Governance Risk and Regulation
Upholding the highest standards of corporate governance and acting in an ethical manner makes business sense.

Strong Governance

We ensure that Safaricom is run in an ethical, transparent and accountable manner by having robust governance processes and structures in place, along with explicit guiding principles and clear lines of responsibility. This minimises the risk of corruption and fraud, which, in turn, bolsters the reputation and trust we enjoy, strengthens employee morale and engagement, and improves stakeholder sentiment and interest.

Unlawful or dishonest dealings will not only impact revenues negatively, and damage the brand and reputation of the company in the market, but are likely to result in legal charges, potential imprisonment, fines, a loss of investment and other unconstructive consequences.

Our response to governance is multi-dimensional and requires having the right structures in place and then monitoring and evaluating these regularly.

Robust Risk Management

Our governance objectives are supported by our risk management processes. We use a combination of bi-annual risk assessments, together with audit and fraud reviews to monitor and manage risk throughout the company.

We also benchmark ourselves against other leading telecommunications operators and independent assurance is provided through both internal and external audit functions. As a company, we also endeavour to apply the Precautionary Principle to all of our activities to help ensure that we continue to act as a responsible corporate citizen.

‘Customer First’ risk management

One of our primary responses to the new company strategy was to explore ways of expanding our risk management to meet the needs of our customers. An example of this new approach was to increase the number of fraud reviews conducted on areas that affect customers directly, such as data confidentiality, premium rated services and fixed data services.

We also sought to help customers by becoming more actively involved in tackling criminal syndicates preying on M-PESA customers. With the support of the Inspector General of Police and senior Law Enforcement Agencies, we proposed and formed the Mobile Money Investigation Unit (MMIU) in March 2014. The success of the new unit has already been such that we are looking to decentralise it and set up units in each of our six regions to improve our reach and response times.

Our automated fraud management system was upgraded extensively during the year as well, enabling us to identify suspicious patterns, such as the bulk sending of fraudulent SMS messages (blasting), across the network more quickly.

An enhanced Revenue Assurance System was also introduced during the year to help ensure that customers receive accurate bills and are not over-charged. The new system is more powerful and covers more revenue streams than the old system.

Our security teams — the teams responsible for ensuring the physical safety of employees, equipment and members of the public on company property and at Safaricom events — have also been restructured and devolved to the six regions to ensure faster response times.

Risk assessments

Bi-annual risk assessments are carried out by the Risk Management Division. These assessments are supported by in-depth audit reviews of specific internal controls within the organisation and fraud reviews of processes that are suspected of having become compromised.

Each of the nine risk assessments was conducted twice during the year and encompassed the following categories: enterprise risk management, operational risks, strategic risks and ethics risks per strategic objective. Some of the key risk items identified during the year included: adverse regulation, business disruptions due to systems instability, competition and delays in rolling out key projects. Mitigation plans were then developed to counter any of the risks identified.

Fraud reviews

We also continue to take proactive steps to identify cases of fraud. These steps include using the fraud management system to identify possible cases of fraud and to carry out in-depth fraud reviews to determine whether fraud had occurred within key processes. Eleven fraud reviews were carried out. The fraud reviews have been key in uncovering frauds and also in proactively enhancing controls to prevent the occurrence of fraud in the future.

Audit reviews

Twenty audit reviews were also carried out during the reporting period. The objective of the reviews was to obtain assurance on the adequacy, design and operating effectiveness of internal controls. Eleven additional reviews were carried out that were special requests from management.

Fraud investigations

Where unethical action was suspected during the year, investigations were undertaken. The investigations covered various frauds, including asset misappropriation, fraudulent expense claims and corruption cases. The investigations led to disciplinary action against members of staff and, in two cases, reporting cases to law enforcement officers and prosecuting suspects.

While the number of investigations carried out during the year was substantively the same as FY15, the average number of people implicated per case dropped dramatically and resulted in a marked reduction in the number of dismissals, down to 18 from 58 in FY15.

Although every case of fraud is one too many, this trend is gratifying inasmuch as it suggests that the nature of fraud within the organisation may be changing from the collusive behaviour of groups of people to the isolated actions of individuals.

It is still early days, but this positive trend could be attributed to the continuous ethics awareness training being provided, growing vigilance on the part of employees and the fact that swift action is taken against those found to have engaged in fraud.

