A robust governance framework enables the execution of governance responsibilities at all levels of the organisation.
The Exxaro group governance framework provides an overview of our governance principles, structures, policies and practices and the integration of the minerals and energy strategies and budgets. It guides monitoring and oversight of business affairs to achieve accountability at all levels, clarifies reporting roles and limits on authority, guides sound decision making and informs group-wide policies to support achievement of the Sustainable Growth and Impact strategy and an ethical culture. It is an entrenched governance principle within Exxaro that group-wide policies require board approval, as captured in the delegation of authority framework.
The group governance framework enables Exxaro's core businesses to thrive in an increasingly dynamic market and industry sector and to continue to support the execution of the approved strategy.
The group governance framework was reviewed and, following recommendation by the nomination committee, an update was approved by the board in 2023.
The delegation of authority policy and framework define the limits of authority designated to specific positions of responsibility in the company and the group's management structure. They also define commitments and transactions that may include capital amounts approved by individuals on Exxaro's behalf. The final approval of commitments and transactions outlined in the policy must always be made by parties with designated authority.
In November 2024, following recommendation by the RBR committee, the board approved the revised Exxaro delegation of authority framework. A structured and inclusive review highlighted several key areas to promote collaboration, enhance clarity, improve efficiency in business execution, and strengthen the governance framework.
Four main principles were considered throughout the process:
The board is satisfied that the delegations in place contribute to role clarity and the effective exercise of authority and responsibilities.
The board charter guides directors and executive management on the information requirements to be shared with the board. The onus remains on each director to advise the chairperson and/or CEO should they believe that the information provided is insufficient for informed decision making.
The board has unrestricted access to all company employees, information, records, documents and property. A process to guide directors is provided should they require access. The board, in carrying out its tasks, may obtain outside or other independent professional advice it considers necessary. The board charter sets out the required protocols for requests of this nature.
Our corporate governance structure supports our ability to create value in the short, medium and long term. Through this structure, the board exercises effective control, and builds and protects the organisation's reputation and legitimacy. We consider good corporate governance the responsibility of our board, executive leadership, management and all our employees.
Board committees enhance efficiency by providing focused expertise on specific areas, allowing the board to address a broader range of issues. When used effectively, committees also enhance the objectivity of the board's judgement. As such, to facilitate the execution of its functions, the board delegates activities to its committees through formal terms of reference.
The board retains full and effective control of business and company affairs and does not assume management's functions, which remain the responsibility of the executive directors, prescribed officers and other senior management.
The chairpersons of the board committees meet regularly to consult and collaborate on areas of shared responsibility, activity and interest across the different committees.
The board committees' terms of reference, key focus areas and annual work plans were reviewed in the first quarter of 2025, properly sequenced to follow the approval of the delegation of authority.
The board confirms that it is satisfied that the board committees executed their roles and responsibilities. In this regard it is confirmed that the audit committee has executed the responsibilities set out in paragraph 3.84(g) of the JSE Listings Requirements.
The board, on behalf of the company, recognises the statutory and fiduciary duties of subsidiary companies' directors and particularly their duty to act in the best interests of the subsidiary company at all times whether or not the director is nominated to the board of the subsidiary company (in its capacity as holding company). In the case of a conflict between a director's duties in a subsidiary company and the interests of the company, as holding company, the director's duties in the subsidiary company must prevail.
The group governance framework seeks to mitigate possible tension between the holding company and its subsidiary boards. The subsidiary directors must adhere to the framework and adopted group policies. This does not absolve the directors of subsidiary boards from exercising their fiduciary duties. If directors breach their fiduciary duties, they may be held liable under section 77 of the Companies Act. This responsibility is clearly highlighted for all our subsidiary directors.
The group control and oversight functions are responsible for providing enterprise-wide oversight of operational management and integrated reporting.
Our group control and oversight functions consist of:
The board is responsible for overseeing the effectiveness of the oversight functions and ensuring an effective internal control environment within the group.
Our ERM process is robust and ensures that we identify, assess, manage and mitigate risks across the organisation. The ERM framework is designed to support strategic decision making, safeguard assets and enhance our ability to achieve long-term objectives while creating value for our stakeholders.
We are dedicated to cultivating a culture of risk awareness across all levels of the organisation. We have integrated ERM into our daily operations, ensuring that risk management is embedded in every aspect of the business (top-down, bottom-up approach). The ERM process involves identifying existing and emerging risks, evaluating their potential impact on the organisation, and implementing effective control measures to mitigate them to acceptable levels.
Our ERM framework is aligned with globally recognised best practices, including the ISO 31000 standard on risk management and the Committee of Sponsoring Organizations of the Treadway Commission framework. These principles guide our approach to managing risk in a way that ensures consistency, transparency and accountability across all levels of the organisation.
Through the combined assurance model, we bring together the efforts of internal audit, risk management, compliance teams and external auditors to assess and verify the effectiveness of our risk mitigation strategies. This collaborative approach ensures that we avoid duplication, optimise resources and provide a comprehensive view of how well we are managing risk.
The board plays a proactive role in overseeing our ERM processes, ensuring that risks which could impact our strategic objectives are carefully monitored and managed. Our strategic risk register is regularly updated to ensure it accurately reflects Exxaro's current risk exposures and outlines the mitigation actions taken to address identified risks. The strategic risk profile, which outlines the group's key risks — along with Cennergi's top risks — is reported to the RBR committee and the board on a quarterly basis.
