Risk report

The Board is responsible for Datatec's strategy, leadership and decision-making which are all impacted by risk. Risk-based leadership, with the Board at its apex, is fundamental to Datatec.

Johnson Njeke
Audit, Risk and Compliance Committee Chair

Risk policy

The Group's risk policy:

  • sets out and explains Datatec's approach to risk and risk management;
  • records the Board's evaluation of Datatec's risk appetite for the main categories of risk;
  • explains the principles behind Datatec's risk management framework which contains the procedures by which the policy is implemented; and
  • supports management in managing risk, allowing risk to be managed on a decentralised basis subject to Group overview.

The approach to risk management and internal control defined in the risk policy has been applied throughout the year under review and up to the date of approval of this Annual Report and annual financial statements.

The risk policy is reviewed by the ARCC and approved annually by the Board. The latest update was approved in March 2023.

While all risks are continually monitored, the ARCC is paying particular attention to cyber security threats, which remain at a very high level. Risk mitigation in this area is being undertaken continuously across the Group and is being closely monitored by the ARCC.

The risk management framework which is used for maintaining sound risk management and internal control systems throughout the Group is explained in more detail later in this report.

Board assessment of the Group's system of internal controls and risk management

Nothing has come to the attention of the Board or has arisen out of the internal control self-assessment process, internal audits or year-end external audit that causes the Board to believe that the Group's system of internal controls and risk management is not effective or that the internal financial controls do not form a sound basis for the preparation of reliable financial statements. The Board's opinion is based on the combined assurances of external and internal auditors, management and the ARCC.

Risk management framework

The Group's risk management process has three key steps:

  • Identify key risks – document in risk registers
  • Implement controls to mitigate risk – monitor through continuous review
  • Obtain assurance that controls are effective – combined assurance programme

Within this framework, the specific responsibilities of the designated bodies and officers, and the processes they follow, are set out below:

  Board

  Responsibility:
  • Extensive experience in the Group's main business streams
  • Experience of the non-executive directors in other fields of business

  Process:
  • Level of risk tolerance and limits of risk appetite are set as part of the strategic direction of the Group
  • A combined assurance framework is in place to ensure adequate assurance that the controls over the identified risks are operating effectively
  • A Group risk register is maintained and risks across all aspects of the Group's operations are considered, including financial, market, political and operational risks, as well as social, ethical and environmental risks

  Audit, Risk and Compliance Committee
  • Monitors risk management activities on an ongoing basis
  • Discusses risk topics raised
  • Reviews risk registers semi-annually
  • Reviews divisional audit, risk and compliance committee meeting minutes
  • Reviews CRO Forum minutes

  Group Chief Risk Officer
  • Chairs CRO Forum
  • Chairs Information and Communication Technology ("ICT") Governance Committee
  • Maintains Group risk register
  • Reports to CFO
  • Reports to ARCC
  • Ensures that the risk management framework is operating effectively in the divisions
  • Ensures improvements in the controls and risks identified in the Group risk register

  Divisions – divisional boards and executive committees
  • Regularly review strategic and emerging risks
  • Input to risk registers
  • Identify and prioritise high-risk areas on risk maps based on impact and likelihood
  • Impact ratings are broadly defined in terms of financial thresholds, operational impacts, regulatory compliance, customer and community impacts, employee impacts and reputational impacts
  • Likelihood ratings are defined in terms of the overall likelihood of a risk materialising
  • Further analyse high-risk areas to identify potential root causes
  • Identify mitigating controls and associated monitoring/assurance activities for each high-risk area
  • Assign an executive to monitor and manage specific risk areas
  • Review risk registers and risk maps semi-annually

  Divisional chief risk officers
  • Ensure divisional risk procedures are in accordance with and support the Group's risk management framework
  • Maintain divisional risk registers
  • Coordinate the execution at divisional level of the risk management framework
  • Identify emerging risk and compliance issues
  • Report on divisional management of risk to divisional audit, risk and compliance committees (which report to the divisional boards)
  • Oversee management's response to matters identified as requiring improvement
  • Report to the semi-annual CRO Forum


Financial and internal control

The Group's internal control and accounting systems are designed to provide reasonable, but not absolute, assurance as to the integrity and reliability of the financial information and to safeguard, verify and maintain accountability of its revenues and assets. These controls are implemented and maintained by skilled personnel.

The operation of key internal controls is assessed on an annual cycle using an internal control questionnaire ("ICQ") process which is completed by the process owners of all Group subsidiaries with operational accounting functions. The CFOs of the subsidiaries are responsible for validating the responses. The results of the ICQ are critically assessed by divisional and Group management and assist in harmonising controls and setting standards across the business.

