Annual Report and Accounts 2022

RNS Number : 5642W
Network International Holdings PLC
18 April 2023
 

 

Network International Holdings Plc (LSE: NETW) (the "Company"), the leading enabler of digital commerce across the Middle East and Africa (MEA), announces that further to the release of the Company's preliminary results announcement on 9 March 2023, the Annual Report and Accounts for the year ended 31 December 2022 ("2022 Annual Report") has been published today and is available on the Company's website at  https://investors.networkinternational.ae/ . It has also been submitted to the National Storage Mechanism and will shortly be available at  https://data.fca.org.uk/#/nsm/nationalstoragemechanism .

 

The appendix to this announcement contains additional information which has been extracted from the 2022 Annual Report for the purposes of compliance with the FCA's Disclosure & Transparency Rules and should be read together with the Company's preliminary results announcement, which can be found at  https://investors.networkinternational.ae/ .  

 

Together these constitute the information required by DTR 6.3.5 to be communicated to the media in unedited full text through a Regulatory Information Service. This information is not a substitute for reading the full 2022 Annual Report.

 

Jaishree Razzaq

Chief Risk Officer & Group Company Secretary

Network International Holdings Plc

 

Investor Relations enquiries

 

Network International

InvestorRelations@Network.Global

Amie Gramlick, Head of Investor Relations

 

 

Media enquiries

 

Teneo

NetworkInternational@Teneo.com

Anthony Di Natale, Andy Parnis

 

 

 

Appendix: additional information required by DTR 6.3.5R

 

In compliance with DTR 4.1.12R, the Annual Report and Accounts 2022 contain Directors' responsibilities statements. These are reproduced below, along with the Statement on Risks & Uncertainties and Related Party Balances and Transactions, in line with DTR 6.3.5R. The statements relate to and have been extracted from the 2022 Annual Report.

 

Page and note references in this appendix refer to page numbers and notes in the 2022 Annual Report.

 

DIRECTORS' RESPONSIBILITIES STATEMENTS

Statement of Directors' responsibilities

 

The Directors are responsible for preparing the Annual Report and the Group and parent Company financial statements in accordance with applicable law and regulations.

Company law requires the Directors to prepare Group and parent Company financial statements for each financial year. Under that law they are required to prepare the Group financial statements in accordance with UK-adopted international accounting standards and applicable law and have elected to prepare the parent Company financial statements in accordance with UK accounting standards and applicable law, including FRS 102 The Financial Reporting Standard applicable in the UK and Republic of Ireland. In addition, the Group financial statements were also prepared in accordance with International Financial Reporting Standards as issued by the International Accounting Standards Board ('IFRSs as issued by the IASB').

Under company law the Directors must not approve the financial statements unless they are satisfied that they give a true and fair view of the state of affairs of the Group and parent Company and of the Group's profit or loss for that period. In preparing each of the Group and parent Company financial statements, the Directors are required to:

› select suitable accounting policies and then apply them consistently;

› make judgements and estimates that are reasonable, relevant, reliable and prudent;

› for the Group financial statements, state whether they have been prepared in accordance with UK-adopted international accounting standards; and in accordance with International Financial Reporting Standards as issued by the International Accounting Standards Board ('IFRSs as issued by the IASB');

› for the parent Company financial statements, state whether applicable UK accounting standards have been followed, subject to any material departures disclosed and explained in the parent Company financial statements;

› assess the Group and parent Company's ability to continue as a going concern, disclosing, as applicable, matters related to going concern; and

› use the going concern basis of accounting unless they either intend to liquidate the Group or the parent Company or to cease operations, or have no realistic alternative but to do so.

The Directors are responsible for keeping adequate accounting records that are sufficient to show and explain the parent Company's transactions and disclose with reasonable accuracy at any time the financial position of the parent Company and enable them to ensure that its financial statements comply with the Companies Act 2006. They are responsible for such internal control as they determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error, and have general responsibility for taking such steps as are reasonably open to them to safeguard the assets of the Group and to prevent and detect fraud and other irregularities.

Under applicable law and regulations, the Directors are also responsible for preparing a Strategic Report, Directors' Report, Directors' Remuneration Report and Corporate Governance Statement that complies with that law and those regulations.

The Directors are responsible for the maintenance and integrity of the corporate and financial information included on the Company's website. Legislation in the UK governing the preparation and dissemination of financial statements may differ from legislation in other jurisdictions.

In accordance with Disclosure Guidance and Transparency Rule 4.1.14R, the financial statements will form part of the annual financial report prepared using the single electronic reporting format under the TD ESEF Regulation. The auditor's report on these financial statements provides no assurance over the ESEF format.

 

Responsibility statement of the Directors in respect of the annual financial report

We confirm that to the best of our knowledge:

› the financial statements, prepared in accordance with the applicable set of accounting standards, give a true and fair view of the assets, liabilities, financial position and profit or loss of the Company and the undertakings included in the consolidation taken as a whole; and

› the Strategic Report/Directors' Report includes a fair review of the development and performance of the business and the position of the issuer and the undertakings included in the consolidation taken as a whole, together with a description of the principal risks and uncertainties that they face.

We consider the annual report and accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the Group's position and performance, business model and strategy.

 

PRINCIPAL RISKS AND UNCERTAINTIES

 

Overview

Given the dynamic markets we operate in across the Middle East and Africa, our approach to risk management continues to mature across the Group. A sound regulatory compliance monitoring and reporting structure has been established across the Group to ensure that we remain compliant with regulatory requirements across all jurisdictions. We have enhanced our risk oversight of our third-party vendors and supply chain, which was achieved by enhancing our policies, monitoring and collaborative due diligence. Following the acquisition of the DPO Group in 2021, we have successfully implemented the Group's Enterprise Risk Management Framework (ERMF) and processes across the DPO business. With our continuous business expansion across the Middle East and Africa, our risk appetite, principal and emerging risks were also re-evaluated and approved by the Board. Ensuring our focus on our environmental, social and governance responsibilities, we have also developed climate change risk-related Key Risk Indicators (KRIs) which have been integrated within our existing principal risks framework.

 

 

ERMF integration in DPO business:

› Risk assessments for all DPO business units have been completed, enabling a 360° view of the DPO business and its risk profile.

 

› A dedicated ERM team has been established in DPO to manage and monitor the implementation of our risk framework, ensuring alignment with Group standards and best practices.

 

› DPO businesses have been aligned with the Group's principal risks, KRIs and reporting processes.

 

› Risk champions have been nominated across all DPO businesses and trained on the Group's risk management practices.

 

Task Force on Climate-related Financial Disclosures:

› Climate change-related risk continues to be monitored as an emerging risk.

 

› Current and anticipated climate-related risks were categorised using the TCFD categorisation for transition risk and physical risk.

 

› Risks were identified and scored by the TCFD working group, validated in a workshop with senior stakeholders, and presented to the Board Audit Committee.

 

› Climate change risk-related KRIs have been developed and have been approved by the Board.

 

› These climate change risk-related KRIs have been integrated within our existing principal risks and will be monitored.

 

› Risk and Control Self Assessment (RCSA) standards are being documented for climate change-related risks and will be tested periodically.

 

With the expansion of the Group's business in 2022, the following principal risks were in focus:

 

Execution:

The importance of managing execution risk is crucial for the Group to achieve its goals, minimise losses, maintain business continuity and increase shareholder confidence in the Group's ability to deliver results.

 

Operating in developing and volatile markets in the Middle East and Africa, the Group's strategic plans are subject to the risk of failing to achieve the desired outcome or can be negatively impacted by external factors such as changes in technology, regulations or market conditions. This can include risks related to the development and implementation of new products or services, expansion into new markets and reliance on key partnerships or technologies.

 

To overcome this, the Group has engaged in initiatives to diversify its revenue streams, partnered with other companies, kept abreast of regulatory changes, strengthened its risk management framework, invested in technology and established a strong cyber security process. Details of the progress made by the Group and future plans are explained on page 110.

 

Operational Resiliency:

Managing operational resiliency risk is critical for the Group to protect its operations, maintain the reputation and brand image, comply with regulatory requirements, and avoid losses, damages and negative consequences.

 

The Group has invested heavily to ensure its ability to continue its operations effectively in the face of operational disruptions that may be caused by cyber-attacks, hardware failures, natural disasters or human errors.

 

This was achieved through a combination of robust risk management processes, Disaster Recovery (DR) planning, data backup and recovery systems, security measures and business continuity planning. The ultimate goal is to minimise downtime, ensure continuity of services and protect sensitive customer information. Details of the progress made by the Group and future plans are explained on page 109.

 

Cyber security:

Mitigating emerging cyber risks and continuing to invest in our cyber security programme to provide secure, trusted commerce and card payment solutions across every touch point.

 

› The security of our solutions, systems and the data we are trusted to manage is of utmost importance to us.

 

› Cyber-attacks are undeniably a global threat for businesses and individuals with the frequency and sophistication of attacks increasing year on year. Governments and regulators across our markets are increasingly recognising cyber security as a systemic risk resulting in the emergence of regulations and standards to combat the emerging cyber threats.

 

› In addition, we expect to continue to invest in resources to maintain and enhance our information security and controls and to ensure we are able to investigate and remediate any security vulnerabilities.

 

› We have implemented a dynamic cyber security framework which aims to be ahead of prevailing cyber threats in our markets.

 

› Management, organisational and technical controls support the mitigation of cyber security risk in a dynamic payments industry.

 

› For early detection and response to cyber threats, the Group uses a defence in depth approach driven by Cyber Threat Intelligence (CTI). CTI is knowledge, skills and experience-based information concerning the occurrence and assessment of cyber threats and is intended to help mitigate potential attacks and harmful events from occurring in cyberspace.

 

› We continually evaluate threat levels for the most prevalent attack types and their potential outcomes.

 

› We ensure our colleagues remain aware of cyber security issues and know how to report incidents as part of our defence strategy.

 

› We maintain a cyber security dashboard to keep the Risk & Technology Committee and the Board apprised of emerging cyber security threats.

 

How we manage risk

 

For an overview of how we manage risk, please refer to page 104 of the 2022 Annual Report available on the Company's website https://investors.networkinternational.ae/ .

 

Our risk management governance model

We have a dynamic, practical and action-oriented risk management governance model defined in the ERMF, which helps us in proactively responding to changes in our business environment, whilst continuing to deliver on our expectations of increased transparency, value protection and creation. This is supported by our use of the three lines of defence model and the functional responsibilities and oversight committees that support it. We continue to work closely with our Risk & Technology Committee to report on the progress of our risk management practices, initiatives and key projects. Some of the key projects in 2022 included Application Programming Interface (API) programme, DPO synergies, Saudi Arabia market entry, Merchant Services in Egypt and Data Lake for enterprise-wide data analytics.

