Ensuring effective control
The board is the focal point and custodian of corporate governance in the group. To this end, the board ensures corporate governance and good practice are inherent in fulfilling its responsibilities. The board charter sets out its roles and responsibilities. The board holds its directors accountable for their integrity, competence, responsibility, fairness and transparency.
Succession planning and performance
The board is satisfied the company is appropriately resourced and its delegation to management contributes to an effective arrangement according to which authority and responsibilities are exercised. The board approves the CEO and CFO's appointments. The remuneration committee is required to consider the CEO and CFO's performance annually against agreed performance incentive objectives. The audit committee is required to consider the performance of the CFO and the finance function and will report thereon in its report included in the annual financial statements. Succession plans for the CEO and senior executives are in place and are reviewed annually by the nomination committee.
The board determines and approves, from time to time, the levels of authority for the CEO and the various members of senior management. The audit and risk committees monitor compliance with these pre-determined levels of authority. The risk management function supports the audit and risk committees by monitoring and reporting any material non-compliance to the committees. The board meets as often as required, but at least four times annually.
Board chair, lead independent non-executive director and CEO
The board has a non-executive chair, Imtiaz Patel. The chair has valuable group, industry, regulatory and intellectual capital to contribute to the future development and progression of the business. His international network is also of great value to the group.
Jim Volkwyn was appointed as the lead independent non-executive director with effect from 1 July 2021 following the tragic passing of Jabu Mabuza on 16 June 2021. The lead independent non-executive director acts in all matters where an actual or perceived conflict could exist and where it would be inappropriate for the chair to deal with the matter. In these circumstances, the board satisfied itself that Jim acted with independence of mind and judgement, and there was no interest, position, association or relationship likely to unduly influence or cause bias in decision-making in the MultiChoice Group's best interests.
Jim Volkwyn intends to step down as the lead independent director in June 2024, whereafter the board plans to appoint a new lead independent non-executive director. Jim Volkwyn will, after June 2024, remain on the board as an independent non-executive director.
The CEO, Calvo Mawela, is responsible for leading the implementation and execution of the approved strategy, policy and operational planning of the group, and for ensuring the group's day-to-day affairs are appropriately supervised and controlled.
Information relevant to a meeting is supplied to the board on a timely basis, which ensures directors can make informed decisions. To ensure directors can competently discharge their duties and effectively carry out their delegated responsibilities as committee members, they have access to information relating to matters associated with the MultiChoice Group, which is governed by an approved policy. The committees have unrestricted access to information that will allow them to act in accordance with their charters, with the process conducted in an orderly manner via the board chair.
Conflicts of interest
Potential conflicts are appropriately managed to ensure candidates and existing directors have no conflicting interests between their obligations to MultiChoice and their personal interests. All directors are required to declare personal interests annually. Declaration of directors' interests is a standing item on the board's agenda. Directors who believe there may be a conflict of interest on a matter must advise the company secretary and are recused from the decision-making process associated with that matter.
The Companies Act process is applied in this regard. Directors are required to adhere to the group's policy on trading in MultiChoice Group securities. The trading in securities policy is aligned to the Financial Markets Act No 19 of 2012 and JSE Listings Requirements.
The group is committed to ongoing and transparent communication with its shareholders. In all communication with shareholders, the board aims to present a balanced and understandable assessment of the group's position. This is done through adhering to principles of openness, substance-over-form reporting, and striving to address matters of material significance to shareholders.
This integrated annual report is our primary form of comprehensive communication with shareholders, in accordance with King IV and the JSE Listings Requirements. We also engage with our shareholders during interim and final results presentations, and on a periodic basis through investor roadshows and conferences. Further, the board encourages shareholders' attendance at AGMs and, where appropriate, will provide full and understandable explanations of the effects of resolutions to be proposed.
