Risk Governance

To support effective implementation of our Enterprise Risk Management framework, we have adopted the three lines of defense model, as illustrated below:

Three Lines of Defense

First line of defense
Primary Risk Owners:

  • Each Division owns the risks that face their operations
  • We have management and financial controls in place to mitigate the risks.
Reports to management

Second line of defense
Oversight function:

  • Risk Management
  • Compliance Management
  • Business Continuity
  • Quality Assurance
Reports to CEO and Board Audit Committee

Third line of defense
Independent Assurance provider:

  • Internal and External Auditors
Reports to Board Audit Committee



Our principal risks and what we are doing about them

Our risk identification and mitigation processes have been designed to be responsive to the ever-changing environment that we operate in. We classify our risks into two categories: Strategic and Operational.
The following are Safaricom’s principal risks and mitigation strategies. The fact that we disclose details of these risks means that each receives the requisite and considerable management attention.


Strategic Risks

Adverse Regulations

Risk: The regulatory environment that Safaricom operates in is becoming increasingly complex and it continues to be one of the key areas of focus. The nature of products and services that we provide requires that we comply with a wide range of laws and regulations from our

Mitigation strategy: While we comply with all laws and regulations, we continue to build constructive relationships with the regulators as well as contribute to discussions on emerging legislation and regulations as we prepare to comply with the same.

Our products and services are carefully and continuously monitored to ensure they do not contravene any regulations.

Economic Growth Prospects

Risk: Kenya has continued to experience challenges from a volatile currency, increased inflation and a reduction of FOREX earnings. The prolonged electioneering period in 2017 also caused uncertainty among investors, causing them to shy away from local investment opportunities. Other factors such as crippling drought, floods and the regulatory cap on lending rates also contributed to a reduction in consumers' purchasing power.

Mitigation strategy: We continue to proactively monitor and mitigate these challenges to cushion both our business and customers.

Market Disruption

Risk: The industry has become increasingly competitive in terms of product and service offerings. We face increased competition from a variety of new technology providers, disruptive technologies, changing customer preferences and new players in the market.

Mitigation strategy: Our strategies to manage market disruption focus on growing and retaining our customers by offering quality services as well as leveraging strategic partnerships within different sectors to ensure we provide our customers with relevant products and services and customer experience.

We continue to be innovative and adopt an agile operating model to be able to respond rapidly to the ever-changing customer needs.

Political uncertainties and unrest

Risk: The last year has seen the country experience an extended period of political quagmire which has had an adverse impact on the economic, social and business environments. Insecurity and/or terrorism in some parts of the country may result in increased costs of operations.

Mitigation strategy: The business continues to monitor the political situation keenly while taking appropriate business measures to safeguard our operations. To manage these security risks, we have invested heavily to ensure our staff, contractors and assets are protected and we continue to work closely with law enforcement authorities to ensure our customers' interests are well protected.

Further, we carry out proactive intelligence gathering, screening and security surveillance. We will continue to invest in security training and awareness as well as maintenance and improvement of our security infrastructure and tools.

Operational Risks

Information and cyber threats

Risk: Cyber-attacks, hacking, insider threat or supplier breach (malicious or accidental) could result in service interruption and/or the breach of confidential data, with resulting negative impact on customers, revenues and reputation, and potential costs associated with fraud and/or extortion.

Mitigation strategy: Safaricom has enhanced its capacity to handle cybercrime incidents and technology related crime. Of particular note are robust cyber security controls complemented by the 24/7 Security Operations Centre to ensure we safeguard the services that we offer.

Our ISO 27001 Information Security Certification is an independent confirmation to our customers that we have implemented appropriate processes and controls relating to our M-PESA, billing, mobile data, customer support and cloud services to protect the privacy of their information.

To ensure excellence in operations we also hold the following certifications by a reputable firm from the UK:

  • ISO 22301 – Business continuity management system demonstrating our commitment to delivering sustained, consistent and exceptional services to our customers and stakeholders even in the event of any disruption.
  • ISO 20000 – Information technology service management to ensure effective running and delivery of IT services.

Our M-PESA service holds GSMA mobile money certification, providing assurance that we have implemented the best mobile money standards that include robust security measures.

Our Thika Data Center, offering colocation and cloud services, has recently received the Uptime Tier III Design certification by the Uptime Institute of the US. The certification confirms that our data center design meets the international best practice requirements and reflects our commitment to providing quality data center services to our customers.