Risk management

We are committed to effective risk management through building an empowered and risk-intelligent organisation that consistently meets or exceeds its performance objectives in a sustainable manner. What remains central to our risk management ethos is a mandate-centric and beneficiary-focussed delivery approach that, in its design and realisation, ultimately creates, preserves, and grows shareholder value sustainably.

Overview

Risk management is an integral part of our governance model and daily operations. We not only focus on ensuring that we minimise uncertainty by curtailing the downside effects of risk, we also, where feasible, actively seek to capitalise on the potential upside presented by strategic and operational opportunities that aid in the achievement of our strategic objectives. The view of the organisation on risk is that the NLC should enhance its strategic and operational resilience through formulation, deployment and enablement of effective risk sensing and intuitive risk response, which is integrated through formalised scenario planning. The Board holds an additional perspective that risk, if well studied and understood, may hold opportunities that the organisation can exploit for competitive value creation. As a result, the organisation has deployed a formalised risk opportunity management framework as a sub-set of the enterprise risk management framework. Through this process, the NLC is able to consider strategic change opportunities, operational optimisation requirements and additional areas where collaborative innovation provides a better return on investment than traditional risk mitigation strategies.

We recognise that our work has a direct impact in certain areas on shareholder value, risk and, in some cases, reputation. We therefore deliberately adopt a view that our work should, in material segments, correlate and strike a balance between our mandate and shareholder priorities, in so far as these promote positive performance and sustainability outcomes. Through ongoing shareholder interface through the Board and from an operational perspective through the Executive Management team, we continue to promote a positive and value-building relationship between the organisation and our shareholder. The organisation takes its reputation, that of its shareholder, and the National Lottery seriously and conducts its operations with relevant prudence to ensure that lottery participants are duly protected and that the organisation governs its affairs with a view to ensuring sustainability. We have thus engaged in a structured process of studying the key drivers of reputational risk on a proactive and historical basis and developed formalised reputation preservation and building strategies underpinned by a detailed root-cause analysis.

The risk implications of COVID-19

The organisation is committed to the principle that, although the nature and form of business continuity threats remain unpredictable and vague in form, we should deploy robust and responsive business continuity plans that ensure rapid response and recovery, despite the form of business disruption suffered. To realise this, the Board has ensured that the organisation’s scenario-based business continuity planning is formalised, fully implemented, and functionally tested on an ongoing basis.

At the onset of the COVID-19 pandemic within the borders of South Africa in early 2020, the organisation implemented immediate and formalised protocols to respond to the effects of the pandemic from a health perspective, as well as from performance and sustainability perspectives. Part of these protocols included the formal assessment of COVID-19 risks and development of a risk management response for each identified issue.

During South Africa’s COVID-19 lockdown levels 5 and 4, stringent restrictions were imposed. These had adverse impacts on both the NLC’s and the operator’s operations, because the sale of lottery tickets through retailers was restricted as part of a total basket of offerings considered non-essential during that time. In addition, grant applications – which are dependent on some degree of face-to-face contact for the 2020/21 call – were also delayed during this period. These restrictions introduced a need for the organisation to implement enhanced strategies, processes and technologies that would ensure continuity of operations and services in the event of business disruption.

Our policy on risk management

The organisation’s risk management efforts are directed by an enterprise risk management policy that is approved by the Board after receiving inputs and recommendations from the Audit and Risk Committee and the Executive Management team. This policy provides clear and measurable principles to be achieved by the risk management programme and observed by all officials within the organisation. There is clear ownership of the enterprise risk management policy by the Board and subsequent assurance reporting thereon is a key mechanism that the Board relies on to ensure compliance with the principles embedded therein.

The Board, Commissioner and all staff members, as well as stakeholders who utilise organisational resources and deliver the organisation’s programmes, products and services, are expected to observe the requisite prudence and ensure that they manage risk to prevent adverse impact on lottery participants, beneficiaries, the NLC, community lotteries, other stakeholders and the organisation, whether immediately or in the future.

The Executive Management team are accountable and responsible for managing risks within their business units and may delegate specific responsibilities appropriately. In enabling such a process and in response to the policy, the organisation has developed and implemented a formal enterprise risk management framework. The purpose of the framework is to guide and provide a detailed outline of risk management practices and behaviours that are implemented within the organisation in alignment with leading global and national practice standards.

Structure and accountability management

Driven by a risk-aware and risk-responsive culture, the Board has promoted and exercised its oversight function over management of risk within the organisation through the establishment of a sound risk policy, Audit and Risk Committee and effective interaction on risk matters with the Executive Management team. The Board does not play a passive or ceremonial role in the management of risk. Rather, on an ongoing basis, the Board commits sufficient time and effort to the deliberation of risks and the management thereof, both by learning from historical trends and information as well as proactively engaging with the potential risk environment through scenario planning and risk sensing processes.

The Board is accountable for the governance of risk and is assisted by the Audit and Risk Committee, which, operating in terms of its defined terms of reference, reviews and monitors the effectiveness of the risk management processes within the organisation in accordance with The PFMA No. 1 of 1999, corporate governance requirements, and defined organisational policies. The Audit and Risk Committee, through its oversight role, ensures that the risk management process is appropriately resourced and structured, efficient, effective and compliant with the relevant standards. The Audit and Risk Committee exercises oversight over the activities of the organisation’s external and internal auditors, as well as the organisation’s risk management function. To ensure that the risk management programme is adequately resourced and enabled for effective implementation, the organisation has implemented the following structure:

Board of the NLC

Accountable for the effective and efficient management of risk
 
  • Risk culture and leadership
  • Risk policy
  • Risk appetite
  • Stakeholder assurance

Commissioner

Risk culture, implementation, monitoring and assurance

Key areas of responsibility

  • Providing executive team leadership in development and implementation of a well-resourced, robust and culture-centric risk management programme.
  • Leading in the risk oversight process within the organisation through effectively contracting with the executive team, as well as ongoing risk monitoring and accountability management.
  • Providing primary assurance overview to the Board and Audit and Risk Committee.

Audit and Risk Committee

Risk oversight, monitoring and independent assurance

Key areas of responsibility

  • Provision of independent oversight on the adequacy and effectiveness of risk management programmes and processes within the organisation.
  • Provision of oversight over the activities and outcomes of internal audit, external audit and risk management functions.
  • Provision of integrated assurance reporting to the Board on the status of governance, risk and compliance management.


STRATEGIC COMBINED ASSURANCE

Organisational lines of primary and independent assurance 
 

First layer assurance

Implementation, embedding, supervision 
 

Second layer assurance

Extended and cross-cutting assurance 
 

Third layer assurance

Independent assurance and validation 
         
  • Regulatory compliance division
  • Grant funding
  • Marketing and communication
  • Finance division
  • Commissioner’s office
 
  • Company Secretary’s office
  • Human capital division
  • Legal and forensics division
  • ICT division
  • Enterprise risk management unit
 

Key areas of responsibility

  • Independent assurance on the adequacy and effectiveness of risk management.
  • Advisory and input on combined assurance and enterprise risk management programme, either in support of the risk management process or support of risk management programmes.
   

Key areas of responsibility

  • Developing and implementing an appropriate risk framework and supporting subframeworks to enable risk management.
  • Enabling of an optimal risk culture through culture building interventions, as well as promoting an ethical organisation.
 
 

Strategic combined assurance

From an assurance perspective, the organisation has implemented a strategic combined assurance model to provide holistic integrated assurance on key aspects of governance, risk, and compliance within the organisation. Management and risk owners provide primary assurance through their planning and performance reporting processes, including related risk and control self-assessment processes. Committees and specialist teams within the NLC partner with risk owners to enable effective risk management and to provide an extra layer of assurance that performance and sustainability imperatives will be met. Internal auditors provide the Audit and Risk Committee with assurance that significant business risks are systematically identified, assessed, and managed to acceptable levels in line with the Board’s risk appetite. With consolidated reliance being placed upon assurance derived from the Board’s oversight, Audit and Risk Committee assurance to the Board and additional assurance from the Executive Management team through the Audit and Risk Committee, the Board is empowered to lead the risk management programme of the organisation and in turn to provide required stakeholder assurance.

