Our philosophy of integrated governance is reflected in the extent to which the report back on our governance functional areas is integrated into the underlying elements of our integrated annual report. Oversight of these functional areas is maintained by the board and its sub-committees as follows:
| Functional areas | Committee oversight | Report back |
|---|---|---|
| Risk | Audit and risk | Risk management and assurance process – page 79; Our materiality, material risks and opportunities – pages 27 to 29 |
| Technology and information | Audit and risk | Technology and information governance – ; Product relevance to customer experience – page 55 |
| Regulatory compliance | Audit and risk; Social and ethics | Regulatory compliance – page 59 |
| Assurance | Audit and risk | About this report – page 01; Risk management and assurance process – page 79 |
| Stakeholder relationships | Social and ethics | Key relationships – pages 30 to 32 |
| Remuneration | Remuneration | Remuneration – pages 81 to 88 |
The Tsogo Sun board recognises that the management of business risk is crucial to our continued growth and success and this can only be achieved if all three elements of risk – namely threat, uncertainty and opportunity – are recognised and managed in an integrated fashion.
The audit and risk committee is mandated by the board to establish, coordinate and drive the risk process throughout the group. It has overseen the establishment of a comprehensive risk management system to identify and manage significant risks in the operational divisions, business units and subsidiaries. Internal financial and other controls ensure a focus on critical risk areas, are closely monitored and are subject to management oversight and internal audit reviews.
The systems of internal control are designed to manage rather than eliminate risk, and provide reasonable but not absolute assurance as to the integrity and reliability of the financial statements, the compliance with statutory laws and regulations, and to safeguard and maintain accountability of the group’s assets. The board and executive management acknowledge that an integrated approach to the total process of assurance improves the assurance coverage and quality in addition to being more cost-effective and the combined assurance framework is as follows:
In addition to the risk management processes embedded within the group, the group executive committee identifies, quantifies and evaluates the group’s risks annually utilising a facilitated risk assessment workshop. The severity of risks is measured in qualitative (e.g. zero tolerance for regulatory risks) as well as quantitative terms, guided by the board’s risk tolerance and risk appetite measures. The scope of the risk assessment includes risks that impact shareholder value or that may lead to a significant loss, or loss of opportunity. Appropriate risk responses to each individual risk are designed, implemented and monitored.
The risk profiles, with the risk responses, are reviewed by the audit and risk committee at least once every six months. In addition to the group risk assessment, risk matrices are prepared and presented to the audit and risk committee for each operational division. This methodology ensures that identified risks and opportunities are prioritised according to the potential impact on the group and cost-effective responses are designed and implemented to counter the effects of risks and take advantage of opportunities.
For key areas of focus refer to our materiality, material risks and opportunities – pages 27 to 29. There were no unforeseen or unexpected risks outside the tolerance levels.
An independent assurance of the effectiveness of the risk management is carried out on a periodic basis and was last completed during the 2016 financial year. There were no significant matters noted.
The objectives of assurance are to assess whether the internal control environment is effective, there is sufficient integrity in the information used for internal decision-making and to support the integrity of external reports.
The combined assurance framework has been applied to both internal and external reporting in the risk management, control environment, compliance and financial reporting functional areas. Although there is internal review of all external reporting, non-financial information contained in external reports is currently not independently assured. Based on the internal review process during the preparation and review of the integrated annual report the board is satisfied with the integrity of the information contained within the report.
The directors are responsible for the group's systems of internal control. The systems of internal control are designed to manage rather than eliminate risk, and provide reasonable but not absolute assurance as to the integrity and reliability of the financial statements, the compliance with statutory laws and regulations, and to safeguard and maintain accountability of the group's assets. The directors have satisfied themselves, based on the combined assurance framework, that adequate systems of internal control are in place to mitigate significant risks identified to an acceptable level.
Internal audit is outsourced and reports to the Chief Audit Executive and independently to the audit and risk committee. The outsourced function was provided until 31 March 2018 by KPMG who were replaced by a new service provider GRIPP Advisory, which is a subsidiary of HCI. GRIPP Advisory will provide internal audit services to the HCI group. Internal audit forms part of the combined assurance framework. Internal audit is subject to internal quality reviews annually and independent quality reviews every five years. The last review was carried out during the 2014 financial year. They are also subject to professional ethics and independence standards. The audit and risk committee approves the approach, scope of the internal audit plan and scoring on an annual basis. The internal audit focus over the past three years has been on efficiencies and developing and rolling out the combined assurance framework and model. The audit and risk committee is satisfied with the effectiveness of the internal audit function.
The board is accountable for IT governance. The IT governance charter was updated and approved by the board during the year and takes into account the requirements of King IV™, globally accepted standards and good practice, together with the performance and sustainability objectives of the group.
Areas of focus during the year were:
In the coming year the group will prioritise the following:
The Chief Information Officer reports directly to the Chief Executive Officer and has responsibility for the ownership and execution of IT governance.
The key IT risks are integrated into the enterprise-wide risk governance and management process. Independent IT assurance reviews are conducted annually to ensure governance and policies are adhered to, laws are complied with and data is secure and protected. No major incidents occurred during the year which required remedial action and the board is satisfied with the effectiveness of technology and information governance.
The group operates in a highly regulated industry in gaming and the regulatory environment in South Africa is complex. The group invests in a strict culture of compliance. Refer to regulatory compliance on page 59.
Stakeholder relationships are monitored by the social and ethics committee, to which matters relating to regulators, customers, communities, employees and unions are reported on a bi-annual basis. While the board has mandated the social and ethics committee to develop a formal stakeholder relationship management policy, it is satisfied that the current interactions with stakeholders are effective. Refer to the key relationships on pages 30 to 32.