PROACTIVE DEFENSE

RISK MANAGEMENT REPORT

Knowing that careful positioning is key

RISK MANAGEMENT AND INTERNAL CONTROLS

Since the pandemic in 2020-2021, the real estate landscape has evolved in accordance with the emerging trends and changes in consumer behaviours. 2022 and 2023 were marked by geopolitical and macroeconomic instability, creating disruption and uncertainty in the real estate sector. Today, these challenges are joined by the emergence of climate and sustainability risks. Yet, in this changing environment, it is crucial for investors to strike a balance between new risks and opportunities. Risk management must be underpinned by an agile approach in order to remain effective in this dynamic world. At Lavastone Properties, we identified and seized the following opportunities during this financial year:

• Concluded the negotiation for the acquisition of Warehousing Facilities allowing the Group to further diversify its assets in FY 2024.
• Sale of Morcellement Plots at Case Noyale at the level of South West Safari Group.
• Renovated and let out the 5th and 6th Floor of Absa House in Ebène to new tenants.
• Upgraded the terraces at EDITH to provide tenants with better protection in case of bad weather.
• Converted La Galerie du Génie at EDITH into a permanent Immersive Art Experience for House of Digital Art.
• New Restaurant and Retail tenants at EDITH.

Lavastone Properties has adopted its risk management framework from ISO 31000, and risk management has been an essential component of Governance and Leadership. It is the ultimate responsibility of the Board of Directors to establish an effective system of internal controls within the organisation. The Board of Directors, through our Risk Management and Audit Committee (“RMAC”), has a duty to keep under review the adequacy and effectiveness of the systems of internal control, including financial control and business risk management. The whole purpose of managing risks across our organisation is to protect and enhance its value, and the foundation of our framework rests on 8 principles:

• Integration
• Structure and comprehensiveness
• Customisation
• Inclusiveness
• Dynamism
• Availability of information
• Human and cultural factors
• Continuous improvement

Our risk management process includes the following steps, and is aligned to the framework ISO 31000:

The three lines of defence

To achieve a robust internal control and risk management system, the organisation has adopted the three lines of defence.

Risk Governance

The Board is responsible for risk governance and ensures that the Company develops and executes a comprehensive and robust system of risk management and maintains a sound internal control system.

The Risk Management and Audit Committee (“RMAC”), a sub-committee of the Board, has been delegated the responsibility to provide insights into our risk management and internal control practices. This oversight mechanism also serves to provide confidence in the integrity of these practices. The committee is guided by a formal and approved charter and performs its role by providing independent insight to the Board and assisting the Board and management by providing advice and guidance on the adequacy of our initiatives.

Our RMAC comprises 3 non-executive directors and is chaired by an Independent Non-Executive Director.

The key role and responsibilities of the Committee are to provide its independent and objective advice on the key components of the controls’ framework:

• Financial statements
• Internal Audit
• External Audit
• Reporting and disclosure
• Risk Management

The Managing Director and Management team are accountable to the Board and the RMAC, and are responsible for designing, implementing, reviewing and reporting on the risk management process and strategy.

A risk champion has been formally designated to promote a risk management culture across the company.

A Compliance and Legal Officer has been appointed and focuses mainly on the regulatory, compliance and legal risks, including AML/CFT.

Our Internal Audit function provides assurance to the RMAC and Management on the status of the Risk and Control environment. Refer to the section on Internal Audit below.

To remain effective in its risk management process, Lavastone Properties has implemented the following components:

Risk management policy

Our RM policy was reviewed in January 2023 and approved by the Board of Directors and the RMAC. The policy is aligned to our vision and strategic objectives.

Our vision: Lavastone Properties aims to be the preferred partner for commercial real estate solutions, while delivering optimum value to its shareholders.

To achieve our vision, our strategic objectives are centred around our key stakeholders:

Critical success factors have been established to measure our progress and provide a sense of direction and dynamism across the organisation.

Risk appetite statement

The risk appetite is the amount and type of risk that an organisation is willing to take in order to meet its strategic objectives. Lavastone Properties has defined its risk appetite statement, which has been approved by the Board of Directors.

We will pursue growth whilst continuously improving customer service and operational excellence.

To improve our commitment to sustainability, we will strive to meet the criteria for a LEED certification in our new development projects.

We aim to grow regionally and have 10% of our portfolio outside of Mauritius in 10 years’ time.

However, we will not engage in and tolerate activities which create safety, regulatory and quality concerns.

