Network International Holdings Plc
Annual Report and Accounts 2021: 19 April 2022
Network International Holdings Plc (LSE: NETW) (the "Company"), the leading enabler of digital commerce across the Middle East and Africa (MEA), announces that further to the release of the Company's preliminary results announcement on 9 March 2022, the Annual Report and Accounts for the year ended 31 December 2021 ("2021 Annual Report") has been published today and is available on the Company's website https://investors.networkinternational.ae/ . It is also being submitted to the National Storage Mechanism and will be available at https://data.fca.org.uk/#/nsm/nationalstoragemechanism .
The appendix to this announcement contains additional information which has been extracted from the 2021 Annual Report for the purposes of compliance with the FCA's Disclosure & Transparency Rules and should be read together with the Company's preliminary results announcement, which can be found at https://investors.networkinternational.ae/ .
Together these constitute the information required by DTR 6.3.5 to be communicated to the media in unedited full text through a Regulatory Information Service. This information is not a substitute for reading the full 2021 Annual Report.
Jaishree Razzaq
Chief Risk Officer & Group Company Secretary
Network International Holdings Plc
Investor Relations enquiries
Network International InvestorRelations@Network.Global
Amie Gramlick, Head of Investor Relations
Media enquiries
Teneo NetworkInternational@Teneo.com
Ben Foster, Andy Parnis
Appendix: additional information required by DTR 6.3.5R
In compliance with DTR 4.1.12R, the Annual Report and Accounts 2021 contain Directors' responsibilities statements. These are reproduced below, alongwith the Statement on Risks & Uncertainties and Related Party Balances and Transactions, in line with DTR 6.3.5R. The statements relate to and have been extracted from the 2021 Annual Report.
Page and note references in this appendix refer to page numbers and notes in the 2021 Annual Report.
DIRECTORS' RESPONSIBILITIES STATEMENTS
Statement of Directors' responsibilities
The Directors are responsible for preparing the Annual Report and Accounts and the Group and Parent Company financial statements in accordance with applicable law and regulations.
Company law requires the Directors to prepare Group and Parent Company financial statements for each financial year. Under that law they are required to prepare the Group financial statements in accordance with UK-adopted international accounting standards and applicable law and have elected to prepare the Parent Company financial statements in accordance with UK accounting standards and applicable law, including FRS 102 The Financial Reporting Standard applicable in the UK and Republic of Ireland. In addition the Group financial statements were also prepared in accordance with International Financing Reporting Standards as issued by the International Accounting Standards Board ('IFRSs as issued by the IASB').
Under company law the Directors must not approve the financial statements unless they are satisfied that they give a true and fair view of the state of affairs of the Group and Parent Company and of the Group's profit or loss for that period. In preparing each of the Group and Parent Company financial statements, the Directors are required to:
› Select suitable accounting policies and then apply them consistently;
› Make judgements and estimates that are reasonable, relevant, reliable and prudent;
› For the Group financial statements, state whether they have been prepared in accordance with UK-adopted international accounting standards; and in accordance with International Financing Reporting Standards as issued by the International Accounting Standards Board ('IFRSs as issued by the IASB').
› For the Parent Company financial statements, state whether applicable UK accounting standards have been followed, subject to any material departures disclosed and explained in the Parent Company financial statements;
› Assess the Group and Parent Company's ability to continue as a going concern, disclosing, as applicable, matters related to going concern; and
› Use the going concern basis of accounting unless they either intend to liquidate the Group or the Parent Company or to cease operations, or have no realistic alternative but to do so.
The Directors are responsible for keeping adequate accounting records that are sufficient to show and explain the Parent Company's transactions and disclose with reasonable accuracy at any time the financial position of the Parent Company and enable them to ensure that its financial statements comply with the Companies Act 2006. They are responsible for such internal control as they determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error, and have general responsibility for taking such steps as are reasonably open to them to safeguard the assets of the Group and to prevent and detect fraud and other irregularities.
Under applicable law and regulations, the Directors are also responsible for preparing a Strategic Report, Directors' Report, Directors' Remuneration Report and Corporate Governance Statement that complies with that law and those regulations.
The Directors are responsible for the maintenance and integrity of the corporate and financial information included on the Company's website. Legislation in the UK governing the preparation and dissemination of financial statements may differ from legislation in other jurisdictions.
Responsibility statement of the Directors in respect of the Annual Report
We confirm that to the best of our knowledge:
› the financial statements, prepared in accordance with the applicable set of accounting standards, give a true and fair view of the assets, liabilities, financial position and profit or loss of the Company and the undertakings included in the consolidation taken as a whole; and
› the Strategic Report includes a fair review of the development and performance of the business and the position of the issuer and the undertakings included in the consolidation taken as a whole, together with a description of the principal risks and uncertainties that they face.
We consider the Annual Report and Accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the Group's position and performance, business model and strategy.
