The board determines and approves, from time to time, the levels of authority for the CEO and the various members of senior management. The audit and risk committees monitor compliance with these predetermined levels of authority. The risk management function supports the audit and risk committees by monitoring and reporting any material non-compliance to the committees. The board meets as often as required, but at least four times annually.

Board chair, lead independent non-executive director and CEO

The board has a non-executive chair, Imtiaz Patel. The chair has valuable group, industry, regulatory and intellectual capital to contribute to the future development and progression of the business. His international network is also of great value to the group.

Jim Volkwyn is the lead independent non-executive director. The lead independent non-executive director acts in all matters where an actual or perceived conflict could exist and where it would be inappropriate for the chair to deal with the matter. The board is satisfied that Jim acts with independence of mind and judgement, and there was no interest, position, association or relationship likely to unduly influence or cause bias in decision-making in the MultiChoice Group's best interests.

Jim Volkwyn intends on stepping down as the lead independent director in June 2024 whereafter the board plans to appoint a new lead independent non-executive director. Jim Volkwyn will remain on the board as an independent non-executive director after June 2024.

The CEO, Calvo Mawela, is responsible for leading the implementation and execution of the approved strategy, policy and operational planning of the group, and for ensuring the group's day-to-day affairs are appropriately supervised and controlled.

Information

Information relevant to a meeting is supplied to the board on a timely basis, which ensures directors can make informed decisions. To ensure directors can competently discharge their duties and effectively carry out their delegated responsibilities as committee members, they have access to information relating to matters associated with the group. This is governed by an approved board policy with the process conducted in an orderly manner via the board chair. Similarly, board committees have unrestricted access to information that will allow them to act in accordance with their charters.

Conflicts of interest

Potential conflicts are appropriately managed to ensure candidates and existing directors have no conflicting interests between their obligations to MultiChoice and their personal interests. All directors are required to annually declare personal interests. Declaration of directors' interests is a standing item on the board's agenda. Directors who believe there may be a conflict of interest on a matter must advise the company secretary and are, when appropriate, recused from the decision‑making process associated with that matter. The Companies Act process is applied in this regard. Directors are required to adhere to the group's policy on trading in MultiChoice Group securities. The trading in securities policy is aligned to the Financial Markets Act No 19 of 2012 and JSE Listings Requirements.

Shareholder communication

The group is committed to ongoing and transparent communication with its shareholders. In all communication with shareholders, the board aims to present a balanced and understandable assessment of the group's position. This is done through adhering to principles of openness, substance-over-form reporting, and striving to address matters of material significance to shareholders.

This integrated annual report is our primary form of comprehensive communication with shareholders, in accordance with King IV and the JSE Listings Requirements. We also engage with our shareholders through our interim and annual financial statements, during interim and final results presentations, and on a periodic basis through investor roadshows and conferences. Further, the board encourages shareholders' attendance at AGMs and, where appropriate, will provide full and understandable explanations of the effects of resolutions to be proposed.

Assurance

The board, through the audit committee, oversees the group's assurance services and ensures these functions enable effective control and support the integrity of the group's information. The group follows a combined assurance model, which covers key risks through an appropriate combination of assurance service providers and functions. The assurance model includes line functions that own and manage risks, specialist internal audit, risk management support and compliance functions (for the group and significant subsidiaries), as well as external auditors and other relevant parties, such as regulatory inspectors and insurance risk assessors. This model is linked to key risks. An assessment of the effectiveness of our combined assurance model is reported on to the audit and risk committees. Internal audit reports on the internal control environment are submitted to the audit committee. The company secretary, group general counsel and external counsel guide the board on legal requirements. The audit committee appoints the head of internal audit, who has unrestricted access to and meets periodically with the committee chair.

Company secretary

The company secretary is responsible for guiding the board in discharging its regulatory responsibilities. Directors have unlimited access to the advice and services of the company secretary, who plays a pivotal role in MultiChoice's corporate governance policies and processes. She ensures that, in accordance with the pertinent laws, the proceedings and affairs of the board, MultiChoice, and where appropriate, shareholders, are properly administered. The company secretary monitors directors' dealings in securities and ensures adherence to closed periods. She attends all board and committee meetings. In accordance with King IV, the performance and independence of the company secretary are evaluated annually.

The nomination committee is responsible for recommending a suitable candidate for appointment as the company secretary; reviewing the competence, qualifications and experience of the company secretary annually; and reporting on whether it is satisfied therewith.

Carmen Miller is the group company secretary and the board is satisfied with Carmen's competence, qualifications, experience, independence and suitability. Carmen is not a director of MultiChoice and, after due consideration, the board is satisfied that she had an arm's length relationship with the board during the year.

Information and technology (I&T) governance

MultiChoice's Information and Technology (I&T) executive (the chief information officer), supported by a chief data officer and other support functions, oversees I&T management in the group. The board recognises the importance of I&T in relation to MultiChoice's strategy and I&T governance is integrated into the operations of the group's businesses.

Management of each subsidiary or business unit is responsible for ensuring effective processes for I&T governance are in place. The risk committee assists the board with overseeing I&T-related matters and I&T governance is a standing item point on the risk committee agenda. I&T objectives are included in the risk committee charter. The risk committee considers the risk register, and reports on I&T from an internal audit and risk management perspective. The group's code of ethics and conduct, I&T governance charter, artificial intelligence ethics and governance policy, cybersecurity policy, and legal compliance, and data privacy programs address legal compliance, ethical, and responsible use of I&T.

