
Page 1

Navigating the evolving GRC landscape

www.pwc.co.uk

The Royal Institution

14 June 2018

Mark O’Sullivan (Corporate Reporting)
Matt Elkington (Governance, Risk & Compliance)
James Smither (Governance, Risk & Compliance)
School of Mines

Page 2

Outline of presentation

01 Setting the scene: why GRC matters in mining

02 Getting Governance right

03 Delivering Risk insight

04 Staying on top of Compliance

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2018 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

Page 3

The interaction of Governance, Risk and Compliance

• A growing focus of corporate governance regimes and investors

• Especially critical in the mining sector due to the range and severity of above- and below-ground risks faced

• Increasingly in the spotlight following a series of corporate scandals in the UK

• Growing focus on how well companies are balancing the interests of different stakeholders

• Increasing UK and global regulatory burden, in which the firm itself can be a criminal actor

• Growing complexity of the extended mining enterprise (JVs, contractors, value chain, marketing and trading) generates a tougher compliance challenge

Governance: the system of rules, practices and processes by which a firm is directed and controlled

Risk: the process by which the firm identifies, analyses and takes appropriate steps to manage the uncertainties to which it is subject

Compliance: activities undertaken by the firm to ensure that its operations remain in accordance with legislation and industry-specific regulations

Page 4

Why does this matter?

• June 2015: FCA fines mining company £4.65m for listing violations

• November 2016: Senior executives sacked over $10.5m consultancy payment linked to Africa mine

• August 2013: Miner’s London listing saga “a debacle of corporate governance”

• May 2017: Data breach underlines need for supply chain cyber security

• December 2012: $2.4bn fine for sanction breaches and money laundering

Page 5

Corporate governance: winds of change

External expectations surrounding, and scrutiny of, how UK companies govern themselves is growing exponentially. Having a compelling story to share with stakeholders has rarely been more important.

Existing requirements

2014 UK Corporate Governance Code and 2006 UK Companies Act section 172 non-financial reporting requirements

An evolving discourse

Following on from modern slavery statements, disclosures on social mobility are the new focus area

Incoming changes

Changes to the Corporate Governance Code: particular focus on greater stakeholder participation in how companies’ governance and strategy

New obligations

March 2018 London Stock Exchange announcement that all AIM-listed companies will need from 28 September to report on their application of a recognised corporate governance code


Page 6

The risk landscape continues to evolve

Source: 21st PwC Global CEO Survey

Page 7

Although in extractives firms, HQ and overseas views of what matters most often vary…

HQ priority risks

• Commodity prices

• Product quality for major customers

• Capital project discipline

• Health and safety

• Major environmental contamination incident

Central America

• Extortion from organised crime groups

• Community dispute over land use and access

North America

• Regional government permitting for new logistics arrangements

• Increasingly stringent enforcement of safety regulations

South America

• Legal dispute over commercial property ownership

Former Soviet Union

• Civil conflict

• Non-refund of VAT paid on imported equipment

Central Asia

• Fraud and nepotism in procurement team

Sub-Saharan Africa

• Major tropical disease outbreak

• Government pressure to finance social development activity

Eastern Europe

• Transfer pricing investigation

North Africa

• Terrorism

• Creeping expropriation

Page 8

Delivering risk insight: does risk management add value or just bureaucracy?

01 Risk foresight: early spotting of emerging threats and opportunities that could impact strategy delivery

Led by: Risk

• Horizon scanning
• Scenario planning
• Strategic resilience

02 Risk oversight: achievement of the right balance of risk-taking behaviours in key decision-making moments

Led by: 2LOD functions

• Risk appetite articulation
• Risk tolerance parameters
• Key Risk Indicators (KRIs)

03 Risk hindsight: assurance that the system of risk management and internal control across the Group is effective

Led by: Internal Audit

• Key risks and controls assurance
• ERM effectiveness and culture insight
• Continuous improvement of 3LOD

