The Board is responsible for technology and information governance in the Group and has delegated the management of technology and information governance to the audit and risk committee.
The audit and risk committee governs technology and information in a way that supports the organisation in setting and achieving its strategic objectives and has delegated this responsibility to management to implement and execute effective technology and information management. Management is accountable for operational governance of technology and information management.
“The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.”
GROUP IT STRATEGY
The technology and information environment is fully covered through King IV™ and is fully integrated into the Group’s strategic planning process to ensure strategic, tactical and operational alignment in the achievement of the Group’s objectives. An annual report on technology and information governance is tabled at the audit and risk committee meeting to address any significant technology and information investment, risks and matters to be considered to ensure compliance with the governance framework. The primary focus during the year was to review and approve the Group’s technology and information strategy to ensure that there is good governance throughout the ecosystem by ensuring the effectiveness and efficiency of the Group’s systems from a strategic alignment and risk perspective.
Business leaders are urgently trying to keep abreast of the surging pace of digital transformation globally. Information technology (IT) security can no longer be an afterthought, as the digital economy accelerates and consumers and organisations become increasingly inter-connected. Security must be the foundation on which solutions are built.
IT security incidents, such as ransomware attacks this year, occasion a large but reactionary response from companies and industries. However, this typically happens after significant damage has been done.
The world continues to evolve due to significant trends such as:
- IT automation and analytics are two key trends accompanying artificial intelligence, which is starting to play a significant role in IT security;
- further personal data legislation has a significant global impact on how companies secure their data and protect their digital assets;
- mobile devices with pervasive connectivity to the internet, as broadband data reduces in price and increases in availability, result in new heights of social media interaction on a business and personal level;
- cloud computing, which provides access to high-level, utility-based, location-independent and capital-light computing resources and agility;
- an increase in data that needs to be stored, managed and interpreted for business advantage; and
- the increase in connected devices installed to on-board computers giving rise to the internet of real-time exchange of information between connected devices.
REPORT OF THE COMMITTEE
An integrated approach for technology and information governance in all the business units was implemented and all divisions in each subsidiary have followed the Group user policies and security practices within the technology and information environment.
Group synergies continue to be sought in the following areas:
- Innovation and best practice:
- The Group collaborates and shares in areas of new skills with further enhancement envisaged in the formation of shared competency groups
- Integration of technology and information risks
- Proactive monitoring of intelligence to identify and respond to incidents, including cyberattacks and social media events
- The integration of people, technologies and information across the Group
- The continual development of our IT professionals in the Group is critical in a rapidly changing environment, with due consideration being given to new appointments for diversity and transformation targets
- Ethical and responsible use of technology and information
- Adoption of a compliance technology architecture towards establishing a robust system of record that proves a state of compliance and documents any change made, thus providing a complete audit trail
- Key suppliers are sought to optimise procurement and service levels across the Group, with shared services where appropriate and new opportunities being investigated
- Evaluation of projects throughout their life cycles and significant operation expenditure
- The leveraging of information to sustain and enhance the Group’s intellectual capital
During the year under review the committee undertook the following to ensure best practices:
- All changes to the IT systems followed an official change control process, where detailed testing of the changes was documented including the impact of the change, the associated risk and the back-up plan detailed.
- All systems were backed-up daily and stored off-site. Quarterly restore tests were done to ensure that the backups were working.
- All servers and workstations have the latest operating system patch level, all security updates are applied and compliance is monitored to ensure that the organisation is protected from security threats.
- All servers and workstations have the latest anti-virus patch levels applied, and compliance is monitored to ensure the organisation is protected from security threats.
- A disaster recovery/business continuity plan is being re-drafted with regular testing done to ensure that disaster does not impact the business.
- Firewalls, password management and remote access are in place to ensure that the organisation is not at risk of a security breach.
- Measures for the regular changing of passwords are in place.
- Restrictions to websites that pose a security threat are in place.
- Restrictions on who can access what, whether it is external or internal to the organisation, have been applied.
- Strong password controls are in place and the network password policy was reinforced.
- A formal incident and fault call logging process is in place to ensure that issues are dealt with speedily.
- We instituted ransomware mitigation procedures and ESET antivirus software is updated regularly on all workstations and the server.
(King IV™ – Principle 12)
The ever-changing environment brings with it the complexities of managing information risk and the Group is applying the appropriate operational and technology interventions to manage these challenges.
As the Group is dependent on IT to meet its business needs and sustainability objectives, all identified risks are monitored and reduced to an acceptable level by executive management. The Group prides itself on the high standard of security monitoring, data protection, business service availability and network reliability. It ensures that IT maintenance is performed and reviewed constantly.
Although no material risks were reported on during the year under review, we are cognisant of cybersecurity and the implications thereof, taking into account the protection of our stakeholders, which remains a high priority. One aspect driving risks and security is our governance and internal audit to ensure that the organisation’s information assets are secure.
We constantly address best practices, threats from phishing, ransomware and other cyberthreats which could have an impact on business operations, financial statements, legal exposure and the Company’s reputation. (King IV™ – Principle 11)
TECHNOLOGY-ENABLED SOLUTIONS – CHANGING ROLE OF IT
In terms of our Vision 2020 Vision strategy, the Group is looking into the technology landscape and systems, taking into account the current systems. An assessment was done for an integrated technology system that would be able to accommodate all companies within the Group, taking into account the different needs of each individual company. A system was identified for the Group with future additional benefits that over time could be implemented through a phased approach.
Key to considering the new technology was the multi-user environment and data being generated in a variety of options, thus reducing the risk of errors, audit trails, document managers, improved workflows, multiple reviewers and consolidation of information and maintenance costs. The new technology will be implemented through a phased approach, with phase 1 commencing November 2017.
The Group’s current focus is on maintaining the existing traditional enterprise systems where operational reliability is paramount. The current systems have necessitated enhancements within the Group’s business units and consolidation for improved corporate controls and reporting.
The Group is currently looking into an effective integrated framework and compliance technology architecture to support compliance risk management with various capabilities.
Our technology division continues to provide technology-enabled solutions which add value to our customers by:
- enhancing current services;
- providing productivity solutions to optimise business activities;
- providing integrated business solutions;
- providing consultative advice based on business needs;
- offering an integrated range of services;
- being specialists in its field; and
- providing client-centric security strategy and management services.
The digitised cloud-enabled world has many IT products and services readily available for business consumption, necessitating additional requirements from the technology division for its clients.
The Board has oversight over the effectiveness of technology and information governance through the delivery of the integrated report and the approval of governance framework and policy.
The Board oversees:
- The adoption of a governance framework and review of IT policies that will detail the strategic direction on the use of technology and information;
- The new report from management will contain the following objectives in terms of compliance:
- Activities and functions of the IT strategy are aligned to the business strategy
- The optimal investment made in IT – costs are managed and the return on investment measured
- IT risks are identified and adequately addressed and assurance is obtained to ensure that the IT control framework is in place to address IT risks
- IT resources are sourced within subsidiary companies or externally
- Information, IT assets and intellectual property contained in the IT systems are protected and effectively managed and used
- IT has adequate business resilience arrangements in place for disaster recovery
- Information management is a joint IT and business responsibility
- IT governance conforms to laws, and related rules, codes and standards are considered
- The use of IT is sustainable with respect to the environment and security
- Synergies between IT initiatives and the benefits to the organisation as a whole and individual business units
(King IV™ – Principle 12)
For the year under review, the committee is satisfied that it has fulfilled all its statutory duties assigned by the Board. The chairman of the audit and risk committee reports to the Board on the activities of the committee at each Board meeting.