Enterprise Risk Management Framework

Transcription

1 Enterprise Risk Management Framewrk [ Date Apprved ] / Versin 1.0 Draft v.02 ERM Framewrk Custdian RBPlat Bard Dcument Owner Executive: Risk and Assurance

2 ERM Framewrk DRAFT v0.2 DOCUMENT HISTORY REVISION HISTORY Revisin Date Dc Versin Summary f Changes Authr / Reviewer 04/10/ Dcument Creatin Reginald Haman 29/10/ Changes frm varius Executives Reginald Haman APPROVALS This plicy requires at least signatries frm representatives frm the fllwing cmmittees: Name Rle Dc Versin Apprval Signature Date DISTRIBUTION This plicy has been distributed t: Name Rle Dc Versin Cnsulted / Infrmatin Date DOCUMENT PURPOSE The purpse f this dcument is t utline the Enterprise Risk Management (ERM) Framewrk within RBPlat which cntextualizes risk management and describes the cmpnents theref, as a whle, within ur business as well as hw RBPlat implements these cmpnents. DRAFT Page 2

3 ERM Framewrk DRAFT v0.2 Table f Cntents 1.0 EXECUTIVE SUMMARY ERM OBJECTIVES ERM FRAMEWORK DEVELOPMENT INTRODUCTION THE ENTERPRISE RISK MANAGEMENT ENVIRONMENT THE JOURNEY OF ERM ERM CONTEXT ERM CULTURE - BEHAVIOURS ERM PHILOSOPHY ERM VISION ERM OBJECTIVES ERM FRAMEWORK OVERRIDING PRINCIPLES BUSINESS STRATEGY, ERM STRATEGY AND RISK APPETITE ERM GOVERNANCE ERM PROCESSES RISK CALCULATIONS ERM POLICIES RISK REPORTING ERM COMMUNICATION, EMBEDDING, MONITORING, REVIEWING AND IMPROVING PEOPLE AND CULTURE APPENDIX A: DOCUMENTS REFERENCED IN THIS DOCUMENT DRAFT Page 3

4 ERM Framewrk DRAFT v0.2 Table f Figures Figure 1: RBPlat ERM maturity mdel Figure 2: RBPlat Risk Philsphy Cmpnents Figure 3: RBPlat ERM Framewrk Figure 4: RBPlat Risk Appetite Apprach Figure 5: RBPlat Risk Appetite Input Cnsideratins Figure 6: RBPlat Risk Appetite Decisin Filters Figure 7: Risk appetite cnstructin Figure 8: RBPlat 'Three Lines f Defence' Gvernance Mdel Figure 9: Business Dependency Mdel Figure 10: RBPlat Risk Appetite calculatin Figure 11: Risk Gvernance Cmmunicatin DRAFT Page 4

5 ERM Framewrk DRAFT v EXECUTIVE SUMMARY The underlying premise f Enterprise Risk Management is that every entity exists t prvide value fr its stakehlders. All entities face uncertainty and the challenge fr management and the Bard is t determine hw much uncertainty t accept, as it strives t grw stakehlder value. Uncertainty presents bth risk and pprtunity, with the ptential t erde r enhance value. Enterprise Risk Management enables management t effectively deal with uncertainty and assciated risk and pprtunity, enhancing the capacity t build value. The aim f the Enterprise Risk Management framewrk is t prvide a structure within which management can perate t enfrce the pr-active Enterprise Risk Management prcess and t inculcate a risk management culture thrughut RBPlat and its mining peratins and t further ensure that the risk management effrts f RBPlat are ptimised. RBPlat describes risk as the ptential that an undertaken actin r activity will nt result in RBPlat achieving its strategic business bjectives but thrugh the use and applicatin f suitable respnse prcedures and/r cntrls t reduce the impact n strategic business bjectives Sme f the key changes affecting the mining industry which are frcing it t dynamically change the way business is cnducted includes: Intrductin f new legislatin by regulatrs and gvernment Recent develpments in terms f labur relatins which will changed the future mining landscape Glbal ecnmic turmil and its impact n financial markets Challenging peratinal envirnment (e.g. csts and grade) in the platinum mining sectr The impact f climate change and assciated catastrphe risks assciated therewith The intrductin f these changes t an industry which has been largely relatively stable has led t a fcus n risk management. The develpment f the ERM framewrk has been cmmissined by the RBPlat Bard and Executive Cmmittee wh believe it t be gd business practice and an integral part f RBPlat s apprach t managing the changes mentined abve. The develpment f the framewrk is als a key requirement f King 3 and will enhance cmpliance t the new Cmpanies Act and ther relevant legislatin ERM Maturity Mdel The ERM maturity mdel (figure 1, pg 10) describes which stages RBPlat (and ther rganisatins) g thrugh in rder t grw int mastery in Enterprise Risk Management. While this grwth is a lngterm prcess and substantial effrt is required t mve between each ERM maturity stage, RBPlat is cmmitted t mve frm its current state ( Emerging ) t a state f Optimised by 2015 thereby nt nly ensuring imprved ERM practices but als bringing RBPlat in line with the industry leaders in risk management. DRAFT Page 5

6 ERM Framewrk DRAFT v ERM OBJECTIVES The RBPlat ERM Objectives are: T supprt the Bard f Directrs in its respnsibilities with respect t the furtherance f the safe and sund peratin f the business and the prtectin f all stakehlder interests T institute apprpriate (with due cnsideratin fr the nature, scale, and cmplexity) resurces, strategies, plicies, and prcedures fr identifying, measuring, mnitring, managing, and reprting f all material risks RBPlat may be expsed t and which is able t be adapted as the business and the external envirnment change Establish an enterprise wide risk awareness culture f identifying, quantifying managing and reprting f risks within all levels f the rganisatin i.e. strategic, prcess, peratinal level Identify and seize business pprtunities and meet acquisitin targets (where required) Enhance the internal cntrl envirnment in RBPlat Ensure Earnings Stability Prtect against unfreseen lsses Meet all regulatry requirements where applicable T supprt the attainment f these bjectives, RBPlat has adpted: The implementatin f a Risk and Cmpliance Management Cntrl Functin, Internal Audit Cntrl Functin (utsurced) a Sustainable Develpment Cntrl functin, which includes Safety, Health and Envirnment and Cmmunity Develpment (at the mining peratins). A Cmpliance Framewrk t ensure adherence t all regulatry requirements, including thse pertinent t risks and risk management. In additin, RBPlat will aim t develp and implement: An internal Cntrl Framewrk which will prvide management cntrl assurance and will fcus n imprving ur ability t manage risk effectively, s that we can quickly and cnfidently act n pprtunities t gain cmpetitive advantage, create further value and achieve sustained grwth. A Gvernance Framewrk which will ensure gd gvernance is achieved thrugh the regular measurement, reprting and cmmunicatin f risk management perfrmance. This will include measuring the prgress f risk management plans and assessing the verall maturity f the risk management prgramme. A Cmbined Assurance Plan t ensure adequate assurance is prvided acrss the RBPlat business, especially with financial and peratinal cntrl systems RBPlat cmmits the necessary risk, finance, cmpliance, internal audit, and gvernance resurces t ensure that the ERM bjectives are achieved. DRAFT Page 6

7 ERM Framewrk DRAFT v ERM FRAMEWORK DEVELOPMENT The detail cntained in the dcument herein will prvide a prcess fr management t guide the practive risk and cmpliance management prcess and inculcate a risk management culture thereby ensuring that the strategic bjectives f the business are ptimised. The ERM Framewrk specifically addresses the structures, prcesses and standards implemented t manage risks n an enterprise-wide basis in a cnsistent manner. The framewrk further addresses the specific respnsibilities and accuntabilities fr the ERM prcess and the reprting f risks and incidences at varius levels within RBPlat ensuring thrugh and transparent gvernance prcesses The Framewrk als aims, t embed the culture and practice f risk management in ur day-t-day business activities aligning strategy, prcesses, peple, technlgy and knwledge with the purpse f evaluating and managing the uncertainties RBPlat faces in creating stakehlder value. Risk Management must be actively managed and reinfrced t ensure that it becmes part f RBPlat s business culture. Dcumentatin f the ERM framewrk will prvide the initial base fr the prgressin f RBPlat up the ERM maturity scale (described abve) t a target state f Optimised by It is prudent t nte that cncepts dcumented within this dcument are in line with existing and anticipated legislatin in the mining sectr in the frthcming year. The dcument wner is very cgnisant f the fact that future editins f the ERM framewrk will take new requirements int accunt and cnstant alignment is anticipated. DRAFT Page 7

8 ERM Framewrk DRAFT v INTRODUCTION The underlying premise f ERM is that every entity exists t prvide value fr its stakehlders. All entities face uncertainty and the challenge fr management and the Bard is t determine hw much uncertainty t accept, as it strives t grw sharehlder value. Uncertainty presents bth risk and pprtunity, with the ptential t erde r enhance value. Enterprise Risk Management enables management t effectively deal with uncertainty and assciated risk and pprtunity, enhancing the capacity t build value. Value is maximised when management sets bjectives t strike an ptimal balance between grwth and related risks, and effectively deplys resurces in pursuit f the entity s bjectives. It is accrdingly accepted by all stakehlders that RBPlat will manage the risks faced in its business in an apprpriate manner. This dcument utlines the RBPlat Enterprise Risk Management Framewrk. The aim f the ERM Framewrk is t prvide a structure within which management can perate t enfrce the pr-active ERM prcess and t inculcate the risk management culture thrughut RBPlat and t further ensure that the risk management effrts f RBPlat are ptimised. It describes RBPlat s enterprise risk management prcesses and sets ut the requirements fr management in generating risk management actin, tgether with furthering risk management assurance. This dcument further sets ut RBPlat s apprach n the management f risk at all levels f the rganisatin. The ERM Framewrk specifically addresses the structures, prcesses and standards implemented t manage risks n an enterprise-wide basis in a cnsistent manner. The standards further address the specific respnsibilities and accuntabilities fr the Enterprise Risk Management prcess and the reprting f risks and incidences at varius levels within RBPlat. RBPlat describes a risk as the ptential that an undertaken actin r activity will nt result in achieving ur strategic business bjectives but thrugh the use f suitable respnse prcedures and / r cntrls, the impact n ur strategic business bjectives can be reduced. Risk management can thus be defined as activities that are undertaken t reduce expsure t lss. Risk management is f the utmst imprtance t mining cmpanies because f the inherent high risk envirnment f the industry. There are a hst f activities invlved in mining related risk management requiring bth specialised skills and centralised versight t perfrm successfully. In cnjunctin, there are als multiple changes currently affecting the mining industry glbally and lcally and future changes are expected t ccur as well and these activities are beginning, apprpriately, t fall under tighter executive management scrutiny and cntrl. Sme f the key changes affecting the mining sectr which are frcing it t dynamically change the way business is cnducted include: Intrductin f new legislatin and cdes f gd practice by regulatrs/ legislatrs Changing business envirnment due t the recent breakdwn f emplyee/ unin/ emplyers relatinships Glbal ecnmic crises and its impact n financial markets DRAFT Page 8

9 ERM Framewrk DRAFT v0.2 The impact f climate change n mining peratins and the ptential catastrphe risks assciated therewith The intrductin f these changes t an industry, which has been relatively stable, has led t an increased fcus n risk management. The ERM Framewrk will fcus n the enhancing f gvernance and cntrl functins as well as apprpriate risk management prcesses t facilitate the financial and business sustainability f mining and related cmpanies. In additin, it will als ensure cmpliance t existing and frthcming legislatin including but nt limited t: The Cmpanies Act (Act N. 71 f 2008) (with amendments) King Cde f Gvernance Principles (King III) ISO 31000:2009 Risk Management Standard Mineral and Petrleum Resurces Develpment Act (with amendments) Mine Health and Safety Act Natinal Envirnmental Management Act Natinal Water Act Natinal Energy Act Plicy and Standards related t Climate risk Other relevant legislatin By defining the ERM framewrk, it lays the platfrm t ensure effective assurance t internal and external stakehlders that RBPlat is familiar with the risk universe within which it perates, in rder t meet its set bjectives, and are able t manage it apprpriately THE ENTERPRISE RISK MANAGEMENT ENVIRONMENT RBPlat s Definitin f Enterprise Risk Management Acrss RBPlat, value is managed n an enterprise-wide basis, and thus it stands t reasn that the risks arising frm business activities t create this value shuld als be managed at the enterprise level. Enterprise Risk Management (ERM) is the prcess that ensures an integrated apprach t the management f risks within a cmplex and ever changing envirnment. An integrated ERM framewrk allws risk-based decisin making and prvides a streamlined prcess fr evaluating pprtunities within the business. An enterprise apprach t managing risks invlves all functinal and/r peratinal divisins and each emplyee is encuraged t participate in the ERM prcess and bears respnsibility fr cnducting at their rle in the cntext f rganisatinal risk management. The nature f mining is uncertainty, which presents bth risk and pprtunity, with the ptential t erde r enhance value and the challenge fr executive management is t determine hw much uncertainty t accept in the achievement f ur business bjectives. Enterprise risk management enables management t effectively deal with uncertainty and the assciated risk and pprtunity, thus DRAFT Page 9

10 ERM Framewrk DRAFT v0.2 enhancing the capacity t build value. This implies that risk management is nt risk avidance it is maximizing the risk/return relatinship it is abut taking risks knwingly nt unwittingly and is an integral part f gd management practice and an essential element f gd crprate gvernance Benefits f Enterprise Risk Management Thrugh the implementatin f ERM, the fllwing main benefits can be derived: Better alignment between RBPlat s strategy and the management f risk assciated therewith (which implies an increased likelihd f achieving the strategy) Fewer shcks and unwelcme surprises acrss the rganisatin Assurance t internal and external stakehlders that RBPlat is aware f its risk and regulatry universe applicable t its perating envirnment and is able t manage it adequately Ability t better uncver new pprtunities and challenges Adptin f industry best practice fr the management f risk within the mining industry 2.2. THE JOURNEY OF ERM ERM Maturity Mdel The ERM maturity mdel describes which stages RBPlat (and ther rganisatins) g thrugh in rder t grw int mastery in Enterprise Risk Management. While this grwth is a lng-term prcess and substantial effrt is required t mve between each ERM maturity stage, RBPlat is cmmitted t mve frm its current state ( Emerging ) t a state f Optimised by 2015 thereby nt nly ensuring imprved ERM practices but als bringing RBPlat in line with best practice fr risk management. It will als ensure that ther risk categries reach the same level f maturity as the SHE risk management prcess, but mre imprtantly the full alignment f risk management acrss the cmpany. ERM is a dynamic cncept and the framewrk will require cnstant revisiting and updating t meet RBPlat s strategic bjectives and the needs f industry and regulatin. The ERM Framewrk will certainly evlve as RBPlat matures in risk management. The maturity mdel is displayed belw: Mastery Optimised Prgresive Basic N explicit risk strategy Sil apprach, incnsistent methdlgy Address risks individually, fcus n cmpliance Fcus n new risk categries Fcus n threats, n pprtunity management Risk is nt my business mentality Emerging Current Maturity 2012 Maturity Target 2015 RBPlat quted as best practice Pervasive risk management, integrated with cmpany strategy and prcesses, fcussing n value Self-mnitring, integrated with EPM Fully integrated risk prtfli Advance tls (real-time, mnte- carl simulatins, etc) Risk is everybdy s business mentality Figure 1: RBPlat ERM maturity mdel DRAFT Page 10