Ethics and Values

Underpinning governance and risk management are our ethics and values, which are the principles and standards that guide our behaviour as employees and individuals. We use an independent ethics perception survey and preventative measures like our ongoing ethics awareness and staff anti-corruption training programmes to monitor and manage the ethics within Safaricom.

While we acknowledge that there is still much to be done, we believe that we have been making good progress in terms of enhancing the ‘ethical climate’ within the company. It certainly appears that staff are increasingly aware of ethical issues and that management are handling these issues well.

Ethics awareness sessions

We continued to conduct regular ethics awareness sessions with staff during the year. The focus of the sessions was on addressing the concerns that were revealed by the ethics perception survey conducted in January-February 2015. The survey is an independent assessment of the opinions of our internal and external stakeholders conducted by the Ethics Institute of South Africa every two years.

One of the ethical risks identified by the survey is an obsessive focus on KPIs among employees and the danger of this breeding a culture within the company of ‘the end justifying the means’ — where the only thing that matters is achieving the target and not the process used to achieve the number. We are continuing to explore ways in which ethical impacts can be measured as part of performance against targets.

The survey also identified sexual harassment as another potential mid-level risk. During FY16 three sexual harassment cases were reported (FY15: 2 cases). During the year we refined our sexual misconduct policy; the policy outlines how to identify sexual misconduct, empowers staff to stand up against it or call it out, and offers increased reporting channels. We also provided improved training to our Ethics Champions to better identify, handle and report such sensitive cases. Our expectation is that the drive in awareness and engagement throughout the company will result in changed behaviour.

‘I do the right thing’ campaign

This year, we shifted our focus to promoting ethics rather than highlighting fraud. Our awareness theme for the year was the ‘I do the right thing’ campaign, which encouraged employees to become cognisant of their own ethical values and to take personal ownership and responsibility for these.

Staff ethics training

Every member of staff is expected to attend ethics training at least once a year. Most of the training is undertaken through face-to-face sessions and supplemented by e-learning courses. The awareness training is tailored to address the specific ethics risks faced by the attendees. For high corruption-risk departments, the training focuses on anti-corruption and bribery.

We set an ethics training attendance target of 97% for the year and are pleased to be able to report that we achieved a 98% attendance rate, an improvement of 4% on FY15. We were able to do this by incorporating the training sessions within existing meetings across the business, promoting our e-learning courses to employees unable to attend the face-to-face sessions, and because there has been a noticeable increase in the number of requests for ethics awareness training from teams across the business, which could be attributed to a growing appreciation of the topics covered during the sessions.

Business partner ethics training

While we have also been making good progress in terms of promoting ethical business practices and principles throughout our value chain and the wider business ecosystem in Kenya, we acknowledge that the situation is far from ideal.

It is no secret that corruption is rampant in Kenya, with reports suggesting that as many as one in three Kenyan companies has paid a bribe to win a contract and the country is ranked 139th out of the 168 countries listed in the Transparency International 2015 corruption index.

Consequently, this has been an area of sustained, consistent focus for us. We planned to offer ethics management training to 80% of our dealers and our top 200 suppliers during the year, yet managed to extend our reach using newsletters and other initiatives to over 400 suppliers and almost all of our dealers and M-PESA principals.

Last year, we began requiring all new business partners to sign up to the Code of Ethics for Businesses in Kenya during the onboarding process. This year we expanded this requirement to all of our suppliers. We hosted a supplier forum breakfast, during which we raised awareness of the Code and encouraged existing suppliers to sign up. To date, 269 or 81% of suppliers with running contracts have signed up.

We also hosted an Anti-Corruption Conference in partnership with the UN Global Compact Network Kenya in December 2015. Opened by the Kenyan President, Uhuru Kenyatta, the event brought together over 400 high-level representatives from the private sector, government, international organisations, civil society and the media to discuss the critical role of the private sector in stemming the tide against corruption and the importance of all stakeholders — public, private and civil society — to unite against corruption. (For further information about this event and the work of Safaricom CEO, Bob Collymore, as a member of the UNGC Anti-Corruption Working Group

Regulatory Compliance

Ensuring that we remain compliant with regulatory requirements is necessary, not only to make sure that we are operating in a lawful manner and to the correct standards, but also to avoid exposure to the remedial measures available to the regulators, such as onerous fines, non-financial sanctions and, ultimately, the revoking of our operational licence.

Our response to this is primarily managed by assessing our processes against applicable laws to ensure that we are compliant and reviewing the effect of changes in legislation on our internal processes. We also proactively engage with our regulators on all issues through a variety of channels.

