Understanding and managing our risk environment to support the Group’s objectives
Ravi Rajagopal
Chair, Audit and Risk Committee
Identifying and managing risk
The directors have carried out a robust assessment of the company’s principal and emerging risks to comply with Provision 28 of the Corporate Governance Code. We’ve designed our risk management framework to give us a consistent means of identifying, mitigating and monitoring risk across all 14 OpCos and Group entities. It provides senior management and Board of directors with oversight of our principal risks and promotes a bottom-up approach to identifying and managing risks across the Group.
Risk management governance
Our Board of directors has overall responsibility for the Group’s risk management framework and processes. Through the Audit and Risk Committee, the Board oversees the Group’s risk management framework and regularly reviews its principal risks as well as emerging risks that may impact the Group. Within that overarching framework, the governance of risk management has been cascaded to various levels across the organisation to allow effective management of the Group’s risks. The framework covers the interplay between risks impacting Airtel Africa as a whole and risks identified at either the OpCo level (geography-related) or the functional level (business function-related).
Our Group Executive Risk Committee (ERC) evaluates and prioritises the principal risks with the potential to undermine our strategy, business model and solvency, in line with our overall risk appetite. The committee also reviews, on an ongoing basis, the external business environment to identify emerging risks which could potentially have an impact on the Group’s business in the future. Group functional teams identify functional risks cutting across our OpCos to create a consistent Group-wide risk mitigation strategy for similar risks.
We operate a similar risk management governance structure at Group level and within our OpCos, with both having an executive risk management committee and with overall risk management responsibility resting with the respective Boards. Each OpCo identifies risks within their business environment and takes appropriate mitigation actions. The governance of risk management at each OpCo rests with the OpCo Executive Risk Committee (ERC) and the OpCo Board of directors which is responsible for risk management processes and oversees the respective OpCo’s principal risks and the effectiveness of its mitigation actions.
1
Our work has included assessing risk management, improving controls and tracking compliance against regulations applying to mobile money businesses in all our markets and arising from central bank licences. Strengthening the IT systems and increasing resilience of application software has been a core part of our work this year.
2
Risk governance
Board – Audit and Risk Committee
The Board has overall responsibility for the Group’s risk management processes. Through the Audit and Risk Committee (ARC), the Board oversees the Group risk management framework, approves the Group’s risk appetite and regularly reviews our principal and emerging risks.
The Board maintains oversight of the effectiveness of the Group’s risk management processes through regular reviews of the Group’s principal and emerging risks, thematic risk reviews and review of key risk indicators (KRIs) against tolerance limits set. This year, the ARC carried out several in-depth thematic risk reviews – see more in the ARC chair’s report.
Group Executive Risk Committee
The Group Executive Risk Committee (ERC) is responsible for the implementation of the risk management framework across the Group. The ERC reviews our significant risks, the progress and effectiveness of mitigation actions and performance of KRIs to ensure that the Group operates within its defined risk appetite.
The ERC meets quarterly and carries out robust reviews of the Group’s principal risks which span its operating markets and functions. It also reviews and discusses emerging risk trends which potentially impact the Group’s business.
Functional risk management reviews
The Group executive functional heads are responsible for identifying and mitigating risks across the Group within their functional areas. They are responsible for embedding risk management within operational business processes. The Group’s risk register is created from risks identified either by the Group functional heads or the OpCo ERCs.
The Group functional heads carry out ongoing risk reviews as part of their operational functional processes. These risk reviews address risks within their functions across the Group’s operating footprint.
OpCo Executive Risk Committee and OpCo Board
Each OpCo ERC performs a similar role to the Group ERC. They're responsible for implementing the risk management framework in our subsidiaries.
ERCs identify risks within the local environment and mitigation actions to manage those risks. Each OpCo Board has overall responsibility for the risk management process within that OpCo.
The OpCo ERCs meet on a quarterly basis while the OpCo Boards review the OpCo principal and emerging risks at least on a semi-annual basis.
Risk identification process
Identify
OpCo
Function
Risks are identified by analysing external and internal context both at an operating subsidiary and at a Group functional level.
Risk analysis
Discuss and validate each risk
Assess each risk
- Likelihood
- Impact
Identified risks are assessed on:
Likelihood of occurrence
Impact/consequence
Rank
Score and prioritise each risk
Each risk is then assigned a risk rating based on the likelihood of occurrence and the possible impact/consequence
Risk rating
Airtel Africa’s principal risks
Risks impacting the Group’s strategy, business model and solvency
Emerging risks
Ongoing review of the external environment and potential risks
Risk identification process
Identify
OpCo
Function
Risks are identified by analysing external and internal context both at an operating subsidiary and at a Group functional level.
