
RISK AND OPPORTUNITY GOVERNANCE FRAMEWORK

| | NAME | DESIGNATION | DATE |
|---|---|---|---|
| Reviewed | Cathie Lewis/Karen Warnock | Group Company Secretary/Treasury Finance Manager | May 2019 |
| Approved | Risk Committee | Grindrod Limited Risk Committee | May 2019 |
| Approved | Risk Committee | Grindrod Limited Risk Committee | November 2017 |
| Revised | Andrew Davies | Group Risk Manager | September 2017 |
| Reviewed | Mandhir Ramruthan | Group Risk and Internal Audit | September 2017 |
| Reviewed | Cathie Lewis | Group Company Secretary | September 2017 |
| Compiled | Andrew Davies | Group Risk Manager | May 2017 |
| Reviewed | Cathie Lewis | Group Company Secretary | May 2017 |
| Approved | Risk Committee | Grindrod Limited Risk Committee | May 2017 |

1. DEFINITION

A Risk and Opportunity Governance Framework (the Framework) has been reviewed by the risk committee and approved by the Board.

The purpose of the Framework is to set out the Risk and Opportunity Governance Strategy of Grindrod and to give an overview of its Risk and Opportunity Governance Policy, risk reporting and risk appetite. It also describes key aspects of the risk governance process implemented by Grindrod to provide reasonable assurance regarding the achievement of its strategic objectives.

2. OBJECTIVE

This Framework has been developed based on the principles and provisions of ISO 31000:2018, the King IV Report on Corporate Governance for South Africa, 2016 (King IV) and the Committee of Sponsoring Organisations of the Treadway Commission Enterprise Risk Management (COSO ERM). This Framework aims to ensure that the activities of Grindrod and its controlled entities are undertaken within the Board approved risk appetite and tolerance levels to ensure the sustained profitability, relevance and reputation of Grindrod. As a general principle, the risk management process is to be undertaken in conjunction with strategic planning and should consider risks and opportunities in an integrated way over the short, medium and long term.

In this regard the King IV Report states that risk governance should encompass both the:

• opportunities and associated risks to be considered when developing strategy; and

• potential positive and negative effects of the same risks on the achievement of organizational objectives.

The risks identified and evaluated as part of the annual strategic planning process will be the risks that will affect Grindrod’s ability to achieve its strategic objectives. Although the risk committee meets bi-annually to formally review risk governance, risk management is an on-going part of strategic planning, management and day-to-day activities of the organisation. New risks affecting the achievement of objectives may arise at any time.

An integrated approach to risk management will provide Grindrod with a complete and coherent picture of the risk universe. This will be achieved by adopting the 6 Resources of the Value Creation Model approach, which provides guidance on a broad, integrated value creation process which takes externalities and intangibles into consideration. The Company creates value by identifying and managing risks and opportunities through considering the 6 Resources, viz. Our Money; Our Assets; Our Skills; Our Relationships; Our People and Our Environment, within the context of the three environments in which the Company operates and impacts, i.e. economic, social and natural.

A structured and integrated Framework provides a number of beneficial outcomes by:

• enhancing strategic planning through the identification of risks that may pose threats to Grindrod’s strategic objectives and opportunities that may strengthen the prospects of Grindrod achieving its strategic objectives;

• encouraging a proactive approach to issues likely to negatively and positively impact Grindrod’s strategic objectives;

• improving the quality of decision-making by providing structured methods for the exploration of risks and opportunities, and allocating resources;

• supporting consistent behaviours and decision-making with respect to risks and opportunities across the Group;

• enabling richer risk assessment by identifying recurring/strong themes and developing a comprehensive understanding of causes, effects and consequences, leading to a complete risk response;

• aligning the risk appetite and organisational strategy of the Group; and

• improving the organisation’s agility to anticipate, identify, adapt and respond to change.

3. RISK GOVERNANCE POLICY

Grindrod has adopted a Risk Governance Policy (Policy) (Annexure A of this document) designed to protect and enhance resources and enable the achievement of its strategic objectives. The Policy emphasises that risk management is an integral part of Grindrod’s business processes.

