Risk management

The AECI Board recognises that risk management is an integral part of the Group strategy-setting process and that leadership and oversight in risk management is the Board's responsibility. These principles underpin in AECI's risk philosophy which recognises that managing risk is fundamental to the generation of sustainable shareholder value and the enhancement of stakeholder interests. Risk management is integrated into the culture of the organisation. It is driven and monitored in line with the Board's mandate and commitment. The Risk Committee plays a leadership role in this regard.

Although it is acknowledged that risk can never be fully eliminated, great effort is made to ensure that the potential impact of significant risks is properly identified, understood and mitigated to safeguard shareholder value and the Company's continued growth. Management is responsible for the ongoing refinement and application of standards and processes in this regard, at individual Group business level and for the organisation as a whole.

Management drives the assessment and monitoring of risks specific to the business as well as those pertaining to the broader context in which the Group operates. The latter risks relate to the political and economic landscape, industry, labour and financial market trends. Work includes the analysis of research materials and industry benchmarking studies by institutions such as the World Economic Forum, the World Bank and Willis Risk Alert. These serve as an early warning system or a mechanism for the identification of future risks and opportunities.

In 2018 focus was maintained on understanding and managing risk in new territories and markets of operation, informing the Group's expansion strategy. The underlying objective is to optimise the Group's positioning in terms of its ability to capitalise on opportunities, in line with the philosophy of not only concentrating on downside risk. The Risk Management function is optimally geared to provide support in this regard.

Activities and processes are underpinned by the Group Risk Management Policy and the Group Enterprise Risk Management Framework ("Framework"). The Framework is based on the principles of the International Guideline on Risk Management (ISO 31000) and King IV, where guidelines are provided for the systematic, consistent and professional approach required for successful and effective management.

On the basis of the internal risk assessment process and the outcomes of feedback from stakeholders, AECI identifies the high level material issues that could impact the delivery of its strategy and growth objectives both positively and negatively. These are set out below.

2018 HIGHLIGHTS

In 2018 significant attention was paid to the integration of Schirm and Much Asphalt into the Group relating to AECI's risk model and processes. The risk identification process was also enhanced to highlight more clearly the upside as well as the downside of risk.

To mature its business continuity management processes further, AECI engaged its insurance brokers, Willis Towers Watson, to undertake an operational resilience project for the Group's major assets and plants. The results and gap analysis from this work will be revisited to strengthen the Risk Management model further.

With support from the Internal Audit function, the Risk Management team tested the business' accountability and related risk management culture. The outcome did not indicate any major issues of concern.

In addition, the Board held a Risk workshop to understand the possible strategy constraints for the Group over the next five years. The process revealed that additional readiness and preparedness are required to better align the Group with the fourth industrial revolution generally, and as it relates to artificial intelligence more specifically.

The work plan in the coming year will include a reassessment of the Company's risk appetite and tolerance scales, with revisions to follow if required.

Management of information technology ("IT") risk

King IV places responsibility for IT governance with the Board and the AECI Board has given the Chief Financial Officer overall responsibility for managing the IT governance structures and processes. IT operations are managed by the Chief Information Officer, who reports to the Chief Financial Officer. An IT Steering Committee ("Committee") is chaired by the Chief Financial Officer and its membership comprises the Chief Information Officer and the members of the AECI Executive Committee. The Committee has a well-defined charter and assists the Chief Financial Officer in the discharge of his duties as they pertain to IT- related activities and compliance with applicable laws, rules and standards.

AECI has adopted the IT Governance Institute's model as a framework for IT governance. It also employs the guidelines set out in the Control Objectives for IT and related infrastructure Library. This assists in establishing and maintaining effective internal controls, continuity and risk management. A new framework of IT policies has been developed and adopted, taking into consideration the business imperative, current legislation and IT trends.

The Company's Internal Audit function provides assurance to management, the Audit Committee and the Risk Committee on the effectiveness of IT governance.

During 2018 the Group made significant progress globally in:

• migrating legacy technologies to an enterprise cloud. This provides opportunities to deploy new systems more rapidly and facilitates the introduction of new and innovative services and solutions, in line with the ever-increasing business requirement to centralise and automate transactional and other IT systems;
• setting the foundation for consolidating, standardising and upgrading ERP solutions across the Group - including alignment to a single instance solution in the Mining Solutions pillar and comparable standardised financial and supply chain management solutions in other operating segments;
• implementing a modern Human Capital Management solution to serve as a single system of record for all employees. This solution will support the Group Human Capital directives to drive transparency and transferability of skills across critical skill areas and enable leaders to improve employee management globally;
• defining a baseline process taxonomy for Group-wide process management and systemic execution of best practice governance. The taxonomy drives the prioritisation of systems investments and highlights the required roadmap for ERP and specialised applications to direct technology resources to critical corporate priorities such as safety management, supply chain management, contract management and enterprise asset management;
• consolidating forests to a single Active Directory domain and Exchange environment, thereby allowing for faster deployment of future Company initiatives; and
• upgrading the Local Area Networks at AEL, Modderfontein, and at the Umbogintwini site.