Risk analysis
Discuss and validate each risk
Assess each risk
- Likelihood
- Impact
Identified risks are assessed on:
Likelihood of occurrence
Impact/consequence
Rank
Score and prioritise each risk
Each risk is then assigned a risk rating based on the likelihood of occurrence and the possible impact/consequence.
Risk rating
Airtel Africa’s principal risks
Risks impacting the Group’s strategy, business model and solvency
Emerging risks
Ongoing review of the external environment and potential risks
Our risk appetite framework
The Group’s risk appetite framework and statement formalises the Group’s risk appetite, tolerance limits and governance oversight processes to ensure that risks across the Group are managed within acceptable limits. Airtel Africa adopts a four-point scale for risk appetite, described below:
Open
We strongly accept these risks as they are incidental to the achievement of our business objectives. These risks provide good risk/reward trade-off, and internal competencies exist to manage or exploit these risks effectively.
Flexible
We’re open to accepting these risks on a justifiable basis. We will consider available options and select the option that provides good returns with an acceptable level of risk in the pursuit of our objectives.
Cautious
We will accept these risks only if essential, with limited potential for a negative outcome. We prefer to avoid these risks and where these risks are accepted, the risks are carefully measured and monitored.
Averse
We’re strongly opposed to these risks and prefer to avoid them. We are not open to any risk/return trade-off and will always accept the lowest risk option for these risks.
Risk appetite monitoring
To ensure adherence to the Group’s risk appetite framework and that risks are managed within acceptable limits, the Board of directors, through the Audit and Risk Committee, has approved a set of key risk indicators (KRIs) and tolerance limits across key organisational functions and processes. Performance against these KRIs and their respective tolerance limits is tracked, reported and reviewed by the Executive Risk Committee (ERC) and the Audit and Risk Committee (ARC) on a quarterly basis. Where tolerance limits are breached for any KRI, an appropriate risk mitigation plan is developed, and its implementation is monitored as part of the risk review process. The Group’s risk review and governance processes, along with the ongoing monitoring of KRIs and their corresponding tolerance limits, enable the Board to assess whether risks across the Group are being managed within the established risk appetite.
How we classify our risks
Strategic risks
These are risks arising from changes in our external business environment such as macroeconomic conditions or market/competitive dynamics.
Adverse competition and market disruption
Digitalisation and innovation
Geopolitical risks and adverse macroeconomic conditions
Philosophy/approach
We operate in 14 countries across Africa with significant market opportunities arising from low penetration of telecoms and banking services. The Group is bullish on the opportunities that Africa presents and is generally open to taking increased levels of risk to capture these market opportunities.
Operational risks
Risks affecting our ability to effectively operate our business model across a variety of functional areas
Cyber and information security threats
Increase in cost structure
Leadership succession planning
Internal controls and compliance
Technology resilience and business continuity
Philosophy/approach
Delivering on the Group’s strategic objectives requires an effective operating model, execution excellence and operational rigour, with a focus on customer satisfaction across the organisation. This operational excellence will ensure that the Group can continue to deliver incremental revenue growth at minimal marginal costs, resulting in a positive flow-through to profitability.
Financial risks
Risks impacting our liquidity or solvency, financial reporting or capital structure
Exchange rate fluctuations and shortage of foreign currency
Philosophy/approach
The Group is committed to prudent financial management built on a robust system of controls and effective business partnering. The Group is flexible in its risk-taking approach to financial management to support the Group’s strategic growth objectives but averse to any form of violation of its system of key financial and internal controls.
Governance and compliance risks
Risks affecting our ability to comply with our legal, regulatory and governance obligations
Uncertainty in policy and regulatory environment
Philosophy/approach
We are committed to complying with laws and regulations in the jurisdictions where we operate and averse to violations of legal or regulatory obligations.
Risk heat map (residual risks)
In the current year there has been no change to principal risks, their impact and likelihood as compared to 2023/24
Strategic risks
Adverse competition and market disruption
Digitalisation and innovation
Geopolitical risks and adverse macroeconomic conditions
Operational risks
Cyber and information security threats
Increase in cost structure
Leadership succession planning
Internal controls and compliance
Technology resilience and business continuity
Financial risk
Exchange rate fluctuations and shortage of foreign currency
Governance and compliance risk
Uncertainty in policy and regulatory environment