The risk governance policy is based on the following principles. Risk management is:

• the responsibility of the Board, executives, managers and employees;

• integrated into all business activities and systems;

• based on the South African Risk Management Standard SANS ISO 31000:2018;

• based on the provisions of the COSO ERM;

• compliant with the King IV Code; and

• embracive of the 6 Resources of the Value Creation Model.

The Risk Governance Policy is supported by existing related policies.

4. GOVERNANCE STRUCTURE

An effective risk and opportunity governance framework is dependent on a governance structure that has:

• defined roles and responsibilities;

• formal policies, objectives and strategies in place;

• adequate separation of duties;

• good relationships with internal stakeholders;

• proper systems of supervision and monitoring of activities and transactions;

• formal information systems, information flows and decision-making processes;

• proper understanding of resources and knowledge capabilities;

• risk consciousness and a proactive approach to managing risks and opportunities across the structure; and

• risks being viewed in an integrated manner within the context of the external environment.

Grindrod risk and opportunity governance structure

An organogram setting out Grindrod’s committee structure with specific reference to their risk functions is annexed as Annexure B of this document.

5. ROLES AND RESPONSIBILITIES

Set out below is a summary of the responsibilities of the various roles within Grindrod in relation to risk governance and management.

| Role | Responsibilities |
|---|---|
| Board | The Board retains the ultimate responsibility for risk governance and for determining the appropriate level of risks and opportunities that Grindrod is willing to accept. The role of the Board with respect to risk governance encompasses both compliance and performance related aspects. |
| Risk Committee | The Risk Committee assists the Board in carrying out its risk oversight responsibilities. |
| Audit Committee | Ensure the integrity of internal financial controls and identify and manage financial risks by means of a combined assurance model integrating internal and external assurance providers. |
| Social and Ethics Committee | Assist the board to fulfil its corporate governance responsibilities relating to social and economic development, good corporate citizenship including ethics, the environment, health and public safety, legal compliance, stakeholder relations, labour and employment and transformation. |
| Nomination Committee | Continually reviews the skill and experience base of the Board and its committees, conducts search and selection processes for new directors and recommends new appointments to the Board. In addition, the Committee oversees executive succession planning to ensure continuity of senior management at and below Board level. |
| Executive Management | Management is accountable to the Board for designing, implementing and monitoring the process of risk management and integrating it into the day-to-day activities of the company. Management has a mandate to ensure risks are contained within approved risk tolerance levels and opportunities are identified and developed as may be appropriate. |
| Divisional Chief Executives | Divisional Chief Executives are responsible for the development and implementation of all risk management processes and methodologies within their divisions. |
| Group Risk Management | Group Risk Manager is responsible for the facilitation of the risk and opportunity governance of the Company and reporting on the status of key business risks and opportunities within the Group. |
| Employees | All Grindrod employees are responsible for the reporting of risks and opportunities they become aware of. |
| Internal Audit | Internal Audit performs an objective assessment of the effectiveness of risk governance. |

6. RISK APPETITE AND RISK TOLERANCES

Risk Appetite is the amount of risk a business is willing to accept in pursuit of specific return on the assumption of sustainable business operations. An approved risk appetite level will improve the ability of the Board, other sub-committees and management to evaluate action plans by providing a benchmark of the level of risk considered acceptable. Risk tolerances are specific boundaries/parameters relative to the residual risk on the specific risk identified. The risk tolerance reflects an organisation’s ability or readiness to accept residual risk after all mitigating controls have been put in place. The Risk Committee is responsible for assisting the Board in determining the risk appetite and risk tolerances for Grindrod.

7. RISK GOVERNANCE PROCESS

Set out below is Grindrod’s risk governance process which is based on the South African Risk Management Standard SANS ISO 31000:2018.

7.1 IDENTIFY AND UNDERSTAND OBJECTIVES

The starting point to establish the risk context for Grindrod is the overall environment in which the Company operates. The environments that will be considered in risk management activities include global, strategic, operational, compliance and financial. Risks and opportunities are identified and governed through the lenses of the 6 Resources, which include Our Money; Our Assets; Our Skills; Our Relationships; Our People and Our Environment, whereby the interests of stakeholders are considered. Objectives are set with regard to the risk appetite, which may change, depending on changes in the internal and external environment of the Company. A level of variation is accepted for objectives (risk tolerance).

