Risk report


The Board is responsible for determining the nature and extent of the risks it is willing to take in achieving its strategic objectives. Risk-based leadership with the Board at its apex is fundamental to Datatec's approach to its operations and, in line with the King III Code, the Board takes ultimate responsibility for risk management. The Group's risk policy sets out the Board's approach to risk management and establishes a risk management framework to enable risk to be managed on a decentralised basis subject to Group overview.

The approach to risk management and internal control defined in the risk policy has applied throughout the year under review and up to the date of approval of this Integrated Report and annual financial statements. The risk management framework for maintaining sound risk management and internal control systems throughout the Group is explained in more detail later in this report.

The key risks to the Group are set out below.

Key risks

Technological market disruption

The Group's operations focus on the higher value, faster growing products and services in the ICT supply chain. While the Group's portfolio does not include any manufacturing, it is essential to anticipate the impact of the rapid technological change which is a feature of the sector. This risk is addressed through careful partner selection in terms of vendors and by working closely with our vendor partners. In addition, the Group's operating divisions must pre-empt market changes resulting from new technology such as the provision of Infrastructure as a Service (“IaaS”) enabled by the development of cloud computing.

Internal technological risks

The Group's internal systems are at risk, both from planned changes leading to business interruption and disruption by external “cyber” threats. The Group has high dependence on its key information systems and accordingly deploys significant resources on its own information security defences.

The implementation of new systems such as the ERP system at Westcon-Comstor carries particular risks which the Group mitigates by careful planning of phased introduction. This approach allows time for problems encountered during the roll out to be rectified before continuing with the deployment in remaining jurisdictions. Despite this phased introduction approach the Group has not been able to mitigate the disruption to the Westcon-Comstor business resulting from the ERP implementation in EMEA during FY17. This implementation was the most complex in the sequence of implementations and now that the ERP roll out is complete it will provide a much improved platform for risk management of the Westcon-Comstor business.

Financial risk related to financial instruments

These risks include market risk (foreign exchange risk and interest rate risk), credit risk and liquidity risk. The Group seeks to minimise the effects of these risks by using derivative financial instruments to hedge these risk exposures where possible and appropriate. While the Group utilises derivative financial instruments where appropriate, the Board cannot predict the effect of exchange rate fluctuations upon future operating results and there can be no assurance that exchange rate fluctuations will not have a material adverse effect on its business, operating results or financial condition. In addition, the imposition of currency controls by governments further restricts the ability of the business to manage its exposure to foreign exchange risk in particular circumstances. The Group aims to minimise its exposure to markets identified as being at risk in terms of foreign exchange and capital controls.

Dependence on key vendors

The Group is dependent on certain vendors, particularly Cisco, whose products and services accounted for approximately 46% of the Group's revenue. If any one of the Group's principal vendors terminates, fails to renew or materially adversely changes its agreement or arrangements with the Group, it could materially reduce the Group's revenue and operating profit and thereby seriously harm the Group's business, financial condition and results of operations. The Group's management recognises the importance of its vendor partners as one of its key stakeholder groups and assigns the highest priority to maintaining close, transparent relationships with them for the mutually beneficial development of the business.

Risk of failure to fund working capital needs sufficiently

The Group's business is working capital intensive; this is particularly relevant for Westcon-Comstor. Westcon-Comstor's working capital is utilised to finance accounts receivable and inventories. Westcon-Comstor largely relies on revolving credit and vendor inventory purchase financing for its working capital needs. The availability of these facilities to particularly Westcon-Comstor, and any material changes thereto, will affect the business's ability to fund its working capital requirements.

Management of working capital through inventory control and effective accounts receivable management is also crucial for the business and is a key focus of management and of the review processes in the risk management framework.

 
Management of future growth and acquisition risk

The Group's planned growth strategy will continue to place additional demand on management, customer support, administrative and technical resources. If the Group is unable to manage its growth effectively, its business operations or financial conditions may deteriorate. To date, the business of the Group has grown through acquisitions and through organic growth. The Group will continue to consider further acquisition opportunities. If the Group is unable to successfully integrate an acquired company or business, such acquisition could lead to disruptions to the business. If the operations or assimilation of an acquired business does not accord with the Group's expectations, the Group may have to decrease the value attributed to the acquired business or realign the Group's structure. To mitigate this risk, the Group undertakes extensive due diligence of potential acquisitions, including detailed integration planning. These processes are managed and directed by Datatec's central team.

During the year the Group focused on improving its procedures for the integration phase of acquisitions and established a head office function to oversee the integration of new acquisitions throughout the Group and assist with the dissemination of good practice and management tools in this area.

