Executive summary of this risk report
- Group risk management supports the implementation of the four strategic choices.
- The group principal risk owners (GPRO) own relevant Capricorn Group material matters, and specific board committees have oversight of these.
- Our risk management practices are aligned to King IV™, and we apply our group risk, internal control and assurance framework according to the unique features of each operating entity.
- The principal risks are defined and mitigating actions explained, combined with key risk indicators, trends, oversight accountability and future focus areas.
- Nine principal risks show stable trends, one is deteriorating, and four are improving.
The Capricorn Group recognises that the foundation for a sound governance, risk and compliance environment is an effective risk culture. Risk culture is woven into the fabric of our corporate culture, The Capricorn Way. We create an environment where every employee knows the group’s strategic choices and his or her role in relation to strategy and the obligation to manage risk.
Employees are enabled to manage the risks that are part of their daily work and to adapt to changes in the economic cycle, new customer requirements and the ever-increasing competitiveness of market participants. Through our risk culture, we earn the trust of our customers, employees, shareholders and society.
Capricorn’s Risk Culture Building framework is based on four pillars, which link directly into The Capricorn Way. Face-to-face Risk Culture Building Awareness training sessions were conducted with boards, management teams and employees of majority-owned subsidiaries in all four countries in which Capricorn Group does business.
Building a risk culture
Philosophy and approach
The Group Risk Internal Control and Assurance Framework (GRICAF) follows a systemic approach to risk and control framework design to ensure that our risk management practices support and sustain the performance objectives of the system as a whole. Capricorn Group further promotes decentralised risk management responsibility where executives are accountable, and everyone is responsible for managing risk. Risk management practices are guided by business objectives and formal risk capacity, appetite and tolerance statements.
At a strategic level, the objectives of GRICAF are to:
- optimise efficiency through effective use of risk resources in the group;
- directly contribute to the creation of end-customer value by eliminating unnecessary tasks in the process;
- build standard risk management accountability, principles and processes into the business management process; and
- ensure that risks are understood and managed proactively within acceptable risk capacity, appetite and tolerance.
Risk management and strategy
The strategic choices help to frame the long-term direction for risk management infrastructure, key skills and risk management capabilities. The implications of the strategic choices (see below) have been carefully evaluated to determine the right level of maturity for the GRICAF and to pinpoint focus areas such as developing analytical and electronic crime prevention capabilities, strengthening legal, compliance and due diligence processes and transitioning manual processes to automated workflows.
Risk and governance structures aligned to material matters
Material matters have an impact on the strategy and operations of the group. As such, they form part of the context for risk management and are, therefore, linked to principal risk frameworks and risk governance structures.
As part of the material matters identification and approval process, we mapped the material matters against principal risk categories and confirmed the appropriate board committee that should provide oversight per material matter.
The Bank of Namibia embarked on the implementation of Basel III in 2017. The first Basel III determination, BID-5A (capital requirements for credit, market and operational risks), was issued on 24 August 2018 and became effective from 1 September 2018. The capital requirements for credit risk under Basel III remained the same as the capital requirements under Basel II.
The second Basel III determination, the revised BID-6 (minimum liquid assets), was issued for commentary in June 2018. The two Basel III liquidity ratios, the Net Stable Funding Ratio and the Liquidity Coverage Ratio, were not addressed in the revised determination.
Banking regulation in Botswana and Zambia is based on Basel II. The Bank of Botswana has indicated that it will engage the industry in 2020 on the implementation of Basel III.
How we govern risk
The board assumes responsibility for the governance of risk and sets the direction for how risk should be approached in the group. The board recognises that risk is about the uncertainty of events and that these could potentially have a positive or negative impact on our ability to create value.
