Integrated Report 2021

Risk intelligence and resilience

Alongside sustainability, Barloworld's risk aspiration is to deliver a risk-intelligent and resilient organisation.

Risk intelligence means having the ability to:

  • think holistically about risk and uncertainty
  • identify the right risks for reward (managing threats and capitalising on opportunities)
  • speak a common risk language
  • use forward-thinking risk concepts and tools to make better decisions
  • create lasting value and ensure sustainability
  • continuously learn.

Resilience means having the ability to:

  • anticipate, identify and adapt rapidly to threats, vulnerabilities and opportunities
  • operate under stress without failure for extended periods of time
  • respond rapidly to contain the impact (i.e. severity/duration) of an incident/threat
  • recover rapidly in a coordinated manner
  • evolve to a higher state of resilience in response to changes in the environment, near misses and incidents through organisational learning.
Risk intelligence and resilience

Risk Management Framework

Our Risk Management Framework aids decision-making.

We don’t intend to eliminate all risk, rather we want our risk portfolio to be one that maximises opportunities and minimises adversity.

Our risk management, in line with King IV, ISO and, where appropriate, international codes of best practice, is aimed at enhancing value for our stakeholders and ensuring the efficient application of our Risk Management Framework.

Our Risk Management Framework has progressed whereby risk is embedded in our strategy setting and results in a strong governance framework.

Risk Management Framework Resulting in Risk governance framework
Risk-resilient culture
Risk-resilient strategy and appetite
Risk-resilient governance

(policy/framework/plan)
Oversight
Tone from the top
Board of directors
Audit and risk committee
Risk-resilient operating model
Risk-resilient maturity and reporting
Accountability management
Operations
People, process,
products and
services
Group Executive committee Head:
Group Risk and Insurance
Divisional management committees
Divisional risk managers
Stakeholder analysis
Environmental scanning
Risk identification
Risk assessment
Risk treatment
Risk monitoring
Risk reporting
Business continuity management
Crisis management
Disaster recovery
Risk process
(ISO and King IV)
M&A department
Finance department
Human capital department
Legal and compliance department
Risk and insurance department
Corporate affairs department
Investor relations department
Sustainability department

We also view risk as leveraging opportunities.

Aspiration of delivering a risk-intelligent and resilient organisation.

Additional focus on our risk-bearing capacity and the quality of our control environment for all business risks.

Risk Management Framework

The Barloworld risk universe

The responsibility for monitoring and providing oversight of the management of risks is assigned to the management committee of each business unit. The risks are then considered at a group level through the reporting, monitoring and review processes of the audit and risk committee. Risk registers are tabled at each business unit and subsidiary board meeting under the categories defined by the Barloworld risk universe.

The Barloworld risk universe is a depository of all the Barloworld risks, including both current and emerging risks. The depository
of our risks is defined by three core categories (external risk, internal risk and behavioural risk) and classed into 15 sub-categories.

 
External risk categories
External risk categories
  • Regulatory/legislative
  • Economic
  • Socio-political
  • Environmental
Occupational health and safety
Internal risk categories
  • Occupational health and safety
  • Strategic
  • Operations
  • Financial
  • Legal and compliance
  • Human capital
  • Technology
Behavioural risk categories
Behavioural risk categories
  • Governance
  • Ethics
  • Reputation management
  • Innovation and agility
 

Our risk universe provides the group with a wide lens of all our risks while the risk sources assist in bringing into focus those risks that may be blind spots for the organisation and that may require a more focused approach when performing high-level risk assessments. Ultimately, this ensures that all risks are noted, and that action plans are developed, monitored and discussed to reduce the risks to an acceptable residual risk level. From the risk evaluation in the risk register, significant risks are reported to the audit and risk committee, which in turn reports these risks to the board. The board is accountable for effective risk management with the guidance of the group risk and insurance officer.