The board, through the audit committee, oversees the group's assurance services and ensures these functions enable effective control and support the integrity of the group's information. The group follows a combined assurance model, which covers key risks through an appropriate combination of assurance service providers and functions. The assurance model includes line functions that own and manage risks, specialist internal audit, risk management support and compliance functions (for the group and significant subsidiaries), as well as external auditors and other relevant parties, such as regulatory inspectors and insurance risk assessors. This model is linked to key risks. An assessment of the effectiveness of our combined assurance model is reported on to the audit and risk committees. Internal audit reports on the internal control environment are submitted to the audit committee. The company secretary, group general counsel and external counsel guide the board on legal requirements. The audit committee appoints the head of internal audit, who has unrestricted access to and meets periodically with the committee chair.
The company secretary is responsible for guiding the board in discharging its regulatory responsibilities. Directors have unlimited access to the advice and services of the company secretary, who plays a pivotal role in MultiChoice's corporate governance policies and processes. She ensures that, in accordance with the pertinent laws, the proceedings and affairs of the board, MultiChoice, and where appropriate, shareholders, are properly administered. The company secretary monitors directors' dealings in securities and ensures adherence to closed periods. She attends all board and committee meetings. In accordance with King IV, the performance and independence of the company secretary are evaluated annually.
The nomination committee is responsible for recommending a suitable candidate for appointment as the company secretary. It reviews the competence, qualifications and experience of the company secretary annually and reports on whether it is satisfied therewith. Carmen Miller was appointed as group company secretary with effect from 11 June 2020. The board is satisfied with Carmen's competence, qualifications, experience, independence and suitability. Further, Carmen is not a director of MultiChoice and, after due consideration, the board is satisfied that she had an arm's length relationship with the board during the year.
Information and technology governance
MultiChoice's I&T executive (the chief information officer) oversees I&T management in the group. The board is aware of the importance of I&T relating to MultiChoice's strategy and annually reviews and approves the I&T governance charter and cybersecurity policy. I&T governance is integrated into the operations of the group's businesses.
Management of each subsidiary or business unit is responsible for ensuring effective processes for I&T governance are in place. The risk committee assists the board with overseeing I&T-related matters and I&T governance is a standing point on the risk committee agenda. I&T objectives are included in the risk committee charter. The risk committee considers the risk register, and reports on I&T from an internal audit and risk management perspective.
Compliance with relevant laws and ethical and responsible use of I&T are addressed through the group's code of ethics and conduct, legal compliance and data privacy programmes. Data privacy remains a high priority. Assurance providers, including risk management and external and internal audit, provide assurance to management, the risk committee and the board on the effectiveness of I&T governance, based on detailed controls to manage identified risks and reduce the likelihood of occurrence. These arrangements for governing and managing I&T enable the risk committee, and ultimately the board, to oversee the group's I&T governance.
The application of all approved policies and standards supporting the I&T control environment is assessed for maturity. Control self-assessments for each policy/standard are completed by the I&T governance, risk and compliance function to determine required improvements.
The group achieved international content protection certification from the Content Delivery and Security Association in 2021 for the first time. Both Samrand and Randburg production environments were accredited in terms of this international security standard. The accreditation is renewed annually, and the renewal for 2022 is currently underway.
The group identifies and manages cyber risks as part of its enterprise risk management framework (ERM framework) and in line with international best practices and regulations in the countries where it operates.
The group focuses on the following four areas to mitigate cyber risks:
The I&T governance charter describes how the business should assess, manage and report on its I&T-related risks. In accordance with the I&T governance charter, businesses in the group manage cybersecurity risks and I&T operations in line with the MultiChoice Group's direction. The MultiChoice Group provides oversight and guidance while setting a policy to ensure activities happen in the approved ERM framework that supports the achievement of strategic objectives.
The MultiChoice Group periodically checks the security fitness of the businesses and requires quarterly governance status reports from the group's executives and governance structures as an integral component of ongoing business reviews. The segment risk and compliance departments support businesses with risk management activities and an external subject expert provider performs cyber vulnerability scans and tests on an ongoing basis.
The group risk committee annually reviews and reauthorises the cybersecurity policy and its implementation as part of its oversight and governance responsibilities. The group risk committee reports to the board in this regard.