7.2 RISK ASSESSMENT

The following risk identification processes are relied upon within Grindrod to ensure risks are identified and reported. Key risks and opportunities are identified and governed, considering the 6 Resources of the Value Creation Model (Our Money; Our Assets; Our Skills; Our Relationships; Our People and Our Environment) and how these Resources are interlinked and interdependent on one another, affecting the risk tolerance levels and ultimately the residual risk of the Company.

| Risk identification group | Examples |
|---|---|
| Formal risk assessments reviews | Business strategic planning; Risk workshops |
| Normal organisation activities | Monthly Management meetings; Business and operational managers forums; Capital expenditure risk assessments; Routine data collection and business data analysis |
| Assessment against standards/audits | Financial reviews and external audits; Six monthly Letters of Assurance; Internal Audit and peer reviews; Third Party Accreditation reviews; Corporate Compliance and Risk Audits; SHERQ audits |
| Incident or event logging | Internal incident reporting incorporating health, safety, environment and property incidents; Tip-Offs hotline |
| Exception reporting | Monthly exception reporting incorporating legal, IT, employment practices, insurance, SHERQ and tax |

7.3 CONSIDER CONTROLS

A control is any measure or action that treats risk. Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages risk. Risk treatments become controls, or modify existing controls, once they have been implemented. Management must identify the controls in place to mitigate each risk identified and consider the adequacy and effectiveness of such controls in reducing the likelihood of the risk event arising or mitigating the consequences should the risk event occur.

7.4 RESIDUAL RISK EVALUATION

Residual risks are those risks that are expected to remain after implementing the planned risk mitigation strategies, as well as those that have been deliberately accepted (risk tolerance).

Residual risk evaluation is the process of calculating the likelihood of an event and consequence if it were to occur, after consideration of the influence of controls in place to reduce the likelihood and/or consequence. The product of these two variables is the risk rating (i.e. the level of risk = likelihood x consequence).

The likelihood of the risk occurring is linked to probabilities. The higher the probability, the higher the likelihood. The likelihood rating scale in the table below is used to determine the likelihood.

| Likelihood rating | Description |
|---|---|
| 1 | Rare: Risk will not even occur long term |
| 2 | Unlikely: Risk unlikely to occur even medium term |
| 3 | Moderate: Risk could occur medium term |
| 4 | Likely: Risk certain to occur in the short term |
| 5 | Common: Risk is pervasive and occurring regularly |

The consequences of each identified risk event need to be determined. When considering the consequences, both monetary and non-monetary consequences need to be considered, that is, the consequences affecting some or all of the 6 Resources, depending on the circumstances. The measurements of consequences that do not have a natural monetary value, for example, reputation loss, need to be determined. Reputation loss, for instance, can be measured in loss of market value terms due to a reduction in share price. The main purpose of placing a value on the consequence is to get a feel for the magnitude of risk and its priority.

The quality of information used in assessing risk is important and should consider past records, loss events and incident register, relevant experience, industry practice and experience and specialist and expert judgements.

The consequence rating scale in the table is used to determine the consequence.

| Consequence rating | Description |
|---|---|
| 1 | Adverse variance for inclusion in management report |
| 2 | No material impact on achievement of objectives |
| 3 | Disruptive to normal operations with a limited impact |
| 4 | Reduced ability to achieve objectives |
| 5 | Will not achieve objectives |

The residual risk rating equals the product of the likelihood rating and the consequence rating. The residual risk is then classified as per the table below.

| Evaluation range | Matrix evaluation |
|---|---|
| 1 – 6 | Low |
| 8 – 15 | Medium |
| 16 – 20 | High |
| 25 | Critical |

The residual risk scores can then be transposed onto a heat map for reporting purposes as follows.

Residual Risk Heat Map

| Impact \ Likelihood | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 5 | 5 | 10 | 15 | 20 | 25 |
| 4 | 4 | 8 | 12 | 16 | 20 |
| 3 | 3 | 6 | 9 | 12 | 15 |
| 2 | 2 | 4 | 6 | 8 | 10 |
| 1 | 1 | 2 | 3 | 4 | 5 |

7.5 RESIDUAL RISK RESPONSE STRATEGY

The tolerance for the residual risk needs to be determined and must be aligned with the group risk appetite and risk tolerance approved by the Board.

7.6 RISK TREATMENT

If the residual risk for any risk is in excess of the risk tolerances set by the Board, an action plan setting out the steps to treat the risk in order to reduce the risk to tolerable levels, together with a reasonable time frame in which the action plan will be implemented, must be prepared for management approval. The action plan should include the responsible person and timelines.

Management will identify and consider different ways that Grindrod can respond to the risks identified during the risk assessment process. The responses opted for will be noted in the risk report. The options for responses will include:

• Terminating the risk or avoiding the risk by not starting the activity that creates exposure to the risk.

• Treating the risk, through improvements to the control environment in order to reduce or mitigate the risk. Risk treatment may include methods, procedures, applications, management systems and the use of appropriate resources that reduce the probability or possible severity of the risk.

• Transferring the risk exposure, usually to a third party better able to manage the risk, for example, through insurance or outsourcing.

• Tolerating or accepting the risk, where the level of exposure is as low as reasonably practicable or where there are exceptional circumstances.

7.7 MONITORING AND REVIEW

The information gathered at each stage of the risk management process should be documented in risk registers. Set out below is an overview of the information required in all risk registers.

| Field | Description |
|---|---|
| Risk ID # | Unique identifier assigned to each risk in the register |
| Related strategy Category | The category the risk fits into under the strategic risk categories identified |
| Specific risk | Describe the risk in detail |
| Controls | Current controls in place that reduce the likelihood of the risk event arising or that mitigate the consequences should the risk event occur |
| Control document evidence | The manner in which the control is documented and monitored |
| Six Resources of Value Creation | Analyse key risks identified and how they interact with the 6 Resources (Our Money; Our Assets; Our Skills; Our Relationships; Our People and Our Environment) |
| Opportunities | Identify the upside of risk, i.e. how the risks can be converted into opportunities, considering the Six Resources of Value Creation |
| Residual risk: Likelihood rating | The chance of the risk/event happening AFTER it is controlled |
| Residual risk: Impact rating | The impact of the risk after the control(s) has been implemented |
| Residual risk: Risk rating | The residual risk rating represents the level of risk/impact associated with a risk AFTER the controls have been implemented to reduce the risk/impact |
| Colour coding | Colour coding based on level after control(s) |
| Is Residual Risk Tolerable? | Yes or no? Measure against Board approved risk appetite and risk tolerances where applicable |
| Action Plan for Improvement | Describes how the chosen treatment options will be implemented |
| Risk & Control Owner | Who will monitor this risk and its treatment, i.e. who is the risk owner? |

In creating the Risk Register, the risk owners (i.e. the persons who are actually accountable for managing the risk and its consequences) can satisfy themselves that they have defined and properly addressed the real risk. It makes it easier to review the risks and ensure that they continue to be complete, relevant and accurate having regard for both internal and external changes.

Documentation of risks is the foundation for any meaningful verification process by senior management, the Board, the Risk Committee or other Committees of the Board and internal and external auditors of the ongoing existence and relevance of, and compliance with the risk governance process.

Risk Registers should be dynamic documents; that is, as any risk, opportunity, consequence, probability or mitigator changes, the register should be updated to reflect the current situation.

As a minimum the Grindrod Risk Register is reviewed by the Grindrod Risk Committee every six months. The monitoring and review process will examine how robust the selected risk controls and management strategies are, as well as monitor the effectiveness of all steps in the risk and opportunity governance process and planned areas of future focus.

Divisional key risks are discussed and reviewed on a continual basis as a formal agenda item at Operational or Executive committee or board meetings, as applicable. The status of the key risks and/or opportunities should be evaluated by examining any changes to the risks and opportunities and the effectiveness of the controls in place.

7.8 MONITORING AND REVIEW

As risks and opportunities are interrelated, it is essential that communication and consultation with stakeholders across the Company takes place at each stage of the risk and opportunity governance process. Decision making within the organisation should involve the explicit consideration of risks and the application of risk management to some degree.

Communication should address the risk and/or opportunity and the process to manage it. Effective internal and external communication is important to ensure that those responsible for implementing the risk management system and those with a vested interest understand the basis on which decisions are made and why particular actions are required.

