GRINDROD SOUTH AFRICA//Policy Risk and opportunity governance framework

Transcription

1 Document number GP24 Revision number 02 Issue date 23 May 2017 Author name Andrew Davies Approval Risk Committee

2 02 CONTENTS 1 Purpose 04 2 Objective 04 3 Risk and opportunity governance policy 04 4 Governance structure 04 5 Roles and responsibilities 06 6 Risk appetite and risk tolerance 06 7 Risk and opportunity governance process 07 8 Annexure A - Risk governance policy 11 9 Annexure B - Matrix of board sub-committees 11

3 03 DOCUMENT APPROVAL Name Designation Date Complied Andrew Davies Group Risk Manager May 2017 Reviewed Cathie Lewis Group Company Secretary May 2017 Approved Grindrod Limited Risk Committee 23 May 2017 Revised Andrew Davies Group Risk Manager September 2017 Reviewed Mandhir Ramruthan Group Risk and Internal Audit September 2017 Approved Cathie Lewis Group Company Secretary September 2017 Grindrod Limited Risk Committee DISTRIBUTION Designation Executive Committee Divisional Executives Senior management Controlled copy number REVISED RECORD Revised number Date of change Page number Description of change GP October 2017 Whole document King IV compliant

4 04 1 Purpose A Risk Governance Framework (the Framework) has been developed for Grindrod for review by the risk committee and approval by the Board. The purpose of the Framework is to set out the Risk Governance Strategy of Grindrod and to give an overview of its Risk Governance Policy, risk reporting and risk appetite. It also describes key aspects of the risk governance process implemented by Grindrod to provide reasonable assurance regarding the achievement of its strategic objectives. 2 Objective This Framework aims to ensure that the activities of Grindrod and its controlled entities are undertaken within the Board approved risk appetite and tolerance levels to protect the profitability, balance sheet and reputation of Grindrod. As a general principle, the risk management process is to be undertaken in conjunction with strategic planning planning and should consider risks and opportunities in an integrated way over the short, medium and long term. In this regard the King IV code states that risk governance should encompass both the: opportunities and associated risks to be considered when developing strategy; and potential positive and negative effects of the same risks on the achievement of organizational objectives. The risks identified and evaluated as part of the annual strategic planning process will be the risks that will affect Grindrod s ability to achieve its strategic objectives. A structured Framework provides a number of beneficial outcomes by: enhancing strategic planning through the identification of risks that may pose as threats to Grindrod s strategic objectives and opportunities that may strengthen the prospects of Grindrod achieving its strategic objectives. encouraging a proactive approach to issues likely to negatively and positively impact Grindrod s the strategic objectives. improving the quality of decision making by providing structured methods for the exploration of risks and opportunities, and allocating resources. supporting consistent behaviours and decision-making with respect to risks and opportunities across the Group. 3 Risk governance policy Grindrod has adopted a Risk Governance Policy (Policy) (Annexure A of this document) designed to protect and enhance resources and enable the achievement of its strategic objectives. The Policy emphasises that risk management is an integral part of Grindrod s business processes. The risk governance policy is based on the following principles. Risk management is: the responsibility of the Board, executives, managers and employees; integrated into all business activities and systems; based on the South African Risk Management Standard SANS ISO 31000:2009; and compliant with the King IV Code. The Risk Governance Policy is supported by existing related policies. 4 Governance structure An effective risk governance framework is dependent on a governance structure that has: defined roles and responsibilities; adequate separation of duties; proper systems of supervision and monitoring of activities and transactions; and risk consciousness and a proactive approach to managing risks and opportunities across the structure.

5 05 Grindrod risk governance structure An organogram setting out Grindrod s committee structure with specific reference to their risk functions is annexed as Annexure B of this document.

6 06 5 Roles and responsibilities Set out below is summary of the responsibilities of the various roles within Grindrod in relation to risk governance and management. Role Board Risk Committee Audit Committee Social and Ethics Committee Nomination Committee Executive Management Divisional Chief Executives Group Risk Management Employees Internal Audit Responsibilities The Board retains the ultimate responsibility for risk governance and for determining the appropriate level of risks and opportunities that Grindrod is willing to accept. The role of the Board with respect to risk governance encompasses both compliance and performance related aspects. The Risk Committee assists the Board in carrying out its risk oversight responsibilities. Ensure the integrity of internal financial controls and identify and manage financial risks. Assist the board to fulfil its corporate governance responsibilities relating to social and economic development, good corporate citizenship, the environment, health and public safety, consumer relations, labour and employment. Keeps the Board s skill and experience base under continued review, conducts search and selection processes for new directors and recommend new appointments to the Board. In addition, the Committee oversees executive succession planning to ensure continuity of senior management at and below Board level. Management is accountable to the Board for designing, implementing and monitoring the process of risk management and integrating it into the day-to-day activities of the company. Management has a mandate to ensure risks are contained within approved risk tolerance levels. Divisional Chief Executives are responsible for the development and implementation of all risk management processes and methodologies within their divisions. Group Risk Manager is responsible for the reporting on the status of key business risks and opportunities within the Group. All Grindrod employees are responsible for the reporting of risks they become aware of. Internal Audit performs an objective assessment of the effectiveness of risk governance. 6 Risk appetite and risk tolerances Risk Appetite is the amount of risk a business is willing to accept in pursuit of specific return on the assumption of sustainable business operations. Risk tolerances are specific boundaries/parameters relative to the residual risk on the specific risk identified. The Risk Committee is responsible for assisting the Board in determining the risk appetite and risk tolerances for Grindrod.

7 07 7 Risk and opportunity governance process Set out below is Grindrod s risk governance process which is based on the South African Risk Management Standard SANS ISO 31000: Identify and understand objectives The starting point to establish the risk context for Grindrod is the overall environment in which the Company operates. Objectives are set with regard to the risk appetite. A level of variation is accepted for objectives (risk tolerance). 7.2 Risk assessment The following risk identification processes are relied upon within Grindrod to ensure risks are identified and reported. Risk identification group Formal risk assessments Normal organisation activities Assessment against standards/audits Incident or event logging Exception reporting Examples Business strategic planning reviews Risk workshops Monthly Management meetings Business and operational managers forums Capital expenditure risk assessments Routine data collection and business data analysis Financial reviews and external audits Six monthly Letters of Assurance Internal Audit and peer reviews Third Party Accreditation reviews Corporate Compliance and Risk Audits SHERQ audits Internal incident reporting incorporating health, safety, environment and property incidents Tip - Offs hotline Monthly exception reporting incorporating legal, IT, employment practices, insurance, SHERQ and tax risks.

8 Consider controls A control is any measure or action that treats risk. Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages risk. Risk treatments become controls, or modify existing controls, once they have been implemented. Management must identify the controls in place to mitigate each risk identified and consider the adequacy and effectiveness of such controls in reducing the likelihood of the risk event arising or mitigating the consequences should the risk event occur. 7.4 Residual risk evaluation Residual risks are those risks that are expected to remain after implementing the planned risk mitigation strategies, as well as those that have been deliberately accepted. Residual risk evaluation is the process of calculating the likelihood of an event and consequence if it were to occur, after consideration of the influence of controls in place to reduce the likelihood and/or consequence. The product of these two variables is the risk rating (i.e. the level of risk = likelihood x consequence). The likelihood of the risk occurring is linked to probabilities. The higher the probability, the higher the likelihood. The likelihood rating scale in the table below is used to determine the likelihood. Liklihood rating Description 1 Rare: Risk will not even occur long term 2 Unlikely: Risk unlikely to occur even medium term 3 Moderate: Risk could occur medium term 4 Likely: Risk certain to occur in the short term 5 Common: Risk is pervasive and occurring regularly The consequences of each identified risk event needs to be determined. When considering the consequences, both monetary and non-monetary consequences need to be considered. The measurements of consequences that do not have a natural monetary value, for example, reputation loss, need to be determined. Reputation loss, for instance, can be measured in loss of market value terms due to a reduction in share price. The main purpose of placing a value on the consequence is to get a feel for the magnitude of risk and its priority. The consequence rating scale in the table is used to determine the consequence. Consequence rating Description 1 Adverse variance for inclusion in management report 2 No material impact on achievement of objectives 3 Disruptive to normal operations with a limited impact 4 Reduced ability to achieve objectives 5 Will not achieve objectives The residual risk rating equals the product of the likelihood rating and the consequence rating. The residual risk is then classified as per the table below. Evaluation range 1 6 Low 8 16 Medium 20 High 25 Critical Matrix evaluation

9 09 The residual risk scores can then be transposed onto a heat map for reporting purposes as follows. 7.5 Residual risk response strategy The tolerance for the residual risk needs to be determined must be aligned with the group risk appetite and risk tolerance approved by the Board. 7.6 Rist treatment If the residual risk for any risks is in excess of the risk tolerances set by the Board, an action plan setting out the steps to treat the risk in order to reduce the risk to tolerable levels together with a reasonable time frame in which the action plan will be implemented must be prepared for management approval. Management will identify and consider different ways that Grindrod can respond to the risks identified during the risk assessment process. These responses opted for will be noted in the risk report. The options for responses will include: Terminating the risk or avoiding the risk by not starting the activity that creates exposure to the risk. Treating the risk, through improvements to the control environment in order to reduce or mitigate the risk. Risk treatment may include methods, procedures, applications, managements systems and the use of appropriate resources that reduce the probability or possible severity of the risk. Transferring the risk exposure, usually to a third party better able to manage the risk, for example, through insurance or outsourcing. Tolerating or accepting the risk, where the level of exposure is as low as reasonably practicable or where there are exceptional circumstances. 7.7 Monitoring and review The information gathered at each stage of the risk management process should be documented in risk registers. Set out below is an overview of the information required in all risk registers. Risk ID # Related strategy Category Specific risk Controls Six Resources of Value Creation Unique identifier assigned to each risk in the register The category the risk fits into under the strategic risk categories identified Describe the risk in detail Current controls in place that reduce the likelihood of the risk event arising or that mitigate the consequences should the risk event occur Analyse key risks identified and how they interact with the 6 Resources (Our Money; Our Assets; Our Skills: Our Relationships; Our People and Our Environment) Residual risk Likelihood rating The chance of the risk/event happening AFTER it is controlled Impact rating Risk rating Colour coding The impact of the risk after the control(s) has been implemented The residual risk rating represents the level of risk/impact associated with a risk AFTER the controls have been implemented to reduce the risk/impact Colour coding based on level after control(s)

10 010 Is Residual Risk Tolerable? Action Plan for Improvement Risk Owner Yes or no? Measure against Board approved risk appetite and risk tolerances where applicable Describes how the chosen treatment options will be implemented Who will monitor this risk and its treatment, i.e. who is the risk owner? In creating the Risk Register, the risk owners (i.e. the persons who are actually accountable for managing the risk and its consequences) can satisfy themselves that they have defined and properly addressed the real risk. It makes it easier to review the risks and ensure that they continue to be complete, relevant and accurate having regard for both internal and external changes. Documentation of risks is the foundation for any meaningful verification process by senior management, the Board, the Risk Committee or other Committees of the Board and internal and external auditors of the ongoing existence and relevance of, and compliance with, the risk governance process. Risk Registers should be dynamic documents; that is, as any risk, opportunity, consequence, probability or mitigator changes, the register should be updated to reflect the current situation. As a minimum the Grindrod Risk Register is reviewed by the Grindrod Risk Committee every six months. The monitoring and review process will examine how robust the selected risk controls and management strategies are, as well as monitor the effectiveness of all steps in the risk governance process. Divisional key risks are discussed and reviewed on a continual basis as a formal agenda item at Opco / Exeo / board meetings, as applicable. The status of the key risks should be evaluated by examining any changes to the risk and the effectiveness of the controls in place. 7.8 Communication and consulting As risks are interrelated, it is essential that communication and consultation with stakeholders across the company takes place at each stage of the risk governance process. Communication should address the risk and the process to manage it. Effective internal and external communication is important to ensure that those responsible for implementing the risk management system and those with a vested interest understand the basis on which decisions are made and why particular actions are required. Communication is a two-way process; it must flow upwards through management to the Board, and downwards to all staff from the Board. 7.9 Risk governance continuous improvement The Framework is aligned to the principles of continuous improvement. It requires management to continually identify, assess, mitigate, review and report risks and opportunities within their business units so that all risks are mitigated and managed to an acceptable level in accordance with Grindrod s risk appetite statement and all opportunities are considered. Internal audit will perform an objective assessment of the effectiveness of Grindrod s risk governance process annually.

11 011 8 Annexure A Risk governance policy Grindrod is committed to the management of: Risks affecting Grindrod s reputation; Risks affecting Grindrod s management of and accountability for its performance against strategic objectives; Risks affecting its service delivery obligations, its regulatory framework and business/stakeholder relationships. Risks affecting its assets and intellectual property; and Risks affecting safety, security, health and the environment. To achieve this aim, risk governance standards based on ISO and King IV will be maintained and continually improved. These risk governance standards will involve: The design and implementation of a risk governance program to reasonably assure the achievement of strategic objectives; Regular risk workshops for the purposes of identifying, evaluating and mitigating risks and identifying and considering opportunities; The monitoring, review and reporting of risk governance to the board; A co-ordinated assurance process between management, Risk and Internal Audit and the MRG to develop and implement a rigorous Risk Control Programme based on the MRG Risk Control Standards; Risk and opportunity governance education and training; and An insurance strategy which manages predictable losses, self-insures consistent with optimal risk financing and uses secure insurance markets to insure against catastrophic losses. Risk governance is: the responsibility of the Board, executives, managers and employees; integrated into all business activities and systems; based on the South African Risk Management Standard SANS ISO 31000:2009; and compliant with the King IV. The Risk Governance Policy is supported by the Grindrod Risk Governance Framework and existing related policies. The effective governance of risk is vital to the continued growth and success of Grindrod. 9 Annexure B Matrix of board sub-committees The Board Sub-Committees, listed below, are constituted as standing committees of the Board in terms of section 72 and 94 of the Companies Act. The Board delegates certain functions to these committees without abdicating its own responsibilities. These committees have an independent and monitoring role, advisory in nature and a maker of recommendations. A key aspect of these committees mandate is the oversight role of specific risks. The risks covered and the committee processes followed are detailed below: Board sub-committees # Risk category Social and ethics Audit Nomination Remuneration 9.1 SHERQ* ü 9.2 Reputational* ü 9.3 Empowerment/B-BBEE* ü ü 9.4 Loss of key senior/executive management* ü ü 9.5 Legal/Policy compliance** ü ü 9.6 IT** ü 9.7 Fraud** ü ü * Top Group Risk ** Pervasive Group Risk ü Primary Committee that oversees the management of this risk ü This Committee oversees the management of aspects of this risk

12 SHERQ risk Social and ethics committee: Takes into consideration and records the actions taken to reduce the negative impact of the company s activities, products and/or services on the environment, health and public safety. Monitors and considers the ESG reporting according to the FSTE/JSE Responsible Investment Index Themes. 9.2 Reputational risk Social and ethics committee: Monitor and reviews social and economic standing in terms of: Goals and purposes of the 10 principles set out in the United Nations Global Compact Principles. OECD recommendations regarding corruption. Promotion of equality, prevention of unfair discrimination and reduction of corruption as well as contributions to development of communities in which its activities are predominately conducted. Recording of sponsorships, donations and charitable giving. Upholding and maintaining best practice corporate governance, as set out in King III. Identifying and reviewing items that conflict with the practice of good corporate. citizenship, the Code of Ethics and/or any other policy that is of an ethical nature. Reviews and monitors policies on whistleblowing, or any other policy that may require independent investigation. Reviewing and monitoring the ethical framework. Monitors the relationships with all stakeholders. Assess and monitor the company s standing in terms of the International Labour Organisation Protocol on decent work and working conditions, employment relationships and contribution by the company towards the educational development of its employees. Draws to the attention of the Board and shareholders, matters within its mandate as they occur and at the annual general meeting respectively. 9.3 Empowerent/B-BBEE risk Social and ethics committee: Monitors that Grindrod has embraced and duly executed the necessary measures to ensure the proper implementation of transformation and B- BBEE and; Ensures that the Group develops and implements programmes to address the requirements of B-BBEE and all other appropriate legislation. Inculcates the culture of developing people to achieve their optimum potential in the implementation of transformation processes and establishment of empowerment businesses. This should form part of the business plan of the company. Assists in identifying special projects/initiatives to uplift disadvantaged communities within the areas where the company s operations are situated, in line with the Group s socio economic development policy, with specific focus on educational upliftment. 9.4 Loss of Key Senior/Executive Management risk Nomination committee: Monitors formal succession plans for the Board, Chief Executive Officer, Financial Director, Executive members and Senior Management. Remuneration committee: Reviews and monitors the implementation of the remuneration policy that will promote the achievement of the strategic objectives of the company and encourage individual performance. Monitors the specific remuneration packages for Executive Directors and Executive members of the company, including but not limited to, basic salary, performance based short-term and long term incentives, pensions and provident funds, medical aid and other benefits. Ensures that the mix of fixed and variable pay in cash, shares and other elements meets the company s needs and is in line with the company s strategic objectives. Monitors long term incentives and the allocation of shares and rights in terms thereof. Monitors salary adjustments for employees outside the bargaining unit, the Profit Share Incentive Scheme for all employees and the staff retention strategy policy.

13 Legal/policy compliance risk Audit committee: Monitors legal compliance at a group level and assists the company in ensuring that any/all appropriate, applicable charters and policies are adequately addressed. Monitors legal compliance relating to human capital and should recommend to the Board on areas that may require additional resources/ attention. 9.6 IT risk Audit committee: Provides oversight on following IT risks and activities: IT Governance (King III/COBIT). Group IT Operating Model. Application and infrastructure landscape. Project Management Office (PMO). 9.7 Fraud risk Audit committee: Provides oversight on financial reporting risks, internal financial controls, fraud risks as it relates to financial reporting. Social and ethics committee: Monitors and reviews: OECD recommendations regarding corruption. Policies and statistics on whistleblowing. Fraud risk management plan. Material fraudulent activities.