Combined assurance

A combined assurance framework for monitoring and evaluating the effectiveness of the internal controls is in place throughout the Group. This framework deploys and co-ordinates internal and external assurance providers to report on the effectiveness of the Group's internal controls.

A combined assurance model aims to optimise the assurance coverage obtained from management, internal assurance providers and external assurance providers on the risk areas affecting the Group. Within Datatec there are a number of assurance providers that either directly or indirectly provide the Board and management with certain assurances over the effectiveness of those controls that mitigate the risks as identified during the risk assessment process. Collectively, the activities of these assurance providers are referred to as the combined assurance framework.

As the nature and significance of risks vary, assurance providers are required to be equipped with the necessary expertise and experience to provide assurance that risks are adequately mitigated. External assurance providers include external audit, IT and cyber security specialists, sustainability assurance providers and other professional advisers.

In the combined assurance model, each control is linked to a specific assurance provider, where applicable, to enable the following to be identified:

  • Risk areas where no/insufficient controls have been identified
  • Risk areas where controls have been identified, yet insufficient assurance is provided (gaps)
  • Risk areas where duplicate or "excess" assurance is provided (duplication)

Management-based assurance: Management oversight, including strategy implementation, performance measurements, control self-assessments and continual monitoring mechanisms and systems:

  • Local management is required to undertake the ICQ process annually to ensure key controls are in place and this is monitored against internal control norms. Remediation is taken where any control is considered to be ineffective. The process and results are also reviewed by the ARCC.
  • In addition, the Board obtains a formal letter of assurance twice a year from each of its subsidiary divisions (supported by similar representations from the divisions' own subsidiaries) which provides the Board with assurance over the operation of the risk management processes described above, including the operation of internal controls over financial and IT risks, compliance with legislation, and the ethical and sustainable management of the business.

Internal assurance: Risk management (adopting an effective enterprise risk management framework), legal, compliance, health and safety, and quality assurance departments are included. They are responsible for maintaining policies, minimum standards, oversight and risk management performance and reporting. The internal audit function, as described in more detail below, is the primary assurance provider within the organisation.

Independent assurance: Independent and objective assurance of the overall adequacy and effectiveness of risk management, governance and internal control within the organisation includes external audit and other expert assurance providers required from time to time.

Oversight committees: Appropriate assurance providers under each of the above categories have been identified:

  • The ARCC
  • The Social and Ethics Committee with regard to oversight of the Group's controls in the sphere of ethics, corporate social responsibility and sustainability
  • The Remuneration Committee with regard to controls in the remuneration sphere
  • The Nominations Committee in relation to Board diversity and corporate governance structures

Management has used this model to conclude on the completeness and appropriateness of the current assurance activities for each risk identified and that the level of assurance provision is satisfactory. It continues to maintain the framework as part of the ongoing risk management process.

The ARCC has reviewed the combined assurance frameworks for the Group and its divisions to satisfy itself with management's conclusions and will continue to review them as part of its role in oversight of risk management.

In light of its review of the combined assurance framework, the ARCC has recommended to the Board that appropriate assurance activities are in place in relation to the controls operating over each risk identified in the risk management process.

The governance of ICT

The Board has the responsibility to govern technology and information in a way that supports the organisation in setting and achieving its strategic objectives (King IV Principle 12). To achieve this, the governance of ICT is embedded in the Group's risk management framework. ICT risk is managed across all operations with controls and assurance provision to be maintained and reviewed in the same way as for other risks. The Board has adopted an ICT governance policy setting out the Group's approach to ICT governance. Within this policy, an ICT Governance Committee has been established comprising divisional ICT risk management and ICT executives with the aim of reinforcing the integration of IT risk issues into the Group's risk management framework.

The Board includes a review of ICT governance procedures operated by the Group's major divisions in its annual timetable to assist in its ICT governance role.

There are documented and tested procedures in the major subsidiaries which will allow them to continue their critical business processes in the event of a disastrous incident impacting their activities. Such business continuity planning procedures are reviewed annually and, where weaknesses are identified, the relevant subsidiaries are required to rectify them.

Management reporting

The Group operates management reporting disciplines which include the preparation of annual budgets by operating entities. Monthly results and the financial status of operating entities are reported against approved budgets. Project projections and cash flow forecasts are reviewed regularly, while working capital, borrowing facilities and bank covenant compliance are monitored on an ongoing basis.

All financial reporting by the Group, including external financial reporting and internal management reporting, is generated from the same financial systems which are subject to the internal controls and risk management procedures described below.

