ETHICS MANAGEMENT AND
GOVERNANCE

Code of Business Conduct and Ethics

In line with Principle 2 of King IV™, as the highest governing authority in the company, the Board governs the ethics of the company in a way that supports the establishment of an ethical culture. The Board is committed to conducting business ethically, and has delegated to management the responsibility to implement and execute appropriate codes and practices. The company operates within a formal Code of Business Conduct and Ethics (the Code), which was reviewed and updated in 2018, and approved by the Board. The Code was communicated and distributed to all employees across all levels in the company, and to suppliers. The Code is based on a fundamental belief that all business transactions should be legal and conducted beyond reproach in the spirit of honesty and fairness. The company has a zero tolerance approach to theft, fraud, corruption and any violation of the law or unethical business dealing by employees and suppliers. The Code also addresses conflict of interest situations and encourages employees to report any conflict or perceived conflict of interest situation. This may arise due to employees being offered and receiving gifts in return for favours, employees not being independent from business organisations having a contractual relationship or providing goods or services to Tongaat Hulett, and employees’ personal investments taking priority over transactions for the company and its clients.

Ethics management reporting and oversight

The Audit and Compliance Committee assists the Board in overseeing the consistent application of and compliance with the Code through reports compiled by the corporate security manager and reported to the committee by internal audit. Incidents of fraud, corruption or unethical practices that are reported or detected through management controls are formally investigated, followed by formal disciplinary processes. In severe instances, criminal proceedings are instituted. Management is strict in ensuring the implementation of the Code across all operations in a daily context. Compliance by directors, all employees and suppliers to the high moral, ethical and legal standards of the Code is mandatory, and if employees become aware of, or suspect, a contravention of the Code, they are urged to promptly and confidentially report it to the Company Secretary or senior officials at management level.

Key areas of focus during the reporting period included revising and updating the Code to include the CEO’s statement highlighting the company’s commitment to integrity, ethics and honest behaviour; commitment to ZERO HARM in SHE practices; commitment to respecting human rights and highlighting the importance of whistle-blowing and revitalising awareness on the Tip-Off Anonymous Service. Other enhancements to the Code included highlighting the company’s strong stance against intimidation, victimisation, retaliation or harassment of any stakeholders (including all employees, business partners and suppliers) who in good faith raise or report a concern that they reasonably believe is a violation of the Code or ethical behaviour.

Whistle-blowing service

As part of the fraud and corruption prevention approach, Tongaat Hulett has engaged the services of an independent whistle-blowing service provider to report on any unethical and unlawful behaviour or non-compliance with the Code. The anonymous independent whistle-blowing service is operational in South Africa, Zimbabwe, Botswana, Mozambique, Swaziland and Namibia. Continuous training and awareness are important aspects of a successful ethics management programme. Each centre has been provided with the official Deloitte/Tongaat Hulett Tip-Offs DVD describing the whistle-blowing process, plus stickers and posters which have also been translated into Portuguese for the Mozambique operations.

Measures taken to monitor organisational ethics include ongoing monitoring and reporting of fraudulent activities that are identified through the whistle-blowing service. Detailed reports are discussed at operational audit committee meetings, with significant reports submitted to and discussed in detail by the Audit and Compliance Committee meeting. The detailed reports, submitted by internal audit, highlight the nature of the violation of the Code, the detail of any financial loss if applicable, the root cause of the violation, the disciplinary action taken, and whether any criminal or civil action will be undertaken, as well as any possible recovery. During the period under review, there were no new significant fraudulent activities reported.

Risk management process

Tongaat Hulett’s approach to strategic risk management (and its integration with seeking and maximising the connected or related opportunities or the conversion of the risk into opportunity) is aligned with Principle 11 of King IV™ and is continuously evolving. The risk management framework is reviewed continuously and updated when relevant. The framework includes a focus on risk tolerance (ability to withstand or even survive the issue/event) and risk appetite (risk limits desired or risk level willing to be taken), which have been detailed previously and remain applicable.

