Introduction

The Board is ultimately accountable for the risk management process and system of internal control within Remgro. The Board has reviewed the comprehensive Risk Management Policy and plan, which have been implemented by manage­ment. This incorporates continuous risk and opportunity identification and assessment and internal control embedment as well as risk reduction and insurance strategies.

The Audit and Risk Committee is mandated to monitor the effectiveness of the risk management process and systems of internal control and is supported in this regard by its subcommittee, the Risk and IT Governance Committee. The Group’s internal and external auditors, along with management and certain external consultants, are tasked to render combined assurance reports to the Audit and Risk Committee.

Ethical leadership and human capital are the cornerstones of Remgro’s risk management philosophy as these ensure entrepreneurial flair, sound corporate reputation and effective governance.

The risk management process in Remgro comprises the arrangement of resources to ensure the achievement of strategy and business plans, including the exploitation of available opportunities that meet the risk appetite criteria set by the Board. Risk profiles inherent to existing activities and investments are furthermore maintained within the approved risk tolerance levels, thereby optimising the risk return parameters for the creation of sustainable growth and value for shareholders and other stakeholders.

Strategic risk assessment includes the consideration of probable future scenarios taking cognisance of inter alia, political, environmental, social, technological, economical and legislative developments in both the Remgro environment as well as the market sectors that it invests in.

REPORT PARAMETERS

Due to the nature and magnitude of Remgro’s investment portfolio, this report focuses on the activities of the Company and its subsidiaries, save where such entities are JSE-listed entities and the relevant information is readily available to stakeholders, or the materiality of such information is deemed insufficient to warrant detailed disclosure. As a result, this report contains risk management information of the Company, Remgro Management Services Limited (Remgro’s service company) and V&R Management Services AG*.

* A wholly owned subsidiary, registered and managed in Switzerland, rendering administrative, accounting and treasury services for Remgro’s foreign subsidiaries and third parties.

RISK MANAGEMENT PROCESS

The Risk Management Policy is based on the principles of the international COSO (Committee of Sponsoring Organisations of the Treadway Commission) Enterprise Risk Management – Integrated Framework and complies with the recommendations of the King Report on Governance for South Africa 2009 (King III). This policy defines the objectives, methodology, process and responsibilities of the various risk management role players in the Company. The Risk Management policy is subject to annual review and any proposed amendments are submitted to the Audit and Risk Committee for consideration and recommendation to the Board for approval. Both the COSO Risk Management Framework and the King Report on Corporate Governance™ will be updated during the following review process.

Remgro is an investment holding company and as such the risk management process takes cognisance of risks and opportunities within the Company as well as the risks and opportunities inherent to its investment portfolio.

The table below summarises the salient control objectives and related controls included in the Remgro risk register:

KEY CONTROL OBJECTIVES   KEY CONTROLS
     

The appointment and retention of suitably skilled and experienced directors and officers possessing the required values and drive.
 

 

Effective functioning of the Remuneration and Nomination Committee.

Performance assessments and committee evaluations.

Strong ethical leadership.
 

Ethical and visible leadership via governance structures and related processes.
 

 

Anti-corruption procedures.

Embedded system of values and ethics and maintenance thereof via visible leadership.

Formalised ethics policies and codes of conduct.

Corporate culture focused on excellence in execution and fairness in dealing and transparency in reporting.

Comprehensive and King III compliant corporate governance structures and systems.
 

Adoption and implementation of appropriate long-term strategy within approved risk appetite duly communicated
and delegated to the executive.
 

 

Effective Management Board supported by executive management and an experienced investment division.

Dedicated focus on external risks such as country and economic risk.
 

Maintaining the significance of Remgro’s corporate presence in the investment environment as this enables it to acquire meaningful stakes in selected investment opportunities.
 

 

A conservative business approach with long-term investment criteria focused on growth, sustainability and liquidity.

Corporate actions are aligned with the long-term strategy
and responsible investment criteria.
 

Ensuring that opportunity risks are managed to avoid lost investment opportunities that meet Remgro’s stringent investment criteria.
 

