• Governance, Risk and Regulation

If the business is not run in an ethical, transparent and accountable manner, we are likely to face legal and reputational risks, as well as being disadvantaged by eroded employee and investor trust and confidence, which quickly translates into lost opportunities and diminished success. As a result, we consider sound corporate governance, ethical behaviour, robust risk management and regulatory compliance to be fundamental to our commercial sustainability.

In response to the SDG strategy, we have aligned our efforts with five of the goals this year and committed to promote ethical business practices and fight corruption in all its forms (SDG16) within Safaricom and within the wider business community (SDG17). We have also pledged to create a non-hostile and secure workplace (SDG8) within which all employees are treated equally (SDG10). Lastly, as part of our work with the regulators, we have committed to striving to provide universal access to high quality information and communications technology through our network (SDG9).

ROBUST GOVERNANCE

From a governance perspective, we ensure that Safaricom is run in an ethical, transparent and accountable manner by having robust governance processes and structures in place, along with explicit guiding principles and clear lines of responsibility. The Board of Directors is, ultimately, responsible for corporate governance throughout the organisation and the behaviour of members is governed by an explicit Governance Charter. Members of the Board also undergo collective and individual performance assessments at least once annually.

ETHICAL BEHAVIOUR

Our ethics and values are the principles and standards that guide our behaviour as employees and individuals. We use an independent ethics perception survey and preventative measures like our continuous ethics awareness and staff anticorruption training programmes to monitor and manage the ethical culture within Safaricom.

Ethics awareness sessions

We conduct regular ethics awareness sessions with staff every year. The focus of these sessions is to address any concerns revealed by the ethics perception survey. The survey is an independent assessment of the opinions of our internal and external stakeholders conducted by the Ethics Institute of South Africa every two years. The latest survey was conducted during the previous reporting period. Topics covered during ethics awareness sessions throughout the year included sexual misconduct, gifts and conflicts of interest.

Staff ethics training

Every member of staff is expected to attend ethics training at least once a year. Most of the training is undertaken through face-to face-sessions and supplemented by e-learning courses. The awareness training is tailored to address the specific ethics risks faced by the attendees. For high risk departments, the training focuses on anti-corruption and bribery.

We are pleased to report that we achieved a 98% attendance rate again this year. This is attributable to an understanding across the business regarding the importance of the sessions. We are finding that process owners now readily welcome the sessions and, in some cases, even request them.

Business partner ethics training

We continued to promote ethical business practices and principles throughout our value chain and the wider business ecosystem in Kenya during the year. Our CEO is a committed member of the Businesses Against Corruption in Kenya (BACK) initiative and we participated in the Siemens Anti-Corruption Collaborative Action initiative. We also reviewed the syllabus and training materials used by the UNGC for its good governance and anti-corruption training sessions for smallto-medium sized businesses.

We held ethics sessions and fraud training with our M-PESA agents, dealers and suppliers. We supplemented the sessions with ethicsrelated newsletters. Topics covered included anti money laundering, how to safeguard against fraud and the new Bribery Act. We also continue to make it mandatory for our suppliers to sign up to the Code of Ethics for Businesses in Kenya (contracts are not renewed unless they do so) and, to date, 317or 98% of suppliers with running contracts have signed up.

ROBUST RISK MANAGEMENT

We use a combination of risk assessments, audit and fraud reviews to monitor and manage risk throughout the company. We also benchmark ourselves against other leading telecommunications operators and independent assurance is provided through both internal and external audit functions. As a company, we also endeavour to apply the Precautionary Principle to all our activities to help ensure that we continue to act as a responsible corporate citizen.

Monitoring corruption and fraud

Eight risk assessments were conducted across the organisation and these were supported by in-depth audit reviews of specific internal controls within the organisation and fraud reviews of processes that are suspected of having become compromised.

Each of the risk assessments encompassed the following categories: enterprise risk management, operational risks, strategic risks and ethics risks per strategic objective. Some of the key risk items identified during the year included: insecurity, regulatory risk, market disruption and inadequate capacity on key systems.

Thirty-three audit reviews were also carried out during the reporting period. The objective of the reviews was to obtain assurance on the adequacy, design and operating effectiveness of internal controls. One additional review was carried out during the year that was a special request by management.

We also continue to take proactive steps to identify cases of fraud. These steps include using the fraud management system to identify possible cases of fraud and to carry out in-depth fraud reviews to determine whether fraud had occurred within key processes. Thirteen fraud reviews were carried out during the year. The fraud reviews led to uncovering fraud and to identification of control weaknesses. Control recommendations were made for the control weaknesses.

