Sun International : Risk Report

STRATEGIC LEADERSHIP	SUSTAINABLE VALUE CREATION	STRONG BUSINESS RESPONSE	CORPORATE DATA AND ADMINISTRATION			17

RISK MANAGEMENT

Sun International's risk management process is focussed on identifying and minimising the impact of the key strategic, operational, financial, reputational and regulatory risks facing the business in the geographies and economic sectors in which the company operates. The process encompasses activities which are from a risk perspective value accretive as well as those activities which could potentially lead to value depreciation. The scope of the risk management process includes the consideration of internal and external factors, which could impact on the successful implementation of the group's strategy with a focus on operating environment, trends, material matters, threats, opportunities and stakeholder engagement.

COVID 19

The group continues to enforce and monitor strict and disciplined Covid-19 protocols to mitigate against the risk of employees, customers and other key stakeholders contracting the virus. These protocols are benchmarked across all jurisdictions.

RISK APPROACH

The board is ultimately responsible for the governance of the group's risk management process and the formulation of the group's risk appetite and setting and monitoring risk tolerance. The board discharges its duties by mandating specific risk management duties and responsibilities to the group's risk committee and the group's chief executive and executive management team. The executive management are collectively responsible for the compilation and continuous review of the group's risk register, which is tabled

at each meeting of the risk committee for discussion as well as ensuring that the risk management process is inclusive and deeply embedded throughout the group.

The group considers its risks in terms of the potential likelihood of an identified risk actually occurring and its impact on the group, resulting in each risk being allocated an inherent risk rating. The potential impact is determined by considering the operational, regulatory and financial impact a risk could have on the group, while the likelihood is rated on a scale ranging from a remote

to a definite possibility. Each inherent risk is considered along with the effectiveness of mitigating controls, which results in a residual risk exposure. A residual risk rating is allocated to each risk, with a detailed risk mitigation action plan with quarterly status updates and contingency plans and opportunities, to minimise or prevent the risk. Each risk is assigned to a specific executive who is responsible for implementing the mitigation measures and is held accountable for continually monitoring, mitigating where possible and reporting on progress.

Prior to the final risk committee meeting for the year, the group's risk working committee, comprising of the executive team, senior management and other relevant invitees conduct a full review of the risk register, risk ratings and mitigation measures, for presentation to the risk committee. The risk committee ensures that the group's approach to risk management and methodology remain relevant and that the risks included in the risk register represent the group's risk universe. The risk committee is satisfied that the group's 2021 risk approach was consistently applied group-wide and remains relevant and robust. The group's risk management process and the effectiveness of risk mitigation implemented at a group and unit level are reviewed by various providers, as defined in the group's combined assurance framework.

The group's risk management approach stood us in good stead when addressing the Covid-19 pandemic. The executive team acted decisively and quickly in putting additional policies and protocols in place to address Covid-19. The risk committee also annually reviews the group's insurance programme before presentation to the board for approval. The 2019/2020 programme included infectious diseases in its business interruption cover and the group was successful with a claim against its insurers receiving a substantial settlement during the year under review.

To further bolster our risk process, a dedicated group risk manager was appointed who will be responsible for supporting the leadership and management. The group will also commission a third-party independent review of the group's risk management approach and methodology,

to ensure its effectiveness and alignment with the board's risk appetite, tolerance plus industry best practice.

RISK GOVERNANCE

The risk committee chairman reports to the board following each meeting, in accordance with the committee's terms of reference. The committee's mandate provides that material matters are reported to the group's audit committee to ensure the committee has appropriate insight into the group's material risks and opportunities and to avoid duplication of matters within the remit of both committees. The board, through the audit and risk committees, considers the risks and opportunities the group may face. It also seeks the assurance of the risk committee chairman that the risks have been assessed and mitigated by management. The audit committee chairman is a member of the risk committee. The interaction between these two committees is such that

the audit committee has an oversight role, specifically in relation to financial reporting risks.