11 ERM Framewrk DRAFT v ERM CONTEXT 3.1. ERM CULTURE - BEHAVIOURS All stakehlders within the RBPlat value chain are respnsible fr the management f risk in accrdance with the RBPlat ERM philsphy. The table belw describes the right Risk Management behaviurs we expect all RBPlat internal stakehlders (e.g. emplyees, cntractrs, etc.) and external stakehlders (e.g. assciated cmpanies, utsurce partners etc.) t have. What kind f Risk culture d we want? Stakehlders take wnership fr the risks in their envirnment and understand hw they impact n RBPlat. Stakehlders respnd apprpriately t risk infrmatin Stakehlders understand the value f rules and plicies, adhere t, and challenge them when necessary Cnfidence t highlight and challenge inapprpriate decisins and infrmatin The right risk decisins are made by the right peple Risk infrmatin penly and transparently shared between teams The key Risk Management Behaviurs Gd business understanding Timeus and apprpriate respnse t risk situatin Adherence t Standards Clear, pen cmmunicatin channels Cnfidence Cllabrative cmmunicatin Behaviur Traits Stakehlders need t understand, articulate and cnsistently apply the risk/pprtunity 'trade ff' in their business decisin making Stakehlder must be able t identify their risk cmpnents and be clear in articulating them Stakehlders must be clear n the impact f the risks in their business decisin making Stakehlders must be able t implement effective cntrls Stakehlders must reacting and respnd apprpriately t new risk infrmatin Take crrect actin where necessary Stakehlders understand, cmply t and advcate the use f all risk plicies, standards and gvernance framewrks acrss RBPlat Rules are adhered t and where nt, they are penly challenged Risk issues are penly raised, questined and highlighted. There is receptiveness t delivering r receiving bad news Being prepared t challenge and be challenged Stakehlders feel empwered t make risk based decisins within a limits and authrity framewrk Risk infrmatin flws penly within and acrss the rganisatin Risk infrmatin is shared and used cnstructively Table 1: Table f the right Risk Management behaviurs 3.2. ERM PHILOSOPHY RBPlat views risk nt nly as a threat r uncertainty, but als as an pprtunity t grw and develp the business, within the cntext f ur risk appetite. The underlying premise f the RBPlat Risk Management philsphy is a thrugh understanding f the risk expsures f RBPlat in rder t ensure that management and the Bard are apprpriately infrmed t take strategic decisins in the interests f the sharehlder and ther stakehlders. The risk management system, plicies and prcedures shuld be embedded within the rganisatinal culture and be cnsistent with ur lng term strategy. DRAFT Page 11

12 ERM Framewrk DRAFT v0.2 Our risk philsphy is the fundatin fr ur risk strategy and is cmprised f three elements: Figure 2: RBPlat Risk Philsphy Cmpnents Risk Philsphy Element Descriptin 1. Risk Understanding RBPlat will endeavur t identify all material risks within its peratins and understand hw they impact the business RBPlat will ensure that it understands (and meet) all assciated regulatry requirements placed n these risks RBPlat will limit the taking n f significant risks r risks that wuld threaten its future ability t perate its mining peratins r risks that d nt meet set regulatry requirements RBPlat will ensure it has the apprpriate skills and systems t manage these risks and where this is nt pssible; we will limit expsure t such risks until we have develped apprpriate expertise. 2. Risk Adptin Only risks that d nt fundamentally threaten RBPlat s ability t cntinue its mining peratins will be accepted When adpting risks, RBPlat will take a grup-wide perspective but recgnise that business divisins/ peratins have the expertise and chice f whether r nt t take n certain risks. 3. Apprpriate Risk Management fr Value Creatin Table 2: RBPlat Risk Philsphy Element Descriptins 3.3. ERM VISION The RBPlat ERM Visin Outcmes: In executing the business strategy, RBPlat will seek t ptimise the risk/return trade ff (as ppsed t taking a purely lss-minimisatin apprach). Risk is cnsidered in terms f bth the ptential reward it brings and the threat it presents. In particular, the risk must be apprpriately rewarded, allwing fr all its characteristics, fr the expected return and the relative upside and dwnside it brings. Risk Management is driven frm the tp Risk Management meets all internal and external stakehlder requirements RBPlat has a cmprehensive understanding f the risks it faces as a business RBPlat is cnfident in its selectin f which risks t adpt and hw t manage them Risk management techniques are cnsistently applied t generate value Effective risk management is an inherent part f all ur day-t-day rles, thus enhancing the quality f strategic, capital allcatin and day-t-day business decisins Staff remuneratin and incentives explicitly take int accunt the extent t which risk expsures have linked int results delivered, and whether these risk expsures have cmplied with the agreed risk appetite DRAFT Page 12

13 ERM Framewrk DRAFT v ERM OBJECTIVES The RBPlat ERM Objectives are: T supprt the Bard f Directrs in its respnsibilities with respect t the furtherance f the safe and sund peratin f the business and the prtectin f all stakehlder interests T institute apprpriate (with due cnsideratin fr the nature, scale, and cmplexity) resurces, strategies, plicies, and prcedures fr identifying, measuring, mnitring, managing, and reprting f all material risks RBPlat may be expsed t and which is able t be adapted as the business and the external envirnment change Establish an enterprise wide risk awareness culture f identifying, quantifying managing and reprting f risks within all levels f the rganisatin i.e. strategic, prcess, peratinal level Identify and seize business pprtunities and meet acquisitin targets (where required) Enhance the internal cntrl envirnment in RBPlat Ensure Earnings Stability Prtect against unfreseen lsses Meet all regulatry requirements where applicable T supprt the attainment f these bjectives, RBPlat has adpted: The implementatin f a Risk and Cmpliance Management Cntrl Functin, Internal Audit Cntrl Functin (utsurced) a Sustainable Develpment Cntrl functin, which includes Safety, Health and Envirnment and Cmmunity Develpment (at mining peratins). A Cmpliance Framewrk cvering all the apprach t adhering t all regulatry requirements, including thse pertinent t risks and risk management. In additin, RBPlat will aim t develp and implement: An internal Cntrl Framewrk which will prvide management cntrl assurance and will fcus n imprving ur ability t manage risk effectively, s that we can quickly and cnfidently act n pprtunities t gain cmpetitive advantage, create further value and achieve sustained grwth. A Gvernance Framewrk which will ensure gd gvernance is achieved thrugh the regular measurement, reprting and cmmunicatin f risk management perfrmance. This will include measuring the prgress f risk management plans and assessing the verall maturity f the risk management prgramme. A Cmbined Assurance Plan t ensure adequate assurance is prvided acrss the RBPlat business, especially with financial and peratinal cntrl systems RBPlat cmmits the necessary risk, finance, cmpliance, internal audit, and gvernance resurces t ensure that the ERM bjectives are achieved. DRAFT Page 13

14 ERM Framewrk DRAFT v ERM FRAMEWORK The aim f the RBPlat ERM Framewrk ( the Framewrk ) is t prvide a prcess fr management t guide the pr-active risk and cmpliance management prcess and inculcate a risk management culture thereby ensuring that the strategic bjectives f the business are ptimised. The ERM Framewrk specifically addresses the structures, prcesses and standards implemented t manage risks n an enterprise-wide basis in a cnsistent manner. The framewrk further addresses the specific respnsibilities and accuntabilities fr the ERM prcess and the reprting f risks and incidences at varius levels within RBPlat ensuring thrugh and transparent gvernance prcesses The Framewrk als aims, t embed the culture and practice f risk management in ur day-t-day business activities aligning strategy, prcesses, peple, technlgy and knwledge with the purpse f evaluating and managing the uncertainties RBPlat faces in creating stakehlder value. Risk Management must be actively managed and reinfrced t ensure that it becmes part f RBPlat s business culture. Ryal Bafkeng Platinum Enterprise Risk Management Framewrk Overriding Inputs and Principles Regulatry Universe, ERM Cntext, Crprate Guiding Principles (Plicies), Gvernance Framewrk, Organisatinal Structure and Prcesses Strategy Setting Grup Business Strategy Risk Strategy Risk Appetite Risk Gvernance Three Lines f Defence 1 st Line f Defence 2 nd Line f Defence 3 rd Line f Defence Risk Appetite and Tlerances Criteria Develpment Operatinal Risk Plicy Financial Risk related Plicies Cntext Setting Risk Quantificatin/ Metrics Key Risk Indicatrs ERM Prcesses Risk Mnitring and Oversight Risk Identificatin Risk Management Infrmatin Systems ERM Plicies ERM Plicy Health and Safety Risk Plicy Cmpliance Risk Plicy Operatinal Risk Limits Risk Assessment Incentivising the right behaviurs Financial Ratis Risk Respnse Envirnmental Risk Plicy Sustainability Plicy Risk Reprting Internal Stakehlders External Stakehlders Cmmunicate, Embed, Mnitr, Review and Imprve Peple and Culture Figure 3: RBPlat ERM Framewrk The RBPlat ERM Framewrk cmprise f 9 key cmpnents, namely: 1. Overriding Principles 2. Business Strategy, ERM Strategy and Risk Appetite 3. ERM Gvernance 4. ERM Prcesses DRAFT Page 14

15 ERM Framewrk DRAFT v Risk Quantificatin 6. ERM Plicies 7. Risk Reprting 8. ERM Cmmunicatin, Embedding, Mnitring, Reviewing and Imprving 9. Peple and Culture 4.1. OVERRIDING PRINCIPLES The fllwing key inputs and verriding principles are cntinually kept in cnsideratin thrughut the Framewrk: ERM Cntext (described in sectin 2 abve) Any regulatry requirements Ryal Bafkeng Hldings/ Angl American Platinum Guiding Principles (Plicies), Gvernance Framewrk, Organisatin Structure & Prcesses 4.2. BUSINESS STRATEGY, ERM STRATEGY AND RISK APPETITE RBPlat Grup Business Strategy The RBPlat Business Strategy is develped by RBPlat senir management level and apprved by the Bard as part f a cntinuus business review prcess with cnsideratin f the internal and external envirnment in which RBPlat perates. Business strategy and plans are independently develped fr BRPM and Styldrif peratins, which frms the fundatin f the verall business strategy and strategic plan fr RBPlat. It is used as a primary input t the develpment f the RBPlat Risk Strategy and RBPlat Risk Appetite Risk Strategy Using the RBPlat business strategy as an input, the RBPlat risk strategy will be develped and apprved by Bard. The risk management strategy includes the risk management bjectives, risk management principles and assumptins, risk appetite (in terms f mnitring expsures against tlerances), and assignment f risk management respnsibilities acrss all the activities f RBPlat, cnsistent with RBPlat s verall business strategy. A clearly articulated Risk Strategy fr RBPlat thus leads t: A guideline fr the immediate bjectives and fcus areas fr Risk management within RBPlat Transparency and clarity acrss the business and external stakehlders as t the nature and size f risks RBPlat wants t take n A link between the RBPlat business strategy and the defined risk appetite Cmpliance with regulatry requirements DRAFT Page 15

16 ERM Framewrk DRAFT v Risk Appetite Using the RBPlat Business Strategy and RBPlat Risk Strategy as inputs, the RBPlat Risk Appetite Statement will be develped. The Risk Appetite Statement will be used t infrm the Target Risk Prfile and Risk Appetite Limits fr each Level 1 Risk Categry (see Risk Categrisatin), reflecting an apprpriate balance between risk and return which in turn serve as an input t the risk strategy and business strategy Risk Appetite Apprach The apprach taken t cnstruct the Risk Appetite is depicted belw. Risk Appetite Planning Develp Risk Mandate Mandate frm Bard Risk Appetite Framewrk Business Envirnment Understand crprate strategy and risk prfile Identify stakehlders and their expectatins Develp Risk Appetite Gvernance Accuntability and reprting Risk Appetite filters Define Appetite, Tlerances and Limits Risk Appetite Statement design Risk Appetite Prpensity t take risk Develp Cmpany wide risk appetite Risk Tlerances Prpensity t exercise cntrl Identify risks t manage allcate tlerances t set risk appetites Measurement Risk Limits Recncile Risk Prfile and Appetite Risk Prfile Measure current risk prfile fr each risk Aggregate individual risks t prduce verall risk prfile Prfile vs Appetite Cmpare aggregate appetite and prfile Adjust risk prfile and/r appetite t ensure allignment Implement, Mnitr & Reprt Risk Appetite Statement Obtain bard apprval Rll-ut and implement Mnitr and reprt Define limits and/r targets fr each risk Mnitring Figure 4: RBPlat Risk Appetite Apprach Stakehlder Risk Appetite Expectatins The RBPlat Bard has the ultimate respnsibility fr Risk Management within RBPlat which includes the develpment f the risk appetite as well as the setting and mnitring f risk tlerances. In line with the abve, the fllwing are cnsidered in develping the risk appetite statements and tlerances: Sharehlder Value Risk and Reward Mining rights Business Strategy Business Decisins Efficient Capital Utilizatin RBPlat Risk Prfile (business drivers) Organic grwth Stakehlder Management Operatinal Risk management Strng reputatin Sustainability Sharehlder expectatins Regulatrs expectatin that RBPlat understands its risk appetite Rating agencies regard risk appetite as key facet f ERM Regulatr/ Ratings Agency Expectatins Figure 5: RBPlat Risk Appetite Input Cnsideratins DRAFT Page 16

17 ERM Framewrk DRAFT v RBPlat Grup Risk Appetite Filters A filter apprach (depicted belw) will be used t determining whether any prpsed significant change in business (e.g. acquisitins, technlgy r prcess change, regulatry change, etc.) shuld be undertaken. The prpensity, capacity and appetite fr business risks assciated with business pprtunities that RBPlat Grup is prepared, willing and able t accept, mitigate and manage can be represented by this apprach. This will in turn cnfirm whether RBPlat Grup is prepared t accept the assciated risks and uncertainty assciated with the pprtunity. Each business peratin and functinal area will be required t fllw a frmal prcess and apply the filters when making business decisins t adpt the change. This prcess will include the cmpletin f frmal templates and/r dcuments demnstrating hw the filters were applied as well as mtivatin fr the new/additinal risk. Figure 6: RBPlat Risk Appetite Decisin Filters Risk Appetite Statement Design The Statement is designed t supprt the RBPlat s prevailing business strategy and is intended t facilitate decisin-making n an infrmed basis such that there is a direct crrelatin between RBPlat s strategy and its risk appetite. A cmprehensive Risk Appetite Statement therefre ensures that decisins are made n an infrmed basis and that there is a direct crrelatin between RBPlat s strategy and its risk appetite. The Statement prvides a clear reference pint t mnitr risk taking and t trigger apprpriate actin as the bundaries are apprached (r breached). The statement is designed t frce the RBPlat Grup t include risk factrs in any majr strategic r tactical decisin and ask the questin: Is this curse f actin cmpatible with ur risk appetite? The bjective f the Statement is tw-fld: T detail the risk agenda f the RBPlat externally t the market place; and T prvide the basis fr an internal risk limit structure cnsistent with Bard strategy The Statement is cnstructed as fllws: Once RBPlat s verarching risk prfile has been defined, RBPlat s appetite fr each risk type is articulated in terms f the fllwing structure: DRAFT Page 17