Risk of mismanagement of payment discounts, product rebates and allowances

The Group receives significant benefits from purchase and prompt payment discounts, product rebates, allowances and other programmes from vendors based on various factors. A decrease in purchases and/or sales of a particular vendor's products could negatively affect the amount of discounts and volume rebates the Group receives from such vendors. Because some purchase discounts, product rebates and allowances from vendors are based on percentage increases in purchases and/or sales of products, it may become more difficult for the Group to achieve the percentage growth in volume required for larger discounts due to the current size of its revenue base. In addition, vendors may exclude the Group from time to time from participation in some of their programmes. As noted above under the "dependence on key vendors" heading, a strong and transparent relationship with our vendor partners is crucial in managing product discounts, rebates and allowances.

Risk of overdependence on key personnel

The Group's future success depends largely on the continued employment of its executive directors, senior management and key sales, technical and marketing personnel. Certain key employees have relationships with principal vendors and customers which are particularly important to the business of the Group. The executive directors, senior management team and key technical personnel would be very difficult to replace and the loss of any of these key employees could harm the business and prospects of the Group. The Group's employees are a key stakeholder group and a high standard of employment conditions and working environment are seen as essential for the business.

Dependence on key customers

The Group's customer base is much larger than its vendor base but nevertheless includes large individual customers in specific regions. Accordingly, the exposure to credit risk must be noted as a key risk of the business. Management's response to this risk is to maintain close relationships with key customers of the Group and to operate rigorous credit assessment and control procedures.

Other risks faced by the Group

  • Intensification of competition
  • Warehouse and logistics disruption leading to business interruption
  • Changes in customer relationships
  • Managing and controlling widespread international activities
  • Restrictions on access to capital
  • Reduction in demand
  • Pressure on gross margins

Risk management framework

The Group's risk management process has three key steps:

  • Identify key risks – document in risk registers
  • Implement controls to mitigate risk – monitor through continuous review
  • Obtain assurance that controls are effective

Within this framework, the specific responsibilities of different designates and the processes they follow are set out below:

  Responsibility   Process  
  Board
    Extensive experience in the Group's main business streams
    Experience of the non-executive directors in other fields of business
  • Level of risk tolerance and limits of risk appetite are set as part of the strategic direction of the Group
  • A combined assurance framework is in place to ensure adequate assurance that the controls over the identified risks are operating effectively
  • A Group risk register is maintained and risks across all aspects of the Group's operations are considered, including financial, market, political and operational risks, as well as social, ethical and environmental risks
  Audit, Risk and Compliance Committee
  • Monitors risk management activities on an ongoing basis
  • Discusses risk topics raised
  • Reviews divisional summary risk registers semi-annually
  • Reviews divisional audit, risk and compliance committee meeting minutes
  • Reviews divisional management risk committee minutes
  Group Chief Risk Officer
  • Chairs Datatec Risk Committee
  • Chairs ICT Governance Committee
  • Maintains Group risk register
  • Reports to CFO
  • Reports to Audit, Risk and Compliance Committee
  • Ensures that the risk management framework is operating effectively in the divisions
  • Ensures improvements in the controls and risks identified in the Group risk register
  Divisions – divisional boards, executive committees, management risk and compliance committees
  Head office – Datatec Risk Committee
  • Regularly review strategic and emerging risks
  • Input to risk registers
  • Identify and prioritise high-risk areas on risk maps based on impact and likelihood
    • Impact ratings are broadly defined in terms of financial thresholds, operational impacts, regulatory compliance, customer and community impacts, employee impacts and reputational impacts
    • Likelihood ratings are defined in terms of the overall likelihood of a risk materialising
  • Further analyse high-risk areas to identify potential root causes
  • Identify mitigating controls and associated monitoring/assurance activities for each high-risk area
  • Assign an executive to monitor and manage specific risk areas
  • Review risk registers and risk maps semi-annually
  Divisional Chief Risk Officers
  • Ensure divisional risk procedures accord with and support the Group's risk management framework
  • Maintain divisional risk registers
  • Coordinate the execution at divisional level of the risk management framework
  • Identify emerging risk and compliance issues
  • Report on divisional management of risk to divisional audit, risk and compliance committees (which report to the divisional boards)
  • Oversee management's response to matters identified as requiring improvement

Financial and internal control

The Group's internal control and accounting systems are designed to provide reasonable, but not absolute, assurance as to the integrity and reliability of the financial information and to safeguard, verify and maintain accountability of its revenues and assets. These controls are implemented and maintained by skilled Company personnel.

