Corporate governance and risk

Remuneration committee

The members of the remuneration committee were: Ntombi Langa-Royds (chairperson), Joe Shibambo and Jerry Vilakazi. All the members are non-executive directors. PwC, appointed by the company, acted as remuneration advisors to the committee and provided detailed information on market trends and the competitive positioning of remuneration.

The committee normally asks the CEO to attend its meetings but he has no voting rights. He does not participate in discussions on his own remuneration, which is set by the committee. 
 
Terms of reference
The committee performs all functions necessary to fulfil the role stated in its terms of reference, including: 
Overseeing the establishment of a remuneration policy that will promote achieving strategic objectives and encourage individual performance 
Ensuring the remuneration policy is put to a non-binding advisory vote at the general meeting of shareholders once every year 
Reviewing the outcomes of implementing the remuneration policy against set objectives 
Ensuring the mix of fixed and variable pay, in cash, shares and other elements, meets the company’s needs and strategic objectives 
Satisfying itself on the accuracy of recorded performance measures that govern the vesting of incentives 
Ensuring all benefits, including retirement benefits and other financial arrangements, are justified and correctly valued 
Considering the results of the performance evaluation of the CEO and other executive directors, both as directors and as executives in determining remuneration 
Selecting an appropriate comparative group when comparing remuneration levels 
Regularly reviewing incentive and retention schemes to ensure continued contribution to shareholder value and that these are administered in terms of the rules 
Considering the appropriateness of early vesting of share-based schemes at the end of employment 
Advising on the remuneration of non-executive directors
Overseeing the preparation and recommending to the board the remuneration report, to be included in the integrated report. 
 
Compliance with terms of reference
The committee has reviewed group remuneration policies to ensure these are aligned with the company’s strategy and linked to individual performance.

For a more detailed report on remuneration. View the remuneration policy of the company and shareholders will be requested to pass a non-binding advisory to indicate support for this policy at the annual general meeting. The fees proposed for non-executive directors for 2011, which are subject to shareholder approval
 

Black economic empowerment and transformation committee* 

The members of the BEE and transformation committee were: Ntombi Langa-Royds (chairperson), Joe Shibambo, André Lamprecht and Peter Malungani. All members of the committee are non-executive directors.

The committee has its own terms of reference approved by the board and reviewed annually. The chairperson reports to the board on the activities and recommendations made by the committee and the latest minutes of committee meetings are included in board packs.

The committee assists the board in adopting a holistic approach to transformation and complying with all relevant legislation or charters. The newly constituted social and ethics committee had its first meeting on 26 October 2010.   
* This committee has been reconstituted and in the new financial year will be known as the social and ethics committee
 
Terms of reference
In line with its terms of reference, the committee’s objectives are to:
Ensure management embraces the principles of transformation enterprise-wide across all facets of the group’s activities 
Develop and implement an appropriate transformation strategy
Ensure equity ownership of PPC conforms to the requirements of the mining charter to achieve effective 26% empowerment by 2014 to qualify for new mining rights 
Regularly review policies, plans and processes aimed at facilitating transformation in the group 
Review integrated annual reporting to stakeholders on aspects of transformation 
Provide an objective forum dedicated to policy recommendation to the board and guiding significant matters on transformation within the group. 
 
Compliance with terms of reference
For a detailed review on transformation.
 

Deal committee

The members of the deal committee are: Peter Malungani (chairperson), Peter Esterhuysen, Ntombi Langa-Royds, André Lamprecht, Bheki Sibiya and Paul Stuiver. As noted, Peter Malungani is not an independent director but the majority of members are non-executive directors, most of whom are independent.

The committee is an ad hoc body and its terms of reference are to: 
Consider strategic options and recommendations presented by management on international expansion 
Provide guidance, support and explore options that will facilitate progress in periods between board meetings. 
 
Committee meetings are scheduled when required by progress on transactions. 
 

Compliance report 2010

A compliance function has been established in the group’s legal services department. It is responsible for advising and assisting the board and management with awareness and assessing compliance with the regulatory environment. A comprehensive compliance report is submitted to the risk and compliance committee twice a year, which in turn reports to the board.

The compliance function’s structure and approach enable it to support management at all levels by leveraging off specialised technical skills and business knowledge. Compliance is structured into centralised and decentralised functions. The former is responsible for group-wide monitoring and forms the centre of expertise on legislation and regulatory impact on the group. The latter comprises compliance champions and unit compliance officers who are deployed into the various business units. They are responsible for business-specific monitoring, training and advice.

The two key areas of responsibility are: 
Identifying and advising the group on existing and new legislation applicable to its business 
Facilitating compliance with relevant legislation and assigning responsibility for areas of compliance. 
 
Once new legislation is identified, management appoints a task team to conduct an impact assessment. After that, project plans and timelines covering implementation and training are agreed and implemented.
 

Focus areas in review period

There have been many changes to laws and regulations in prior years, with more to be finalised or effective shortly, most notably: 
King III
King III came into effect on 1 March 2010. During the year a gap analysis between the group’s current practices and those recommended by King III confirmed that many King III practices and recommendations are already in place. Those areas requiring corporate governance changes have been identified and most gaps have been closed. 
The new mining charter
South Africa launched a new charter in September 2010 to facilitate the sustainable transformation and development of its mining industry, with emphasis on a target of 26% black ownership of the country’s mining assets by 2014. The implications of the new charter have been incorporated into the company’s transformation roadmap which has been approved by the board for implementation. 
Environmental impact assessment regulations (NEMA)
These regulations govern procedures and criteria as contemplated in chapter 5 of the act for the submission, processing, consideration and decision of applications for environmental authorisation of activities and related matters. The promulgation of these regulations influenced PPC’s earlier withdrawal of its EIA application in the Western Cape.
Training and awareness
In addition to training on new legislation, the compliance unit implemented and concluded an intensive training programme for all grade 1-6 employees on competition legislation. All new employees joining the company at these job levels will be required to complete this training. 
 
New legislation that will affect the group in the new financial year includes:
Consumer Protection Act
This act aims to promote a fair, accessible and sustainable marketplace for consumer products and services. The act will entrench national norms and standards on consumer protection and provide for improved standards of consumer information. The act prohibits certain unfair marketing and business practices and promotes responsible consumer behaviour 
New Companies Act
The act aims to simplify the registration of companies, encourage entrepreneurship and high standards of corporate governance, balance the rights and obligations of shareholders and directors, and promote the efficient and responsible management of a company. It also provides for increased liabilities for directors for breaches of fiduciary duty or for any direct or indirect loss, damage or costs sustained by the company as a result 
Protection of personal information bill
The bill was tabled before parliament in August 2009. Once enacted, it will regulate processing personal information of individuals and juristic entities and will apply to all private- and public-sector bodies as well as individuals. 
 
Management carried out an extensive impact analysis of this legislation in 2010 and has task teams in place to ensure PPC effectively addresses compliance implications. 
 

Key regulators

PPC is regulated by several stakeholders including the JSE, Department of Trade and Industry, Department of Water and Environmental Affairs, Department of Mineral Resources and SARS. The group seeks to maintain relationships of trust and transparency with all regulators.

The compliance function guides business units before and during submissions to and meetings with regulators. It also maintains a log of all interactions with regulators and reports to the risk and compliance committee on the outcomes of these interactions. 
 

Prosecutions

In November 2009, PPC was granted conditional leniency from prosecution under the Competition Act by the competition commission. This was in exchange for PPC’s complete and truthful disclosure of market-sharing arrangements between PPC and its competitors in the late 1990s. This investigation is ongoing. 
 

Risk management review

In 2008, PPC commissioned an independent high-level review of its risk management function, which covered the group risk strategy, governance, risk management process, risk management function, culture and capability. Based on the results, PPC is further enhancing its risk management system by adopting the ISO 31000 standard for managing risks and King III principles on governance of risks.

PPC’s commitment to managing risks and opportunities is supported by the recently developed comprehensive enterprise-wide risk management policy and framework. This follows a holistic approach to identifying, evaluating and treating risks and opportunities. With this tool, the organisation aims to ensure that managing risks and opportunities is an integral part of PPC’s corporate governance system.

The group risk unit, being at the focal point of this process, is responsible for coordinating the identification and documentation of risk areas throughout the group, enhancing the risk management system and regularly monitoring its effectiveness. Internal audit plays a vital role in providing assurance to the board on the effectiveness of the system. Any findings are taken into account as part of the continuous improvement of our risk management system.
 