Compliance framework and processes

The Board governs compliance with applicable laws and adopted non-binding rules, codes and standards in a way which supports the organisation being ethical and a good corporate citizen (King IV Principle 13). Each division manages compliance with relevant laws and regulations, which the ARCC has divided into the following broad categories for the purposes of monitoring. These are considered to be the main themes/classes of legislation which pose the biggest risk to Datatec in the event of breach:

  • Corporate law – companies acts, financial reporting
  • Financial law – anti-money laundering and fraud
  • Export regulations – trade sanctions and foreign corrupt practices
  • Import regulations – including duty and VAT taxation
  • Securities law – insider dealing and stock exchange compliance
  • Employment law – unfair dismissal, employment practices, health and safety
  • Intellectual property, trademarks and patents
  • Competition legislation
  • Data protection/privacy legislation

Each category is considered in the risk assessment process and, if appropriate, a risk is recorded on the relevant risk register and managed in accordance with the risk management framework set out in this report. The divisions' audit, risk and compliance committees report on each category of legislation above, noting whether any breaches of compliance have been identified.

Internal audit

Internal audit is an independent appraisal function which examines and evaluates the activities and the appropriateness of the systems of internal control, risk management and governance. The internal auditor is the key assurance provider in the Group's combined assurance framework. The function provides the Board with a report of its activities which, along with other sources of assurance, is used by the Board in making its assessment of the Group's system of internal controls and risk management.

Datatec has an in-house internal audit function which operates within defined terms of reference as set out in its charter and the authority granted to it by the ARCC and the Board.

The internal audit function reports to the Datatec ARCC. Internal audit, headed by the Chief Audit Executive, is functionally responsible to the Chair of the ARCC and administratively to the CFO and CRO.

Audit plans are presented in advance to the ARCC for approval. The plans are based on an assessment of risk areas involving an independent review of the Group's own risk assessments, which are recorded in the risk registers. A significant component of the internal audit plan is the continuous audit of the business process cycles through the divisional ERP systems which is undertaken using automated audit protocols. The internal audit plan also includes audits of key controls applying to business processes at specific locations. Both audit visits and continuous auditing assessments include an independent assessment by the internal auditor of the ICQ responses of the entity being audited for the controls in scope for the audit in order to validate the ICQ self-assessment.

The internal audit function has capability in cyber security and is performing cyber security audits to address this critical risk area across the Group.

The internal audit team attends and presents its findings to the ARCC. Management is responsible for acting on the findings of internal audit and implementing remedial action to correct identified control weaknesses in accordance with an agreed timetable. Internal audit reviews management's actions on the findings and reports back on the effectiveness and timeliness of the response.

The internal audit team attends the CRO Forum to assist in the dissemination of findings across the Group and the Cyber Security Internal Audit Director also provides input and assistance to the ICT Governance Committee to support the enhancement of ICT general controls and cyber security protection across the Group.

The internal audit process and management's response to the findings thereby contribute to a continuous improvement culture in the Group's risk management function.

During FY23, the internal audit team undertook a quality self-assessment which was reviewed and validated by an independent external assessor. This assessment concluded that the internal audit team generally conforms to the standards of the Institute of Internal Auditors ("IIA").

The ARCC is satisfied that internal audit has met its responsibilities for the year with respect to its terms of reference.

External audit

The ARCC is responsible for recommending the external auditor for appointment by shareholders and for ensuring that the external auditor is appropriately independent.

PricewaterhouseCoopers ("PwC") is the external auditor, having been selected and appointed in FY21. The appointment is approved by shareholders at the AGM annually. The current designated audit partner is Berno Niebuhr, who will be retiring and will be replaced by Deon Storm for the FY24 audit subject to JSE approval. Thereafter, PwC has the policy of rotating the designated partner every five years.

The external auditor carries out an annual audit of the Group's subsidiaries in accordance with international auditing standards and reports in detail on the results of the audit both to the audit, risk and compliance committees of the Group's divisions and to the Group ARCC. The external auditor is therefore the main external assurance provider for the Board in relation to the Group's financial results for each financial year.

PwC has confirmed its compliance with the ethical requirements regarding independence and is considered independent with regards to the Group as required by the codes endorsed and administered by the Independent Regulatory Board for Auditors ("IRBA"), the South African Institute of Chartered Accountants ("SAICA") and the International Federation of Accountants. As required by section 3.84(g)(iii) of the JSE Listings Requirements, the committee obtained the information listed in paragraph 22.15(h) of the JSE Listings Requirements and satisfied itself that the external auditor and audit partner, Mr Deon Storm, have the necessary accreditation and are suitable for reappointment. The committee has nominated PwC as external auditor for FY24 for approval at the AGM on 27 July 2023. The committee is also satisfied that the designated partner is not on the JSE's list of disqualified individuals.

