Risk management: General risks

1. Operational risk
The Group mitigates this risk through its culture and values, a comprehensive system of internal controls, internal audit, forensic and compliance functions and other measures such as back-up facilities, contingency planning and insurance. The initiation of transactions and their administration are conducted on the basis of the segregation of duties, designed to ensure the correctness, completeness and validity of all transactions.

The management of risks associated with human resources is not addressed in this Report, but elsewhere in the Corporate Governance and Abridged Sustainability reports. 
The following functionaries assist in mitigating operational risk:
  Internal audit
  A Board-approved internal audit charter governs internal audit activity within the Group. Regular risk-focused reviews of internal control and risk management systems are carried out. The chief audit executive of Sanlam is appointed in consultation with the chairman of the Audit, Actuarial and Finance committee and has unrestricted access to the chairman of the committee. The authority, resources, scope of work and effectiveness of the functions are reviewed regularly.
  External audit
  The Group's external auditors are Ernst & Young Inc.

The external auditors provide an independent assessment of certain systems of internal financial control which they may rely on to express an independent opinion on the annual financial statements. Non-audit services rendered by the external auditors are strictly governed by a Group policy in this regard. The Group applies a policy of compulsory rotation of audit partners. 
Information and technology risk
The "Group Information and Technology (I&IT) Risk Management policy" is authorised by the Group Risk forum and the Group IT Governance committee and ratified by the Group Executive committee. It stipulates the role of the Information and IT Risk manager that each business is responsible for appointing. Furthermore, it provides a framework of IT risk management, the methods of reporting, assessment and action, appropriate documentation and management of all risk-related IT incidents that have occurred, timing of communication and liaison with other functions in the Group.

Reliance on and the continuous availability of IT systems and processes are inherent to the nature of the Group's operations. An important objective of the Group Information and Technology Risk Management policy is accordingly to ensure that the Group's IT resources and platforms are maintained and developed in line with changes in the Group's business environment and requirements, and that proper back-up processes and disaster recovery measures are in place. 
Going concern/business continuity risk
The Board regularly considers and records the facts and assumptions on which it relies to conclude that Sanlam will continue as a going concern. Reflecting on the year under review, the directors considered a number of facts and circumstances and are of the opinion that adequate resources exist to continue business and that Sanlam will remain a going concern in the foreseeable future. The Board's statement to this effect is also contained in the statement on the responsibility of directors in the annual financial statements. 
Legal risk
During the development stage of any new product and for material transactions entered into by the Group, the legal resources of the Group monitor the drafting of the contract documents to ensure that rights and obligations of all parties are clearly set out. Sanlam seeks to minimise uncertainties through continuous consultation with internal and external legal advisers, to understand the nature of risks and to ensure that transactions are appropriately structured and documented. 
Compliance risk
Laws and regulations:
Sanlam considers compliance with applicable laws, industry regulations and codes an integral part of doing business. The Group Compliance Office, together with the compliance functions of the Group businesses, facilitates the management of compliance through the analysis of statutory and regulatory requirements, and monitoring the implementation and execution thereof. 
Compliance with client mandates:
Rules for clients' investment instructions are loaded on an order management system, which produces post-trade compliance reports that are continuously monitored. On a monthly basis, these reports are manually compared with the investment instructions. When a possible breach is detected, the portfolio manager is requested to confirm whether a breach has taken place, to explain the reason for the breach and indicate when it will be rectified (which is expected to be as soon as possible). Further action may be taken, depending on the type of breach. The detailed results of the mandate monitoring process are discussed with the head of investment operations on a monthly basis.
Fraud risk
The Sanlam Group recognises that financial crime and unlawful conduct are in conflict with the principles of ethical behaviour, as set out in the Group's code of ethics, and undermine the organisational integrity of the Group. The financial crime combating policy for the Sanlam Group is designed to counter the threat of financial crime and unlawful conduct. A zero-tolerance approach is applied in combating financial crime and all offenders are prosecuted. The forensic services function at Group level oversees the prevention, detection and investigation of incidents of unlawful conduct that are of such a nature that they may have an impact on the Group or the executive of a business cluster. Group Forensic Services is also responsible for the formulation of Group standards in respect of the combating of unlawful conduct and the implementation of measures to monitor compliance with these standards.

The chief executive of each business cluster is responsible for the implementation of the policy in his or her respective business and is accountable to the Group Chief Executive and the Sanlam Board.

Quarterly reports are submitted by Group Forensic Services to the Sanlam Life Risk and Compliance committee on the incidence of financial crime and unlawful conduct in the Group and on measures taken to prevent, detect, investigate and deal with such conduct. 
Taxation risk
The risk is addressed through clear contracting to ensure that policy contracts entitle policyholders to after-tax returns, where applicable. The Group's internal tax resources monitor the impact of changes in tax legislation, participate in discussions with the tax legislator to comment on changes in legislation and are involved in the development of new products. External tax advice is obtained as required. 
Regulatory risk
Regulatory risk is mitigated by ensuring that the Group has dedicated personnel that are involved in and therefore informed of relevant developments in legislation. The Group takes a proactive approach in investigating and formulating views on all applicable issues facing the financial services industry. The risk is also managed as far as possible through clear contracting. The Group monitors and influences events to the extent possible by participation in discussions with legislators, directly and through industry organisations.
Process risk
The risk of failed or inadequate internal processes is addressed through a combination of the following:
> A risk-based approach is followed in the design of operational processes and internal controls;
> Operational processes are properly documented;
> Staff training and the employment of a performance-based remuneration philosophy; and
> Internal audit review of key operational processes.
Project risk
A formalised, risk-based approach is followed for the management of major projects to ensure that projects are effectively implemented and the project hurdle rate is achieved. Key deliverables, progress and risks are monitored on a continuous basis throughout the project life cycle. Internal specialists and external consultants are used as required to provide specialist knowledge and experience.
2. Reputational risk
Risks with a potential reputational impact are escalated to the appropriate level of senior management. The Audit and Risk committees and Board are involved as required. Events with an industry-wide reputational impact are addressed through industry representative groups.
3. Strategic risk
The Group's governance structure and various monitoring tools ensure that any events that affect the achievement of the Group's strategy are escalated and addressed at the earliest opportunity. The Board has no tolerance for any breach of guidance.

Group strategy is addressed on a continuous basis at various forums within the Group, the most important of which are: 
> The Group's strategic direction and success is discussed and evaluated at an annual special strategic session of the Sanlam Board as well as at the scheduled Board meetings during the year;
> As part of the annual budgeting process, the Group businesses present their strategic plans and budgets to the Sanlam Group Executive committee, which ensures that the businesses' strategies are aligned with the overall Group strategy; and
> The Sanlam Group Executive committee, which includes the chief executives of the various Group businesses, meets on a regular basis to discuss, among others, the achievement of the businesses' and Group's strategies. Any strategic issues are identified at these meetings and corrective actions are immediately implemented.