PRINCIPAL RISKS AND UNCERTAINTIES
Overview
It has been an exciting and busy year for us as we successfully executed many of our key strategic initiatives. We completed the acquisition of DPO Group and continue to monitor its risk profile. We are now focused on embedding the Group's current risk management practices into the DPO business. We have refreshed our risk assessment in preparation for entry into the Saudi Arabia market and performed risk assessments in support of our ESG strategy, including climate related risks. Our risk appetite and our principal and emerging risks were also refreshed and approved by the Board twice during the year as planned. All activities in support of our second line assurance plan for 2021 were completed and we have developed a comprehensive assurance plan for 2022 which was approved by the Board. We continue to make good progress on the TCFD Disclosures and further details are disclosed on pages 42 to 45.
ERMF integration in DPO business:
› Post completion we have focused on further enhancing our understanding of DPO business risks and its risk profile.
› We have made good progress on our ERMF integration plan within the DPO business which started with discovery and awareness sessions. These sessions covered all risk, legal, business continuity, data governance and information security and compliance streams.
› The risk profile of the DPO business was re-evaluated to assess the impact on the overall risk profile of the Group, with separate Key Risk Indicators (KRIs) developed to monitor risk trends within the DPO business.
› Relevant DPO policies and procedures were either aligned with or substituted by the Group's policies and procedures.
› Risk champions within the DPO business were nominated and trained on our risk management practices.
› The Group aims to align DPO business practices with Group standards over the next two years.
Task Force on Climate-related Financial Disclosures:
› The Group acknowledges the scientific evidence in relation to climate change and takes its responsibilities to reduce its impact and to meet its reporting obligations seriously.
› Climate change-related risk is included under the ERMF as an emerging risk.
› An Environmental, Social and Governance strategy and ESG framework aligned with our corporate strategy were developed and approved by the Board. A central team has responsibility for their implementation with oversight from the Board.
› We have developed a carbon model to accurately capture and forecast emissions over the medium term.
› Climate change risk-related KRIs are being developed based on the KPIs to monitor on a quarterly basis.
› Risk and control self-assessment ('RCSA') standards are being documented for climate change-related risks and will be tested quarterly.
Credit risk: COVID-19 related lockdowns eased in the first quarter of 2021 with trading conditions returning to pre-pandemic levels in the second half of the year.
The stress scenarios formulated in 2020 to assess the chargeback risk that could arise as a result of adverse trading conditions, focusing on certain delayed delivery merchants and their expected chargeback volumes, showed satisfactory results.
Unrecoverable chargebacks and refunds were well within risk appetite and 99% lower than the losses predicted in the stress scenarios. As a result of our proactive risk mitigating actions and prudent risk management approach our chargeback losses were only 0.001% of Total Processing More about credit risk P95 Volume at the end of 2021.
Regulatory compliance: Keeping pace with regulatory changes
The Group is increasingly subject to high levels of oversight and regulatory change from a number of different regulators and therefore continues to monitor emerging regulations to identify potential impacts on the business and to ensure it is well placed to comply with any changes. We have developed a robust framework to ensure compliance with legal and regulatory requirements and we remain committed to adhering to the highest regulatory standards in our markets of operation. We continue to work with regulators to assess the impact of any changes on our business, with identified impacts of upcoming regulatory activity incorporated into our strategic plans.
› Currently, the Group is directly regulated in nine markets (including eight markets of DPO) across MEA and we have applied for licences to operate in a further seven markets (including five markets of DPO) across the region.
› Recently, we have seen several examples of new legislative requirements that have been or are expected to be introduced in the near future in our key markets. These include:
UAE:
› The Group has submitted its application for a licence from the Central Bank based on the recently enacted Retail Payments Services Regulation which will regulate the Group's direct-to merchant business in the UAE
Saudi Arabia:
› To support Saudi Arabia market entry strategy, the Group has applied to the Saudi Central Bank (SAMA) for a payment service provider licence
Ghana:
› The Group has received its licence from Bank of Ghana which will enable the Group to provide Issuer Processing and Acquirer Processing services for its client banks, and to support DPO in its merchant aggregation business
Egypt:
› To support the new merchant aggregation business, the Group has applied to the Egypt Central Bank for a licence through a local sponsoring bank
South Africa:
› The Group is closely monitoring the development relating to a new domestic processing and data localisation regulation which will take effect in 2023 requiring payment processors to process and host data in South Africa.
The Group has started planning the implementation of these new requirements The Group has also seen the emergence of new data protection regulations in priority markets such as the UAE and KSA. The requirements emerging from these regulations will be implemented once the subsidiary regulations are enacted. Regulatory change will remain a key area of focus in the year ahead to ensure we continue to identify and assess changes in a timely manner and effectively embed new requirements into our business operations. The Group will ensure we are organisationally aligned to assess and where applicable meet all new regulatory obligations as they emerge.
Cyber security: Mitigating emerging cyber risks and continuing to invest in our cyber security programme to provide secure, trusted commerce and card payment solutions across every touch point.
The security of our solutions, systems and the data we are trusted to manage is of utmost importance to us.