18 ERM Framewrk DRAFT v Prpensity t Take Risk 2. Risk appetite statement 3. Risk measurement apprach 4. Prpensity t exercise cntrl 5. Risk Tlerance Levels Figure 7: Risk appetite cnstructin 1. The prpensity t take risk fr a particular risk type refers t the RBPlat s tendency t accepting r rejecting that risk. In line with its enterprise-wide risk prfile, the grup therefre has a tendency (i.e. prpensity) t: a. Tend t avid the risk; b. Tend t be averse twards the risk; c. Tend t be cnservative twards the risk; d. Tend t be receptive twards accepting the risk, within limits; e. Tend t be unlimited twards accepting the risk, uncnstrained by limits 2. The risk appetite statement fr each risk type represents the prevailing view regarding the quantum f risk that the Grup is willing t accept in pursuit f its strategic bjectives. 3. The risk measurement apprach fr each risk type is defined accrding qualitative and quantitative risks. In many instances (e.g. Legal and Reputatinal Risk), certain aspects f risk either prevent accurate measurement r make measurement extremely elusive and difficult. In these cases, a qualitative risk measurement apprach will be preferred t articulate risk appetite. 4. Prpensity t exercise cntrl refers t the level f management cntrl deemed mst apprpriate fr the exercise f cntrl measures arund the acceptance f that risk. 5. Risk Tlerance Threshlds are measured by risk type. Breaches f these tlerance levels require specific interventin by the level f management identified at prpensity t exercise cntrl level. The threshlds are set accrding t what level is deemed acceptable, tlerable and unacceptable in defined prbability ranges. Expsures that are: a. Acceptable (green) breaches f the tlerance target are deemed reasnable and likely d nt require specific actin ther than nting; b. Tlerable (amber) breaches f the tlerance target may be tlerated but need t be mnitred clsely t ensure that the level f expsure des nt wrsen; and c. Unacceptable (red) breaches are unacceptable, and will require an immediate respnse t ensure that the effects are mitigated r eliminated. During the initial rll ut f the risk appetite, budgets (peratinal and capital) and the authrity limits manual will be used as a basis t determine appetite and tlerance levels. Once the risk appetite and assciated reprting has been fully embedded the prcess will be extended t individual mine and functinal area level as part f the jurney up the ERM maturity scale. DRAFT Page 18

19 ERM Framewrk DRAFT v ERM GOVERNANCE The RBPlat Bard has the ultimate accuntability fr risk management within RBPlat and has mandated the establishment f an ERM Framewrk, the attainment f the ERM bjectives and the implementatin f assciated prcesses, rles and respnsibilities, plicies and reprting. The gvernance fr the ERM framewrk is aligned t the verall RBPlat Gvernance Framewrk Three Lines f Defence RBPlat has adpted the three lines f Defence mdel, which is emerging as an industry nrm, as an verriding guide fr the gvernance f risk. This mdel is depicted belw. Bard First Line Secnd Line Third Line Accuntability Respnsibility fr: Day t day identificatin, assessment, managing, mnitring and reprting f all risks within their respective areas Ensuring risk expsures stay within limits Taking actin t mitigate levels f risk deemed t be beynd, r clse t the risk limits Respnding apprpriately t challenge by the secnd line CEO Crprate Management and staff Mine Management and staff Clear and well-cmmunicated risk plicies Effective cntrl and mnitring systems Prviding assurance that risks are being apprpriately managed acrss the business Prviding rbust challenge t the first line teams Facilitating actins t mitigate levels f risk deemed t be beynd, r clse t, ur appetite Assessing the verall risk prfile f the mine/functinal area The Risk and Gvernance Cmmittee Executive: Risk and Assurance Risk champins Executive: Business Sustainability Cmpany Secretary Independent assurance and versight n the effectiveness f systems f gvernance, risk management and internal cntrl Internal Audit External Audit Bard sub - cmmittees Audit & Risk, Remuneratin & Nminatin and Scial &Ethics Figure 8: RBPlat 'Three Lines f Defence' Gvernance Mdel RBPlat Risk Management Gvernance Framewrk The RBPlat Risk Management Gvernance Framewrk is described belw. It is an extensin f the RBPlat Gvernance Framewrk and is subject t all requirements and principles described therein (detailed in the RBPlat Gvernance Framewrk dcument). The rles and respnsibilities belw nly describe the rles and respnsibilities in the ERM cntext. DRAFT Page 19

20 ERM Framewrk DRAFT v0.2 RBPlat Bard Executive Cmmittee Chief Executive Officer Management Gvernance Cmmittees Management Cntrl Functins Crprate Functinal Area Heads Chief Operatins Officer BRPM JV Management Cmmittee Safety, Health Envirnment Business Sustainability Gvernance Risk & Cmpliance RBPlat Internal Audit (utsurced) HR, Finance, Prjects Mining General Managers Prcurement Cmmittee SHE Manager (BRPM) Executive: Business Sustainability Cmpany Secretary Executive: Risk & Assurance External Audit Safety, Health, Envirnment Cmmittee Executive Risk & Gvernance Cmmittee Bard Audit & Risk Cmmittee Bard Scial & Ethics Cmmittee BRPM/ Styldrift Mines Mine Risk Champins Mine Risk Frums Bard Remuneratin & Nminatin Cmmittee Crprate Risk Crprate Risk Frum 1 st Line f Defence 2 nd Line f Defence 3 rd Line f Defence Oversight Crprate Respnsibility Mine Respnsibility Rles Table 3: RBPlat Risk Gvernance Structure st Line f Defence: Chief Executive Officer The Chief Executive Officer f RBPlat is accuntable t the Bard while the Bard is accuntable t stakehlders fr ensuring that the RBPlat has and maintains an effective, efficient and transparent risk management prcess. Mre specifically the CEO s respnsibilities include: Recmmending t the Bard Audit and Risk Cmmittee and/r Bard, frm time t time, n matters relating t risk threshlds, risk plicies, risk framewrk, risk strategies and the risk philsphy f RBPlat Ensuring the develpment f the necessary ERM framewrk, risk plicies, risk strategy, risk prcesses, risk reprting mechanisms and risk structures Ensuring the rll ut f the ERM framewrk, risk plicies, risk strategy, risk prcesses, risk reprting mechanisms and risk structures int all business areas f RBPlat Identifying the risk appetite and risk tlerance levels and btaining Bard apprval Cnsider the business significant expsure and ensure effective risk assessment criteria is in place Ensuring the fllwing: Apprpriate leading practice risk management mdels, standards and techniques are used in the ERM prgram and system That strategic, prcess, peratinal and prgramme risk assessments are undertaken n at least an annual basis DRAFT Page 20

21 ERM Framewrk DRAFT v0.2 That there are effective cmmunicatin, measuring and mnitring systems in place Regular reprts n the status f significant risks and related risk treatment plans and the effectiveness theref are prepared That the managing f risks is everyne s respnsibility within RBPlat and everyne is aware f that That there are effective systems, prcesses, plicies and internal cntrl systems in place within RBPlat and that they are peratinal in all respects Ensure that the ERM system is linked t RBPlat perfrmance management system Apprpriate ERM Cmmittees are established and are functining as intended Attend the Risk and Gvernance Cmmittee meeting as well as the Bard Audit and Risk Cmmittee st Line f Defence: Executive Cmmittee ( Exc ) Exc is accuntable t Bard fr designing, implementing and mnitring the prcess f risk management and integrating it int the day-t-day activities f RBPlat. Mre specifically, the Exc is respnsible fr: Designing an Enterprise Risk Management strategy in cnjunctin with the Executive: Risk & Assurance Deciding n the manner in which risk mitigatin will be embedded int management prcesses Develping a culture f risk management in RBPlat Ensuring that adequate and cst effective risk management structures are in place Develping and ensuring the implementatin f risk management plans including: Actins t ptimise risk/ reward prfile, maximise reward with risk cntained within the Bard s apprved risk appetite and tlerance limits A cst effective preventative and cntingent cntrl framewrk A framewrk t ensure adherence t legal and regulatry requirements Mnitring f the Enterprise Risk Management prcesses n bth a detailed and macr basis by evaluating changes, r ptential changes t risk prfiles Ensuring the implementatin f measures recmmended by the internal/ external auditrs, which, in their pinin, wuld enhance cntrl at a reasnable cst Defining rles, respnsibilities and accuntabilities at the executive and senir management level Assigning a manager t every key risk fr apprpriate respnse actin including an actin date Utilising available resurces t cmpile, develp and implement plans, prcedures and cntrls within the Framewrk t effectively manage the risks Identifying, evaluating and measuring risks and where pssible quantifying and linking each identified risk t key risk indicatrs Implementatin f cst effective preventative and cntingent cntrl measures DRAFT Page 21

22 ERM Framewrk DRAFT v0.2 Implementatin f prcedures t ensure adherence t legal and regulatry requirements Implementing and maintaining adequate internal cntrls and mnitring the cntinued effectiveness theref Reprting t the Bard Audit and Risk Cmmittee n the risk prcess and resultant risk/ reward prfiles Prviding plicies, framewrks, methdlgies and tls t the business units and subsidiaries fr identificatin, assessment and management f risks st Line f Defence: General Managers The General Managers are accuntable fr ensuring that their areas f respnsibility have maintained an effective, efficient and transparent risk management prcess. Mre specifically their respnsibilities include: Ensuring the rll ut f the Framewrk, risk plicies, risk strategy, risk prcesses, risk reprting mechanisms and risk structures within their areas f respnsibility Assisting in the develpment f the risk appetite and risk tlerance levels and btaining Bard apprval Ensuring the divisin perates within the cnfines f the risk appetite and risk tlerance levels Ensuring sufficient resurces are cmmitted t ensure the ERM Prcesses are carried ut effectively Have a gd understanding f the divisin s significant expsures and ensure effective risk assessment and mitigatin criteria is in place Ensure regular reprts n the status f significant risks and related risk treatment plans and the effectiveness theref fr risks within the divisin are prepared A risk culture exists n the mine That there are effective systems, prcesses, plicies and internal cntrl systems in place within RBPlat and that they are peratinal in all respects Chair the Mine Risk Frum and attend the Executive Risk and Gvernance Cmmittee meeting st Line f Defence: Mine (BRPM and Styldrift) Each emplyee within each mine is tasked with taking respnsibility fr the management f risk in their divisin (see 2 nd Line f Defence: Mine Risk Champins). Each emplyee has the persnal respnsibility fr day t day management f the risks assciated with their tasks and the cmmunicatin f these risks t the Risk Champins. DRAFT Page 22

23 ERM Framewrk DRAFT v st Line f Defence: Crprate Functinal Area Heads The Crprate Functinal Area Heads f RBPlat are accuntable fr ensuring that supprt functins effectively supprt the rest f the business and that they maintain an effective, efficient and transparent risk management prcess. Mre specifically their respnsibilities include: Ensuring the rll ut f the ERM framewrk, risk plicies, risk strategy, risk prcesses, risk reprting mechanisms and risk structures within their areas f respnsibility Assisting in the develpment f the risk appetite and risk tlerance levels and btaining Bard apprval Ensuring the divisin perates within the cnfines f the risk appetite and risk tlerance levels Ensuring sufficient resurces are cmmitted t ensure the ERM Prcesses are carried ut effectively Have a gd understanding f the divisin s significant expsures and ensure effective risk assessment and mitigatin criteria is in place Ensure regular reprts n the status f significant risks and related risk treatment plans and the effectiveness theref fr risks within the divisin are prepared A risk culture exists within the divisin That there are effective systems, prcesses, plicies and internal cntrl systems in place within RBPlat and that they are peratinal in all respects Attend the Crprate Risk Frum and Executive Risk and Gvernance Cmmittee meeting st Line f Defence: Crprate Functinal Areas (HR, Finance, Prjects) Each emplyee within each mine is tasked with taking respnsibility fr the management f risk in their divisin (see 2 nd Line f Defence: Crprate Functinal Area Risk Champins). Each emplyee has the persnal respnsibility fr day t day management f the risks assciated with their tasks and the cmmunicatin f these risks t the Risk Champins nd Line f Defence: Cmpliance Cntrl Functin In terms f the cmpany s cmmitment t its adherence t all relevant legislatin, it has established a cmpliance cntrl functin, which has been structured in such a way as t facilitate a culture f cmpliance thrughut the cmpany. The cmpliance cntrl functin is managed by the Executive: Risk & Assurance and is respnsible fr identifying, assessing, advising n, mnitring and reprting n, amngst thers, the regulatry cmpliance risk in the cmpany. In rder fr it t be effective, the cmpliance cntrl functin needs t be, and needs t be perceived t be, independent. It als needs t be granted the apprpriate authrity and status t perate effectively. DRAFT Page 23

24 ERM Framewrk DRAFT v0.2 In rder fr the Bard t fulfil its respnsibility fr managing regulatry risk, there must be rutine, frmal reprting t the Bard by the Executive: Risk & Assurance. The Cmpliance functin shuld be able t: Prvide the RBPlat Bard with regular infrmatin regarding the level f cmpliance with regulatry requirements Have adequate resurces available t ensure prper cmpliance mnitring Have access t the Chairman f the Audit and Risk Cmmittee and Scial and Ethics Cmmittee Liaise directly with the Regulatrs The primary rle f the cmpliance cntrl functin is t assist with, facilitate and mnitr the effective management f cmpliance risks by RBPlat, thrugh, inter alia, the fllwing: The develpment f the cmpliance functin strategy and cmpliance plan Setting plicies and standards fr cmpliance Prviding advice n cmpliance related matters Identifying the regulatry universe Measuring and assessing cmpliance risk Cmpiling and maintaining a cmpliance manual r peratinal plan Establishing and maintaining a cmpliance culture Mnitring the level f cmpliance n an nging basis: Highlighting and key cmpliance risks and the steps being taken t address them Perfrmance against cmpliance standards and gals Cmpliance issues invlving management r persns in psitins f majr respnsibility Material cmpliance vilatins r cncerns invlving any ther persn r business divisin Material fines r ther disciplinary actins taken by any regulatr r supervisr in respect f RBPlat r any emplyee Mnitring the ethics htline nd Line f Defence: Head f Cmpliance The respnsibility t facilitate cmpliance thrughut the cmpany has been delegated t the Executive: Risk and Assurance, wh is respnsible fr the effective implementatin f the Plicy. The Executive: Risk & Assurance is respnsible fr the fllwing: Develpment f the Cmpliance Plicy and Framewrk and t ensure that it is fully aligned with this ERM Plicy and Framewrk Develpment f a Regulatry Universe in cnjunctin with the varius functinal areas t ensure that all Regulatry requirements are identified DRAFT Page 24

