The Board considers risk management to be a key business discipline designed to balance risk and reward, and to protect the Group against risks and uncertainties that could threaten the achievement of business objectives. The Board’s risk strategy has been established through deliberation with Massmart’s Executive Committee, where the Group’s risk tolerance has been considered and balanced against the drive towards the achievement of its strategies and objectives, and the realisation of identified opportunities emanating from the assessment of the Group’s risks and opportunities.
The Board has delegated the responsibility of overseeing the Group’s risk management programme to us. The day-to-day responsibility for risk management, including maintaining an appropriate loss prevention and internal control framework, remains with Massmart’s Executive Committee and Divisional Executives. Each division has developed a risk and loss prevention process that is best suited to its culture, structure and operations.
Our primary role is one of oversight and monitoring: we review and assess the dynamic interventions, within the Group’s available resources and skills, required in response to business-specific, industry-wide and general risks. We oversee the maintenance of a sound system of governance, risk management and control with regard to operations, the safeguarding of assets, the reliability of management reporting and compliance with laws and regulations. We table a Group risk register to the Board twice a year, in February and August, which is aggregated from those prepared by the Divisions and the Massmart Executive Committee.
We are also responsible for reviewing and reporting on the Group’s application of King IV, and play an integral part in aligning the Group’s governance structures and processes with the requirements and principles of King IV.
In the execution of our statutory duties and in accordance with our Charter, we effectively discharged our responsibilities over the past financial year.
As part of the annual risk reporting process, the Divisions’ Risk Officers report any major risk incidents that occurred during the year. These incidents are defined in the Group Risk Policy as ones that:
We consider there to be two categories of Group risk that can broadly be described as strategic/environmental risks and operational risks.
Strategic/environmental risks tend to be longer-term and more material in nature and in most cases can only be monitored, managed and partially mitigated through longer-term strategic or tactical business responses. These risks, which, for example, include executive talent retention and succession, transformation and supply chain, are the primary focus of the Group’s Risk Management process.
Operational risks, by their nature, can be immediately addressed or mitigated by local management actions. These risks – which include in-store health, safety and security, compliance, fire prevention and detection, IT systems and food safety, amongst others – are therefore the direct responsibility of each Divisional Executive Committee where a Loss Prevention or Risk Officer has line-responsibility for overseeing these risks.
Summary of key focus areas in 2019:
Focus areas for 2020 and beyond:
Information and technology governance
Massmart has a comprehensive Information Technology (IT) Governance Framework in place that outlines the structures, processes and mechanisms enabling the delivery of value to the Group; and reducing information and technology risks. While the Group operates a federated business model regarding Information and Technology, in order to ensure maximum value creation, certain key functions such as Information Technology and Information Security are being centralised to ensure efficiencies and uniformity throughout the Group.
Massmart aligns its IT teams with best-practice frameworks, including the Information Technology Infrastructure Library (ITIL), Control Objectives for Information Technology (COBIT), the National Institute of Standards and Technology (NIST) Cyber Security Framework and the Group’s own IT Policy framework. Measures are in place to ensure compliance with all relevant laws, information security requirements and the protection of personal information. The Group’s Chief Information Officers (CIOs) and the IT Governance sub-Committee are responsible for ensuring appropriate system security, data integrity and business continuity. Through its link into Walmart’s Information Security Department, Massmart receives daily and weekly updates regarding any concerns that are identified internationally, as well as active monitoring of Massmart-owned and -managed IT systems.
This information is shared with Massmart’s Divisions through the Divisional CIOs. Active network monitoring and profiling is managed through industry best-practice tools, and firewall traffic is submitted in real time to Walmart’s Security Operations Centre for interrogation.
As a responsible retailer, Massmart is committed to ensuring that all internal e-waste is discarded in a safe, responsible and secure manner, minimising the risk to human health and the environment and maintaining the security of public and private information. The Board, through the Risk Committee and Massmart’s Compliance department, oversees the protection of privacy and personal information. To ensure that management keeps abreast of changing regulation and best practices across all jurisdictions in which Massmart operates, regular meetings are held with management to discuss regulatory requirements and identified risks and opportunities. Data privacy training has been conducted throughout the Group to increase awareness of data privacy compliance requirements. An independent Global Risk Assessment team also completes a risk assessment on the privacy programme annually.
The Board receives independent assurance on the effectiveness of technology and information internal controls from internal and external auditors. Massmart Audit Services (MAS) not only assesses the processes and controls around large projects, but also the control environment within existing systems and the Group’s general computer control environment. MAS adopted the COBIT methodology for technology auditing several years ago.
Massmart has acquired cyber security insurance, which will assist with reducing the cost impacts associated with security incidents. This can also be utilised to assist with the liability exposure of Members of the Board.
Massmart is committed to the highest level of information and technology governance, managed by the Group Chief Information Officer (CIO). The Board is satisfied that Massmart complies with the significant governance principles in King IV, and has identified Information and cyber security as an area for future focus.
Internal control framework
Massmart maintains clear principles and procedures designed to achieve corporate accountability and control across the Group. These are codified in the Massmart Delegation of Authority policy that describes the specific levels of authority and the required approvals necessary for all major decisions at both Group and Divisional level. Through this framework, operational and financial responsibility is formally and clearly delegated to the Divisional Boards. This is designed to maintain an appropriate control environment within the constraints of Board-approved strategies and budgets, while providing the necessary local autonomy for day-to-day operations.
Identified risks, and how assurance is achieved over those risks, are reported annually to the Board through this Committee and the Massmart Audit Committee, which assume responsibility for the oversight thereof. Massmart’s combined assurance model incorporates and optimises all assurance services and functions so that, taken as a whole, they enable an effective control environment; support the integrity of information used for internal decision-making by Management and the Board; and support the integrity of the Group’s external reports.
Massmart adopts a collaborative approach to risk identification, mitigation and assurance activities between the management of the various Divisions, Head Office support functions and internal and external assurance providers. The Divisional risk committees provide us with feedback on their significant risks and material matters, as we ultimately own and manage risks, and we in turn give feedback to the Board thereon.
The Board, through us, objectively reviews the Group’s combined assurance model bi-annually, forming an opinion on the integrity of information and reports, and on the degree to which an effective control environment has been achieved. An important role of Massmart’s Audit Committee, as delegated by the Board, is to monitor and supervise the effective functioning of MAS in providing an objective overview of the operational effectiveness of the Group’s systems of internal control and reporting.
Litigation and other contingent liabilities
During 2019, we managed litigation, regulatory challenges and some other contingent liabilities, some of which have been resolved and others of which are ongoing but are unlikely to impact the Group. The Competition Commission’s Grocery Retail Market Inquiry was finalised with a report issued in November 2019 stating, amongst other things, that all lease exclusivities must be phased out within a period of 5 years from the date of the report. The Commission will seek to enforce regulations governing this going forward.
Chairman of the Risk Committee
2 April 2020