A robust governance framework enables the execution of governance responsibilities at all levels of the organisation.
The group governance framework applies to Exxaro Resources Limited and all our subsidiaries, including entities where Exxaro exercises control. It guides the application of governance practices at group, subsidiary and operational levels, ensuring that governance arrangements align with Exxaro's values and risk profile.
This framework is fit for purpose for Exxaro as a South African listed group with significant and geographically diverse operations. It supports Exxaro's listing on the JSE by explaining how the group board executes its direction and oversight responsibilities, and what it expects from subsidiary boards.
The framework establishes the minimum group-wide governance requirements each entity must comply with to ensure that the group meets Exxaro's governance obligations. Each entity's board is responsible for discharging its fiduciary duties at the individual entity level. Achieving the intended outcomes of the group governance framework requires appropriate governance structures and behavioural and cultural alignment across the group.
Exxaro's governance approach is grounded in accountability, transparency, fairness and responsibility, reflecting the group's commitment to ethical leadership and sustainable value creation. It is informed by King IV and international best practice and adopts an integrated approach that balances compliance obligations with performance objectives.
Management reviewed the group governance framework, which is scheduled for submission to the board for approval in 2026.
The delegation of authority policy and framework define the limits of authority designated to specific positions of responsibility in the company and the group's management structure. They also define commitments and transactions that may include capital amounts approved by individuals on our behalf. Final approval of commitments and transactions outlined in the policy must always be made by parties with designated authority.
In 2025, the group's delegation of authority policy and framework were reviewed through consultations with executive heads and key stakeholders across the group. These engagements assessed current delegations and accountabilities, with feedback used to refine authority levels, clarify responsibilities under the new management structure and align the framework with Exxaro's governance principles and operating model.
In November 2025, following the recommendation of the RBR committee, the board approved the revised delegation of authority policy and framework.
The board is satisfied that the delegations in place contribute to role clarity and the effective exercise of authority and responsibilities.
The board charter guides directors and executive management on the information to be shared with the board. The onus remains on each director to advise the chairperson and/or CEO should they believe that the information provided is insufficient for informed decision making.
The board has unrestricted access to all company employees, information, records, documents and property. A process to guide directors is provided should they require access. The board, in carrying out its tasks, may obtain outside or other independent professional advice it considers necessary, with the board charter setting out the required protocols for such requests.
Exxaro's corporate governance structure supports our ability to create value in the short, medium and long term. Through this structure, the board exercises effective control and safeguards the organisation's reputation and legitimacy. Good corporate governance is the responsibility of our board, executive management, senior management and all employees.
Board committees enhance efficiency by providing focused expertise on specific areas, allowing the board to address a broader range of issues. When used effectively, committees enhance the objectivity of the board's judgement. To facilitate the execution of its functions, the board delegates activities to board committees through formal terms of reference.
The board retains full and effective control of business and company affairs and does not assume management functions, which remain the responsibility of the executive directors, prescribed officers and other senior management.
The chairpersons of the board committees consult regularly to collaborate on areas of shared responsibility, activity and interest across the different committees.
The board approved its committees' terms of reference and annual work plans in November 2025, and the 2026 key focus areas in the first quarter of 2026.
The board confirms that it is satisfied that the board committees executed their roles and responsibilities. In this regard, the board confirms that the audit committee executed the responsibilities set out in paragraph 5.7(h) of the JSE Listings Requirements.
The board recognises the statutory and fiduciary duties of directors of subsidiary companies. Directors must always act in the best interest of the subsidiary company, irrespective of their nomination by the company in its capacity as the holding company. If a conflict arises between a director's duties to a subsidiary company and the interests of the holding company, the director's duties to the subsidiary company prevail.
The group governance framework mitigates potential tension between the holding company and subsidiary boards. Subsidiary directors must adhere to the framework and adopted group policies; however, this does not absolve them from exercising their fiduciary duties. Directors who breach their fiduciary duties may be held liable under section 77 of the Companies Act. This responsibility is clearly articulated to all subsidiary directors.
The group control and oversight functions are responsible for providing enterprise-wide oversight of operational management and integrated reporting. Our group control and oversight functions include:
The board is responsible for overseeing the effectiveness of these oversight functions and ensuring an effective internal control environment within the group.
The board plays a proactive role in overseeing our ERM processes, ensuring that risks which could impact our strategic objectives are carefully monitored and managed. Our strategic risk register is regularly updated to accurately reflect Exxaro's current risk exposures and to outline the mitigation actions taken to address identified risks. The strategic risk profile, which outlines the group's key risks, along with Cennergi's top risks, is reported quarterly to the RBR committee and the board.
We continuously review and update our ERM framework to ensure it remains aligned with evolving governance standards and regulatory requirements. The company regularly evaluates the framework's effectiveness, making improvements where necessary.
