Prudent risk management is critical to SAGT’s operations; thus, a well-structured risk management process is in place to identify potential risks and ensure their mitigation.

Risk Identification

Risk events are defined as events which, should they occur, may be detrimental to SAGT’s ability to meet its stated objectives.

SAGT classifies risk events in the following ways:

• Common Risks – these are the risks commonly identified during departmental RCSAs. These risks are then incorporated into the Company’s consolidated risk grid and are assigned a rating.

• Department-specific Risks – these are risks that apply to individual departments.

• Core Risks – core risks are defined as those that carry catastrophic impact both to and from the Company; typically, these risks are categorized as having a very low or nil probability of occurrence. These risks, should they occur, are a threat to the sustainability or long-term viability of the business.

Risk Rating

SAGT applies a rating system to determine the level of risk of each risk event:

• Likelihood of occurrence – the rating of the probability of occurrence from 1 to 5

• The severity of impact – the rating of the impact to the business from 1 to 5

• The velocity of risk – the assessment of the speed at which the impact of the risk would hit the organisation

‘Residual Risk’ is the overall level of risk assigned having given due consideration to all risk control and mitigation measures that are in place already.

Risk Mitigation and Monitoring

Within the risk management framework, each risk event identified will have a corresponding mitigation action, which may be classified as preventive, detective or corrective action. Each risk event is assigned a Risk Owner who is responsible for managing the particular risk and the plans to mitigate it.

Departmental RCSAs are reviewed every quarter; individual departments hold responsibility for carrying out such review and communicating the status to the management committee so that individual risk ratings may be updated, consolidating the Company’s overall RCSA for the quarter.

Risk Reporting

The Head of Internal Audit Risk and Compliance is responsible for the tracking and analysis of changes in the SAGT risk rating system over time, as well as engaging in risk profiling and the tracking of incident reporting. Company-specific risks, as well as risks common to the sector and the industry, are then analysed and reviewed by the Senior Management Team, the Executive Committee and finally by the Audit Committee.

Internal Compliance

The CEO and CFO confirm compliance with statutory and other regulatory procedures during a self-certification programme conducted quarterly. They are also required to identify any significant deviations from the expected norms.

System of Internal Control

Internal controls entail the Senior Management Team and Executive Committee together with the Head of the Internal Audit and the Risk and Compliance Division obtaining assurances on the presence and proper functioning of systems that are designed to safeguard the Company’s assets.

The system of internal controls includes:

1. Clearing all transactional entries in a timely manner, and ensuring complete reconciliation,

2. Subjecting unreconciled and open entries to scrutiny and formally flagging them to the Audit Committee,

3. Ensuring the efficient management and tracking of cash and cheque deposits, in keeping with international best practices

4. Continuously streamlining the Internal Audit function by optimizing focus areas

Segregation of Duties (SoD) under Sarbanes-Oxley (SOX) Guidelines

The Company is aware of the need to ensure that no individual has unfettered system access to execute transactions across an entire organisation and as such has enforced critical approval linkages with a clear segregation of duties to prevent fraud, material misstatements, manipulation of financial statements and avoid the leakage of sensitive information to the public domain, among other things.

Senior Management Team (SMT) and Management Committee (MC)

The Company’s SMT and MC are collectively responsible for carrying out monthly operational reviews, and productivity and efficiency reviews, as well as for the quarterly review of SAGT’s economic, environmental and social impacts arising from the daily operations. The MC is further tasked with increasing engagement with the various internal stakeholders and in ensuring employee engagement and empowerment.

The underlying intention of forming the SMT and MC is to encourage responsibility and accountability at a more granular level by