The company operates within a formal Code of Business Conduct and Ethics, which has been reviewed and approved by the Board, communicated and distributed to all employees across all levels in the company. The Code is based on a fundamental belief that all business transactions should be legal and conducted beyond reproach in the spirit of honesty and fairness. The company has a zero tolerance approach to theft, fraud, corruption and any violation of the law or unethical business dealing by employees and suppliers. The Code also addresses conflict of interest situations and encourages employees to report on any conflict or perceived conflict of interest situation. This may arise due to employees being offered and receiving gifts in return for favours, employees not being independent from business organisations having a contractual relationship or providing goods or services to Tongaat Hulett, and employees’ personal investments taking priority over transactions for the company and its clients.
The Audit and Compliance Committee assists the Board in overseeing the consistent application of and compliance with the Code through reports compiled by the corporate security manager and reported to the committee by internal audit. Incidents of fraud, corruption or unethical practices that are reported or detected through management controls are formally investigated, followed by formal disciplinary processes. In severe instances, criminal proceedings are instituted. Management is strict in ensuring the implementation of the Code across all operations in a day to day context. Compliance by directors, all employees and suppliers to the high moral, ethical and legal standards of the Code is mandatory, and if employees become aware of, or suspect, a contravention of the Code, they are urged to promptly and confidentially report it to the Company Secretary or senior officials at management level.
As part of the fraud and corruption prevention approach, Tongaat Hulett has engaged the services of an independent whistle-blowing service provider to report on any unethical and unlawful behavior or non-compliance with the Code. The independent whistle-blowing service, which is anonymous, is operational in South Africa, Zimbabwe, Botswana, Mozambique, Swaziland and Namibia. Continuous training and awareness are important aspects of a successful ethics management programme. To this end, each centre has recently been provided with the official Deloitte / Tongaat Hulett Tip-Offs DVD describing the whistle-blowing process, plus stickers and posters which have also been translated into Portuguese for the Mozambique operations.
During the period under review, fifty eight tip-offs were reported through the whistle-blowing service across the business. Information relating to a significant fraudulent activity was reported in detail to the Audit and Compliance Committee meeting and appropriate steps including disciplinary action have been taken.
While the Board is ultimately responsible for risk management, company management has designed and implemented a risk management framework and has committed the company to a process of risk management that is aligned to King III and to the company’s corporate governance responsibilities. This commitment is reflected in management’s continued attention to the importance of effective risk management in ensuring that business objectives and strategies are met and that continued, sustained growth and profitability is achieved. The framework, which incorporates the risk management policy, strategy and plan, aims to ensure that risk management processes are embedded in critical business activities and functions, and that risks are undertaken in an informed manner and pro-actively managed in accordance with the business risk appetite. This includes identifying and taking advantage of opportunities as well as protecting intellectual capital and assets by mitigating adverse impacts of risk.
The risk management review process seeks to achieve the correct balance between the issues that are specific to, and appropriately managed in, an operational area and those issues that are significant enough or cross cutting enough to be considered, and managed in an appropriate way, on a Tongaat Hulett wide basis. The approach to risk management includes being able to identify, describe and analyse risks at all levels throughout the organisation, with mitigating actions being implemented at the appropriate point of activity. The very significant, high impact risk areas and the related mitigating action plans are monitored at an executive level. Risks and mitigating actions are given relevant visibility at various appropriate forums throughout the organisation.
Tongaat Hulett has documented its approach towards Information and Communication Technology (ICT) in various documents such as the ICT governance framework (including the company’s policy and charter), disaster recovery plans, business continuity plans, acceptable use policy and a record of the approach to the protection and control of ICT documentation. The IT systems and application controls in the multiple computer systems in the various operations are, inter alia, subject to internal audit processes on an ongoing basis, integral to the audit of the overall control environment.
The current business environment is recognised as having many changing and challenging elements, particularly in the context of the volatile global economy and specific localised dynamics. Most of Tongaat Hulett’s business platforms and operational areas are not considered to be in a static, steady state. Consequently, rather than relying purely on periodic reviews, there is a continued and increasing adoption of a project management approach and use of project management skills in various management processes, including risk management. The ongoing, routine risk management processes are thus coupled with change management and specific, task based, project driven risk management initiatives.
Company-wide systems of internal control exist in all key operations to manage and mitigate risks and a Combined Assurance Strategy and Plan has been implemented to further enhance the co-ordination of assurance activities. Tongaat Hulett’s Combined Assurance Plan provides a framework for the various assurance providers to work together to provide assurance to the Board, through the Audit and Compliance and Risk, SHE, Social and Ethics Committees, that all significant risks are adequately managed. The Plan consists of “three layers of defense”, being management, functional oversight and independent assurance providers, wherein the assurance on the risk management and related controls for the company is reported.
Appropriate business continuity plans and resources have been identified in order to ensure the implementation of recovery procedures, where potential risks have been identified as having the possibility of constituting a disaster.
The Tongaat Hulett internal audit function, which is supported by its internal audit service provider, KPMG, has performed a review of the effectiveness of the company’s internal control environment, including its internal financial controls, and the effectiveness of its risk management process. The evaluation of the company’s risk management processes included a review undertaken by KPMG. It noted Tongaat Hulett’s positioning, for the review period, on the KPMG Risk Maturity Continuum as “advanced” out of a possible range of “basic – mature – advanced”. Consequently, the company’s internal audit function has provided independent assurance to the Audit and Compliance and Risk, SHE, Social and Ethics Committees and the Board on the effectiveness of its risk management processes.
For the period under review, the Tongaat Hulett Board, assisted by the abovementioned committees, is of the view that the internal control environment and the risk management processes in place for the company are effective.