IT governance sub-committee

	Economic	impact		Risk	tolerance
	Effectiveness of		Covid-19 impact
	mitigating controls
	Reputational risk	Factors	Business
	considered	opportunities
			by the
	Legal compliance	board when	Risk movement and
	assessing risk	level of control
	Stakeholder impact		Business interruption
	Risk appetite		Risk timeframe -
		short, medium and
				long-term

RISK IDENTIFICATION PROCESS

Risk appetite

The board determines the group's risk appetite annually based on an assessment of the strategic,

financial, operational, compliance and reputational risks contained in the risk register

	Review and	Consolidate	Consider	Communicate	Report most	Conduct an
	identify unit	and update	additional	the consolidated	significant risks	annual risk
	risks for the	unit-specific	group risks and	group risk	to the risk	review workshop
	group through	risk registers	interrogate	register to	committee as
	the quarterly	into a group risk	and update	all units for	well as any new
	unit-specific risk	register	the controls	updates,	or deleted risks
Responsibility	registers		and mitigating	review and
		actions	consideration
Management	Risk	Risk working	Risk	Executive	Risk

Risk committee

Insurance and risk

	Sun International	Audit committee
	board of directors
				Group Internal Audit
	Executive committee

at unit level

manager

committee

manager

team

committee

Assurance

Various assurance providers review and audit the group's risk management processes at group and at unit level

2021 SUN INTERNATIONAL Integrated Annual Report

Unit	Gaming	Hospitality
operational risk	operational	operational
committee	committee	committee

Risk and sustainability

STRATEGIC LEADERSHIP	SUSTAINABLE VALUE CREATION	STRONG BUSINESS RESPONSE	CORPORATE DATA AND ADMINISTRATION			18

Risk management continued

COMBINED ASSURANCE MODEL

Required level of assurance in respect of group risks

Philosophy and approach

Sun International's combined assurance strategy and framework objective is to ensure optimal, cost-efficient and focused assurance coverage across the group. Our hybrid top-down and bottom-up approach, which aligns with the JSE listing requirements and King IV outcomes, ensures adequate assurance on key business risks and processes as detailed below.

The group's combined assurance provides a view and opinion over the adequacy and operational effectiveness of key controls in relation to material risks. Successful assurance enhances the degree of confidence that the control environment is functioning optimally, to mitigate material risks and promote the achievement of group-wide objectives. Sun International's combined assurance is designed such that the level of assurance required is dependent on the level of risk assessed,

assurance activities as well as the assurance provider's level of independence, skill and qualifications. Sun International's assurance strategy is tailored so that the higher the level of risk, the higher the level of assurance required.

The audit committee and senior management ensure that both external and internal assurance providers appointed have the appropriate experience, skills and follow an acceptable assurance approach. This is achieved through periodic

THE GROUP'S COMBINED ASSURANCE APPROACH

INTEGRATES

the group's value drivers and strategic objectives

THE GROUP'S COMBINED ASSURANCE FRAMEWORK

taking into account inherent risk and risk appetite. The assurance quality provided by the various assurance providers depends on factors such as the nature, timing, and extent of

assessment of the assurance providers to establish both assurance coverage and assurance quality.

The group's combined assurance approach ensures that assurance services and functions:

Enable an

effective control

environment

Support the integrity of information for internal decision making

Support the

integrity of the organisation's external reports

ASSISTS

the board and executive committee (exco) in executing their fiduciary duties and responsibilities, by ensuring:

Achievement of the group's strategic objectives

Reliability and integrity of financial and operational information

Effectiveness and efficiency of operations and programmes

Safeguarding of assets

Compliance with laws, regulations, policies, procedures, and contracts

Operational excellence and profitability

ENSURES

a sound control framework for an adequate and effective control environment, risk assessment, control activities, reporting and monitoring

