Exxaro Resources Limited
Integrated report for the year ended
31 December 2023
 

Adequate and effective control

Governance framework

The framework provides an overview of our governance principles, structures, policies and practices and the integration of the minerals and energy strategies and budgets. It guides monitoring and oversight of business affairs to achieve accountability, authority and sound decision making, as well as policies to support the group in achieving the Sustainable Growth and Impact strategy. It is an entrenched governance principle within Exxaro that group-wide policies require board approval, and this is captured in the delegation of authority framework.

The group governance framework was reviewed in 2023 to enable Exxaro’s core businesses to thrive in an increasingly dynamic market and industry sector, and to continue to support the execution of the approved strategy. The revision included new board and management committees.

Board charter and code of conduct

The charter and code of conduct regulate the parameters in which the board operates and ensure good corporate governance principles are applied in all dealings in respect and on behalf of the company and group. The charter sets out the roles and responsibilities of the board, individual directors, chairperson, CEO, lead independent non-executive director and group company secretary.

The charter and nomination and appointment policy require board members to be individuals of calibre, integrity and credibility, with the necessary skills and experience. The nomination committee must ensure continuity of directorships and undertake succession planning on behalf of the board. This includes identifying, mentoring and developing future candidates. The nomination committee is also responsible for conducting independent background checks on all proposed candidates prior to recommending their appointment to the board.

The charter was reviewed in 2023 to align with new executive designations and the nomination and logistics committees.

Board’s access to information

The board charter guides directors and executive management on the information requirements to be shared with the board while the onus remains on each director to advise the chairperson and/or CEO should they believe that the information provided is insufficient for informed decision making.

The board has unrestricted access to all company employees, information, records, documents and property, and a process to guide directors is provided should they require access. The board, in carrying out its tasks, may obtain outside or other independent professional advice it considers necessary to execute its duties. The board charter sets out the required protocols for requests of this nature.

Delegation of authority

The delegation of authority policy and framework defines the limits of authority designated to specific positions of responsibility in the company and the group’s management structure. It also defines commitments and transactions that may include capital amounts approved by individuals on Exxaro’s behalf. The final approval of commitments and transactions outlined in the policy must always be made by parties with designated authority.

The policy and framework are regularly reviewed to ensure aligned decision making within a changing business environment. This also provides direction and clear delegation of power to management. The framework is adopted by our subsidiary company boards and implemented throughout the group as part of the overall group governance framework.

The board is satisfied that the delegations in place contribute to role clarity and the effective exercise of authority and responsibilities.

Board committees

Our corporate governance structure supports our ability to create value in the short, medium and long term. Through this structure, the board exercises effective control, and builds and protects the organisation’s reputation and legitimacy. We consider good corporate governance the responsibility of our board, executive leadership, management and all our employees.

Board committees enhance efficiency by providing focused expertise on specific areas, allowing the board to address a broader range of issues. When used effectively, committees also enhance the objectivity of the board’s judgement. As such, to facilitate the execution of its functions, the board delegates activities to its committees through formal terms of reference.

The board retains full and effective control of business and company affairs and does not assume management’s functions, which remain the responsibility of the executive directors, prescribed officers and other senior management.

In response to the business risk resulting from unavailability of rail capacity in executing the Exxaro strategy, the board established an ad hoc board logistics committee early in 2023. The logistics committee is responsible for monitoring and reporting to the board on the development of long-term solutions for logistics access to international markets, identification of medium-term solutions and alternatives, and related matters. The board, based on the longer-term nature of logistical challenges in the industry, and as recommended by the nomination committee, approved the logistics committee becoming a standing board committee.

The board committees’ terms of reference were reviewed in 2023, including key focus areas and annual work plans.

The board confirms that it is satisfied that the board committees executed their roles and responsibilities. In this regard it is confirmed that the audit committee has executed the responsibilities set out in paragraph 3.84(g) of the JSE Listings Requirements.

Subsidiary companies

The board, on behalf of the company, recognises the statutory and fiduciary duties of subsidiary companies’ directors and particularly their duty to act in the best interests of the subsidiary company at all times whether or not the director is nominated to the board of the subsidiary company (in its capacity as holding company). In the case of a conflict between a director’s duties in a subsidiary company and the interests of the company, as holding company, the director’s duties in the subsidiary company must prevail.

The group governance framework seeks to mitigate possible tension between the holding company and its subsidiary boards. The subsidiary directors must adhere to the framework and adopted group policies. This does not absolve the directors of subsidiary boards from exercising their fiduciary duties. If directors breach their fiduciary duties, they may be held liable under section 77 of the Companies Act. This responsibility is clearly highlighted for all our subsidiary directors.

Group-wide control functions

The group control and oversight functions are responsible for providing enterprise-wide oversight of operational management and integrated reporting. The heads of these functions have direct access to the board, audit committee and RBR committee, as appropriate.

Our group control and oversight functions consist of:

  • Corporate secretariat
  • Risk management
  • Compliance management
  • Legal
  • Strategy
  • Internal audit and assurance
  • Finance (as it relates to financial compliance)

The board is responsible for overseeing the effectiveness of the oversight functions and ensuring an effective internal control environment within the group.

Integrated ERM

Our ERM framework provides a process for effective risk management. We follow a layered approach (top-down and bottom-up) that considers all risks and impacts. The same terminology and assessment mechanisms are used across the organisation. Our risk catalogue includes a set of risk names, and an impact and likelihood scale is used across different disciplines to ensure management concentrates efforts and resources on material activities.

We link all risks, assurance activities and material issues to reduce assurance costs and derive greater value from auditing controls. A tracking and monitoring system is applied for transparency for audit findings to be closed out.

The risk management function, through the combined assurance model, coordinates with the internal audit function to obtain evidence on the effectiveness of treatment and control activities in achieving the desired or planned risk treatment outcomes.

Assurance providers (internal audit, sustainability KPI audits, external assurance providers, self-assessments and accreditation reviews) monitor the effectiveness of significant risk treatments and compliance with regulatory requirements, non-binding rules, codes and standards, as well as policies and procedures.

The ERM framework and process are based on principles published by the Committee of Sponsoring Organizations of the Treadway Commission, the ISO 31000 international guideline on risk management, and King IV. It also considers applicable codes of best practice such as ISO 9001, 14001 and 18001.

The ERM framework is reviewed regularly to ensure alignment with current governance practice and standards. The board is satisfied that the group and company have a mature risk process that ensures the risks that potentially impact Exxaro’s strategic objectives are pursued by management to create shareholder value.

In terms of our governance framework, risk management is an independent control function across the group. The strategic risk profile, highlighting the group’s material risks (including Cennergi’s top risks) and emerging risks, is reported quarterly to the RBR committee and board.

To test the robustness of our strategic risk profile, a study was conducted in 2023 to compare the risk register to top risks disclosed by mining industry peers. Our strategic risk profile was found to be robust and reflects relevant risks that apply to our peers.

Technology and information management

The board governs technology and information management in a way that supports Exxaro in setting and achieving our strategic objectives.

The board mandated the RBR committee, as part of its business resilience focus, to oversee Exxaro’s ERM process, including key risks facing the group and responses to address these risks, including information management risks. The RBR committee is mandated to oversee information management strategy governance; integration of the improvement programme’s overall direction, context and objective; and ensure alignment with the enterprise business strategy, governance and risk management.

In addition to the RBR committee, the audit committee is responsible for ensuring adequate information management governance.

Governance plays a pivotal role in ensuring that our technological infrastructure and processes align with organisational objectives while also adhering to industry benchmarks. We strategically aligned the information management governance framework with recognised industry standards, including ISO 27001, COBIT 2019, ITIL 4, ISO 31000 and ISO 27031, among others. This alignment supports our commitment to best practice and ensures robust oversight of our IT operations.

To further enhance decision making, oversight and strategic direction, we instituted several management governance forums: the project review committee, architectural review board, investment review board, change advisory board, and information management committee.

Our foundational policies support these structures by guiding behaviour, expectations and operations. These include the acceptable use of information and communications technology, security, operations, project management, asset management and the information and communications technology service continuity policies. Together, this forms a cohesive governance structure that promotes transparency, efficiency and innovation in our IT domain.

Information management risk management

Information management risks and mitigation measures are monitored continuously (including assessment of emerging risks) and reported to the RBR committee quarterly.

These are our top information management risks over the past two years:

2022

  1. Cybersecurity: data theft
  2. Availability and quality of data
  3. IT disaster recovery strategy, plan and procedures

2023

  1. Cybersecurity: data thefts
  2. Cyber threat: malware
  3. Cyber threat: disruption of operations

There is also an emerging risk of impending enterprise resource planning transformation due to end of maintenance support. We monitor treatment plans for the risks to determine adequacy.

Information management disaster recovery

To ensure our disaster recovery programme is robust and resilient, we strategically aligned it with the ISO 27031 guidelines by embedding the plan-do-check-act cycle, a systematic series of steps for continuous improvement of our disaster recovery capabilities.

Beyond compliance

The group is committed to:

  1. Maintaining high standards of integrity, professionalism and ethical behaviour in its relationships
  2. Compliance with the letter and spirit of the law and regulations governing its conduct by ensuring the organisation acts with due skill and diligence
  3. Conducting its business in adherence to statutory, supervisory and regulatory requirements

While Exxaro drives compliance with relevant regulatory requirements in its jurisdictions, the law serves as a minimum standard of conduct. Beyond complying with the law, Exxaro promotes a compliance culture at all levels.

Our compliance philosophy is captured in a compliance policy approved by the board, which supports ethical and responsible corporate citizenship and seeks to create sustainable value for all stakeholders by striving for operational efficiency, growth and regulatory compliance with applicable laws.

Management regularly revisits the group’s regulatory environment to identify material legislation and categorises each using a risk-based approach.

The board is responsible for ensuring that the group and our employees comply with all applicable laws and regulations, and it considers non-compliance with legal and regulatory requirements a key risk. Accordingly, the board delegated the responsibility for managing Exxaro’s compliance risks to the RBR committee.

The chief strategic resilience and governance officer is responsible for providing a compliance and regulatory compass to the group by promoting a culture of compliance.

Key compliance activities for 2023 included:

  • Reviewing our regulatory compliance risk ratings and audit review cycles
  • Rolling out competition law training for the whole organisation
  • Updating the POPIA policy and PAIA manual and providing additional POPIA training
  • Annual environmental authorisation and other licence audits at our operations

Combined assurance model

Exxaro applies a combined assurance model to optimise assurance by management, as well as internal and external service providers, while fostering a strong ethical climate and mechanisms to ensure compliance. Using our board-approved ERM approach, management identifies key risks facing Exxaro and implements the necessary internal controls with comparable information for trend analysis where possible.

The audit committee is responsible for overseeing the use of a combined assurance model to achieve the following objectives:

  1. Enabling an effective internal control environment
  2. Ensuring integrity of information used for decision making by management, the board and its committees
  3. Supporting the integrity of external reports

Combined assurance forum

The combined assurance model was put in place through the effective functioning of the combined assurance forum. The forum coordinates assurance for our risk exposure, as identified and ranked by the risk management function and aligned to King IV recommended practices for assurance. The forum’s activities and outcomes of assurance reports are presented quarterly to the audit committee.

Five lines of assurance

Exxaro adopted the three lines of defence model for combined assurance. The model aims to establish effective governance, risk management and control practices within Exxaro.

However, with the continuous development of the concept of combined assurance, we replaced the three lines of defence model with the five lines of assurance. The five lines of assurance are differentiated by the level of risk ownership and the independence of assurance efforts or providers.

The five lines of assurance include:

  • Line functions that own and manage risk and opportunity, such as operational management
  • Specialist functions that facilitate and oversee risk and opportunity, such as compliance, risk, legal departments and oversight structures
  • Internal assurance providers, such as internal audit
  • External assurance providers, such as independent external auditors or other independent third-party providers
  • Regulators, such as the DMRE

Combined assurance plan

The combined assurance plan focus areas are aligned to the group’s top 10 strategic risks with inputs from assurance providers. The plan considers the level of assurance from assurance providers in providing the audit committee and board with confidence regarding the effective functioning of the internal control environment.

Overdue and repeat findings

Exxaro uses an issue tracking management system to capture and track the status of all internal audit and other assurance provider findings. All overdue and repeat findings are reported at each audit committee meeting.

Independence of audit and assurance functions

To ensure the independence of our audit and assurance functions, the following measures are in place:

  • We appointed KPMG as our independent external auditor, along with its service delivery partner, AM PhakaMalele (approved by shareholders at the AGM on 18 May 2023 by way of a separate resolution of shareholders in terms of JSE Listings Requirements paragraph 3.84(g))
  • Under the management of Exxaro’s head of internal audit, PwC and its service delivery partner, Ngubane & Co, have been providing internal audit services since 1 July 2022 
  • In 2021, the group adopted a framework for engaging auditors to supply non-audit services. We confirmed that KPMG, in terms of its policy, does not provide advisory and tax services to its audit clients
  • Our group governance framework confirms the internal audit function as an independent control function across the group
  • The internal audit charter informs the role and scope of work of the internal audit function
  • The head of internal audit reports directly to our audit committee and is administratively overseen by the CEO

Board statement

The board and audit committee are satisfied with the effectiveness of controls for the year ended 31 December 2023. This conclusion was reached principally through a process of management self-assessment (including formal confirmation by executive management), reports from internal audit, independent external audit and other assurance providers.