Communication is a two-way process; it must flow upwards through management to the Board, and downwards to all staff from the Board.

7.9 RISK GOVERNANCE CONTINUOUS IMPROVEMENT

The Framework is aligned to the principles of continuous improvement. It requires management to continually identify, assess, mitigate, review and report risks and opportunities within their business units so that all risks are mitigated and managed to an acceptable level in accordance with Grindrod’s risk appetite statement and all opportunities are considered. The period to period movement in the residual rating of risks enables management to determine whether the Company’s residual risk profile is in alignment with the approved overall risk profile. In the event that the residual risk rating falls outside the approved tolerance level, action plans should clearly stipulate who will do what by when to reduce the risk rating within the tolerance levels.

Effective risk management is the responsibility of everyone in the organisation. To ensure widespread understanding, management and all divisions should be made aware of the principles set out in this document.

The Board and committees should ensure the allocation of appropriate resources for risk management and consider the capabilities of, and constraints on, existing resources.

The Board must ensure that internal audit follows an approved risk-based internal audit plan. Internal audit will perform an objective assessment of the effectiveness of Grindrod’s risk governance process annually.

8. ANNEXURE A – RISK AND OPPORTUNITY GOVERNANCE POLICY

Grindrod is committed to the management of:

• Risks affecting Grindrod’s reputation;

• Risks affecting Grindrod’s management of and accountability for its performance against strategic objectives;

• Risks affecting its service delivery obligations, its regulatory framework and business/stakeholder relationships;

• Risks affecting its assets and intellectual property;

• Risks affecting safety, security, health and the environment; and

• Risks that incorporate the 6 Resources of the Value Creation Model resulting in a comprehensive picture of the risk universe, including opportunities.

To achieve this aim, risk governance standards based on ISO 31000, King IV and COSO ERM will be maintained and continually improved. These risk governance standards will involve:

• The design and implementation of a risk and opportunity governance program to reasonably assure the achievement of strategic objectives;

• Regular risk workshops for the purposes of identifying, evaluating and mitigating risks and identifying and considering opportunities;

• The monitoring, review and reporting of risk and opportunity governance to the board and risk committee;

• A co-ordinated combined assurance process between management, Risk and Internal Audit to develop and implement a rigorous Risk Control Programme;

• Risk and opportunity governance education and training; and

• An insurance strategy which manages predictable losses, self-insures consistent with optimal risk financing and uses secure insurance markets to insure against catastrophic losses.

Risk and opportunity governance is:

• the responsibility of the Board, Risk committee, executives, managers and employees;

• integrated into all business activities and systems;

• assigned and communicated to all levels within the organisation;

• based on the South African Risk Management Standard SANS ISO 31000:2009;

• based on the provisions of COSO ERM;

• compliant with the King IV Report; and

• embracive of the 6 Resources of the Value Creation Model.

The Risk Governance Policy is supported by the Grindrod Risk Governance Framework and existing related policies. The effective governance of risk is vital to the continued growth and success of Grindrod.

9. ANNEXURE B – MATRIX OF BOARD AND SUB-COMMITTEES

The Board Sub-Committees, listed below, are constituted as standing committees of the Board in terms of sections 72 and 94 respectively of the Companies Act. The Board delegates certain functions to these committees without abdicating its own responsibilities.

These committees have an independent and monitoring role, are advisory in nature and make recommendations. A key aspect of these committees’ mandate is the oversight role of specific risks. The risks covered and the committee processes followed are detailed below:

Board sub-committees

# Risk category Social and ethics Audit Nomination Remuneration

9.1 SHERQ* ✓✓

9.2 Reputational* ✓✓

9.3 Empowerment/B-BBEE* ✓✓ ✓✓

9.4 Loss of key senior/executive management* ✓✓ ✓✓

9.5 Loss of key talent ✓✓

9.6 Legal/Policy compliance and governance** ✓✓ ✓✓

9.7 IT** ✓✓

9.8 Fraud** ✓✓ ✓✓

* Top Group Risk

** Pervasive Group Risk

✓✓ Primary Committee that oversees the management of this risk

✓✓ This Committee oversees the management of aspects of this risk

9.1 SHERQ RISK

Social and ethics committee:

• Takes into consideration and records the actions taken to reduce the negative impact of the company’s activities, products and/or services on the environment, health and public safety.