Enterprise-wide risk management framework

PPC’s risk management framework (shown below) has been aligned to the requirements of King III and incorporates best governance and risk practices. It is supported by a risk management plan that details the approach to be taken to address and improve risk management in PPC to achieve set objectives. 
 

PPC’s enterprise-wide risk management framework

 

Developing the risk management framework

Interviews were conducted with a large number of stakeholders including members of the board (executive and non-executive), members of the risk and compliance committee, members of management, internal and external audit. All the information collected was considered and incorporated into the draft framework where appropriate.

The PPC group risk management policy has been developed against requirements of King III, among others, and was authorised in September 2010. The policy institutes the mandate from the group chief executive officer as delegated by the board and provides the statement of commitment for implementing risk management in the group. In terms of the policy, our goal is to ensure that risk management is embedded in our business by implementing an integrated risk management plan.

A combined assurance model has been developed in line with King III to ensure that all risks identified are subjected to the appropriate level of control and assured by internal and external providers as appropriate. Internal audit provides assurance to the board on the effectiveness of the system.

The risk management framework and processes have been developed to ensure a consistent approach to managing risk across PPC. A risk management plan details the approach to be taken to address and improve risk management in PPC to achieve set objectives.

Managing risk and setting the risk appetite is the board’s responsibility, which it discharges through its risk and compliance committee. This committee has not yet articulated the group risk appetite since the focus has been mainly on audit materiality. With the implementation of the enterprise-wide risk management process in PPC, the board has taken the initiative in investigating ways of setting these values and the process of establishing the overall risk-bearing capacity and risk appetite is under way. This will ensure our business objectives and strategies are aligned with these values and that limits are set for management to take risks and exploit opportunities within set tolerance limits.

The group values the importance of stakeholder engagement and has therefore attempted to identify its stakeholders and their reporting needs. To ensure transparency in our systems, risk information affecting these stakeholders will continue to be shared without compromising commercially privileged information. 
 

Risk management policy

Risk is inherent in most business activities. PPC will evaluate and manage risk through a structured and integrated risk management process that considers the interests of all stakeholders.

Risk management comprises the identification and evaluation of existing and potential risk associated with the company’s operations and strategy, followed by appropriate management responses such as tolerance (acceptance), mitigation, transfer, avoidance or termination or a combination of such responses.

The board is accountable to shareholders for the governance of risk and should ensure that the company’s strategic and business plans have properly considered and evaluated the associated risks. In fulfilling this obligation, the board approves and annually evaluates the implementation of this policy and the risk management plan of the company.

The board has delegated responsibility to evaluate the risk management progress, effectiveness of risk management activities, key risks facing the company and appropriate responses to address key risks, to the risk and compliance committee of the board.

The board has delegated the responsibility to design, implement and monitor the risk management plan to management. Risk management is however a team effort and every employee will be responsible for managing risk in his/her working environment and should assist in identifying risk at all levels and in all functions of the business as required by the integrated risk management plan. Regular and formal risk analysis will provide the basis for risk identification and evaluation, and appropriate risk responses and treatment.

Management will ensure effective management of risk through continuous and regular measurement and reporting of the company’s risk management performance to the risk and compliance committee. Control assurance will focus on continuously improving the underlying quality and sustainability of the company’s business activities.

The risk management process will cover the spectrum of the company’s activities including: commercial, financial, human resources, technical, legal, regulatory, contractual, political, information, competitive, social, strategic, environmental and reputational risks. 
 
Best-practice risk methodologies have been developed for the group, modelled on existing best practice in risk management. These are constantly reviewed and enhanced by a deployed risk management team.

Network groups are being established and their focus will be a meaningful contribution to the risk management strategic objectives. These forums will facilitate the proactive exchange of information between group risk, group compliance, group sustainability, group information technology and group finance functions. By forming these networks, PPC aims to eliminate ‘silo thinking’ across different risk types and ensure increasing integration of the traditionally separate domains of risks across the group.

Our risk management process follows a consistent methodology and set of guidelines informed by the group policy and framework. The risk assessment process is linked to group strategy and objectives. As part of the implementation process, risk profiles have been developed for the group from top to bottom with the intention of directing information to all levels of the organisation.

PPC is exposed to a wide variety of developments in the environment in which it operates and different potential risks and opportunities arise continually. Our aim is to take maximum advantage of viable opportunities and continuously evaluate other potential opportunities in all areas as an integral part of our strategy. 
 