Our risk appetite position

We are, on an ongoing basis, faced with risks that are inherent or related to our mandate and line of work. Risk, by its nature, will accompany pursuit of value. The NLC therefore, on an annual basis, decides through determination of risk appetite how much risk the organisation is willing to take (and manage) in pursuing its objectives. This ensures that the organisation is taking an optimal level of risk to meet the requirements of our mandate while minimising uncertainty.

We embrace risk, both as a factor that should be managed to reduce uncertainty, as well as a factor that may result in the creation of value. The realisation that the pursuit of value and risk are intertwined requires us to have some appetite for risk-taking in the pursuance of our mandate and value embedded therein. The relevant risk appetite position of the organisation is formally recorded in an approved risk appetite framework and statement. Risk appetite is based on an expression of the possible or actual effects of risk and an overall policy position as to the level of willingness to take on risks that present such effects on the organisation. Understanding risk appetite achieves the objective of balancing potential gains with the downside effects of risk.

As a separate but related consideration, the organisation also formalises its risk tolerance thresholds which, related to each risk appetite theme, reflect upon the degrees of variance in performance arising as a result of risk and the relative acceptability thereof. Defining and monitoring risk tolerance limits allows for the organisation to bring measurability to the elements within the risk appetite statement. Risk tolerance limits are also established with the intent of promoting prevention and early detection of potential risk appetite breaches.

Risk impact/theme and risk appetite statement
  Adverse health and safety
  • Zero tolerance for risks that may result in adverse health and safety events.
  Fraud
  • Zero tolerance for fraudulent activities.
  ICT infrastructure and systems
  • Aggressive risk appetite for risks related to the provision of world-class information technology solutions through digital transformation to support operational resilience and efficiencies.
  Information management and security
  • Zero tolerance for loss of sensitive and confidential information and data.
  • Zero tolerance for breach of privacy and the Protection of Personal Information Act 4 of 2013.
  • Zero tolerance for breach of information security.
  Reputational damage
  • Zero tolerance for incidents that compromise the integrity of the National Lottery.
  • Prudent appetite for events that damage our reputation and erode our brand.
  Regulatory sanction
  • Zero tolerance for non-compliance with relevant laws, regulations, policies, and procedures by the NLC.
  Illegal Lotteries and Sports Pools
  • Prudent appetite for illegal Lotteries and Sports Pools in South Africa.
  Impaired sustainability
  • Prudent appetite for taking risks that impair the NLC’s sustainability.
  • Aggressive appetite for risks related to revenue growth to enable the provision of grants for good causes and enhanced sustainability of the organisation.
  • Prudent appetite for controllable risks that may result in widespread and extended business disruption.
  Financial losses
  • Prudent risk appetite for risks that may expose the NLC to financial losses.
  Lottery participants not protected
  • Moderate to aggressive appetite for risks associated with ensuring the protection of National Lottery participants.

Our risk maturity journey

Our understanding and application of risk management as a strategic response to factors that create uncertainty in the organisation has evolved over time, spanning a period from ambiguous and non-integrated application of risk management protocols to a systemic, integrated and formalised risk management programme. As our understanding of our risk landscape has improved, so has our agility to respond to risk in an efficient and effective manner.

We conduct formal risk maturity assessments on an annual basis to determine areas of strength and opportunities for improvement in our risk management practices. Our most recent risk maturity outcomes in terms of the attribute-based maturity index for risk management demonstrate that our risk management programme is operating at level five out of six possible levels. This level signifies that we have transcended implementation stages and are now actively managing risk as we pursue the ultimate maturity level wherein we are considered as optimising risk and risk management. The results of the risk maturity assessment as well as other considered factors are used to develop a multi-year risk strategy and implementation plan to address routine risk management activities and to resolve noted gaps. Over the next three-year period, we will continue to drive a risk strategy and implementation plan that is powered by the outcomes of the risk maturity assessment. The key areas of improvement over the next three years will include the following focus areas:

