Table of Contents Executive summary ........................................................................................................................................ 3 1. Effective Ethical Leadership and Corporate Citizenship ....................................................... 4 1.1. Responsible Leadership ............................................................................................................. 4 1.2. Ethical foundation ........................................................................................................................ 4 2. GOVERNANCE OF RISK ..................................................................................................................... 6 2.1. The Boards Responsibility For Risk Governance ................................................................ 6 2.2. Managements Responsibility for Risk Management .......................................................... 6 2.3. Risk assessment ........................................................................................................................... 6 2.4. Risk response ................................................................................................................................ 6 2.5. Risk monitoring ............................................................................................................................. 7 2.6. Risk assurance .............................................................................................................................. 7 2.7. Risk disclosure .............................................................................................................................. 7 3. Governance of Information Technology ......................................................................................... 8 3.1. The Board should be responsible for information technology (IT) governance ....... 8 3.3. The Board should delegate to management the responsibility for the implementation of an IT governance framework ............................................................................. 8 3.4. The Board should monitor and evaluate significant IT investments and expertise ... 8 3.5. IT should form an integral part of the Companys risk management ............................. 8 3.6. The Board should ensure that information assets are managed effectively ................ 8 3.7. A Risk Committee and Audit Committee should assist the Board in carrying out its IT responsibilities ..................................................................................................................................... 9 4. GOVERNANCE WITH LAWS, RULES, CODES AND STANDARDS .......................................... 9 4.1. The Board should ensure that the company complies with applicable laws and considers adherence to non-binding rules, codes and standards ............................................. 9 4.2. The Board and each individual director should have a working understanding of the effect of the applicable laws, rules, codes and standards on the Company and its business ...................................................................................................................................................... 9 4.3. Compliance risk should form an integral part of the Companys risk management process ........................................................................................................................................................ 9 4.4. The Board should delegate to management the implementation of an effective compliance framework and processes ............................................................................................... 9 5. GOVERNING STAKEHOLDER RELATIONS ................................................................................. 10 5.1. The Board should appreciate that stakeholders perceptions affect a companys reputation.................................................................................................................................................. 10 5.2. The Board should delegate to management to proactively deal with stakeholder relationships ............................................................................................................................................ 10 5.3. The Board should strive to achieve the appropriate balance between its various stakeholder groupings, in the best interests of the company .................................................... 10 5.4. Companies should ensure the equitable treatment of shareholders ........................... 11 2
5.5. Transparent and effective communication with stakeholders is essential for building and maintaining their trust and confidence .................................................................... 11 5.6. Dispute Resolution ..................................................................................................................... 11 6. IMPLEMENTAION STRATEGIES AND ACTION PLANNING ..................................................... 11 7. SUMMARY, CONCLUSION AND RECOMMENDATIONS ........................................................... 12 7.1. Summary ....................................................................................................................................... 12 7.2. Conclusion ................................................................................................................................... 12 7.3. Recommendations ..................................................................................................................... 12
3
Executive summary Boards of directors are confronted with many difficult decisions on a regular basis. The right choice is not always obvious. The King Report on Governance for South Africa 2009 (King III) was published in September 2009 and became effective on 1 March 2010, it provides a list of best practice principles to support and guide directors to make the right choice for their company. These principles have become a necessary guide on Corporate Governance to directors, executives and regulators equally. King III provides guidance to all corporate entities on various governance related aspects, including: Ethical leadership and corporate citizenship The governance of risk The governance of information technology (IT) Compliance with laws, rules, codes and standards Governing stakeholder relationships Below is the 2013 King III report for Vodacom PTY (LTD) which is in conjunction with the new Companies Act which classifies the standard for directors conduct and regulates the liability of directors where the standard is not met. The report explains how the King III is implemented and how the companys directors are obliged to act in good faith, in the best interest of the company and with the required level of skill and diligence. These standards must be enforced by the Companies and Intellectual Property Commission, and shareholders and other stakeholders of a company will hold the company and its directors accountable. In contrast, there is no statutory obligation on companies to comply with King III. The underlying intention of King III is not to force companies to comply with recommended practice (King II required companies to comply or explain), but rather for companies to apply or explain. Directors are accountable for the governance and wellbeing of the company, and to the body of shareholders. Where directors opt not to implement the recommended practices as set out in King III, they should be able to explain their reasoning and motivation to the shareholders with their statutory duties as set out in the Companies Act; they need to ensure that each and every decision is taken with care, as every decision counts. Most, if not all of the recommended best practice principles set out in King III relate to the legislative duties of directors to exercise powers to perform their functions in good faith and for a proper purpose in the best interest of the company. In addition, this should be done with the degree of care, skill and diligence that may reasonably be expected of a director. As such, King III constitutes a valuable guide to directors and other office bearers to ensure compliance with the provisions of the Companies Act. The below report explains how the companys directors pay close 4
attention to the principles, and ambition to apply all such principles and of course, where they chose not to apply a particular principle, they should be able to explain that decision. In regards with King III principles application within the company three personnel were interviewed from different business units i.e. Management personnel, Supervisory personnel and ground level personnel.