Risk assessment

Strategic business risk assessments have been conducted for the PPC group, as well as for the lime, aggregates, Zimbabwe and Botswana divisions. In addition, business risk assessments were facilitated by group risk at all factories and all central office functions (such as group supply chain, information technology, organisational performance, transformation, etc). The various management teams have taken ownership of their specific risk registers, developed action plans to mitigate the risks and provided feedback to the risk and compliance committee. 
 

Business continuity management

During the year, PPC aligned the management of business continuity with the internationally recognised British Standard 25999 (BS 25999). This is also aligned with various other International Standards Organisation (ISO) measurements currently in use in PPC.

Business continuity management is a process (of plan, do, check, act) to minimise PPC’s exposure to internal and external threats. It also synthesises all customer-related processes to provide effective prevention and recovery controls while maintaining competitive advantage and integrity of the group’s value system.

The output of this process is a formal business continuity plan that will ensure the business is not unduly disrupted.

The group is currently reviewing divisional business continuity plans to create a more robust business continuity management system. This process will be completed and fully implemented by the middle of the 2011 financial year.

Aligning to corporate governance and ITIL (The Information Technology Infrastructure Library, a set of best practices for IT), IT disaster recovery is a key component of our business continuity management process, ensuring all critical IT services can be recovered in the event of a major business disruption within agreed time scales.

The current documented disaster recovery plan for Sandton (the central IT facility in PPC) caters for both the Windows and SAP environments. Tests take place at the disaster recovery sites three times a year to ensure continuity of critical operations in the event of a disaster. To ensure business continuity across the group, disaster recovery network links, supplied by Telkom, are also in place.

Each factory site schedules disaster recovery exercises for its local IT environment biannually at Sandton in a controlled and supervised environment.

All disaster recovery plans are documented, tested and signed to ensure ongoing commitment of critical resources and continuity of operations. Detailed work instructions for all key stakeholders in the organisation are included. 
 

Information security management

The objective of information security is to protect information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.

The terms information security, computer security and information assurance are frequently but incorrectly used interchangeably. These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.

PPC is reviewing current information security controls following a recent independent audit that revealed some areas for improvement. The goal is to review current information security processes and their controls using ISO 27000:2005 as reference. 
 

Insurance

The following risk management surveys were undertaken by PPC’s insurance brokers and underwriters: 
Full underwriting surveys were conducted at Slurry, Colleen Bawn and Bulawayo. Calculations for the Dwaalboom survey were updated in 2010 
Machinery breakdown surveys were conducted at Dwaalboom, Slurry, Hercules, Riebeeck West, De Hoek, Colleen Bawn, Bulawayo and Lime Acres.
These surveys elicited positive feedback on risk management and maintenance programmes in the PPC group, which has had a positive impact on the maximum probable-loss machinery breakdown calculations and the claims experienced (although PPC has had a few machinery breakdown claims, these have been relatively minor in the overall context). The current economic environment has resulted in lower capacity utilisation across the group, which has also contributed to lower claims. This could change when the economic situation improves.
A fire protection survey was conducted in Zimbabwe, focused mainly on cable tunnels and server rooms. 
 
PPC’s insurance cover and associated premium were reviewed in May 2010. 
 

Case study – Protecting IT in PPC

The PPC IT unit embarked on the ITIL journey to introduce service management and good governance principles across its team. The Information Technology Infrastructure Library (ITIL) is a set of best practices for IT that is now widely used, and supported by a range of materials and training courses (including exams and certification). It is generally divided into two main areas, service support and service delivery. These in turn comprise a number of ITIL disciplines.

The ITIL-aligned disciplines introduced at PPC were incident, problem, change, release and service level management. The service desk function was also reorganised to provide a single point of contact for group IT users.

This initiative has given the IT team a common focus of providing excellent service to customers while adhering to governance processes. It has provided visibility on all activities taking place within IT, allowing the team to make informed decisions on new projects and initiatives, determining the impact and risk of introducing changes, resource use, etc.

The unit is currently implementing service asset and configuration management, which gives it a full view of PPC IT assets and relationships, location and current status. This will enable the team to proactively manage each IT asset and related service.

ITIL has given PPC the operational framework to meet King III IT governance requirements. This will be expanded in the coming year to provide a full IT governance and control framework for PPC. 
