Governance functional areas Risk and opportunity

While the Board maintains ultimate responsibility for risk management within the Group, the Audit and Risk Committee oversees the risk management function and makes recommendations to the Board for consideration and approval. Risk management, systems and performance are continuously monitored and reviewed and reported to the Executive Committee regularly, by the Risk and Regulatory Committee. The Risk and Regulatory Committee is constituted as a sub-committee of the Executive Committee which steers the integrated risk management framework. The committee and its members are accountable for the performance of the framework.

The committee directs and evaluates the effectiveness of the integrated risk management framework and standards, and reinforces accountability for risks, controls and tasks.

Airports Company South Africa’s enterprise risk management is guided by an integrated enterprise risk management framework based on the following:

  • Expressing a clear mandate and lines of management accountability
  • Setting the performance requirements for risk management throughout the Group
  • Promoting commonality of risk management processes and methodologies and a common language
  • Organisation-wide requirements to gather and report risk information for governance purposes
  • Compliance with applicable legislation
  • Effective integration with corporate strategy and planning
  • A leadership culture that embraces risk management

In developing the framework, the Group applied the principles of the PFMA, the Companies Act, 2009, the ISO 31000:2009 and guidelines of international risk benchmarks. The illustration on page 112 indicates the components of the integrated risk management framework.

The following were among the projects rolled out during the year to enhance risk management in the Group:

  • Risk assessments: Business risk assessments for infrastructure asset management, business development, airport management and, to a large extent, technical service and solutions were completed.
  • Subsidiary risk registers: The process of assessing risk for subsidiaries was finalised.
  • Other future focus areas over and above completion of risk assessments and divisional and subsidiary plans include:
    • Competency training for enterprise risk management champions on the framework, standards, the approved risk management information system and conducting awareness training for all employees.
    • Skills enhancement for facilitators and enterprise risk management champions, typically in risk assessment and root cause analysis.
    • Line manager review: control assurance covering control design and control self-assessment.
  • As part of the continuous integrated reporting process, we updated the material risk and opportunity register to reflect management’s opinion on developments in strategic risks and opportunities.
  • We conducted a strategic risk assessment with the Board and executive leadership, in addition to the Group-wide risk assessments conducted at operational level so as to improve decision-making and enhance the performance of the Group.

In addition to the annual audits conducted by Group Internal Audit, audits to ensure the effectiveness of enterprise risk management are initiated by the Group Executive: Governance and Assurance, the Audit and Risk Committee, business unit risk committees, or the Group Manager: Risk Management.

Integrated risk management process

The Group’s integrated risk management process is intended to achieve an appropriate balance between realising opportunities for gain, while minimising adverse impacts through Board, and Audit and Risk Committee oversight of risk governance.

Our key risks and opportunities are continuously monitored through our enterprise risk management process, which is reviewed annually.

The process is based on the outcomes of best practice reviews, annual maturity assessments and continuous interaction with our governance structures, including executives, Executive Committees, sub-committees and the Audit and Risk Committee. The FY2018/19 Internal Audit review indicated that internal controls and management activities require moderate management intervention and improvement in mitigating against the possible likelihood or consequences of the risks materialising.

The Group’s revised governance framework and operating model have improved the integration of risk through the Group. We have implemented a Board approved integrated business continuity programme to strengthen the effectiveness of our identification of and response to internal and external risks.

The Board continuously assesses and monitors the treatment of strategic risks, including active engagement in the review of strategic risks and identification of mitigation activities for each.

The following table describes our top critical risks, year-on-year changes and reasons for the changes. Each risk is linked to the relevant material matters and our responses to mitigate risk or realise opportunity.

Ranking Risk title Risk description FY2018/19 priority ranking FY2017/18 priority ranking 2017 priority ranking Response to risks and opportunities Related strategy outcome Related material matter
1 Sustainability Potential loss of hub status, leading to erosion of airport sustainability I II II Airports Company South Africa has engaged continuously with network hubs and carriers. Through a process of air traffic development, the Group is implementing measures to attract more carriers and hub connections to remain a preferred connective point for travellers, for example, Latin America has become a gateway to the US, and Cathay Pacific and Singapore Airlines a gateway to the Asia Pacific region. The traffic development strategy is aimed at increasing both cargo and passenger traffic Long-term sustainable value creation Competing countries
2 Diversification Insufficient growth opportunities in non-aeronautical revenue I II II Commercialisation process defined in line with regulatory requirements. A decision was made for the Commercial division to be temporarily incorporated into the COO’s office for improved focus and acceleration Long-term sustainable value creation New growth opportunities
3 Aviation security Unlawful acts of interference within airport operations, compromising airport security I II II Implementation of smart security technology, continuous trend analysis, benchmarking against best airport practices globally, implementation of behavioural detection training, intelligence monitoring and gathering through relevant state agencies, participation in global forums, ongoing engagements through the National Aviation Security Committee (NASC) and with the relevant government agencies Passenger safety Safety and security
4 Regulatory environment Unpredictability of decisions by the Economic Regulating Committee, leading to regulatory uncertainty I II II Active continuous contribution to the economic regulatory review process, including the introduction of an appeals mechanism in the Airports Company Act, and a review of the funding model. Long-term sustainable value creation Economic regulation
5 Brand and reputation Loss of confidence in Airports Company South Africa and decline in reputation I II II The Group proactively responds and provides accurate and factual content where requested. Media policy developed with protocol Enhance our reputation Brand and reputation

Risks are all ranked as Priority I (critical risks)