The Board has delegated the management of risk to the audit and risk committee.
The Board is committed to effective risk management in pursuit of the Group’s strategic objectives with the aim of growing shareholder value sustainably. The Board continued to enhance its capabilities to anticipate risks and manage them. The Board realises that proactive risk management is both an essential element of good corporate governance and an enabler in realising opportunities.
GOVERNANCE OF RISK MANAGEMENT
Overall, the Board is accountable and responsible for the governance of risk and is committed to effective risk management in pursuit of the Group’s strategic objectives. The Board is assisted by the audit and risk committee, which reviews and monitors the effectiveness of the risk management processes within the Group in accordance with corporate governance requirements.
The Group complies with a risk management policy that was approved by the audit and risk committee to ensure that a best practice risk assessment approach is followed. The committee ensures that the risk management process complies with the relevant standards and works effectively. The Board oversees the activities of the audit and risk committee, the Group’s external and internal auditors as well as the Group’s risk management function.
The executive committee of the divisional subsidiaries and associate companies are accountable and responsible for managing risks within their business units and may delegate specific responsibilities appropriately. This process is evaluated by the Group internal audit, who provided the audit and risk committee with assurance that significant business risks were systematically identified, assessed and reduced to acceptable levels in line with the Board’s risk appetite.
OUR APPROACH TO RISK MANAGEMENT
During the year under review, the Group’s risk management approach continued to evolve, was flexible and relevant to the business needs in an ever-changing environment. The audit and risk committee continued to assess, manage and report on all significant risks, their impact on the business and the mitigation of the risks.
The committee also assessed whether the risk process is effective in identifying and evaluating risks to determine whether the business operations have managed the risks in line with the Group’s strategy. It considered the impact of risks on the sustainability of the business and the external and internal environments, in order to identify key developments related to our risks, implications and responses. The responsibility for monitoring the management of each of these risks is assigned to the executive management of each business unit. The risks are then considered at a Group level through the monitoring process of the audit and risk committee.
In order to enhance the effectiveness of risk management in the Group, the committee engaged the services of Nexia SAB&T to perform an independent gap analysis to benchmark the current internal audit and risk management structures and practices against:
- the International Standards for the Professional Practice of Internal Auditing; and
- the risk management maturity and internal audit maturity models.
The results of the analysis revealed compliance with the said requirements. However, Nexia SAB&T identified a few areas for improvement. Management has already implemented some of the recommendations made and continues to work on the other areas that have been identified.
Risk registers are tabled at each Company and subsidiary Board meeting under the categories of financial, operational, strategic, legal compliance, human resources, economic, information and technology and environmental risk. Action plans are monitored and discussed to reduce the risks to acceptable levels. From the risk evaluation in the risk register, significant risks are reported to the audit and risk committee, who in turn reports these risks to the Board. The Board is able to oversee the risk management process at Group level.
RISK MANAGEMENT PROCESS
With the application of the risk management policy, potential risk exposures are identified, assessed on their likelihood of occurrence and impact of the outcomes and evaluated by using the risk tolerance as identified in the risk management policy.
The structure of our risk management process is set out below. This structure was rolled out across the entire Group and is in line with industry standards.
In fulfilling its mission, AEEI is exposed to a broad range of risks which arise as a consequence of its business operations and performing its duties. AEEI’s risk management charter acknowledges that the success of AEEI is dependent on the effective management of those activities that support the key strategic objectives and value drivers as outlined in the Vision 2020 Vision strategic plan and that all activities have an associated element of inherent risk. It is imperative that all levels of the organisation assess risk in order to effectively identify and appropriately address them.
The risk management policy defines the critical processes for identifying risks and prioritising and proactively managing those risks. The resulting residual risk level is that measure of risk exposure remaining following the implementation of mitigation and management strategies.
RISK APPETITE AND TOLERANCE
In support of effective governance and risk-informed decision-making, the Board of AEEI has set out a risk appetite statement for those risks which, to a lesser or greater extent, are within its control to mitigate and manage. The risk appetite statement specifies the types of risks AEEI is willing to accept in fulfilling its mandate and informs policies on the allocation of accountabilities and resources to managing its risk exposures.
We define risk appetite as the amount and type of risk that we are willing to take in order to meet our strategic objectives.
We define risk tolerance as the amount of risk that we are willing to bear and cope with despite controls.
RISK MANAGEMENT RESPONSIBILITIES
In applying the Group’s strategy, we implemented the risk management process based on the approved risk management policy. The policy document defines the objectives, methodology, process and responsibilities of the various role players. The policy is subject to annual review and any proposed amendments are submitted to the audit and risk committee for consideration and recommendation to the Board for approval.
During the year under review the committee undertook the following functions:
- Assisted the directors in fulfilling their responsibilities to ensure the risk management process is effective and in place throughout the Group
- Evaluated reports from the internal auditor concerning the Group’s risk management, compliance processes and controls in order to oversee the effectiveness thereof
- Assessed reports from divisional management concerning business, operational risk and compliance risk in order to oversee these risks and assess their impact on the Group
- Received reports from management concerning the resolution of significant risk exposure and risk events, in order to monitor and approve them in accordance with the Board’s risk appetite
- Ensured that the Group complied with applicable external and regulatory obligations and significant internal policies relating to the operation of its business units
- Assessed whether IT risks are adequately addressed through the risk management and assurance processes of the Group
- Facilitated communication of risk issues to all management
- Approved the updated risk management charter and amended risk management policy
The Board is committed to a process of risk management that is aligned to the principles of King IVTM.