Ensuring effective control

The board is the focal point and custodian of corporate governance in the group. To this end, the board ensures corporate governance and good practice are inherent in fulfilling its responsibilities. The board charter sets out its roles and responsibilities. The board holds its directors accountable for their integrity, competence, responsibility, fairness and transparency.

Succession planning and performance

The board is satisfied the company is appropriately resourced and its delegation to management contributes to an effective arrangement according to which authority and responsibilities are exercised. The board approves the CEO and CFO's appointments. The remuneration committee is required to consider the CEO and CFO's performance annually against agreed performance incentive objectives. The audit committee is required to consider the performance of the CFO and the finance function, and will report thereon in its report included in the annual financial statements. Succession plans for the CEO and senior executives are in place and are annually reviewed by the nomination committee.

The board determines and approves, from time to time, the levels of authority for the CEO and the various members of senior management. The audit and risk committees monitor compliance with these predetermined levels of authority. The risk management function supports the audit and risk committees by monitoring and reporting any material non-compliance to the committees. The board meets as often as required, but at least four times annually.

Board chair, lead independent non-executive director and CEO

The board has a non-executive chair, Imtiaz Patel(1). The board is of the view that appointing a non-executive chair, who is not independent, is appropriate for the MultiChoice Group under the circumstances because the chair has valuable group, industry and regulatory intellectual capital to contribute to the business's future development and progression.

(1) Imtiaz Patel was recategorised as non-executive with effect from October 2020, when his executive contract ended.

Jabu Mabuza was appointed as the lead independent non-executive director with effect from 3 April 2020. The lead independent non-executive director acts in all matters where an actual or perceived conflict could exist and where it would be inappropriate for the chair to deal with the matter. In these circumstances, the board satisfied itself that Jabu acted with independence of mind and judgement, and there was no interest, position, association or relationship likely to unduly influence or cause bias in decision-making in the MultiChoice Group's best interests. Sadly, Jabu passed away on 16 June 2021. Jim Volkwyn was elected as the lead independent director with effect from 1 July 2021.

The CEO, Calvo Mawela, is responsible for leading the implementation and execution of the approved strategy, policy and operational planning of the group, and for ensuring the group's day-to-day affairs are appropriately supervised and controlled.

Information

Information relevant to a meeting is supplied to the board on a timely basis, which ensures directors can make informed decisions. To ensure directors can competently discharge their duties and effectively carry out their delegated responsibilities as committee members, they have access to information relating to matters associated with the MultiChoice Group, which is governed by an approved policy. The committees have unrestricted access to information that will allow them to act in accordance with their charters, with the process conducted in an orderly manner via the board chair.

Conflicts of interest

Potential conflicts are appropriately managed to ensure candidates and existing directors have no conflicting interests between their obligations to MultiChoice and their personal interests. All directors are required to annually declare personal interests. Declaration of directors' interests is a standing point on the board's agenda. Directors who believe there may be a conflict of interest on a matter must advise the company secretary and are recused from the decision-making process associated with that matter. The Companies Act process is applied in this regard. Directors are required to adhere to the group's policy on trading in MultiChoice Group securities. The trading in securities policy is aligned to the Financial Markets Act No 19 of 2012 and JSE Listings Requirements.

Shareholder communication

The group is committed to ongoing and transparent communication with its shareholders. In all communication with shareholders, the board aims to present a balanced and understandable assessment of the group's position. This is done through adhering to principles of openness, substance-over-form reporting, and striving to address matters of material significance to shareholders.

This integrated annual report is our primary form of comprehensive communication with shareholders, in accordance with King IV and the JSE Listings Requirements. We also engage with our shareholders during interim and final results presentations, and investor roadshows periodically. Further, the board encourages shareholders' attendance at AGMs and, where appropriate, will provide full and understandable explanations of the effects of resolutions to be proposed.

Assurance

The board, through the audit committee, oversees the group's assurance services and ensures these functions enable effective control and support the integrity of the group's information. The group follows a combined assurance model, which covers key risks through an appropriate combination of assurance service providers and functions. The assurance model includes line functions that own and manage risks, specialist internal audit, risk management support and compliance functions (for the group and significant subsidiaries), as well as external auditors and other relevant parties, such as regulatory inspectors and insurance risk assessors. This model is linked to key risks. An assessment of the effectiveness of our combined assurance model is reported on to the audit and risk committees. Internal audit reports on the internal control environment are submitted to the audit committee. The company secretary, group general counsel and external counsel guide the board on legal requirements. The audit committee appoints the head of internal audit, who has unrestricted access to and meets periodically with the committee chair.

Company secretary

The company secretary is responsible for guiding the board in discharging its regulatory responsibilities. Directors have unlimited access to the advice and services of the company secretary, who plays a pivotal role in MultiChoice's corporate governance policies and processes. She ensures that, in accordance with the pertinent laws, the proceedings and affairs of the board, MultiChoice, and where appropriate, shareholders, are properly administered. The company secretary monitors directors' dealings in securities and ensures adherence to closed periods. She attends all board and committee meetings. In accordance with King IV, the performance and independence of the company secretary are evaluated annually.

The nomination committee is responsible for recommending a suitable candidate for appointment as the company secretary. It reviews the competence, qualifications and experience of the company secretary annually and reports on whether it is satisfied therewith. Carmen Miller was appointed as group company secretary with effect from 11 June 2020. The board is satisfied with Carmen's competence, qualifications, experience, independence and suitability. Further, Carmen is not a director of MultiChoice and, after due consideration, the board is satisfied that she had an arm's length relationship with the board during the year.