 

Good corporate reputation and brand as investor of choice.

Skilled and experienced investment division with efficient operational processes and controls.

Effective support structures and negotiation processes supported by proven due diligence processes.

Workgroups focused at future scanning and key investment strategy objectives reporting to the Management Board.
 

Available liquidity to fund new investments and further
support successful investments.
 

 

Conservative cash administration and well-managed and secure treasury environment.

Borrowing facilities in place.
 

Effective group structuring to house existing and new
investments.
 

 

Appropriate control structures supported by skilled and experienced legal and corporate tax specialists.
 

Effective management of underlying investments and ensuring that Remgro’s investment criteria are maintained and the Group’s rights are protected.*
 

 

Comprehensive shareholder agreements are concluded at time of investment. This facilitates effective control or significant influence over the executive management teams in the underlying investee companies and ensures that strategies, goals and deliverables are met and that salient risks are duly managed.

Detailed reporting, review and management structures are implemented to ensure timely, accurate and reliable information used in decision-making processes.

The early identification of abnormal investee risk profiles through internal processes.
 

   
* As stated in the “Group Profile” section of this report, Remgro is not involved in the day-to-day management of investee activities but does have non-executive representation on these autonomous boards via shareholder agreements. These bodies are responsible for risk management
at investee level.
 
KEY CONTROL OBJECTIVES   KEY CONTROLS

Effective internal operations, including secretarial, financial, human resources and all other departmental activities in the service company and wholly owned subsidiaries under the control of the management of the service company.
 

 

Skilled and experienced managers regularly review policies and practices governing internal controls designed to ensure the consistent achievement of relevant objectives.
 

Given the significance of treasury, the following salient objectives are integrated into the Treasury Committee’s
(a management committee chaired by the Chief Financial Officer (CFO), also comprising the Chief Executive Officer (CEO) and other senior managers) mandate:

  • Liquidity requirements and risk appetite are formalised and linked to realised returns on treasury funds
  • Terms of trade with banks are reviewed to ensure adequate risk sharing
  • Payment systems are secured
  • Information is secured
  • FAIS (Financial Advisory and Intermediary Services Act, 2002)
    and FICA (Financial Intelligence Centre Act, 2001) legislation is complied with
  • The following treasury risks are specifically managed:

    • Liquidity risk
    • Instrument risk (derivatives)
    • Investment credit risk (credit limits and spread of cash between approved institutions)
    • Foreign currency risk (spread and composition of approved currency exposures)
    • Interest rate risk

 

 

A formalised Treasury Policy is maintained by the Treasury Committee and amendments are submitted to the Board
for approval.

Skilled staff is employed in the treasury department and comprehensive internal controls are deployed and
complied with.

The treasury department is subject to quarterly FAIS and FICA reviews from the FSB (Financial Services Board) approved external compliance officer. In addition, the
treasury department (back and front office) are subject to regular internal audit reviews and a year-end review by
the external auditor.
 

Accurate, transparent and reliable reporting and inter­action with stakeholders.
 

 

Formalised stakeholder and communication policies.

Effective internal financial controls.

Comprehensive combined assurance plans and processes.

Structured and considered integrated reporting.
 

Full compliance with taxation and other relevant legislation and industry practices.
 

 

Employment of tax experts and consultation with independent tax and legal professionals.

Legal Compliance Policy linked to expert legal advice.
 

Reliable and secure information systems to support business objectives and requirements.
 

 

Effective outsource agreement with a credible vendor and service levels supporting cost-efficient, secure and available systems and networks.

IT Governance Policy supported by procedures over key activities such as business continuity, information security, document retention and user acceptable usage policies.
 

Due consideration and support to sustainability matters
such as BBBEE, environmental management and social corporate support.
 

 

Board guidelines to the Corporate Social Investment function.

Effective Social and Ethics Committee.

BBBEE policies and mandates.

Safety, health and environmental management included under the ambit of the Risk and IT Governance Committee with formalised policies.

Successful participation in Carbon Disclosure Project (CDP) and inclusion in FTSE/JSE Responsible Investment Index.

