Our group governance framework provides an overview of our governance principles, structures, policies and practices and the integration of the minerals and energy strategies and budgets. It guides monitoring and oversight of business affairs to achieve accountability, authority and sound decision making as well as policies to support the group in achieving the Sustainable Growth and Impact strategy. It is an entrenched governance principle within Exxaro that group-wide policies require board approval, and this is captured in the delegation of authority framework.
The group governance framework sets out the following:
The group governance framework was reviewed in 2023 to enable Exxaro’s core businesses to thrive in an increasingly dynamic market and industry sector, and to continue to support the execution of the approved strategy. The revision included new board and management committees.
The delegation of authority policy and framework defines the limits of authority designated to specific positions of responsibility in the company and the group’s management structure. It defines commitments and transactions that may include capital amounts approved by individuals on our behalf. The final approval of commitments and transactions outlined in the policy must always be made by parties with designated authority.
The policy and framework are regularly reviewed to ensure aligned decision making within a changing business environment. It also provides direction and clear delegation of power to management. The framework is adopted by our subsidiary company boards and implemented throughout the group as part of the overall group governance framework.
We conducted a comprehensive review of the group delegation of authority framework in 2022, and it will be reviewed in 2024.
The board is satisfied that the delegations in place contribute to role clarity and the effective exercise of authority and responsibilities.
The board charter guides directors and executive management on the information requirements to be shared with the board, while the onus remains on each director to advise the chairperson and/or CEO should they believe that the information provided is insufficient for informed decision making.
The board has unrestricted access to all company employees, information, records, documents and property, and a process to guide directors is provided should they require access. The board, in carrying out its tasks, may obtain outside or other independent professional advice it considers necessary to execute its duties. The board charter sets out the required protocols for requests of this nature.
Stakeholders
Exxaro’s corporate governance structure supports its ability to create value in the short, medium and long term. Through this structure, the board exercises effective control and builds and protects the organisation’s reputation and legitimacy. Good corporate governance is the responsibility of our board, executive management, senior management and all our employees.
Board committees enhance efficiency by providing focused expertise on specific areas, allowing the board to address a broader range of issues. When used effectively, committees also enhance the objectivity of the board’s judgement. As such, to facilitate the execution of its functions, the board delegates activities to board committees through formal terms of reference.
The board retains full and effective control of business and company affairs and does not assume management’s functions, which remain the responsibility of the executive directors, prescribed officers and other senior management.
The chairpersons of the board committees periodically meet to consult and collaborate on areas of shared responsibility, activity and interest across the different committees.
In response to the business risk resulting from unavailability of rail capacity in executing the Exxaro strategy, the board established an ad hoc board logistics committee early in 2023. The logistics committee is responsible for monitoring and reporting to the board on the development of long-term solutions for logistics access to international markets, identification of medium-term solutions and alternatives, and related matters.
The board, based on the longer-term nature of logistical challenges in the industry, and as recommended by the nomination committee, approved the logistics committee becoming a standing board committee.
The terms of reference of the respective board committees were reviewed in 2023, including key focus areas and annual work plans being revisited.
The board confirms that it is satisfied that the board committees executed their roles and responsibilities. In this regard, it confirms that the audit committee has executed the responsibilities set out in paragraph 3.84(g) of the JSE Listings Requirements.
Appointed by shareholders: to fulfil the statutory functions as set out in section 94 of the Companies Act and assist the board in providing independent oversight of the quality and integrity of, among others, the company’s financial statements.
Appointed by the board: to monitor and report to the board on material acquisition, merger and investment or disposal opportunities and related ongoing material transactions in the scope of the energy and minerals businesses.
Appointed by the board: to develop long-term solutions for logistics to access international markets for coal and minerals and identify medium-term solutions and alternatives to mitigate rail capacity risk.
Appointed by the board: to assist the board with director recruitment in fulfilment of the nomination process, oversee the board’s effectiveness evaluation process, and evaluate and determine the adequacy and efficiency of the group governance structure and practices.
Appointed by the board: to ensure the group remunerates fairly, responsibly and transparently and to ensure compliance with the JSE Listings Requirements and related reporting obligations.
Appointed by the board: to ensure that risk management enhances the company’s ability to achieve its strategic objectives and annually assure the business’s resilience in a changing environment to enable it to deliver its objectives, survive and prosper.
Appointed by shareholders: to advise the board on the fulfilment of the statutory duties as set out in regulation 43 of the Companies Act, oversee significant impacts of the company on the economy, environment, society and broader public interest, and to ensure negative impacts are mitigated effectively.
The board, on behalf of the company, recognises the statutory and fiduciary duties of directors of subsidiary companies. Directors are obligated to act in the best interests of the subsidiary company at all times, regardless of having been nominated to the subsidiary’s board by the company (in its capacity as holding company). If a conflict arises between a director’s duties in a subsidiary company and the interests of the company, as holding company, the director’s duties in the subsidiary company prevail.
The group governance framework seeks to mitigate possible tension between the holding company and its subsidiary boards. The subsidiary directors must adhere to the framework and adopted group policies. This does not absolve the directors of subsidiary boards from exercising their fiduciary duties. If directors breach their fiduciary duties, they may be held liable under section 77 of the Companies Act. This responsibility is clearly highlighted for all our subsidiary directors.
The group control and oversight functions are responsible for providing enterprise-wide oversight of operational management and integrated reporting.
Our group control and oversight functions consist of:
The board is responsible for overseeing the effectiveness of the oversight functions and ensuring an effective internal control environment within the group.
Our ERM framework provides a process for effective risk management. We follow a layered approach (top-down and bottom-up) that considers all risks and impacts. The same terminology and assessment mechanisms are used across the organisation. Our risk catalogue includes a set of risk names, and an impact and likelihood scale is used across different disciplines to ensure management concentrates efforts and resources on material activities.
We link all risks, assurance activities and material issues to reduce assurance costs and derive greater value from auditing controls. A tracking and monitoring system is applied for transparency for audit findings to be closed out.
The risk management function, through the combined assurance model, coordinates with the internal audit function to obtain evidence on the effectiveness of treatment and control activities in achieving the desired or planned risk treatment outcomes. Assurance providers (internal audit, sustainability KPI audits, external assurance providers, self-assessments and accreditation reviews) monitor the effectiveness of significant risk treatments and compliance with regulatory requirements, non-binding rules, codes and standards, as well as policies and procedures.
The ERM framework and process are based on principles published by the Committee of Sponsoring Organizations of the Treadway Commission, the ISO 31000 international guideline on risk management, and King IV. It also considers applicable codes of best practice such as ISO 9001, 14001 and 18001.
The ERM framework is reviewed regularly to ensure alignment with current governance practice and standards. The board is satisfied that the group and company have a mature risk process that ensures the risks that potentially impact its strategic objectives are pursued by management to create shareholder value.
In terms of our group governance framework, risk management is an independent control function across the group.
The strategic risks profile, highlighting the group’s material risks (including Cennergi’s top risks) and emerging risks, is reported quarterly to the RBR committee and the board.
To test the robustness of our strategic risk profile, a study was conducted in 2023 to compare the risk register to top risks disclosed by mining industry peers. Our strategic risk profile was found to be robust and reflects relevant risks that apply to our peers.
Our risks and opportunities (integrated report)
The board governs technology and information management in a way that supports the organisation in setting and achieving its strategic objectives.
The board mandated the RBR committee, as part of its business resilience focus, to oversee Exxaro’s ERM process, including key risks facing the group and responses to address these risks, including information management risks. The RBR committee is mandated to oversee information management strategy governance, integration of the improvement programme’s overall direction, context and objective, and ensure alignment with the enterprise business strategy, governance and risk management.
In addition to the RBR committee, the audit committee is responsible for ensuring adequate information management governance.
Governance plays a pivotal role in ensuring that our technological infrastructure and processes align with organisational objectives while also adhering to industry benchmarks. We strategically aligned the information management governance framework with recognised industry standards, including ISO 27001, COBIT 2019, ITIL 4, ISO 31000 and ISO 27031, among others. This alignment supports our commitment to best practice and ensures robust oversight of our IT operations.
To further enhance decision making, oversight and strategic direction, we instituted several management governance forums: the project review committee, architectural review board, investment review board, change advisory board, and information management committee.
Our foundational policies support these structures by guiding behaviour, expectations and operations. These include the acceptable use of ICT policy, security policy, operations policy, project management policy, asset management policy and the ICT service continuity policy. Together, this forms a cohesive governance structure that promotes transparency, efficiency and innovation in our IT domain.
Information management risks and mitigation measures are monitored continuously, including assessment of emerging risks, and reported to the RBR committee quarterly.
These are our top information management risks over the past two years:
2022:
1. Cybersecurity: data theft
2. Availability and quality of data
3. IT disaster recovery strategy, plan and procedures
2023:
- Cybersecurity: data thefts
- Cyber threat: malware
- Cyber threat: disruption of operations
There is also an emerging risk of impending enterprise resource planning transformation as a result of end-maintenance support. We monitor treatment plans for the risks to determine adequacy.
To ensure our disaster recovery programme is robust and resilient, we strategically aligned it with the ISO 27031 guidelines by embedding the plan-do-check-act cycle, a systematic series of steps for continuous improvement of our disaster recovery capabilities.