Information and technology (I&T) governance

MultiChoice's I&T executive (the chief information officer) oversees I&T management in the group. The board is aware of the importance of I&T relating to MultiChoice's strategy and annually reviews and approves the I&T governance charter and cybersecurity policy. I&T governance is integrated into the operations of the group's businesses. Management of each subsidiary or business unit is responsible for ensuring effective processes for I&T governance are in place. The risk committee assists the board with overseeing I&T-related matters and I&T governance is a standing point on the risk committee agenda. I&T objectives are included in the risk committee charter. The risk committee considers the risk register, and reports on I&T from an internal audit and risk management perspective.

Compliance with relevant laws and ethical and responsible use of I&T are addressed through the group's code of ethics and conduct, legal compliance and data privacy programmes. Data privacy remains a high priority. Assurance providers, including risk management, and external and internal audit, provide assurance to management, the risk committee and board on the effectiveness of I&T governance, based on detailed controls to manage identified risks and reduce the likelihood of occurrence. These arrangements for governing and managing I&T enable the risk committee, and ultimately the board, to oversee the group's I&T governance.

The application of all approved policies and standards supporting the I&T control environment is assessed for maturity. Control self-assessments for each policy/standard are completed by the I&T governance, risk and compliance function to determine required improvements.

The CDSA audited the group's content security management system in February 2021, and both production environments were accredited in terms of this international security standard.

Cybersecurity

The group identifies and manages cyber risks as part of its enterprise risk management framework (ERM framework) and in line with international best practices and regulations in the countries where it operates.

The group focuses on the following four areas to mitigate cyber risks:

The I&T governance charter describes how the business should assess, manage and report on its I&T-related risks. In accordance with the I&T governance charter, businesses in the group manage cybersecurity risks and I&T operations in line with the MultiChoice Group's direction. The MultiChoice Group provides oversight and guidance while setting a policy to ensure activities happen in the approved ERM framework that supports the achievement of strategic objectives.

The MultiChoice Group periodically checks the security fitness of the businesses and requires quarterly governance status reports from the group's executives and governance structures as an integral component of ongoing business reviews. The segment risk and compliance departments support businesses with risk management activities, and an external subject expert provider performs cyber vulnerability scans and tests on an ongoing basis. The group risk committee annually reviews and reauthorises the cybersecurity policy and its implementation as part of its oversight and governance responsibilities. The group risk committee reports to the board in this regard.

Data governance and privacy

The group adopted a rigorous data governance approach supported by the establishment of a data governance forum consisting of data information officers, data protection officers, legal and regulatory practitioners, as well as business unit data stewards.

Monthly steering committees are held where data governance adherence practices are measured and key decisions made regarding the management of data privacy and rights. This forum, through one of its members, reports to the group's risk committee and social and ethics committee, which in turn reports to the group's board in this regard.

Data processing

Public privacy and employee privacy policies across the group set out what personal information is collected from employees and other users (data subjects) when using MultiChoice's systems, how the group collects personal information, why the group collects it and how the group uses it, and related matters.

In line with the European GDPR, South African POPIA and other country-specific regulations, data protection agreements were implemented for third-party service providers who require access to personal information to perform contracted services. These play a critical role in addressing risks relating to accessing, sharing and using personal information.

The MultiChoice Group recognises the following data subject rights:

  • Right of access
  • Right of accuracy
  • Right to be forgotten
  • Right to restriction of processing
  • Right to portability
  • Right to object
  • Right to complain

Great effort was applied to ensure the quality of employee data is improved. Similarly, a master data management project was initiated in the customer and product environments to improve the quality of customer data.

Data loss prevention

MultiChoice implemented data loss prevention on all employees' Microsoft products. This allows each employee to classify data according to the group data classification policy. Each category describes the required level of protection.

Data classification

To ensure employees do not accidentally disclose information, automatic scanning for sensitive fields in email attachments is performed. When sensitive information is found, the file is classified as strictly business confidential and automatically encrypted. At the same time, an alert notifies the data governance team when sensitive or private information leaves the organisation and when it is stored on local drives. This enables MultiChoice to proactively scan and prevent data losses.

Employee training and awareness

We conduct regular employee awareness campaigns, including the #PrivacyGuardian campaign, which focuses on creating awareness using newsflashes, screensavers and corporate affairs communications. In addition, data protection was the main focus area and a topic at the MultiChoice Group legal compliance conference held in July 2020. Two data privacy and governance courses were implemented on the MultiChoice e-learning platform. These courses, itemised below, are aimed at all employees and contractors who work with the personal information of our employees and customers:

  • POPIA module
  • GDPR and data governance module

Data privacy issues

We enable customers to log any data privacy issues via the privacy notice on the MultiChoice.com website. All other domains point to this central privacy notice. Customers can log any queries regarding data privacy using the web form. These queries are logged in an incident management system and tracked to ensure we adhere to reporting standards as supplied and required by the GDPR, POPIA and other country-specific privacy regulations.

There were no complaints received regarding breaches of customer privacy data, nor were there any complaints from any of the regulatory bodies. Further, no identified thefts, leaks or losses of customer data occurred or were reported.

Penalties

The MultiChoice Group operates in a highly regulated environment, making compliance a critical consideration. We participate in the regulatory processes affecting our industry through various public forums and debates, providing inputs on formulating standards and strategies for the industry.

During the year, there were no significant or repeated fines from regulatory bodies to companies across the group. Further, there were no environmental inspections by environmental regulators, no accidents, nor any environment-related fines imposed by any governments.

Performance and future focus

The group depends heavily on its I&T systems and processes to effectively and timeously enable and support the implementation of its strategic objectives. During the year, the group undertook a detailed monthly review to identify, evaluate and assess I&T risks in six key I&T areas. The results were presented and discussed at the I&T operational forum (chaired by the chief technology officer). Based on the review, the group developed mitigation plans to address the material risks highlighted.