25 ERM Framewrk DRAFT v0.2 Develpment f specific Cmpliance Risk Management Plans, where required, t ensure adherence t the identified legislatin Identify, assess and reprting n cmpliance and regulatry aspects t the varius risk and gvernance structures Manage cmpliance risks by identifying and develping apprpriate risk management strategies and plicies Identify ptential areas f cmpliance vulnerability and risk and develp crrective actin plans Advise functinal areas and mining units n their regulatry risk prfiles and assciated implicatins Creating a cmpliance driven culture in RBPlat that values respnsible cnduct and cmpliance with internal and external bligatins nd Line f Defence: Risk Management Cntrl Functin The risk management cntrl functin has the authrity t cmmunicate with any emplyee n its wn initiative and btain access t any recrds required t carry ut its respnsibilities independent f the influence f ther functins and Senir Management. The RBPlat risk management cntrl functinal area respnsibilities include: Assisting the Bard f Directrs and Senir Management in the effective peratin f the risk management system, in particular by perfrming specialist analysis and perfrming quality reviews; Oversight, tracking and measurement f adherence t risk system including the risk register and assciated prcesses Drive the identificatin, reprting and management f material risk psitins and risk expsures Assist in classificatin and rating f risks Assessment f the evlving risk prfile Assessment f pre-defined risk tlerances Drive the identificatin and mitigatin f crss functinal/ mine risks and in relatin t strategic affairs such as crprate strategy, mergers and acquisitins, and majr prjects and investments Ensure cnsistency in risk dcumentatin and reprting Liaise with external market t identify trends in risk management and present business Mnitring the risk management system Maintaining an rganisatin-wide and aggregated view n the risk prfile Reprting details n risk expsures and advising the Bard f Directrs with regard t risk management matters in relatin t strategic affairs like crprate strategy, mergers and acquisitins and majr prjects and investments Reprting t Senir Management, key persns in Internal Cntrl Functins, and the Bard f Directrs n the cmpany s risk prfile, and detailing all material risk expsures facing RBPlat and related respnse plans Identifying and assessing emerging risks DRAFT Page 25

26 ERM Framewrk DRAFT v nd Line f Defence: Executive: Risk & Assurance The Executive: Risk & Assurance shuld enjy the freedm within the rganisatinal structure t be bjective and independent f the influence f ther functins and Senir Management. He / she has the authrity and respnsibility t regularly reprt t the Bard f Directrs all material issues regarding RBPlat evlving risk prfile, management f the risk functin itself and risk management issues related t strategic affairs as necessary. The main bjective f the Executive: Risk & Assurance is t ensure that RBPlat is able t timeusly identify measure, manage, mnitr, and reprt n all material risks by ensuring that the ERM Plicy and Plan is executed and embedded in the rganisatin. The Enterprise Risk Management Framewrk and Plicy is in line with internatinal standard (ISO 31000). The Executive: Risk & Assurance will perfrm within the fllwing key perfrmance areas: Develpment and implementatin f risk management cntrl functin strategy Develpment and implementatin f the risk management functin s peratinal plan Ensure the establishment and implementatin f the risk management prcess thrughut RBPlat Oversee, mnitr, evaluate and cmmunicate the status f implementatin f risk management at RBPlat Ensure the effective functining f the Crprate and Mine Risk Frums, Executive Risk and Gvernance Cmmittee and Bard Audit and Risk Cmmittee; Analyse and reprt n risks t management, the Executive Risk and Gvernance Cmmittee and Bard Audit and Risk Cmmittee Ensure that RBPlat has the requisite assurance plan and crdinate utputs t assurance prviders t the rganisatin Mnitr and evaluate the effectiveness f RBPlat s assurance plan Manage business risks by identifying and develping apprpriate risk management strategies and plicies Identify, quantify, mnitr and reprt business risks acrss all business divisins, and prfile them accrdingly Ensure that an adequate Risk Financing (Insurance) Prgramme is in place t prtect the RBPlat assets and t mitigate any ptential cntingent liability expsures Identify ptential areas f cmpliance vulnerability and risk and develp crrective actin plans; Advise functinal areas and mines n their risk prfiles and assciated implicatins Attend Bard Cmmittee meetings t prvide the requisite reprts nd Line f Defence: Executive: Business Sustainability The Executive: Business Sustainability has the respnsibility t ensure that Sustainable Develpment related risks are identified and apprpriate risk respnse plicy and plans are develped and implemented. He / she has the authrity and respnsibility t regularly reprt t the Bard f Directrs all material issues regarding RBPlat evlving sustainable develpment risk prfile and the management f respnses in relatin t strategic affairs as necessary. DRAFT Page 26

27 ERM Framewrk DRAFT v0.2 The Executive: Business Sustainability will perfrm within the fllwing key perfrmance areas: Develpment and implementatin f sustainable develpment plicy and strategy Develpment and implementatin f the sustainable develpment peratinal plan Ensure the establishment and implementatin f a sustainable develpment prcess thrughut RBPlat Oversee, mnitr, evaluate and cmmunicate the status f implementatin f sustainable develpment at RBPlat Ensure that RBPlat has the requisite assurance n sustainable develpment activities and prcesses Identify ptential areas f climate change vulnerability and risk and develp respnse plans Advise functinal areas and mines n sustainable develpment and assciated implicatins Attend Bard Scial and Ethics Cmmittee meetings t prvide the requisite reprts nd Line f Defence: Cmpany Secretary The cmpany secretary must prvide directrs with guidance in their duties, respnsibilities and pwers and make directrs aware f all laws and regulatins relevant t the cmpany. This shuld include advice n business ethics and gd gvernance. The cmpany secretary shuld remain abreast f develpments in crprate gvernance and is pivtal t ensuring that the directrs adhere t the highest gvernance standards as detailed in the King Reprt ( King III ). The cmpany secretary shuld als mnitr internatinal develpments n crprate gvernance and bring these t the bard s attentin where they wuld add value. He / she are the custdian f Bard gvernance and is respnsible t ensure that all gvernance related legislatin and standards (Cmpanies Act, King 3, JSE Listing requirements, memrandum and articles f assciatin etc) is adhered t. The Cmpany Secretary will perfrm within the fllwing key perfrmance areas: The cmpany secretary is respnsible fr the schedule f bard and cmmittee meetings fr the year. The cmpany secretary prepares the agendas fr these meetings in cnjunctin with the chairpersn and key executives. The cmpany secretary takes the minutes f these meetings and shuld ensure that they are distributed as sn as pssible thereafter t aid directrs in implementing the decisins. The cmpany secretary shuld ensure that the bard s plicies and instructins are cmmunicated t the relevant persns in the cmpany and that pertinent issues, including risks identified, frm management are referred back t the bard where apprpriate The cmpany secretary must ensure that the directrs and management perate within an authrity framewrk apprved by the bard and reviewed and updated frm time t time nd Line f Defence: Safety, Health and Envirnment T ensure Safety, Health and Envirnmental related items are addressed frm a risk perspective the risk prfile related t these items must be kept up t date in line with the cmpanies review and revisin plicy fr dcuments. The SHE functin must ensure the fllwing: DRAFT Page 27

28 ERM Framewrk DRAFT v0.2 There must be a SHE Baseline risk assessment where the functinal areas, sub functins, physical structures and related activities are listed and defined. Critical task inventry lists are dne t ensure all emplyees are trained t identify the hazards they will be expsed t and hw t mitigate such hazards s that they can cnduct their duties in a safe, healthy and envirnmental friendly way. Where specific items f cncern is identified, the issue based risk assessment prcess need t be fllwed t address that specific risk s that the mitigating factrs can be put in place t reduce the risk t an acceptable risk prfile. Fr day t day peratins, the cntinuus risk assessment methd is used s that persns can d pre-check and start up inspectins befre a task is cnducted nd Line f Defence: SHE Manager (BRPM) The SHE Manager (BRPM) has verall respnsibility t ensure that adequate SHE Management systems are develped and implemented t manage all SHE related risks. The identificatin and actin plans required fr all identified hazards and risks related t Safety, Health and Envirnment will fall under the respnsibility f the SHE Manager BRPM/Styldrift. The SHE Manager will perfrm within the fllwing key perfrmance areas: Manage a grup f specialists either under Shared Services r at the peratinal shafts t ensure the requirements f the MHSA and relevant Envirnmental Acts are being cmplied with. Ensure that any significant risk identified that can pse an issue nw r int the future fr RBPlat be reprted t the relevant General Manager and then fr inf t the Executive: Risk and Assurance and if applicable t the Executive: Business Sustainability. Develpment and implementatin f the varius SHE Management systems peratinal plans Ensure the establishment and implementatin f a SHE Risk Assessment prcess thrughut RBPlat Oversee, mnitr, evaluate and cmmunicate the status f implementatin f SHE Management at RBPlat Ensure that RBPlat has the requisite assurance n SHE activities and prcesses Advise HOD s at the mines SHE issues and assciated implicatins Attend Bard Scial and Ethics Cmmittee meetings t prvide the requisite reprts Assist the Executive: Risk and Assurance t ensure risk management is imbedded at mine level with regards t SHE risks and prvide assistance t the Executive: Business Sustainability in the managing f sustainable develpment risks nd Line f Defence: Executive Risk and Gvernance Cmmittee The Risk and Gvernance Cmmittee is attended by each Functinal Area Exc member, the Executive: Risk & Assurance, Chief Executive Officer, Mine General Managers and Cmpany Secretary. The respnsibilities f the Executive Risk and Gvernance Cmmittee are set ut in its terms f reference and briefly include the fllwing: DRAFT Page 28

29 ERM Framewrk DRAFT v0.2 Review the RBPlat risk management framewrk and structures t be implemented as well as any significant subsequent changes theret. This will include the review and apprval f risk identificatin and measurement methdlgies Review the effectiveness f the risk management prcess n an n-ging basis at strategic and peratinal level Cnsider the adequacy f risk management strategies fr significant risks facing RBPlat Ensuring that the RBPlat strategic, prcess, peratinal and prgramme level risks are assessed n an n-ging and that its cntrl effectiveness are determined and evaluated Develpment and maintenance f a strategic risk register Mnitr the prgress and implementatin f actin plans and r treatments t address significant risks Prvide the Executive Cmmittee with regular reprts dealing with the effectiveness f the risk management prcess as well as infrmatin n significant risks and the status f the cntrl envirnment Review the prpsals fr any new significant change t the business (new prduct, acquisitin, channel, plicy, pprtunity) using the risk appetite filter apprach Make recmmendatins frm time t time t the Bard Audit and Risk Cmmittee n matters relating t risk threshlds, risk plicies, risk strategies and risk philsphy Review and ratify RBPlat specific asset and liability insurance prgrammes and their implementatin nd Line f Defence: Functinal Area and Mine Risk Champins Functinal Area and Mine Risk Champins will have the respnsibility fr the crdinatin f ERM, measurement, evaluatin, analysis, treating and reprting f all risk status and strategies fr their functinal area/ mining unit. The Executive: Risk & Assurance will supprt management with these functins, while Executive and Senir Management will be respnsible fr the day-t-day interpretatin and management f plicy and prcedural issues assciated with ERM. The Risk Champins respnsibilities include: Identificatin f risks within their functinal area/ mine and accrdingly, the apprvals, respnsibilities and accuntabilities applicable t the identificatin, analysis, treatment and reprting f risks, must be reprted t the Executive Risk & Assurance. Where current risk cntrls are deemed ineffective t reduce the risk expsure and therefre warrant actin, prepare apprpriate cntrl imprvement and actin plans. Included in each cntrl plan will be the allcatin f accuntabilities and actin dates fr the implementatin f the cntrl imprvement plan. Prmte a culture f sund risk management and cmpliance within their functinal area/ mine Prvide the Bard with adequate and timely infrmatin t enable the Bard t carry ut its duties and functins including the mnitring and review f the perfrmance and risk expsures, and the perfrmance f the Senir Management DRAFT Page 29

30 ERM Framewrk DRAFT v0.2 Prvides the relevant stakehlders and the Regulatr with the infrmatin required t satisfy the legal and ther bligatins Review prgress n the implementatin f agreed Risk Respnse Plans as well as changes in the risk envirnment Cnduct a risk review r assessment fr any material changes in the risk landscape Mnitr cmpliance t all legislatin Clear all Internal and External Audit findings as per agreed management actins Attend the Mine/ Crprate Risk Frums as a member t crdinate assciated risks; Participate in any risk and gvernance related prjects, representing their divisin s interest nd Line f Defence: Crprate and Mine Risk Frums The Risk Frums are quarterly frums (nt necessarily stand- alne)) held between the functinal heads/ Mine General Managers and their management cmmittee and representatives frm Risk Management. The Risk Frums respnsibilities include: Review f the risks (and assciated cntrls) impacting the mine/ functinal area Review the Regulatry/ legal universe t ensure cmpliance Address any ptential Audit cncerns Manage all Risk stakehlders Orchestrate a chesive apprach t mitigate the mine/ functinal area specific risks Prepare cnfirmed, cnslidated feedback n risks t Executive Risk and Gvernance Cmmittee Identify risk management related training requirements rd Line f Defence: RBPlat Internal Audit (utsurced) The Bard and the Bard Audit and Risk Cmmittee have an versight rle t determine that apprpriate risk and assurance prcesses are in place and that these prcesses are adequate and effective. The rle f Internal Audit in crprate gvernance is defined by the Suth African Institute f Chartered Accuntants as fllws: T supprt the Bard and Management in identifying and managing risks and thereby enabling them t manage the rganisatin effectively. This is achieved by: Enhancing their understanding f risk management and the underlying cncepts Assisting them t implement an effective risk management prcess Prviding bjective feedback n the quality f rganisatinal cntrls and perfrmance. The Internal Audit functin (utsurced), assists RBPlat management, the Audit and Risk Cmmittee and the Bard, by examining, evaluating, reprting and recmmending imprvements n the adequacy and effectiveness f financial and business/peratinal internal cntrls. The Internal Audit functin is respnsible fr: DRAFT Page 30

31 ERM Framewrk DRAFT v0.2 Prviding assurance that management prcesses are adequate t identify and mnitr significant risks Using the utputs f risk assessments t direct internal audit plans Prviding n-ging evaluatin f the risk management prcesses Prviding bjective cnfirmatins that the Bard receive the right quality f assurance and reliable infrmatin frm management regarding risk Prviding assurance regarding Enterprise Risk Management prcesses frm bth a design and functinal perspective Prviding assurance regarding the effectiveness and efficiency f risk respnses and related cntrl activities Prviding assurance as t the cmpleteness and accuracy f Enterprise Risk Management reprting rd Line f Defence: RBPlat Bard The Bard is accuntable fr the effective gvernance f an insurer and therefre is als accuntable fr the ttal prcess f risk management and frming an idea n the effectiveness theref. The Bard has delegated its respnsibility fr verseeing the management f risks t Bard Audit and Risk Cmmittee. The Bard Audit and Risk Cmmittee receive quarterly reprts n the key risks and hw they are being addressed and submit an annual review t the Bard. While it is agreed that the Bard may delegate sme f the activities r tasks assciated with its wn rles and respnsibilities, given that this delegatin meets the assciated requirements described in the RBPlat Gvernance Framewrk dcument, the Bard s respnsibilities in lieu f risk management include but are nt limited t: Ensure apprpriate structures are in place fr the risk management system and internal cntrls system Ensure suitable individuals are appinted t the risk management and internal cntrls functins with due cnsideratin fr independence and bjectivity required t carry ut their allcated functins Ensure that the rles and respnsibilities allcated t the Bard, Senir Management, and Key Cntrl Functins are clearly defined s as t prmte an apprpriate separatin f the versight functin frm the management respnsibilities, and prvide adequate versight f the Senir Management. Prvide effective versight f the Senir Management tasked with risk related respnsibilities Review whether the risk strategies, plicies and prcedures, as set by the Bard, are being prperly implemented Adpt and implement a defined and well dcumented risk management strategy (which is part f the business strategy and planning prcess) Adpt and implement a defined and well dcumented risk appetite, DRAFT Page 31

32 ERM Framewrk DRAFT v0.2 Adpt and implement a Remuneratin Plicy, which des nt incentivise excessive r inapprpriate risk taking. Apprving and implementing such systems and cntrls as necessary t ensure: The financial reprts present a balanced and accurate assessment f the RBPlat s risk prfile (in additin t its general financial health and viability as a ging cncern) The prmtin f apprpriate, timely, and effective cmmunicatins with the supervisr and relevant stakehlders n the risk f the business The disclsure n matters such as risk appetite, risk tlerance and the risk management prcess in the annual reprt. Direct the risk culture and reinfrce the cmmitment t sund risk management plicies, practices, standards, mdels and techniques Ensure that a cmprehensive risk assessment is undertaken at least annually, Ensure that significant findings and bservatins regarding weaknesses risk management systems and cntrls are prmptly rectified. Where apprpriate, this shuld be supprted by a frmal prcess fr reviewing and mnitring the implementatin f recmmendatins by the external auditr. Ensure that an evaluatin f the effectiveness f the risk management systems and cntrls rd Line f Defence: Bard Audit and Risk Cmmittee The Bard Audit and Risk Cmmittee prvide independent assurance t the Bard n risk management, amngst ther respnsibilities, which is cntained in mre detail in its Terms f Reference, which entails reviewing the fllwing: The effectiveness f the internal cntrl system and satisfy itself that the relevant internal cntrls have been implemented fr all risk areas t be reviewed frm time t time; Whether the risk areas f RBPlat s peratin have been cvered in the scpe f internal and external audits. Evaluate and make recmmendatins regarding the risk cvered by internal and external audit; The effectiveness f the system fr mnitring cmpliance with laws, regulatins and the results f management s investigatin and fllw-up (including disciplinary actin) f any instances f nn-cmpliance; Cntrls ver significant risks; The Cmmittee is als tasked with the respnsibility f assisting the Bard in executing its respnsibilities with respect t risk management as set ut abve, including: Evaluating risk management systems and prcesses; Mnitring Management s: respnse in rectifying recmmendatins pertinent t risk areas recmmended by internal audit; cmmunicatin f risk management and fraud preventin plan t emplyees; and DRAFT Page 32

33 ERM Framewrk DRAFT v0.2 implementatin f risk management strategy, the fraud preventin plan, IT systems and administrative cntrls; Reprting t Bard n the effectiveness f risk management systems and cntrls; Discussing with management the rganisatin s majr plicies with respect t risk assessment and risk management; and Tracking the perfrmance in terms f risk management, cmpliance and assurance in subsidiary cmpanies There must be unrestricted access by the External Auditr t infrmatin and persns as necessary t cnduct the audit. There shuld be regular meetings between the Bard and the External Auditr during the audit cycle, including meetings withut management present rd Line f Defence: Bard Scial and Ethics Cmmittee The Bard Scial and Ethics Cmmittee prvides versight fr RBPlat s scial and ethics respnsibility in terms f the Cmpanies Act, Minerals and Energy Resurces Develpment Act, Mine Health and Safety Act, ther relevant legislatin and King 3, t ensure that RBPlat: Safeguard the grup s assets and investments Supprt business bjectives and sustainability under nrmal as well as under adverse perating cnditins Behave respnsibly twards all stakehlders having a legitimate interest in the grup Develp and implement the Scial and Labur Plan Develp and implement the grup sustainable develpment plicy Develp and implement the Safety, Health and Envirnmental plicy Develp and implement the Ethics Plicy DRAFT Page 33

34 ERM Framewrk DRAFT v ERM PROCESSES Develp the Criteria In rder t determine if a risk can be tlerated and the extent f tlerability we have t define certain criteria up frnt in rder t lay the fundatin and a reference fr the ERM prcess steps ging frward. The setting f criteria is usually perfrmed upfrnt and reviewed fr apprpriateness annually with nly minr changes expected. These criteria include the categrisatin f all ptential risks RBPlat may be expsed t, the appetite t take n the risk within the risk categrisatin mdel, tlerance levels fr these risks and the assciated risk level calculatin methdlgy Risk Categrisatin RBPlat will adpt a Risk Categrisatin Mdel which grups and categrises the ppulatin f risks RBPlat may be expsed t, dwn t a level 3 categrisatin. The table belw describes the level 1 risks RBPlat is expsed t, but each f these level 1 risks shuld have assciated level 2 and level 3 risks which will be addressed in the varius risk specific plicies and standards. L1 Risk Type Operatinal risk Safety, Health and Envirnmental risks Strategic risk Financial risk Descriptin The risk that RBPlat will nt achieve its strategic business bjectives due t failed peple, prcess, system and / r external events. The risk that RBPlat peratins culd cause injury r illness t emplyees and damage t the envirnment. The risk that discretinary decisins are made (r fail t be made) that adversely affect future earnings f the business. The risk that discretinary decisins are made (r fail t be made) that adversely affect future sustainability f the business. The risk that available liquid assets will be insufficient t meet changing market and business cnditins, liabilities, funding f asset purchases The risk f adverse changes in the market value f assets due t change in value f market factrs will negatively impact future earnings. The risk that an asset against cunterparty will nt be repaid at the due and stipulated time. Reputatinal Risk The risk that RBPlat will suffer a deteriratin f its reputatin r standing due t a negative perceptin f its image amng custmers, emplyees, cunterparties, sharehlders and/r Regulatrs. Regulatry Risk The risk that RBPlat will nt cmply with legislatin resulting financial lss r reputatinal damage Prject Risk The risk that any factr may ptentially hamper the prject's verall success and result in lss, delay, regulatry breach r reputatinal damage t RBPlat Table 4: RBPlat Level 1 Risk Categrisatin The risk categrisatin mdel will assist in: Understanding the risk landscape within the business Identifying risks Identifying crss-business cutting risks Prviding a basis fr rganising and reprting findings Prmting the cnsistent use f a cmmn risk language acrss the cmpany, allwing meaningful aggregatin and cmparisn f risks and issues Enhanced risk reprting t the Audit and Risk Cmmittee and data sharing between business areas. Risk categrisatin will be used t intrduce cmmnality f risk events within bth the risk and cntrl self-assessment and capital mdelling prcesses. DRAFT Page 34

35 ERM Framewrk DRAFT v Risk Tlerance fr Risks n the Risk Register The Bard encurages the taking f cntrlled risks; the grasping f new pprtunities and the use f innvatin t further the interest f RBPlat t achieve its bjectives; prvided the resultant expsures are within RBPlat s risk appetite and tlerance range. This tlerance range is set during the develpment f the cmpany Risk Appetite as mentined abve. The assumptin f any substantial risk utside its appetite will be specifically discussed and apprved by the Bard. Management entrusted with the wnership f a risk area may apprve within certain limited tlerance, variatin t the risk appetite Risk Assessment Methdlgy Likelihd and Cnsequences f Risks In brad terms, risk is analysed by cmbining estimates f likelihd and cnsequence in the cntext f existing cntrl measures t arrive at a level f risk. The bjectives f this analysis are t srt risks int relevant ranking levels s that nt nly majr risks are clearly identified but minr risks are als nted. This ranking can later be used t assist in the assessment and treatment f risks. Lwer level risks r risks utside the risk appetite may be excluded frm further mre detailed risk cnsideratins, but it is imprtant that they are dcumented and added t the risk prfile t demnstrate the cmpleteness f the risk analysis. Risk and Likelihd and Impact Ratings Sme events happen nce in a lifetime; thers can happen almst every day. Analysing risk requires an assessment f their frequency f happening. The fllwing table prvides brad descriptins t supprt likelihd ratings. Likelihd Descriptin 1. Negligible <1% prbability ccurrence requires exceptinal circumstances exceptinally unlikely, even in the lng term future nly ccur as a 100 year event 2. Extremely Unlikely >1% prbability, r may ccur but nt anticipated, r culd ccur in years t decades 3. Very Unlikely >20% prbability, r may ccur shrtly but a distinct prbability it wn t, r culd ccur within mnths t years 4. Mderate/ Feasible >50% prbability, r balance f prbability will ccur, r culd ccur within weeks t mnths 5. Prbable (Expected/Likely) 99% prbability, r impact is ccurring nw, r culd ccur within days t weeks Table 5: Table f Likelihds It is als freseeable that certain risks will have mre impact n the business that thers and an assessment is required t determine these impacts which wuld influence the respnse t the risks. The fllwing table prvides brad descriptins t supprt Impact ratings. DRAFT Page 35

36 ERM Framewrk DRAFT v0.2 Impact Descriptin Guidance 1. Minr Minr impact n the rganisatin (Cnsequences can be readily absrbed under nrmal perating cnditins and will nt affect achievement f bjectives). 2. Cntainable Minr impact n the rganisatin (Cnsequences can be readily absrbed under nrmal perating cnditins and will have a minr effect n achievement f bjectives). 3. Significant Impact can be readily absrbed under nrmal perating cnditins. 4. Serius Impact that can be managed under supprted perating cnditins, but management interventin is required. 5. Catastrphic/ Fundamental Table 6: Table f Impacts Event which will have a prlnged negative impact and extensive cnsequences. Ptential t lead t the cllapse f the rganisatin and is fundamental t the achievement f the RBPlat strategic bjectives. 0% t 1% f budgeted EBITA is affected based n the impact n budget 1% t3% f budgeted EBITA is affected based n the impact n budget 3% t 5% f budgeted EBITA is affected based n the impact n budget 5% t 10% f budgeted EBITA is affected based n the impact n budget 10% f budgeted EBITA is affected based n the impact n budget r the pssibility f RBPlat nt being able t perate as a ging cncern. In additin t the abve guideline in terms f financial impact, the fllwing impact/cnsequences will als be applied in terms f risk categry expsures: Rating Financial impact Operating Prfit (R) 100 millin 10 millin 99 millin 1millin 9,9 millin millin Investment impact Rand NPV 500 millin 50 millin millin 4,9 millin 5 millin ,9 millin < < Human Health and Safety Multiple fatalities / Impact n health ultimately fatal Single fatality r lss f quality f life / Irreversible impact n health Lst time injury / Reversible impact n health Medical treatment case/ Expsure t majr health risk First aid case / Expsure t minr health risk Envirnment and Cmmunity Irreversible lng term envirnmental damage t a highly valued species r lcatin Large-scale prlnged class actin. Irreversible lng term envirnmental damage. Cmmunity utrageptential fr large-scale class actin. Prlnged envirnmental impact. High-prfile cmmunity cncerns raised requiring significant remediatin measures and management attentin Majr spill r release leading t ff-site impact Medium term recvery. High ptential fr cmplaints frm interested parties. Medium term effect n envirnment/cmmunity Required t infrm envirnmental agencies Reputatin and Brand Prlnged internatinal cndemnatin RBPlat CE0 and/r Functinal Executives/ Mine GM s departs and bard is restructured Public reprimand frm Gvernment RBPlat lses mining licence fr an extended perid Prminent negative Internatinal and Suth African press reprting ver many days Nn-public reprimand by Gvernment Senir executive departs and/r bard is restructured. Operating licence is threatened Natinal press reprting Gvernment cautin Pressure n Executives t leave. Implicatins fr perating licence. Lcal press reprting Manager may be asked t leave. Gvernment may be interested Lcal press reprting Disciplinary actin may be taken Cmpliance and Legal Majr litigatin r prsecutin with damages f R50m+ plus significant csts. Custdial sentence fr cmpany Executive Lng term clsure f peratins by authrities. Majr litigatin csting R10m+. Investigatin by regulatry bdy resulting in lng term interruptin t peratins. Pssibility f custdial sentence/ Medium term clsure f peratins by gv. Majr breach f regulatin with punitive fine. Significant litigatin invlving many weeks f management time. Breach f regulatin with investigatin r reprt t authrity with prsecutin and/r mderate fine pssible. Minr legal issues, nn-cmpliances and breaches f regulatin. DRAFT Page 36

37 ERM Framewrk DRAFT v0.2 Risk Ranking Matrix RBPlat uses the risk ranking matrix belw t cmbine the selected likelihd and cnsequence ratings fr each risk identified Cnsequence Likelihd Assessing Cntrls Internal cntrls are thse prcesses in place within RBPlat which assist in limiting the risks assciated with pursuing business bjectives. Cntrls include all plicies, prcedures, management systems and structures that assist RBPlat t perate efficiently, effectively and ethically. Frmal cntrls are likely t be in place fr many risk expsures. The degree and effectiveness f existing cntrls ver risks needs t be assessed. Majr risks that are nt subject t effective cntrls may cause catastrphic cnsequences. T assess cntrl practices, the fllwing questins apply: Are all apprpriate cntrls present? Are the cntrls perfrming adequately? Des the cntrl address the risk effectively r adequately? Is the cntrl fficially dcumented and cmmunicated? Is the cntrl in peratin and applied cnsistently? Is the cntrl reviewed by anyne independent f the persn perfrming the cntrl prcedure? T help describe and attribute a cntrl rating, the fllwing indicative ratings are used: Cntrl Rating Cntrl Name Cntrl Descriptin 0.20 Satisfactry Nthing mre t be dne except review and mnitr the existing cntrls. T the extent that is reasnably achievable, cntrls are well designed fr the risk, are largely preventative and address the rt causes and Management believes that they are effective and reliable at all times Imprving Mst cntrls are designed crrectly and are in place and effective. Sme mre wrk t be dne t imprve perating effectiveness r Management has dubts abut peratinal effectiveness and reliability Ineffective While the design f cntrls may be largely crrect in that they treat mst f the rt causes f the risk, they are nt currently very effective. There may be an ver-reliance n reactive cntrls. Sme f the cntrls d nt seem crrectly designed in that they d nt treat rt causes, thse that are crrectly designed are perating effectively Pr Significant cntrl gaps. Either cntrls d nt treat rt causes r they d nt perate at all effectively. Cntrls, if they exist are just reactive. 1.0 Nne Virtually n credible cntrl. Management has n cnfidence that any degree f cntrl is being achieved due t pr cntrl design and/r very limited peratinal effectiveness. DRAFT Page 37

