Managing regulatory compliance risk in a mining company
The legislative requirements with which mining companies in South Africa have to comply have significantly increased over the last decade. At present, a dual-listed entity such as Lonmin is required to comply with requirements of at least 16 regulators in South Africa, combined with additional requirements from the United Kingdom where its primary listing resides. In addition, it also has to comply with requirements from other countries where it currently performs exploration activities.
Regulatory compliance risk is defined as the risk to which an organisation might be exposed should it fail to comply with the applicable regulatory (legislative) requirements or exclude provisions of the regulatory requirements from its operational procedures (Compliance Institute SA: 2013). This exposure is currently a major concern for most mining companies, as indicated by their annual reports that highlight it as part of their strategic or principal risks.
Before addressing how to ensure that a mining company complies with regulatory (legislative) requirements, it is important to first highlight the real benefits of this process. These are
- compliance with the country laws, thereby preventing the risk of penalties, fines and/or imprisonment,
- maintenance of its mining licence to operate, as direct breaches of certain legislation will place the company’s sustainability at risk,
- the building of shareholder, customer and funder confidence, as none of these groupings would want to be associated with a company that breaches legislation in order to achieve financial returns,
- enhancement of stakeholder confidence, especially regulators, the mining communities they operate in, and labour unions, as their members experience the benefits of an employer that has implemented policies and procedures that comply with legislation, and
- protection from damage to the organisation’s reputation, as the regulatory compliance process ensures a continued focus on establishing and monitoring policies and procedures that improve the company’s standards of integrity and ethical conduct, as well as result in improved corporate citizenship.
While the benefits of employing sound regulatory compliance practices in a mining company are clear, the company will experience certain challenges in ensuring that this is performed in an effective manner. Some of these challenges are
- the magnitude of compliance, as this includes the 16 regulators’ requirements, specific country requirements where exploration activities are performed, as well as listing requirements,
- keeping abreast with the total number of amendments to applicable regulatory requirements,
- the interpretation of especially new or existing legislation by internal resources in terms of the controls that need to be established by the company, as well as how the regulator will enforce specific requirements, and
- the cost of compliance, as new legislation such as the Protection of Personal Information (POPI) Act no. 4 of 2013 impacts on various areas of a mining company. In order to have a comprehensive understanding of its requirements, companies may perform (by using external expertise) an initial gap analysis. They might thereafter require the same expertise to assist with the action plans required to ensure compliance. Other regulatory compliance costs include the use of service providers who assist in providing regulators’ regulatory updates and external expertise that may be needed to clarify regulatory concepts. The upgrade, policy changes or enhancements to company infrastructure or processes may increase operating costs as well as the cost of internal resources required to specifically oversee a regulatory compliance function.
So, how does a company the size of Lonmin ensure that it complies with such a wide range of legislation that governs its operations? Below are a few key practical steps to ensure that this is achieved in an effective manner.
- Step 1 requires the establishment of a regulatory framework that clearly outlines the background, objectives and benefits of regulatory compliance. The framework should also clarify the governance and reporting requirements from a board, audit and risk committee and an executive committee perspective, resources required, training responsibilities, regulatory requirements and criteria on how to assess regulatory compliance exposures.
- Step 2 commands Board approval of the company regulatory policy statement. The statement sets the tone for how the company views regulatory compliance and ensures commitment to implement the process.
- Step 3 entails the development of a compliance universe (with departmental compliance risk champions) that highlights the key legislation applicable to the company, its potential impact on or consequence if not complied with, as well as the probability of non-compliance. This process enables the prioritisation of key regulatory requirements. In addition to this, high-level controls, including policies and procedures, should also be identified to ensure compliance. A control-effectiveness rating should also be given to identify current control weaknesses. To conclude this step, internal or external assurance providers should also be identified, as a high degree of assurance is provided for regulatory requirements related to safety, the environment and finance.
- Step 4 necessitates the appointment of regulatory compliance champions across the various areas of the business who ensure that the regulatory compliance process is implemented in their areas of responsibility. This includes establishing compliance regulatory plans as well as compliance reports based on the compliance universe that is applicable to their areas.
- Step 5 requires the implementation of a regulatory compliance forum that meets on a regular basis and is chaired by a compliance officer or, in the case of Lonmin, the group risk manager. This forum will serve as the focal point where training is provided, legislative updates are discussed and regulatory compliance champion updates are made.
- Step 6 compels the use of a reputable third-party service provider who assists in ensuring, as a minimum, biweekly updates on new or amended regulatory requirements to the company. The group risk manager manages these updates centrally by ensuring that the appropriate compliance champions receive and update their compliance risk management plans and/or existing controls.
- Step 7 requires the use of the combined assurance process as a verification tool to ensure that the mentioned controls are implemented, especially with regard to high-consequence legislation.
- Step 8 is focused on ongoing engagement processes with regulators in order to establish sound relationships.
The journey to ensuring enhanced regulatory compliance is not an easy one and some compliance purists may not agree with all of the above-mentioned steps; however, Lonmin has derived significant benefits since employing them. While the journey presented its challenges, we are confident that their ongoing implementation will ensure continuous improvement, resulting in regulatory compliance maturity.