Governance functional areas

Our philosophy of integrated governance is reflected in the extent to which the report back on our governance functional areas is integrated into the underlying elements of our integrated annual report. Oversight of these functional areas is maintained by the board and its sub-committees as follows:

Functional areas               Committee oversight    Report back
Risk                           Audit and risk         Risk management and assurance process – page 79
                                                      Our materiality, material risks and opportunities – pages 27 to 29
Technology and information     Audit and risk         Technology and information governance – page 80
                                                      Product relevance to customer experience – page 55
Regulatory compliance          Audit and risk         Regulatory compliance – page 59
                               Social and ethics
Assurance                      Audit and risk         About this report – page 01
                                                      Risk management and assurance process – page 79
Stakeholder relationships      Social and ethics      Key relationships – pages 30 to 32
Remuneration                   Remuneration           Remuneration – pages 81 to 88


The Tsogo Sun board recognises that the management of business risk is crucial to our continued growth and success and this can only be achieved if all three elements of risk – namely threat, uncertainty and opportunity – are recognised and managed in an integrated fashion.

The audit and risk committee is mandated by the board to establish, coordinate and drive the risk process throughout the group. It has overseen the establishment of a comprehensive risk management system to identify and manage significant risks in the operational divisions, business units and subsidiaries. Internal financial and other controls ensure a focus on critical risk areas, are closely monitored and are subject to management oversight and internal audit reviews.

The systems of internal control are designed to manage rather than eliminate risk, and provide reasonable but not absolute assurance as to the integrity and reliability of the financial statements, compliance with statutory laws and regulations, and the safeguarding and accountability of the group’s assets. The board and executive management acknowledge that an integrated approach to the total process of assurance improves assurance coverage and quality, in addition to being more cost-effective. The combined assurance framework is as follows:


In addition to the risk management processes embedded within the group, the group executive committee identifies, quantifies and evaluates the group’s risks annually utilising a facilitated risk assessment workshop. The severity of risks is measured in qualitative (e.g. zero tolerance for regulatory risks) as well as quantitative terms, guided by the board’s risk tolerance and risk appetite measures. The scope of the risk assessment includes risks that impact shareholder value or that may lead to a significant loss, or loss of opportunity. Appropriate risk responses to each individual risk are designed, implemented and monitored.

The risk profiles, with the risk responses, are reviewed by the audit and risk committee at least once every six months. In addition to the group risk assessment, risk matrices are prepared and presented to the audit and risk committee for each operational division. This methodology ensures that identified risks and opportunities are prioritised according to the potential impact on the group and cost-effective responses are designed and implemented to counter the effects of risks and take advantage of opportunities.

For key areas of focus refer to our materiality, material risks and opportunities – pages 27 to 29. There were no unforeseen or unexpected risks outside the tolerance levels.

An independent assurance of the effectiveness of the risk management is carried out on a periodic basis and was last completed during the 2016 financial year. There were no significant matters noted.

The objectives of assurance are to assess whether the internal control environment is effective and whether there is sufficient integrity in the information used for internal decision-making, and to support the integrity of external reports.

The combined assurance framework has been applied to both internal and external reporting in the risk management, control environment, compliance and financial reporting functional areas. Although all external reporting is subject to internal review, non-financial information contained in external reports is currently not independently assured. Based on the internal review process carried out during the preparation and review of the integrated annual report, the board is satisfied with the integrity of the information contained within the report.

The directors are responsible for the group's systems of internal control. The systems of internal control are designed to manage rather than eliminate risk, and provide reasonable but not absolute assurance as to the integrity and reliability of the financial statements, the compliance with statutory laws and regulations, and to safeguard and maintain accountability of the group's assets. The directors have satisfied themselves, based on the combined assurance framework, that adequate systems of internal control are in place to mitigate significant risks identified to an acceptable level.

Internal audit is outsourced and reports to the Chief Audit Executive and independently to the audit and risk committee. The outsourced function was provided until 31 March 2018 by KPMG, which was replaced by a new service provider, GRIPP Advisory, a subsidiary of HCI. GRIPP Advisory will provide internal audit services to the HCI group. Internal audit forms part of the combined assurance framework. Internal audit is subject to internal quality reviews annually and independent quality reviews every five years; the last independent review was carried out during the 2014 financial year. The function is also subject to professional ethics and independence standards. The audit and risk committee approves the approach, scope and scoring of the internal audit plan on an annual basis. The internal audit focus over the past three years has been on efficiencies and on developing and rolling out the combined assurance framework and model. The audit and risk committee is satisfied with the effectiveness of the internal audit function.


The board is accountable for IT governance. The IT governance charter was updated and approved by the board during the year and takes into account the requirements of King IV™, globally accepted standards and good practice, together with the performance and sustainability objectives of the group.

Areas of focus during the year were:

  • maturing our processes in support of the King IV™ framework;
  • ensuring all parties in the value chain apply good governance principles;
  • improving our management of IT information assets including the adoption of new technologies to enhance data protection and encryption, network security, application and environmental controls;
  • aligning business continuity and disaster recovery plans;
  • ongoing management of IT risks;
  • monitoring our social media risk strategy; and
  • enhancing cybersecurity strategy and organisational awareness.

In the coming year the group will prioritise the following:

  • strengthening relationships with key business functions and third-party service providers;
  • evaluating emerging trends and potentially disruptive technologies;
  • keeping technology platforms relevant to our customer base;
  • managing the costs of our technology platform;
  • completing a data classification exercise to assist with compliance objectives;
  • improving our capability to deal with cybersecurity threats and minimise our risks; and
  • upgrading operating systems, databases and applications.

The Chief Information Officer reports directly to the Chief Executive Officer and has responsibility for the ownership and execution of IT governance.

The key IT risks are integrated into the enterprise-wide risk governance and management process. Independent IT assurance reviews are conducted annually to ensure governance and policies are adhered to, laws are complied with and data is secure and protected. No major incidents occurred during the year which required remedial action and the board is satisfied with the effectiveness of technology and information governance.


The group operates in the highly regulated gaming industry, and the regulatory environment in South Africa is complex. The group invests in a strict culture of compliance. Refer to regulatory compliance on page 59.


Stakeholder relationships are monitored by the social and ethics committee, to which matters relating to regulators, customers, communities, employees and unions are reported on a bi-annual basis. While the board has mandated the social and ethics committee to develop a formal stakeholder relationship management policy, it is satisfied that the current interactions with stakeholders are effective. Refer to the key relationships on pages 30 to 32.