
Risk management

Methodology and approach to enterprise risk management

Framework and model: the Group has in place an Enterprise Risk Management framework based on a combined assurance model comprising management, external auditors and internal audit. This model and its related activities are structured to ensure that the Group's risks are adequately managed and that the Group's strategic imperatives are formulated in response to them.

Identification of risks

Identification of risks is based on:

  • The Group's risk bearing capacity (the capacity to absorb losses arising from risks without an immediate threat to the Group's continued existence based on its current business model);
  • Risk appetite (the amount and type of risk the Group is willing to accept in pursuit of its business objectives); and
  • Risk tolerance (the acceptable levels of variation relative to the achievement of the Group's objectives).

[Figure: Residual risk heatmap – combined]

Quantification of risks

Certain financial measures form the basis on which these risks are quantified.

Categorisation of risks

Identified risks are categorised according to:

  • Inherent risk (a function of their potential impact and probability); and
  • Residual risk (based on the effectiveness of mitigating controls or responses to address the inherent risk).

The identified risks are encompassed in the following risk categories:

  • IT infrastructure and network vulnerability;
  • Supply chain disruptions;
  • Loss of quality earnings/revenue/profitability/future growth;
  • Talent attraction/development/retention;
  • Brand identity and corporate image; and
  • Regulatory compliance.

The following is a summary of the Group's top risks and/or material issues based on their residual risk ratings, together with the strategic imperatives related to each risk.