38 ERM Framewrk DRAFT v0.2 Residual Risk Expsure (inherent risk x cntrl effectiveness) The Residual risk expsure can be calculated after cnsidering the effectiveness f the existing cntrls. Shuld the residual risk value still exceed the appetite and tlerance levels, treatment wuld be required. The fllwing rating table categrises the varius levels f residual risk. Residual Residual Risk rating magnitude risk Respnse Extremely High Unacceptable level f residual risk Implies that the cntrls are either fundamentally inadequate (pr design) r ineffective (pr implementatin). Needs Active Management: A risk actin plan must be established and implemented High Risk Unacceptable level f residual risk Implies that the cntrls are either inadequate (pr design) r ineffective (pr implementatin). Needs Regular Mnitring: Existing gd cntrls shuld be maintained and any additinal risk actins required shuld be defined and implemented Mderate Risk Needs Peridic Mnitring: Risk shuld be mnitred in cnjunctin with a review f existing cntrl prcedures. 1-5 Lw Risk Mstly acceptable level f residual risk Requires minimal cntrl imprvements. N Majr Cncern: Significant management effrt shuld nt be directed twards these risks. Residual Risk Appetite fr Risks in the Risk Register The Grup has adpted the Likelihd and Impact values described belw and fr the calculatin f Residual Risk Expsure. A risk with a Residual risk value f mre than 20 will nt be tlerated and will necessitate immediate management actin t reslve Cnsequence Likelihd Cntext Setting Once the criteria fr managing the risks has been develped and agreed t, it is imprtant t establish the cntext which requires the business t recgnise its bjectives. The business shuld understand its prducts and services and its custmers. This shared understanding is imprtant because it prvides the bundaries r cntext fr the risk assessments. Establishing the cntext defines the basic parameters fr managing risk and sets the scpe and criteria fr the rest f the prcess. The cntext may include bth internal and external parameters. Many f these parameters were cnsidered in the design f the risk management framewrk but need t be cnsidered in greater detail and particularly hw they relate t the scpe f the particular risk management prcess. DRAFT Page 38

39 ERM Framewrk DRAFT v0.2 RBPlat will undertake a detailed reassessment/ review f its risks at all levels within the rganisatin n an annual basis. The first part f this assessment is t prfile the key building blcks f RBPlat by means f a business dependency mdel. This will aid in highlighting its dependencies, critical parts f the business and identify vulnerabilities. Business Dependency Mdel External Change Internal Change Regulatry Cmpetitrs Objectives Infrmatin and Infrmatin Flws Prducts Key Assets and Capabilities External Stakehlders Industry Trends Markets Partners Explratin Drilling Mine develpment & cnstructin Strategic Prcesses Acrss the Value Chain Undergrund Mining Ore transprted t surface Crushing & Milling Fltatin & drying Smelting & refining Figure 9: Business Dependency Mdel Establishing the External Cntext External cntext is anything utside RBPlat which may influence the setting r achievement f ur bjectives. It is based n a cmpanywide view and includes, but is nt limited t: Regulatry: Cultural, plitical, legal, regulatry, financial, ecnmic and cmpetitive envirnment, whether internatinal, natinal r reginal Cmpetitrs: These are the cmpetitrs (bth current and future) that RBPlat has in the market in which we perate External Stakehlders: Perceptins and values f external stakehlders. All stakehlders that might have a material impact n RBPlat s perfrmance/ impact, including its Sharehlders, Cntractrs, Investrs, Financiers, cmmunities, Unins, etc. Markets: These are the markets and custmers that RBPlat has within which the rganisatin perates. Industry Trends: Trends within the industry that culd necessitate change r result in risk Partners: These are the strategic alliances and relatinships (including majr suppliers) that RBPlat has chsen t frm in supprt f its strategy Establishing the Internal Cntext Internal cntext is anything within RBPlat which may influence the way in which we will manage risk and includes, but is nt limited t: Objectives: These are RBPlat bjectives that are aligned t the strategic gals, missin and visin f the rganisatin. Infrmatin and Infrmatin Flws: This is the intellectual capital and flw f it RBPlat has develped and retains Key assets, capabilities: These are the defined key assets, including human capital that RBPlat has develped and maintained in supprt f its strategy, plicies and prcesses, standards and reference mdels, structures (e.g. gvernance, rles and accuntabilities) Prducts: These are the segments, services and prducts within which RBPlat perates and fcuses n, in supprt f its strategies. 1 Surce: Adapted frm The Institute f Risk Management Suth Africa (IRMSA) Cde f Practice DRAFT Page 39

40 ERM Framewrk DRAFT v0.2 Strategic Prcesses acrss the Value Chain: The strategic initiatives refer t the establishment f RBPlat strategic directin and mnitring executive management and rganisatinal perfrmance in achieving its strategic bjectives. These include prcesses that management have implemented and are expected t make a majr cntributin t the achievement f the strategic bjectives, missin and visin Risk Identificatin This step in the ERM Prcess entails the identificatin f material threats and risks which RBPlat is expsed t pre and pst risk mitigating steps by the business. This shuld be dne using the fllwing sub prcesses Identify ptential surces f risk assciated with the risk categrisatin mdel The risk categrisatin mdel prvides a ppulatin f the pssible risks the RBPlat culd be expsed t. A careful review f the entire risk categrisatin mdel culd reveal risks previusly verlked Identify ptential surces f risk assciated with the business dependency mdel Having established the business dependency mdel, the risk assessment prcess must then identify the ptential surces f risk assciated with each element f it. Risk is apparent in ptential sudden and unfreseen events, in variances, vlatility and failure. Risk will be apparent in nn-linear change, weakness and nn-perfrmance. Risk will als be reflected in dimensins f nn-cnfrmance. Surces f risk will be classified int external and internal factrs. The prcess must have a future rientatin as well as examining the facts f tday s business prfile Evaluate recent and imminent internal changes as pssible surces f risk Recent changes in RBPlat may be a surce f present risk. Equally, imminent change may alter the risk prfile. The nature f the changes may relate t the new initiatives, new markets being entered int bth lcally and internatinally, new partnerships, etc. Majr changes in RBPlat rganisatinal structure can change the dynamics f risk. Retrenchments, cutbacks and layffs are an bvius surce f risk. Significant shifts in strategic directin may increase the values at risk in the business Identify external changes and identify assciated risks Risk assessment prcesses must nt nly fcus n existing business dynamics. Near-future changes must als be included in the prcess. Time hrizns shuld be determined fr this. Anticipated changes that are self-generating will be easily identifiable, such as investments, capital prjects r new prducts. Their assciated risks must be assessed as part f the risk framewrk. Certain changes in the business sectr, but utside f RBPlat cntrl can als be anticipated such as regulatry change and cmpetitive mvements. Assciated risks must be assessed Emergent risks Emergent risks are thse that have nt yet ccurred but are at an early stage f becming knwn and/r cming int being and expected t grw greatly in significance. It accepted that the recgnitin f emergent is nt a precise prcess but the fllwing prpsed fcus areas i.e. tpics, under which emergent risks shuld be identified: DRAFT Page 40

41 ERM Framewrk DRAFT v0.2 Plitical: This relates t changes in plitical plicy (e.g. due t a change f Gvernment) r t actins f the plitical authrities. Legal: Risks arising frm legal actin r decisins made by the Curts. Examples are limitatins n what can be dne r financial penalties including damages and cmpensatin. Regulatry: Actins and limitatins by the regulatry authrities. Regulatry authrities include nt nly thse cvering the financial services industry but als mre general authrities such as thse respnsible fr health and safety, the envirnment and cnstructin planning. Direct Public Pressure: Direct actin by the large numbers f the public (e.g. by strikes r ther acts) r by pressure grups (e.g. thse based n lcal cncerns r thse having a specific agenda). It excludes cases where direct pressure results in actin thrugh the plitical, legal r regulatry prcesses. Security: This cvers risks ccurring frm actins needed t ensure security in the shrt term in respnse t specific events r threats and in the lng term frm the general security risks in sciety. It als cvers the risk f breaches r failures in security such as terrrist attacks. Criminal Activity Early mitigatin: This cvers all frms f criminal activity. Examples are vilence, sabtage and fraud. Technlgy: Changes due t the effects f new technical develpments that feed thrugh int changes that affect the prject. These may be based n new scientific discveries r n further implementatin f existing knwledge. Envirnmental: Risks due t any envirnmental factrs. These include climate change, weather, natural cnditins, natural disaster, disease and cntaminatin. They include the effects f changes t the envirnment due t human activity. Financial and Ecnmic: This cvers risks due t the finance f the prject r the ecnmic circumstances (lcal, natinal r internatinal) surrunding it. Examples are failure f finance and severe ver r underestimatin f cmmercial markets. It shuld be nted that all risks t a prject are likely t have financial cnsequences, many f them majr. This tpic is nt meant t cver the all risks but nly thse f a financial nature. Human Factrs: These risks arise due t the actins f peple. They can cme frm the actin f a large number f peple (e.g. a majr strike) r frm ne r a very few individuals (e.g. unauthrised perating machinery, cncealment f imprtant infrmatin). Fllwing the identificatin f emergent risk, by utilizing the abve brad fcus areas, its impact and likelihd culd be determined by undertaking the risk analysis prcess, utlined earlier Identificatin f generic cmpany specific risks In additin t the risks identified by the methds described abve t identify risks at mine level, effrt must als be allcated t identifying RBPlat specific strategic risks at Exc level. These risks must als be lgged in the risk register and fllw risk prcesses utlined in the ERM framewrk. DRAFT Page 41

42 ERM Framewrk DRAFT v Risk Assessment Once risks have been identified, they need t be assessed by thse wh identified the risk. The risk criteria discussed abve frms the basis fr this evaluatin, especially in terms f the calculatin factrs described abve fr likelihd and severity Assess the impact f risk acrss business areas Risks d nt nrmally exist in islatin. They usually have a ptential knck-n effect n ther functins, business prcesses and risk categries. These cause and effect relatinships must be identified, understd and dcumented. This principle is a deliberate and frmal part f the risk assessment prcess and the aggregated effect f these risk grupings and linkages shuld be als be recrded. Many crss-functinal effects f risk may nt be immediately apparent withut deliberate and systematic analysis, s a frmal apprach is required Identify the key cntrls currently in place fr the identified risks The existing cntrls in place fr identified risks must be dcumented (in line with the RBPlat Cntrl Internal Framewrk). A cntrl is nt nly a financial term as it is describes any mitigating measure fr any particular type f risk. Cntrls may take the frm f: Financial mitigatins such as hedges, insurance r securities Managerial actins such as cmpliance prcedures, plicies and levels f authrity Strategic decisin in nature such as diversificatin and investment related Legal actins such as cntracts and indemnities, etc Identify the perceived shrtcmings in current measures t mitigate the impact f risks Management must embark upn a frmal prcess t evaluate the apprpriateness f current cntrls. Executive bservatin and judgment is ften sufficient t identify shrtcmings in cntrl measures, and the level f desired cntrl effectiveness can be expressed. Operatinal and technical risks lend themselves mre t a mre rigrus prcess f evaluating cntrl effectiveness. Management must cnsider all categries f mitigatin in this prcess. Results must be recrded in the risk register Estimate the likelihd f risk events The likelihd f ccurrence must be assessed fr every identified risk based n the guidance prvided in the risk criteria discussed abve. A realistic evaluatin f the likelihd f the risk ccurring is essential, because it guides the allcatin f resurces in the cmpany. The estimated likelihd f the risk event must be recrded Identify any influencing factrs that may cntribute t r shape the risk prfile Having identified a key risk expsure (e.g. increasing cmpetitin) the risk assessment must identify the factrs that influence and shape the risk (e.g. barriers t entry). Every key risk will have influencing factrs r variables and these factrs may relate t inherent risk dynamics such as aggregatin, accumulatin and crrelatin. Others may relate t timing and cyclical factrs. Other influences will be reflected in vlatility, dependencies and criticality. The degree f diversificatin and spread f value may als shape the risk prfile. All influencing factrs must be dcumented as part f the prcess. DRAFT Page 42

43 ERM Framewrk DRAFT v Identify the ptential rt causes f risk events Expsures reflect the ptential fr risks materialising. Perils r triggers cause actual events. Such triggers f events must be identified and dcumented. Fr example, a business divisin may face a risk f interest rate hike. The trigger f such an event wuld be the decisin made by the authrities and the extent f the rate increase. The purpse f identifying ptential rt causes is t give directin t risk interventin measures. This prcess f identifying rt causes f risk events may be left until after the first rund f risk assessments has been cmpleted Estimate the ptential impact f the identified risk scenaris The cnsequences f risk are nt nly characterised in financial terms as described in the risk criteria sectin discussed abve. Management must cnsider the impact relevant accrding t the prevalent categry f the risk i.e. impact in terms f reputatin damage, persnal injuries and fatalities, media cverage, peratinal impact and defined bjectives f the strategy Evaluate the cntrls currently in place fr key risk Every risk shuld have a number f cntrls, mitigatins r interventins that have been designed t cntain the ptential impact f the risk. These cntrls need t be identified and evaluated. They will frm the basis f an assurance plan t the Bard f Directrs and may be tested by management, selfassessment prcesses, the internal audit prcess r ther independent means f evaluatin. It is vital that all f the existing cntrls fr identified risks are in turn evaluated in line within the guidance prvided in the risk criteria sectin discussed abve and shuld be dcumented. The gap between existing cntrl effectiveness and desired effectiveness must result in an actin plan Verify the levels f cmpliance with regulatry requirements RBPlat s risk appetite fr Regulatry risk is t avid it and adherence t legislatin and regulatry framewrks is nt negtiable. Risk-related requirements are incrprated int cntrl framewrks within RBPlat and these requirements must be verified. It is the respnsibility f management t build cmpliance prcesses arund these requirements. Any material breaches must be reprted as deemed apprpriate thrugh the structures f reprting develped fr this Risk Assessment Matrix This invlves assessing the magnitude f the cnsequences f a risk, shuld it ccur and the likelihd f the event ccurring taking int accunt the effectiveness f cntrls currently in place t mitigate the risk. This cnsequence and likelihd is cmbined t prduce a residual risk level Rank the risks in rder f pririty The ranking f risks in terms f net ptential effect prvides management with sme perspective f pririties. This shuld assist in the allcatin f capital and resurces in the business t address the risks. Althugh the scales f quantificatin will prduce an autmated ranking f risks, management may chse t raise the prfile f certain risks fr ther reasns. This may be justified, because f nnfinancial influences such as media implicatins, scial respnsibilities, regulatry pressures etc. The ranking f risks will als be shaped by strategic and business bjectives. DRAFT Page 43