Risk improvement plan three-year focus areas:
  • A2: Risk management philosophy
  • A3: Risk management culture
  • A4: Risk appetite
  • B2: Risk and strategic planning integration
  • B3: Risk appetite and strategy integration
  • B4: Risk contingency integration
  • C1: Performance indicator integration
  • C2: Risk adjusted performance targets
  • D2: Sustainability reporting
  • D3: Contingency management
  • E1: Risk identification and prioritisation
  • E2: Risk opportunity management
  • F3: Financing of risk mitigation
  • G2: Risk process effectiveness reviews
  • G3: Incident management

Key strategic risks and responses

Our top strategic risks are diverse and consider issues that may have a direct potential impact on the achievement of strategic objectives, annual performance plans, regulatory mandate, and reputation amongst other aspects. Through our formalised and ongoing risk assessment process we have ensured that strategic risk identification and assessment ceases to be a once-per-year process and becomes adaptive and current in its content. The core strategic risks of the organisation are as below.


Strategic risk statement and strategic objective

Inadequate regulatory oversight over lotteries and sports pools
We have formalised regulatory oversight structures and policies that are informed by our founding legislation. This is supported by a continual drive to ensure that the organisation has the requisite skills to enable effective regulatory oversight. As a continual enhancement strategy, we work on an ongoing basis with the Department of Trade, Industry and Competition to enable a responsive and up to date legislative framework that ultimately enhances protection of lottery participants and beneficiaries of the work of the NLC.

Inadequate compliance by the National Lottery operator
We continue to exercise ongoing and detailed oversight over the activities of the National Lottery operator. Through a technology and business process driven approach we receive ongoing updates either directly from the National Lottery operator or through our own independent review processes. The Independent Verification System (IVS) for independent verification of National Lottery ticket sales is a key control mechanism. We aspire to achieve real-time monitoring capability over the National Lottery operator through technology interface and investment.

Ineffective enforcement and prohibition action
Our focus on preventing, detecting, and combating illegal lottery operations is not only empowered by legislation but is also further enhanced through collaboration with other regulators, law enforcement agencies and stakeholders in the market and internationally. Through active media monitoring, formal registration criteria and an easy registration process for compliant lotteries, we continue to work hard to prevent illegal lottery activity. Indeed, the one challenge is a lack of awareness as to the nature of illegal lotteries and for that reason we prioritise ongoing awareness campaigns. Our hotline and complaints management process empowers affected individuals or entities to raise their concerns with us anonymously. We further rely upon civil litigation and recovery from illegal lotteries and possible criminal prosecution of illegal lottery operators as additional layers for enforcement.

Inadequate regulation and focus on sports pools (as part of mandate)
The NLC has developed a comprehensive strategy to focus on the regulation of sports pools. This includes clear targets that are tracked within the Annual Performance Plan of the organisation.

Ineffective change management
The organisation is working under the guidance of a revised strategic direction that provides clear emphasis on the core focus of the NLC, which is its regulatory mandate. There is also a formal communication management process as well as consequence management. Formalisation of the change management process through development and implementation of a formal change management strategy will bring structure and consistency to the process going forward. We continue to benchmark the local approach to regulation in comparison with international approaches, as well as source broader literacy in the lotteries market as a capability development intervention. We will continue to strive to regulate for impact and will develop tangible models to effectively measure impact from regulatory activities.

Failure to timely and efficiently appoint a competent national lottery operator
This risk highlights the potential challenge wherein the NLC’s administrative processes may be ineffective to ensure timely recommendation to the executive authority for the appointment of a national lottery operator. Through the request for proposal (RFP) management process, the NLC assists the executive authority to reach a conclusion on the National Lottery operator. This in combination with the fact that the NLC works with sufficient lead times supports a considered and balanced RFP process that is informed by a formal RFP strategy. A reserving strategy is in place to protect business continuity and ensure that the NLC is less affected by key business disruptions should these arise.

Critical business continuity disruptions
Formal business continuity planning is in place and this is supported by robust crisis management and emergency planning. Such supporting contingency management practices include a pandemic mitigation strategy, off-site back-up solution, a disaster recovery policy and structured health and safety management in terms of a formalised occupational health and safety policy. There are additional interventions in the form of an employee wellness programme and crisis communications management to deal with the fall out resulting from certain types of business disruptions. Going forward, periodic testing of the business continuity plan will be undertaken to ensure that under practical circumstances, the organisation can rely upon the business continuity plan.

