RISK AND OPPORTUNITY GOVERNANCE FRAMEWORK
  | NAME | DESIGNATION | DATE
Reviewed | Cathie Lewis/Karen Warnock | Group Company Secretary/Treasury Finance Manager | May 2019
Approved | Risk Committee | Grindrod Limited Risk Committee | May 2019
Approved | Risk Committee | Grindrod Limited Risk Committee | November 2017
Revised | Andrew Davies | Group Risk Manager | September 2017
Reviewed | Mandhir Ramruthan | Group Risk and Internal Audit | September 2017
Reviewed | Cathie Lewis | Group Company Secretary | September 2017
Compiled | Andrew Davies | Group Risk Manager | May 2017
Reviewed | Cathie Lewis | Group Company Secretary | May 2017
Approved | Risk Committee | Grindrod Limited Risk Committee | May 2017
1. DEFINITION
A Risk and Opportunity Governance Framework (the Framework) has been reviewed by the risk committee
and approved by the Board.
The purpose of the Framework is to set out the Risk and Opportunity Governance Strategy of Grindrod and
to give an overview of its Risk and Opportunity Governance Policy, risk reporting and risk appetite. It also
describes key aspects of the risk governance process implemented by Grindrod to provide reasonable
assurance regarding the achievement of its strategic objectives.
2. OBJECTIVE
This Framework has been developed based on the principles and provisions of ISO 31000:2018, the King
IV Report on Corporate Governance for South Africa, 2016 (King IV) and the Committee of Sponsoring
Organisations of the Treadway Commission Enterprise Risk Management (COSO ERM). This Framework
aims to ensure that the activities of Grindrod and its controlled entities are undertaken within the Board
approved risk appetite and tolerance levels to ensure the sustained profitability, relevance and reputation of
Grindrod. As a general principle, the risk management process is to be undertaken in conjunction with
strategic planning and should consider risks and opportunities in an integrated way over the short, medium
and long term.
In this regard the King IV Report states that risk governance should encompass both the:
• opportunities and associated risks to be considered when developing strategy; and
• potential positive and negative effects of the same risks on the achievement of organizational
objectives.
The risks identified and evaluated as part of the annual strategic planning process will be the risks that will
affect Grindrod’s ability to achieve its strategic objectives. Although the risk committee meets bi-annually to
formally review risk governance, risk management is an on-going part of strategic planning, management and
day-to-day activities of the organisation. New risks affecting the achievement of objectives may arise at any
time.
An integrated approach to risk management will provide Grindrod with a complete and coherent picture of the
risk universe. This will be achieved by adopting the 6 Resources of the Value Creation Model approach which
provides guidance on a broad, integrated value creation process which takes externalities and intangibles into
consideration. The Company creates value by identifying and managing risks and opportunities through
considering the 6 Resources, viz, Our Money; Our Assets; Our Skills; Our Relationships; Our People and Our
Environment within the context of the three environments in which the Company operates and impacts, i.e.
economic, social and natural.
A structured and integrated Framework provides a number of beneficial outcomes by:
• enhancing strategic planning through the identification of risks that may pose as threats to Grindrod’s
strategic objectives and opportunities that may strengthen the prospects of Grindrod achieving its
strategic objectives.
• encouraging a proactive approach to issues likely to negatively and positively impact Grindrod’s
strategic objectives.
• improving the quality of decision-making by providing structured methods for the exploration of risks and
opportunities, and allocating resources.
• supporting consistent behaviours and decision-making with respect to risks and opportunities across the
Group.
• richer risk assessment by identifying recurring/strong themes and developing a comprehensive
understanding of causes, effects and consequence leading to a complete risk response.
• alignment of the risk appetite and organisational strategy of the Group.
• improving the organisation’s agility to anticipate, identify, adapt and respond to change.
3. RISK GOVERNANCE POLICY
Grindrod has adopted a Risk Governance Policy (Policy) (Annexure A of this document) designed to protect
and enhance resources and enable the achievement of its strategic objectives. The Policy emphasises that
risk management is an integral part of Grindrod’s business processes.
The risk governance policy is based on the following principles. Risk management is:
• the responsibility of the Board, executives, managers and employees;
• integrated into all business activities and systems;
• based on the South African Risk Management Standard SANS ISO 31000:2018;
• based on the provisions of the COSO ERM;
• compliant with the King IV Code; and
• embracive of the 6 Resources of the Value Creation Model.
The Risk Governance Policy is supported by existing related policies.
4. GOVERNANCE STRUCTURE
An effective risk and opportunity governance framework is dependent on a governance structure that has:
• defined roles and responsibilities;
• formal policies, objectives and strategies in place;
• adequate separation of duties;
• good relationships with internal stakeholders;
• proper systems of supervision and monitoring of activities and transactions;
• formal information systems, information flows and decision-making processes;
• proper understanding of resources and knowledge capabilities;
• risk consciousness and a proactive approach to managing risks and opportunities across the structure;
and
• risks being viewed in an integrated manner within the context of the external environment.
Grindrod risk and opportunity governance structure
An organogram setting out Grindrod’s committee structure with specific reference to their risk functions is
annexed as Annexure B of this document.
5. ROLES AND RESPONSIBILITIES
Set out below is a summary of the responsibilities of the various roles within Grindrod in relation to risk
governance and management.
Role | Responsibilities
Board | The Board retains the ultimate responsibility for risk governance and for determining the appropriate level of risks and opportunities that Grindrod is willing to accept. The role of the Board with respect to risk governance encompasses both compliance and performance related aspects.
Risk Committee | The Risk Committee assists the Board in carrying out its risk oversight responsibilities.
Audit Committee | Ensures the integrity of internal financial controls and identifies and manages financial risks by means of a combined assurance model integrating internal and external assurance providers.
Social and Ethics Committee | Assists the Board to fulfil its corporate governance responsibilities relating to social and economic development, good corporate citizenship including ethics, the environment, health and public safety, legal compliance, stakeholder relations, labour and employment and transformation.
Nomination Committee | Continually reviews the skill and experience base of the Board and its committees, conducts search and selection processes for new directors and recommends new appointments to the Board. In addition, the Committee oversees executive succession planning to ensure continuity of senior management at and below Board level.
Executive Management | Management is accountable to the Board for designing, implementing and monitoring the process of risk management and integrating it into the day-to-day activities of the company. Management has a mandate to ensure risks are contained within approved risk tolerance levels and opportunities are identified and developed as may be appropriate.
Divisional Chief Executives | Divisional Chief Executives are responsible for the development and implementation of all risk management processes and methodologies within their divisions.
Group Risk Management | The Group Risk Manager is responsible for the facilitation of the risk and opportunity governance of the Company and reporting on the status of key business risks and opportunities within the Group.
Employees | All Grindrod employees are responsible for the reporting of risks and opportunities they become aware of.
Internal Audit | Internal Audit performs an objective assessment of the effectiveness of risk governance.
6. RISK APPETITE AND RISK TOLERANCES
Risk Appetite is the amount of risk a business is willing to accept in pursuit of specific return on the
assumption of sustainable business operations. An approved risk appetite level will improve the ability of the
Board, other sub-committees and management to evaluate action plans by providing a benchmark of the
level of risk considered acceptable. Risk tolerances are specific boundaries/parameters relative to the
residual risk on the specific risk identified. The risk tolerance reflects an organisation’s ability or readiness
to accept residual risk after all mitigating controls have been put in place. The Risk Committee is responsible
for assisting the Board in determining the risk appetite and risk tolerances for Grindrod.
7. RISK GOVERNANCE PROCESS
Set out below is Grindrod’s risk governance process which is based on the South African Risk Management
Standard SANS ISO 31000:2018.
7.1 IDENTIFY AND UNDERSTAND OBJECTIVES
The starting point to establish the risk context for Grindrod is the overall environment in which the Company
operates. The environment that will be considered in risk management activities include global, strategic,
operational, compliance and financial. Risks and opportunities are identified and governed through the
lenses of the 6 Resources, which include Our Money; Our Assets; Our Skills; Our Relationships; Our
People and Our Environment, whereby the interests of stakeholders are considered. Objectives are set
with regard to the risk appetite, which may change, depending on changes in the internal and external
environment of the Company. A level of variation is accepted for objectives (risk tolerance).
7.2 RISK ASSESSMENT
The following risk identification processes are relied upon within Grindrod to ensure risks are identified and
reported. Key risks and opportunities are identified and governed, considering the 6 Resources of the Value
Creation Model (Our Money; Our Assets; Our Skills; Our Relationships; Our People and Our Environment)
and how these Resources are interlinked and interdependent on one another, affecting the risk tolerance
levels and ultimately the residual risk of the Company.
Risk identification group | Examples
Formal risk assessments | Business strategic planning reviews; Risk workshops
Normal organisation activities | Monthly Management meetings; Business and operational managers forums; Capital expenditure risk assessments; Routine data collection and business data analysis
Assessment against standards/audits | Financial reviews and external audits; Six monthly Letters of Assurance; Internal Audit and peer reviews; Third Party Accreditation reviews; Corporate Compliance and Risk Audits; SHERQ audits
Incident or event logging | Internal incident reporting incorporating health, safety, environment and property incidents; Tip-Offs hotline
Exception reporting | Monthly exception reporting incorporating legal, IT, employment practices, insurance, SHERQ and tax
7.3 CONSIDER CONTROLS
A control is any measure or action that treats risk. Controls include any policy, procedure, practice,
process, technology, technique, method, or device that modifies or manages risk. Risk treatments
become controls, or modify existing controls, once they have been implemented. Management must
identify the controls in place to mitigate each risk identified and consider the adequacy and effectiveness
of such controls in reducing the likelihood of the risk event arising or mitigating the consequences should
the risk event occur.
7.4 RESIDUAL RISK EVALUATION
Residual risks are those risks that are expected to remain after implementing the planned risk mitigation
strategies, as well as those that have been deliberately accepted (risk tolerance).
Residual risk evaluation is the process of calculating the likelihood of an event and the consequence if it
were to occur, after consideration of the influence of controls in place to reduce the likelihood and/or
consequence. The product of these two variables is the risk rating (i.e. the level of risk = likelihood x
consequence).
The likelihood of the risk occurring is linked to probabilities. The higher the probability, the higher the
likelihood. The likelihood rating scale in the table below is used to determine the likelihood.
Likelihood rating Description
1 Rare: Risk will not even occur long term
2 Unlikely: Risk unlikely to occur even medium term
3 Moderate: Risk could occur medium term
4 Likely: Risk certain to occur in the short term
5 Common: Risk is pervasive and occurring regularly
The consequences of each identified risk event need to be determined. When considering the
consequences, both monetary and non-monetary consequences need to be considered, that is, the
consequences affecting some or all of the 6 Resources, depending on the circumstances. The
measurements of consequences that do not have a natural monetary value, for example, reputation loss,
need to be determined. Reputation loss, for instance, can be measured in loss of market value terms due
to a reduction in share price. The main purpose of placing a value on the consequence is to get a feel for
the magnitude of risk and its priority.
The quality of information used in assessing risk is important and should consider past records, loss
events and incident register, relevant experience, industry practice and experience and specialist and
expert judgements.
The consequence rating scale in the table is used to determine the consequence.
Consequence rating Description
1 Adverse variance for inclusion in management report
2 No material impact on achievement of objectives
3 Disruptive to normal operations with a limited impact
4 Reduced ability to achieve objectives
5 Will not achieve objectives
The residual risk rating equals the product of the likelihood rating and the consequence rating. The
residual risk is then classified as per the table below.
Evaluation range | Matrix evaluation
1 – 6 | Low
8 – 15 | Medium
16 – 20 | High
25 | Critical
The residual risk scores can then be transposed onto a heat map for reporting purposes as follows.
Residual Risk Heat Map (rows: Impact rating 5 down to 1; columns: Likelihood rating 1 to 5)
Impact 5 | 5 10 15 20 25
Impact 4 | 4 8 12 16 20
Impact 3 | 3 6 9 12 15
Impact 2 | 2 4 6 8 10
Impact 1 | 1 2 3 4 5
Likelihood | 1 2 3 4 5
7.5 RESIDUAL RISK RESPONSE STRATEGY
The tolerance for the residual risk needs to be determined and must be aligned with the group risk appetite
and risk tolerance approved by the Board.
7.6 RISK TREATMENT
If the residual risk for any risk is in excess of the risk tolerances set by the Board, an action plan setting
out the steps to treat the risk in order to reduce the risk to tolerable levels together with a reasonable time
frame in which the action plan will be implemented must be prepared for management approval. The
action plan should include the responsible person and time lines.
Management will identify and consider different ways that Grindrod can respond to the risks identified
during the risk assessment process. The responses opted for will be noted in the risk report. The
options for responses will include:
• Terminating the risk or avoiding the risk by not starting the activity that creates exposure to the risk.
• Treating the risk, through improvements to the control environment in order to reduce or mitigate the
risk. Risk treatment may include methods, procedures, applications, management systems and the
use of appropriate resources that reduce the probability or possible severity of the risk.
• Transferring the risk exposure, usually to a third party better able to manage the risk, for example,
through insurance or outsourcing.
• Tolerating or accepting the risk, where the level of exposure is as low as reasonably practicable or
where there are exceptional circumstances.
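The rating arithmetic of 7.4 (likelihood x consequence on the two 1 to 5 scales), the heat map evaluation ranges (1 to 6 Low, 8 to 15 Medium, 16 to 20 High, 25 Critical) and the 7.6 rule that a residual rating above the Board-approved tolerance requires an action plan, implemented as an added example. This is illustrative code written for this page, not part of the Grindrod framework document; the register entries, risk owners and the tolerance value of 6 are constructed for the example, and the register fields are the subset of the 7.7 register layout needed for the calculation.

```python
"""Residual risk rating, heat-map classification and tolerance test.

Added example; not part of the Grindrod framework document. It implements the
section 7.4 scales (likelihood 1-5 x consequence 1-5 = residual risk rating),
the evaluation ranges of the heat map (1-6 Low, 8-15 Medium, 16-20 High,
25 Critical) and the section 7.6 rule that a residual rating above the
Board-approved tolerance requires an action plan. The register entries and
the tolerance value below are constructed for illustration.
"""
from dataclasses import dataclass

LIKELIHOOD_SCALE = {1: "Rare", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Common"}
CONSEQUENCE_SCALE = {
    1: "Adverse variance for inclusion in management report",
    2: "No material impact on achievement of objectives",
    3: "Disruptive to normal operations with a limited impact",
    4: "Reduced ability to achieve objectives",
    5: "Will not achieve objectives",
}
# Upper bound (inclusive) of each evaluation range in the heat map table.
# Only products of two 1-5 ratings occur, so the gaps (7, 11, 13, ...) never arise.
EVALUATION_RANGES = ((6, "Low"), (15, "Medium"), (20, "High"), (25, "Critical"))


def residual_risk_rating(likelihood: int, consequence: int) -> int:
    """Level of risk = likelihood x consequence, both ratings on the 1-5 scales."""
    for name, value in (("likelihood", likelihood), ("consequence", consequence)):
        if not isinstance(value, int) or value not in range(1, 6):
            raise ValueError(f"{name} rating must be an integer 1..5, got {value!r}")
    return likelihood * consequence


def classify(rating: int) -> str:
    """Map a residual risk rating onto the matrix evaluation (Low/Medium/High/Critical)."""
    for upper, label in EVALUATION_RANGES:
        if rating <= upper:
            return label
    raise ValueError(f"rating {rating} is outside the 1..25 heat map")


def heat_map() -> list[list[int]]:
    """The 5x5 heat map as printed in the framework: rows run from impact 5 down
    to 1, columns from likelihood 1 to 5."""
    return [[residual_risk_rating(lik, imp) for lik in range(1, 6)] for imp in range(5, 0, -1)]


@dataclass(frozen=True)
class RegisterEntry:
    """Subset of the risk register fields described in section 7.7."""
    risk_id: str
    specific_risk: str
    likelihood: int   # residual likelihood rating, AFTER controls
    impact: int       # residual impact (consequence) rating, AFTER controls
    risk_owner: str


@dataclass(frozen=True)
class Evaluation:
    risk_id: str
    rating: int
    matrix_evaluation: str
    tolerable: bool   # False means an action plan is required (section 7.6)


def evaluate_register(entries, board_tolerance: int) -> list[Evaluation]:
    """Rate each entry and test it against the Board-approved tolerance.
    A residual rating strictly above the tolerance is not tolerable."""
    results = []
    for entry in entries:
        rating = residual_risk_rating(entry.likelihood, entry.impact)
        results.append(Evaluation(entry.risk_id, rating, classify(rating), rating <= board_tolerance))
    return results


def action_plan_required(evaluations) -> list[str]:
    """Risk IDs whose residual risk exceeds tolerance and therefore need a treatment plan."""
    return [ev.risk_id for ev in evaluations if not ev.tolerable]


# Constructed sample register (hypothetical entries, not taken from the document).
SAMPLE_REGISTER = [
    RegisterEntry("R-01", "Delayed statutory filing", 2, 3, "Group Company Secretary"),
    RegisterEntry("R-02", "Loss of key executive without successor", 4, 4, "Nomination Committee"),
    RegisterEntry("R-03", "Uncontained SHERQ incident at a terminal", 5, 5, "Divisional Chief Executive"),
    RegisterEntry("R-04", "Unbudgeted capital expenditure overrun", 3, 3, "Finance Manager"),
]
BOARD_TOLERANCE = 6  # hypothetical: only "Low" residual risk is accepted without treatment

if __name__ == "__main__":
    for imp, row in zip(range(5, 0, -1), heat_map()):
        print(f"Impact {imp}:", " ".join(f"{v:2d}" for v in row))
    for ev in evaluate_register(SAMPLE_REGISTER, BOARD_TOLERANCE):
        status = "tolerable" if ev.tolerable else "ACTION PLAN REQUIRED"
        print(ev.risk_id, ev.rating, ev.matrix_evaluation, status)
```

The tolerance comparison is deliberately on the numeric rating rather than the colour band, because 7.6 frames the test as the residual risk being "in excess of the risk tolerances set by the Board"; with the constructed tolerance of 6, a Medium rating of 9 is already out of tolerance even though it is not High, which is the case a register reviewer most easily overlooks when reading only the heat map colours.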
7.7 MONITORING AND REVIEW
The information gathered at each stage of the risk management process should be documented in risk
registers. Set out below is an overview of the information required in all risk registers.
Risk ID # | Unique identifier assigned to each risk in the register
Related strategy category | The category the risk fits into under the strategic risk categories identified
Specific risk | Describe the risk in detail
Controls | Current controls in place that reduce the likelihood of the risk event arising or that mitigate the consequences should the risk event occur
Control document evidence | The manner in which the control is documented and monitored
Six Resources of Value Creation | Analyse key risks identified and how they interact with the 6 Resources (Our Money; Our Assets; Our Skills; Our Relationships; Our People and Our Environment)
Opportunities | Identify the upside of risk, i.e. how the risks can be converted into opportunities, considering the Six Resources of Value Creation
Residual risk: Likelihood rating | The chance of the risk/event happening AFTER it is controlled
Residual risk: Impact rating | The impact of the risk after the control(s) has been implemented
Residual risk: Risk rating | The residual risk rating represents the level of risk/impact associated with a risk AFTER the controls have been implemented to reduce the risk/impact
Residual risk: Colour coding | Colour coding based on level after control(s)
Is Residual Risk Tolerable? Yes or no? | Measure against Board approved risk appetite and risk tolerances where applicable
Action Plan for Improvement | Describes how the chosen treatment options will be implemented
Risk & Control Owner | Who will monitor this risk and its treatment, i.e. who is the risk owner?
In creating the Risk Register, the risk owners (i.e. the persons who are actually accountable for managing
the risk and its consequences) can satisfy themselves that they have defined and properly addressed the
real risk. It makes it easier to review the risks and ensure that they continue to be complete, relevant and
accurate having regard for both internal and external changes.
Documentation of risks is the foundation for any meaningful verification process by senior management,
the Board, the Risk Committee or other Committees of the Board and internal and external auditors of
the ongoing existence and relevance of, and compliance with the risk governance process.
Risk Registers should be dynamic documents; that is, as any risk, opportunity, consequence, probability
or mitigator changes, the register should be updated to reflect the current situation.
As a minimum the Grindrod Risk Register is reviewed by the Grindrod Risk Committee every six months.
The monitoring and review process will examine how robust the selected risk controls and management
strategies are, as well as monitor the effectiveness of all steps in the risk and opportunity governance
process and planned areas of future focus.
Divisional key risks are discussed and reviewed on a continual basis as a formal agenda item at
Operational or Executive committee or board meetings, as applicable. The status of the key risks and/or
opportunities should be evaluated by examining any changes to the risks and opportunities and the
effectiveness of the controls in place.
7.8 COMMUNICATION AND CONSULTATION
As risks and opportunities are interrelated, it is essential that communication and consultation with
stakeholders across the Company takes place at each stage of the risk and opportunity governance
process. Decision making within the organisation should involve the explicit consideration of risks and
the application of risk management to some degree.
Communication should address the risk and/or opportunity and the process to manage it. Effective
internal and external communication is important to ensure that those responsible for implementing the
risk management system and those with a vested interest understand the basis on which decisions are
made and why particular actions are required.
Communication is a two-way process; it must flow upwards through management to the Board, and
downwards to all staff from the Board.
7.9 RISK GOVERNANCE CONTINUOUS IMPROVEMENT
The Framework is aligned to the principles of continuous improvement. It requires management to
continually identify, assess, mitigate, review and report risks and opportunities within their business units
so that all risks are mitigated and managed to an acceptable level in accordance with Grindrod’s risk
appetite statement and all opportunities are considered. The period to period movement in the residual
rating of risks enables management to determine whether the Company’s residual risk profile is in
alignment with the approved overall risk profile. In the event that the residual risk rating falls outside the
approved tolerance level, action plans should clearly stipulate who will do what by when to reduce the
risk rating within the tolerance levels.
Effective risk management is the responsibility of everyone in the organisation. To ensure widespread
understanding, management and all divisions should be made aware of the principles set out in this
document.
The Board and committees should ensure the allocation of appropriate resources for risk management
and consider the capabilities, and constraints on, existing resources.
The Board must ensure that internal audit follows an approved risk-based internal audit plan. Internal
audit will perform an objective assessment of the effectiveness of Grindrod’s risk governance process
annually.
8. ANNEXURE A – RISK AND OPPORTUNITY GOVERNANCE POLICY
Grindrod is committed to the management of:
• Risks affecting Grindrod’s reputation;
• Risks affecting Grindrod’s management of and accountability for its performance against strategic
objectives;
• Risks affecting its service delivery obligations, its regulatory framework and business/stakeholder
relationships.
• Risks affecting its assets and intellectual property; and
• Risks affecting safety, security, health and the environment.
• Risks that incorporate the 6 Resources of the Value Creation Model resulting in a comprehensive picture
of the risk universe, including opportunities.
To achieve this aim, risk governance standards based on ISO 31000, King IV and COSO ERM will be
maintained and continually improved. These risk governance standards will involve:
• The design and implementation of a risk and opportunity governance program to reasonably assure the
achievement of strategic objectives;
• Regular risk workshops for the purposes of identifying, evaluating and mitigating risks and identifying
and considering opportunities;
• The monitoring, review and reporting of risk and opportunity governance to the board and risk committee;
• A co-ordinated combined assurance process between management, Risk and Internal Audit to develop
and implement a rigorous Risk Control Programme;
• Risk and opportunity governance education and training; and
• An insurance strategy which manages predictable losses, self-insures consistent with optimal risk
financing and uses secure insurance markets to insure against catastrophic losses.
Risk and opportunity governance is:
• the responsibility of the Board, Risk committee, executives, managers and employees;
• integrated into all business activities and systems;
• assigned and communicated to all levels within the organisation;
• based on the South African Risk Management Standard SANS ISO 31000:2009;
• based on the provisions of COSO ERM;
• compliant with the King IV Report; and
• embracive of the 6 Resources of the Value Creation Model.
The Risk Governance Policy is supported by the Grindrod Risk Governance Framework and existing related
policies. The effective governance of risk is vital to the continued growth and success of Grindrod.
9. ANNEXURE B – MATRIX OF BOARD AND SUB-COMMITTEES
The Board Sub-Committees, listed below, are constituted as standing committees of the Board in terms of
sections 72 and 94 respectively of the Companies Act. The Board delegates certain functions to these
committees without abdicating its own responsibilities.
These committees have an independent and monitoring role, advisory in nature and a maker of
recommendations. A key aspect of these committees’ mandate is the oversight role of specific risks. The
risks covered and the committee processes followed are detailed below:
Board sub-committees
# | Risk category | Social and ethics | Audit | Nomination | Remuneration
9.1 | SHERQ* | ✓✓
9.2 | Reputational* | ✓✓
9.3 | Empowerment/B-BBEE* | ✓✓ ✓✓
9.4 | Loss of key senior/executive management* | ✓✓ ✓✓
9.5 | Loss of key talent | ✓✓
9.6 | Legal/Policy compliance and governance** | ✓✓ ✓✓
9.7 | IT** | ✓✓
9.8 | Fraud** | ✓✓ ✓✓
* Top Group Risk
** Pervasive Group Risk
✓✓ Primary Committee that oversees the management of this risk
✓✓ This Committee oversees the management of aspects of this risk
9.1 SHERQ RISK
Social and ethics committee:
• Takes into consideration and records the actions taken to reduce the negative impact of the company’s
activities, products and/or services on the environment, health and public safety.
• Monitors and considers the ESG reporting according to the FTSE/JSE Responsible Investment Index
Themes.
9.2 REPUTATIONAL RISK
Social and ethics committee:
• Monitors and reviews social and economic standing in terms of:
• Goals and purposes of the 10 principles set out in the United Nations Global Compact Principles.
• OECD recommendations regarding corruption.
• Promotion of equality, prevention of unfair discrimination and reduction of corruption as well as
contributions to development of communities in which its activities are predominately conducted.
• Recording of sponsorships, donations and charitable giving.
• Upholding and maintaining best practice corporate governance, as set out in King IV.
• Identifying and reviewing items that conflict with the practice of good corporate citizenship, the Code
of Ethics and/or any other policy that is of an ethical nature.
• Reviews and monitors policies on whistleblowing, or any other policy that may require independent
investigation.
• Reviewing and monitoring the ethical framework.
• Monitors the relationships with all stakeholders.
• Assess and monitor the company’s standing in terms of the International Labour Organisation Protocol
on decent work and working conditions, employment relationships and contribution by the company
towards the educational development of its employees.
• Draws to the attention of the Board and shareholders, matters within its mandate as they occur and at
the annual general meeting respectively.
9.3 EMPOWERMENT/B-BBEE RISK
Social and ethics committee:
• Monitors that Grindrod has embraced and duly executed the necessary measures to ensure the proper
implementation of transformation and B-BBEE; and
• Ensures that the Group develops and implements programmes to address the requirements of B-BBEE
and all other appropriate legislation.
• Inculcates the culture of developing people to achieve their optimum potential in the implementation of
transformation processes and establishment of empowerment businesses. This should form part of the
business plan of the company.
• Assists in identifying special projects/initiatives to uplift disadvantaged communities within the areas
where the company’s operations are situated, in line with the Group’s socio economic development
policy, with specific focus on educational upliftment.
9.4 LOSS OF KEY SENIOR/EXECUTIVE MANAGEMENT RISK
Nomination committee:
• Monitors formal succession plans for the Board, Chief Executive Officer, Financial Director, Executive
members and Senior Management.
Remuneration committee:
• Reviews and monitors the implementation of the remuneration policy that will promote the achievement
of the strategic objectives of the company and encourage individual performance.
• Monitors the specific remuneration packages for Executive Directors and Executive members of the
company, including but not limited to, basic salary, performance-based short-term and long term
incentives, pensions and provident funds, medical aid and other benefits.
• Ensures that the mix of fixed and variable pay in cash, shares and other elements meets the company’s
needs and is in line with the company’s strategic objectives.
• Monitors long term incentives and the allocation of shares and rights in terms thereof.
• Monitors salary adjustments for employees outside the bargaining unit, the Profit Share Incentive
Scheme for all employees and the staff retention strategy policy.
9.5 LOSS OF KEY TALENT
Social and Ethics committee:
• Reviews and monitors the implementation of the talent management policy that will promote the
attraction and retention of talent.
9.6 LEGAL/POLICY COMPLIANCE RISK
Social and Ethics committee:
• Monitors legal compliance at a group level and assists the company in ensuring that any/all appropriate,
applicable charters and policies are adequately addressed.
• Monitors legal compliance relating to human capital and should recommend to the Board on areas that
may require additional resources/ attention.
Audit committee:
• The Committee ensures that a combined assurance model is applied to provide a co-ordinated
approach to all assurance activities and to ensure that the combined assurance received, (including
from external assurance service providers, internal audit and the finance function), is appropriate to
address all the significant risks of the company.
9.7 IT RISK
Audit committee:
Provides oversight on the following IT risks and activities:
• IT Governance (King IV/COBIT).
• Group IT Operating Model.
• Application and infrastructure landscape.
• Project Management Office (PMO).
9.8 FRAUD RISK
Audit committee:
• Provides oversight on financial reporting risks, internal financial controls and fraud risks as they relate to
financial reporting.
Social and ethics committee:
Monitors and reviews:
• OECD recommendations regarding corruption.
• Policies and statistics on whistleblowing.
• Fraud risk management plan.
• Material fraudulent activities.