Combined assurance

A combined assurance framework for monitoring and evaluating the effectiveness of the internal controls is in place throughout the Group. This framework deploys and coordinates internal and external assurance providers to report on the effectiveness or otherwise of the Group's internal controls.

A combined assurance model aims to optimise the assurance coverage obtained from management, internal assurance providers and external assurance providers on the risk areas affecting the Group. Within Datatec there are a number of assurance providers that either directly or indirectly provide the Board and management with certain assurances over the effectiveness of those controls that mitigate the risks as identified during the risk assessment process. Collectively, the activities of these assurance providers are referred to as the combined assurance framework.

As the nature and significance of risks vary, assurance providers are required to be equipped with the necessary expertise and experience to provide assurance that risks are adequately mitigated. External assurance providers include external audit, internal audit, regulators, sustainability assurance providers and other professional advisers.

In the combined assurance model, each control is linked to a specific assurance provider, where applicable, to enable the following to be identified:

  • Risk areas where no/insufficient controls have been identified;
  • Risk areas where controls have been identified, yet insufficient assurance is provided (gaps); and
  • Risk areas where duplicate or "excess" assurance is provided (duplication).

Combined assurance framework

  • Management-based assurance:
    Management oversight, including strategy implementation, performance measurements, control self-assessments and continual monitoring mechanisms and systems.
  • Local management is required to complete and submit control self-assessment programmes annually and this is monitored against internal control norms. Action is taken where ratings are considered to be inadequate. Ratings are also reviewed by the Audit, Risk and Compliance Committee.
  • In addition, the Board obtains a formal letter of assurance annually from each of its subsidiary divisions (supported by similar representations from the divisions' own subsidiaries) which provides the Board with assurance over the operation of the risk management processes described above, including the operation of internal controls over financial and IT risks, compliance with legislation, and the ethical and sustainable management of the business.
  • Internal assurance:
    Risk management (adopting an effective enterprise risk management framework), legal, compliance, health and safety, and quality assurance departments are included. They are responsible for maintaining policies, minimum standards, oversight and risk management performance and reporting.
  • Independent assurance:
    Independent and objective assurance of the overall adequacy and effectiveness of risk management, governance and internal control within the organisation is predominantly the role of internal audit, external audit and other expert assurance providers required from time to time.
  • Oversight committees:
    Appropriate assurance providers under each of the above categories have been identified:
    • The Audit, Risk and Compliance Committee
    • The Social and Ethics Committee with regard to oversight of the Group's controls in the sphere of ethics, corporate social responsibility and sustainability
    • The Remuneration Committee with regard to controls in the remuneration sphere
    • The Nominations Committee in relation to Board diversity and corporate governance structures.
  • Management has used this model to conclude on the completeness and appropriateness of the current assurance activities for each risk identified and that the level of assurance provision is satisfactory. It continues to maintain the framework as part of the ongoing risk management process.
  • The Audit, Risk and Compliance Committee has reviewed the combined assurance frameworks for the Group and the three divisions to satisfy itself with management's conclusions and will continue to review them as part of its role in oversight of risk management.
  • In light of its review of the combined assurance framework, the Audit, Risk and Compliance Committee has recommended to the Board that appropriate assurance activities are in place in relation to the controls operating over each risk identified in the risk management process.

The governance of IT

The Board has ensured that the governance of IT is firmly embedded in the Group's risk management culture by identifying IT risk as one of the risks to be managed across all operations with controls and assurance provision to be maintained and reviewed in the same way as for other risks. The Board has adopted an ICT governance policy setting out the Group's approach to ICT governance. Within this policy an ICT Governance Committee has been established comprising divisional IT risk management and IT executives with the aim of reinforcing the integration of IT risk issues into the Group's risk management framework.

The Board includes a review of IT governance procedures operated by the Group's major divisions in its annual timetable to assist in its IT governance role.

In addition, there are documented and tested procedures in the major subsidiaries which will allow them to continue their critical business processes in the event of a disastrous incident impacting their activities. Such documented procedures are reviewed annually and, where weaknesses are identified, the relevant subsidiaries are required to rectify them.

Management reporting

The Group operates management reporting disciplines which include the preparation of annual budgets by operating entities. Monthly results and the financial status of operating entities are reported against approved budgets. Profit projections and cash flow forecasts are reviewed regularly, while working capital, borrowing facilities and bank covenant compliance are monitored on an ongoing basis. All financial reporting by the Group, including external financial reporting and internal management reporting, is generated from the same financial systems which are subject to the internal controls and risk management procedures described on page 47.

