information, communication, and digital technologies.
The Board, as part of its ethical leadership commitment, approved a Legal Compliance Policy and confirmed that there are sufficient management capacity and controls in place to ensure compliance with all relevant laws and salient industry practices.
The administration of the Legal Compliance System is vested in an official with the appropriate legal qualifications. Members of senior management of the Company are informed on a regular basis of all relevant new legislation and amendments.
Compliance controls also vest with senior management who are required to report to the Social and Ethics Committee on a regular basis regarding their compliance using a control self-assessment methodology. This process is incorporated into the annual combined assurance plan. The outcomes of compliance assessments are reported to the Board, via the ROTIG Committee and no incidents of non-compliance or fines incurred due to non-compliance were recorded.
The Group has implemented and maintained a sound control environment, including a comprehensive system of internal controls to mitigate the risks in the enterprise and to ensure that the Group’s objectives are consistently achieved. Internal controls are based on the principle of acceptable risk being inherent to the design and implementation of a cost-effective system of internal control. The system includes monitoring mechanisms and mitigation processes to timely augment deficiencies when they are detected. This system is benchmarked against the COSO Internal Control – Integrated Framework.
The internal audit function is employed by Remgro Management Services Limited and the CAE, Mr Deon Annandale, reports to the chairman of the Audit and Risk Committee and functionally to the CFO. The department complies with the requirements of King IV and the International Standards for the Professional Practice of Internal Auditing. The department maintains a three-tier Quality Assurance and Improvement Programme as prescribed by the Institute of Internal Auditors. This comprises a continuous self-assessment process with Independent External Assessments being performed by an international external audit firm, other than the Group’s external auditors, every three years.
The internal audit plans, as approved by the Audit and Risk Committee, are designed following a risk-based assurance approach and are focused on adding value to the control environment while rendering independent assurance to the Audit and Risk Committee and to the Board on, inter alia: the effectiveness of internal financial control; the effectiveness of internal control over operational and compliance activities; the adequacy of governance systems, including the “tone at the top“; the effectiveness of the combined assurance process and risk and opportunities management process.
The function is furthermore strategically aligned to the creation and preservation of value and rendering insight into emerging risk.
The internal audit department also renders independent internal audit and risk and opportunities management services to certain Group companies who elect to outsource the function. In these instances dedicated processes are maintained to ensure the independent functioning of the department, including its fiduciary duty to the respective Group companies and the safeguarding of their proprietary information.
When required, specialist skills are insourced to assist with information technology and forensic services.
The Board, via the Audit and Risk Committee, has considered the documented policies, procedures and independent assurance reports and is satisfied that the control environment along with the internal control and risk and opportunities management processes implemented in the Group are effective.
The Board is not aware of any exposure or position that could culminate in the residual risk profile of the Group exceeding the risk-bearing capacity limits set by the Board.
The following comprised focus areas during the year under review:
- The Russia-Ukraine War, and related implications, including business resilience;
- Emerging risks including global and local political and socio-economic developments and trends including crime, corruption and infrastructure and electricity stability;
- Robustness of fraud prevention and detection processes given the magnitude and prevalence of non-Remgro reported irregularities in the press;
- Developments in international financial reporting standards and ESG reporting frameworks;
- Auditor rotation developments and reputation damage suffered by certain audit firms;
- Material transactions in the financial year;
- Effectiveness of the risk and opportunities and combined assurance processes;
- Opinions on the effectiveness of the control environment and internal financial control;
- External benchmarking of the Treasury Policy against international best practice;
- Terms and assurance plans of both internal and external audit;
- External reporting, both financial and non-financial;
- Assessment of the CFO, finance department and CAE;
- Technology and information governance, including Cyber risk; and
- ESG and sustainability-related factors.
The above aspects will be repeated in the agenda as regards focus areas given the Group’s Governance Standards and aligned committee mandate.