› Cyber-attacks are undeniably a global threat for businesses and individuals with the frequency and sophistication of attacks increasing year on year. Governments and regulators across our markets are increasingly recognising cyber security as a systemic risk resulting in the emergence of regulations and standards to combat the emerging cyber threats
› In addition, we expect to continue to invest in resources to maintain and enhance our information security and controls and to ensure we are able to investigate and remediate any security vulnerabilities
› We have implemented an agile cyber security framework which aims to be ahead of prevailing cyber threats in our markets
› Management, organisational and technical controls support the mitigation of cyber security risk in a dynamic payments industry
› For early detection and response to cyber threats, the Group uses a defence in depth approach driven by Cyber Threat Intelligence (CTI). CIT is knowledge, skills and experience-based information concerning the occurrence and assessment of cyber threats and is intended to help mitigate potential attacks and harmful events from occurring in cyberspace
› We continually evaluate threat levels for the most prevalent attack types and their potential outcomes
› We ensure our colleagues remain aware of cyber security issues and know how to report incidents as part of our defence strategy
› We have developed a cyber security dashboard to keep the Risk & Technology Committee and the Board apprised of emerging cyber security threats
For an overview of how we manage risk, please refer to page 84 of the 2021 Annual Report available on the Company's website https://investors.networkinternational.ae/ .
Our risk management governance model
We have a dynamic, practical and action-oriented risk management governance model defined in the ERMF, which helps us in proactively responding to changes in our business environment, whilst continuing to deliver on our expectations of increased transparency, value protection and creation. This is supported by our use of the three lines of defence model and the functional responsibilities and oversight committees that support it. Following the creation of the Risk & Technology Committee in June 2021, we worked closely with the Committee to report on the progress of our risk management practices, initiatives and key projects.
The Group has implemented all of the core components as part of the ERMF design and continues to use its ERMF to enable management to make sound risk-based decisions in relation to strategic initiatives. The risk profile for the Saudi Arabia market entry initiative was refreshed and with the acquisition of the DPO business completed last September, the Group is implementing its phased ERMF integration plan in the DPO business which is progressing well.
Our approach to risk management
We maintain a robust and sustainable ERMF, which ensures risks are properly identified, assessed against tolerance levels and appropriately managed across the Group. Our ERMF is designed to minimise the potential threats to achieve our objectives. In 2021, we completed the exercise of defining the risk and control self-assessment (RCSA) standards for all business units and commenced testing. This approach to risk management helps the Group in managing the risk of failure to achieve business objectives and providing reasonable assurances. The risk cannot be eliminated but transferred or accepted when measured against expected benefits or return on investments.
For an overview of our approach to risk management, please refer to page 85 of the 2021 Annual Report available on the Company's website https://investors.networkinternational.ae/ .
Risk appetite
Risk appetite is the amount of risk we are willing to take in pursuit of our objectives. It defines the level of risk at which appropriate actions are needed to reduce risk to a level that we are willing to accept. As defined in our principal risks disclosure we consider risks from a low, balanced and high perspective. Our risk appetite is not static and may change over time in line with changing capabilities for managing risk and our business environment.
The risk appetite statement is reviewed and approved by the Board annually.
Group risk appetite statement
At Network International, our growth strategy is focused on maintaining our position as the best payments partner in the Middle East and Africa. We accept that these markets are subject to higher levels of geo-political uncertainty and business risk than those in more developed markets, and are also accepting of any concentration risk based upon our entry into these markets and territories, though we act to mitigate this through revenue diversification.
We will aim to balance this against a low appetite for any risks that compromise the confidentiality, integrity or availability of our data, our customers' data or our cyber security defences. We will also aim to balance our environmental, social and governance responsibilities in the decisions we make. Additionally, we look to minimise our exposure to any risk which will adversely impact our stakeholders, operational performance or compliance with relevant regulation and legislation including environmental, social and governance considerations. The Group has a low appetite to incur losses from financial risk.
We will support this appetite with a level of investment that ensures we have suitable levels of policy and controls to effectively manage these risks, facilitate decision making and continue to support our growth strategy.
This means as a business that we have an informed appetite to taking risks which will enable us to drive growth in a sustainable manner providing an adequate and stable return on investment and which limits our exposure to those areas where we have a low risk appetite and effectively control those to which we have a greater appetite for risk. We believe that managing these risks in the right way will support our aim of enabling commerce in the world's most under penetrated payments markets.
Risk culture
The Group is committed to embedding a strong risk culture to support good governance and sound risk management practice. The Board and the ExCo play a key role in directing and influencing this by ensuring that:
› a risk based approach is used during key decision making. A recent example has been the refresh of the Saudi Arabia market entry risk profile before execution of these strategic initiatives;
› a consistent tone from the top and clear responsibilities for risk identification and challenge; refer to ESG Strategy section on pages 34 to 37;
› employees have risk management accountability and escalate issues on a timely basis;
› our incentive structures described within our Remuneration Report on page 150 promote a risk aware culture to effectively manage risk and remunerate employees accordingly;
› we adopt a culture of 'learning from our mistakes' to foster continuous improvement of processes and controls;
› whistleblowing, an independent confidential whistleblowing service to enable employees to raise their concerns through an independent route;
› risk awareness is embedded within the Group and is grounded in our strong ethical values and culture. Our risk management philosophy is cascaded top down and bottom up and runs through all our management, employees and connected stakeholders.
To improve risk awareness across the Group a comprehensive and mandatory online training programme is in place covering important risk and compliance topics. We have had very high levels of participation from our colleagues across the Group in 2021.