Data privacy remains a high priority. Assurance providers, including risk management, and external and internal audit, provide assurance to management, the risk committee and board on the effectiveness of I&T governance, based on detailed controls to manage identified risks and reduce the likelihood of occurrence of data privacy breaches or mishaps. These arrangements for governing and managing I&T enable the risk committee, and ultimately the board, to oversee the group's I&T governance.

The application of all approved policies and standards supporting the I&T control environment is assessed for maturity. Control self-assessments for each policy/standard are completed by the I&T governance, risk and compliance function to determine required improvements.

The group obtained an international content protection certification from the Content Delivery & Security Association in May 2022 and are currently being reaccredited for the year ahead. Both Samrand and Randburg production environments were accredited in terms of this international security standard. The accreditation is renewed annually.

Cybersecurity

As part of its enterprise risk management framework (ERM framework), the organization assesses and manages cybersecurity risks in accordance with worldwide best practices and laws in the nations where it conducts business.

The group focuses on the following four areas to mitigate cyber risks:

The group assesses, manages, and reports on its I&T-related risks in accordance with a board approved I&T governance charter. The MultiChoice Group provides oversight and guidance while setting a policy to ensure activities happen in the approved ERM framework that supports the achievement of strategic objectives.

As part of continuing business assessments, the MultiChoice Group regularly evaluates the businesses' security readiness and requests quarterly governance status reports from the group's executives and governance structures. Businesses are supported by the segment risk and compliance departments' risk management efforts, and outside providers periodically conduct tests and scans for cyber vulnerabilities.

The group risk committee periodically reviews and reauthorises the cybersecurity policy, and its implementation as part of its oversight and governance responsibilities. The group risk committee reports to the board in this regard.

Artificial intelligence (AI)

MultiChoice has expanded the use of AI across a variety of business areas, realising the benefits it offers for improving customer experience, operational efficiency, and revenue management. MultiChoice continues to invest in both specialized AI research and AI applications. AI-based systems deployed into the business have improved customer service (using chatbots), localisation of content (using machine translation), platforms personalization (using machine learning), and media operations (using video analytics). 

Recognising both the opportunities as well as the risks of AI implementations, the group has an AI ethics and governance policy to ensure that we conceptualise, develop and deploy AI systems responsibly and in line with our corporate values to ensure sustainable integration of AI technologies into group operations. The AI ethics and governance policy is underpinned by the MultiChoice Group Responsible AI Principles: Fairness; Reliability and Safety; Data Privacy; Security; Explainable AI; and Accountability. The AI ethics and governance committee governs and oversees all AI-related activities within the group, and reports from this committee are reported to the risk committee and in turn, the board.

Data governance and privacy

The development of a data governance council made up of data information officers, data protection officers, legal and regulatory experts, as well as business unit data stewards, underpin the rigorous data governance approach.

The administration of data privacy and rights is managed through monthly steering committee meetings where crucial decisions are taken and data governance adherence practices are evaluated. This forum reports to the group's risk committee and social and ethical committee through one of its members, and those committees in turn report to the board.

Data processing

The group's public and employee privacy policies outline what personal information is acquired from users (data subjects) utilising MultiChoice's systems and platforms, how that information is obtained, and why that information is gathered.

In line with the European GDPR, South African POPIA, and other country-specific regulations, data protection agreements have been implemented for third-party service providers who require access to personal information to perform contracted services. A revised Data Protection Addendum (DPA) has been published for the group including new Standard Contractual Clauses and variations of local country legislation, all relevant service providers are required to re-sign any existing agreement using the new version. Additional compliance measures have been put in place to ensure additional due diligence on third-party data processors.

Data loss prevention

Data loss prevention tools have been implemented for all Microsoft programs utilised by employees. This allows an employee to categorise data in accordance with the group data classification policy and enables better oversight of information shared to prevent the unauthorised sharing of personal and/or confidential information.

Data classification

To ensure employees do not accidentally disclose information, automatic scanning for sensitive fields in email attachments is performed. When sensitive information is found, the file is classified as strictly business confidential and automatically encrypted. At the same time, an alert notifies the data governance team when sensitive or private information leaves the organisation and when it is stored on local drives. This enables MultiChoice to proactively scan and prevent data losses.

Employee training and awareness

Employee awareness initiatives, such as the #PrivacyGuardian, #BeSecure and #Opt-In campaigns, emphasise raising awareness through newsflashes, screensavers, activations, and electronic communications.

Data privacy and governance e-learning modules and department-specific face-to-face training assists in giving practical tools to employees on how to implement data privacy into their day-to-day functions. All employees and contractors who deal with our employees', customers' and suppliers' personal information are required to complete the following online courses:

• POPIA module
• GDPR and Data Governance module
• Africa Data Privacy and Governance module

Data privacy issues

We enable customers to log any data privacy issues via the privacy notice on the MultiChoice.com website, our self-service portals, call centres and contact centres. These queries are logged in an incident management system and tracked to ensure we adhere to reporting standards as supplied and required by the GDPR, POPIA and other country-specific privacy regulations.

There were three complaints received regarding alleged non-compliance with customer privacy rights from any regulatory bodies, with all complaints responded to and the matters resolved with the regulatory bodies. No identified thefts, leaks or losses of customer data occurred or were reported.

The Multichoice Group recognises the following

Data subject rights: