To further allow Exxaro's core businesses to thrive in an increasingly dynamic market and industry sector, and to continue to support the execution of the approved strategy, group governance was extensively reviewed in 2021. The board adopted a framework that provides an overview of governance structures, principles, policies and practices, which together enable the company to meet statutory and regulatory requirements, and direct stakeholder engagements.
The legally sound framework guides monitoring and oversight of business affairs to achieve accountability, authority and sound decision making as well as policies to support the group in achieving the Sustainable Growth and Impact strategy. It is an entrenched governance principle within Exxaro that group wide policies require board approval. All group-wide policies are therefore submitted to the board for final approval.
The framework sets out the following:
The delegation of authority policy and framework defines the limits of authority designated to specific positions of responsibility in the company and the group's management structure. It also defines commitments and transactions that may include capital amounts approved by individuals on Exxaro's behalf. The final approval of commitments and transactions outlined in the policy must always be made by parties with designated authority.
The policy and framework are regularly reviewed to ensure aligned decision making within a changing business environment. This also provides direction and clear delegation of power to management. The framework is adopted by our subsidiary company boards and implemented throughout the group as part of the overall group governance framework.
In 2021, the energy business-specific delegation of authority was subjected to a rigorous review process by the executive and the board with various opportunities to provide input around delegations and oversight requirements. A revised energy-specific delegation of authority framework was approved by the board and adopted by the subsidiary company. Following this, a review of sub-processes was scheduled for 2022 as it is a critical governance pillar to ensure an effective control environment and is a key enabler for the achievement of group-wide objectives.
A comprehensive review of the group delegation of authority framework was conducted in 2022. The legends used in the framework were revised to improve clarity, and further enhancements and changes were made to the actual delegations. Separate approval frameworks for the subsidiary entities are planned for 2023.
The board is satisfied that the delegations in place contribute to role clarity and the effective exercise of authority and responsibilities.
Exxaro's corporate governance structure supports its ability to create value in the short, medium and long term. Through this structure, the board exercises effective control, builds and protects the organisation's reputation and legitimacy. We consider good corporate governance the responsibility of our board, as well as our executive leadership, management and all our employees.
The board committees enable the board to deal with more issues with greater efficiency by having focused expertise considering specific areas on behalf of the board. If approached appropriately, the involvement of a committee should ideally also enhance the objectivity of the board's judgement. Therefore, to assist the board with the execution of its functions, the board delegates activities to board committees through formal terms of reference. It should be noted that the board retains full and effective control of the business and company affairs, and does not assume management's functions, which remain the responsibility of the executive directors, prescribed officers and other senior management.
In 2020, board committees embarked on a significant transformation journey, focusing on reimagining the operating model, acquisitions and evolving the broader business strategy. This was driven by a changing business environment and regulatory developments. To this end, Exxaro revisited and enhanced the respective terms of reference of its corporate governance structures. In line with King IV, these included:
The terms of reference of the respective committees were reviewed in 2022, including key focus areas and annual work plans being revisited.
The board confirms that it is satisfied that the board committees executed their roles and responsibilities. In this regard it is confirmed that the audit committee has executed the responsibilities set out in 3.84(g) of the JSE Listings Requirements.
The board, on behalf of the company, recognises the statutory and fiduciary duties of directors of subsidiary companies and, in particular, their duty to act in the best interests of the subsidiary company at all times, whether or not the director was nominated to the subsidiary board by the company (in its capacity as holding company). In the case of a conflict between a director's duties to the subsidiary company and the interests of the company as holding company, the director's duties to the subsidiary company must prevail.
The framework seeks to mitigate possible tension between the holding company and its subsidiary boards through the following measures:
The subsidiary directors are bound to adhere to the framework and adopted group policies. This does not absolve the directors of subsidiary boards from exercising their fiduciary duties. If directors breach their fiduciary duties, they may be held liable under section 77 of the Companies Act. This responsibility is clearly highlighted for subsidiary directors.
The group control and oversight functions consist of the corporate secretariat, risk management, compliance management, legal, strategy, internal audit and assurance, and finance (as it relates to financial compliance), which are responsible for providing enterprise-wide oversight on operational management and consolidated reporting. The heads of these functions have direct access to the board, audit committee and the RBR committee (as appropriate).
The internal audit function does not receive delegations through the CEO but is delegated authority directly by the audit committee to execute responsibilities in terms of the internal audit annual plan. The chief audit officer reports administratively to the finance director.
The board is ultimately responsible for overseeing the effectiveness of the oversight functions and ensuring an effective internal control environment within the group.
See: Ownership structure
The board charter guides our directors and management on the information requirements to be shared with the board while the onus remains on each director to advise the chairperson and/or CEO should he or she be of the opinion that the information provided is insufficient to enable informed decision making.
In addition, the board has unrestricted access to all company employees, information, records, documents and property, and a process is provided to guide directors should such access be required. In carrying out its tasks, the board may also obtain outside or other independent professional advice it considers necessary to perform its duties. The required protocols for requests of this nature are set out in the board charter.
The board governs technology and information management in a way that supports the organisation setting and achieving its strategic objectives.
The board has mandated the RBR committee, as part of its business resilience focus, to oversee Exxaro's ERM process, including the key risks facing the company and the group and the responses to those risks, information management risks included. The RBR committee also has a specific mandate to oversee governance of the information management strategy, including the overall direction, context and objectives of the improvement programme, and to ensure alignment with the enterprise business strategy, governance and risk management. In addition, the audit committee is responsible for ensuring adequate information technology governance, which it does through delegation to the information management steering committee.