OPTIMISES

the risk and opportunity universe

Top 10 risks

The risk table below identifies the group's top 10 risks as at 31 December 2021. These risks are discussed in detail and include

Sun International's level of control, key stakeholders impacted and primary board committee responsible for oversight. For the year under review the following risks moved into the group's top 10 risks:

Risk 3: Political and civil unrest	The following risks moved out of the top 10 risks:
Risk 6: Recovery of the hospitality and tourism industry and its
∞	Ongoing changes in licence conditions
impact on hotels and resorts	∞	Succession plans for critical roles
Risk 9: Loss of GrandWest casino licence exclusivity	∞	Infrastructure management and maintenance
				Change
Risk		Residual	in ranking	2020 risk	Strategic
ranking	Risk description	risk		from 2020	rating	objective
1	Weak economic conditions	Extreme		(2020: 2)	SO1 SO5
2	Coronavirus (Covid-19)	Serious		(2020: 1)	SO4
3	Political and civil unrest	Serious			SO4
4	Smoking legislation	Moderate		(2020: 4)	SO4
5	Increase in gaming taxes and levies	Moderate		(2020: 5)

Lines of defence

Sun International's lines of defence model is used as a basis for risk management, governance and oversight structures to obtain assurance at various levels group-wide. The group has adopted a four lines of defence model, highlighting the different role players' responsibilities for internal controls and

risk management as shown alongside.

	Lines of
	defence (LoD)	Example and description of role players
		Management
	1st LoD	The definition of management includes all levels of the business and
		management, including exco and the chief executive.
		Support functions
	2nd LoD	Corporate functions independent from the operations - includes, compliance,
	sustainability and risk management that perform key functions to provide a
		second line of assurance to the board.
		Internal assurance
	3rd LoD	Internal assurance - incorporates internal assurance providers that provide
		objective assurance such as Group Internal Audit.
		External assurance
		External assurance - incorporates assurance providers, such as external
	4th LoD	auditors, environmental auditors, and other external parties. These structures
		are largely independent of the operational activities of the company and
		provide assurance to the board.

						SO5
6	Hospitality and tourism industry recovery and its impact	Moderate		SO1
	on hotels and resorts
7	Increased demands from stakeholders (minority		Moderate	(2020: 7)	SO4
	shareholders, communities and local suppliers)
8	Erosion of market share due to other forms of gambling	Moderate	(2020: 11)	SO5
9	Loss of GrandWest casino licence exclusivity		Within	(2020: 17)	SO5
				appetite
10	Cyber threats and information security		Within	(2020: 9)	SO4
				appetite
Constant	Increased	Decreased	New risk

2021 SUN INTERNATIONAL Integrated Annual Report

STRATEGIC LEADERSHIP	SUSTAINABLE VALUE CREATION	STRONG BUSINESS RESPONSE	CORPORATE DATA AND ADMINISTRATION			19

Risk management continued

RISK 1	(2020: 2)

Weak economic conditions

RISK DESCRIPTION

The macro-economic outlook remains under pressure. Key factors impacting the economic climate include the impact of Covid-19 and the civil unrest and looting in parts of South Africa. Intermittent load shedding and deterioration of critical infrastructure continues to impact economic growth.

Risk category		Sun International's level
Financial sustainability		of control
		Limited
Primary board committee		Key stakeholders
Risk and audit committees		Shareholders, potential
		investors and employees

RISK MITIGATION

• Focus on improving our customer experience and engagement:
• • Launched a Sun International mobile App for both our leisure and casino customers.
  • Launched our online booking engine to drive an increase in direct bookings and improve the customer booking experience.
  • Implementing a new gaming system (Playtech), in a phased approach, which will enhance our customer experience - system to be fully implemented in 2024.
• Ongoing focus on improving operational and resource efficiencies as well as cost containment across the group.
• Strengthened our balance sheet and improved our liquidity position.

OUTLOOK

• The weak economic climate is set to continue and with the risk of further Covid-19 waves, there may be additional economic pressures for corporates and consumers. South Africa's energy supplier remains fragile, high-energy costs and failing infrastructure persist, all of which impact growth opportunities. Crime, corruption and unrest also remain a concern and continue to impact our economy.

RISK 3
(2020: new risk)

Political and civil unrest

RISK DESCRIPTION

The political and civil unrest, similar to the unrest South Africa (Gauteng and KwaZulu-Natal) experienced in July 2021, is a risk to Sun International.

Risk category		Sun International's level
Financial sustainability		of control
		Limited
Primary board committee		Key stakeholders
Risk and audit committees		Employees, customers,
		shareholders, suppliers,
		communities

RISK 4	(2020: 4)

Smoking legislation

RISK MITIGATION

• Reviewed security arrangements and business interruption plans at properties.
• Reviewed the group's SASRIA insurance cover.
• Engaging with security companies to obtain early warnings of potential riots.

OUTLOOK

• Significant economic inequality could lead to future political and civil unrest which the group is closely monitoring.

RISK MITIGATION

► Submitted comments on the proposed

Tobacco Bill against the May 2018 draft

and we await government's view on the

RISK 2
(2020: 1)

Coronavirus (Covid-19)

RISK DESCRIPTION

The coronavirus global pandemic continues to severely impact our business operations and revenue across our gaming, hospitality and supply chain areas.

Risk category		Sun International's level
Business interruption		of control
		Limited
Primary board committee		Key stakeholders
Risk, audit, social and		Employees, customers,
ethics and remuneration		shareholders, suppliers,
committees		communities

RISK MITIGATION

• Covid-19protocols in place and continuously updated as lockdown levels change.
• Ongoing awareness and support provided around Covid-19 among employees, customers and guests.
• Opened several vaccinations sites at certain properties and actively promoting vaccinations group-wide.
• Significant cost containment measures implemented.

OUTLOOK

• Sun International will continue to adapt to the new normal business environment and encourage employees and guests to be vaccinated.
• Government's vaccination rollout plans will continue into 2022 to encourage citizens to be vaccinated.

RISK DESCRIPTION

South Africa's draft Control of Tobacco Products and Electronic Delivery System Bill, 2018 was published in May 2018 and includes a ban on smoking (including e-cigarettes) in public areas (both indoor and outdoor areas). This proposed legislation will have a significant impact on group casino revenues.

Risk category		Sun International's level
Regulated operating		of control
environment		Limited
Primary board committee		Key stakeholders
Risk committee		Employees, customers,
		health authorities and
		shareholders

collective submissions made.

► Continue to lobby and engage with CASA,

the gaming boards, trade unions and other

affected corporates.

OUTLOOK

• The South African legislation is not expected to be enacted in the 2022 financial year.
• The group continues to lobby and coordinate efforts with other affected industries.
• The group's legal department continues to monitor changes and/or movement on the proposed Bill.

2021 SUN INTERNATIONAL Integrated Annual Report

STRATEGIC LEADERSHIP	SUSTAINABLE VALUE CREATION	STRONG BUSINESS RESPONSE	CORPORATE DATA AND ADMINISTRATION			20

Risk management continued

RISK 5	(2020: 5)

Increase in gaming taxes, fees and levies

RISK DESCRIPTION

Various provincial gaming boards have implemented and/or proposed increases to gaming taxes and levies in 2020. Where the increases have become effective the group is obligated to comply with the increases, however the group continues to engage with the various gaming boards directly and through CASA on these increases.

The Western Cape Provincial Government (WCPG) has promulgated a Bill into law that will introduce operator fees for casinos and route operators to fund the WCPG operations. The company has instituted legal action to review the WCPG's decision to impose the operator fees concerned. In the meantime, the WCPG confirmed that it will not impose the operator fees until the review application has been heard.