In 2019, the IT function will focus on:

• further consolidation, standardisation and centralisation of business processes, systems and information across the Group. This will be supported by Global Enterprise Architecture and take into account the associated cyber security risks, thereby improving AECI's ability to drive insights through data and analytics, enhance service to customers, drive business growth and efficiencies and support the overall digital strategy;
• implementation of the long-term cyber and information security plan as defined in the Cyber Security Framework and high-level Cyber Incident Response process;
• commissioning of a single supplier to provide a Wide Area Network service for all Group locations worldwide;
• preparing to centralise Schirm and Much Asphalt's IT environments; and
• incorporating digital plans into the Company's overall strategy.

Attention to all aspects of security to protect systems and data is unwavering

LEVEL OF RISK MATURITY

AECI's maturity level, determined through an assessment based on its adopted Risk Intelligence Maturity Model, is on the border between "semi-integrated and change driven" and "intelligent, integrated and optimised", with the desired future maturity level being "intelligent, integrated and optimised". The characteristics of the various states of maturity, as self assessed, are detailed in the schematic below.

AECI will continue its pursuit of its desired risk maturity level. To this end, greater focus in 2018 and in future years will be on:

• entrenching the risk culture even further across all entities;
• improving accountability and responsibility for risk management;
• integrating risk management further into strategy development and implementation;
• maturing the identification and management of upside risk (opportunity risk management);
• revising the risk appetite and tolerance thresholds in line with the Delegation of Authority and financial imperatives.

RISK INTELLIGENCE MATURITY MODEL

INITIAL		INFORMAL		STANDARDISED AND GOVERNANCE- DRIVEN		SEMI-INTEGRATED AND CHANGE-DRIVEN		INTELLIGENT, INTEGRATED AND OPTIMISED
Ad hoc/chaotic No formal risk management (“RM”)strategy No use of standards, tools and techniques		RM predominantly “risk specific” Limited focus on integration Risk viewed solely as an event with a negative consequence Aware of techniques without the formal application of standards No differentiation between “risks” and “hazards”		Reporting focus Common framework, programme statement and policy High level risk assessments Management of all risk types is not approached uniformly Risk viewed largely as an event with a negative consequence Use of standards		Change management approach to RM Coordinated RM across businesses and activities All types of risks are managed through a uniform system Risk is viewed as uncertainty and linked to objectives Driven by performance-based standards		Enterprise-wide approach to RM RM drives proactive and informed decision-making Company and RM processes are fully integrated RM is embedded in culture RM is a strategic advantage Sound understanding of standards and use of tools and techniques

EMBEDDING A RISK-INTELLIGENT AND RESILIENT ORGANISATION

Establishing the context of risk management at AECI is the foundation of good risk management and is vital to the successful implementation of the risk management process. Important considerations when determining context are illustrated in the framework diagram below.

Given the Group's competitive and rapidly evolving external environment, contextual analysis is crucial for the provision of proactive and informed risk information that supports timeous decision-making and leads to effective strategy execution. Scanning the external environment involves a multi-dimensional assessment of key elements that shape and are shaped by the Group's actions, also as illustrated below.

In line with the aspiration to continually improve the AECI Governance and Assurance service offering, a review by the Internal Audit function was undertaken in 2017. This review followed the Process Element Approach contained in the Institute of Internal Auditors' Practice Guide - Assessing the Adequacy of Risk Management Using ISO 31000.

The review concluded that, at a technical level, the AECI Enterprise Risk Management process contains the required elements of ISO 31000, both in design and in operation, and that the process is considered to be fit for purpose.

ENTERPRISE RISK MANAGEMENT FRAMEWORK

	INTERNAL CONTEXT SETTING		EXTERNAL CONTEXT SETTING		RISK MANAGEMENT CONTEXT SETTING
	The internal environment in which the entity seeks to achieve its objectives: GOVERNANCE STRUCTURE CULTURE CAPABILITY POLICIES, PROCEDURES, IT SYSTEMS ETC.		The external environment in which the entity seeks to achieve its objectives: POLITICAL ECONOMIC SOCIAL TECHNOLOGICAL LEGAL ENVIRONMENTAL		The approach and boundaries are defined and applied to the risk assessment at hand: SCOPE AND BOUNDARIES DEFINE RISK CRITERIA RISK ASSESSMENT METHODOLOGY

BUSINESS ENVIRONMENT ASSESSMENT