44 ERM Framewrk DRAFT v Risk Respnse Risks abve the agreed appetite and tlerance levels shuld be identified and respnded t. A number f respnse ptins are available. There culd very well be instances where, after we have identified and assessed the risk, we actually chse t accept it as either the respnse will prve t be t expensive r it falls within ur appetite. Where this is the case it is still imprtant t recrd these situatins but when we d want t respnd t a risk, there are generally 4 respnse ptins: Respnse Avid Treat Transfer Accept Table 7: The risk respnse table Descriptin The risk by deciding either nt t prceed with the activity that cntains an intlerable risk (if this is practicable), chsing an alternative mre tlerable activity which meets the bjectives and gals f the rganisatin, r chsing an alternative less risky methdlgy r prcess within the activity. The ptin f adpting an alternative wrk practice f lwer risk reduces the cnsequences and/r likelihd f harm r lss and therefre, is a treatment and nt necessarily avidance f risk. Aviding the risk is equivalent t refusing t accept the risk. The likelihd r the cnsequences f the risk, r bth are treated. Nte that there is a trade-ff between the level f risk and the cst f reducing thse risks t an acceptable level. Where risk reductin is cnsidered bth feasible and cst effective, the required funding will need t be budgeted, with the respnsible persn ensuring that the risk reductin measures are carried ut t the level determined. Risks may als be transferred t thers thrugh insurance r cntracts, ften with utsurced service suppliers. Accept r Tlerate - a decisin is taken t accept the risk. Reasns why a risk may be accepted: The level f the risk is s lw that specific treatment is nt apprpriate within available resurces. The risk is such that there is n treatment available. Fr example, the risk that a prject might be terminated fllwing a change f gvernment is nt within the cntrl f an rganisatin. The cst f treatment, including insurance csts, is s manifestly excessive cmpared t the benefit that tleratin is the nly ptin. This applies particularly t lwer ranked risks. The pprtunities presented utweigh the threats t such a degree that the risk is justified. Higher levels f management will be cnsulted in the develpment f risk respnse plans which may als require advice frm risk cntrl and insurance specialists. Management f the prcess by senir staff shuld result in these plans being implemented. All risk respnse plans will be weighed in terms f the cst f implementing each respnse plan and the ptential benefits and respnses yielding adequate risk reductins at relatively lw cst will be implemented. Als, when cnsidering risk respnse ptins, it may be apprpriate t cmbine several respnse ptins and risk respnses may be specific t ne risk r they might address a range f risks. All risk respnses need t be dcumented and managed via the apprpriate risk gvernance structures. Where a risk respnse is utlined and implemented but desn t yield the desired utcme, the risk respnse will have t be re-assessed and addressed until the required result is btained Allcatin f risk treatment respnsibilities The senirity f the manager wh manages remedial actin depends n the nature and seriusness f the risk. This table indicates the apprpriate level f risk respnse respnsibility Risk Level Extremely High Risk High Risk Mderate Risk Level f Risk Respnse Respnsibility General Managers, Functinal Area Executives, Executive: Risk & Assurance, Chief Executive Officer, Bard Audit and Risk Cmmittee General Managers and HOD s, Functinal Area Executives, Executive: Risk & Assurance HOD s and relevant Risk Champins DRAFT Page 44

45 ERM Framewrk DRAFT v0.2 Risk Level Lw Risk Level f Risk Respnse Respnsibility Can nrmally use rutine prcedures t manage risks. Unlikely t need specific allcatin f resurces. Table 8: Apprpriate level f risk respnse respnsibility Resurces needed fr treatment Each department shuld budget fr risk mitigatin. Crprate and divisinal budgets shuld identify and capture the csts assciated with risk mitigatin csts captured Establishment f treatment milestnes and deadlines Prject plans fr treatment are captured in the risk registers. Deadlines r milestnes fr cmpletin f the prjects shuld be set t the shrtest time perid pssible, taking cgnisance f the significance f the risk. If prject plans have lng lead times, cnsideratin shuld be given t implementing interim measures r actins, if needed. If fr whatever reasn, actin plans cannt all be implemented at the time f being apprved, specific actin plans shuld be priritised based n the relative risk ratings RBPlat Specific Insurable Risks Fr all insurable assets and liabilities thrughut the Grup (e.g. buildings, legal etc), an apprpriate insurance prgramme shuld be in place. Insurable risks are identified and dcumented n the RBPlat risk register within the risk management system as well as the details surrunding the insurance. The apprach is cnsidered and ratified by the Executive Risk and Gvernance Cmmittee RBPlat Business Cntinuity Business Cntinuity Planning, including IT Disaster Recvery shuld be dne acrss the business and a cmprehensive Business Impact Assessments (BIA) shuld be perfrmed. The detailed BCP shuld include the fllwing: IT Recverability Assessment: The Recverability Assessment is a detailed evaluatin f the current backup and recvery prcedures and resurces. The bjective is t assess RBPlat s capability t achieve the recvery bjectives fr speed (Recvery Time Objective) and data integrity (Recvery Pint Objective), as identified during the Business Impact Analysis. This phase f the engagement will identify expsures and recmmend tactics t imprve IT recvery capability in the event f a disaster ccurrence. Qualitative Risk & Wrkplace Security Assessment The Qualitative Risk & Wrkplace Security Assessment is designed t fcus n the Data facility and a single adjacent building t determine its current physical cnditin, t identify pssible single pints f failure, and t recmmend actins fr risk mitigatin. The type f alternatives recmmended will depend upn the types f risks identified and may be based upn intangible factrs specific t the culture, business practices, and RBPlat plicies. Recvery Strategy Definitin Utilising the findings frm the Qualitative Risk & Wrkplace Security Assessment, the Business Impact Analysis and the Recverability Assessment, this phase f the engagement prduces a cst/benefit analysis f recvery strategy alternatives. The DRAFT Page 45

46 ERM Framewrk DRAFT v0.2 bjective is t identify the recmmended strategy fr IT recvery, by analysing the cst f recvery alternatives in balance with achieving defined Recvery Time and Recvery Pint Objectives. Data Business Recvery Plan Develpment The Data Business Recvery Plan is a cmprehensive guideline fr managing a disaster which affects the IT envirnment, based n a selected recvery strategy. The bjective f the Plan is t dcument a cnsistent, thrugh and tested set f tasks, which are then assigned t specific teams within the rganisatin and wh will be ready t respnd t a disaster situatin. Crprate and Divisinal Cntinuity Plan Develpment The Crprate and Mine Cntinuity Plans crdinates disaster recvery activities acrss a designated set f critical business functins. The bjective is t define the tasks that users must cmplete t respnd t a disaster fr their department, s that they can perfrm vital functins nce the IT infrastructure has been restred. Crisis Cmmunicatin Plans The Crisis Management Plan extends the scpe f the Data Business Recvery Plan, Crprate and Departmental Plans, t prvide a structured plan and prcess fr managing a crisis. The bjective is t establish key cmmunicatins and defined rles and respnsibilities frm tp executives t line management fr disaster situatins that require pre-planned and early warning staged activities, such as emergency Cmmand Centres and planned evacuatins. Service Cntinuity Plan The Service Cntinuity Management Plan extends the scpe f the Business Services Recvery Plan, t prvide a structured plan and prcess fr managing a majr r minr interruptin f services. The bjective is t establish key cmmunicatins, manual prcesses r wrk- arund s and defined rles and respnsibilities frm tp executives t line management fr any service situatin that require cntinuity Risk Mnitring and Oversight Risk prfiles change ver time t the extent that risk treatment plans that were nce effective may becme irrelevant; cntrl activities may becme less effective, r n lnger be perfrmed; business bjectives may change r regulatry requirements may change. This can be due t the arrival f new persnnel, changes in the business structure r directin, the intrductin f new systems and prcesses r develpments in the external envirnment. In the face f such changes, management needs t cntinually mnitr the effective functining f the risk management prcess. This mnitring shuld ccur in the nrmal curse f management activities. The fllwing mnitring mechanisms will be implemented within RBPlat: Mnitring f the apprpriateness and accuracy f risk management criteria The risk management criteria will be mnitred fr suitability within the RBPlat cntext. This will ensure the criteria used as a base fr measuring and reprting risk accurately: DRAFT Page 46

47 ERM Framewrk DRAFT v0.2 Reflects the maturity f RBPlat and ur ability t measure and reprt n risk Reflects the level f detail RBPlat wants t measure and reprt risk n Mnitring f implementatin f risk respnse plans Actin plans t develp and implement risk respnse plans need t be mnitred t ensure that the necessary plans are implemented n schedule and as intended. This mnitring prcess shuld be embedded within the nrmal day t day mnitring prcesses already in place within the business e.g. departmental meetings, management meetings, Business Review meetings etc. Internal audit will als evaluate the status f actin plans fr significant risk expsures as part f their rutine audits Mnitring f n-ging effectiveness f risk treatment cntrls The effective peratin f risk treatment cntrls must be evaluated n an n-ging basis. Each functinal area within the business will need t develp its wn plans as t the frequency and scpe f these reviews taking int accunt, inter alia, legal and regulatry requirements. These reviews may include management reviews, self-assessment reviews and third party reviews as apprpriate. The Internal audit functin will als perfrm an independent review f selected risk treatment cntrls Mnitring f the effectiveness f the risk management prcess The entire risk management prcess needs t be reviewed n a peridic basis. Internal Audit r an independent external cnsultant will be respnsible fr perfrming such review and prviding assurance that the risk management prcess has been applied apprpriately acrss RBPlat and that all elements f the prcess are suitable and sufficient. The mnitring cmpnent ensures that all ERM cmpnents functin at all levels as the envirnment changes ver time. Mnitring is carried ut either thrugh ne time evaluatins r cntinuus evaluatins. Examples f cntinuus evaluatins are as fllws: Cntinuusly review f reprts Cmmunicatins frm external parties may crrbrate internal data r, indicate prblems; Self-assessment; Training seminars, planning sessins and meetings prvide insights t emplyee s cmpetency, ethical cnduct and risk behaviurs Cntinuus Imprvement Thrugh the cnstant mnitring and versight f the ERM prcesses and engagement f all stakehlders (primarily thugh the Risk Frum meetings), it is expected that imprvement pprtunities will be identified and subsequently implemented. In additin, n an annual basis, Risk Management will undertake a frmal exercise t engage with all stakehlders t identify where the ERM prcesses can be imprved Risk Management Infrmatin Systems RBPlat shuld investigate the acquisitin f risk management infrmatin systems t manage risk events acrss the ERM Prcesses. DRAFT Page 47

48 ERM Framewrk DRAFT v RISK CALCULATIONS The utput frm the ERM prcesses will serve as input fr risk-related calculatins which will be reprted n Risk Appetite Calculatins Once the risk appetite statement is in place and the limit structure has been defined and cascaded thrughut the rganisatin, regular mnitring f the current risk prfile against the limit structure and risk appetite statement will be required. Risk appetite calculatins will be dne and reprted n a quarterly basis, initially using an excel tl as the ERM maturity prgresses s RBPlat will strive mve t mve t real time reprting using an integrated BI tl. During the initial rll ut f the risk appetite, calculatins and reprting will be made at crprate level. Once the crprate risk appetite and assciated reprting has been fully embedded the prcess will be extended t functinal area level and Mine level as part f the jurney up the ERM maturity scale. The measurement apprach, as described in the diagram belw, requires business divisins t determine three key ranges fr the tlerances: Target: the target value / range t achieve Acceptable: Observatins that fall within this range a will be acceptable and require n actin Tlerable: Observatins fall within this range a will be acceptable and require clse mnitring Unacceptable: Observatins that fall within this range will be unacceptable and require immediate actin and cntinuus mnitring On a quarterly basis, Risk Management is required t btain the actual tlerance figures and classify the results in terms f the management interventin ranges described abve and then perfrm the necessary risk appetite reprting. DRAFT Page 48

49 ERM Framewrk DRAFT v0.2 The target value / range t achieve set by Business Observatins that are expected t fall within this will be acceptable / tlerable / unacceptable and require the assciated management actin Tlerance Ntes Current Target/ Limit Tlerance fr XYZ ABC% XYZ% Acceptable Tlerable Unacceptable Q% W% R% Z% X% C% Indicatin f the current value Deviatins frm target t result in management interventin (Target realized) / target as a % Indicatin the impact n the Target value when the deviatin is applied Figure 10: RBPlat Risk Appetite calculatin Measure against the KRIs (Risk Dashbards) Key Risk Indicatrs (KRIs) prvide effective risk mnitring tls t track changes in risk levels and keep management apprised f shifts in established patterns. KRIs prvides data n whether a risk is trending up, dwn, r is stable, bth nw and in the future. This acts as an early warning system, enabling management t take actin t prevent the risk materialising. KRI s are a vital step in making risk infrmatin mre transparent, and have begun data cllectin frm the business units. There are sme readily available surces frm which KRI s can be derived. These surces include: Plicies and regulatins. Strategies and bjectives. Stakehlder requirements. The main bjective f the review against KRIs is t assess whether the business peratins and functinal areas are meeting RBPlat Grup Risk minimum standards and expectatins and highlight thse areas where imprvements are required. KRI s culd als be used t identify negative trends as is the case in this example. Hwever, the KRI culd als be used fr research r benchmarking. Any KRI s indicating a negative trend shuld be escalated t the Executive: Risk & Assurance. This exercise is fcused n: Risk Appetite Internal Risk Events (IRE) r lss data (frm the Risk Register r SHE System statistics) Risk Champins, in cllabratin with RBPlat Crprate Risk, need t frmulate detailed actin plans designed t address each f the identified weaknesses r deficiencies in their business area. This actin plan, which is prvided t RBPlat Crprate Risk, has clear wners and delivery dates. The implementatin f all agreed actin plans are ging t be mnitred by RBPlat Crprate Risk. Any key slippages will be cmmunicated t the relevant Risk Frum and/r Executive Risk and Gvernance Cmmittee. DRAFT Page 49

