Logo
Exxaro Resources Limited
Integrated report 2022

Adequate and effective control

Group governance framework

To further allow Exxaro's core businesses to thrive in an increasingly dynamic market and industry sector, and to continue to support the execution of the approved strategy, group governance was extensively reviewed in 2021. The board adopted a framework that provides an overview of governance structures, principles, policies and practices, which together enable the company to meet statutory and regulatory requirements, and direct stakeholder engagements.

The legally sound framework guides monitoring and oversight of business affairs to achieve accountability, authority and sound decision making as well as policies to support the group in achieving the Sustainable Growth and Impact strategy. It is an entrenched governance principle within Exxaro that group wide policies require board approval. All group-wide policies are therefore submitted to the board for final approval.

The framework sets out the following:

  • Statutory and regulatory framework of corporate governance
  • Various group governance structures and role players
  • Guiding principles that underpin effective corporate governance and describe the role of the board regarding reserved matters, delegations, policies and frameworks that apply across the group
  • The roles of:
    • Shareholders and stakeholders as well as shareholder reserved matters
    • The board, board committees and reserved matters
    • Executive management and the executive committee
    • Independent control functions and structures within the group
    • The holding company, subsidiaries and other entities

Delegation of authority

The delegation of authority policy and framework defines the limits of authority designated to specific positions of responsibility in the company and the group's management structure. It also defines commitments and transactions that may include capital amounts approved by individuals on Exxaro's behalf. The final approval of commitments and transactions outlined in the policy must always be made by parties with designated authority.

The policy and framework are regularly reviewed to ensure aligned decision making within a changing business environment. This also provides direction and clear delegation of power to management. The framework is adopted by our subsidiary company boards and implemented throughout the group as part of the overall group governance framework.

In 2021, the energy business-specific delegation of authority was subjected to a rigorous review process by the executive and the board with various opportunities to provide input around delegations and oversight requirements. A revised energy-specific delegation of authority framework was approved by the board and adopted by the subsidiary company. Following this, a review of sub-processes was scheduled for 2022 as it is a critical governance pillar to ensure an effective control environment and is a key enabler for the achievement of group-wide objectives.

A comprehensive review of the group delegation of authority framework was conducted in 2022. Major changes were made in respect of legends used to ensure clarity, further enhancements as well as changes to actual delegations. It is planned to provide separate approval frameworks for the subsidiary entities in 2023.

The board is satisfied that the delegations in place contribute to role clarity and the effective exercise of authority and responsibilities.

Board committees

Exxaro's corporate governance structure supports its ability to create value in the short, medium and long term. Through this structure, the board exercises effective control, builds and protects the organisation's reputation and legitimacy. We consider good corporate governance the responsibility of our board, as well as our executive leadership, management and all our employees.

The board committees enable the board to deal with more issues with greater efficiency by having focused expertise considering specific areas on behalf of the board. If approached appropriately, the involvement of a committee should ideally also enhance the objectivity of the board's judgement. Therefore, to assist the board with the execution of its functions, the board delegates activities to board committees through formal terms of reference. It should be noted that the board retains full and effective control of the business and company affairs, and does not assume management's functions, which remain the responsibility of the executive directors, prescribed officers and other senior management.

In 2020, board committees embarked on a significant transformation journey, focusing on reimagining the operating model, acquisitions and evolving the broader business strategy. This was driven by a changing business environment and regulatory developments. To this end, Exxaro revisited and enhanced the respective terms of reference of its corporate governance structures. In line with King IV, these included:

  • Exxaro's current operating environment and the impact of its activities on public interest
  • Effective collaboration through cross-membership between committees
  • Balanced distribution of power

The terms of reference of the respective committees were reviewed in 2022, including key focus areas and annual work plans being revisited.

The board confirms that it is satisfied that the board committees executed their roles and responsibilities. In this regard it is confirmed that the audit committee has executed the responsibilities set out in 3.84(g) of the JSE Listings Requirements.

