Risk management

The AECI Board recognises that risk management is an integral part of the Group strategy-setting process and that leadership and oversight in risk management is the Board's responsibility. These principles underpin AECI's risk philosophy, which recognises that managing risk is fundamental to the generation of sustainable shareholder value and the enhancement of stakeholder interests. Risk management is integrated into the culture of the organisation. It is driven and monitored in line with the Board's mandate and commitment. The Risk Committee plays a leadership role in this regard.

Although it is acknowledged that risk can never be fully eliminated, great effort is made to ensure that the potential impact of significant risks is properly identified, understood and mitigated to safeguard shareholder value and the Company's continued growth. Management is responsible for the ongoing refinement and application of standards and processes in this regard, at individual Group business level and for the organisation as a whole.

Management drives the assessment and monitoring of risks specific to the business as well as those pertaining to the broader context in which the Group operates. The latter risks relate to the political and economic landscape, industry, labour and financial market trends. Work includes the analysis of research materials and industry benchmarking studies by institutions such as the World Economic Forum, the World Bank and Willis Risk Alert. These serve as an early warning system or a mechanism for the identification of future risks and opportunities.

In 2018 focus was maintained on understanding and managing risk in new territories and markets of operation, informing the Group's expansion strategy. The underlying objective is to optimise the Group's positioning in terms of its ability to capitalise on opportunities, in line with the philosophy of not only concentrating on downside risk. The Risk Management function is optimally geared to provide support in this regard.

Activities and processes are underpinned by the Group Risk Management Policy and the Group Enterprise Risk Management Framework ("Framework"). The Framework is based on the principles of the International Guideline on Risk Management (ISO 31000) and King IV, where guidelines are provided for the systematic, consistent and professional approach required for successful and effective management.

On the basis of the internal risk assessment process and the outcomes of feedback from stakeholders, AECI identifies the high level material issues that could impact the delivery of its strategy and growth objectives both positively and negatively. These are set out below.

2018 HIGHLIGHTS

In 2018 significant attention was paid to the integration of Schirm and Much Asphalt into the Group relating to AECI's risk model and processes. The risk identification process was also enhanced to highlight more clearly the upside as well as the downside of risk.

To mature its business continuity management processes further, AECI engaged its insurance brokers, Willis Towers Watson, to undertake an operational resilience project for the Group's major assets and plants. The results and gap analysis from this work will be revisited to strengthen the Risk Management model further.

With support from the Internal Audit function, the Risk Management team tested the business' accountability and related risk management culture. The outcome did not indicate any major issues of concern.

In addition, the Board held a Risk workshop to understand the possible strategy constraints for the Group over the next five years. The process revealed that additional readiness and preparedness are required to better align the Group with the fourth industrial revolution generally, and as it relates to artificial intelligence more specifically.

The work plan in the coming year will include a reassessment of the Company's risk appetite and tolerance scales, with revisions to follow if required.

Management of information technology ("IT") risk

King IV places responsibility for IT governance with the Board and the AECI Board has given the Chief Financial Officer overall responsibility for managing the IT governance structures and processes. IT operations are managed by the Chief Information Officer, who reports to the Chief Financial Officer. An IT Steering Committee ("Committee") is chaired by the Chief Financial Officer and its membership comprises the Chief Information Officer and the members of the AECI Executive Committee. The Committee has a well-defined charter and assists the Chief Financial Officer in the discharge of his duties as they pertain to IT-related activities and compliance with applicable laws, rules and standards.

AECI has adopted the IT Governance Institute's model as a framework for IT governance. It also employs the guidelines set out in the Control Objectives for IT and related infrastructure Library. This assists in establishing and maintaining effective internal controls, continuity and risk management. A new framework of IT policies has been developed and adopted, taking into consideration the business imperative, current legislation and IT trends.

The Company's Internal Audit function provides assurance to management, the Audit Committee and the Risk Committee on the effectiveness of IT governance.

During 2018 the Group made significant progress globally in:

In 2019, the IT function will focus on:

Attention to all aspects of security to protect systems and data is unwavering.

LEVEL OF RISK MATURITY

AECI's maturity level, determined through an assessment based on its adopted Risk Intelligence Maturity Model, is on the border between "semi-integrated and change driven" and "intelligent, integrated and optimised", with the desired future maturity level being "intelligent, integrated and optimised". The characteristics of the various states of maturity, as self-assessed, are detailed in the schematic below.

AECI will continue its pursuit of its desired risk maturity level. To this end, greater focus in 2018 and in future years will be on:

RISK INTELLIGENCE MATURITY MODEL

INITIAL

  • Ad hoc/chaotic
  • No formal risk management (“RM”) strategy
  • No use of standards, tools and techniques

INFORMAL

  • RM predominantly “risk specific”
  • Limited focus on integration
  • Risk viewed solely as an event with a negative consequence
  • Aware of techniques without the formal application of standards
  • No differentiation between “risks” and “hazards”

STANDARDISED AND GOVERNANCE-DRIVEN

  • Reporting focus
  • Common framework, programme statement and policy
  • High level risk assessments
  • Management of all risk types is not approached uniformly
  • Risk viewed largely as an event with a negative consequence
  • Use of standards

SEMI-INTEGRATED AND CHANGE-DRIVEN

  • Change management approach to RM
  • Coordinated RM across businesses and activities
  • All types of risks are managed through a uniform system
  • Risk is viewed as uncertainty and linked to objectives
  • Driven by performance-based standards

INTELLIGENT, INTEGRATED AND OPTIMISED

  • Enterprise-wide approach to RM
  • RM drives proactive and informed decision-making
  • Company and RM processes are fully integrated
  • RM is embedded in culture
  • RM is a strategic advantage
  • Sound understanding of standards and use of tools and techniques

EMBEDDING A RISK-INTELLIGENT AND RESILIENT ORGANISATION

Establishing the context of risk management at AECI is the foundation of good risk management and is vital to the successful implementation of the risk management process. Important considerations when determining context are illustrated in the framework diagram below.

Given the Group's competitive and rapidly evolving external environment, contextual analysis is crucial for the provision of proactive and informed risk information that supports timeous decision-making and leads to effective strategy execution. Scanning the external environment involves a multi-dimensional assessment of key elements that shape and are shaped by the Group's actions, also as illustrated below.

In line with the aspiration to continually improve the AECI Governance and Assurance service offering, a review by the Internal Audit function was undertaken in 2017. This review followed the Process Element Approach contained in the Institute of Internal Auditors' Practice Guide - Assessing the Adequacy of Risk Management Using ISO 31000.

The review concluded that, at a technical level, the AECI Enterprise Risk Management process contains the required elements of ISO 31000, both in design and in operation, and that the process is considered to be fit for purpose.

ENTERPRISE RISK MANAGEMENT FRAMEWORK

INTERNAL CONTEXT SETTING

The internal environment in which the entity seeks to achieve its objectives:

  • GOVERNANCE
  • STRUCTURE
  • CULTURE
  • CAPABILITY
  • POLICIES, PROCEDURES, IT SYSTEMS ETC.

EXTERNAL CONTEXT SETTING

The external environment in which the entity seeks to achieve its objectives:

  • POLITICAL
  • ECONOMIC
  • SOCIAL
  • TECHNOLOGICAL
  • LEGAL
  • ENVIRONMENTAL

RISK MANAGEMENT CONTEXT SETTING

The approach and boundaries are defined and applied to the risk assessment at hand:

  • SCOPE AND BOUNDARIES
  • DEFINE RISK CRITERIA
  • RISK ASSESSMENT METHODOLOGY

BUSINESS ENVIRONMENT ASSESSMENT