We will not make decisions which pose a financial risk impact of 10% or more on our revenue or increase our loan to value ratio to above 40%. Our exposure is limited to:

–   25% of Net Asset Value for any one sector (Retail, Hospitality, Office, Industrial, Residential etc)
–   20% of Investment Property Value for any single building
–   20% of Rental Revenues for a single tenant

During the financial year, we decided to draw down on the last tranche of the MCB Bond Programme at a fixed interest rate to rebalance our portfolio with Industrial Buildings following the sale of Riche Terre Industrial Park. In November 2023, we identified and completed negotiations on the acquisition of two Properties of Sofap at Coromandel and Riche Terre. Together with the opening of PLAY Mourouk Hotel in Rodrigues, our exposure to the Office Segment will reduce to 32% in terms of property portfolio value but more importantly, our exposure to any single tenant will reduce to 18% in terms of revenues. Lavastone Properties will continue to acquire and develop industrial properties in order to rebalance its portfolio.

Lavastone Properties is committed to adhering to its risk appetite statement and the risk appetite is continuously monitored by our management team.

Risk criteria

Our risk criteria take into consideration the two elements of probability and impact and are defined on a scale of 1 to 5.

PROBABILITY

IMPACT

Our impact criteria include aspects such as financial, legal & regulatory, health and safety, reputation and business continuity.

Risk champion

A risk champion has been identified among our management team and is our Financial Controller. The latter’s role is to raise awareness on the risk environment across the organisation and coordinate the risk meetings.

Business Risk Register

As part of the ‘Recording and reporting’ process, Lavastone Properties has developed a Business Risk Register (“BRR”), which consists of risk identification, assessment and response. The BRR is a recording and monitoring tool designed to assist the Management team of Lavastone Properties for informed decision-making.

Our BRR is reviewed and updated on a quarterly basis through risk management meetings and reported to the RMAC.

Our risk management meetings consist of the Management Team, the Risk Champion and the Internal Auditor and the purpose of such meetings is to identify changes in existing risks and emerging new risks.

Refer to the risk heatmap.

Risk metrics

Measuring performance is a key monitoring activity to assess how effective risk management is at supporting our strategic objectives. The approach to measuring performance must be a data-driven exercise. To remain agile, risk data should be shared throughout the organisation. At Lavastone Properties, we have defined risk indicators which enable our team to objectively evaluate the risk environment on a regular basis.

SYSTEM OF INTERNAL CONTROLS

The Board recognises and is committed to its responsibility to keep under review the adequacy and effectiveness of the system of internal controls, at least on an annual basis. The purpose of such a system is to protect the company, prevent and detect fraud, and enable the achievement of its objectives. The Board, through the RMAC, reviews and challenges the following components:

• Financial statements
• Internal Audit
• External Audit
• Narrative reporting
• Internal control and risk management system

Key features of the internal control system are:

• Governance structure with clear reporting channels
• Strategy review and plan
• Comprehensive financial reporting and business planning systems
• Formal policies and procedures
• Risk assessment and management process
• Continuous monitoring and review by executive management
• Communication and awareness
• Internal Audit

INTERNAL AUDIT

The Internal Audit function of the Group has been outsourced to an independent firm, SmarTree Consulting Ltd (also referred to as ‘SCL’ or ‘the Internal Auditor’), since 2018. The Internal Audit team consists of professionals who are either Certified Internal Auditors (CIA), ACCA qualified or degree / diploma holders. As part of their continuous professional development and education, the internal auditors attend regular training sessions on key topics.

The mission of Internal Audit is to provide independent, objective assurance and consulting services, designed to add value and improve our operations. The Internal Auditor is not responsible for the implementation of controls or the management and mitigation of risk, responsibilities which remain at the Board and management levels.

The internal audit function is governed by the mandatory elements of the Institute of Internal Auditors’ (IIA) International Professional Practices Framework, including the Core Principles, the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing.

A formal internal audit charter is approved by the RMAC and describes Internal Audit’s role, responsibilities, scope, authority and reporting structure, amongst others.

An internal audit plan is approved by the RMAC on an annual basis and uses a risk-based approach. During FY 2023, the Internal Auditor covered the following scope:

The objectives of the internal audit assignments were to:

• Provide assurance to the Board, RMAC and Management that risks are mitigated through control measures and adequate procedures.
• Evaluate the controls design.
• Provide risk insights and recommendations on the improvement of the control environment.
• Evaluate adherence to the internal policies and procedures and regulatory framework.

As part of its key responsibilities, the RMAC:

• Reviews and approves the internal audit charter
• Reviews and approves the annual internal audit plan
• Reviews and monitors management’s responses and actions to internal audit findings
• Reviews and monitors the effectiveness of the internal audit function

As part of the internal audit process and methodology, the Internal Auditor monitors and assesses their audit recommendations with the Management on a monthly basis, until they are fully implemented. The Internal Auditor reports to the RMAC on a quarterly basis and the status of audit recommendations and Management action plans are reported to the RMAC. The Internal Auditor has unrestricted access to, and communicates and interacts directly with, the RMAC.

Risk Heatmap September 2023

Top 10 risks