Governance/ Risk management

Risk management

The AECI Board recognises that risk management is an integral part of the Group strategy-setting process and is accountable for risk management. This is embodied in AECI's risk philosophy which recognises that managing risk is fundamental to the generation of sustainable shareholder value and the enhancement of stakeholder interests. Risk management is integrated into the culture of the organisation and is driven by the Board's mandate, leadership and commitment.

By understanding and properly managing its risks, AECI provides greater certainty and security for its employees, customers, suppliers and other stakeholders and its decisions are better informed, more decisive and geared at moving the Company with greater confidence towards the achievement of its goals. The alignment of risk management and strategic decision-making increases the probability that AECI will be able to minimise its downside risks and also capitalise on the upside of risks. This is enhanced by maintaining an appropriate balance between risk and reward in the business.

It is acknowledged that risk can never be fully eliminated. Management has designed and implemented processes to identify, assess, manage, monitor and report on the significant risks faced by individual businesses and the Group as a whole on a continual basis. This involves the assessment and monitoring of the broader context in which the Group operates in terms of the political and economic landscape, industry, labour and financial market trends. Work includes the analysis of research materials and industry benchmarking studies by institutions such as the World Economic Forum, the World Bank and Control Risk. These serve as an early warning system or a mechanism for the identification of future risks and opportunities.

In 2017 specific attention was given to understanding and managing risk in new territories and markets, informing the Group's expansion into countries like Senegal, Madagascar and Germany. The objective is to optimise the Group's positioning in terms of its ability to capitalise on opportunities. This is in line with the philosophy of focusing not only on downside risk but also identifying upside risk and benefiting from identified opportunities. The Risk Management function is optimally geared to continue providing support in this regard.

All related activities and processes are underpinned by the Group Risk Management Policy and the Group Enterprise Risk Management Framework ("Framework"). The latter is based on the principles of the International Guideline on Risk Management (ISO 31000) and King IV, where guidelines are provided for the systematic, consistent and professional approach required to ensure successful and effective risk management. AECI's risk management process is supported by a software application that has been implemented Group-wide.

The following key methodology elements have been embedded in the Framework:

LEVEL OF RISK MATURITY

AECI's maturity level, determined through an assessment based on its adopted Risk Intelligence Maturity Model, is on the border between "semi-integrated and change driven" and "intelligent, integrated and optimised", with the desired future maturity level being "intelligent, integrated and optimised". The characteristics of the various states of maturity, as self assessed, are detailed in the schematic below.

AECI will continue its pursuit of its desired risk maturity level. To this end, greater focus in 2018 and in future years will be on:

EMBEDDING A RISK-INTELLIGENT AND RESILIENT ORGANISATION

Establishing the context of risk management at AECI is the foundation of good risk management and is vital to the successful implementation of the risk management process. Important considerations when determining context are illustrated in the framework diagram below.

Given the Group's competitive and rapidly evolving external environment, contextual analysis is crucial for the provision of proactive and informed risk information that supports timeous decision-making and leads to effective strategy execution. Scanning the external environment involves a multi-dimensional assessment of key elements that shape and are shaped by the Group's actions, also as illustrated below.

In line with the aspiration to continually improve the AECI Governance and Assurance service offering, a review by the Internal Audit function was undertaken in 2017. This review followed the Process Element Approach contained in the Institute of Internal Auditors' Practice Guide - Assessing the Adequacy of Risk Management Using ISO 31000.

The review concluded that, at a technical level, the AECI Enterprise Risk Management process contains the required elements of ISO 31000, both in design and in operation, and that the process is considered to be fit for purpose.

RISK INTELLIGENCE MATURITY MODEL

RISK INTELLIGENCE MATURITY MODEL

INITIAL   INFORMAL
 
STANDARDISED AND
GOVERNANCE- DRIVEN
 
SEMI-INTEGRATED
AND CHANGE-DRIVEN
  INTELLIGENT,
INTEGRATED
AND OPTIMISED
  • Ad hoc/chaotic
  • No formal risk management (“RM”)strategy
  • No use of standards, tools and techniques
 
  • RM predominantly “risk specific”
  • Limited focus on integration
  • Risk viewed solely as an event with a negative consequence
  • Aware of techniques without the formal application of standards
  • No differentiation between “risks” and “hazards”
 
  • Reporting focus
  • Common framework, programme statement and policy
  • High level risk assessments
  • Management of all risk types is not approached uniformly
  • Risk viewed largely as an event with a negative consequence
  • Use of standards
 
  • Change management approach to RM
  • Coordinated RM across businesses and activities
  • All types of risks are managed through a uniform system
  • Risk is viewed as uncertainty and linked to objectives
  • Driven by performance-based standards
 
  • Enterprise-wide approach to RM
  • RM drives proactive and informed decision-making
  • Company and RM processes are fully integrated
  • RM is embedded in culture
  • RM is a strategic advantage
  • Sound understanding
    of standards and use
    of tools and techniques

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Risk Management INTERNAL
CONTEXT
SETTING
  EXTERNAL
CONTEXT
SETTING
  RISK
MANAGEMENT
CONTEXT SETTING

The internal environment in which the entity seeks to achieve its objectives:

  • GOVERNANCE
  • STRUCTURE
  • CULTURE
  • CAPABILITY
  • POLICIES, PROCEDURES, IT SYSTEMS ETC.
 

The external environment in which the entity seeks to achieve its objectives:

  • POLITICAL
  • ECONOMIC
  • SOCIAL
  • TECHNOLOGICAL
  • LEGAL
  • ENVIRONMENTAL
 

The approach and boundaries are defined and applied to the risk assessment at hand:

  • SCOPE AND BOUNDARIES
  • DEFINE RISK CRITERIA
  • RISK ASSESSMENT METHODOLOGY

BUSINESS ENVIRONMENT ASSESSMENT

BUSINESS ENVIRONMENT ASSESSMENT