The board allocates the responsibility for oversight and governance of risk management to the BARC. The Group CEO is the senior executive responsible for the implementation of a sound risk management framework. The executive officer for ERM has delegated authority to facilitate the appointment of group and entity principal risk owners (PROs) and the development of appropriate risk and control frameworks for each of the principal risks. Each principal risk is assigned to an executive officer with relevant expertise as the PRO. Entity PROs are responsible for the risk management frameworks within the respective entities. Group PROs are responsible for the appropriateness, effectiveness and consistency of principal risk frameworks across the group. Central risk functions within the banks and at the group head office are responsible for providing the risk management infrastructure (guidance, policy, standards, processes and tools) to support the GRICAF and provide oversight and assurance.
Alignment with King IV™
Capricorn Group, with the assistance of a governance expert, reviewed King IV™ with a view to:
- ensuring alignment in the understanding of the King IV™ philosophy, corporate governance outcomes, the 17 principles and how to apply the principles through supporting practices;
- assessing the appropriateness of current practices in support of the outcomes required by every one of the 17 King IV™ principles; and
- identifying proposed changes and enhancements to current practices to ensure more effective application of the King IV™ principles and practices.
The group governance framework and GRICAF support the 17 principles of King IV™ and provide a stable foundation for the following enhancements that were identified and implemented:
- An ethics strategy and action plan, informed by a group-wide ethics risk assessment, was approved and initiated. The ethics officer was certified by the Ethics Institute of South Africa.
- A review of the terms of reference of board committees and the quality and appropriateness of reporting was completed.
- Closer alignment between strategy and risk management practices was achieved through the linking of material matters to the principal risk frameworks and the identification and formal reporting within the governance structure of risks to the strategy, suboptimal risk-taking (too much or too little) and emerging risks.
Creating value through Enterprise Risk Management (ERM)
Through the group’s ERM process, we proactively identify and act on risks and opportunities that impact on the group. This supports the successful implementation of our strategy and ensures that we achieve desirable outcomes.
The strategic choices of the group are supported by a risk management framework that is becoming dynamic as it matures. This stage of maturity is characterised by a risk and control environment that senses changes in the operating environment and responds to them dynamically. The focus of dynamic risk management is on continuous improvement of methods and procedures, proactive risk identification and reward, assured regulatory delivery, and risk behaviours that are evidenced in the industry. This leap from an established, process-oriented framework to a responsive and dynamic risk management framework is supported by investment in technology and building a risk culture.
The effective management of risk depends on the decisions employees take every day, in their roles and in any situation, to mitigate, control and optimise risk and so add value to the business. The risk culture principles and their practical application were shared with all employees as a component of the Risk Culture Awareness Training to support better risk decision-making.
Enablers of a dynamic risk management system
Group Risk, Internal Control and Assurance Framework (GRICAF)
The group maintains the GRICAF based on the standard risk practices of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Basel II/III. The GRICAF encompasses the risk management value chain, highlighting the primary activities and role-players involved in risk management.
The uniqueness of each operating entity is considered when the GRICAF is applied. For example, credit risk only applies to lenders, and investment risk only applies to Capricorn Asset Management (CAM). The standard practices of the GRICAF provide a common language and understanding of risk, which allows the group to standardise and aggregate risk reporting to enable effective oversight by governance structures.
Oversight of risk management and group management model
The Capricorn Group board is ultimately accountable for the adequacy of the GRICAF. The board discharges its responsibilities for risk management through the group governance structure (refer to the governance report) and specifically the BARC. The board is assured of the adequacy of the GRICAF through the second and third lines of defence consisting of the risk, management assurance, compliance and internal audit functions. In a coordinated approach, these internal functions provide the board with a view of the execution of the GRICAF practices by the various role players. In addition to the internal functions, the board draws on the perspectives of external auditors and regulators who conduct regular reviews of the operating entities in the group. These external perspectives are combined with the views of the internal functions to provide the board with an overall evaluation of the implementation adequacy and effectiveness of the risk policies and frameworks. Any improvement areas identified in the reviews are tracked for implementation by management to ensure the continuous improvement in the GRICAF. Based on the combined assurance provided by the external and internal assurance providers, which did not highlight any material gaps in the GRICAF, the board is satisfied that the GRICAF was adequately executed during the 2019 financial year.