The importance of risk culture is reinforced in the Group's policies and standards and the Code of Conduct, to which all our colleagues attest annually as part of the annual training programme.
The completed priorities for Group Risk in 2021:
Priorities for 2021 Benefits
Governance Risk and Compliance platform implementation. |
Centralised tool for managing risks, controls, risk assessments and loss management.Theplatformenablescross-functionalcollaborationandalignment. |
Completed the implementation of RCSA for all functional units. |
RCSA helps the first line function in developing its control testing standards for the identified controls documented in the risk assessments and tests its effectiveness on defined frequencies. RCSA also helps in promoting and embedding a risk awareness and management culture across the Group through effective process governance. |
Completed the annual assurance plan for 2021. |
Provided assurance on the effectiveness of Group's current control environment by the second line of defence and to ensure this is aligned and meeting the overall Group's business objectives. |
Completed separation of Group's cyber security services from Emirates NBD Group. |
Achieved self-sufficiency in the area of cyber security and implemented enhanced security solutions in line with the Group requirements. |
Further enhanced our acquiring fraud monitoring capabilities with the implementation of new e-commerce risk control tools. |
Supports growth in e-commerce business with the required risk controls. |
Focus areas for 2022
In 2022 we will focus on further embedding our approach to risk management throughout our business, markets and support functions to build an even richer picture of risk information.
The priorities for Group Risk throughout 2022 will be:
Priorities for 2022 Rationale
Integration of the Group's ERM framework into DPO business. |
Implementing and embedding an integration strategy with prioritised focus on control functions in line with our ERM framework. Consolidate the existing risk management practices of DPO and align to the Group framework, taking into account local requirements. |
Completion of the annual assurance plan for 2022. |
To provide assurance on the effectiveness of Group's current control environment by the second line of defence and to ensure these are aligned and meeting the overall Group's business objectives. |
Completion of the compliance monitoring plan for 2022. |
Theme-based reviews to capture market abuse regulations, whistleblowing and a further review of DPO AML framework. |
Enhancement of the automation of our AML processes. |
To ensure effective and timely monitoring of AML risks, a project is in progress to implement an AML monitoring system to support our direct-to-merchant business in Jordan. |
Our principal and emerging risks
The Group's principal risks include those risks that could result in events or circumstances that might threaten the Group's business model, future performance, solvency, liquidity and reputation. We continue to see the risk trends remaining stable for our principal risks. However, we recognise that we operate in a dynamic business environment and that our risk profile will continue to evolve over time. We continue to remain focused on new and emerging risks which could adversely affect our accepted risk profile and strategic planning in the longer term. We have revisited these risks which are primarily driven by external factors including cyber, regulation, market stability and climate change.
We have completed a detailed assessment of our principal and emerging risks that we consider are most likely to have an impact on our business in the future. Not all risks facing the business are listed; however, we have highlighted on pages 89 to 96 the principal and emerging risks that we consider may have an impact on the business. These risks are not listed in any particular order of priority.
As a result of this assessment, we have made changes to the principal risks as follows:
› The separate principal risks in ARA 2020 - Technology Resilience, and Operational Resilience - have been combined under the risk category of 'Operational Resiliency' as both focus on business
operations resiliency of the Group and providing critical services to our customers. Resilience risk
arises from failures or inadequacies in processes, people, systems or external events.
› The separate principal risks in ARA 2020 - Strategy and Business, and Execution - have been combined under the risk category of 'Execution Risk' as both focus on the delivery of our strategy which includes the implementation of strategic initiatives and external threats to the achievement of our strategy. This also includes risks associated with reputation or brand values.
› Minor changes were made to Compliance Risk in order to broaden the scope.
› Introduced a new emerging risk reflecting the increasing geo-political risks following the Russian invasion of Ukraine and the adverse impact on the global economy following the imposition of wide ranging sanctions and the heightened risk of cyber related activity. See page 96.
We are now monitoring the nine principal risks below;
1. Cyber Security
2. Operational Resiliency1
3. Execution Risk2
4. People
5. Compliance Risk3
6. Financial
7. Third Party
8. Fraud and Credit
9. Geo-political
1 Reported as separate principal risks in ARA 2020 (i.e. Technology Resilience, and Operational Resilience). Both these principal risks are now being combined under the risk category of 'Operational Resiliency' as both these risks focus on business operations resiliency of the Group and providing critical services to our customers. Resilience risk arises from failures or inadequacies in processes, people, systems or external events.
2 Reported as separate principal risks in ARA 2020 (i.e. Strategy & Business and Execution). Both these principal risks are now being combined under the risk category of 'Execution Risk' as both these risks focus on strategy which includes the implementation of strategic initiatives and external threats to the achievement of our strategy. This also includes risks associated with reputation or brand values.
3 Minor change to broaden the scope.
For 2021, the overall risk profile of the Group was managed at acceptable levels with the majority of the Group's principal risks falling within the 'Informed' risk rating. The overall residual risk trend when compared to the risk profile for the prior 12 months has been stable due to continuous investments in the Group's infrastructure, resources, governance model and internal control framework.