The board governs technology and information management to support the organisation in setting and achieving its strategic objectives.
The board mandated the RBR committee to oversee Exxaro's information management strategy, including governance, the integration of the improvement programme's direction and objectives, and alignment with the enterprise business strategy, governance framework and risk management.
In addition to the RBR committee's oversight, the audit committee is responsible for ensuring adequate information management governance.
Our governance structures are supported by key ICT policies that guide the use, management and security of technology across the organisation. The board reviewed and approved the acceptable use of ICT systems and services policy and security policy to ensure they remain aligned with current regulatory requirements, risk considerations and evolving operational needs.
Information management risks and mitigation measures are monitored continuously, including assessment of emerging risks, and reported to the RBR committee quarterly.
Cybersecurity remains a material risk in the organisation due to the rapidly changing threat landscape. We enhanced our cybersecurity posture through targeted improvement initiatives, and the enterprise information management risk register was reviewed and refreshed to ensure emerging cyber and technology risks are actively managed. Several cybersecurity awareness campaigns were held across the organisation to reinforce employee awareness and encourage safer digital behaviours, recognising that informed employees are a critical line of defence against cyber threats.
Disaster recovery preparedness remains a priority. Continuous testing is conducted to ensure that critical systems and services can be effectively restored in the event of failure, thereby enhancing organisational resilience and continuity.
The group is committed to:
Maintaining high standards of integrity, professionalism and ethical behaviour in our relationships
Conducting our business in adherence to statutory, supervisory and regulatory requirements
Complying with the letter and spirit of the law and regulations governing our conduct by ensuring the organisation acts with due skill and diligence
While we ensure compliance with relevant regulatory requirements in our jurisdictions, we treat the law as a minimum standard of conduct and build a culture that goes beyond complying with the law at all levels.
Our compliance philosophy is captured in a board-approved group compliance policy, which supports ethical and responsible corporate citizenship and seeks to create sustainable value for all stakeholders by promoting operational efficiency, growth and regulatory compliance with applicable laws. The group compliance policy was approved by the board in 2025.
The board is responsible for ensuring that the group and our employees comply with all applicable laws and regulations and considers non-compliance a key risk. Accordingly, the board delegated responsibility for managing Exxaro's compliance risks to the RBR committee.
The RBR committee is responsible for:
The FD is responsible for providing a compliance and regulatory compass to the group by promoting a culture of compliance and regularly reviewing the regulatory environment.
Exxaro applies a combined assurance model, while fostering a strong ethical climate and effective compliance mechanisms.
Read combined assurance for effective governance for details on our combined assurance approach
We remain committed to continuously enhancing our combined assurance process to ensure it remains effective, adaptive and aligned with emerging risks and best practices. Through ongoing evaluation and collaboration among assurance providers, we strive to strengthen our oversight and risk management framework, fostering a culture of transparency and accountability.
The audit committee is responsible for overseeing the use of the combined assurance model to achieve the following objectives:
Enabling an effective internal control environment
Ensuring the integrity of information used for decision making by management, the board and its committees
Supporting the integrity of external reports
The combined assurance model, based on the five lines of assurance, functions through the combined assurance forum. The forum coordinates assurance for our risk exposure, as identified and ranked by the risk management function and aligned to King IV recommended practices for assurance. The forum's activities and outcomes of assurance reports are presented quarterly to the audit committee.
The combined assurance plan's focus areas align with the group's strategic risk profile, with input from assurance providers. The plan considers the assurance level provided in giving the audit committee and board confidence regarding the effective functioning of the internal control environment. Executing the assurance plan ensures the audit committee receives the assurance required to assess the effectiveness of the risk management function and the control environment.
Exxaro uses an issue tracking management system to capture and track the status of audit findings. This enables visibility and accountability when addressing identified control weaknesses. All overdue and repeat findings are reported at each audit committee meeting.
Exxaro's internal audit function is partially outsourced to the PwC consortium under the management control of Exxaro's head of internal audit. The internal audit function's responsibilities are detailed in the internal audit charter, which the audit committee reviews and approves annually. The charter informs the role and scope of work of the internal audit function.
To ensure the independence of our audit and assurance functions, the following measures are in place:
The board and audit committee are satisfied with the effectiveness of controls for the year ended 31 December 2025. This conclusion is supported by a formal combined assurance model, which is designed to optimise the assurance obtained from management, internal audit, external audit and other assurance providers.
The combined assurance approach enables a coordinated and integrated assessment of significant risks and controls, enhances assurance coverage and supports the integrity of the group's reporting. Based on the results of the combined assurance processes and the information presented, the board and audit committee did not identify any material breakdowns in the system of internal control during the reporting period.