50 ERM Framewrk DRAFT v Operatinal risk event data As part f the maturity prgressin f the ERM framewrk within RBPlat, the transparency and quality f data will be imprved thrugh the rll ut f frmal lss data cllectin standards fr the peratinal and strategic risk categries and embedding them acrss RBPlat. Standardisatin f lss infrmatin acrss RBPlat will facilitated early identificatin f trends leading t cntrl imprvements, enhanced risk mitigatin and imprved aggregatin f lsses. Our aim is t mitigate further peratinal risk events that lead t lsses, within reasnable expectatins, and t learn frm all lsses t imprve prcesses and prevent recurrence. A database will be administered, utlining significant peratinal lsses in ur peratins and this data will assist us t take mitigating actins practively, t avid incurring similar lsses in the future while imprving custmer experience. By cllecting data systematically and cnsistently we are able t pinpint repetitive prcess failures and actively imprve cntrls in these areas ERM POLICIES RBPlat is cnscius abut actively develping and regularly reviewing adequate written risk management plicies that include a definitin and categrisatin f the material risks t which we are expsed, taking int accunt the nature, scpe, and time hrizn f the business, the levels f acceptable risk limits fr each type f risk and the assignment f specific risk management bligatins acrss RBPlat, including in respect f risk escalatin and risk mitigatin. The ERM plicy framewrk supprts ur crprate purpse by prviding a cnsistent high level apprach t managing the risks we face in pursuit f ur strategic bjectives. Risk plicy statements set ut the minimum standards that must be applied cnsistently acrss the business. Their purpse is t ensure that risks are managed in line with the risk appetite and that business divisins perate effectively and efficiently, in cmpliance with all applicable laws and regulatins. Operatins and Functinal Areas ensure that their lcal prcedures are aligned t the RBPlat Risk Plicy Suite. Plicies are subject t regular review t reflect changes in circumstances and the risk appetite. Plicies in place cver a range f tpics, including financial risk, safety, health and envirnmental risk, peratinal risk, regulatry risk). The acceptance, implementatin, adherence and measurement f these plicies is aligned t the Plicy framewrk and are mapped t ur risk categrisatin mdel and frm a key part f ur gvernance framewrk. Their implementatin allws RBPlat t establish a cmmn framewrk f cntrl acrss the business. DRAFT Page 50

51 ERM Framewrk DRAFT v Structure f the Risk Management Plicy Suite RBPlat will adpt a cnsistent apprach t Enterprise Risk Management (ERM) that cnfrms t gd practice and is in cmpliance with Slvency Asset Management (SAM) requirements. This apprach must include the articulatin f minimum principles and standards and is structured as fllws: The ERM plicy prvides the verarching minimum principles and assciated standards fr the management f ALL risks within RBPlat. Each risk management principle is supprted by a set f standards setting ut hw RBPlat will apply the principles Measurement f cmpliance t the plicy is at the standards level Level 1 Individual risk-specific plicies (e.g. peratinal risk plicy r regulatry risk plicy), as described in the RBPlat risk categrisatin mdel have been develped t supprt the ERM Plicy, where apprpriate ERM Plicy The ERM risk plicy specifies a set f nine risk management principles and the assciated mandatry minimum standards fr the management risk acrss the business related. The list f risk management principles is described belw: The management f Risk must align t and be cgnisant f the verarching guiding principles f the RBPlat grup and sund business practice. An apprpriate strategy must be in place fr managing risk acrss RBPlat. Apprpriate risk gvernance structures must be in place t ensure that the RBPlat risk management standards are met. Risk appetite limits must be in place fr each Level 1 risk defined in the RBPlat risk categrisatin mdel and the risk appetite must be cnsistent with the Risk Strategy and reflect the preference fr and/r avidance f risk. Apprpriate risk management prcesses and metrics must be in place t ensure risks are identified, assessed and reprted n a cnsistent basis. Apprpriate risk tests and calculatins, including scenari analysis, shuld be perfrmed t better manage risks within RBPlat. Apprpriate risk reprting must be in place t supprt the management f risk. The risk management system must be reviewed t ensure that it is cnsistent with best practice, as apprpriate fr RBPlat. An pen and transparent rganisatinal culture that encurages the right risk management behaviurs must be fstered Financial Risk Plicy The RBPlat Financial Risk Plicy will: Specify the mandatry minimum standards fr the management f market risk acrss the business Specify the nature, rle and extent f RBPlat s investment and/r brrwing activities Establish explicit risk management prcedures with regard t mre cmplex and less transparent classes f asset, and investment in markets r instruments that are subject t less gvernance r regulatin. Take int accunt the Cde fr Respnsible Investing by Institutinal Investrs in Suth Africa which was issued by the Cmmittee n Respnsible Investing by Institutinal Investrs in Suth Africa. Adhere t the Prudent Persn Principle : DRAFT Page 51

52 ERM Framewrk DRAFT v0.2 RBPlat will nly invest in assets and instruments whse risks the rganisatin can prperly identify measure, mnitr, manage, cntrl, and reprt. RBPlat will nly partner with credible investrs that have a gd gvernance and investment track recrd and with an acceptable credit rating (t be determined in Financial risk plicy) Specify the mandatry minimum standards fr the management f credit risk acrss the business Operatinal Risk Plicy The peratinal risk plicy s bjective is t prvide the mandatry minimum standards fr the management f peratinal risk acrss RBPlat. Operatinal risk refers t the risk that RBPlat will nt achieve its strategic business bjectives due t failed peple, prcess, system and / r external events and includes: Prcess / Cntrl failures: The risk that RBPlat will nt achieve its strategic business bjectives due t prcess and / r assciated cntrl (n the prcess) failure. Internal Fraud: The risk that RBPlat will nt achieve its strategic business bjectives due t deliberate acts by emplyees intended t defraud, misapprpriate prperty r circumvent regulatins, the law r cmpany plicy and harm the rganisatin r a third party. External Fraud: The risk that RBPlat will nt achieve its strategic business bjectives due t deliberate acts by external parties intended t defraud, misapprpriate prperty r circumvent regulatins, the law r cmpany plicy and harm the rganisatin r a third party. Accidents and acts f nature: The risk that RBPlat will nt achieve its strategic business bjectives arising frm accidents and natural disasters. Wrk related accidents will be cvered by the Safety Health and Envirnmental Plicy. Emplyment practices: The risk that RBPlat will nt achieve its strategic business bjectives frm acts incnsistent with emplyment practices. Sales, prducts and business practices: The risk that the rganisatin, its prducts and emplyees fail t meet its prfessinal, legal and fiduciary bligatins twards its clients and third parties. Technlgy: The risk that technlgy systems are inadequate Data: The risk that RBPlat will nt achieve its strategic business bjectives due t data that is nt fit fr purpse Safety, Health and Envirnmental Plicy The SHE Plicy will cnfirm RBPlat understanding f its peratins and that it has the ptential t negatively affect the Health and Safety f peple and can cause damage t the Envirnment. As an undergrund mining peratin with an nsite cncentratr at BRPM and new mine develpment peratin at Styldrift Mine, the plicy fcus n, but nt limited t the fllwing significant SHE risks: SAFETY HEALTH ENVIRONMENTAL Trucks and Tramming HIV/AIDS Water Pllutin and availability Winches and Rigging Hearing Impairment Waste Handling Fall f Grund Management TB Disturbing Natural Resurces Equipment/material handling Irritants Cntact Bidiversity Management Man/ Machine Interactin Climate change (i.t.. bth emissins management and adaptatin) DRAFT Page 52

53 ERM Framewrk DRAFT v0.2 In rder t manage these risks, an RBPlat specific SHE Mdel is applied fr assessing new nsite initiatives and activities as well as assessing failures t the alignment with the SHE Strategy Sustainable Develpment Plicy The sustainable develpment plicy will drive RBPlat s cmmitment t its Scial and Labur Plan in additin t its envirnmental preservatin initiatives. The plicy will unpack RBPlat s cmmitment t the gal f sustainable develpment in balancing ur aspiratins fr a prsperus mining business with respnsibility and accuntability fr the impact n the natural envirnment and cmmunities within which it cnduct peratins. It will als cnfirm its missin t create stakehlder value frm safe PGM extractin t leave a lasting psitive legacy fr future generatins. Thrugh this plicy RBPlat will maintain its scial license t perate, enhance its reputatin and practively respnd t risks and assume pprtunities t maintain a cmpetitive advantage Ethics Plicy The Ethics Plicy will drive RBPlat s values and standards f right, gd and fair cnduct t shape decisins and actins f rganisatins and individuals making decisins n its behalf. The actins f RBPlat and its internal and external stakehlders will cnfrm t a set f ethical standards as defined by sciety, by laws and regulatins, and by rganisatin s wn internal plicies and prcedures. This plicy will cnsist f fur primary areas: leadership cmmitment gvernance structure establishing an ethics management prcess develping an ethical culture RISK REPORTING External Reprting Integrated Reprt Risk management activities will be reprted in the annual reprt and shuld include, amngst ther disclsures, that: The Bard is accuntable fr risk management There is an n-ging prcess fr identifying and managing risks Risks are regularly reviewed and evaluated There is an adequate system f cntrl in place t manage and apprpriately mitigate the risks There is a business cntinuity and fraud preventin plan in place The prcess f risk management includes: Significant jint ventures and assciates Sustainability risks Reasns fr nn-disclsure f specific risk management infrmatin Internal Reprting Management reprts will be cmpiled and submitted t the fllwing gvernance structures: DRAFT Page 53

54 ERM Framewrk DRAFT v0.2 Bard (when and where required) Bard Audit and Risk Cmmittee Executive Cmmittee Executive Risk and Gvernances Cmmittee Risk Frums (Mine and Crprate) Operatinal reprts shuld be reviewed by the relevant respnsible persn (as per this framewrk) and will be cnsidered at the varius frums/ cmmittees The Executive: Risk and Assurance, supprted by the Executive Risk and Gvernance Cmmittee, is respnsible fr the n-ging reprting n risks and the risk management prcess t the varius stakehlders. The risk escalatin prcess shuld establish prcedures bth fr reprting n risk issues within nrmal reprting cycles and n an ad hc basis t address matters f particular urgency Risk Champins Risk Champins need t update their risk register and reprt the fllwing t Risk Management: The risks which individual managers are respnsible and accuntable fr The current/recrded cntrls in place t manage thse risks including the assessment f the cntrl effectiveness The estimated residual risks/expsures fr each risk including agreed management actins and plans Feedback n the prgress f risk respnse plans Recent feedback frm assurance prviders regarding their independent assessments Executive Risk and Gvernance Cmmittee The fllwing needs t be presented t the ERC: High risk expsures and assciated management actins and plans Crss- cutting risks and assciated management actins and plans Perfrmance against the Risk Appetite Details f status/prgress in risk management prcess/cntrl effectiveness by individual, department and/r peratinal prcess Areas where there is a lack f prgress in risk management prcess/cntrl effectiveness - t be fllwed up and actined with individual managers/department heads Summary f the verall risk management prcess, highlighting areas requiring attentin in rder t ensure the timeus and effective implementatin f apprved risk management initiatives - t be fllwed up and actined with the respnsible individual managers/department heads Bard Audit and Risk Cmmittee Summary f the verall risk management prcess and an assessment f its effectiveness highlighting areas requiring Bard attentin DRAFT Page 54

55 ERM Framewrk DRAFT v0.2 Status Reprt n the Risk Management Implementatin plan highlighting the next steps in the way frward Overview f the Risk Prfile fr RBPlat, including: Areas f highest risk befre existing cntrls Areas f highest expsure after existing cntrls Key cntrls relied upn by management Significant changes in individual risk and cntrl assessments Critical management actins required and status f implementatin Measurement against key perfrmance standards and indicatrs established fr the risk management prcess Recmmendatins fr disclsures regarding risk management in the Integrated Reprt Incident reprts This is an internal management functin and will frm part f the enterprise risk management framewrk. The destinatin f incident reprts will be determined by the nature f the lss, but lsses that riginate frm risks cntained in the key risk registers must always be elevated t higher levels f management. Variance reprts are incrprated int rutine management reprting prcesses Risk Appetite Reprting On a quarterly basis Risk Appetite reprting will take place. As an interim measure, an excel tl will be develped t prcess the data and prepare a Grup Risk Reprt and a Risk Dashbard : Risk Dashbard t reflect key risk appetite tlerance perfrmances and will be presented at the Bard Audit and Risk Cmmittee as well as ther tlerance that d nt fall in the Acceptable management interventin range and warrant reprting at Bard Risk Cmmittee. The Grup Risk Reprt will be discussed at the Risk and Gvernance Cmmittee and will reprt n all tlerance perfrmances. Only measurements that d nt fall int the Acceptable management interventin range will be reprted n. In additin t reprting the tlerance perfrmances ver the previus perid, management actin and expected reslutin time will als be reprted fr thse tlerances utside the Acceptable range. Shuld a tlerance fall in the Tlerable range, measurement and reprting will be dne n a mnthly basis, as ppsed t a quarterly basis, until the tlerance falls in the Acceptable range. Shuld a tlerance fall in the Unacceptable range, measurement and reprting will be dne n a weekly basis, as ppsed t a quarterly/mnthly basis, until the tlerance falls int a range mre cnsistent with cmpany appetite DRAFT Page 55

56 ERM Framewrk DRAFT v ERM COMMUNICATION, EMBEDDING, MONITORING, REVIEWING AND IMPROVING Risk Infrmatin and Cmmunicatin The varius stakehlders bth within and external t RBPlat requires different infrmatin regarding the enterprise risk management prcess General Risk Gvernance Cmmunicatin The diagram belw reflects the cmmunicatin channel and methd f infrmatin distributin acrss the risk gvernance structures. Cmmunicatin and Reprting Bard Executive Cmmittee Line Management Bard Audit & Risk Cmmittee Functinal Executives Mine General Managers Risk Champins Mine & Crprate Risk Frums Risk and Gvernance Cmmittee Grup Risk Prfile Apprve ERM Plicy and Framewrk Overall Risk Gvernance Review effectiveness f risk assesment prcess Cnfirm RBPlat Strategic/ Grup Risk Prfile Mnitr implementatin f Risk Respnse Plans Determine and mnitr Risk Appetite Figure 11: Risk Gvernance Cmmunicatin Strategic Risk Prfile Mine/ Functinal Area/ Prject Risk Prfiles cnslidated Cmpany Risk Prfile agreed Strategic Risks determined Risk Type Prfiles determined Crss-cutting risks evaluated Determine and Mnitr Risk Tlerances Cmbined Assurance Mine/ Functinal Area Risk Prfile Risk Identificatin and Evaluatin Existing Cntrls agreed Risk Respnse develped Risk prfile mnitred and updated peridically Determine and Mnitr Risk limits (KRI) Internal Cmmunicatin Bard, Audit & Risk Cmmittee, Executive Cmmittee and CEO shuld: Knw abut the mst significant risks facing RBPlat Knw the pssible effects n sharehlder value f deviatins t expected perfrmance ranges Ensure apprpriate levels f awareness thrughut RBPlat Knw hw RBPlat will manage a crisis Knw the imprtance f stakehlder cnfidence in the rganisatin Knw hw t manage cmmunicatins with the investment / funding cmmunity where applicable Be assured that the risk management prcess is wrking effectively Publish a clear risk management plicy cvering risk management philsphy and respnsibilities DRAFT Page 56