The following section contains information about the principal risks, including a summary of the progress made in 2021 and the plans for 2022, their potential impact, our risk appetite and the link to our strategic priorities.
Link to strategic priorities
1 Faster signup of merchants and financial institutions
2 Grow the merchant base
3 Access new revenue pools
1 Harness the power of partnerships
2 Add new revenue streams to every transaction
3 Be the e-commerce champion in the region
Risk appetite rating defined
Low - We will ensure that we have sufficient controls and mitigations in place to allow for a low level of risk whilst recognising there may be a limited reward potential.
Informed - An approach which we feel could deliver reasonable rewards, economic or otherwise, by managing the risk in an informed way.
High - Willing to consider opportunities with higher levels of risk in exchange for potential greater reward.
Risk trends defined
Decrease in principal risk impact and/or probability at residual level.
No change in principal risk impact and/or probability at residual level.
Increase in principal risk impact and/or probability at residual level.
Cyber Security Risk of breach of the Group's infrastructure resulting in the compromise of data or service disruption through cyber security breaches. |
Strategic priorities 2 , 2,3 |
||
Risk impact |
Progress during 2021 |
Plan for 2022 |
Risk trend |
An external cyber attack, insider threat or third party breach could cause the loss of confidential data or service disruption leading to financial loss and reputational damage. |
· Completed the enhancement of our incident response mechanism by implementing next generation security operations centre ('SOC') with additional controls and enabling security monitoring with a 360-degree view of our on premise and cloud infrastructure. · Enhanced our Information Security Awareness programme by rolling out trainings on Data Privacy and Data Governance. |
· Enhance our cyber security position by adding additional security solutions to protect us from emerging threats. · We continue to mobilise our cyber security practices in new markets of operation to ensure our controls are standardised across the Group. · Integration of Group's cyber security framework into the DPO cyber security practices.
|
Increase Potential increase in the number and frequency of cyber activity as a consequence of Russia - Ukraine conflict
Risk appetite: Low The Group will not accept risks which may compromise the confidentiality, integrity and availability of its data and its customers' data. |
Operational Resiliency (Formerly Technology Resilience and Operational Resilience) Risk of interruption to critical production services and inability to execute operational processes and deliver on contractual obligations due to operational inefficiencies and discontinuity, defects, errors and delays, which could damage customer relations, decrease potential profitability and expose the Group to liability.
|
Strategic priorities 1, 2, 3, 1, 2, 3 |
||
Risk impact |
Progress during 2021 |
Plan for 2022 |
Risk trend |
Undesired level of service to customers due to failure or poor performance of technology and/ or system operating environment resulting in customer attrition, financial and/or reputational loss.
An unexpected disruption to operational performance that may cause damage to customer relations or financial loss to the business. |
· Completedthesetupofthe newdatacentreintheUAE(Dubai) and migrated all services to the new data centre. · Completed the expansion of our existing data centre facility in Abu Dhabi and segregation from the shared infrastructure with ENBD. · Completed our Group-wide IT disaster recovery and business continuitytestinginH12021across all Grouplocations. · Completed the Robotic Process Automation (RPA) initiative for our manual processes for settlement and reconciliation in the UAE and chargeback processing for both UAE andAfrica. |
· Improve availability of critical services across the Group by implementing high availability and active hot standby (Disaster Recovery (DR)). · Enhance transaction monitoring capabilities to improve faster recovery of services and improve customer experience. · Continue to expand the scope of automation through RPA in Africa and other functions in Middle East to minimise processing errors. · Enhance digital onboarding functionalities for merchants and build self-onboarding feature capabilities in the UAE. · Provide technological support to critical and strategic projects such as, KSA market entry, Enterprise Resource Planning (ERP) systems for Finance and Human Capital Management, Data Lake for enterprise wide data analytics, Application Plug In (API) programme and an intranet for employees. · Security patching process to be enhanced to mitigate risks of evolving cyber security threat landscape. |
Decrease Improvements in maintaining high availability of tier 1 systems and service levels. Investments in new data centre in UAE.
Risk appetite: Informed We are accepting some level of modest disruption and operational failure from time to time, within the relative norms of the markets in which we operate, provided the impact of failures remains within acceptable limits. However we ensure appropriate levels of resilience are in place to minimise the impact to our customers. |
Execution Risk (Formerly Strategy and Business, and Execution) Risk of the Group's ability to maintain its position as the best payments partner in the Middle East and Africa. Our ambitious growth and expansion plans could be compromised if we are not able to deliver key strategic projects within expected deadlines. Ourgrowth plans could create heightened levels of risk with regard to people and organisational capacity asweexecuteourgrowthplanstoensureontimedeliverywithoutdisruptiontoourday-to-day operations. Failure to do so could expose us to adverse financial and reputationalrisk and negatively impact our return on investment.
