Integrated Report 2021

Chief Risk Officer's report

“EOH is now firmly on the Road to Green – our journey towards verifiable, meaningful, lived compliance with high ethical standards, at every level of the organisation. We believe that this progress not only strengthens the Group and supports sustainable and profitable growth, but also contributes to mending the moral fabric of our country.”
Fatima Newman, Chief Risk Officer

GRC has traditionally been perceived as existing to protect companies from people. However, we believe most people are honest and ethical. GRC can do so much more than merely prevent unethical behaviour – it can empower that majority, give them courage, strengthen their convictions and build stronger organisations. Done properly, GRC is an enabler and protector of people and a foundation for business growth.

Effective GRC goes beyond regulatory and statutory compliance to create a rigorous ethical and moral framework informed by the priorities and aspirations of society as a whole. EOH views GRC as a differentiator and competitive advantage that is a leading force shaping Company culture, strategy and action.

ENHANCING THE GRC FRAMEWORK AND EXPEDITING RISK REMEDIATION THROUGH SYSTEMS AND TECHNOLOGY

The EOH GRC team is a small multi-disciplinary unit with cross-functional experience that combines expertise in GRC, legal, internal audit, HR and procurement. Given the complex structure of the business, our approach has made full use of the developers and system engineers in the Group to build technological solutions that increased the reach and impact of the team. The resulting GRC toolbox makes the most of technology to gather, record, consolidate and simplify information, freeing up the team to do what humans do best: think, engage, analyse and plan.

This toolbox has evolved into a GRC-as-a-service ecosystem – a suite of solutions that together enable and empower GRC processes to run more efficiently, effecting compliance as an outcome rather than an exercise. While the toolbox was developed for internal use, we believe that it provides an innovative and effective integrated solution for other enterprises, and a number of engagements with external customers during the year confirmed this.

We customised and implemented a contract management solution to ensure controlled and appropriate legal contracting across the Group that aligns with the business’s risk appetite and risk mitigation measures. We also implemented a document management solution to ensure proper case and litigation management, centralising storage and reporting of critical information and documentation. Good progress is being made in centralising and automating collection and analysis of compliance data on Cerebro, our compliance platform. Digitisation of risk management continues and we are developing a process to assess risk relating to employee travel, including risk profiles of travellers and destinations in terms of both COVID-19 and security.

RESOLVING LEGACY ISSUES

The ENSafrica Forensic Investigation concluded during the year, culminating in the CEO and an ENSafrica representative testifying before the Zondo Commission in relation to fraud and corruption on certain historic EOH contracts. The information from the investigation informed the decision to issue summonses against the members of EOH’s previous leadership implicated in these contracts. The Group has continued its engagements with the SIU and National Treasury to close out the remaining legacy issues: a settlement regarding the Department of Defence contract has been concluded and negotiations on the Department of Water and Sanitation contract are nearing resolution.

Formalised governance controls are in place for all public sector engagements, including the Bid Review Committee (‘BRC’) process and contract playbooks, based on our learnings from the ENSafrica Investigation. EOH has reiterated its commitment to public sector work that has been won fairly and on mutually beneficial commercial terms.

We remain focused on reducing ongoing legal fees. Legal costs in FY2021 included finalising the ENSafrica Investigation and issuing the legal processes against former EOH executives. Other recurring legal costs have come down significantly with the high-cost items relating mainly to one-off business critical processes, such as the legal processes and defending legal claims instituted against EOH.

CYBERSECURITY

Cybersecurity has been a growing concern for all organisations for a number of years, and the concern intensified at the start of COVID-19 with the shift to remote work. The Protection of Personal Information Act (POPIA) further emphasises the importance of protecting companies’ networks and data.

As a company with many subsidiaries, EOH needs to ensure that effective cybersecurity solutions are in place, with a focus on the three primary components of cybersecurity – people, process and technology.

EOH Group IT sets Group-level security standards, owns the governance framework and ensures that both are consistently applied across all business entities. Each business unit or subsidiary head is accountable for adherence to governance and compliance with security controls and standards within their area of responsibility. Each business unit identifies information asset owners who work with Group IT to implement the controls and standards.

As our first line of defence against cyberattacks, employees play a critical role in protecting information assets. Employee training and education is a priority and includes education on their rights under POPIA to help them understand the Company’s obligation under the Act.

We are rearchitecting our network environment to modernise it and cater for the new way of work, in which employees work from anywhere at any time. This includes strengthening our zero trust architecture, moving away from the assumption that anything inside the organisation’s network can be trusted to a “never trust, always verify” principle. This approach recognises that the point of initial compromise is often not the attacker’s target, and so it implements controls that prevent lateral movement within the network, using microsegmentation and granular perimeter enforcement based on data classification, user identity and location.
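To make the principle concrete, the following illustration is added here and is not EOH’s own code: a default-deny, per-request access decision of the kind a zero trust network enforces, shown beside the perimeter model it replaces. The segment names, roles, data labels and the location rule are assumptions made for the example. The lateral move from a compromised workstation that the perimeter model allows is denied because the role has no entitlement to the destination, while a verified HR analyst on a managed device in a permitted location succeeds.

```python
"""Added example (not EOH's code): a default-deny zero trust access decision
beside the perimeter model it replaces. Segments, roles, data labels and the
location rule are assumptions made for the illustration."""
from dataclasses import dataclass
from typing import Tuple

# Assumed microsegments and the classification of the data each one holds.
SEGMENT_DATA = {
    "corp-workstations": "internal",
    "hr-db": "confidential",
    "finance-db": "confidential",
    "public-web": "public",
}

# Assumed entitlements: the segments each role may reach. Unlisted = denied.
ROLE_SEGMENTS = {
    "employee": {"corp-workstations", "public-web"},
    "hr-analyst": {"corp-workstations", "public-web", "hr-db"},
    "finance-analyst": {"corp-workstations", "public-web", "finance-db"},
}

# Assumed location rule: confidential data may only be reached from here.
CONFIDENTIAL_LOCATIONS = {"ZA"}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_managed: bool
    src_segment: str
    dst_segment: str
    country: str


def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything already inside the network is trusted, so a
    compromised workstation can reach every other internal segment."""
    return req.src_segment in SEGMENT_DATA


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Never trust, always verify: user, device, location and the data
    classification of the destination are checked on every request; the
    source segment plays no part in the decision."""
    if not req.mfa_passed:
        return False, "identity not verified (MFA)"
    if not req.device_managed:
        return False, "device not managed"
    data_class = SEGMENT_DATA.get(req.dst_segment)
    if data_class is None:
        return False, "unknown destination segment"
    if data_class == "confidential" and req.country not in CONFIDENTIAL_LOCATIONS:
        return False, "location not permitted for confidential data"
    if req.dst_segment not in ROLE_SEGMENTS.get(req.role, set()):
        return False, f"role '{req.role}' not entitled to '{req.dst_segment}'"
    return True, "verified"


# Constructed scenarios.
# An attacker on a compromised employee workstation tries to reach the HR database.
LATERAL_MOVE = Request("attacker", "employee", True, True,
                       "corp-workstations", "hr-db", "ZA")
# A legitimate HR analyst on a managed device in a permitted location.
HR_ACCESS = Request("hr1", "hr-analyst", True, True,
                    "corp-workstations", "hr-db", "ZA")
# The same analyst with valid credentials, but on an unmanaged laptop abroad.
HR_FROM_ABROAD = Request("hr1", "hr-analyst", True, False,
                         "remote", "hr-db", "GB")

if __name__ == "__main__":
    for name, req in [("lateral move", LATERAL_MOVE), ("hr access", HR_ACCESS),
                      ("hr abroad", HR_FROM_ABROAD)]:
        print(f"{name}: perimeter={perimeter_decision(req)} "
              f"zero_trust={zero_trust_decision(req)}")
```

The point of the contrast is that the perimeter model answers only “where did this come from?”, whereas the zero trust decision asks who, on what device, from where and to which data, and denies anything it cannot positively verify.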

Group IT is developing a cybersecurity framework and an incident management playbook that records the root cause of each incident, the measures required to prevent a recurrence and the actions arising from concluded investigations, while additional safeguards are implemented.

We recognise that cybersecurity is an ongoing journey and we continue to strengthen our processes and controls to safeguard the Company’s networks and data, and those of our clients.

ENHANCING COMPLIANCE CONTROLS AND ENGAGEMENT

An outside business interest declaration tool was developed and implemented across the Group, achieving a 100% completion rate, and will be used for annual declarations going forward. We ran the EOH Ethics League, a well-received and successful learning management project that helped to embed the key GRC principles across the organisation. The necessary controls to ensure POPIA compliance were implemented, with further enhancements to these controls underway.

Compliance workshops were held across the business to unpack the regulatory universe, and the resulting control identification process is being carried out using a tool being developed on Cerebro. The Governance Committee was established to oversee implementation of the policy framework across the Group.

PRIORITIES FOR THE YEAR AHEAD

For the year ahead, the legal function will develop and implement systems to enhance legal awareness and application using contract management, data storage and analysis and machine learning to create a proactive, efficient and fluid legal function within the business. System development will focus on operational KPI monitoring tools and intellectual property frameworks.

Risk will continue to assess and address the challenges arising from the emerging hybrid work environment, which combines working from home and returning to the office, with a specific focus on managing cyber threats and ensuring compliance with data privacy laws. We will incorporate the lessons learned from our experience of remote work, cyber-attacks and civil unrest during the past year into our business resilience plans. We will also ensure that the Group-wide roll-out of the new ERP solution includes the necessary operational controls, and will monitor and mitigate the risk of business interruption should the roll-out not go to plan. We are currently conducting a risk scenario deep-dive on a number of scenarios to understand their drivers and mitigation measures.

Internal audit will continue to focus on driving audit efficiency and quality by exploring new ways of work and using technology in response to opportunities and threats, improving skills and completing the combined assurance milestones and GIA plan. We will also explore efficiency and cost-saving initiatives around credit and fuel card use, as well as variable pay assurance. The audit team is working on a fraud detection and ongoing monitoring solution that draws information from a range of sources, including payroll, purchase order data and tax and VAT submissions, and correlates these against information in the Companies and Intellectual Property Commission (‘CIPC’) database to identify conflicts of interest and double payment of fraudulent entities.
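The following worked example is added here and is not the audit team’s solution: it shows the kind of cross-source correlation described above, run over constructed records. The employee, vendor, directorship and payment data are invented for the illustration, and the matching keys (a normalised national ID number to link payroll to a CIPC-style directorship register, and a normalised bank account to link vendor records to each other) are assumptions. It flags an employee who is a director of a supplier without a declaration on file, two vendor records that pay into the same account, and the same invoice paid twice through those two records.

```python
"""Added example (not EOH's or the audit team's code): correlating payroll,
vendor, directorship and payment records to flag undeclared conflicts of
interest and double payment. All records below are constructed."""
from collections import defaultdict


def norm(value: str) -> str:
    """Normalise identifiers so that '800101 5009 087' and '8001015009087' match."""
    return "".join(ch for ch in value.upper() if ch.isalnum())


# Constructed payroll extract: employee number, name, national ID number.
EMPLOYEES = [
    {"emp_no": "E100", "name": "A. Dlamini", "id_no": "800101 5009 087"},
    {"emp_no": "E101", "name": "B. Naidoo", "id_no": "9005055000086"},
]
# Constructed outside business interest declarations: (employee, vendor reg no).
DECLARED = {("E101", "2015/123456/07")}
# Constructed vendor master from the procurement system.
VENDORS = [
    {"reg_no": "2015/123456/07", "name": "Naidoo Consulting", "bank": "62 1234 5678"},
    {"reg_no": "2018/654321/07", "name": "Dlamini Logistics", "bank": "62-9999-0000"},
    {"reg_no": "2019/111111/07", "name": "DL Freight", "bank": "6299990000"},
]
# Constructed directorship records in the shape of a CIPC-style register.
DIRECTORS = [
    {"reg_no": "2015/123456/07", "director_id": "9005055000086"},
    {"reg_no": "2018/654321/07", "director_id": "8001015009087"},
]
# Constructed purchase-order payment lines.
PAYMENTS = [
    {"po": "PO1", "reg_no": "2018/654321/07", "invoice": "INV-001", "amount": 15000.00},
    {"po": "PO2", "reg_no": "2019/111111/07", "invoice": "inv 001", "amount": 15000.00},
    {"po": "PO3", "reg_no": "2015/123456/07", "invoice": "INV-777", "amount": 8200.00},
]


def undeclared_conflicts(employees, directors, declared):
    """Employees who are directors of a vendor with no declaration on file."""
    by_id = {norm(e["id_no"]): e for e in employees}
    hits = []
    for d in directors:
        emp = by_id.get(norm(d["director_id"]))
        if emp and (emp["emp_no"], d["reg_no"]) not in declared:
            hits.append((emp["emp_no"], d["reg_no"]))
    return hits


def shared_bank_accounts(vendors):
    """Distinct vendor records that pay into the same account: one entity
    registered twice, the precondition for paying it twice."""
    groups = defaultdict(list)
    for v in vendors:
        groups[norm(v["bank"])].append(v["reg_no"])
    return {acct: regs for acct, regs in groups.items() if len(regs) > 1}


def duplicate_payments(payments, vendors):
    """Same invoice and amount paid more than once into the same account,
    even when the vendor records and invoice formatting differ."""
    acct_of = {v["reg_no"]: norm(v["bank"]) for v in vendors}
    first_seen = {}
    dupes = []
    for p in payments:
        key = (acct_of[p["reg_no"]], norm(p["invoice"]), round(p["amount"], 2))
        if key in first_seen:
            dupes.append((first_seen[key], p["po"]))
        else:
            first_seen[key] = p["po"]
    return dupes


if __name__ == "__main__":
    print("undeclared conflicts:", undeclared_conflicts(EMPLOYEES, DIRECTORS, DECLARED))
    print("shared accounts:", shared_bank_accounts(VENDORS))
    print("duplicate payments:", duplicate_payments(PAYMENTS, VENDORS))
```

Normalising the join keys before matching matters more than the join itself: identifiers typed with spaces, hyphens or different case in one system will silently fail to correlate with the other, and those gaps are exactly where conflicts and duplicates hide.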

Compliance will prioritise the continued roll-out of a compliance robotic solution that gathers information from across the automated process and presents data in an intelligent manner through a dashboard to save time and effort, support analysis and interpretation and improve decision making. We will continue to embed and roll out the compliance framework with a focus on breach management, complaint management, automated compliance risk management plans (‘CRMP’) processes and case management. We will continue adding processes to the Cerebro compliance management platform.

Previous GRC training combined principle-based and operational training. From FY2022, training will be separated into annual operational training and thematic principle-based training. We will continue to improve data privacy controls and processes, build out a fit-for-purpose compliance framework to meet the needs of the international business and ensure compliance with the Cybercrimes Act.

OUTLOOK

The control environment continues to strengthen across the organisation with the roll-out of increased digitisation and automation to effectively mitigate risk. Culture and ethics are improving as a result of training initiatives and ongoing interaction and collaboration across the business to educate on compliance principles and processes and embed the behaviours required for effective governance.

Fatima Newman
Chief Risk Officer

OUR RESPONSE TO COVID-19

Throughout 2020 and 2021, our response focused on the immediate crisis brought on by the pandemic, which required us to act swiftly to keep our employees safe and to give our customers the technological support they required. Our main responses during this time included:

  • Enabling a fully remote workforce
  • Implementing safety measures in the workplace where required
  • Assisting our customers to digitise so that they could continue operating
  • Assisting government with interventions such as the set-up of the Solidarity Fund

Building on the resilience and successes of what we achieved in the initial response, our next focus is to identify ways to restart the economy and create employment. We are building out a detailed response focusing on:

  • Supporting the vaccination programme through key targeted education interventions with our employees
  • Addressing vaccine hesitancy by providing scientific research to our employees
  • Defining our work from anywhere approach, with tools and technology that our customers can also leverage
  • Providing ongoing mental health wellness support for all our employees to assist with the effects of the pandemic and transitioning work environment