Along with every other mobile network operator in Kenya, we were fined by the Communications Authority of Kenya (CA) again this year. The CA is mandated by government to ensure that operators are delivering services of an adequate quality and, accordingly, the CA tests every operator against eight Quality of Service (QoS) measures it has developed on an annual basis. Operators that fail to meet any of these criteria are fined.

We were fined KSh 157,000,000 by the CA. This penalty represents 0.1% of our Gross Annual Revenue (GAR) and this percentage was applied to all operators that were found to be non-compliant.

It should be noted that we, along with the other Kenyan mobile network operators, have expressed concerns regarding the QoS measures used by the CA and the Authority is evaluating the methodology that underpins its testing framework.

We also have two escalated legal actions lodged before the Competition Authority, but we are unable to comment further on these as the outcomes are still pending.

Putting customers’ rights first

We have made Customer Experience a core focus of the Regulatory and Public Policy Department. As part of this new approach, we were involved in the reviewing and revising of the Terms and Conditions for Safaricom products and services. Our goal was to make these as straightforward as possible and to ensure that customers receive adequate information so that they can enjoy using our products and services with confidence and satisfaction. We have also prioritised our support for the customer education and awareness initiatives of other Business Units where relevant.

Externally, we have also reinvigorated our support for Chukua Hatua, the consumer education outreach programme of the Communications Authority of Kenya, responding timeously to all queries and issues that are raised and participating in other ways when appropriate.

Supporting operational excellence

Part of our new strategy has been to get closer to our customers through decentralising and becoming more responsive in our six regions and this has required us to support other Business Units at the county level, assisting with county license fees negotiations, site acquisitions, business permits and regulatory counsel.

We also continue to collaborate with other Business Units on matters of competition, public policy, spectrum and regulatory economics to ensure optimum performance within our regulatory environment.

Assisting with product relevance

Our existing mandate to seek regulatory approval for all new and amended products and services has been expanded to include providing internal feedback and input into the product creation process; in other words, the regulatory team has now taken an active, co-creation role in product development. Customer feedback also continues to shape the regulatory environment within which we operate and we relay information regarding these shifting requirements and needs into the process.

Proactively engaging with the regulator

We continue to engage with the Communications Authority of Kenya on the following issues:

SIM Registration Regulations

During the reporting period, the CA amended the SIM Registration Regulations and introduced new requirements on operators to retain copies of subscriber national identification cards. We are working closely with the Authority in order to construct a framework that meets these regulatory objectives in a satisfactory manner.

Infrastructure Sharing Regulations

In December 2015, the CA published six draft Regulations for the purposes of public consultation, including Regulations on Infrastructure Sharing. We are concerned that these Regulations fail to take into account international best practice — where sharing is based on technical and commercial viability — and we are engaging the CA and the government on these proposals.

National ICT Policy

In October 2014, the government published a draft ICT policy for stakeholder comments and input. We made formal submissions in response to this draft in FY15 (regarding infrastructure sharing, the county telecommunications operators, the reduction of radio spectrum fees and the need to include incentives for environmental management) and we continue to engage with the CA during stakeholder engagement forums. We are in the process of issuing our input through our representation in the sectoral working groups on emerging issues.

Information and Communications Sector Regulations

The CA suspended its comprehensive review of the regulations governing the sector on 9 December 2015 and commenced the process of recruiting a consultant to undertake a Competition Study in the Telecommunications Market by issuing a Request For Proposals (RFP) for this process. We await the outcome of this process and continue to support attempts to grow the market and to provide consumers with the very best offerings in terms of variety, price and quality that are aligned with international best practices.

Looking ahead

Customer awareness will remain an area of focus in the year ahead, as we continue to embed the new company strategy. We intend to conduct nationwide awareness campaigns to alert customers to the common fraud schemes used by crime syndicates and to offer advice on steps they can take to prevent being defrauded.

In conjunction with raising customer awareness of potential fraudulent activity, we are also planning heightened monitoring of suspicious activity on the M-PESA platform and to introduce new Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) measures.

Next year will also see us intensify our efforts in the fight against corruption. In partnership with the UNGC, we intend to forge even closer ties with like-minded Kenyan companies and to support the Government of Kenya in its endeavours. As well as sharing experiences and lessons learnt with larger organisations, we will begin training medium and smaller companies on good governance and anti-corruption best practices. We will also continue to insist that suppliers commit to the Code of Ethics for Businesses in Kenya.