|
Strategic priorities 1, 2, 3, 1, 2, 3 |
||
Risk impact |
Progress during 2021 |
Plan for 2022 |
Risk trend |
We do not retain our strategic position as the best payments partner in the Middle East and Africa, impacting our ability to maintain market share and to meet growth and profit targets. We failtodelivercriticalstrategic projects on time and on budget, deferring or stallinggrowth and increasing operational and capital expenses. |
· DPOcontinuestotradewellwith USD7millioncontributiontothe Group'srevenueandmovedinto positive EBITDAgeneration. · Completedtheacquisition of DPObusiness. · Initiated our execution plan for SaudiArabiamarketentryinline withtheapprovedbusinesscase. · Made significant progress on our product set(s) being rolled out to bankcustomersacross15+markets in Africa, including pan regional processingcustomers.
|
· Deliverrevenuegrowthforthe Group by cross-selling DPO productstoexistingcustomers and in othermarkets. · ImplementourERMframework intheDPObusinessasper · our integration plan. · Complete the deployment of infrastructure in Saudi Arabia andsecuretherequiredlicences andcertifications. · Executeonallaspectsofour2022 strategicplan. · Continue to further expand our productstoourclientbanksand to direct-to-merchant channel in new markets such as Egypt and SaudiArabia |
No change
Risk appetite: Informed Revenue growth in line with investor expectations and no dilution of Group's market position in its markets of operation. The Group has limited appetite for late or over budget delivery of critical strategic projects.
|
People Inability to attract, develop and retain a skilled workforce and inconsistent organisational culture across the Group.
|
Strategic priorities 1, 2, 3, 1, 2, 3 |
||
Risk impact |
Progress during 2021 |
Plan for 2022 |
Risk trend |
We areunabletoeffectively manage our workforce to ensure consistentdelivery oftheGroup'sstrategyand/or operationalperformance. |
· Conducted regular health and wellness awareness sessions for our colleagues through live webinars on topics relating to parenting during the pandemic, meditation, stress and hypertension and prevention. · Vaccination drives were organised in our UAE, Jordan and Egypt offices. · Conducted independent employee engagement survey to understand our colleagues' sentiments and concerns. · Operated several platforms to enhance leadership interactions with colleagues at all levels e.g. Ask GCEO, NI on AIR, Meet the Leaders, Town Halls, GCEO and Chairman interactions. · Delivered on our diversity and inclusion initiatives for our colleagues on programmes such as the 'Women of the Future' summit; the Beacon Award to celebrate and recognise star women performers. |
· Roll out of Human Resource Management System (HRMS). The HRMS will support in: on-boarding of talent; compensation and benefits; performance management; succession planning; and learning and development. · Implement our initiatives highlighted in our cultural dashboard to ensure we embed our values and the elements of the Network Way for our colleagues. · Launch of 'Training Needs Analysis' which will include trainings such as Prevention of Sexual Harassment (POSH), Developing and Leading High Performance Teams, Leadership Skills for Managers and; Career Counselling and Mentorship. |
Decrease Engaged workforce with low attrition levels.
Risk appetite: Informed Group annual attrition ratenottoexceeddefined parameters however we accept a modest number of regretted losses which do not materially impact operational efficiency or impact ourcustomers
|
Compliance Risk (Formerly Regulatory Compliance) Failure or inability to comply with relevant laws, regulations, scheme rules and mandatory reporting requirements including failure to identify, monitor and respond to changing regulations or scheme rules.
|
Strategic priorities 1, 2, 3, 1 |
||
Risk impact |
Progress during 2021 |
Plan for 2022 |
Risk trend |
A breach or noncompliance to legal or regulatory standards leading to penalties, sanctions or reputational damage. |
· Completedtheassessmentofnew and emerging regulations during the year with oversight from the Regulatory and Data Privacy Change ManagementCommittee. · The Group applied for a payment serviceslicenceinGhanatosupport its Issuer Solutionsbusiness. · The Group has submitted its application to the Central Bank ofUAEontherecentlypublished regulation on 'Retail Payment Services' which aims to regulate payment services in the UAE. Approval is expected to be received in2022. |
· Completion of our compliance monitoring programme for theyear. The programme includes new theme-based reviews to capture market abuse regulations, whistleblowing and a further reviewoftheDPOAMLframework toalignwiththeGroup'spractices. · Continue to implement new and changesinregulatoryrequirements as and when received. Obtain regulatory licences in Saudi Arabia andEgypt. · Furtherstrengtheningcompliance capabilities in certain markets to meet regulatory requirements (Jordan/Nigeria/Ghana). |
Increase Wide ranging and extensive sanctions as a consequence of Russia - Ukraine conflict.
Risk appetite: Low The Group will not accept practices which could cause breaches of laws, regulations or scheme rules; or a delay and/or failure to adapt its systems, processes and controls to prevent material compliance breaches and/or regulatory censure.
|
Geo-Political Risk of significant political, social and economic instability in one or more of the Group's target markets which could have a material adverse effect on the Group's business, financial condition and results of operations.
|
Strategic priorities 1, 2, 3, 1, 3 |
||
Risk impact |
Progress during 2021 |
Plan for 2022 |
Risk trend |
Ageo-politicaleventwithinour marketsthatimpactsourability to do business or to meet our strategicobjectives |
· Completed country risk assessments of markets the Group identified as high risk. · Reviewed evolving regulatory changes in the payments markets where the Group provides its services. · Completed due diligence review for issuing clients across all operating regions.
