Risk management

Our approach to risk management

At Harmony, our approach to risk relies on the continual monitoring of risk and related mitigation procedures and, when appropriate, their revision. Our risk management strategy strives to be practical and effective, rather than to focus solely on compliance. Risk management is embedded within our day-to-day activities and processes.

Our risk management process

The management of risk is guided by specific regulatory and legislative requirements, and is championed internally by our chief executive officer. While management is responsible for implementation and compliance, the audit and risk committee is responsible for oversight of the process, its adequacy and effectiveness. Reporting on risk-related performance is marked for the attention of the various board sub-committees.

Because relationships underpin everything we do, our risk management process is based on engagement – between management and the board, and between the company and various stakeholders – to ensure that we address risks appropriately.

Risk management has as its starting point the group's strategy. It is important to understand those factors that have the potential to hinder our ability to deliver on our strategy, as well as to identify those opportunities that will enable us to achieve our goals. We benchmark the risks and opportunities identified against those of our peers to ensure that the risks we identify are not only specific to Harmony but also include those facing the industry.

In preparing their formal reports to the board, the executive committee and the audit and risk committee meet quarterly to examine the risks and discuss any changes in their relative importance or in their mitigation. The audit and risk committee's review is supplemented by feedback from the various board sub-committees and reviews of specific risks falling within the ambit of their responsibilities.

Each quarterly examination is based on experiences at the operations, feedback from key stakeholders, external factors and management meetings. In addition, various teams within the company address risk on a regular basis as part of their day-to-day roles. This creates an ongoing conversation about risk at different levels, allowing any changes to be captured on a continuing basis.

While risk management is included in our day-to-day processes, formal weekly risk reviews are undertaken by management teams at the operations, to identify and prioritise specific high-risk issues at an operational level. These operational and safety risk reviews are reported to the respective regional general managers with additional oversight by the operations' committees.

Roles of the board and audit and risk committee

Risk is a standard item on the agenda at audit and risk committee meetings and the committee's role in our risk management process is multi-dimensional. The committee's primary task is to identify, prioritise, manage and monitor strategic enterprise risks at Harmony, while operational and safety specific risks are monitored by the technical committee of the board. Our risk management process reflects our integrated approach to business and the audit and risk committee – supported by various board sub-committees – examines all risks affecting our strategy.

To do this, the committee spends considerable time reviewing and evaluating the processes in place to identify, monitor and manage risk. These include our risk management policy, methodology and planning, formal risk assessment, internal controls and assurance processes, our risk appetite and tolerance and our responses to the risks identified. Once the audit and risk committee is satisfied with these, responsibility for their implementation devolves to executive management and their teams. In turn, their task is to ensure that these risk processes are constantly applied in day-to-day activities.

Based on these reviews, the audit and risk committee submits its findings to the board. The top strategic, operational and safety-specific risks and mitigating factors are reported to the board on a quarterly basis.

Our actions

We have formulated group-level risk appetite and tolerance levels, and monitor our risks to identify and manage those that are most material to the company.

While our group-level risk appetite and tolerance levels are subject to formal annual reviews, these are continually monitored for relevance in terms of changing macro-environment factors. Our tolerance levels are further defined at lower tolerance limits per risk.

Our risks and opportunities

Our risk profile is based on potential events and/or factors that pose a threat and/or an opportunity. These downside and upside risk factors are duly taken into account in our day-to-day business activities and, having been identified, are integral to the formulation and management of our group strategy.

Risk heatmap 2017