The CA&S board is responsible for overseeing the group's risk management process, supported by the Audit and Risk Committee. The committee ensures that the group's risk management process aligns with relevant standards and governance requirements. At an operational level, senior management in each operation is accountable for managing risks in their respective areas, while oversight of risk management is maintained by the relevant executive teams.
Risk management approach
The risk management process includes the annual approval of the group's risk appetite and tolerance levels. The group's risk appetite is defined as the level of risk that CA&S is willing to accept or tolerate in pursuit of value creation and strategic goals. A quantitative measurement is used to assess risk appetite and tolerance, considering the impact and likelihood of risks, as well as existing management actions and controls that mitigate potential threats or capitalise on opportunities. If the residual risk exposure exceeds the defined risk appetite, management mitigates or controls these risks through appropriate measures. If it is unable to mitigate the risk to an acceptable level, the risk is avoided, if possible.
Through our risk management process and governance, each operation is equipped with the necessary information to manage risks effectively, capitalise on opportunities, and take corrective actions that ensure the successful delivery of our business strategy and objectives.
To fulfil its responsibilities, the board delegates specific risk management duties to the Audit and Risk Committee as well as the executive teams. The Audit and Risk Committee's Chairperson keeps the board apprised of the group's risks. CA&S' risk registers undergo bi-annual updates and reviews. Each risk undergoes an evaluation based on its likelihood and impact, both on an inherent (actual impact) and residual (after mitigating action) basis as well as from a threat and opportunity perspective.
Risk management process
Top risks
The table below identifies CA&S' top nine residual risks, with each risk's prior-year ranking for comparison, as well as references where these risks are discussed in more detail.
Note that for this financial year we have not experienced a material year-on-year change in risk rankings. This is because we were not presented with significant changes to the impact or likelihood of the identified risks during the period, apart from the impact of the war in the Middle East, which started at the end of February 2026.
| Ranking 2025 | Ranking 2024 | YoY change | Residual risk | Residual threat | Risk category |
| --- | --- | --- | --- | --- | --- |
| 1 | 1 | | Client concentration | High | Operational |
| 2 | 4 | | Impact of political unrest / sanctions / grey-listing / global pandemic / war | High | Strategic |
| 3 | 2 | | Data and information security | High | Operational |
| 4 | 3 | | Credit risk | Medium | Financial |
| 5 | 5 | | Business continuity – safekeeping of assets | Medium | Operational |
| 6 | 6 | | Failure to attract or retain critical skills | Medium | Strategic |
| 7 | 7 | | Economic decline | Medium | Financial |
| 8 | 8 | | Fraud, theft, crime and corruption | Medium | Operational |
| 9 | 9 | | Compliance risk | Low | Operational |
Risk heatmap
Risk detail