Information management risks and mitigation measures are monitored continuously, including assessment of emerging risks, and reported to the RBR committee quarterly.
The top five information management risks identified at the end of 2022:
1. Cybersecurity: data theft
2. Availability and quality of data
3. Information technology disaster recovery strategy, plan and procedures
4. Cyber threat: malware
5. Cyber threat: disruption of operations
Cybersecurity remains the biggest identified and managed risk. EY concluded a cybersecurity assessment in 2021, assessing the same metrics as in 2018, and found a substantial improvement across all metrics. Exxaro's scores are well above those of the mining industry peer group. Based on the assessment, a new cybersecurity programme was defined to achieve further improvements. Exxaro's cybersecurity profile rating (Microsoft Compliance Score) at the end of September 2022 was 75.73%, which meets the 70% target for the year; the stretch target is 80%.
Exxaro's ERM framework provides a process for the effective management of all types of risk. We follow a layered approach (top-down and bottom-up) that considers all risks and impacts. The same terminology and assessment mechanisms are used across the organisation, from finance to projects, safety and operational risk management. A single set of risk names is maintained in our risk catalogue, and one impact scale and one likelihood scale are used across all disciplines, so that management concentrates effort and resources on material activities.
The company links all risks, assurance activities and material issues to reduce assurance costs and derive greater value from auditing controls. A tracking and monitoring system provides transparency on audit findings until they are closed out. The risk management function, through the combined assurance model, coordinates with internal audit to obtain evidence on the effectiveness of treatment and control activities in achieving the desired and planned risk treatment outcome. Assurance providers (internal audit, sustainability KPI audits, external assurance providers, self-assessments and accreditation reviews) monitor the effectiveness of significant risk treatments and compliance with regulatory requirements, non-binding rules, codes and standards, as well as policies and procedures.
The ERM framework and process are based on principles published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the ISO 31000 international guideline on risk management and King IV. It also considers applicable codes of best practice such as ISO 9001, ISO 14001 and OHSAS 18001 (since superseded by ISO 45001).
The ERM framework is reviewed regularly to ensure alignment with current governance practice and standards. The board is satisfied that the company and group have a mature risk process that ensures risks that could affect its strategic objectives are actively managed by management to create shareholder value.
In terms of our group governance framework, risk management is an independent control function across the group and our chief risk officer is a standing invitee to RBR committee and group executive committee meetings.
The strategic risk profile, highlighting the group's material risks (including Cennergi's top risks) and emerging risks, is reported quarterly to the RBR committee and the board.
See: Our business risks and opportunities
The group is committed to:
1. Maintaining high standards of integrity, professionalism and ethical behaviour in its relationships
2. Compliance with the letter and spirit of the law and regulations governing its conduct, by ensuring the organisation acts with due skill and diligence
3. Conducting its business in adherence to statutory, supervisory and regulatory requirements
While Exxaro drives compliance with relevant regulatory requirements in its jurisdictions, the law serves as a minimum standard of conduct. Beyond complying with the law, Exxaro promotes a compliance culture at all levels.
The group's compliance philosophy is captured in a compliance policy, which supports ethical and responsible corporate citizenship, and seeks to create sustainable value for all stakeholders by striving for operational efficiency, growth and regulatory compliance with applicable laws.
The regulatory environment in which the group operates is regularly revisited by management to identify material legislation and to categorise each using a risk-based approach.
Key focus areas of the 2022 annual compliance plan included:
Notwithstanding the regulatory jurisdiction of the business, Exxaro has a compliance function that reports to the chief risk officer. The group governance framework confirms the chief risk officer's role with respect to regulatory compliance: the chief risk officer has oversight of group compliance management, monitors regulatory compliance and ensures consolidated compliance reporting.
Exxaro's board is responsible for ensuring that the company and its employees comply with all applicable laws and regulations, and considers non-compliance with legal and regulatory requirements a key risk. Accordingly, the board has delegated the responsibility for managing Exxaro's compliance risks to the RBR committee. The RBR committee is responsible for:
Exxaro applies a combined assurance model to optimise assurance by management, as well as internal and external service providers, while fostering a strong ethical climate and mechanisms to ensure compliance. Using our board-approved ERM approach, management identifies key risks facing Exxaro and implements the necessary internal controls with comparable information for trend analysis where possible.
The audit committee is responsible for overseeing the use of a combined assurance model to achieve the following objectives:
The board and audit committee found the effectiveness of controls for the year ended 31 December 2022 to be satisfactory. This conclusion was reached principally through a process of management self-assessment (including formal confirmation by executive management), reports from internal audit, the independent external audit and other assurance providers.
Exxaro defines assurance broadly to cover all sources, including external assurance, internal audit, management oversight and regulatory inspections. The three lines of defence clearly delineate the roles of internal stakeholders, ensuring common procedural understanding when tackling risks.
Our combined assurance model includes and optimises all assurance services and functions to collectively provide an effective control environment and support integrity of information used for internal decision making by management, the board and its committees, and in our external reports including:
The forum's activities and outcomes of assurance reports are presented quarterly to the audit committee.
See: Combined assurance report
A new issue tracking management system was installed and configured, with the business user launch and training in October 2022. This system captures and tracks the status of all findings raised by internal audit and other assurance providers, and all overdue and repeat findings are reported at each audit committee meeting.
To ensure independence of our audit and assurance functions, the following measures have been put in place: