GibanyeGOLD
We are One
COMPLIANCE MANAGEMENT POLICY
Corporate Governance and Compliance
Document Metadata Overview
liance Mana ement Po lic .d ocx
Carinka va n d er Watt
Document Name
Document Author/Owner
Document Control Information
Effective
From
201/11 /0 1
Version
Number
V 1.0
Amendment Details
Creation of Document
Amended By
Carinka va n d er Watt
Policy Approval
Version 1.0
Approvals
Name
Compliance Manager
Carinka van d er Watt
Chlet Financial Officer
Chari Keyter
Siba nye Complia nce Management Policy
Page I 2
Signature
-Gd~
~
Date Signed
0110'0 1fiLCl110
0., \.~, .,.., 110
§ ibanyeGOLD
We ere One
Contents
1. Executive Summary ...... ....... ............. ........ ...... ................................................. .. ........ ............... 4
2.
Policy Intent .............. .... .......... .. ..... .... .... .......... ..... .......... .................... .. .... ......................... ... ..... 4
3. Policy Governance .......... ....... ..... .............. .. .......... ..... ..... .... .................... ... .... .. ...... .......... .. ..... 5
4.
Compliance Meth odology ............. .... ...... ..... .. ............................................... .......... .. ..... ....... 6
5.
Commitment and Consequences of Non-Compliance .............. ....................................... 7
Sibanye Compliance Management Policy
Page I 3
§ ibanyeGOLD
We are One
1. Executive Summary
The policy sets the framework for the management of compliance risk within Siba nye ("The Company")
by defining the conce pt of comp lia nce risk, stru cture of the Complia nce Offi ce a nd governance. The
policy elaborates on the role o f the Complia nce O ffi ce a nd ma tters connected herewith.
2. Policy Intent
2.1
Objective
The objec tive is to provide a structured and be nc h marke d fram ework w ithin which executive and
operational management a nd the Compliance O ffice c an engage from an agreed compliance risk
ma nageme nt platform in order to reinforce a compliance culture, embed and e mbrace the
com pliance methodology and foster an environment for pro-active and informed collaboration and
d ecisio n ma king.
2.2
Scope
The policy focuses on controls and mitigating action im plemented by the Company and all its operating
entities to ensure compliance to releva nt statutory, regulatory, supervisory and other defined
requirements.
Compliance risk consists o f two elements: namely, regula tory a nd reputational. Regula tory risk in this
context is the risk that the Company and all its operating entities d o not comply with all defined
statutory, regulatory, supervisory and o ther defined requirements or the exclusion of same fro m
operational procedures. Reputational risk is the risk tha t the Company may be exposed to, suc h as
negative publicity due to inter alia, the contraven tio n of applicable statutory, regulatory a nd supervisory
requirements by the Co mpa ny or operating entities as well as by employees during the conduct o f
business.
The policy e ncompasses the Company, inclusive of a ll operations, legal entities, a nd all significant
subsidiaries inc luding Joint Ventures (JV's) , in which the Company has an interest o f 50% or greater. The
require ments also apply to any subsidiaries, including JV's w hic h they in tum own, w here the intere st is
greate r than or equal to 50% and applied co nsistently down the ownersh ip chain. Entities in which the
Company has a less than 50% ownership, is encouraged to a pply these or similar requirements .
2.3
Approach
The management o f compliance risk entails a collabora tive and aggregated effort.
All relevant
fun c tional departmen ts a nd employees need to be conversant w ith the policy, fhe regulatory
requirements applicable to their operation or business unit, and the content of the risk management
plan(s) embedded to manage rela ted compliance risks.
Sibanye Compliance Management Po licy
Page I 4
G\ibanyeGOlD
We are One
The fra mework set by the policy is executed by the embed ment and execution of the Compa ny's
Compliance Methodology .
The Company subscribes to a zero tolerance policy in respec t o f no n-
com p liance w ith laws. regulations. supervisory and other defin ed requiremenls.
3. Policy Governance
3.1
Governance Structure
The po licy is aligned with the Company's governance structure. The Compliance Offi ce will coordinate the drafting/ revision of the policy as and when needed.
3.2
Implementation
The Compliance Office will fa c ilitate a nd manage th e implementation o f the policy via the current
management structures across the Company.
3.3
Compliance Office
The Compliance Office operates across multiple disciplines within the Company's management
struc tures. Its mandate is to facilitate the management of co mpliance risk by the effective embedment
o f the compliance me thodology and furnishing advice and guidance relating to compliance issues o f
strategic nature.