Subsidiary companies

The board, on behalf of the company, recognises the statutory and fiduciary duties of directors of subsidiary companies and, in particular, their duty to act in the best interests of the subsidiary company at all times whether or not the director is nominated to the board of the subsidiary company (in its capacity as holding company). In the case of a conflict between the duties of a director in a subsidiary company and the interests of the company, as holding company, the duties of the director in the subsidiary company must prevail.

The framework seeks to mitigate possible tension between the holding company and its subsidiary boards through the following measures:

  • The board assumes overall responsibility for organisation and strategic coordination within the group, including its vision, mission and strategic direction, and oversees the group's performance
  • Control of a subsidiary is achieved by implementing various measures including:
    • Approving its memorandum of incorporation (MoI) and any amendments. In this regard, Exxaro's wholly owned subsidiaries have a pre-approved standard MoI applied on establishment and any amendment will be considered for approval by the RBR committee
    • Election of directors by the subsidiary shareholder (which may be delegated by the board as representative of the subsidiary shareholder in the delegation of authority policy and framework)
    • Establishment and clear communication of the group's general strategy and its adoption by the subsidiary companies
    • Requiring a shareholder vote or consent rights for specific matters as per the subsidiary MoI and the delegation of authority policy and framework (such as amendment of the MoI or election of directors)
    • Adoption of policies for key matters informed by the corporate governance principles and reflected in the framework
    • Adopting the delegation of authority policy and framework on establishment and when it is updated by the board
    • Financial control through capital allocation and budget approval for the group
    • Having regular monitoring meetings among representatives of Exxaro and its subsidiaries (as part of the Exxaro business) to follow up on implementation of directives and performance through regular reporting into the board committees
    • Setting a corporate-wide independent internal audit function with a direct reporting line to the group audit committee as well as appointment of the group external auditor
    • Implementing group-wide risk and compliance management practices and other independent control functions
    • Establishing an efficient information management system to monitor key strategic indicators

The subsidiary directors are bound to adhere to the framework and adopted group policies. This does not absolve the directors of subsidiary boards from exercising their fiduciary duties. If directors breach their fiduciary duties, they may be held liable under section 77 of the Companies Act. This responsibility is clearly highlighted for subsidiary directors.

Group-wide control functions

The group control and oversight functions consist of the corporate secretariat, risk management, compliance management, legal, strategy, internal audit and assurance, and finance (as it relates to financial compliance), which are responsible for providing enterprise-wide oversight on operational management and consolidated reporting. The heads of these functions have direct access to the board, audit committee and the RBR committee (as appropriate).

The internal audit function does not receive delegations through the CEO but is delegated authority directly by the audit committee to execute responsibilities in terms of the internal audit annual plan. The chief audit officer reports administratively to the finance director.

The board is ultimately responsible for overseeing the effectiveness of the oversight functions and ensuring an effective internal control environment within the group.

Ownership structure

Board's access to information

The board charter guides our directors and management on the information requirements to be shared with the board while the onus remains on each director to advise the chairperson and/or CEO should he or she be of the opinion that the information provided is insufficient to enable informed decision making.

In addition, the board has unrestricted access to all company employees, information, records, documents and property, and a process to guide directors is provided should such access be required. The board, in carrying out its tasks, may also obtain outside or other independent professional advice it considers necessary to carry out its duties. The required protocols for requests of this nature is set out in the board charter.

Technology and information management

The board governs technology and information management in a way that supports the organisation setting and achieving its strategic objectives.

The board has mandated the RBR committee, as part of its business resilience focus, to oversee Exxaro's ERM process, including key risks facing the company and group and responses to address these risks, including information management risks. In addition, the RBR committee has a specific mandate to oversee governance of the information management strategy as well as integration of overall direction, context and objective for the improvement programme, and ensure alignment with the enterprise business strategy, governance and risk management. In addition, the audit committee is responsible to ensure adequate information technology governance through delegation to the information management steering committee.

Information management risks and mitigation measures are monitored continuously, including assessment of emerging risks, and reported to the RBR committee quarterly.