The risk management process involves identifying, analysing and taking the appropriate action with regard to specific identified scenarios, the aggregation of a number of individual risks, interrelated and interconnected issues, strategic positioning issues, macro issues/global trends, relevant clusters of such topics and a focus on the whole situation. Essentially it is an aggregation of risk data, with a consensus view thereof and the appropriate response. It is particularly aimed at identifying risks that might become extreme/beyond tolerance, as well as risk items, with their potential impact, that are being classified as within tolerance but could be beyond appetite.

The aim of this risk management process is to support and complement the setting and achieving of strategic objectives. The process is embedded and integrated into the business activities of Tongaat Hulett, from strategic and business planning through to day-to-day management.

This integrated approach results in:

• A thorough assessment of risks and opportunities emanating from the positioning and operation of Tongaat Hulett in the full extent of its broader spheres of influence and areas of engagement, leading to the appropriate and proactive strategic positioning and response to the potential risk/opportunity profile. This includes assessing risks (probability together with potential impact) and then focusing on both "mitigation" (reducing the probability and the potential impact) and shifting risks to "possibilities" and "opportunities".
• The resultant business strategy and plans include providing an approach that allows the business to operate under conditions of volatility and to be able to work through and recover from potential "shocks".

The Board has consistently delegated to management the responsibility to implement and execute effective risk and opportunity management. Reporting to and engaging with the Board on these topics is clearly spelled out and integrated into the regular Board reports, Strategic Plans and Budget/Business Plans, together with specific other communication when required. This takes into account the "triple context" (i.e. economic, societal and natural environment contexts) relevant to Tongaat Hulett and the "six capitals".

In analysing the potential impact/consequence, a number of factors (financial; sustainability/environment/human; stakeholder; reputation; governance and compliance; and projects related) are considered. Using the relevant measures it is then determined if it is a high, medium or low impact/consequence (e.g. for a financial measure, a high impact could measure in the hundreds of millions of profit/cash flow). Likewise, in analysing the probability/possibility/likelihood, it is then assessed if it has a high, medium or low likelihood. Given the complex nature of many such strategic topics, one practical option is to complete the aforementioned ratings (impact/consequence and probability/possibility/likelihood) on the basis of a consensus view derived from the aggregated risk data in an executive review of the topic, with a reasonable calibration being important. The holistic rating of the risk issue (i.e. residual risk after mitigating actions and factors) would then classify it as extreme, substantial or tolerable. The assessment needs to take into account the actions and mitigation already underway or requiring to be undertaken.

An integration of risks and opportunity management, linked to strategy, is covered throughout the CEO’s review.

The Tongaat Hulett internal audit function, which is supported by its internal audit service provider, KPMG, has performed a review of the effectiveness of the company’s internal control environment, including its internal financial controls, and the effectiveness of its risk management process. The evaluation of the company’s risk management processes included a review undertaken by KPMG. It noted Tongaat Hulett’s positioning, for the review period, on the KPMG Risk Maturity Continuum as "integrated", which is the second highest level. The KPMG Risk Maturity Continuum has the levels of "weak-sustainable-mature-integrated-advanced" (order of maturity). Consequently, the company’s internal audit function has provided independent assurance to the Audit and Compliance and Risk, SHE, Social and Ethics Committees and the Board on the effectiveness of its risk management processes.

Company-wide systems of internal control exist in all key operations to manage and mitigate risks and a Combined Assurance Strategy and Plan has been implemented to further enhance the co-ordination of assurance activities. Tongaat Hulett’s Combined Assurance Plan provides a framework for the various assurance providers to work together to provide assurance to the Board, through the Audit and Compliance and Risk, SHE, Social and Ethics Committees, that all significant risks are adequately managed. The Plan consists of "three layers of defense", being management, functional oversight and independent assurance providers, wherein the assurance on the risk management and related controls for the company is reported.

Appropriate business continuity plans and resources have been identified in order to ensure the implementation of recovery procedures, where potential risks have been identified as having the possibility of constituting a disaster.

For the period under review, the Tongaat Hulett Board, assisted by the above-mentioned committees, is of the view that the internal control environment and the risk management processes in place for the company are effective.