Lottery and lottery-related gaming proliferation outside of regulation
Through resourcing and executing our enforcement and prohibition functions in terms of legislation, we continue to play a role in curbing illegal lotteries. At a broader scale, there remains a key need to ensure collaborative work between the NLC and other stakeholders within the lotteries and gaming sector, where possible.

Inefficient ICT infrastructure and systems
A formalised ICT strategy guides the priorities and focus areas of the ICT function of the NLC. This ICT strategy is aligned to and responsive to the organisational strategy. This is further supported by clear ICT policies, which are not only enabled logically but practically through awareness building amongst staff members and subject matter expertise enhancement within the ICT function.

Cyber security and Information security threats
ICT security remains a priority of the organisation and is addressed through a formal ICT security policy and its supporting sub-processes. Routine awareness building is seen to assist in limiting the occurrence of ICT threats because of human actions. Routine network vulnerability assessments subject the NLC’s networks to potential attack scenarios and determine areas of strength and those for improvement. An independent review of ICT security is planned, and the results thereof will be considered in determining key improvements to cyber security.

Failure to promote socio-economic welfare through funding activities
Funding for impact underpins the NLC’s ethos and approach to grant funding imperatives. We have formalised our grant funding policies and procedures over the years and continue to exercise close scrutiny over grant funding activities to ensure that the aspirations that inform our funding for impact focus are not lost. Through formalised grant funding calls, we ensure that grant funding is directed at sectors that are aligned with national priorities. Formal approval and disbursement management processes are in place. We will ensure that relevant relationships with stakeholders in the grant funding process are formalised and managed effectively.

Inadequate human resource capacity and skills to meet mandate and strategic obligations
A formal human capital strategy informs the NLC’s human capital management initiatives in support of the organisational strategy. This is supported by an enabling change management strategy at the human capital management level. Through skills mapping, the organisation is able to ensure that the required skillsets to enable the strategy are in place and where this is not the case, through the staff development programme as well as the recruitment and selection process, the required skills can be acquired. Additional wellness interventions are a key risk management measure that works with the health and safety policy. Performance management and related development is a formalised process within the NLC that is designed to drive performance through recognition, incentivisation and consequence management when it comes to individual and team performance. A skills audit is planned for future years.

Impaired financial sustainability
The annual and ongoing budget preparation and monitoring processes ensure that the organisation remains in touch with its financial health and implements required financial mitigations, where required, in a timely manner. The organisation implements a reserving strategy to absorb the financial effects of uncertainties and disruptions. This is combined with ongoing cost containment measures and revenue maximisation strategies that are reviewed formally at least annually. Cost containment is supported by awareness sessions with staff members that are designed to build a culture of cost saving whilst ensuring that the organisational mandate is achieved and exceeded.

Fraud and unethical conduct
Driven by a formal anti-fraud and corruption policy, the organisation enables timely fraud reporting, investigation, resolution and reporting through a range of related standard operating procedures. The organisation performs a periodic review of its fraud risks through a formal fraud risk assessment. We support openness and transparency through a clear set of organisational values, a clearly communicated whistleblowing policy and channels thereof, as well as protecting the rights of whistleblowers in terms of legislation. An ethics policy underpins our approach to ethics and this is overseen by the Human Resources, Ethics and Social Responsibility Committee. Through effective segregation of duties, awareness building and consequence management, we give priority to the management of fraud risks within the organisation, not only as a cause of financial losses but a key cause of reputational risk, as well as a direct cause of loss of value and protection for lottery participants and beneficiaries.

Emerging Risks

Although the preceding information provides a synopsis of the strategic risks that were initially identified by the organisation, due to our ongoing risk assessment culture, we normally identify additional risks during the year. We do this through a formalised emerging risk identification, assessment, and response process. By implementing an agile and responsive emerging risk management process we can ensure that our risk information, priorities and responses remain relevant in the face of ever-changing circumstances.

