| Risk management |
| |
Active risk management a core competence to exploit opportunities |
At the John Keells Group, risk management is an integral part of its valuedriven corporate governance. Through a proactive risk management programme, risks, both at group level and within all constituent businesses, the assets, financial position and earnings situation of the group are secured enabling the business units and GEC to recognise and analyse adverse trends early for prompt corrective action.
The enterprise risk management (ERM) process is structured to align the key fundamentals of governance, strategies, business objectives, ethics, policies, standards and compliance, and hence is an integral part of all our decisions and business processes. The group recognises the complexity and the diversity of risks that surround its operational activities and endeavours, through a risk management program, to maximise opportunities and minimise exposures to risk while being cognisant of the risk/reward relationship and the ranges of its risk appetite. |
| |
Efficient organisation of risk management |
In line with its vision, the group maintains an integrated, ERM program. The group has set up a central risk management function to ensure that the GEC is continuously and promptly kept informed of important developments in risk management by the Group Risk and Control Review (R&CR) Department. During the latter part of the year, with a view to achieving synergies, on the functions of internal control, the internal audit, risk management and risk transfer were brought under one risk umbrella with accountability lying with the Group R&CR Department.
The ChairmanCEO and under his direction, the GEC, are the prime movers in setting the risk management policy of the group. The R&CR Department at the centre, converts the policy so set, into a set of processes, procedures and guidelines for the uniform adoption by the businesses within the group. The Audit Committee monitors the progress regularly.
The risks in the group are identified and analysed using a universal risk register adapted, as appropriate, for the group. The individual risk categories are founded on the critical success factors for the implementation of the corporate strategy and its objectives. The key operational and financial risks include areas such as socioeconomic, competition, internal processes, procurement, product, currency and interest rate fluctuations, information technology, human resources etc. Appropriate mitigating actions have been identified and have been put into place at the various levels of the group.
The group rates its risk as ultra high, high, moderate, low and insignificant after taking into consideration the probable impact/severity ranking on one side and the likelihood/occurrence ranking on the other. |
| |
Clear allocation of responsibilities for risk identification, analysis and assessment |
The group has established a comprehensive and systematic risk management system, the basic principles of which are laid down in group guidelines. It is incumbent on the operational management of the risk owner to take direct responsibility for the early recognition, management and communication of the risks. Under the risk management system, the group companies adopt a bottomup approach and report the status of any significant risks and any changes in those risks. In addition, any risks which arise at short notice or which have repercussions for the whole group are communicated directly to the appropriate personnel in the group, irrespective of the normal reporting channels.
The aim is to identify potential risks of our operations at an early stage by incorporating them into a database, to assess them using specific criteria, to evaluate the extent and characteristics of the risks and to introduce appropriate precautionary and security measures.
Risk Management is analysed, evaluated and controlled efficiently at four broad levels. The risk champions at the business units/sectors ensure the implementation of the procedures under the leadership of the CEOs of the business units, sector heads and the presidents of the industry groups.
• At the first level of operations, responsibility for strategy, performance management and risk control lies with the chief executives of the business units,
• The top risks identified at the first operating level are considered along with the specific risks affecting the industry and market by the sector/industry groups,
• The key risks identified at sector and industry group levels and macro risks are considered by the Group Executive Committee when identifying and assessing the risks faced by the group as a whole,
• The holding company and/or business unit audit committees review the findings of the risk management program on a regular basis to gain assurance on its effectiveness. The centre based R&CR function (Internal Audit) also audits the risk procedures as a part of its audit programs. |
| |
Consistent risk monitoring |
It is the duty of every risk champion to see to the implementation and effectiveness of risk management. Based on periodic monthly reviews at business unit level and quarterly at sector levels, the business units are in a position to continuously update and complete their risk profile and matrix. Every six months, the GEC is presented with status reports from the Group R&CR Department for discussion and review of progress and action plans.
The group R&CR department checks the central and decentralised risk management reports for functionality, topicality, completeness, reliability and effectiveness and collates the same for highlighting to the Group Executive Committee and the business unit audit committees. In addition, as a part of its audit programs, audits are performed at company level by the appointed outsourced internal audit firms and external auditors. |
| |
Key risk areas |
| A review of the JKH portfolio of risks saw a hardening in the risk ratings in certain areas due to prevailing economic and external factors and the relevant business units are developing appropriate action plans towards mitigating the impacts arising from this. The risk ratings after taking into consideration the implementation progress made on identified action plans and other mitigation activities and control measures are as detailed below |
| |
| Political and economic risks |
| Financial Year |
2007/08 |
2006/07 |
2005/06 |
| Risk Rating |
Ultra High |
Ultra High |
High |
|
|
| |
Action plans
The group is actively working with the government, private sector and other relevant stakeholders in influencing progress towards lasting peace, stability of economic factors and the operating environment.
The group acknowledges the important role that the private sector can play in increasing the quality of life by wealth creation through good investment and increasing productivity through training, development and empowerment. |
| |
| Enabling infrastructure risks |
| Financial Year |
2007/08 |
2006/07 |
2005/06 |
| Risk Rating |
Ultra High |
Ultra High |
High |
|
|
| |
Action plan
The lack of enabling infrastructure has been identified as one of the key inhibitors of economic growth. It is most welcome to note that the government has, as one of its strategic priorities, focused on developing and strengthening infrastructure that is required to create an enabling environment towards economic growth.
