31 MARCH 2015 ALEXANDER FORBES GROUP HOLDINGS LIMITED INTEGRATED ANNUAL REPORT

GOVERNING IT

We have in place a robust IT governance strategy which is embedded in the operations of the group IT function, with risk management being a key element in the performance scorecards of IT managers and senior employees.

The group IT director is a member of the group boards and associated Audit and Risk Committees, as well as teams heading up strategic group projects. Working groups tasked with embedding regulatory requirements in the organisation, including the Protection of Personal Information Act, the Solvency Assessment and Management (SAM) requirements and treating customers fairly, all include senior IT executives.

The Alexander Forbes IT governance framework is based on the following local and international frameworks:

  • King III
  • Information Technology Infrastructure Library (ITIL v3)
  • Control Objectives for Information and Related Technology (COBIT)

The framework is supported by a series of policies and procedures that enable the group to ensure compliance with our framework’s demanding standards. At year-end considerable progress had been made towards aligning our framework with COBIT 5, the latest iteration of the framework released by ISACA, an international IT governance association.

Management monitors compliance with the IT governance framework on an ongoing basis. Disaster recovery and business continuity systems and procedures all conform to the highest international standards and protocols and are regularly tested. During 2014/15, no material control or governance deficiencies were identified.

On a functional level, the group IT Steering Committee oversees the implementation of the IT governance framework. Its work also includes monitoring and reporting on the business value of IT projects. The group IT director reports to the board (which is ultimately responsible for IT governance) through the Audit Committee on such projects, including proposals for significant IT expenditure. The CIO also reports, on a formalised quarterly basis, to the Audit Committee on the top 10 IT risks.