Currently viewing: Chief Risk Officer's report / Next: EOH Governance Framework

Chief risk officer's report

"We have worked hard to bring on a multi-disciplinary team in the CODE function with expertise in GRC, legal, internal audit, HR and procurement. We have hired individuals with cross-functional experience so we can serve the wider organisation effectively and make a meaningful impact even with a relatively small team. We have a wealth of internal skills to assist us with building out our teams and technology wherever we can to streamline and take the friction out of day-to-day business processes."

Fatima Newman
Chief Risk Officer


Forensic analysis of risk

ENSafrica risk assessment


Group legal maturity assessment


Human capital maturity assessment


Strengthened governance and risk management

Bid governance framework


Internal audit function, plan and charter


Corporate governance framework


Updated governance structures and processes


Deliver justice and mitigate damage

Ongoing legal process


Expose IT whistleblowing app


Anti-bribery programme


A sustainable and ethical futureproofing for people

Employee Code of Conduct


Know your client (for suppliers)


Recruitment of key skills


Employee ethics training and platform


QNow that EOH has concluded the investigation into the legacy business practices, what further steps still need to be taken?

To date, EOH has instituted legal action against a number of the perpetrators identified as part of the investigation. In addition to providing information to the Hawks and the Financial Intelligence Centre (FIC), EOH has been engaging with the National Treasury and the Special Investigating Unit (SIU). An agreement has been reached between the SIU and the Company over repayment of the over-payment to EOH on the Department of Defence licence agreements.

QEOH recently changed auditing firms. What level of review did they do on the forensic investigation and how comfortable are you with the outcome?

We ran an extensive and detailed legal review and used one of the big firms to do a further independent assessment. The review covered 161 contracts and was done on a very granular level.

Allegations were investigated by ENS using a risk based approach. These allegations were categorised according to customers and in some cases the allegations were linked to specific contracts using evidence obtained both forensically and through data that was readily available. In a number of cases the allegations were found to be unfounded and in others, there was insufficient information to conclude. EOH has discharged all of its reporting obligations in terms of PRECCA and other appropriate legislation.

PwC conducted their own intensive track and trace exercise and:

  • verified the process followed;
  • reviewed the evidence supporting the legal conclusions; and
  • assessed the reasonability of the provisions and contingencies detailed within the financial statements for both 2019 and 2020 financial years.

I am pleased with the outcome and am confident that the process followed by EOH had adequately provisioned for any potential legal claims against EOH and in some cases our 2019 legal claims provisions were higher than the settlements ultimately agreed with relevant parties.

QThe legacy issues in the public sector business have been a key part of the clean-up of the company. Can you elaborate how you and your team have gone about implementing process to ensure the highest governance and compliance standard?

As we have previously advised, we have been closely managing and tracking the operational and financial viability of eight legacy public sector contracts that have had a negative impact on the financial performance of the business. A special task team (Project Green) was set up to ensure these projects receive the right level of executive support to allow for resolution.

We have learned many lessons from this exercise and have used the knowledge garnered to put in place robust processes that will ensure that our bidding processes going forward will be conducted in an ethical and transparent manner. We have made improvements to our know your customer (KYC) and know your supplier (KYS) processes by centralising and digitising elements of the screening process to ensure robust vetting processes are in place. We have also created a Bid Review Committee that meets weekly to review all public sector and material private sector bids. This Committee includes members from CODE and the business to ensure risks are identified and assessed and a go/no go decision is taken on the bid. We have also rolled out training to our people to help them understand the basic tenets of ethical contracting. As an added bonus, the policies and procedures that have been put in place from this process have enabled a seamless, robust and well governed transition into a remote-working digital environment.

Q How has the governance function changed over the past year?

We have worked hard to bring on a multi-disciplinary team in the CODE function with expertise in GRC, legal, internal audit, HR and procurement. We have hired individuals with cross-functional experience so we can serve the wider organisation effectively and make a meaningful impact even with a relatively small team. We have a wealth of internal skills to assist us with building out our teams and technology wherever we can to streamline and take the friction out of day-to-day business processes.

QWhat role do you believe technology can play in enhancing governance and compliance?

Technology has started to play a critical role in strengthening and monitoring our control environment and the management of risks within our organisation. I believe that the use of AI and robotics to enhance data interrogation and analysis will help to identify compliance and governance related issues which will allow the GRC functions to respond rapidly.