The ARCC regularly reviews the external auditor's independence and maintains control over the non-audit services provided, if any. Pre-approved permissible non-audit services performed by the external auditors include taxation and due diligence services. The external auditor is prohibited from providing non-audit services such as valuation and accounting work where its independence might be compromised by later auditing its own work. Any other non-audit services provided by the external auditor are required to be specifically approved by the Chair of the ARCC or by the full committee if the fees are likely to be in excess of 25% of the audit fee.

Key risks

Among the items on the risk register being monitored within the Group's risk management framework the following are currently seen as key priorities:

Supply chain

At the start of FY23, the supply chain situation was problematic: various factors, including the war in Ukraine, Covid-19 lockdowns in China and global inflationary pressures, affected freight costs and disrupted the supply chain. During the year, this disruption was seen to ease, with signs of improvement noted. However, the supply chain remains a key risk area for all the Group's businesses.

Technological market disruption

The Group's operations focus on the higher value, faster growing products and services in the ICT supply chain. It is essential to anticipate the impact of the rapid technological change which is a feature of the sector.

Dependence on key vendors

The Group is dependent on certain vendors, particularly Cisco, whose products and services accounted for a significant proportion of the Group's revenue. If any one of the Group's principal vendors terminates, fails to renew or adversely changes its agreement or arrangements with the Group materially, it could significantly reduce the Group's revenue and operating profit and thereby seriously harm the Group's business, financial condition and results of operations.

Internal technological risks – cyber security

The Group's internal systems are at risk both from planned changes that lead to business interruption and from disruption by external "cyber" threats. The Group continued to face the threat of financial crime attempted through "phishing" emails and "social engineering". The Group has a high dependence on its key information systems.

Risk of failure to fund working capital needs sufficiently

The Group's business is working capital intensive; this is particularly relevant for Westcon International. Westcon International's financing facilities are utilised to finance accounts receivable and inventories. The availability of these facilities and any material changes thereto may affect the business's ability to fund its working capital requirements.

Risk of overdependence on key personnel

The Group's future success depends largely on the continued employment of its executive directors, senior management and key sales, technical and marketing personnel. Certain key employees have relationships with principal vendors and customers which are particularly important to the business of the Group. The executive directors, senior management team and key technical personnel would be difficult to replace and the loss of any of these key employees could harm the business and prospects of the Group.

Johnson Njeke

Chair, Audit, Risk and Compliance Committee

May 2023

ARCC constitution and operation

The committee operates within defined terms of reference as set out in its charter which has been approved by the Board.

The ARCC during FY23 consisted of the following independent non-executive directors:

  • Johnson Njeke (Chair)
  • Deepa Sita – from 1 July 2022
  • Rick Medlock
  • Ekta Singh-Bushell – up to 27 July 2022

The ARCC meets at least four times a year and the external auditors, the internal auditors, CEO, CFO, CRO and Group Legal Counsel are invited to attend.

Directors' attendance at ARCC meetings during FY23 and subsequently to the date of this report (all meetings were scheduled) is as follows:

  Director            8 Mar   16 May   13 Jul   31 Oct   3 Feb   15 Mar   16 May
                      2022    2022     2022     2022     2023    2023     2023
  MJN Njeke           P       P        P        P        P       P        P
  CRK Medlock         P       P        P        P        P       P        P
  DS Sita             –       –        P        P        P       P        P
  E Singh-Bushell     P       P        A        –        –       –        –

P = present, A = absent, – = not a member at the time

The principal purpose of the committee is to:

  • assist the Board in discharging its duties relating to safeguarding of assets, risk evaluation and risk management, operation of internal controls and accurate reporting to shareholders and compliance with relevant laws and regulations;
  • provide a forum for discussing business risk and control issues and for developing relevant recommendations for consideration by the Board; and
  • provide oversight of the activities of the internal audit and the external audit functions.

The committee's annual report is included in the annual financial statements of this Annual Report.

The committee reviews its performance annually by means of questionnaires completed by individual committee members and attendees which are then discussed at Board and committee meetings. These appraisals enable the committee to evaluate its effectiveness objectively and to conclude that it is operating effectively under the terms of reference set down in its charter.

The committee is satisfied that it has met its legal and regulatory responsibilities for the year under review and to the date of this report with respect to its terms of reference as set out in its charter.

The Chair of the committee will be available at the AGM to answer queries about the work of the committee.