Risk management and internal control
The Group has adopted a
risk philosophy that is aimed
at maximising business
success and shareholder
value by effectively
balancing risk and reward.
Overview
As a Group that operates in and understands emerging markets, MTN believes
that risk management and internal control are fundamental to effective corporate
governance and the development of a sustainable business. The Group has
adopted a risk philosophy that is aimed at maximising business success and
shareholder value by effectively balancing risk and reward.
MTN’s objective has always been to embed risk management and internal control
into the day-to-day running of the business in a practical manner. This involves
continual proactive identification and understanding of risk factors and events that
may impact business objectives, development of appropriate response strategies
and internal control mechanisms, continual monitoring and reporting and
independent assurance. This is achieved through the implementation of various risk
management and governance mechanisms. These include:
- Monitoring the effective implementation by the various operations’ chief
executives and other management of corporate governance measures.
- Embedding risk management procedures into day-to-day activities such as
business planning, operational reviews, projects etc.
- Business risk management functions in most operations to facilitate, co-ordinate
and monitor the effective implementation of risk management mechanisms.
- Assurance from internal audit and external audit on the internal control
environment.
- Audit and risk committees in all operations.
- Group oversight.
MTN has taken cognisance of the new requirements of King III and has initiated
a project to assess gaps between MTN’s current risk management practices and
the requirements of King III. The gaps will be assessed and current practices and
systems will be adapted where necessary.
Roles and responsibilities
Board of directors
The Group board of directors is ultimately responsible for
oversight of proper risk management and internal control
mechanisms and is supported by two subcommittees, namely
the Group audit committee and the Group risk management
and compliance committee. The Group audit committee is
the oversight body for the implementation of adequate and
effective internal control mechanisms in the Group. The Group risk
management and compliance committee is the oversight body
for risk management in the Group. It sets and approves the risk
management framework, and reviews the overall effectiveness
of risk management structures and response strategies. At a
lower level, each operating company has its own audit and risk
committee which is a subcommittee of the board of directors
of that operating company. These committees are chaired by
independent non-executive directors and essentially mirror on
a lower level the role of the Group audit committee and Group
risk management and compliance committee. These committees
report to the Group committees on a regular basis to ensure
oversight from a Group perspective.
Management
Management of the Group is responsible for the implementation
of adequate and effective internal control mechanisms at an
operational level. Management is represented at a Group level by
the Group executive committee, headed by the Group president
and chief executive officer, and at an operating company level by
the chief executive officer of each operating company.
Independent business risk management function
Business risk management is an independent function responsible
for the disciplines of enterprise risk management, internal audit
and fraud risk management. It has more than 160 risk, internal
audit, fraud risk and forensic specialists across the 21 operating
countries of which more than two-thirds are internal audit
specialists. The internal audit discipline within business risk
management is independent from the risk management discipline
and does not get involved in risk management activities. Business
risk management is headed by a Group executive who reports
directly to the Group president and chief executive officer and
has direct access to, and regular meetings with, the chairpersons
of the Group audit committee and Group risk management and
compliance committee. MTN now has business risk management
functions in all of its operations with oversight from the Group
business risk management function. The activities of the business
risk management function are guided by a set of policies,
frameworks and methodologies which have been approved by
the Group audit committee and Group risk management and
compliance committee.
Risk management and internal control mechanisms
Risk appetite
MTN’s risk appetite is determined by type of risk. This allows
for a more controlled way of managing risk levels. A formal risk
escalation structure was implemented at the end of 2009 based on
MTN’s risk-bearing capacity and a set of risk thresholds at various
levels in the Group. Aggregation of total risk is done qualitatively
and the Group risk management and compliance committee
assesses the acceptability of MTN’s consolidated risk profile.
Enterprise risk management
As far as enterprise risk management is concerned, the business
risk management function is responsible for ensuring the existence
of an effective framework for risk management and driving the
implementation of this framework throughout the Group. This is
done by assisting and advising management on the topic and by
ensuring effective reporting and escalation of risks.
The process of risk management in the Group is guided by a risk
framework which is based on best practice risk management
procedures. The Group business risk management function,
together with management, has the mandate and responsibility
of ensuring that adequate risk management processes are
implemented in all areas of the business in line with the risk
framework. During the year under review, significant progress
was made with the migration of decentralised risk databases to
a consolidated risk database. This will allow for better analysis,
monitoring and reporting.
Insurance and risk transfer
MTN has a comprehensive insurance programme in place which
covers perils such as material damage/business interruption,
political risk, public liability, directors’ and officers’ liability, crime
and professional indemnity. The limits of indemnity for these
covers have been structured to optimise the balance between
maximum potential loss and containing premiums. MTN also
believes that risk retention and self-insurance are necessary to
keep premiums at reasonable levels and show commitment
towards risk management. MTN’s risk retention levels differ from
policy to policy.
Fraud risk management
The fraud risk management function is responsible for assessing
fraud risk across the Group and driving the implementation
of fraud prevention activities, which include whistleblowing
processes. Fraud risk management is also responsible for detecting
and investigating fraud. The implementation of fraud prevention
mechanisms in the Group remains a priority. There was an increase
in the number of fraud and theft cases reported in 2009. We
believe that this was not because of an increase in fraud and theft
activities, but mainly the result of the implementation of improved
fraud prevention and detection mechanisms. These included
the implementation of a Group-wide fraud incident register,
conducting fraud risk assessments in most operations and the
use of improved whistleblowing mechanisms. The overall value of
fraud and theft incidents uncovered to date is not material.