|
· Assessment of new regulations, amendments, and local guidelines for new market entries the Group intend to progress with. · Risk assessments will be conducted for regions where the Group does not have a physical presence, and provides services on a cross-border basis, such as Togo, Angola, Rwanda, Tanzania, Sudan etc |
No change
Risk appetite: High The Group's growth strategy is focused on markets which are likely to be subject to higher levels of political, legal, economic and social instability than those in more developed markets |
Financial Risk of the Group's inability to have sufficient liquidity to meet its obligations including minimum capital funding requirements across geographies as they fall due. Adverse movements in foreign exchange rates arising from the Group's foreign operations and transactions in currencies other than AED and USD pegged currencies. Adverse interest rate risk primarily on its variable rate long-term borrowing/revolving working capital line of credit and exposure to inaccurate forecast of future business performance due to various forecasting models being used.
|
Strategic priorities 1, 2, 3, 1, 2, 3 |
||
Risk impact |
Progress during 2021 |
Plan for 2022 |
Risk trend |
Our liquidity, foreign exchange or interest rate risks are not effectively managed affecting the business's ability to meet its financial obligations, profitability targets or working capital needs |
· Post review of liquidity headroom position, availability period of undrawn USD 150 million of term loan was not extended. Repayment on drawn loan of USD 375 million will start in March 2022. · USD 75 million revolving credit facility is now available until October 2022. · We continued monitoring of our liquidity requirements in view of recovery of business to pre- pandemic level and sufficient liquidity was available to meet our liquidity requirements. · We considered and analysed options for interest rate hedge during the year, based on interest rate forecasts provided by our banking partners and concluded not to proceed with interest rate hedging to benefit from continued low interest rates, based on the interest rate curves at the time of analysis. |
· The Group will develop policies tofurthermanagefinancialrisks concerning FX, debt management and derivatives and financial instruments and this is expected to be completed in 2022. · Continue closemonitoring of our liquidity position to ensure sufficient funds and liquidity headroom are available to meet our financial obligations. · Repayment of the term loan instalment (USD 37.5 million) andrevolvingcreditfacilityas contractually due orearlier. · Continue to monitor interest rate curvesandappropriatedecisionwill betakentohedgetheinterestrates onourvariablerateborrowings. · As LIBOR will cease to exist by June 2023, we will prepare for shifting to an alternative risk-free rate 'SOFR' by proactively engaging with banks to minimise the impact of any expected increase in effective rate on our borrowings. |
Decrease The Group has sufficient liquidity backed up by improved business performance post recovery from the pandemic.
Risk appetite: Informed The Group will manage its liquidity, FX and interest rate risks in line with agreed policies and thresholds. |
Third Party Risk of the Group's dependencies on various third parties to provide core systems, technologies, infrastructure, product and service related support which may increase the Group's risk exposure intheeventofamaterialservicedisruption,delayorcyber-attackwithnoalternativearrangements. Also, risk of failure of third parties to comply with contractual obligations, applicable laws and internationalstandards |
Strategic priorities 1, 2, 1, 3 |
||
Risk impact |
Progress during 2021 |
Plan for 2022 |
Risk trend |
A third-party provider does not meet its obligations, which negatively impacts our customer relationships, and causes disruption to business performance |
· Completed the desktop reviews of high-risk vendors through due diligence questionnaires. · Extended the scope of our vendor assurance programme by including medium-risk rated vendors and initiated desktop reviews. We aim to complete these reviews in 2022 |
· Conduct questionnaire based ongoing risk assessments for high and medium-risk rated vendors. · Monitor and close the open risks with high-risk vendors identified through reviews. · Address any contractual deficiencies for high-risk vendors identified during vendor review process, where appropriate. · Monitor the performance of high-risk vendors.
|
No change Risk appetite: Low The Group will not accept risks which may compromise the confidentiality, integrity and availability of its data and its customers' data. |
Fraud and Credit Riskofcompromiseofcardormerchantdataorcompromiseofsystemsornetworksorcollusive merchants with the intention of performing unauthorised payment transactions for financial or non-financial gain resulting in losses to the Group or the Group's clients. Risk of financial or non-financial losses arising due to internal or external parties making a negligent and/or intentionalfraudulentmisrepresentationagainsttheGrouporanyofitsclients.Theriskof merchants' inability to meet obligations resulting in chargebacks, refunds, scheme fines, fees and other charges. Risk of clients' inability to settle invoices for services received as part of issuing oracquiringprocessing.TheriskthattheGroupwillbeliableformeetingthesettlementobligation ofsponsoredissuingclientswheresuchclientsareunabletodosoorcomplywithschemerules.
|
Strategic priorities 1, 2, 3, 1, 3 |
||
Risk impact |
Progress during 2021 |
Plan for 2022 |
Risk trend |
Higher level of losses resulting in material impact on reported results and material damage to reputation.
|
· E-commerce acquiring fraud monitoring capabilities have been enhanced with the introduction of new fraud prevention tools. · Close monitoring and recovery efforts have resulted in reduced delinquency levels of processing clients' receivables and unrecoverable chargeback and credit losses were at very low levels well within our risk appetite. · Re-assessment of large risk exposures of DPO's credit risk portfolio was completed.
|
· In view of the Group's plan to expand the direct-to-merchant acquiring portfolio, fraud detection processes and best practices proven in UAE will be implemented in the new markets. · Re-assessment of credit and fraud risk profile of the DPO business and embed the Group Enterprise Risk Management Framework.
|
No change Risk appetite: Informed Acquiring fraud losses as a percentage of sales to be less than market average of 6.3 bps. Enterprise level fraud losses to be less than 5% of EBITDA.