Compliance framework and processes

Each division manages compliance with relevant laws and regulations, which the Audit, Risk and Compliance Committee has divided into the following broad categories for the purposes of monitoring. These are considered to be the main themes/classes of legislation which pose the biggest risk to Datatec in the event of breach:

  • Corporate law – companies acts, financial reporting
  • Financial law – anti-money laundering, fraud
  • Export regulations – trade sanctions, foreign corrupt practices
  • Import regulations – including duty and VAT
  • Taxation
  • Securities law – insider dealing, stock exchange compliance
  • Employment law – unfair dismissal, employment practices, health and safety
  • Intellectual property, trademarks, patents
  • Competition legislation
  • Customer protection legislation.

Each category is considered in the risk assessment process and, if appropriate, a risk is recorded on the relevant risk register and managed in accordance with the risk management framework set out in this report. The divisions' audit, risk and compliance committees report on each category of legislation above, noting whether any breaches of compliance have been identified.

Internal audit

Internal audit is an independent appraisal function which examines and evaluates the activities and the appropriateness of the systems of internal control, risk management and governance. The internal auditor is the key assurance provider in the Group's combined assurance framework described above. The function provides the Board with a report of its activities which, along with other sources of assurance, is used by the Board in making its assessment of the Group's system of internal controls and risk management.

Datatec has outsourced the internal audit function of the Group to EY. Internal audit operates within defined terms of reference as set out in its charter and the authority granted to it by the Audit, Risk and Compliance Committee and the Board, and reports to the Audit, Risk and Compliance Committee with notification to the Chief Risk Officer.

The EY internal audit team reports to the Chief Risk Officer on day-to-day matters, and to the Chairman of the Audit, Risk and Compliance Committee and, in addition, has unfettered access to the Group CEO and CFO as required.

Audit plans are presented in advance to the Audit, Risk and Compliance Committee for approval. The plans are based on an assessment of risk areas involving an independent review of the Group's own risk assessments which are recorded in the risk registers. Audits include Group-wide reviews of specific risk areas as well as "baseline control" audits of key controls applying to business processes at specific locations. An example of a Group-wide review carried out during FY17 was a series of audits reviewing the Group's controls in relation to acquisition risk. This resulted in several improvement recommendations including establishing a Group function to oversee the integration process applied to new acquisitions as noted under the heading "management of future growth and acquisition risk" on page 45.

The internal audit team attends and presents its findings to the Audit, Risk and Compliance Committee. Management is responsible for acting on the findings of internal audit and implementing remedial action to correct identified control weaknesses. Internal audit reviews management's actions on the findings and reports back on the effectiveness of the response. An example of an internal audit finding which is currently being addressed by management across the Group is weakness in access controls to IT systems. The internal audit process and management's response to the findings thereby contribute to a continuous improvement culture in the Group's risk management function.

The Audit, Risk and Compliance Committee is satisfied that internal audit has met its responsibilities for the year with respect to its terms of reference.

External audit

The Audit, Risk and Compliance Committee is responsible for recommending the external auditor for appointment by shareholders and for ensuring that the external auditor is appropriately independent.

Shareholders have appointed Deloitte & Touche as the external auditor to the Group and their reappointment will be sought at the upcoming Annual General Meeting.

The external auditor carries out an annual audit of all the Group's subsidiaries in accordance with international auditing standards and reports in detail on the results of the audit both to the audit, risk and compliance committees of the Group's divisions and to the Group Audit, Risk and Compliance Committee. The external auditor is therefore the main external assurance provider for the Board in relation to the Group's financial results for each financial year.

The Audit, Risk and Compliance Committee regularly reviews the external auditor's independence and maintains control over the non-audit services provided, if any.

Pre-approved permissible non-audit services performed by the external auditors include taxation and due diligence services. The external auditor is prohibited from providing non-audit services such as valuation and accounting work where its independence might be compromised by later auditing its own work. Any other non-audit services provided by the external auditor are required to be specifically approved by the Chairman of the Audit, Risk and Compliance Committee or by the full committee if the fees are likely to be in excess of 50% of the audit fee.

The external auditor has the policy of rotating the lead audit partner and those of South African subsidiaries every five years and the other subsidiary audit partners with a maximum of every seven years. The Audit, Risk and Compliance Committee has adopted the same policy.

Board assessment of the Group's system of internal controls and risk management

Nothing has come to the attention of the Board or has arisen out of the internal control self-assessment process, internal audits or year-end external audit that causes the Board to believe that the Group's system of internal controls and risk management is not effective or that the internal financial controls do not form a sound basis for the preparation of reliable financial statements. The Board's opinion is based on the combined assurances of external and internal auditors, management and the Audit, Risk and Compliance Committee.