 

Our ERMF model has enabled management to make sound risk-based decisions on strategic initiatives. The Group is well poised for its entry into the Saudi Arabia market in a phased manner in 2023, including the establishment of a dedicated Risk, Compliance and Information Security team. The Group has successfully completed the integration of ERMF across the DPO business and all risk policies and processes have been aligned with the Group. Comprehensive risk assessments were conducted to support the expansion of our products into new markets with our Merchant Services being introduced in Egypt, and the Group's Data Lake solution has been implemented to enhance our enterprise-wide data analytics capabilities.

 

Our approach to risk management

We maintain a robust and sustainable ERMF, which ensures risks are properly identified, assessed against tolerance levels and appropriately managed across the Group. Our ERMF is designed to minimise the potential threats to achieve our objectives. In 2022, to mitigate the risk impact of the Russia-Ukraine conflict as well as the impact of inflation experienced across our geolocations, we focused on strengthening the risk teams across the Group by hiring additional risk resources for key roles.

 

Several measures were taken to enhance our sanctions compliance controls in relation to the Russia-Ukraine conflict. A due diligence task force including risk, legal and finance control functions was also established to improve oversight of third-party vendors and supply chain to assess and mitigate our risk exposures. Third-party vendor security assessments conducted by our information security team have also been strengthened to ensure that optimal standards are maintained. The additional risk resources across the Group have supported us in strengthening the assurance reviews, with more focus on information technology-related activities.

 

With the Group's expansion into new markets, increased regulatory landscape and macroeconomic uncertainties, we are now aiming to move towards an agile model of risk management across the Group from the traditional waterfall approach by instilling collaborative working groups between Risk and Business functions to support, manage and mitigate risks while striving to achieve business objectives.

 

For an overview of our approach to risk management, please refer to page 105 of the 2022 Annual Report available on the Company's website https://investors.networkinternational.ae/ .

 

Risk appetite

Risk appetite is the amount of risk we are willing to take in pursuit of our objectives. It defines the level of risk at which appropriate actions are needed to reduce risk to a level that we are willing to accept. As defined in our principal risks disclosure we consider risks from a low, balanced and high perspective. Our risk appetite is not static and may change over time in line with changing capabilities for managing risk and our business environment.

 

The risk appetite statement is reviewed and approved by the Board annually.

 

Group risk appetite statement

At Network International, our growth strategy is focused on maintaining our position as the best payments partner in the Middle East and Africa. We accept that these markets are subject to higher levels of geopolitical uncertainty and business risk than those in more developed markets, and are also accepting of any concentration risk based upon our entry into these markets and territories, though we act to mitigate this through revenue diversification.

 

We will aim to balance this against a low appetite for any risks that compromise the confidentiality, integrity or availability of our data, our customers' data or our cyber security defences.

 

We will also aim to ensure our environmental, social and governance responsibilities are reflected in the decisions we make. Additionally, we look to minimise our exposure to any risk which will adversely impact our stakeholders, operational performance or compliance with relevant regulation and legislation, including environmental, social and governance considerations. The Group has a low appetite to incur losses from financial risk.

We will support this appetite with a level of investment that ensures we have suitable levels of policy and controls to effectively manage these risks, facilitate decision making and continue to support our growth strategy.

 

This means as a business that we have an informed appetite to taking risks which will enable us to drive growth in a sustainable manner, providing an adequate and stable return on investment and which limits our exposure to those areas where we have a low risk appetite and effectively control those to which we have a greater appetite for risk. We believe that managing these risks in the right way will support our aim of enabling commerce in the world's most under penetrated payments markets.

 

Risk culture

The Group is committed to embedding a strong risk culture to support good governance and sound risk management practice.

 

The Board and the ExCo play a key role in directing and influencing this by ensuring that:

 

› a risk-based approach is used during key decision making. A recent example has been the refresh of the Saudi Arabia market entry risk profile before execution of these strategic initiatives;

 

› there is a consistent tone from the top and clear responsibilities for risk identification and challenge; refer to ESG Strategy section on pages 38 to 57;

 

› employees have risk management accountability and escalate issues on a timely basis;

 

› our incentive structures described within our Remuneration Report on page 173 promote a risk aware culture to effectively manage risk and remunerate employees accordingly;

 

› we adopt a culture of 'learning from our mistakes' to foster continuous improvement of processes and controls;

 

› an independent, confidential whistleblowing service is available to enable employees to raise their concerns through an independent route; and

 

› risk awareness is embedded within the Group and is grounded in our strong ethical values and culture. Our risk management philosophy is cascaded top down and bottom up and runs through all our management, employees and connected stakeholders.

 

To improve risk awareness across the Group a comprehensive and mandatory online training programme is in place covering important risk and compliance topics. We have had very high levels of participation from our colleagues across the Group in 2022.

 

In addition, in accordance with our three lines of defence model, Group Internal Audit completes an annual plan of risk-based audits that provides an independent assessment of the Group's control environment and risk and control culture. Operational Risk, Cyber Security and Compliance work closely with Group Internal Audit to coordinate their respective assurance plans to maximise the combined assurance coverage each year.

 

The importance of risk culture is reinforced in the Group's policies and standards and the Code of Conduct, to which all our colleagues attest annually as part of the annual training programme.

 

 

The completed priorities for Group Risk in 2022:

 

Priorities for 2022 | Benefits

Completion of integration of the Group's ERM Framework into DPO business. | Implemented and embedded an integration strategy with prioritised focus on control functions in line with our ERM Framework. Consolidated the existing risk management practices of DPO and aligned them to the Group framework, taking into account local requirements.

Completion of the annual assurance plan for 2022. | Provided assurance on the effectiveness of Group's current control environment by the second line of defence and to ensure these are aligned and meeting the overall Group's business objectives.

Completed the enhancement of the automation of our AML processes. | To ensure effective and timely monitoring of AML risks, a project was completed for implementation of an AML monitoring system to support our Merchant Services business in Jordan.

 

 

Focus areas for 2023

 

In 2023 we will focus on further embedding our approach to risk management throughout our business, markets and support functions to build an even richer picture of risk information.

The priorities for Group Risk throughout 2023 will be:

Priorities for 2023 | Rationale

Risk and Control Self Assessment (RCSA) testing to be rolled out in DPO. | Implementing and embedding RCSA testing across the DPO business to ensure operating effectiveness of the controls in place to mitigate the risks identified in the risk assessments.

Completion of the annual assurance plan for 2023. | To provide assurance on the effectiveness of Group's current control environment by the second line of defence and to ensure these are aligned with and meeting the overall Group's business objectives.

Completion of the compliance monitoring plan for 2023. | Theme-based reviews to capture market abuse regulations, whistleblowing, anti-bribery and anti-corruption programme and an end-to-end review of the DPO AML framework to align with the Group's practices.

Complete the enhancement of the automation of our AML processes. | To ensure effective and timely monitoring of AML risks, a project is in progress for implementation of an AML monitoring system to support our Merchant Services business in UAE, South Africa and Saudi Arabia.

 

Our principal and emerging risks

It was a busy year with significant time and focus given to monitoring the principal and emerging risks identified as facing the Group given the macroeconomic uncertainties and the rise in global inflation. This is also attributed to the Russia-Ukraine conflict which has had a direct impact on global price levels with cost of food and fuel having notably risen and having a knock-on effect on other industries. As a result, there have been rigorous processes in place to identify, evaluate and manage the principal risks faced by the Group, as well as the likelihood of a risk occurring and the costs of control.

 

We completed a robust assessment of the Group's principal and emerging risks, including those that could result in events or circumstances that might threaten the Group's business model, future performance, solvency or liquidity and reputation. The outcome of the assessment concluded that no changes were recommended for 2023 since the current principal risks adequately define the overall risks to the Group. Based on the global economic uncertainties, a number of changes were made to the linked KRIs and underlying thresholds to reinforce the Group's current principal risk framework.

 

With the implementation of the Group's ESG strategy, climate risk was recognised as an emerging risk in 2021. Since then, extensive work has been undertaken in 2022 to identify appropriate climate-related risk measures to monitor the impact of climate change on the Group. Given that we are a low emitter (as in TCFD), rather than creating a standalone principal risk, we have developed climate risk-related KRIs which have been embedded into the Group's existing principal risk framework. As climate risk continues to evolve, the effect upon these risks may change over time.

 

For 2022, the overall risk profile of the Group was managed at acceptable levels with the majority of the Group's principal risks falling within the 'Informed' risk rating. Despite the heightened global risk, our overall risk has remained stable due to continuous investments in the Group's infrastructure, resources, governance model and internal control framework.

 

The following section contains information about the principal risks, including a summary of the progress made in 2022 and the plans for 2023, their potential impact, our risk appetite and the link to our strategic priorities.

 

Link to strategic priorities

 

1 - Faster sign-up of merchants and financial institutions

2 - Grow the merchant base

3 - Access new revenue pools

 

1 - Harness the power of partnerships

2 - Add new revenue streams to every transaction

3 - Be the e-commerce champion in the region

 

Risk appetite rating defined

 

Low - We will ensure that we have sufficient controls and mitigations in place to allow for a low level of risk whilst recognising there may be a limited reward potential.

 

Informed - An approach which we feel could deliver reasonable rewards, economic or otherwise, by managing the risk in an informed way.

 

High - Willing to consider opportunities with higher levels of risk in exchange for potential greater reward.

 

Risk trends defined

 

Decrease in principal risk impact and/or probability at residual level.

 

No change in principal risk impact and/or probability at residual level.

 

Increase in principal risk impact and/or probability at residual level.

 

Cyber Security

Risk of breach of the Group's infrastructure resulting in the compromise of data or service disruption through cyber security breaches.

 

Strategic priorities

2 2 3

 

Risk impact

 

An external cyber attack, insider threat or third-party breach could cause the loss of confidential data or service disruption leading to financial loss and reputational damage.

 

Progress during 2022

 

· A new Group CISO was hired in June 2022 and we have refreshed the cyber security strategy, benchmarked our capabilities against our international peer group, redesigned our organisational design for cyber security and integrated our regions into a Group aligned structure, including the DPO business.

· All regions, including our new business in Saudi Arabia, have been PCI DSS and PCI PIN certified and our ISO 27001 certification has been expanded for Africa to include our Ghana and Nigeria businesses.

· We have implemented automation tools to enhance the vulnerability detection, reporting and mitigation process. This is a significant improvement to our security posture which has reduced timelines for treating critical vulnerabilities.

· We have continued to deploy industry leading access management and Privileged Access Management controls across the Group including Saudi Arabia and Nigeria.

· Automated the detection of indicators of compromise (IOCs) with our security operations centre (SOC) to enhance protection and reduce human dependency.

 

Plan for 2023

 

· Complete the roll out of our single SOC coverage for all regions to unify our response efforts, automate detection and provide greater clarity on the threat environment across all markets.

· Continue to deploy protective and detective controls across our multi-Cloud environments to support the Group's ambition to be quicker to market and be the e-commerce champion for the region.

· Build a development, security and operations (DevSecOps) function to further integrate secure software development lifecycle practices across the Group as we build new innovative features to support customer needs.

· Maximise the entire Group information security footprint to harness capability in the regions and generate greater symmetry across regions.

 

Risk trend

Increase

Increase in the number and frequency of cyber activity, potentially as a consequence of the Russia-Ukraine conflict.

Distributed denial of service (DDOS) attacks have increased across the payments industry by 109% in terms of volume and duration. Recent malware attacks on clients and vendors demonstrate the supply chain risks prevalent in the industry.

 

Risk appetite: Low

The Group will not accept risks which may compromise the confidentiality, integrity or availability of its data or systems for the benefit of customers.

 

Operational Resiliency

 

Risk of interruption to critical production services and inability to execute operational processes and deliver on contractual obligations due to operational inefficiencies and discontinuity, defects, errors and delays, which could damage customer relations, decrease potential profitability and expose the Group to liability.

 

 Strategic priorities

  1 2 3 1 2 3

 

Risk impact

Undesired level of service to customers due to failure or poor performance of technology and/or system operating environment resulting in customer attrition, financial and/or reputational loss.

An unexpected disruption to operational performance that may cause damage to customer relations or financial loss to the business.

Progress during 2022

· Completed our Group-wide Disaster Recovery (DR) testing for all applications across all Group locations.

· Completed the DR data centre build, and core systems migration in Jordan.

· Completed the self-onboarding portal build for UAE. Self-onboarding portal build completed for Saudi Arabia for pre-paid and debit card issuers.

· Completed the technological production readiness for Saudi Arabia market entry, including proving of DR capability. Other key strategic objectives completed include Enterprise Resource Planning (ERP), Application Programming Interface (API), and Data Lake for enterprise-wide data analytics.

· Continued with automation and optimisation of processes across regions to enable scale in processing volumes, faster turnaround times and enhanced controls.

· Completed the automation of reports in Jordan for customers to have instant access to reports thereby enhancing customer experience.

· Enhanced security patching process to mitigate cyber security threats by implementing monthly critical patches instead of quarterly.

Plan for 2023

· Hardware Security Module (HSM) upgrade to enhance the stability and security, and ensure payments eco-system runs on hardware compliant with PCI and regulatory requirements in UAE.

· Authorisation switch system upgrade in GCC to extend hardware and software support until 2026.

· Enhance UAE switch system to support Payment Authorisation Application Programming Interfaces (APIs).

· Optimise existing automation solutions through re-engineering and re-design at back office to deliver more efficiencies across all regions.

· Continue to enhance self-service portals to digitise and deliver optimum services to customers.

· Enhance systems availability for Africa by implementing High Availability on Network Lite platform.

· Improve resilience and increase bandwidth for switch connectivity to schemes.

Risk trend

Decrease

Improvements in maintaining high availability of tier 1 systems, service levels and disaster recovery capabilities. Investments in new data centre in Jordan and enhanced security patching process.

 

Risk appetite: Informed

We are accepting some level of modest disruption and operational failure from time to time, within the relative norms of the markets in which we operate, provided the impact of failures remains within acceptable limits. However, we ensure appropriate levels of resilience are in place to minimise the impact to our customers.

 

Execution

 

Risk to the Group's ability to maintain its position as the best payments partner in the Middle East and Africa. Our ambitious growth and expansion plans could be compromised if we are not able to deliver key strategic projects within expected deadlines. Our growth plans could create heightened levels of risk with regard to people and organisational capacity as we execute them to ensure on-time delivery without disruption to our day-to-day operations. Failure to do so could expose us to adverse financial and reputational risk and negatively impact our return on investment.

Strategic priorities

 1 2 3 1 2 3

 

 

Risk impact

We do not retain our strategic position as the best payments partner in the Middle East and Africa, impacting our ability to maintain market share and to meet growth and profit targets.

We fail to deliver critical strategic projects on time and on budget, deferring or stalling growth and increasing operational and capital expenses.

Progress during 2022

· Digital onboarding developed to capture full suite of use-cases and capabilities. Self-onboarding capability developed for UAE and digital onboarding enhanced in Egypt, Jordan and DPO Africa.

· Continued momentum in online merchant sign-ups, supported by DPO Pay in UAE.

· ERM Framework implemented in the DPO business as per the integration plan.

· Deployment of infrastructure in Saudi Arabia and progressed on securing the required licences and certifications, with a healthy business pipeline for 2023.

· Expanded our products into new markets with our Merchant Services offering being introduced to Egypt.

· We have adopted a 'Cloud First' strategy for all new market entry where permissible. This has been implemented in Saudi Arabia and can be replicated in other markets as opportunities present themselves.

Plan for 2023

· Continue to deliver revenue growth for the Group by cross-selling both DPO and Network products to existing customers and in other markets.

· Improve ease of doing business with Network through advancement in our technology platforms such as APIs, self-onboarding and self-service portals.

· Explore new revenue streams by extending our analytics offerings through Cloud-based platforms that support advance analytics.

· Execute on all aspects of our 2023 strategic plan.

· Continue expansion of our product suite and value-added services offering to client banks and merchants.

Risk trend

No change

Risk appetite: Informed

Revenue growth in line with investor expectations and no dilution of Group's market position in its markets of operation.

The Group has limited appetite for late or over-budget delivery of critical strategic projects.

 

People

 

Inability to attract, develop and retain a skilled workforce and inconsistent organisational culture across the Group.

 

Strategic priorities

1 2 3 1 2 3

 

Risk impact

We are unable to effectively manage our workforce to ensure consistent delivery of the Group's strategy and/or operational performance.

Progress during 2022

· Corporate intranet portal was rolled out to enable better communication, collaboration, engagement and productivity in the workforce.

· Automated the employee performance management process and also included ESG-based KPIs.

· Created more comfortable and energising workspaces for employees by renovating existing offices and opening new offices in UAE, Egypt, Jordan and Saudi Arabia.

· We delivered 60,244 hours of training (YTD) covering 100% of our employees across the Group.

· Through the Training Needs Analysis survey, we identified and rolled out targeted high-impact learning programmes, Prevention of Sexual Harassment (POSH), leadership skills for managers, career counselling and mentorship programmes.

· Network crossed the 30% mark for women representation in the workforce in 2022.

· Encouraged inclusive behaviour and empowered our employees through initiatives such as 'Break the Bias', the 'Beacon Award' to recognise our exemplary women role models, 'ME Women Leaders' Summit' and 'Network Long Service Award'.

Plan for 2023

· Implement the Network Way and values behaviours along with alignment of core practices, policies and procedures in the DPO business.

· Increase opportunities for collaboration through initiatives such as collaborative culture workshops, 'Cooperate and Collaborate' programmes, and focus group meetings.

· Enhance career development by introducing skills and competencies-based training programmes, job rotation, mentorship programmes, and learning and development KPIs.

Risk trend

Decrease

Engaged workforce with moderate attrition levels.

 

Risk appetite: Informed

Group annual attrition rate not to exceed defined parameters; however, we accept a modest number of regretted losses which do not materially impact operational efficiency or impact our customers.

Compliance

 

Failure or inability to comply with relevant laws, regulations, scheme rules and mandatory reporting requirements including failure to identify, monitor and respond to changing regulations or scheme rules.

Strategic priorities

1 2 3 1

Risk impact

A breach of or noncompliance with legal or regulatory standards leading to penalties, sanctions or reputational damage.

Progress during 2022

· Completed the annual compliance assurance reviews in line with the annual compliance monitoring plan.

· Regulatory Change Management Committee monitored new and emerging regulations in the MEA region.

· Acquired payments services licences from regulators in Ghana, Kenya and Egypt.

· Received in principle approval from Central Bank of UAE to support the Group's acquiring business under 'Retail Payments Services and Card Scheme Regulations'. The Group has also received in principle approval from the Saudi Arabian Central Bank to conduct acquiring business in Saudi Arabia.

· Implemented an AML monitoring system in Jordan to ensure effective and timely monitoring of AML risks related to our Merchant Services business in Jordan.

Plan for 2023

· Completion of our compliance monitoring programme for the year. The programme includes theme-based reviews to capture market abuse regulations, whistleblowing, anti-bribery and anti-corruption programme and a further review of DPO AML framework to align with the Group's practices.

· Continue to implement new and revised regulatory requirements as and when received.

· Further automation of our AML monitoring process in UAE and South Africa.

· Continue to strengthen our compliance capabilities in our local regulated markets.

Risk trend

Increase

Wide ranging and extensive sanctions as a consequence of Russia-Ukraine conflict and inclusion of Myanmar in the Financial Action Task Force (FATF) blacklist.

Risk appetite: Low

The Group will not accept practices which could cause breaches of laws, regulations or scheme rules; or a delay and/or failure to adapt its systems, processes and controls to prevent material compliance breaches and/or regulatory censure.

Geopolitical

Risk of significant political, social and economic instability in one or more of the Group's target markets which could have a material adverse effect on the Group's business, financial condition and results of operations.

 

Strategic priorities

1 2 3 1 3

Risk impact

A geopolitical event within our markets that impacts our ability to do business or to meet our strategic objectives.

Progress during 2022

· Completed country risk assessments for markets the Group identified as high risk.

· Reviewed evolving regulatory changes in the markets where the Group provides its services.

· Completed due diligence review for issuing clients across all relevant markets.

Plan for 2023

· Assessment of new regulations, amendments and local guidelines for new market entries the Group intends to progress with.

· Risk assessments will be conducted for regions where the Group does not have a physical presence, and provides services on a cross-border basis, such as Libya, Uganda, DRC Congo, etc.

Risk trend

No change

 

 

Risk appetite: High

The Group's growth strategy is focused on markets which are likely to be subject to higher levels of political, legal, economic and social instability than those in more developed markets.

Financial

Risk of the Group's inability to have sufficient liquidity to meet its obligations including minimum capital funding requirements across geographies as they fall due. Adverse movements in foreign exchange rates arising from the Group's foreign operations and transactions in currencies other than AED and USD pegged currencies. Adverse interest rate risk primarily on its variable rate long-term borrowing/revolving working capital line of credit and exposure to inaccurate forecast of future business performance due to various forecasting models being used.

 

Strategic priorities

1 2 3 1 2 3

Risk impact

 

Our liquidity, foreign exchange or interest rate risks are not effectively managed affecting the business's ability to meet its financial obligations, profitability targets or working capital needs.

 

 

 

Progress during 2022

 

· The Group has developed policies to manage financial risks concerning foreign exchange rates and other derivatives, debt management, bank relationship management and treasury operations.

· On 11 August 2022, the Group announced a share buyback programme, the 'Initial Program'. As at 31 December 2022, shares amounting to USD 40.6 million have been purchased under the Initial Program.

· We continued monitoring our liquidity position closely to ensure sufficient funds and liquidity headroom are available to meet our liquidity requirements. The initial share buyback programme does not adversely impact the Group's liquidity position.

· Payment of term loan instalments (USD 37.5 million) and repayment of revolving credit facility of USD 35 million. The revolving credit facility has subsequently matured and been cancelled.

· We considered and analysed options for interest rate hedge during the year, based on interest rate forecasts provided by our banking partners, and concluded not to proceed with interest rate hedging, based on the interest rate curves at the time of analysis.

 

Plan for 2023

 

· The Group will ensure adherence to policies to manage financial risk arising from FX rate fluctuations, interest rate changes and other treasury activities.

· With the completion of the Initial Program of share buyback up to an aggregate amount of USD 50 million in 2023, the Group launched buyback of a further tranche of up to USD 50 million.

· We will continue close monitoring of our liquidity position to ensure sufficient funds and liquidity headroom are available to meet our financial obligations; share buyback programmes are not expected to adversely impact the Group's liquidity position.

· Repayment of the term loan instalment (USD 75 million) as contractually due or earlier.

· Continue to monitor interest rate curves; an appropriate decision will be taken on hedging the interest rates on our variable rate borrowings.

· As LIBOR will cease to exist by June 2023, we will prepare for shifting to an alternative risk-free rate 'SOFR' by proactively engaging with banks to minimise the impact of any expected increase in effective rate on our borrowings.

· Monitor FX risk arising from cash flows from international locations subject to significant currency fluctuations.

Risk trend

No change

The Group has sufficient liquidity backed up by improved business performance post recovery from the pandemic.

Risk appetite: Informed

The Group will manage its liquidity, FX and interest rate risks in line with agreed policies and thresholds.

Third Party

 

Risk of the Group's dependencies on various third parties to provide core systems, technologies, infrastructure, product and service-related support which may increase the Group's risk exposure in the event of a material service disruption, delay or cyber-attack with no alternative arrangements. Also, risk of failure of third parties to comply with contractual obligations, applicable laws and international standards.

 

Strategic priorities

1 2 1 3

 

Risk impact

A third-party provider does not meet its obligations, which negatively impacts our customer relationships, and causes disruption to business performance.

Progress during 2022

· Re-engineered the annual vendor risk assessment review process.

· Thorough reviews were conducted for vendors who provide critical services to Network.

· All significant findings identified as part of the 2021 reviews were closed in accordance with agreed-upon mitigation plans.

· A vendor performance questionnaire was shared with internal stakeholders to measure the performance of high-risk vendors.

· Implemented annual financial due diligence reviews and contractual reviews for all high-risk-rated vendors.

Plan for 2023

· Continue to conduct risk assessments for high and medium-risk-rated vendors.

· Monitor and close the open risks with high-risk vendors identified through reviews.

· Address any contractual deficiencies for high-risk vendors identified during vendor review process, where appropriate.

· Monitor the performance of high-risk vendors.

· Redefine risk assessment questionnaire based on the nature of service the vendor delivers.

· Create scope-specific scorecards to measure the performance of high-risk vendors utilising KPIs/SLAs from their agreements.

· Conduct financial due diligence checks for high-risk vendors at the time of onboarding.

· Vendor lifecycle will be managed through Oracle-based solution with vendor onboarding, Risk and Compliance approvals being obtained through the system.

Risk trend

No change

 

Risk appetite: Low

The Group will not accept risks which may compromise the confidentiality, integrity and availability of its data and its customers' data.

Fraud and Credit

 

Risk of compromise of card or merchant data or compromise of systems or networks or collusive merchants with the intention of performing unauthorised payment transactions for financial or non-financial gain resulting in losses to the Group or the Group's clients. Risk of financial or non-financial losses arising due to internal or external parties making a negligent and/or intentional fraudulent misrepresentation against the Group or any of its clients. The risk of merchants' inability to meet obligations resulting in chargebacks, refunds, scheme fines, fees and other charges. Risk of clients' inability to settle invoices for services received as part of issuing or acquiring processing. The risk that the Group will be liable for meeting the settlement obligation of sponsored issuing clients where such clients are unable to do so or comply with scheme rules.

 

Strategic priorities

1 2 3 1 3

 

Risk impact

Higher level of losses resulting in material impact on reported results and material damage to reputation.

Progress during 2022

· Fraud detection processes and best practices proven in the UAE were implemented in the new markets where the Group has expanded the Merchant Services portfolio.

· Credit and fraud risk profile of the DPO business was re-assessed and the Group Enterprise Risk Management Framework was embedded.

· Close monitoring and recovery efforts have resulted in reduced delinquency levels of Outsourced Payment Services business clients' receivables and unrecoverable chargeback. Credit losses were at very low levels, well within our risk appetite.

Plan for 2023

· A 'state of the art' system with artificial intelligence and machine learning driven fraud detection and deflection capabilities will be implemented in UAE for acquiring fraud management.

· Airline customer portfolio of the DPO business which is currently with other acquirers will be migrated under the sponsorship of the Group's acquiring business in UAE to benefit commercially and to align with the

Risk trend

No change

Risk appetite: Informed

Acquiring fraud losses as a percentage of sales to be less than market average of 6 bps. Enterprise level net fraud losses to be less than 5% of the annual net profit of previous year of the Group.

The ratio of unrecoverable chargebacks and credit losses to annual net profit of previous year of the Group not to exceed more than 5% of portfolio. All sponsored issuing clients' settlements to be cleared within 15 days.

 

 

 

Emerging risks

Emerging risks have the potential to increase in significance and affect the performance of the Group and, as such, are continually monitored through our existing risk management processes by risk owners at all levels of the Group. We also use tools such as horizon scanning, operational risk aggregation and external sources to support our analysis. The outputs of these processes are reported to the Risk & Technology Committee and Board of Directors for their review and assessment.

 

Our ERM process ensures emerging risks are considered to aid the Risk & Technology Committee's assessment of whether the Group is adequately prepared for the potential opportunities and threats they present. The process enables new risks to be discussed at an early stage, allowing us to analyse them thoroughly and assess potential exposure.

 

We closely monitor emerging risks and with time they may become principal risks as they mature.

 

Emerging risks may also be superseded by other risks or cease to be relevant as the internal or external environment in which we operate evolves. Additionally, we recognise that some of our principal risks are more volatile or fast changing than others and, therefore, would benefit from the increased management processes that apply to emerging risks. A list of some current emerging risks of relevance to the Group is set out below.

 

 

 

We expect to see an increase in the level of sophistication of cyber-related attacks as a result of the shifting geopolitical tensions in the MEA. We regularly intercept sophisticated and malicious third-party attempts to identify and exploit system vulnerabilities, or which aim to penetrate or bypass our security measures, in order to gain unauthorised access to our networks and systems or those of our associated third parties. We follow a defence-in-depth model to ensure we are proactively employing multiple methods of defence at different layers to protect our systems against intrusion and attack. However, we cannot always be certain that these measures will be successful and will be sufficient to counter all current and emerging cyber threats.

 

 

The Group has contributed to the acceleration of the shift from cash to digital payments resulting in an increasingly competitive landscape in the Middle East and Africa region. Our ability to grow our business and deliver an exceptional customer experience may be impeded by new market entrants and established Payment Service Providers operating in certain territories, be it through competitive pricing, enhanced capabilities and solutions, or skilled resources with local market knowledge.

 

 

The Russia-Ukraine conflict carries significant risks for the world economy that has yet to fully recover from the impact of the global pandemic. A further prolonged conflict will pose additional risks to the global economic recovery as the impact of wide-ranging sanctions including those affecting international financial and payment systems take effect. There is also a heightened risk in times of political uncertainty on this scale of an increase in the number, frequency and scale of cyber-related activity across all sectors.

 

 

The recent surge in inflation, interest rates, inflationary impact on costs and merchant trading can have an impact on markets that are not properly regulated which can result in both a short and long-term concern for financial institutions and Payment Service Providers. Some of the macroeconomic factors that can influence macro risk include unemployment rates, interest rates, exchange rates and commodity prices. There are also potential risks to financial stability from an unchecked broadening of access to credit in countries with weaker regulatory supervision.

 

 

RELATED PARTY BALANCES AND TRANSACTIONS

Parties are considered to be related if one party has the ability to control the other party or exercise significant influence over the other party in making financial and operating decisions. Related parties include associates, parent, subsidiaries, and key management personnel or their close family members. The terms and conditions of these transactions have been mutually agreed between the Group and the related parties. Key management personnel consist of the Network Leadership Team. Management believes that the terms and conditions of these transactions are comparable with those that could be obtained from third parties.

 

| | 2022 USD'000 | 2021 USD'000 |
|---|---|---|
| Executive Directors' remuneration | | |
| Directors' remuneration during the year | 1,007 | 1,007 |
| Terminal and other benefits | 1,587 | 1,842 |
| Share-based payments | 558 | 2,084 |
| Non-Executive Directors' remuneration | | |
| Directors' remuneration during the year | 1,427 | 1,651 |
| Other key management personnel remuneration | | |
| Salaries and allowances | 4,001 | 3,610 |
| Terminal and other benefits | 4,151 | 4,182 |
| Share-based payments | 2,816 | 3,763 |

 

 

**END**

 

 

 

This information is provided by RNS, the news service of the London Stock Exchange. RNS is approved by the Financial Conduct Authority to act as a Primary Information Provider in the United Kingdom. Terms and conditions relating to the use and distribution of this information may apply. For further information, please contact rns@lseg.com or visit www.rns.com.