The KZN Provincial legislature has proposed amendments to the KZN Gambling Tax Act which seeks to increase gaming taxes; to tax Freeplay and to introduce a Transformation

Risk category		Sun International's level
Regulated operating		of control
environment		Limited
Primary board committee		Key stakeholders
Risk committee		Gaming boards, CASA,
		provincial government and
		shareholders

RISK MITIGATION

• Monitoring CASA's progress in challenging the increase on grounds of a procedural and fairness basis.
• Lobbying and challenging proposed gaming tax legislation is ongoing for the group.
• Legal action instituted to set aside the WCPG decision to impose operator fees on casinos and route operators in the Western Cape.

OUTLOOK

RISK 7	(2020: 7)

Increased demands from stakeholders (minority shareholders, communities and local suppliers)

RISK DESCRIPTION

There has been ongoing demands from local communities and local suppliers surrounding our operations, ranging from procurement, employment, shareholding to land opportunities.

Risk category		Sun International's level
Financial sustainability		of control
		Limited
Primary board committee		Key stakeholders
Social and ethics committee		Shareholders, communities
		and suppliers

RISK MITIGATION

• A formal community engagement management plan is in place to identify community needs.
• Continued to support local B-BBEE procurement and enterprise development within communities surrounding group operations, through our supplier registration database and our online tender notice board.
• Ongoing engagement with minority shareholders.
• Additional CSI and SED spend has been allocated to address some of the community needs identified as part of our ongoing community engagement strategy.
• Regular focused communication with interested stakeholder groupings such as our debt funders, shareholders and equity partners.

Fund, which is to be funded through gaming taxes raised. The company has engaged with the provincial legislature through CASA and directly in respect of its LPM operations and it will be objecting the proposed amendments.

• Currently the group is not aware of any additional increases in gaming taxes or levies.
• We anticipate engaging more constructively with gaming boards in the future regarding compliance costs associated with a gambling business.

OUTLOOK

• It is expected that increased stakeholder demands will continue, given the weak economic environment and the additional impact of Covid-19.
• Sun International will continue to proactively engage with stakeholders on their concerns.

RISK 6
(2020: new risk)

Recovery of the hospitality and tourism industry and its impact on hotels and resorts

RISK DESCRIPTION

The hospitality, travel and tourism industry recovery will be prolonged, notwithstanding global vaccination programmes. This will affect international and local group travel and conferencing. Corporate transient travel will also be sluggish in the foreseeable future. Certain group properties will be harder

RISK MITIGATION

► Integration into the Global Hotel Alliance effective

7 December 2021.

► Ongoing focus on maximising domestic leisure revenues at all

properties through online and direct booking channels.

► Continual focus on maximising gaming accommodation and

gaming revenues at Sun City, Wild Coast and Boardwalk.

► Ongoing cost reviews at all properties.

► Creation of additional events at resorts to drive midweek and

RISK 8
(2020: 11)

Erosion of market share due to other forms of gambling

RISK DESCRIPTION

The proliferation of Illegal gambling operations, the availability of casino style games offered by non-casino licensees and the operation of EBTs continues to erode gaming revenues.

RISK MITIGATION

► Engaged with a financial institution to ascertain the

viability of blocking bank accounts of persons who

are participating in illegal gambling activities.

► Continuing to participate in the National Illegal

Gambling Enforcement Forum consisting of the

SAPS and the National Gambling Board (NGB).

► Lobbying gaming boards for support from law

enforcement agencies.

► Following up on illegal gambling operations in

hit due to reliance on conferencing and international tourists.

Risk category		Sun International's level
Financial sustainability		of control
		Limited
Primary board committee		Key stakeholders
Risk committee		Shareholders, gaming boards,
		CASA

weekend demand.

► Ongoing engagement with government on vaccination travel

protocols to encourage a swift return of international tourists.

► Lobbying relevant regional and national government to

maintain and upgrade roads, airports and infrastructure around

Sun City.