Unrecoverable chargebacks and credit losses to revenue ratio not to exceed more than 5% by portfolio. All sponsored issuing clients' settlements to be cleared within 15 days
|
Emerging risks
Emerging risks have the potential to increase in significance and affect the performance of the Group and, as such, are continually monitored through our existing risk management processes by risk owners at all levels of the Group. We also use tools such as horizon scanning, operational risk aggregation and external sources to support our analysis. The outputs of these processes are reported to the Risk & Technology Committee and Board of Directors for their review and assessment.
Our ERM process ensures emerging risks are considered to aid the Risk & Technology Committee's assessment of whether the Group is adequately prepared for the potential opportunities and threats they present. The process enables new risks to be discussed at an early stage, allowing us to analyse them thoroughly and assess potential exposure.
We closely monitor emerging risks and with time they may become principal risks as they mature. Emerging risks may also be superseded by other risks or cease to be relevant as the internal or external environment in which we operate evolves. Additionally, we recognise that some of our principal risks are more volatile or fast changing than others and, therefore, would benefit from the increased management processes that apply to emerging risks. A non-exhaustive list of some current emerging risks of relevance to the Group and those principal risks that are subject to the emerging risk process are set out below.
1. Increasingly sophisticated cyber security threats:
We expect to see an increase in the level of sophistication of cyber related attacks as a result of the shifting geo-political tensions in the MEA. We regularly intercept sophisticated and malicious third- party attempts to identify and exploit system vulnerabilities, or which aim to penetrate or bypass our security measures, in order to gain unauthorised access to our networks and systems or those of our associated third parties.
We follow a defence-in-depth model to ensure we are proactively employing multiple methods of defence at different layers to protect our systems against intrusion and attack. However, we cannot always be certain that these measures will be successful and will be sufficient to counter all current and emerging cyber threats.
2. New and emerging regulatory changes in the MEA:
The increase in growth and innovation of payments services and the DPO acquisition expose the Group to a number of additional regulatory regimes focusing on payment services and data governance. The Group's ability to navigate these changing environments will be a long-term driver of competitive advantage. In the short to medium term these initiatives could present increased complexity and cost to our operating model.
3. Climate change:
In an ever-changing world, we recognise that we have a responsibility to meet our environmental and sustainability commitments and obligations. We have made progress over the last year in measuring and reporting our energy consumptions. We will continue to develop systems to report on GHG emissions, and to understand the risks that a changing climate may present to our business. Refer to page 43 for details.
4. Competition risk:
The Group has accelerated the shift from cash to digital payments resulting in an increasingly competitive landscape in the Middle East and Africa region. Our ability to grow our business and deliver an exceptional customer experience may be impeded by new market entrants and established payments service providers operating in certain territories, be it though competitive pricing, enhanced capabilities and solutions, or skilled resources with local market knowledge.
5. Increasing geo-political risks:
The Russia - Ukraine conflict carries significant risks for the world economy that has yet to fully recover from the impact of the global pandemic. A prolonged conflict will, over the short and medium term, pose additional risks to the global economic recovery as the impact of wide ranging sanctions including those affecting international financial and payment systems take effect. There is also a heightened risk in times of political uncertainty on this scale of an increase in the number, frequency and scale of cyber related activity across all sectors.
RELATED PARTY BALANCES AND TRANSACTIONS
Parties are considered to be related if one party has the ability to control the other party or exercise significant influence over the other party in making financial and operating decisions. Related parties include associates, parent, subsidiaries, and key management personnel or their close family members. The terms and conditions of these transactions have been mutually agreed between the Group and the related parties. Key management personnel consists of the Network Leadership Team. The management believes that the terms and conditions of these transactions are comparable with those that could be obtained from third parties.
Transguard Cash LLC
Transactions for the year (refer to note 9) - there are no receivable/payable balances as at 31 December 2021 and 2020.
Transguard Cash LLC
Transactions for the year (refer to note 9) - there are no receivable / payable balances as at 31 December 2021 and 2020.
|
2021 |
2020 |
|
USD'000 |
USD'000 |
Executive Directors' remuneration |
|
|
Directors' remuneration during the year |
1,007 |
816 |
Terminal and other benefits |
1,842 |
56 |
Share-based payments |
2,084 |
3,093 |
|
|
|
Non-Executive Directors' remuneration |
|
|
Directors' remuneration during the year |
1,651 |
1,293 |
Terminal and other benefits |
- |
16 |
|
|
|
Other key management personnel remuneration |
|
|
Salaries and allowances |
3,610 |
3,578 |
Terminal and other benefits |
4,182 |
1,045 |
Share based payments |
3,763 |
3,936 |
**END**