Risk and compliance committee report
Report to shareholders on the activities of the risk and compliance committee for the 12 months ended 31 March 2018.
The board has considered it appropriate to allocate oversight of risk and compliance governance to the risk and compliance committee. This committee's main objectives are to:
- Ensure sustainable growth in all our businesses
- Promote a proactive approach to identify, evaluate, manage and monitor risks in the business
- Ensure compliance with applicable laws and adopted non-binding rules, codes and standards
These objectives are supported by the underlying policy statement:
To ensure the protection of shareholder value through the establishment of an integrated risk management framework/system for identifying, assessing, mitigating, monitoring, evaluating and reporting risks.
Following the departure of Mr Darryll Castle from the board, Mr Johannes Claassen was appointed to the committee. Mr Tim Ross, chairman of the audit committee, is an ex-officio member of this committee to ensure effective collaboration through cross-membership between committees and to avoid duplication or fragmented functioning of the committee.
On 31 March 2018, members of the committee were:
| T Leaf-Wright (chair) | Chartered Institute of Secretaries | Independent |
| C Naude | BSc (hons), MBL | Independent |
| J Claassen | BEng, EDP | Executive |
The committee held two meetings during the financial year:
| 29 May 2017 | All present |
| 12 October 2017 | All present |
Responsibility for risk in the PPC group is clearly mapped. In summary:
- The board is accountable to shareholders for risk governance and ensuring the company's strategy and business plans have properly considered and evaluated associated risks
- The board has delegated responsibility to evaluate the risk management process, effectiveness of related activities, key risks facing the company and appropriate responses to the risk and compliance committee
- The responsibility to implement and execute effective risk management is delegated to management by the board
Enterprise risk management
In fulfilling management's responsibility, a risk management plan is compiled, implemented and monitored to ensure the underlying policy is implemented and risk management processes are embedded in PPC's business processes. Key activities in the review period included:
- Management reviewed the risk management framework, which is being updated in line with changes to the international standard ISO 31000 risk management guideline
- The committee reviewed a management report on executing the risk management plan against targets and is satisfied with progress
- Group risk register was reviewed and approved by the exco
- The committee noted management's remedial action plans to reduce the group's inherent risk exposure
- The committee is satisfied with progress in embedding risk management processes as part of day-to-day management in the group
- The revised business continuity management policy and crisis communication policy were approved and communicated throughout the group
- Phase 1 of the business continuity management (BCM) programme was completed and rolled out across the group. Phase 2 is under way, comprising readiness reviews to ensure all recommendations made in phase 1 have been implemented and to determine each operation's level of readiness for testing BCM plans
- The risk matrix was reviewed and approved with risk appetite and tolerance indicators
- A status update of all risk self-assessments and verifications during the period, together with significant findings and management action plans to address these findings, was given to the committee for its endorsement
- Incidents of theft, robberies, fraud, etc are reported to the group compliance and risk division and management actions are monitored to ensure controls are implemented to prevent similar incidents in future. A consolidated report, including trend analysis, is presented to the committee for deliberation
- Insurance underwriting surveys were conducted at eight PPC operations in South Africa and five operations in Africa. Management's progress in addressing these recommendations is monitored
During the review period, risk registers in the PPC group were reviewed. For detail on the group's material risks, please refer to page 34.
As a governance principle, the board ensures PPC complies with applicable laws and considers adhering to non-binding rules, codes and standards. This responsibility has been delegated to the risk management and compliance committee, which monitors compliance issues, approves the compliance policy, and ensures that it is observed and that compliance risk is reported.
Management is responsible for implementing the compliance policy and day-to-day management of compliance risks. This includes responsibility for ensuring appropriate remedial or disciplinary action if non-compliances are identified. Key activities undertaken by the compliance division over the year included:
- The committee approved the revised compliance management framework
- The compliance manual was updated in line with the approved framework
- Governance structures for compliance were revised
- Roles and responsibilities for compliance were defined and related job profiles updated
- The regulatory universe for South Africa is reviewed each quarter and an update provided to the committee. Country-specific regulatory universes are being compiled for all operations in the rest of Africa, and will be presented to the committee for review and approval
- Workshops are being conducted across the group to compile compliance risk management profiles for each operation and division. Results will be provided to the committee
- A non-compliance standard was developed and appropriate monitoring tools and indicators established to ensure non-compliances are reported to the group compliance and risk division. A non-compliance register is maintained and updated by this division and presented to the committee
- The current policy management system was reviewed and improved by automating the process, with implementation in the new financial year
- A fraud-prevention programme was initiated which includes training, a communication plan and rolling out new guidelines
The threshold for disclosure of significant fines and penalties is R30 million. Management has confirmed that there were no significant fines and penalties.
Key future focus areas
The following strategic focus areas were identified for the 2019 financial year and beyond:
Enterprise risk management
By continuously reviewing and improving enterprise risk management, we ensure PPC's risk management processes and systems remain relevant, add value and are embedded in the business process of all operations and divisions. Risk reviews ensure issues are identified and adequately defined. All risks are rated in line with the risk matrix and response strategies, and actions are recorded and implemented to effectively mitigate risks.
Business continuity management
Readiness reviews (phase 2) will be completed, followed by phase 3 (simulations and testing of business continuity plans).
Risk self-assessment and verification process
PPC is integrating the risk self-assessment and verification tool into the SHERQ system. This will be implemented in 2019 and rolled out across the group.
Insurance underwriting survey recommendations
There will be increased focus on implementing recommendations.
Combined assurance model
Management will drive roll-out of combined assurance models throughout the group.
Key activities we embarked on in the review period will continue, focusing on:
- The compliance policy will be reviewed, updated and submitted to the committee for approval
- Workshops will continue across the group to embed the revised framework and compile compliance risk management profiles for each operation and division
- A regulatory universe for each operating country in Africa will be established and compliance risk management profiles compiled for each operation
- A risk-based approach will be followed in developing and implementing compliance risk management plans across the group
- Compliance monitoring tools and indicators will be continuously improved and implemented
- The compliance division will drive adoption of a group compliance issue register
In 2019, this committee will be integrated into the audit committee, and the combined entity will continue to oversee implementation of these objectives and report on management performance to the board.
For the review period, the committee is satisfied it has complied with its responsibilities as set out in its terms of reference.
On behalf of the risk and compliance committee
12 July 2018