The practice of recognising the most critical threats to our company is a fundamental operational procedure. However, in recent times, this process has gained unprecedented significance. The outbreak of the pandemic has transformed our risk landscape into a constantly evolving and unpredictable terrain, influenced by numerous external elements at both the global and national scales.
Our vigilance and adaptability in assessing and mitigating risks during the 2022/23 reporting period have become paramount for the continued success and resilience of our business.

We continued to manage the risks we had to confront within the framework of the recover and sustain strategy and the revised financial plan that we had put into place in 2020. In our response to the pandemic, we continued to adhere to all management protocols mandated by the world health organisation (WHO), the international civil aviation organisation (ICAO) and IATA. Crisis committees remained in place throughout the business to ensure full and complete compliance at all of our airports, while operations adopted an exceptionally agile approach in order to deal with the challenges of upscaling the business as the pandemic abated and as new challenges presented themselves.

Cognisant of the complexity of the challenges that lie ahead in a post-COVID-19 pandemic world, we also put a new corporate plan and Growth Strategy into place, which allow for the many new realities that we face. These provide a strategic and operational framework for recovery and growth over three timeframes to 2030 as well as for the development of infrastructure to support diversification into non-aeronautical revenue streams.

A full risk assessment is undertaken annually, and risk reviews are conducted quarterly to ensure that our risk management processes remain relevant and are being fully implemented. The key risks we faced during the reporting period are detailed in the tables below, as are the mitigation measures and control we have in place to manage each risk.

Nature of Risk Mitigation Measures and Controls

Not being able to adapt and recover quickly from adverse external events such as the impact of the COVID-19 pandemic or major supply chain disruptions due to diminishing opportunities to generate revenue, which could threaten the sustainability of the business as a whole.

We conduct ongoing assessments of our strategies, plans and models to ensure that the business is flexible enough to adapt to the impact of crises and changing operating conditions.

We have a Recover and Sustain Strategy, a Growth Strategy, a Commercial Strategy, and an in-depth Corporate Plan in place to provide a framework for managing our post-COVID-19 pandemic recovery and growth to 2030. The principles in the Corporate Plan inform our response to all adverse events.

We have established and well-defined corporate governance structures, systems and procedures that are aligned with the guidelines given in King IV™. These enable us to respond quickly to all sustainability threats and risks. We have proven long-term financial planning capabilities as well as the ability to adapt our financial planning to accommodate unforeseen events.

We actively manage costs and liquidity.

Not being able to manage and/or recover quickly from an adverse event with serious environmental, social and/or governance impact.

All our airports are ISO 14001: 2015 certified for compliance with international environmental management standards.

We are currently reviewing and updating our Environmental, Social and Governance (ESG) Framework. All management measures currently in place are being adhered to.

Our environmental management programme focuses on energy conservation, climate change mitigation, water usage, waste management, air quality, noise management and biodiversity. It is a key strategic aim for the Group to become carbon neutral as soon as financially and technologically possible.

Environmental risk is closely monitored and a report on this area of risk is presented to the Board on a quarterly basis.

Nature of Risk Mitigation Measures and Controls

Not being able to execute our strategic objectives and/or operational obligations due to constraints on revenue, which could increase our safety and security risk, lead to a weaker financial position and result in poorer financial performance.

We have well-established and proven long-term financial planning capabilities.

We have strong economic regulatory specialist capabilities.

We adhere to a constructive engagement process that complies with and goes beyond the requirements of the economic regulator.

We actively participate in the Economic Regulatory Review Process led by the Department of Transport (DoT).

We have a conservative approach to financial planning.

We conduct regular, in-depth scenario planning to mitigate financial risk.

Nature of Risk Mitigation Measures and Controls

Not being able to adapt to and mitigate the impact of load-shedding (planned rolling power blackouts) at our airports and on our stakeholders.

Extensive on-site back-up generators are in place to provide power during the periods in which we do not have grid electricity.

Our capex budgets will include provision for additional generator capacity, as needed, and our operating budgets will allow for the purchase of the diesel required to run them.

Four of our airports have extensive solar farms specifically designed to reduce our reliance on grid electricity and enable us to manage the impact of load-shedding.

