The Board is ultimately accountable for the risk management process and system of internal control within Remgro. The Board has reviewed the comprehensive Risk Management Policy and plan which has been implemented by management. This incorporates continuous risk identification and assessment and internal control embedment as well as risk reduction and insurance strategies.
The Audit and Risk Committee is mandated to monitor the effectiveness of the risk management process and systems of internal control and is supported in this regard by its subcommittee, the Risk and IT Governance Committee. The Group’s internal and external auditors, along with management and certain external consultants, are tasked to render combined assurance reports to the Audit and Risk Committee.
Ethical leadership and human capital are the cornerstones of Remgro’s risk management philosophy as these ensure entrepreneurial flair, sound corporate reputation and effective governance.
The risk management process in Remgro comprises the arrangement of resources to ensure the achievement of strategy and business plans, including the exploitation of available opportunities that meet the risk appetite criteria set by the Board. Risk profiles inherent to existing activities and investments are furthermore maintained within the approved risk tolerance levels, thereby optimising the risk return parameters for the creation of sustainable growth and value for shareholders and other stakeholders.
Strategic risk assessment includes the consideration of probable future scenarios, taking cognisance of, inter alia, political, environmental, social, technological, economic and legislative developments in both the Remgro environment and the markets that it invests in.
Due to the nature and magnitude of Remgro’s investment portfolio, this report focuses on the activities of the Company and its subsidiaries, save where such entities are JSE-listed entities and the relevant information is readily available to stakeholders, or the materiality of such information is deemed insufficient to warrant detailed disclosure. As a result, this report contains risk management information of the Company, Remgro Management Services Limited (Remgro’s service company) and V&R Management Services AG*.
* A wholly owned subsidiary, registered and managed in Switzerland, rendering bookkeeping and treasury services for Remgro’s foreign subsidiaries and third parties.
RISK MANAGEMENT PROCESS
The Risk Management Policy is based on the principles of the international COSO (Committee of Sponsoring Organisations of the Treadway Commission) Enterprise Risk Management – Integrated Framework and complies with the recommendations of King III. This policy defines the objectives, methodology, process and responsibilities of the various risk management role players in the Company. The Risk Management Policy is subject to annual review and any proposed amendments are submitted to the Audit and Risk Committee for consideration and recommendation to the Board for approval.
Remgro is an investment holding company and as such the risk management process takes cognisance of risks and opportunities within the Company as well as the risks and opportunities inherent to its investment portfolio.
The table below summarises the salient control objectives and related controls included in the Remgro risk register:
* As stated in the “Group Profile” section of this report, Remgro is not involved in the day-to-day management of investee activities but does have non-executive representation on these autonomous boards via shareholder agreements. These bodies are responsible for risk management at investee level.
Material external risks include uncertainty regarding government's ability to deliver on its mandate and the sustained global economic downturn impacting market confidence and global, regional and local stability.
Remgro, being a responsible investor, ensures that proper corporate governance is implemented and maintained in all entities it invests in via the above processes.
Risk Management Structure
The following structure has been implemented in the Company to ensure the effective and efficient management of risk within the Company.
In the structure below the function of the Chief Risk Officer is shared amongst the following individuals:
- The Chief Executive Officer reports directly to the Board on an ongoing basis as regards the risks that may impact the effective and efficient execution of its strategy.
- The Chief Financial Officer, as chairman of the Risk and IT Governance Committee, is responsible for the induction of risk management into the daily activities of the Company, including the drafting, review and maintenance of the Risk Register and Risk Management Policy and plan.
- The head of internal audit attends meetings of the Risk and IT Governance Committee and renders independent assurance regarding the effectiveness of this committee’s activities as well as the system of internal control.
Risk Tolerance Levels
The Remgro Board has formalised and approved the risk tolerance levels to define the Board’s risk appetite and to ensure that all risks within the Group are managed within the limits so defined.
Remgro, due to the nature of its core activities, deals with risk tolerance levels in the following three risk categories using dedicated and bespoke methodologies:
Risk tolerance levels are set in accordance with the cost of funding the investments (WACC) as adjusted with a risk weighting (Beta) to ensure a sustainable and positive risk return environment.
Given the liquidity requirements to support performing investments and to seize new investment opportunities, the risk tolerance levels and linked returns for cash held in South Africa and internationally are measured in terms of lending rates achieved by major banks in the money market, including but not limited to STeFI (Short Term Fixed Interest) or LIBOR (London Interbank Offered Rate), as well as compliance with minimum credit ratings set for approved counterparties. This is continuously monitored and reassessed given prevailing market volatilities, risk and, at times, negative returns on cash in certain international money markets.
Foreign currency risk and capital preservation risk in an adverse economic climate are mitigated by means of conservative policies regarding hedging strategies and counterparty vetting.
The treasury funds are invested as per a Board-approved Treasury Policy which deals with counterparty (credit) risk, liquidity risk, interest rate risk, currency risk, instrument risk and commercial risk (terms of trade), as well as the policies deployed to safeguard cash and liquid assets.
The Treasury Committee is furthermore tasked to assess liquidity requirements, considering the identified investment opportunities, and to recommend funding instruments to the Board if so required.
This category includes risks associated with unplanned loss to assets, exposure to liabilities, fidelity, business interruption and other operational risk.