The group management model encompasses corporate responsibilities (for example the governance model design), centres of expertise (typically central risk functions, for example, the operational risk department), shared services (such as compliance monitoring, internal audit and AML) and operating unit activities (most of the risk processes). The management model provides the framework for structuring in optimal ways to ensure the following:
- effective execution of business processes which consistently achieve process objectives;
- optimal cost efficiency and making the best use of risk resources in the group;
- the ability to scale with the growth of the group; and
- remaining attuned to the local requirements of the various operating environments.
Risk services are provided through an optimal mix of centralised services, such as corporate functions and centres of expertise (for example governance, audit, compliance and risk culture building) as well as decentralised local services such as central risk teams in banks.
Risk capacity, appetite and tolerance (RCAT)
The RCAT is used by the board to set the group’s capacity, appetite and tolerance thresholds for risk. The RCAT collectively refers to qualitative and quantitative statements. The board sets qualitative risk appetite as well as quantitative risk capacity and appetite thresholds. The executive, through PROs, sets quantitative tolerance thresholds for each of the principal risks. Quantitative measures include thresholds that, if breached, trigger a change in status that attracts a higher level of monitoring and, where required, remedial action. The capacity and appetite statements are reviewed at least annually, and measurements are reported to the risk committee, executive management team and the BARCs.
Risk capacity, appetite and tolerance (quantitative and qualitative)
The board approves the RCAT annually. Quantitative indicators are aligned with the approved budget.
Risk management oversight and governance are structured in line with the size and complexity of a subsidiary, within its legal and regulatory environment:
Banking subsidiaries’ risk oversight structure
Strategic and principal risks
The group risk function prepares a quarterly report to the BARC to assess emerging matters and material issues that could impact the successful implementation of the strategic choices within the appetite set by the board as well as the aggregated risk profile and the status of issue remediation. The report scope includes all the Capricorn Group subsidiaries. The quarterly report enables better governance of risk because it exposes the key risks to our strategy and identifies gaps in the risk management framework and the progress made by management to close the gaps. The detail provided in the report enables the relevant governance forums to have robust discussions and make decisions when needed.
In addition to listing the risk profile of principal risks in the group, the report has been adapted to incorporate dynamic risk management elements that are more forward-looking in nature. The report is structured around three questions:
- What are the risks to the strategy of the group?
- Where are we potentially taking too much or too little risk (in relation to RCAT)?
- What are our emerging risks?
Key topics discussed by the BARC in relation to the above questions included:
- Market liquidity and the cost of funding in Botswana
- Regulatory compliance with electronic AML reporting to regulators in Botswana and Namibia
- Emerging competition from fintech companies in Botswana
- Business continuity and disaster-recovery readiness
- Commercial opportunities in the treasury environment
- Instability of IT systems at Bank Gaborone and Cavmont Bank
- Credit risk impacts of non-performing loans
- The Cavmont Bank turnaround plan
2019 group risk profile
Capricorn Group is a regional provider of financial services, and it assumes risk exposure by the very nature of its business and its operations.
The group identified 14 main risk categories that apply across the various operating units in all three jurisdictions (Namibia, Botswana and Zambia). The main risk categories have been defined as principal risks that are each managed according to the risk management framework.
The principal risks for 2019 are listed below.
- Finance and tax
- Financial crime
- Investment (applicable only to CAM)
The trend reflects the direction of the risk profile during the financial year considering the effect of management actions and/or external factors on the residual risk profile.
Improving = The risk profile improved during the period.
Stable = The risk profile remained largely unchanged over the period.
Deteriorating = The risk increased during the period.
Red = the risk has exceeded the board risk capacity and appetite thresholds.
Amber = the risk is within appetite and closely monitored due to its proximity to the board risk capacity and appetite thresholds. For some risks, this could indicate an optimised risk/reward relationship.
Green = the risk is comfortably within appetite and, for certain principal risks, this could indicate capacity for more risk taking.