Enabled by: DATA

Page 9

Risk appetite articulation continues to be a key area of focus in ERM

The usual approach…

Starting-point: the organisation’s main areas of risk

How appetite is derived: a simple scale (e.g. 1 = averse; 5 = hungry) or derivation from risk assessment (impact + likelihood = acceptable or unacceptable)

Key attributes:

• Minimal discussion / debate required

• Changes driven largely by risk profile

• Lacks transparency and connectivity with performance management / upside

• Does not provide detailed guidance to inform decision-making at operational levels of the company

Outputs: a high-level summary of the scoring of risk areas, or identification of specific risks that are/are not deemed acceptable by the Board

Our approach…

Starting-point: the key value drivers inherent to executing the organisation’s strategy

How appetite is derived: analysis of which business activities, decision points, cultural and environmental factors drive risk-taking behaviours and exposure levels in practice

Key attributes:

• Requires engaged debate/challenge (senior management, Exec and Board)

• Evolves in line with the strategy, and will be influenced by changes in the external and internal business environment

• Transparent, measurable and leverages data. Explicit linkage to performance and reward

• Directly informs operational decision-making

Outputs:

• Directional/advisory ‘Board level’ risk appetite statements

• Operational tolerance thresholds in KRIs define the limits of acceptable risk-taking and trade-offs in the context of risk drivers, and enable predictive monitoring

Page 10

The compliance challenge: navigating an increasingly complex global regulatory landscape

The rapidly changing regulatory and compliance environment provides both threats and opportunities. Global organisations are utilising governance and compliance proactively to pursue strategic objectives to add value to the wider organisation.

BAD PRESS · PAY A FINE · GO TO JAIL

Categories: UK legislation; EU legislation (in place); EU legislation (incoming); Global regulations and standards

• UK Bribery Act (2010)

• UK Modern Slavery Act (2015)

• UK Criminal Finances Act (2017)

• Sanctions and trade controls

• EU anti-trust regulations

• Criminal liability for economic crime

• Market abuse regulations

• General Data Protection Regulation

• Anti-corruption legislation

• Human rights due diligence

• 4th and 5th Anti-Money Laundering Directives

• Network and Information Systems Directive

Page 11

Case study: building a robust compliance environment

A step-by-step solution to integrating a compliance mindset across an organisation…

• Development and roll-out of CODE OF CONDUCT

• Leadership ADVOCACY and role-modelling

• Articulation of VALUES

• Assessment of RISKS

• WHISTLEBLOWING

Page 12

Conclusion: pulling all the levers

Embedding a high-performing GRC framework uses the full range of available levers and enablers:

• Values that encourage positive and discourage negative behaviours in relation to risk and compliance

• A governance model that places the emphasis on leaders participating fully in risk management and compliance and regularly communicating their importance

• Policies and controls that explicitly address the management of the key risks facing the business

• Performance and reward systems that appropriately identify, promote, reward (or penalise) leaders for the risk management attributes they exhibit

• An Internal Audit function that uses a flexible and proactive, fully risk-based approach

• Full exploitation of technology to enhance controls, risk monitoring, assurance and risk reporting activities

• Alignment of governance, risk management and compliance with organisational resilience (e.g. crisis management and business continuity planning)

Page 13

Questions to ask at HQ about GRC around the firm

Do all of our people really understand their roles and responsibilities around risks and control?

What evidence do we rely on? Is this consistently applied across the board?

What is the scope for automation, better leverage of data, and cost reduction?

How do we know our controls are effective in every location? How can we evidence that?

Is assurance delivered in the right places and at the right time?

Is there scope for greater commonality and standardisation across geographies?

Does everyone across the organisation know what our desired risk-taking approach is? How can we track this?

Does our controls environment deliver predictable, stable outcomes regardless of location?

Do we know what our key risks and controls actually are across the full footprint of our business?

Is our risk management framework truly effective at identifying and escalating significant risks across all of our territories?

Do our lines of defence operate effectively in relation to each other?

How can we visualise our control environment?


Page 14

This presentation has been prepared for the PwC School of Mines 2018 for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2018. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.