The past year has seen MultiChoice extend the use of AI across a number of business functions – recognising that AI presents opportunities across customer experience, improved operating efficiency and revenue management. MultiChoice continues to invest in both the application of AI, as well as targeted AI research. Some of the systems using AI that were deployed this past year have contributed to enhancing customer service using chat-bots, improving content localisation using machine translation, fine-tuning personalisation of experiences on our viewing platforms using machine learning, and using video analytics to streamline media operations.
Recognising both the opportunities and the risks of AI implementations, the group has implemented an AI ethics and governance policy to ensure that we conceptualise, develop and deploy AI systems responsibly and in line with our corporate values, so that AI technologies are integrated sustainably into group operations. The AI ethics and governance policy is underpinned by the MultiChoice Group responsible AI principles: fairness; reliability and safety; data privacy; security; explainable AI; and accountability. The AI ethics and governance committee governs and oversees all AI-related activities within the group, and reports from this committee are submitted to the MultiChoice Group risk committee and, in turn, the board.
Data governance and privacy
The group adopted a rigorous data governance approach supported by the establishment of a data governance council consisting of data information officers, data protection officers, legal and regulatory practitioners, as well as business unit data stewards.
Monthly steering committees are held where data governance adherence practices are measured, and key decisions are made regarding the management of data privacy and rights. This forum, through one of its members, reports to the group's risk committee and social and ethics committee, which in turn report to the group's board in this regard.
Public and employee privacy policies across the group set out which personal information is collected from employees and other users (data subjects) when using MultiChoice's systems, how the group collects personal information, why the group collects it, and how the group uses it, among other related matters.
In line with the European General Data Protection Regulation (GDPR), South African POPIA, and other country-specific regulations, data protection agreements were implemented for third-party service providers who require access to personal information to perform contracted services. A revised data protection addendum has been published for the group, including new standard contractual clauses and variations of local country legislation. All relevant service providers are required to re-sign any existing agreement using the new version. Additional compliance measures have been put in place to ensure additional due diligence on third-party data processors.
Data loss prevention
MultiChoice implemented data loss prevention on all employees' Microsoft products. This allows each employee to classify data according to the group data classification policy. Each category describes the required level of protection.
To ensure employees do not accidentally disclose information, automatic scanning for sensitive fields in email attachments is performed. When sensitive information is found, the file is classified as strictly business confidential and automatically encrypted. At the same time, an alert notifies the data governance team when sensitive or private information leaves the organisation and when it is stored on local drives. This enables MultiChoice to proactively scan and prevent data losses.
Employee training and awareness
We conduct regular employee awareness campaigns, including the #PrivacyGuardian campaign which focuses on creating awareness using newsflashes, screensavers and corporate affairs communications. Close collaboration with cybersecurity during cybersecurity month showcased the importance and dependency of security for data privacy. Three data privacy and governance courses were implemented on the MultiChoice e-learning platform.
These courses, itemised below, are aimed at all employees and contractors who work with the personal information of our employees and customers:
- POPIA module
- GDPR and data governance module
- Africa data privacy and governance
Data privacy issues
We enable customers to log any data privacy issues via the privacy notice on the MultiChoice website and our self-service portals. Customers can log any queries regarding data privacy using these platforms. These queries are logged in an incident management system and tracked to ensure we adhere to reporting standards as supplied and required by the GDPR, POPIA and other country-specific privacy regulations.
There were no complaints received regarding breaches of customer privacy data, nor were there any complaints from any regulatory bodies. Further, no identified thefts, leaks or losses of customer data occurred or were reported.
The MultiChoice Group operates in a highly regulated environment, making compliance a critical consideration. We participate in the regulatory processes affecting our industry through various public forums and debates, providing inputs on formulating standards and strategies for the industry.
During the year, there were no significant or repeated fines from regulatory bodies to companies across the group. Further, there were no environmental inspections by environmental regulators, no accidents, nor any environment-related fines imposed by any governments.
Performance and future focus
The group depends heavily on its I&T systems and processes to enable and support the implementation of its strategic objectives effectively and timeously.
The group undertakes a detailed monthly review to identify, evaluate and assess I&T risks in key I&T areas.
The results are presented and discussed at the monthly I&T operational forum (chaired by the chief information officer). Based on these reviews, the group develops mitigation plans to address material risks identified on an ongoing basis.