The Enterprise Asset Management Department has developed a framework to mitigate the risk of the national grid collapsing, should this happen. The framework outlines a six-point response consisting of: (i) prioritising load requirements, (ii) sustaining the load, (iii) maintaining availability, (iv) securing and sustaining supply, (v) engaging with stakeholders, and (vi) monitoring responsibilities and accountability.

Carbon Neutrality: Our Roadmap to Carbon Neutrality includes medium- to long-term solutions intended to enhance our energy security through the use of various forms of renewable energy.

Inability to manage challenges in the jet fuel supply chain, which could result in shortages and have a critical impact on operations.

The South African Petroleum Industry Association Fuel Forum has been reformed to ensure that all stakeholders are kept fully informed of the constraints affecting the supply of jet fuel at airports. Supply is vulnerable for a number of reasons including reduced local refining capacity, changing international market dynamics, the impact of load-shedding, intermittent logistics and labour issues, and the fact that South Africa does not hold strategic reserves of jet fuel.

ACSA mitigates this risk by identifying and making use of multiple jet fuel suppliers including the only refinery in South Africa that still produces jet fuel.

We have also recently increased jet fuel storage capacity at our busiest airports, namely Cape Town International and O.R. Tambo International by 7 and 8 million litres respectively.

Nature of Risk Mitigation Measures and Controls

Not being able plan for recovery, growth, and development due to uncertainty related to the regulations governing aeronautical revenue, which could impact on our ability to develop and maintain appropriate infrastructure in order to meet present and future demand.

We actively participate in the Economic Regulatory Review process led by the Department of Transport (DoT).

We have proposed amendments to the Airports Company Act (No. 44 of 1993) which, if approved, will introduce a mechanism for appealing new or amended regulations.

We adhere to a constructive engagement process that complies with and goes beyond the requirements of the economic regulator.

We have a Partnership Strategy designed to inform engagement with all stakeholders, including our engagements with the economic regulator.

In the short-term, the permission process for the FY2023/24 to FY2027/28 financial years is currently underway, and proposals for tariff increases have been submitted to both the regulatory body and the aviation industry. The Regulatory Committee has granted an inflationary increase on the tariffs granted for FY2022/23 and these are being applied in the current financial year. This increase serves as an interim permission for the FY2023/24 to FY2027/28 period and is allowing the Regulatory Committee sufficient time to review ACSA’s application for full permission. The interim permission allows for a 4.4% increase in FY2023/24, with a subsequent increase of 4.5% in each year from FY2025 to FY2027/28.

With a long-term perspective in mind, ACSA is making submissions to the Government of South Africa which, in turn, is making submissions to the International Civil Aviation Organization (ICAO) Economic Commission. The objective of these submissions is to supplement or expand ICAO Doc 9082 on airports and air navigation services charges for international civil aviation. The position of global airport operators, including ACSA, is that governments must recognise the need to maintain economic equilibrium in times of disaster or in the face of unexpected shocks – and that the regulated formula must consider market and demand conditions. The current single-till approach does not afford ACSA this much-needed equilibrium, hence the need to relook at the method and to move to a double-till approach.

Nature of Risk Mitigation Measures and Controls

Not being able to diversify our revenue stream by leveraging opportunities to generate non-aeronautical revenue, which could impact on the long-term success and sustainability of the business.

There is a strong legislative framework to support business diversification.

We are in the process of implementing our Recover and Sustain Strategy and our Growth Strategy, both of which focus strongly on revenue diversification.

We have a Board-approved Commercial Strategy, which is reviewed regularly and updated if and as necessary.

We are reviewing all infrastructure development plans that were shelved during the pandemic in order to ensure that the business is suitably equipped to diversify its revenue streams not only in the short-term, but also in the medium- and long-term.

We have standardised processes and procedures for rental case negotiations.

Nature of Risk Mitigation Measures and Controls

Not being able to adopt and deliver innovative, resilient, and secure digital platforms and technologies that support our digital transformation and business growth objectives, which could erode our reputation and standing as an operator of world-class airports.

We have a Digital Strategy in place that is aligned with the Knowledge and Innovation Strategy, the Enterprise Security Strategy, the Enterprise Risk Management Strategy, and the Business Continuity Framework.

We also have an Information Management Plan in place, which is monitored by our Information Management Committee, which provides the Board with quarterly reports.