QHow has EOH ensured compliance policy adoption within the organisation?

When it came time to roll out training, we adopted two approaches which I believe gave us a significant advantage. Firstly, we didn't try to adopt a one-size-fits-all approach. Training our Board was going to be a different proposition compared to training some of the business units. We therefore began with an analysis of our audience and worked from there. The second decision was not to rely on traditional training methods. The EOH culture is very much centred on continuous learning in a way that relies on technology. We consequently met people in that space, making use of robotics and gamification (through our Galactic Learning Management System) to craft an engaging learning platform. In the end, the result - 97% uptake of GRC training across the organisation - speaks for itself!

Q How has the organisation responded to COVID-19 from a Governance, Risk and Compliance perspective?

We have known for some time that, as a risk management function, we would need to be well prepared for a significant event such as a pandemic or the impact of climate change. I am pleased by how well we were able to organise ourselves and respond to the COVID-19 pandemic. A COVID-19 Crisis Management Team (CMT) was immediately established comprising Executive Management across the business and functional areas. The CMT team allowed us to respond quickly and deal with any challenges. A plan was developed for each level of lockdown as it related to employees, facilities, travel, essential services and permitted services. Given the speed with which we were thrust into a new way of work, we updated our remote work and leave policies, as well as provided employees with remote work playbooks to assist them with this new way of work. Fortunately we were able to rapidly introduce technologies that allowed us to implement screening measures at all our facilities as well as manage capacity to ensure appropriate social distancing.

Furthermore, in the first month of the national lockdown, special lockdown leave was implemented in order to not prejudice our people. Special COVID-19 leave for family responsibility was also made available. EOH ran two separate surveys over this period to assess employee wellness and challenges faced by our people. Employee engagement took place weekly in the form of town halls to discuss and share insight into the pandemic and the Company response to it. Wellness Wednesday was instituted and to date over 3 500 employees have participated.

Q There has been a rise in cyber-attacks over the past few months as we have seen more and more reports on companies that have experienced security incidents, how are you dealing with this threat within EOH?

As a company with so many subsidiaries, we need to ensure that cyber-security solutions around risk and people structures are in place. We have made some progress in this area as set out below but there is still more to be done.

  • EOH Group IT sets the security standards, controls and governance framework in place for the entire Group and ensures that they are consistently applied across all business entities. Each BU/subsidiary head is then accountable for the adherence to governance and compliance to the security controls and standards. Information asset owners are identified in each business unit that works with Group IT to implement the set controls and standards.
  • Furthermore, we stress the importance of the role that each employee plays in the protection of our information assets. Our employees are the first line of our defence. We thus emphasise employee training and education using our Learning Management Systems. With the Protection of Personal Information Act (POPIA), employee education is also massively important - the best way to educate staff on POPIA is to educate them on their own rights under the Act, this in turn helps them understand the Company's obligation under these regulations.
  • EOH is also currently in the process of rearchitecting our network environment to modernise it and cater for a new way of work for our employees to work from anywhere at any time. The plan is to move towards a Zero Trust architecture. The purpose of a Zero Trust architecture is to address lateral threat movement within a network by leveraging micro-segmentation and granular perimeters enforcement, based on data, user and location. This is also known as the "never trust, always verify" principle, determining Zero Trust.

Q What are your focus areas for the 2021 financial year with regards to GRC within EOH?

We will be focusing on our Governance, Risk and Compliance (GRC) technologies over the next year, especially as it relates to risk management and the automation of data analysis in order to identify and quantify risks facing the organisation. This will allow for an expedited remediation process.

We will continue to focus on our regulatory control universe and enhance our engagement with key stakeholders in preparation for new regulations. Embedding a robust Group-wide policy framework and ensuring that the Group is POPIA compliant by 30 June 2021 remains a priority. Finally, we aim to use systems and technology to enhance legal processes and frameworks and are also targeting a reduction in legal costs and litigious cases.

I must add that seeing our CEO, Stephen Van Coller and Steven Powell, who led the ENSAfrica forensic investigation, testify before the Zondo Commission was a proud and poignant moment. It gave me comfort that the thorough and lengthy investigation and legal processes that we have followed to this point, are clearly yielding results.

As a business, we have come full circle as the law enforcement agencies can now take over and we can close this chapter. We can now focus on doing what we are in business to do: provide globally competitive technology services and innovations – ethically and with integrity.

Fatima Newman

Chief Risk Officer