The top five information management risks identified at the end of 2022:

1
Cybersecurity: data theft
2
Availability and quality of data
3
Information technology disaster recovery strategy, plan and procedures
4
Cyber threat: malware
5
Cyber threat: disruption of operations

Cybersecurity remains the biggest identified and managed risk. EY concluded a cybersecurity assessment in 2021, assessing the same metrics as in 2018, and found a substantial improvement across all metrics. Exxaro's scores are much higher than the mining industry peer group. Based on the assessment, a new cybersecurity programme was defined to achieve further improvements. Exxaro's cybersecurity profile (Microsoft Compliance Score) rating at the end of September 2022 was 75.73%, which meets the 70% target for the year with stretch target of 80%.

Integrated ERM

Exxaro's ERM framework provides a process for effective management of all types of risks. We follow a layered approach (top-down and bottom-up) considering all risks and impacts. The same terminology and assessment mechanisms are used across the organisation from finance to projects, safety and operational risk management, etc. A set of risk names is in our risk catalogue, and one impact and one likelihood scale is used across different disciplines to ensure management concentrates efforts and resources on material activities.

The company links all risks, assurance activities and material issues to reduce assurance costs and derive greater value from auditing controls. A tracking and monitoring system is applied for transparency in audit findings to be closed out. The risk management function, through the combined assurance model, coordinates with internal audit to obtain evidence on the effectiveness of treatment and control activities in achieving the desired and planned risk treatment outcome. Assurance providers (internal audit, sustainability KPI audits, external assurance providers, self-assessments and accreditation reviews) monitor effectiveness of significant risk treatments and compliance with regulatory requirements, non-binding rules, codes and standards as well as policies and procedures.

The ERM framework and process are based on principles published by the Committee of Sponsoring Organizations of the Treadway Commission, the ISO 31000 international guideline on risk management and King IV. It also considers applicable codes of best practice such as ISO 9001, 14001 and 18001.

The ERM framework is reviewed regularly to ensure alignment with current governance practice and standards. The board is satisfied that the company and group have a mature risk process that ensures risks potentially impacting its strategic objectives are pursued by management to create shareholder value.

In terms of our group governance framework, risk management is an independent control function across the group and our chief risk officer is a standing invitee to RBR committee and group executive committee meetings.

The strategic risks profile, highlighting the group's material risks, including Cennergi's top risks, and emerging risks are reported quarterly to the RBR committee and the board.

Our business risks and opportunities

Beyond compliance

The group is committed to:

1
Maintaining high standards of integrity, professionalism and ethical behaviour in its relationships
2
Compliance with the letter and spirit of the law and regulations governing its conduct by ensuring the organisation acts with due skill and diligence
3
Conducting its business in adherence to statutory, supervisory and regulatory requirements

 

While Exxaro drives compliance with relevant regulatory requirements in its jurisdictions, the law serves as a minimum standard of conduct. Beyond complying with the law, Exxaro promotes a compliance culture at all levels.

The group's compliance philosophy is captured in a compliance policy, which supports ethical and responsible corporate citizenship, and seeks to create sustainable value for all stakeholders by striving for operational efficiency, growth and regulatory compliance with applicable laws.

The regulatory environment in which the group operates is regularly revisited by management to identify material legislation and to categorise each using a risk-based approach.

Key focus areas of the 2022 annual compliance plan included:

  • Closing out of the POPIA implementation project with an internal audit to ensure compliance
  • Updating regulatory compliance content available to business as well as the compliance calendar

Notwithstanding the regulatory jurisdiction of the business, Exxaro has a compliance function that reports to the chief risk officer. The group governance framework confirms the role of the chief risk officer with respect to regulatory compliance in that the person has oversight over group compliance management to monitor regulatory compliance and ensure consolidated compliance reporting.

Exxaro's board is responsible for ensuring that the company and its employees comply with all applicable laws and regulations, and consider non-compliance with legal and regulatory requirements a key risk. Accordingly, the board has delegated the responsibility for managing Exxaro's compliance risks to the RBR committee. The board's RBR committee is responsible for:

  • Overseeing regulatory compliance risks, policies and frameworks
  • Monitoring compliance with agreed policies, national and international protocols and procedures on non-financial aspects in collaboration with the SERC
  • Ensuring compliance is continually monitored and reported by management, and external and internal audit

Combined assurance model

Exxaro applies a combined assurance model to optimise assurance by management, as well as internal and external service providers, while fostering a strong ethical climate and mechanisms to ensure compliance. Using our board-approved ERM approach, management identifies key risks facing Exxaro and implements the necessary internal controls with comparable information for trend analysis where possible.

The audit committee is responsible for overseeing the use of a combined assurance model to achieve the following objectives:

  • Enabling an effective internal control environment
  • Integrity of information used for internal decision making by management, the board and its committees
  • Supporting the integrity of external reports

The board and audit committee found the effectiveness of controls for the year ended 31 December 2022 as satisfactory. This was concluded principally through a process of management self-assessment (including formal confirmation by executive management), reports from internal audit, independent external audit and other assurance providers.

Exxaro defines assurance broadly to cover all sources, including external assurance, internal audit, management oversight and regulatory inspections. The three lines of defence clearly delineate the roles of internal stakeholders, ensuring common procedural understanding when tackling risks.

Our combined assurance model includes and optimises all assurance services and functions to collectively provide an effective control environment and support integrity of information used for internal decision making by management, the board and its committees, and in our external reports including:

  • Corporate governance disclosures in terms of King IV
  • Financial statements and other external reports including our integrated and ESG reports

The forum's activities and outcomes of assurance reports are presented quarterly to the audit committee.

Combined assurance report

Overdue and repeat findings

A new issue tracking management system was installed and configured with the business user launch and training in October 2022. This system will capture and track the status of all internal audits and other assurance providers findings, and all overdue and repeat findings will be reported at each audit committee meeting.

Independence of audit and assurance functions

To ensure independence of our audit and assurance functions, the following measures have been put in place:

  • Effective for the financial year ended 31 December 2022, KPMG was appointed as Exxaro's new independent external auditor together with its delivery partner, AM PhakaMalele, approved by shareholders at the AGM held on 25 May 2022 by way of a separate resolution of shareholders in terms of the JSE Listings Requirements paragraph 3.84(g)
  • Change in internal audit service provider: PwC and its service delivery partner, Ngubane & Co, were appointed as Exxaro's internal audit service provider from 1 July 2022
  • A framework for engagement of auditors to supply non-audit services was adopted in 2021 and confirmed that KPMG, in terms of its policy, is not allowed to perform non-audit services
  • Internal audit function is confirmed by our group governance framework as an independent control function across the group
  • Internal audit charter (reviewed in 2022) informs the role and scope of work of the internal audit function
  • Chief audit officer of Exxaro and the internal audit function report directly to our audit committee and is administratively overseen by the finance director
Report SelectorReport Index
X

Generate your own report

You can create your own custom PDF version of the report.

Select your areas of interest from the list below and submit your selection to create a PDF ready for you to download.

UNDERSTANDING OUR BUSINESS
Add section
Driving transition through leadership
Driving value creation through transition
About our integrated report
Chairperson's statement
About Exxaro
Sustainable growth and impact
Our operating context

DRIVERS OF VALUE CREATION
Add section
Our business model
Our material matters
Our business risks and opportunities
Creating value through stakeholder engagement

TRANSITIONING THE BUSINESS FOR GROWTH
Add section
CEO's report
Our strategy: positioning Exxaro for sustainable growth and impact
Performance against our strategy and future focus
2022 strategic key performance indicators
Key strategic trade-offs

GOVERNANCE FOR VALUE CREATION
Add section
Our leadership
Summarised governance report
Combined assurance for effective governance

OUR PERFORMANCE
Add section
Finance director's overview
Operational performance
Business resilience
Our people
Social licence to operate: enabling our legitimacy
Our environment: stewardship and compliance
Responding to TCFD reporting requirements

OUR MINERAL RESOURCES AND MINERAL RESERVES
Add section
Our mineral resources and mineral reserves

ADDITIONAL INFORMATION
Add section
Glossary
Administration