The group is committed to:
1. Maintaining high standards of integrity, professionalism and ethical behaviour in its relationships
2. Compliance with the letter and spirit of the law and regulations governing its conduct by ensuring the organisation acts with due skill and diligence
3. Conducting its business in adherence to statutory, supervisory and regulatory requirements
While we drive compliance with relevant regulatory requirements in our jurisdictions, the law serves as a minimum standard of conduct. Beyond complying with the law, we promote a compliance culture at all levels.
Our compliance philosophy is captured in a compliance policy approved by the board, which supports ethical and responsible corporate citizenship and seeks to create sustainable value for all stakeholders by striving for operational efficiency, growth and regulatory compliance with applicable laws.
Management regularly revisits the group’s regulatory environment to identify material legislation and categorises each using a risk-based approach.
The board is responsible for ensuring that the group and our employees comply with all applicable laws and regulations, and it considers non-compliance with legal and regulatory requirements a key risk. Accordingly, the board delegated the responsibility for managing Exxaro’s compliance risks to the RBR committee.
The RBR committee is responsible for:
The chief strategic resilience and governance officer is responsible for providing a compliance and regulatory compass to the group by promoting a culture of compliance.
Key compliance activities for 2023 included:
| Requirements, including: | Commitments, including: | Exxaro policies, including: | Standards, guidelines and protocols, including: |
|---|---|---|---|
| South African Constitution and Bill of Rights | Shareholder commitments | Corporate governance framework | Mining Charter III |
| Companies Act | UN SDGs | Code of ethics | GRI 12: Coal Sector 2022 |
| Financial Markets Act, including JSE Listings Requirements, SAMREC Code and King IV | UN Guiding Principles on Business and Human Rights | Conflicts of interest policy and gifts and benefits policy | IFRS S1 and S2 |
| IFRS | UK and US anti-bribery and corruption legislation | Group financial reporting policies | ISO 37001 Anti-bribery management systems (certified) |
| Mineral and Petroleum Resources Development Act | UNGC 10 principles | ERM policy and framework, and compliance policy | ISO 45001 Health and safety (certified) |
| MHSA and OHSA | Energy socio-economic development commitments | Crisis management policy | ISO 14001 Environmental management systems (certified) |
| NWA, NEMA and Waste, Air Quality and Biodiversity Acts | OECD guidelines | Anti-bribery and anti-corruption policy and whistleblowing policy | ILO protocol |
| Electricity Regulation Act | TCFD framework | Human rights policy | Among others: ISO 31000, 9001, 18001, 37301, 37000, 26000 |
| Basic Conditions of Employment Act and Labour Relations Act | Group-wide B-BBEE target of level 1 | Supplier code of conduct and supply chain sustainability policy | |
| Employment Equity Act and B-BBEE Act | Safety target: zero harm | Diversity and inclusion framework | |
| Prevention and Combating of Corrupt Activities Act | CDP | Capital allocation framework | |
| Competition Act | Climate change statement | Internal audit charter | |
| Income Tax Act, Value Added Tax Act and Carbon Tax Act | | Delegation of authority policy and framework | |
Exxaro applies a combined assurance model to optimise assurance by management, as well as internal and external service providers, while fostering a strong ethical climate and mechanisms that ensure compliance. Using our board-approved ERM approach, management identifies key risks we face and implements the necessary internal controls with comparable information for trend analysis where possible.
The audit committee is responsible for overseeing the use of a combined assurance model to achieve the following objectives:
1. Enabling an effective internal control environment
2. Ensuring integrity of information used for decision making by management, the board and its committees
3. Supporting the integrity of external reports
The combined assurance model was put in place through the effective functioning of the combined assurance forum. The forum coordinates assurance for our risk exposure, as identified and ranked by the risk management function and aligned to King IV recommended practices for assurance. The forum’s activities and outcomes of assurance reports are presented quarterly to the audit committee.
Exxaro adopted the three lines of defence model for combined assurance. The model aims to establish effective governance, risk management and control practices within Exxaro.
However, with the continuous development of the concept of combined assurance, we replaced the three lines of defence model with the five lines of assurance. The five lines of assurance are differentiated by the level of risk ownership and the independence of assurance efforts or providers.
The five lines of assurance include:
The combined assurance plan focus areas are aligned to the group’s top 10 strategic risks with inputs from assurance providers. The plan considers the level of assurance from assurance providers in providing the audit committee and board with confidence regarding the effective functioning of the internal control environment.
Exxaro uses an issue tracking management system to capture and track the status of all internal audit and other assurance provider findings. All overdue and repeat findings are reported at each audit committee meeting.
To ensure the independence of our audit and assurance functions, the following measures are in place:
The board and audit committee are satisfied with the effectiveness of controls for the year ended 31 December 2023. This conclusion was reached principally through a process of management self-assessment (including formal confirmation by executive management), reports from internal audit, independent external audit and other assurance providers.
Combined assurance for effective governance report (integrated report)