► Engagement with the Tourism Ministry and Tourism Business

Council of South Africa with respect to removing obstacles to

the growth of international tourist arrivals, e.g. Visas, air access

and destination marketing.

Risk category

Increased competition

Primary board committee Risk committee

Sun International's level of control

Limited

Key stakeholders

Gaming boards, CASA, South African Police Service (SAPS) and provincial

and national government

Sun International's catchment areas.

► The company leverages developments in the

online sports betting business to offset the erosion

of revenue.

► CASA is challenging the unlawful gambling through

the Advertising Regulatory Board and provides

regular updates to Sun International.

OUTLOOK

OUTLOOK

• While vaccination rollout programmes are ongoing, we anticipate a slow recovery in the hospitality, travel and tourism industry in 2022.

• It is anticipated that alternative casino style games will continue to grow.
• Strategic focus on growing SunBet's share in the online gaming market.
• The group's strategy is to keep abreast of the changing landscape in the online gaming environment.

2021 SUN INTERNATIONAL Integrated Annual Report

STRATEGIC LEADERSHIP	SUSTAINABLE VALUE CREATION	STRONG BUSINESS RESPONSE	CORPORATE DATA AND ADMINISTRATION			21

Risk management continued

RISK 9
(2020: 17)

Loss of GrandWest casino licence exclusivity

RISK DESCRIPTION

The Western Cape Twentieth Gambling and Racing Amendment Bill and the Western Cape Twenty-First Gambling and Racing Amendment Bill were published on

8 May 2020, which seeks to: impose new casino operator and LPM operator fees, create new exclusivity areas and reduce GrandWest's exclusivity zone from 75km to 25km, and introduce a relocation and exclusivity fee. The High court recently ruled in favour of Tsogo Sun and compelled the WGGRB to consider an application for relocation. It however suspended its decision for one year for the WCPG to enact a new regulatory regime which will expressly allow the WCPG Board to approve applications to relocate casinos in the Western Cape.

Risk category		Sun International's level
Gaming and other		of control
operating licences		Limited
Primary board committee		Key stakeholders
Risk committee		Gaming boards, provincial
		government, shareholders and
		potential investors

RISK MITIGATION

• Proactively engaging with the Western Cape Premier and national government to discuss relocation and the possibility of licence exclusivity.

OUTLOOK

• Covid-19and the weak economy will reduce the likelihood of a relocation given the financial viability of such a move.

RISK 10
(2020: 9)

Cyber threats and information security

RISK DESCRIPTION

Increasing interconnectivity, globalisation and commercialisation of cybercrime are driving greater frequency and severity of cyber incidents, including data breaches. These incidents or breaches could lead to system unavailability, business disruption and financial loss.

Risk category		Sun International's level
Business interruption		of control
		High
Primary board committee		Key stakeholders
Risk committee		Employees, shareholders
		and potential investors

RISK MITIGATION

• Establishing a security training and awareness communication strategy to enhance our people defence.
• Enhanced our remote working security protocols to combat new threats.
• Enhanced security monitoring tools to help establish a holistic security operation group-wide.
• Establishing a vulnerability management practice to provide reporting, monitoring and execution of identified threats across the application and infrastructure landscape.
• Conducting independent internal and external penetration testing to understand current threats and vulnerabilities.
• Assessing the regulatory environment, particularly the new Cyber Act, which was promulgated in May 2021 and its impact to the group.
• Assessing outsourcing security providers to enhance the security skills and existing resources required.
• A cyber insurance policy was put in place to help minimise risk exposure.

OUTLOOK

• We are constantly assessing our threat landscape to ensure our information security management systems is effective and robust to deal with evolving threats.
• Ransomware has been an increasing threat in South Africa, and we have partnered with various organisations to help with our detection and response capabilities.
• Phishing attempts are the primary attack type and our focus area is to enhance our awareness and communication to employees.
• As we look at more digital technology solutions, we have also enhanced our cloud security controls.

2021 SUN INTERNATIONAL Integrated Annual Report