The group continues to lobby the authorities for progress in this area through chambers, trade associations and lobby groups and through direct dialogue. |
| |
| Brand control and protection risks |
| Financial Year |
2007/08 |
2006/07 |
2005/06 |
| Risk Rating |
Moderate |
Moderate |
Moderate |
|
|
| |
| Control and protection of the brand, the company's most valuable asset, is of utmost importance. During the year many action plans were put to place to mitigate the weaknesses highlighted in the brand audit conducted last year with the assistance of specialised consultants. |
| |
| Internal operational processes |
| Financial Year |
2007/08 |
2006/07 |
2005/06 |
| Risk Rating |
Moderate |
Moderate |
Moderate |
|
|
| |
Action plan
The group’s commitment to mitigate this risk to acceptable levels is ensured through continuous improvements developed around the concept of document, measure, analyse, and improve. These quality processes include documented work processes; documented corrective/preventative action process; effective problem solving and root cause analysis; quality service measurements based on customer requirements; customer satisfaction measurements and vendor performance evaluations. These processes are taking root throughout most of our business units and are subject to periodic review by management. |
| |
| Legal and regulatory risks |
| Financial Year |
2007/08 |
2006/07 |
2005/06 |
| Risk Rating |
High |
High |
High |
|
|
| |
Action plan
It's our business to stay abreast of constantly changing statutory and regulatory requirements in order to ensure that our operations and services remain in compliance. Towards this, quarterly compliance reviews and audits at sector and business unit levels have been implemented. The group continues to campaign through established lobby groups for clear and unambiguous policies and laws. This is still an area of concern. |
| |
| Financial risks |
| Financial Year |
2007/08 |
2006/07 |
2005/06 |
| Risk Rating |
Moderate |
High |
Moderate |
|
|
| |
Action plan
The basic risk strategies for interest, currency and liquidity management, and the objectives and principles governing group finances are determined by the central group treasury function in discussion with the business units.
Business, financing and other forex exposure activities which are not in the local currency inevitably lead to foreign currency exposures. The businesses actively monitor the resulting transaction risks themselves and agree appropriate hedging transactions with group treasury in line with agreed parameters.
Interest rate risks are also centrally managed. The group evaluates potential interest rate risks, ascertains the interest risk exposure in the major currencies and conducts sensitivity analyses. Interest rate risks are actively managed using a variety of methods. |
| |
| IT risks |
| Financial Year |
2007/08 |
2006/07 |
2005/06 |
| Risk Rating |
Moderate |
Moderate |
Moderate |
|
|
| |
Action plan
To minimise the risk of business processes being interrupted as a result of systems failure, numerous security and fallback measures have been implemented. These include access control systems, contingency plans, an uninterrupted electricity supply for critical systems, backup systems and data mirroring. In addition, we use firewall systems and virus scanners to counter data security risks arising from unauthorised access to the IT systems. We also ensure the confidentiality, availability and integrity of the data. Disaster recovery plans are regularly reviewed as disruptions to critical management information systems could have a material impact on the group's continuing operations. |
| |
| Personnel risks |
| Financial Year |
2007/08 |
2006/07 |
2005/06 |
| Risk Rating |
Moderate |
Moderate |
Moderate |
|
|
| |
Action plan
John Keells continues to position itself as an attractive employer and will seek to ensure the long term loyalty of its committed team by training, development, recognition and reward. The rigorous management leadership programme includes the provision of development, mentoring, support and advice, while the early identification and advancement of high achievers and those with potential is promoted via attractive performance incentive schemes.
The success of the group depends on the commitment, motivation and skills of its employees. The group is addressing the issue of the shortage of qualified personnel in some fields by ensuring opportunities for professional development. This strengthens our position as an attractive employer in the competitive market for suitably qualified employees. |
| |
| Stakeholder risks |
| Financial Year |
2007/08 |
2006/07 |
2005/06 |
| Risk Rating |
Moderate |
High |
High |
|
|
| |
Action plan
The group believes that its success depends on the degree to which it can balance both profit and the interests of all its stakeholders.
We constantly conduct analyses of our market environment and competitive situation. We obtain vital information about our customers' needs by maintaining regular contact with them, and this enables us to stay close to the market. We use the information we receive to develop and supply products tailored to suit the needs of the market and to enhance our competitive position and level of market awareness.
The competence and commitment of employees are key factors for the successful development of the group and this idea is anchored in JKH HR mission of “More than just a workplace”. The group has already implemented a series of measures to counter possible personnel risks.
This year, we focused much attention on how we as a group address the issue of sustainability, and in order to successfully meet these growing expectations, a groupwide sustainability audit was commissioned through the service of specialised consultants. This exercise was completed after the end of the financial year and suitable action plans are now being drawn up with a view to be a more goaldriven in our sustainability practices and align these with the activities of the John Keells Social Responsibility Foundation, the nerve centre for JKH's CSR efforts.
|
| |
Industry group/sector risk |
By consolidating and aggregating the findings of our industry groups/sectors, it is possible to form a view of the 10 most important strategic risks across the group.
The table below shows the weighting of the top 10 strategic business risks across the industry groups/sectors that we studied. While many risks were unique to a sector, a few key challenges had a high or critical impact for many, or even all of the sectors. Hence the risks at the top of the chart are those that will do the most to influence markets and drive corporate performance in 2008 and beyond.
This cannot, however, be used to definitively conclude that one industry group/sector is more or less risky than another. However, we can infer that, compared with what we believe are the most common strategic business risks, some industry groups/sectors are more exposed than others. |
| |
The future outlook |
| The experience gained during the past two years has now enabled the R&CR team to roll out and implement effective business continuity and disaster recovery plans, not only from a technology perspective, but more importantly from a continued business operational focus. |
| |
|
| |
| |