In 2010, MTN will focus on the following inherent fraud risk
categories from both a fraud risk and internal audit point of view:
- Procurement – conflict of interest and collusion with suppliers
- Asset and inventory theft
- Site acquisition and construction
- Manipulation of billing data
- Bribery and corruption
Internal audit
MTN has a substantial internal audit discipline function which is
responsible for providing independent internal audit assurance
to the Group. The independence of the internal audit discipline
is maintained by ensuring that internal audit employees are not
involved in risk management activities and by virtue of the fact that internal audit work is ultimately governed by the Group audit
committee. The internal audit charter, which has been approved
by the Group and the operating companies’ audit committees, also
provides for the independence of the internal audit function.
Internal audit activity in the Group has been increasing for the
past few years with total internal audit hours in 2009 rising to
110 000 from 98 000 in 2008. Internal audit assurance is guided by
extensive risk evaluation. Projected internal audit hours for 2010
are in excess of 130 000 hours. The Group is now reaching the
point where internal audit coverage extends to most operations
and most high-risk processes. The distribution of these hours in the
various core business areas can be illustrated as follows:
| % audit hours |
 |
The split of audit hours planned for 2010 between the various country operations is illustrated as follows:
| Total audit hours |
 |
There has been major focus on the improvement of the quality
and maturity of internal audit coverage over the past year and
these efforts will continue into 2010 with an eventual external
quality assessment planned for 2011. Outsourcing arrangements
on some internal audits add to the objectivity and independence
of the internal audit work undertaken.
Principal risks
The board believes that management has identified
the core risks in relation to the Group. These, as
displayed in the graphic alongside, are categorised
into operational, telecoms sector, strategy and
macro-economic risks. MTN’s principal risks fall mainly
into the macro-economic, telecoms sector and
strategic categories.
The year under review
Strategy
The steep growth experienced by the
telecommunications industry in the past is starting to
slow. This is because of a number of factors ranging
from strong competition, regulatory pressures as well
as converging technologies. A challenge for MTN and
most mobile operators is to adapt its business model
and technologies from the traditional voice offerings
to a converged offering including voice, data and
content. MTN has made good progress in this regard
with various offerings including MTN MobileMoney,
MTNPlay as well as a number of business solutions
through MTN Business. MTN MobileMoney has been
launched in a number of countries with good uptake.
MTN has committed in excess of USD191 million of
investment in various submarine broadband cables to
ensure high-speed connectivity and improved quality
and capacity of voice and data offerings.
In addition to building new revenue growth models,
MTN is continuing to focus on improving operational
efficiencies in order to keep operational expenditure
under control and maintain competitive EBITDA levels.
View enlarged graphic
View enlarged graphic
International sanctions against some countries in which MTN operates, pose
a threat to the MTN Group with regards funding arrangements, supply chain
management, investor relations etc. The Group is actively aware of these situations
and has taken appropriate mitigating action wherever possible.
Sector
The regulatory environments in the MTN operating countries define special
conditions under which MTN operates. These conditions are very dynamic,
changing from time-to-time and are becoming more complex. During the
period under review, MTN has seen a number of regulatory instruments
introduced in many markets. These include the registration of SIM cards, changes
to mobile termination rates, site sharing and the promulgation or repeal of
telecommunication legislation and regulations. These are deemed to have been
made under legislative and licensing regimes that gave rise to the first wave of
licences to MTN. Regulatory pressure will continue to impact the Group. The Group
continues to monitor and engage with policy makers and regulators in order to
align its investment with the various regulatory and policy road maps.
MTN will likely face increased competition as the telecoms industry continues to consolidate.
Macro
The political situation in some of the countries in which
MTN operates continues to be challenging. The year under review
has been characterised by security, political and social unrest
challenges.
These challenges are often beyond MTN’s ability to control and
may negatively impact on the Group. MTN is confident that its risk
management strategies in response to these risks have mitigated
the risk to the Group. These strategies include strict compliance
with regulations, physical security measures, the establishment of a
Group crisis operations centre, risk transfer and insurance strategies
and good corporate citizenship.
Exposure to financial markets remains a risk to the Group. This
risk has many facets including exposure to currency fluctuations,
interest rate changes, liquidity and counterparty risk. These risks
are managed through a centralised treasury function with the
implementation of various mechanisms and procedures including
a Group treasury policy.
Operational
In the past few years, MTN has made significant progress in
reducing the risks associated with network performance in certain
countries. This is a result of considerable capital expenditure which
peaked at more than R32 billion in 2009.
The repatriation of earnings from most of the Group’s operations
has continued as planned in 2009, and good progress was made in overcoming the existing barriers to repatriation in certain
countries.
MTN has stepped up its efforts to standardise processes across
the Group with specific attention given to capital project
management, network site build, activity-based costing and
human resources. However, ongoing focus is still required.
The business continuity management project has made good
progress in the past year with a number of countries now having
formal business continuity projects in progress or, in certain cases,
completed.
Increased requirements from King III on the governance of
information technology are being assessed and any potential
shortcomings will be addressed.
A comprehensive tax risk management strategy has been
implemented to improve the management of tax risk.
The availability and depth of technical and leadership skills in
certain MTN operating countries remains a challenge to the Group.
However, the MTN Academy is now well established and its focus
on leadership development and e-learning on technical aspects,
together with other leadership development initiatives, will assist
in the years ahead.
|