The 15 sub-risk categories form the basis of risk management for Barloworld, with the top risks having evolved from one year to the next with resilience taking the forefront following the residual impacts of the Covid-19 pandemic. The risk profile is prepared with the 15 risk sub-categories forming the basis, and using the top 20 risks from each business unit as of 30 September 2021 to arrive at a group-wide view. It then segments the risks into risk categories and maps them against the group risk-bearing capacity to arrive at a heat map that easily identifies the top risk in each category with those in breach of the group risk-bearing capacity being reported to the board of directors.

The Barloworld risk universe

Risk profile

For the financial year ended 30 September 2021, the group risk profile identified the following categories as focus areas for 2022:

The executives leading the business functions for which the above categories belong have provided robust business continuity management (BCM) plans, which provide insight and assurance to the group on the ongoing management of the risk categories in breach as well as a framework of the scenario planning and the effectiveness of the plans in a live scenario.

The risk profile below show that the group risks are managed to below the risk-bearing capacity for the current financial year, and while the average expected probabilities seem to be higher, they are accompanied by a marginally lower severity.

Risk profile

Barloworld
Risk Profile

Risk assurance

Our risk profile is guided by the controls we put in place to ensure that while we embrace risk at Barloworld, we give the board assurance that the quality of our control environment is effective and continually improving. As such, two levers are deployed to provide this level of assurance:

Business continuity management

Where the control environment is less than effective, we deploy a BCM plan to manage and monitor the risk. This is to ensure that we are well prepared for the eventuality of the risk maturing and coming into being and enabling probable scenarios that can be tested and the resultant effectiveness probed.

The board is ultimately responsible for effective control through its committee structure and approved policies, supported by management operating procedures and the collaborative risk, compliance and internal audit functions. Best governance practice and management requirements promote the implementation of control measures and reporting mechanisms.

Risk-based audits

Barloworld also supports the alignment of management’s obligations underpinned by a combined assurance approach to support the positive statement over the internal financial controls (IFC), subsequent to the anticipated implementation of these control activities.

The adoption of these activities will promote the assurance over key financial controls and include:

  • determining materiality to scope the IFC efforts correctly
  • determining the coverage and scope based on the identification of key accounts and sub-accounts
  • considering the key control activities in terms of the assurances provided through combined assurance and in terms of an appropriate control framework
  • management approving the appropriate level of testing of the internal financial controls (IFC) to support a positive statement.

The risk-based audit outcome report should include all assurance activities.

In addition, Barloworld has developed a combined assurance framework, which aims to coordinate assurance activities across the business and provide reasonable assurance as to the integrity of the financial and regulatory reporting of the group. This provides assurance that key risks are identified and managed appropriately and that the group’s main governance systems are suitably designed and operating effectively.

The activities coordinated via the Combined Assurance Framework include:

  • line functions, which own and manage risk, compliance and control activities at that level
  • specialist functions that oversee risk and compliance
  • independent assurance activities such as those performed by Internal Audit
  • various oversight committees
  • independent external service providers including external auditors
  • other specialists engaged for specific assurance purposes, where appropriate.

Based on its own monitoring and oversight, and assurance obtained from management, Group Risk, Compliance and Internal Audit, the board is of the view that an effective IFC environment exists to support the integrity of the integrated report.

Risk assurance

Emerging risk management

Successful management of existing and emerging risks is critical to the long-term success of our business and to the achievement of our strategic objectives. In order to seize market opportunities and leverage the potential for success, risk must be accepted to a reasonable degree. Therefore, risk management is an integral component of our corporate governance structures.

Due to the fact that emerging risks are marked by a high degree of uncertainty such that even basic information is often lacking, which would help to adequately assess the frequency and severity of a given risk, we mark our risks according to proximity and velocity. These are the two metrics that assist us in evaluating when an emerging risk is likely to come to fruition, coupled with the understanding that when it does come to fruition, what the size of its impact would be.

Emerging risk management