Addressing corruption and fraud

While the number of investigations carried out during the year was substantively the same as FY16, the number of staff dismissed for fraudulent behaviour increased to 52. This was primarily due to an enhanced review process, which targeted a single area of concern and unearthed fraud schemes that were previously concealed.

The types of fraud that led to dismissals included: theft; asset misappropriation (cash collections and devices); policy breaches (unauthorised access to data systems); and fraudulent SIM swap/M-PESA Start Key issuance.

While we are disappointed by the number of people who have been involved in fraudulent activities, it is encouraging to note the increasing effectiveness of our investigations and the clear illustration of a ‘no tolerance’ approach from management.

Helping customers tackle fraud

During the year, we continued to help customers safeguard themselves from social engineering attacks and the criminal syndicates that target M-PESA users.

Safaricom mass market caravan campaigns and other activations, especially in rural areas, included awareness campaigns to alert customers to the common fraud schemes used by crime syndicates and to offer advice on steps they can take to prevent being defrauded.

We also increased the number of staff working in the team monitoring suspicious activity on the M-PESA platform and implementing Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) measures, which has enabled us to achieve our target of investigating and reporting suspicious M-PESA transactions within seven days. We also host a Mobile Money Investigations Unit (MMIU), which is a unit composed of officers from the Police Force. The unit investigates cases of mobile money fraud and forwards such cases for prosecution.

REGULATORY COMPLIANCE

We ensure that we remain compliant with regulatory requirements by assessing our processes against all applicable laws and regulations. We also engage with our regulators proactively on all issues through a variety of channels.

We were fined by the Communications Authority (CA) again this year. The CA tested our network against its eight Quality of Service (QoS) measures and indicated that we attained a score of 62.5% against a compliance minimum score of 80%. Consequently, the Authority imposed a penalty of KES 270,056,720 on Safaricom. This penalty represents 0.15% of our Gross Annual Revenue (GAR) for the period ending March 2017. It should be noted that we, along with the other Kenyan mobile network operators, have expressed concerns regarding the QoS measures used by the CA and that the Authority is evaluating the methodology that underpins its testing framework. We continue to engage the CA on the matter with the expectation that our framework concerns will be addressed.

Anti-bribery bill enacted

It was rewarding to be part of the coalition that helped draft Kenya’s new antibribery legislation and we are delighted to report that the Bribery Act has been signed into law and came into force in January 2017. An important step towards addressing the issues of corrupt practices in Kenya, the Act provides a more robust system for preventing bribery, including obligations on individuals holding positions of authority in Kenyan companies or companies operating in Kenya to report instances of bribery and obligations on companies to put in place bribery prevention policies and measures.

Network Redundancy, Resilience and Diversity (NRRD) guidelines

The CA is in the process of improving the NRRD guidelines and regulations for ICT networks in Kenya (i.e. a toughening up of QoS regulations) and published a draft document for stakeholder comment. We have since made a formal submission in response to this draft and now await the regulator’s response.

Counterfeit handset monitoring

The CA has expressed its intention to install a monitoring system within Kenyan mobile networks to help eradicate the use of counterfeit handsets. We, along with every other mobile network operator in Kenya, support this ambition, but are concerned about the method currently being proposed by the Authority. Our apprehensions include quality of service compromises, single points of failure and consumer privacy concerns. We are unable to comment further because the matter is still in court and sub judice at the time of going to print with this report.

Improved consumer protection

During the year, we successfully migrated our Safaricom Consumer Protection email portal to a CRM-based platform in order to facilitate improved responses to issues raised by the CA through its Chukua Hatua consumer education outreach programme.

Proactively engaging with the regulator

We also continue to engage with the Communications Authority on the following ongoing issues:

Information and Communications Sector Regulations

The comprehensive review of the regulations governing the sector has been completed and we await the outcome of this review. We continue to support attempts to grow the market and to provide consumers with the very best offerings in terms of variety, price and quality that are aligned with international best practices.

SIM Registration Regulations

In response to the new amendments, we have introduced an app that captures and stores customer information electronically and rolled out awareness training among M-PESA agents through a campaign called Know Your Customer (KYC), which focuses on ensuring SIM cards are properly registered when first activated.

Infrastructure Sharing Regulations

We continue to engage with the CA and the government on these proposals.

National ICT Policy

The consultation process on the draft ICT policy has concluded and we are awaiting the regulators response to our formal submission.

Looking Ahead

FY18 GOALS

  • We will continue to engage government and the CA on the ongoing initiatives highlighted in this report.
  • We will take an active role in implementing B-Team – Africa anticorruption initiatives.
  • We will continue with initiatives to ensure that agents comply with Know Your Customer (KYC) initiatives. We plan on ensuring at least two company-wide compliance checks during the year.