We have a secure and fit-for-purpose IT architecture in place. This is regularly assessed and updated in order to keep pace with rapid technological developments.

Our digitalisation journey focuses on building, securing, maintaining, and developing an integrated system that is compliant, secure, and resilient.

Nature of Risk Mitigation Measures and Controls

Not being able to protect our digital systems and data from the growing threat of cyber attacks, which could compromise both our ability to operate and our reputation as a trusted airports operator.

We have a Cyber Security Strategy in place and implementation is constantly monitored.

We have best-of-breed digital security systems, both on-site at all of our airports and in the Cloud.

We have a team of cyber security experts on permanent staff, led by a Chief Information Security Officer (CSIO).

We monitor for cyber security threats 24/7/365.

We undertake biannual assurance assessments to supplement the annual cyber security audits undertaken by the Auditor General.

We have cyber security insurance to mitigate against the threat posed by increasingly sophisticated cyber criminals.

We comply fully with the Protection of Personal Information Act (POPIA), the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standards (PCI DSS) and the Minimum Information Security Standards (MISS).

We have technology security tools in place to prevent data leakages and connectivity incidents.

We use unique usernames and passwords to authenticate and authorise access to systems and information.

Nature of Risk Mitigation Measures and Controls

Misalignment of our people management approach with the overall corporate strategy and/or mismanagement of our relationships with our staff and other stakeholders.

We have a Board-approved People and Culture Strategy in place.

The implementation of the strategy is closely monitored and reports are made to the Social and Ethics Committee on a quarterly basis.

Training and refresher courses on ACSA’s values are regularly provided for all staff.

We also have a Change Management Framework in place, which provides all of the appropriate tools for implementing the change management process that was put into place in response to the COVID-19 pandemic.

Awareness of both the framework and the change management process is closely monitored and measured.

Capacity modelling has been allowed for in our new Operating Model and Governance Framework and this will be used to develop a strategic workforce plan.

Nature of Risk Mitigation Measures and Controls

Not complying with all relevant legislation, regulations, policies, and procedures, which could compromise safety and security, threaten our licence to operate and damage our reputation.

We have fully mapped our compliance universe.

We conduct training and awareness programmes regularly.

Policies, frameworks, manuals, and procedures are carefully monitored and regularly reviewed.

We have compliance risk management and compliance assurance plans in place.

We have a compliance management system in place.

Nature of Risk Mitigation Measures and Controls

Not being able to manage and improve our reputation through the effective management of the brand and our stakeholders, which could cause reputational damage, compromise relationships with stakeholders and impact on our ability to raise capital.

We have a comprehensive Communications Strategy, a Partnership Strategy, and a Stakeholder Engagement Strategy in place to support and protect our brand and reputation.

We proactively profile ACSA from an external perspective in order to monitor our reputation with all stakeholder groups, including the general public.

We conduct focused engagements with all critical stakeholders.

We have strong stakeholder risk intervention policies and procedures in place.

We have a proactive internal and external stakeholder communications programme in place.

We conduct airport stakeholder feedback surveys.

We have a proactive programme of brand communications in place.

We have approved social media procedures in place and a strong social media presence.

We have formal external communications procedures in place.

We have formal crisis management procedures in place.

We have approved ethics and anti-corruption policies in place.

We have ethics risk assessment and a management plan in place.

We conduct an annual internal communications survey.

Nature of Risk Mitigation Measures and Controls

Not being able to effectively execute operational objectives as a result of a lack of strategic and operational planning, an erosion of skills, a lack of business intelligence, poorly managed project implementation and incorrect resource allocation could impact on our services offering and reputation and cause stakeholder dissatisfaction.

Various strategies are in place to provide a framework for business recovery and growth to 2030.

Our Operational Plan is fully aligned with our Recover and Strategy and our Growth Strategy.

We review performance against the Operational Plan on a biannual basis and submit reports to the Board for review.

We have reviewed all our business processes to allow for the impact of the COVID-19 pandemic and other external events and they have been adapted to enable us to deliver on our strategic objectives.

We have well-established operational governance procedures.

Our governance structures and the delegation of authority is regularly reviewed.

We conduct regular customer and stakeholder surveys to continuously align our infrastructure and services with changing demand.