The fun ction is authorised and mandated by the Board and resides on four pillars:
identifying and
measuring complia nce risk. facilitating the mitiga ting compliance of risk. com pliance oversig ht and
rendering compliance related advisory services. On executing. the following objec tives are con tracted:
•
Regulatory Universe;
•
Regulatory Risk Profiles;
•
Compliance Risk Management Plans;
•
Compliance reporting;
•
Strategic compliance initiatives a nd projec ts; and
•
Compliance advisory services.
In order to effectively fulfil its responsibilities and to meet requirements while still being close to the
business. the Compliance Offi ce utilises a combination of centralised and d ece ntralised structures. The
Complia nce Office comprises o f the Compliance Officer who has a fun c tio na l reporting line to the Chief
Fin ancia l Offi cer. who in turn has d irec t access to the Execu tive Committee as well as the members of
the Board.
Sibanye Compliance Management Policy
Page I 5
§ ibanyeGOLD
We are One
4. Compliance Methodology
The methodology consists of three phases : Regulatory sca nning and complia nce risk identification,
embedment of compliance risk profiles and risk management plans, and compliance oversig ht.
4.1
Regulatory scanning and profiling
Scanning a nd profiling e ntails the
determina tion
of applicable regulatory and com p lian ce
requireme nts to a defined business unit or o peration and to subsequently measure the risk exposure in
the event of non·compliance . To determine this value, serious ness of non-compliance (impa c t o f
fin ancial loss and reputation loss) and probability of non-compliance (determ ined by assessing the
effectiveness of current con trols) are assessed w ith the assistance of selected employees renderin g a
sUbject-matter-expert and/or business application role.
4.2
Compliance Risk Management Plans
The intent of these plans is to map/align the prescriptive sections per regulatory requirement with the
array of co ntrols the business has to implement over time . This mapping is conducted by control and
process owners in the operations w ho have been executing the controls in the normal course of
business . The ou tcome of such an exerc ise depicts clearly po ten tial shortcomings that may result in or
create a situation for a non-compliance risk to materia lise.
The plans form an integra l part of the mana gemen t of compliance risk and con tain con trol procedures,
with respon sibilities and target dates tha t indicate how the risks are ma naged or w ill be managed .
Preven tative controls aim to lower the probability of the risk occurring, whilst contingent contro ls should
reduce the severity o f the impact should the risk materialise. In addition, the plan is an indicatio n of the
current status of the control environment under review and a ll contro ls listed are either already in place
or are in the process of b eing implemented by the specified target dates. The p la ns should be utilised
by management to eva luate the compliance risk profile of the activities conduc ted by the operation o r
business unit, and to assess the impac t o f additional and listed controls on the overall risk level
associated with these activities.
4.3
Oversight
Oversight focusses on the assessment of th e adequacy of control in terms of their design e ffe ctive ness
as well as the opera tio nal effec tive ness o f application, i.e. effective and consistent utilisation and
application of the controls by em ployees.
The Compliance Offi ce subsc ribes to the Combined
Assurance Model, in terms o f the various levels of reviews being conducted by internal control
fun c tions. As such, the Compliance Office focuses on defined and selected re g ulatory requireme nts or
the mes identified w ithin those requirements.
Sibanye Co mpliance Manag eme nt Po licy
Page I 6
GibanyeGOLD
We are One
The oversight fun c tion is rendered by deploying three method s o f oversight:
•
Management self-assessment;
•
Focused limited/compre hensive reviews per defined re gula tory req uirement;
•
Hot Spot Reviews.
The intent is to formulate, with input from reviews conducted as part of the Combined Assurance
Model. a view o n the effectiveness level of the control environment, derive a risk value associated with
shortcomings
in
recommenda tions
this enviro nm ent, prepare
for implementation
a
roo t
cause
of new/amended
analysis for
shortcomings,
control procedure,
table
compliance
risk
preventative guidance and facilitated contingency actions and execute on multi-level reporting.
5. Commitment and Consequences of Non-Compliance
As stated, the management of compliance risk requires a collaborative and aggregated effort. The
nature and extent of the policy provision and more specifically the embedment o f the Compliance
Methodology are e nabling factors to ac hieve this.
Commitme nt by management is there fore
imperative since the consequences of non-comp liance can potentially result in license withdrawal,
statutory censure and a non-recoverable damaged reputation .
Sibanye Compliance Management Policy
Page I 7
GibanyeGOlD
We are One