We continuously review and update our ERM framework to ensure it remains aligned with evolving governance standards and regulatory requirements. The company regularly evaluates the effectiveness of its ERM framework, making improvements where necessary.
Our integrated ERM approach aims to mitigate risks and identify opportunities for growth and innovation. This drives sustainable growth and long-term value for our shareholders, employees, customers and other stakeholders.
The board governs technology and information management in a way that supports the organisation in setting and achieving its strategic objectives.
The board mandated the RBR committee to oversee information management strategy governance, integration of the improvement programme's overall direction, context and objective, and ensure alignment with the enterprise business strategy, governance and risk management.
In addition to the oversight of the RBR committee, the audit committee is responsible for ensuring adequate information management governance.
Our foundational policies support these structures by guiding behaviour, expectations and operations. These include the acceptable use of ICT policy, security policy, operations policy, project management policy, asset management policy and the information and communications technology service continuity policy. Together, these form a cohesive governance structure that promotes transparency, efficiency and innovation in our information technology domain.
Information management risks and mitigation measures are monitored continuously, including assessment of emerging risks, and reported to the RBR committee quarterly.
Cybersecurity remains our top risk but is expected to gradually decline as mitigation measures take effect. However, advancements in technology, including AI, cloud computing and unpatched legacy systems, continue to heighten this risk. Additionally, the upcoming enterprise resource planning transformation, driven by the end of maintenance support, presents an emerging challenge. We actively monitor risk treatment plans to ensure their adequacy.
To ensure our disaster recovery programme is robust and resilient, we strategically aligned it with the ISO 27031 guidelines by embedding the plan-do-check-act cycle, a systematic series of steps for continuous improvement of our disaster recovery capabilities.
The group is committed to:
- Maintaining high standards of integrity, professionalism and ethical behaviour in its relationships
- Complying with the letter and spirit of the law and regulations governing its conduct by ensuring the organisation acts with due skill and diligence
- Conducting its business in adherence to statutory, supervisory and regulatory requirements
While we drive compliance with relevant regulatory requirements in our jurisdictions, the law serves as a minimum standard of conduct, and we build a culture that goes beyond complying with the law at all levels.
Our compliance philosophy is captured in a compliance policy approved by the board, which supports ethical and responsible corporate citizenship. The policy seeks to create sustainable value for all stakeholders by striving for operational efficiency, growth and regulatory compliance with applicable laws. Our policy is being revised and will be submitted for approval in 2025.
The board is responsible for ensuring that the group and our employees comply with all applicable laws and regulations, and it considers non-compliance with legal and regulatory requirements a key risk. Accordingly, the board delegated the responsibility for managing Exxaro's compliance risks to the RBR committee.
The RBR committee is responsible for:
The chief strategic resilience and governance officer is responsible for providing a compliance and regulatory compass to the group by promoting a culture of compliance and regular review of the regulatory environment.
Exxaro applies a combined assurance model to optimise assurance by management, as well as internal and external service providers, while fostering a strong ethical climate and mechanisms that ensure compliance. Using our board-approved ERM framework, management identifies key risks we face and implements the necessary internal controls with comparable information for trend analysis where possible.
We remain committed to continuously enhancing our combined assurance process to ensure it remains effective, adaptive and aligned with emerging risks and best practices. Through ongoing evaluation and collaboration among assurance providers, we strive to strengthen our oversight and risk management framework, fostering a culture of transparency and accountability.
The audit committee is responsible for overseeing the use of a combined assurance model to achieve the following objectives:
- Enabling an effective internal control environment
- Ensuring integrity of information used for decision making by management, the board and its committees
- Supporting the integrity of external reports
The combined assurance model, which is based on the five lines of assurance, is in place through the effective functioning of the combined assurance forum. The forum coordinates assurance for our risk exposure, as identified and ranked by the risk management function and aligned to King IV recommended practices for assurance. The forum's activities and outcomes of assurance reports are presented quarterly to the audit committee.
The combined assurance plan focus areas align with the group's strategic risk profile with input from assurance providers. The plan considers the level of assurance from assurance providers in providing the audit committee and board with confidence regarding the effective functioning of the internal control environment. Execution of the assurance plan ensures that the audit committee receives the assurance required in assessing the effectiveness of the risk management function and effective functioning of the control environment.
Exxaro uses an issue tracking management system to capture and track the status of all internal audit and other assurance provider findings. This enables visibility and accountability when addressing identified control weaknesses. All overdue and repeat findings are reported at each audit committee meeting.
Exxaro's internal audit function is partially outsourced to PwC under the management control of Exxaro's head of internal audit. The responsibilities of the internal audit function are detailed in an internal audit charter approved by the audit committee, which is reviewed and approved annually. The internal audit charter informs the role and scope of work of the internal audit function.
To ensure the independence of our audit and assurance functions, the following measures are in place:
The board and audit committee are satisfied with the effectiveness of controls for the year ended 31 December 2024. This conclusion was reached principally through a process of management self-assessment (including formal confirmation by executive management), reports from internal audit, independent external audit and other assurance providers.