OUR GOVERNANCE

Governing Structures and Delegation

Principles 6, 7, 8, 9 and 10

Committees of the Board

Principle 8 applied

The Board ensures that its arrangements for delegation within its own structures promote independent judgement and assist with the balance of power and the effective discharge of duties.

Risk, Technology and Information Governance Committee

Declaration: The Committee has executed its responsibilities in accordance with its approved mandate.

Committee Purpose and how it Contributes to Value Creation

The overarching role of the committee is to assist the Board in overseeing that the following areas support SANBS in setting and achieving its strategic objectives:

  • The governance of risk management, including the system of compliance risk governance
  • Technology and information governance

Members of the Committee during the Period 1 April 2023 to 31 March 2024

96% Attendance

  • Faith Burn (Chairperson)
  • Dr Caroline Henry
  • Dr Leonard Hyera (from 25 November until 6 March 2024)
  • Gary Leong
  • Lerato Molefe (until 29 November 2023)
  • Phindile Mthethwa
  • Ansie Ramalho (until 25 November 2023)

Executives

  • Ravi Reddy
  • Dr Karin van den Berg

Key focus areas and value creating activities for the period under review

Enterprise Risk Management

  • Monitored the continued growth in maturity of enterprise risk management
  • Considered the implementation of Business Continuity Plans across the organisation
  • Considered and approved the company’s risk framework including the company’s risk appetite and risk tolerance levels
  • Oversight of the mitigation of business risk – building capacity for power redundancy across SANBS fixed operating sites and mobile blood collections units
  • Considered the extent of the value of the current investment required in alternative/backup power
  • Discussed the risk of business operations disruption, which was re-evaluated during the annual Board and Exco risk assessment in August 2023, resulting in the establishment of a strategic project to ensure appropriate mitigation
  • Regularly reviewed the strategic risk register, treatment actions and emerging risks. Deliberated on the risk profile of various strategic risks to determine their relevance and risk ratings
  • Approved the risk profile for inclusion in the integrated report
  • Considered and approved the insurance programme renewal

Technology and Information Governance

  • Reviewed the IT risk register, cyber-security posture (including cyber incident updates and information security audits), investments monitoring report, Business Continuity Management, BECS project update and go-live on 7 November 2023
    • During the year, one of our service providers experienced a cyber-attack, resulting in the minimal exposure of SANBS data. The affected data subjects were notified, and the incident was reported to the Information Regulator
  • Noted that BECS phase II (which involves a review of the eTraceline and COSMAS systems) is currently on hold, with its initiation to be considered once eProgesa stability is achieved
  • Received updates on the extent of post go-live issues relating to the new BECS that have been raised with MAK-SYSTEM, noting high priority issues and management’s assurance that project challenges are being managed
  • Provided input and support to management on strategic projects – BECS implementation and change management, the modernisation of the ERP system, Order-to-Collect, Procure-to-Pay and the Data Governance and inventory optimisation projects
  • Approved the Information Security Governance Framework
  • Discussed current technological advancements such as AI, blockchain and cloud computing, considering the plan for and impact of these technologies with a focus on digitalisation and zero carbon emissions

Compliance

  • Monitored and exercised oversight over compliance monitoring reports
  • Received updates on material regulatory developments that could have an impact on the organisation
  • Received updates on the progress of the development of the Compliance Programme to help mitigate risks, detect violations of regulations and promote ethical behaviour in the organisation
  • Considered the development of a compliance coverage plan to prioritise efforts, schedule activities, and outline reporting obligations
  • Reviewed the monitoring of the various pieces of legislation in terms of the compliance monitoring plan to determine whether the controls were adequate and effective for the pieces of legislation under review
  • Noted the reports submitted as required according to various legislative requirements
  • Approved the revised Privacy Statement for the website and noted the revision of the internal Privacy Policy

Other

  • Reviewed and approved the committee terms of reference and annual work plan

Future Focus Areas 2025

The Committee will remain focused on overseeing the management of the risks associated with:

  • Strategic projects, with an emphasis on the BECS Phase II post go-live stabilisation, optimisation and enhancements; the Order-to-Collect process and the Procure-to-Pay process; the ERP Modernisation next phases; and Data Governance
  • Cybersecurity posture and information governance
  • The strategic risk reporting and the continuous monitoring of the risks
  • Continued oversight of emerging risks from new legislative developments

Risks

Stakeholders

Capitals

King IV™