Ethics governance and anti-corruption processes.
 

Material external risks include uncertainty on government ability to deliver on its mandate and the sustained global economic downturn impacting on market confidence and global, regional and local stability.

Remgro, being a responsible investor, ensures that proper corporate governance is implemented and maintained in all entities it invests in via the above processes.

Risk Management Structure

The following structure has been implemented and maintained in the Company to ensure the effective and efficient management of risk and opportunity within the Company.

In the structure below the function of the Chief Risk Officer is shared amongst the following individuals:

  • The CEO reports directly to the Board on an ongoing basis as regards the risks that may impact the effective and efficient execution of its strategy.
  • The CFO, as chairman of the Risk and IT Governance Committee, is responsible for the induction of risk management into the daily activities of the Company, including the drafting, review and maintenance of the Risk Register and Risk Management Policy and plan.
  • The head of internal audit attends meetings of the Risk and IT Governance Committee and renders independent assurance regarding the effectiveness of this committee’s activities as well as the system of internal control.

Risk Tolerance Levels

The Remgro Board has formalised and approved the risk tolerance levels to define the Board’s risk appetite and to ensure that all risks within the Group are managed within the limits so defined.

Remgro, due to the nature of its core activities, deals with risk tolerance levels in the following three risk categories using dedicated and bespoke methodologies:

Investments

Risk tolerance levels are set in accordance with the cost of funding the investments (WACC) as adjusted with a risk weighting (Beta) to ensure a sustainable and positive risk return environment.

Treasury

Given the liquidity requirements to support performing investments and to seize new investment opportunities, the risk tolerance levels and linked returns for cash held in South Africa and internationally are measured in terms of lending rates achieved by major banks in the money market, including but not limited to STeFI (Short Term Fixed Interest) or LIBOR (London Interbank Offered Rate), as well as compliance with minimum credit ratings set for approved counterparties. This is continuously monitored and reassessed given prevailing market volatilities, risk and, at times, negative returns on cash in certain international money markets.

Foreign currency risk and capital preservation risk in an adverse economic climate are mitigated by means of conservative policies regarding hedging strategies and counterparty vetting.

The treasury funds are invested as per a Board-approved Treasury Policy which deals with counterparty (credit) risk, liquidity risk, interest rate risk, currency risk, instrument risk and commercial risk (terms of trade), as well as the policies deployed to safeguard cash and liquid assets.

The Treasury Committee is furthermore tasked to assess liquidity requirements, considering the identified investment opportunities, and to recommend funding instruments to the Board if so required.

Other

This category includes risks associated with unplanned loss to assets, exposure to liabilities, fidelity, business interruption and other operational risk.

In these instances the Board has, in addition to stringent internal controls, adopted a conservative approach by taking sufficient insurance cover to mitigate the anticipated maximum loss should risk realise in these categories.

RISK APPETITE

Risk appetite is defined as the risk that the Company is prepared or willing to accept without further mitigating action being put in place or the amount and nature of risk the Company is willing to accept in pursuit of objectives. This is also defined as the risk propensity of the Board in pursuing the creation of sustainable wealth.

The following qualitative and quantitative factors are considered by the Board in evaluating risk appetite:

  • risk and return profile of the current investment portfolio;
  • availability of cash resources and other liquid (available for sale) assets;
  • available funding opportunities;
  • risk return profile of prospective opportunities;
  • financial ratios relevant to measuring performance, including inter alia:
    • Intrinsic Net Asset Value (INAV)
    • return on INAV relative to comparable risk investments
    • dividend policy;
  • international and local economic cycles and trends;
  • foreign currency rates and trends; and
  • materiality of risks with reference to the INAV of the Group.

RISK-BEARING CAPACITY

Risk-bearing capacity is defined as a monetary value which is used as a yardstick, measuring the maximum loss the Company can endure without exposing it to the point where its existence and going concern status is under threat, given an equivalent loss.

Given the nature of Remgro’s INAV composition, i.e. equity investments, net excess cash and the size of debt at holding company level, there are no known current exposures that could jeopardise the going concern status of the Group.

UNEXPECTED OR UNUSUAL RISK EXPERIENCES

The risk management process is furthermore also externally focused to ensure the timely identification of new emerging risks and the assessment of the effectiveness of risk responses thereto.

IT GOVERNANCE

The Company reviews its IT Governance Policy annually, which is aligned with the limited technology needs of an investment holding company. This policy is further supplemented by governance-based policies such as the Acceptable IT Use policy and information confidentiality policies.

The head of IT reports to the Group Financial Manager and IT-related matters are addressed by an IT Steering Committee comprising senior management. The IT risk register is considered by the Risk and IT Governance Committee and progress on IT and control-related projects is monitored via the Risk and IT Governance Committee by the Audit and Risk Committee.

The Company has outsourced its IT operations to a credible service provider via a comprehensive Service Level Agreement. The Service Level Agreement of the operator, which deals with, inter alia, key deliverables such as system and user support, system availability, cyber risk management, virus protection, telephony and other general controls, is reviewed annually and compliance monitored. IT service management is based on the international ITIL (Information Technology Infrastructure Library) framework.

The IT risk management process is included into the combined assurance process of the Company and aligned to COBIT (Control Objectives for Information and Related Technologies). A business continuity plan has been formalised and successful tests performed on the back-up and disaster recovery process.

LEGAL COMPLIANCE

The Board, as part of its ethical leadership commitment, approved a Legal Compliance Policy and confirmed that there are sufficient management capacity and controls in place to ensure that all relevant laws and salient industry practices are complied with.

The administration of the Legal Compliance System is vested in an official with the appropriate legal qualifications. Members of senior management of the Company are informed on a regular basis of all relevant new legislation and amendments. Compliance controls also vest with senior management who are required to report to the Risk and IT Governance Committee on a regular basis regarding their compliance using a control self-assessment methodology. This process is incorporated into the annual combined assurance plan.

INTERNAL CONTROL AND INTERNAL AUDIT

The Group has implemented and maintained a comprehensive system of internal controls to mitigate the risks in the enterprise and to ensure that the Group’s objectives are consistently achieved. Internal controls are based on the principle of acceptable risk being inherent to the design and implementation of a cost-effective system of internal control. The system includes monitoring mechanisms and mitigation processes to augment deficiencies when they are detected. This system is benchmarked against the COSO Internal Control – Integrated Framework.

The internal audit function is employed by Remgro Management Services Limited and the head of internal audit, Mr Deon Annandale, reports to the chairman of the Audit and Risk Committee and functionally to the CFO. The department complies with the requirements of King III and the International Standards for the Professional Practice of Internal Auditing. The department maintains a three-tier Quality Assurance and Improvement Programme as prescribed by the IIA. This comprises a self-assessment process with Independent External Validation being performed by an international external audit firm, other than the Group’s external auditors, over a three-year rotational cycle.

The internal audit plans, as approved by the Audit and Risk Committee, are designed following a risk-based assurance approach and are focused on adding value to the control environment while rendering independent assurance to the Audit and Risk Committee and to the Board on, inter alia: the effectiveness of internal financial control; the effectiveness of internal control over operational and compliance activities; the adequacy of governance systems, including the “tone at the top”; the effectiveness of the combined assurance process and risk management process.

The function is furthermore strategically aligned to the creation and preservation of value.

The internal audit department also renders independent internal audit and risk management services to certain Group companies who elect to outsource the function. In these instances dedicated processes are maintained to ensure the independent functioning of the department, including its fiduciary duty to the respective Group companies and the safeguarding of their proprietary information.

When required, specialist skills are insourced to assist with information technology and forensic services.

EFFECTIVENESS OF RISK MANAGEMENT PROCESS AND SYSTEM OF INTERNAL CONTROL

The Board, via the Audit and Risk Committee, has considered the documented policies, procedures and independent assurance reports and is satisfied that the internal control process and risk management process implemented in the Group are effective.

The Board is not aware of any exposure or position that could culminate in the residual risk profile of the Group exceeding the risk-bearing capacity limits set by the Board.