• Monitors and considers the ESG reporting according to the FTSE/JSE Responsible Investment Index Themes.

9.2 REPUTATIONAL RISK

Social and ethics committee:

• Monitors and reviews social and economic standing in terms of:

• Goals and purposes of the 10 principles set out in the United Nations Global Compact Principles.

• OECD recommendations regarding corruption.

• Promotion of equality, prevention of unfair discrimination and reduction of corruption as well as contributions to development of communities in which its activities are predominately conducted.

• Recording of sponsorships, donations and charitable giving.

• Upholding and maintaining best practice corporate governance, as set out in King IV.

• Identifying and reviewing items that conflict with the practice of good corporate citizenship, the Code of Ethics and/or any other policy that is of an ethical nature.

• Reviews and monitors policies on whistleblowing, or any other policy that may require independent investigation.

• Reviewing and monitoring the ethical framework.

• Monitors the relationships with all stakeholders.

• Assesses and monitors the company’s standing in terms of the International Labour Organisation Protocol on decent work and working conditions, employment relationships and contribution by the company towards the educational development of its employees.

• Draws to the attention of the Board and shareholders, matters within its mandate as they occur and at the annual general meeting respectively.

9.3 EMPOWERMENT/B-BBEE RISK

Social and ethics committee:

• Monitors that Grindrod has embraced and duly executed the necessary measures to ensure the proper implementation of transformation and B-BBEE; and

• Ensures that the Group develops and implements programmes to address the requirements of B-BBEE and all other appropriate legislation.

• Inculcates the culture of developing people to achieve their optimum potential in the implementation of transformation processes and establishment of empowerment businesses. This should form part of the business plan of the company.

• Assists in identifying special projects/initiatives to uplift disadvantaged communities within the areas where the company’s operations are situated, in line with the Group’s socio economic development policy, with specific focus on educational upliftment.

9.4 LOSS OF KEY SENIOR/EXECUTIVE MANAGEMENT RISK

Nomination committee:

• Monitors formal succession plans for the Board, Chief Executive Officer, Financial Director, Executive members and Senior Management.

Remuneration committee:

• Reviews and monitors the implementation of the remuneration policy that will promote the achievement of the strategic objectives of the company and encourage individual performance.

• Monitors the specific remuneration packages for Executive Directors and Executive members of the company, including but not limited to, basic salary, performance-based short-term and long term incentives, pensions and provident funds, medical aid and other benefits.

• Ensures that the mix of fixed and variable pay in cash, shares and other elements meets the company’s needs and is in line with the company’s strategic objectives.

• Monitors long term incentives and the allocation of shares and rights in terms thereof.

• Monitors salary adjustments for employees outside the bargaining unit, the Profit Share Incentive Scheme for all employees and the staff retention strategy policy.

9.5 LOSS OF KEY TALENT

Social and Ethics committee:

• Reviews and monitors the implementation of the talent management policy that will promote the attraction and retention of talent.

9.6 LEGAL/POLICY COMPLIANCE RISK

Social and Ethics committee:

• Monitors legal compliance at a group level and assists the company in ensuring that any/all appropriate, applicable charters and policies are adequately addressed.

• Monitors legal compliance relating to human capital and should recommend to the Board on areas that may require additional resources/attention.

Audit committee:

• The Committee ensures that a combined assurance model is applied to provide a co-ordinated approach to all assurance activities and to ensure that the combined assurance received (including from external assurance service providers, internal audit and the finance function) is appropriate to address all the significant risks of the company.

9.7 IT RISK

Audit committee:

Provides oversight on the following IT risks and activities:

• IT Governance (King IV/COBIT).

• Group IT Operating Model.

• Application and infrastructure landscape.

• Project Management Office (PMO).

9.8 FRAUD RISK

Audit committee:

• Provides oversight on financial reporting risks, internal financial controls and fraud risks as they relate to financial reporting.

Social and ethics committee:

Monitors and reviews:

• OECD recommendations regarding corruption.

• Policies and statistics on whistleblowing.

• Fraud risk management plan.

• Material fraudulent activities.