In these instances the Board has, in addition to stringent internal controls, adopted a conservative approach by taking sufficient insurance cover to mitigate the anticipated maximum loss should risk realise in these categories.
Risk appetite is defined as the risk that the Company is prepared or willing to accept without further mitigating action being put in place or the amount and nature of risk the Company is willing to accept in pursuit of objectives. This is also defined as the risk propensity of the Board in pursuing the creation of sustainable wealth.
The following qualitative and quantitative factors are considered by the Board in evaluating risk appetite:
- risk and return profile of the current investment portfolio;
- availability of cash resources and other liquid (available for sale) assets;
- available funding opportunities;
- risk return profile of prospective opportunities;
- financial ratios relevant to measuring performance, including inter alia:
  - Intrinsic Net Asset Value (IAV)
  - return on IAV relative to comparable risk investments
- dividend policy;
- international and local economic cycles and trends;
- foreign currency rates and trends; and
- materiality of risks with reference to the IAV of the Group.
Risk-bearing capacity is defined as a monetary value which is used as a yardstick, measuring the maximum loss the Company can endure without exposing it to the point where its existence and going concern status is under threat, given an equivalent loss.
Given the nature of Remgro’s intrinsic net asset value composition, i.e. equity investments, net excess cash and the size of debt at holding company level, there are no known current exposures that could jeopardise the going concern status of the Group.
UNEXPECTED OR UNUSUAL RISK EXPERIENCES
The risk management process is furthermore also externally focused to ensure the timely identification of new emerging risks and the assessment of the effectiveness of risk responses thereto.
The Company reviews its IT Governance Policy annually, which is aligned with the limited technology needs of an investment holding company. This policy is further supplemented by governance-based policies such as the Acceptable IT Use policy and information confidentiality policies.
The head of IT reports to the Group Financial Manager and IT-related matters are addressed by an IT Steering Committee comprising senior management. The IT risk register is considered by the Risk and IT Governance Committee and progress on IT- and control-related projects is monitored via the Risk and IT Governance Committee by the Audit and Risk Committee.
The Company has outsourced its IT operations to a credible service provider via a comprehensive Service Level Agreement. The Service Level Agreement of the operator, which deals with, inter alia, key deliverables such as system and user support, system availability, cyber risk management, virus protection, telephony and other general controls, is reviewed annually and compliance monitored.
The IT risk management process is included in the combined assurance process of the Company. A business continuity plan has been formalised and successful tests performed on the back-up and disaster recovery process.
The Board, as part of its ethical leadership commitment, approved a Legal Compliance Policy and confirmed that there are sufficient management capacity and controls in place to ensure that all relevant laws and salient industry practices are complied with.
The administration of the Legal Compliance System is vested in an official with the appropriate legal qualifications. Members of senior management of the Company are informed on a regular basis of all relevant new legislation and amendments. Compliance controls also vest with senior management who are required to report to the Risk and IT Governance Committee on a regular basis regarding their compliance using a control self-assessment methodology. This process is incorporated into the annual combined assurance plan.
INTERNAL CONTROL AND INTERNAL AUDIT
The Group has implemented and maintained a comprehensive system of internal controls to mitigate the risks in the enterprise and to ensure that the Group’s objectives are consistently achieved. Internal controls are based on the principle of acceptable risk being inherent to the design and implementation of a cost-effective system of internal control. The system includes monitoring mechanisms and mitigation processes to augment deficiencies when they are detected. This system is benchmarked against the COSO (Committee of Sponsoring Organisations of the Treadway Commission) Internal Control – Integrated Framework.
The internal audit function is employed by Remgro Management Services Limited and the head of internal audit, Mr Deon Annandale, reports to the chairman of the Audit and Risk Committee and functionally to the CFO. The department complies with the requirements of King III and the International Standards for the Professional Practice of Internal Auditing. The department maintains a three-tier Quality Assurance and Improvement Programme as prescribed by the IIA. This comprises a self-assessment process with Independent External Validation being performed by an international external audit firm, other than the Group’s external auditors, over a three-year rotational cycle.
The internal audit plans, as approved by the Audit and Risk Committee, are designed following a risk-based assurance approach and are focused on adding value to the control environment whilst rendering independent assurance to the Audit and Risk Committee and to the Board on, inter alia:
- the effectiveness of internal financial control;
- the effectiveness of internal control over operational and compliance activities;
- the adequacy of governance systems, including the “tone at the top”;
- the effectiveness of the combined assurance process and risk management process.
The internal audit department also renders independent internal audit and risk management services to certain Group companies who elect to outsource the function. In these instances dedicated processes are maintained to ensure the independent functioning of the department, including its fiduciary duty to the respective Group companies and the safeguarding of their proprietary information.
When required, specialist skills are insourced to assist with information technology and forensic services.
EFFECTIVENESS OF RISK MANAGEMENT PROCESS AND SYSTEM OF INTERNAL CONTROL
The Board, via the Audit and Risk Committee, has considered the documented policies, procedures and independent assurance reports and is satisfied that the internal control process and risk management process implemented in the Group are effective.
The Board is not aware of any exposure or position that could culminate in the residual risk profile of the Group exceeding the risk-bearing capacity limits set by the Board.