Functional Governance

HOW WE GOVERN OUR BUSINESS

Operational management is organised in a decentralised manner, conducting activities within the framework of a Group-wide governance structure, which entails significant reliance on the ethical behaviour of all employees and on well-defined expectations around key performance metrics. These structures generally govern oversight, capital allocation and management, strategic integrity, reporting, and consistency of cultural values across the Group as a whole (and include alignment with the Bidvest Code of Ethics). Management teams within the individual businesses, who often have a specialised focus and concentration in specific sectors and services, are given significant autonomy to run their businesses and achieve the results expected of them. The decentralised structure of the Group allows for agile decision-making and execution.

An authority matrix forms the backbone of day-to-day governance, and formal reporting structures complement independent business-level processes that result in dynamic and iterative risk assessment and mitigation actions. Group management and reporting are organised via an Executive management committee (“Exco”) and board at the Bidvest Company level, which oversees the operations and governance of the Group as a whole, sets the framework of key performance metrics and related goals, and receives and evaluates divisional reports and results. This oversight is supported by active, quarterly divisional boards and subcommittees that provide guidance and oversight and track the results of business progress within the divisions. Monthly meetings between the Group’s chief executive officer and divisional chief executive officers, which focus on uniform and simple key performance indicators, as well as timeous and granular monthly financial reporting from the underlying businesses (with flash financial results from the underlying businesses typically available on the fifth business day of every month), allow for active management of the diverse offerings of the Group. The key performance indicators are trading profit growth, cash conversion, Return of Funds Employed (“ROFE”), sustainability and transformation, and are linked to short-term and long-term incentives. The Group also places significant emphasis on the quality of existing management teams within businesses when considering potential acquisitions, and typically retains the management teams to continue to operate newly acquired businesses.

Internal audit (IA)

The IA function is an independent, value-adding, progressive and responsive service to Bidvest’s stakeholders. It objectively evaluates business processes and controls so as to appropriately manage risk and support management’s commitment to a strong control environment and operational excellence.

A risk-based IA plan is approved by the divisional and Group audit committee on an annual basis and is recalibrated quarterly so that the IA function provides assurance services against the relevant and elevated risks of the business.

The IA function is well constituted, with a professional audit staff (in excess of 25 CA(SA)s in senior audit positions) that has sufficient knowledge, skill set and experience to execute on the board-approved IA Charter, which is consistent with the Institute of Internal Auditors’ definition of internal audit as well as the principles of King IV. Given the ever-increasing dependencies of the business on IT, specialised audit and consulting skills have become a necessity in the function.

Analytics and automation are well entrenched in the mechanisms of the IA function, with further disruptive robotic initiatives being the focus for the future of IA.

Key stakeholder relationships are an essential element of strategy implementation and support long-term sustainable creation.

IT GOVERNANCE AND SECURITY

ALICE
  • User Administration
      • Amendments to User Profiles
      • New and Terminated User Profile Management
      • User Access Policies and Procedures
      • User Profile Data Accuracy
      • User Profile Management
  • Microsoft SQL Hardening
      • Microsoft SQL Security Measures
  • Cloud Security
      • Generic Security Measures
      • Azure-Specific Security Measures
  • Technical Security
      • Antivirus
      • Asset Management
      • Network Security Configuration
      • Password Configuration
      • Patch Management
      • User Profile Management
  • Website Security
      • WordPress Specific Security
  • Business Resilience
      • Backup Management
      • Backup Operations
      • Business Continuity Planning
      • Disaster Recovery Planning

ALICE runs on a scheduled frequency (continuously, daily, weekly, monthly or quarterly) as deemed fit for purpose based on the maturity, complexity and posture of the IT environment of each company within the divisions. IT findings are available to IT management on a continuous, remote and near real-time basis. Remediated IT findings are re-audited by ALICE upon receipt of updated audit evidence. The IA function is required to follow up on unresolved IT findings with IT management on a monthly basis.