The Risk Committee report

We consider risk management to be a key business discipline designed to balance risk and reward, and to protect the Group against risks and uncertainties that could threaten the achievement of business objectives. The Committee continued to review and assess the dynamic interventions, within the Group’s available resources and skills, required in response to business-specific, industry-wide and general risks and opportunities.
O Ighodaro, Chairman of the Risk Committee
BOARD MEMBERS            BOARD STATUS                         MEMBER SINCE        ATTENDANCE
O Ighodaro (Chairman)    Independent non-Executive            24 May 2018         3/3
N Gwagwa                 Independent non-Executive            1 November 2006     3/3
P Langeni*               Independent non-Executive            25 August 2004      2/3
M Mthimunye**            Independent Non-Executive Director   27 February 2019    3/3
MW Slape***              Executive Director                   1 September 2019    2/3
M Abdool-Samad****       Executive Director                   1 August 2019       2/3
* Resigned as a member of the Risk Committee effective 21 May 2020.
** Appointed as a member of the Risk Committee effective 27 February 2019. Attended the 26 August 2019 meeting as an invitee.
*** Appointed as a member of the Risk Committee effective 1 September 2019. Attended the 26 August 2019 meeting as an invitee.
**** Appointed as a member of the Risk Committee effective 1 August 2019.
Committee Experience

  • Corporate governance
  • Compliance
  • General business management
  • Leadership
  • Accounting and finance
  • Economics/public policy
  • International retail
  • Risk management

The Board considers risk management to be a key business discipline designed to balance risk and reward, and to protect the Group against risks and uncertainties that could threaten the achievement of business objectives. The Board’s risk strategy has been established through deliberation with Massmart’s Executive Committee, where the Group’s risk tolerance has been considered and balanced against the drive towards the achievement of its strategies and objectives, and the realisation of identified opportunities emanating from the assessment of the Group’s risks and opportunities.

The Board has delegated the responsibility of overseeing the Group’s risk management programme to us. The day-to-day responsibility for risk management, including maintaining an appropriate loss prevention and internal control framework, remains with Massmart’s Executive Committee and Divisional Executives. Each division has developed a risk and loss prevention process that is best suited to its culture, structure and operations.

Our primary role is one of oversight and monitoring and we review and assess the dynamic interventions, within the Group’s available resources and skills, required in response to business-specific, industry-wide and general risks. We oversee the maintaining of a sound system of governance, risk management and control with regard to operations, safeguarding assets, reliability of management reporting and compliance with laws and regulations. We table a Group risk register to the Board twice a year, in February and August, which is aggregated from those prepared by the Divisions and the Massmart Executive Committee.

We are also responsible for reviewing and reporting on the Group’s application of King IV, and play an integral part in aligning the Group’s governance structures and processes with the requirements and principles of King IV.

In the execution of our statutory duties and in accordance with our Charter, we effectively discharged our responsibilities over the past financial year.

As part of the annual risk reporting process, the Divisions’ Risk Officers report any major risk incidents that occurred during the year. These incidents are defined in the Group Risk Policy as ones that:

  • Directly or indirectly impact annual Divisional earnings before interest and tax or total assets by 5% or more (quantitative), or
  • Have significant qualitative dimensions that may include:
    • A major concern to Massmart Holdings’ public shareholders
    • Serious damage to the reputations of the Division and / or its executives and management
    • Affecting a major portion of the Division’s customer base
    • A large fraud or theft
    • A legal matter that may result in major financial or reputational risk
    • A material ethical or compliance breach, whether qualitative or quantitative
    • A major breakdown in the control environment
    • Significant IT system failure
    • Nationwide media coverage and/or public concern
    • Affecting the Division or Group’s ability to implement or execute its strategy and business objectives

We consider there to be two categories of Group risk that can broadly be described as strategic/environmental risks and operational risks.

Strategic/environmental risks tend to be longer-term and more material in nature and in most cases can only be monitored, managed and partially mitigated through longer-term strategic or tactical business responses. These risks, which, for example, include executive talent retention and succession, transformation and supply chain, are the primary focus of the Group’s Risk Management process.

Operational risks, by their nature, can be immediately addressed or mitigated by local management actions. These risks – which include in-store health, safety and security, compliance, fire prevention and detection, IT systems and food safety, amongst others – are therefore the direct responsibility of each Divisional Executive Committee where a Loss Prevention or Risk Officer has line-responsibility for overseeing these risks.

Summary of key focus areas in 2019:

  • Review and monitoring of the significant risks and opportunities facing the organisation taking into consideration the Group’s long-term strategy, its operating context, the interests of key stakeholders, media coverage and/or public concern
  • Provision of independent and objective oversight of risk management across the Group and its Divisions by directing the way risk management should be approached and addressed in the Group
  • Considering the Group’s IT strategy and the adequacy of the cyber security, information management and data security interventions in place
  • Review of events and risks that occurred or were emerging and expected to have a direct or indirect impact on the Group’s risk profile
  • Monitoring of Massmart’s effectiveness in the application of the King IV principles and recommended practices
  • Reviewing the appropriateness of the combined assurance model
  • Ensuring that the Group maintained an effective and independent ethics and compliance function


Focus areas for 2020 and beyond:

  • Continue to monitor management’s risk assessments and their response to significant risks
  • Ensure that consideration is given to the upside presented by such risks to ensure that possible opportunities are captured
  • Conduct a review of global, domestic, industry and the competitor risk environment
  • Review of the Group’s information and technology governance and controls framework and its responsiveness to the Group’s IT strategy, including the adequacy of cyber security measures
  • Review Massmart’s level of risk appetite and tolerance and its determination of what constitutes excessive risk
  • Monitor increasing and evolving regulatory developments and their consequential impact on the Group’s growth agenda


Information and technology governance

Massmart has a comprehensive Information Technology (IT) Governance Framework in place that outlines the structures, processes and mechanisms enabling the delivery of value to the Group; and reducing information and technology risks. While the Group operates a federated business model regarding Information and Technology, in order to ensure maximum value creation, certain key functions such as Information Technology and Information Security are being centralised to ensure efficiencies and uniformity throughout the Group.

Massmart aligns its IT teams with best-practice frameworks including the Information Technology Infrastructure Library (ITIL), Control Objectives for Information Technology (COBIT), the National Institute of Standards and Technology (NIST) Cyber Security Framework and the Group’s own IT Policy framework. Measures are in place to ensure compliance with all relevant laws, information security and the protection of personal information. The Group’s Chief Information Officers (CIOs) and IT Governance sub-Committee are responsible for ensuring appropriate system security, data integrity and business continuity. Through its link into Walmart’s Information Security Department, Massmart receives daily and weekly updates regarding any concerns that are identified internationally, as well as active monitoring of Massmart-owned and -managed IT systems.

This information is shared with Massmart’s Divisions through the Divisional CIOs. Active network monitoring and profiling is managed through industry best-practice tools, and firewall traffic is submitted in real time to Walmart’s Security Operations Centre for interrogation.

As a responsible retailer, Massmart is committed to ensuring that all internal e-waste is discarded in a safe, responsible and secure manner, minimising the risk to human health and the environment and maintaining the security of public and private information. The Board, through the Risk Committee and Massmart’s Compliance department, oversees the protection of privacy and personal information. To ensure that management keeps abreast of changing regulation and best practices across all jurisdictions in which Massmart operates, regular meetings are held with management to discuss regulatory requirements and identified risks and opportunities. Data privacy training has been conducted throughout the Group to increase awareness of data privacy compliance requirements. An independent Global Risk Assessment team also completes a risk assessment on the privacy programme annually.

The Board receives independent assurance on the effectiveness of technology and information internal controls from internal and external auditors. Massmart Audit Services (MAS) not only assesses the processes and controls around large projects, but also the control environment within existing systems and the Group’s general computer control environment. MAS adopted the COBIT methodology for technology auditing several years ago.

Massmart has acquired cyber security insurance which will assist with reducing the associated cost-impacts related to security incidents. This can also be utilised to assist with the liability exposure for Members of the Board.

Massmart is committed to the highest level of information and technology governance, managed by the Group Chief Information Officer (CIO). The Board is satisfied that Massmart complies with the significant governance principles in King IV, and has identified Information and cyber security as an area for future focus.

Internal control framework

Massmart maintains clear principles and procedures designed to achieve corporate accountability and control across the Group. These are codified in the Massmart Delegation of Authority policy that describes the specific levels of authority and the required approvals necessary for all major decisions at both Group and Divisional level. Through this framework, operational and financial responsibility is formally and clearly delegated to the Divisional Boards. This is designed to maintain an appropriate control environment within the constraints of Board-approved strategies and budgets, while providing the necessary local autonomy for day-to-day operations.

Combined assurance

Identified risks and how assurance is achieved over those risks are reported to the Board through this and the Massmart Audit Committees, who assume responsibility for the oversight thereof, on an annual basis. Massmart’s combined assurance model incorporates and optimises all assurance services and functions so that, taken as a whole, they enable an effective control environment; support the integrity of information used for internal decision making by Management and the Board; and support the integrity of the Group’s external reports.

Massmart adopts a collaborative approach to risk identification, mitigation and assurance activities between the management of the various Divisions, Head Office support functions, and internal and external assurance providers. The Divisional risk committees provide us with feedback on their significant risks and material matters, as we ultimately own and manage risks, and in turn give feedback to the Board thereon.

The Board, through us, objectively reviews the Group’s combined assurance model bi-annually, forming an opinion on the integrity of information and reports, and the degree to which an effective control environment has been achieved. An important role of Massmart’s Audit Committee, as delegated by the Board, is to monitor and supervise the effective function of MAS to provide an objective overview of the operational effectiveness of the Group’s systems of internal control and reporting.

Litigation and other contingent liabilities

During 2019, we managed litigation, regulatory challenges and some other contingent liabilities, some of which have been resolved and others that are ongoing but are unlikely to impact the Group. The Competition Commission probe into the Grocery Retail Market Inquiry was finalised with a report being issued in November 2019 stating, amongst other things, that all lease exclusivities must be phased out within a period of 5 years from the date of the report. The Commission will seek to enforce regulations governing this going forward.


Olufunke Ighodaro
Chairman of the Risk Committee

2 April 2020