1. Effective Ethical Leadership and Corporate Citizenship 1.1. Responsible Leadership The Board should provide effective leadership based on an ethical foundation. Implication: The Board has put in place appropriate structures and processes to ensure that the business is conducted in an ethical manner, taking into account the impact of the organisations business on the economy, society and the environment and balancing the interests of its various stakeholders. Also the board directs the companys activities with integrity, by the tone it sets through its actions, decisions, policies and codes, the culture it instils and the example of its directors, thereby demonstrating transparency, accountability, fairness, honesty and responsiveness to stakeholders. 1.2. Ethical foundation The Board should ensure that the Company is and is seen to be a responsible corporate citizen. Implication: To instil an ethical culture, Vodacom has implemented an ethics management programme. A Code of Conduct is also in existence and communicated to all staff. In addition, online training on the Code of Conduct was rolled out to staff. Their Code of Conduct gives employees basic guidance on how to implement the business principles in practice, and refers them to more detailed policies and guidelines for business behaviour. These documents cover a range of topics from declarations of interests to the receiving and giving of gifts and hospitality. Vodacom employees have a duty to report any suspected breaches of the Code and other Company policies. Vodacom has implemented an anti-corruption programme and requires all its employees and business partners to abide by anti-corruption laws in the conduct of Vodacoms business Through the Vodacom Foundation, Vodacom has contributed to various social development projects in the areas of mobile education, mobile health and through the Vodacom Change the World campaign. 5
Vodacom has implemented various initiatives and programmes to ensure that we promote and protect the environment and maintain the health and safety of our people, suppliers and the general public. To this end Vodacom has implemented or engaged in the following initiatives: A health and safety programme; Monitoring and reporting on our resource consumption; Participation in the Carbon Disclosure Project and have set targets to reduce our carbon footprint; Obtained ISO 14001 certification; Recently set up an environmental management review committee/working group; Developed an innovation centre that does research into efforts that Vodacom can implement to operate in a more environmentally friendly manner. Finally, Vodacom Group has a Social and Ethics Committee that maintains oversight on various sustainability and good corporate citizenship matters. The Board should ensure that the Companys ethics are managed effectively. Implication: Vodacom Group has implemented an ethics management programme called Ethics Along the Way. The Group Social and Ethics Committee and audit committees of our operating companies provide oversight of the Ethics Along the Way programme. The company conduct Ethics, People and Reputation Surveys, and review information from internal investigations and disciplinary actions to assess key ethics risks. These risks are reduced and managed as part of their risk management strategies. During the course of this year the Vodacom Code of Conduct was refreshed and communicated to all staff. All executives (Level 2) had to issue certifications that they have read and understood the training. In addition, online Code of Conduct training has been rolled out to all employees. The ethics department also provides advice to employees on general ethics topics such as giving and receiving gifts and conflicts of interest. To facilitate the handover and continued implementation of the programme to the boards and management of the individual operating companies, ethics committees have been established in their International mobile operations in DRC, Lesotho, Mozambique and Tanzania as well as Vodacom Business Africa in Nigeria. The membership of these committees includes both management and employees. The committees review the results of ethics risk assessments and other risk indicators, assist in highlighting and implementing key ethics-related policies and procedures, and bring concerns and complaints to the attention of the respective company. The Managing Directors of these 6
companies have also appointed a number of employees as ethics champions to further raise the profile of, and encourage adherence to, business ethics.
2. GOVERNANCE OF RISK 2.1. The Boards Responsibility For Risk Governance The Board should be responsible for the governance of risk: Vodacom boards charter reflects its responsibility for risk governance, and it discharges this responsibility by receiving reports from the Chairman of the Risk Committee at its quarterly meetings, and by making recommendations to management on its risk management programme. The Board should determine the levels of risk tolerance: The board has adopted the levels of risk tolerance utilised by the Risk Committee and management in determining the companys risk management framework and the methodology for rating risks in the companys risk registers and this is reviewed by the Board on an annual basis. The Risk committee or Audit committee should assist the board in carrying out its risk responsibilities: The charters of both the Risk and Audit Committees require these Committees to assist the board in carrying out its risk governance responsibilities, and they provide this assistance by monitoring the companys risk management activities and the board has appointed the ARC committee to assist with its risk responsibilities. 2.2. Managements Responsibility for Risk Management The Board should delegate to management the responsibility to design, implement and monitor the risk management plan: Vodacom has appointed a Chief Risk Officer who assists in identifying, assessing and recording the strategic risks facing the company and, where appropriate, monitors mitigating actions. 2.3. Risk assessment The Board should ensure that risk assessments are performed on a continual basis: The board receives assurance from the Risk Committee that risk assessments are carried out continually and that the companys risk registers are updated at least annually by management. The Board must ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks: The board receives assurance from the Risk Committee that the process of continual risk assessment by management takes in to account emerging and unusual risks not typical of normal operating and environmental conditions. 2.4. Risk response The Board should ensure that management considers and implements appropriate risk responses: The board receives assurance from the Risk 7
Committee and the Company Risk Manager that management appropriately identifies, manages, transfers and mitigates risks facing the company. 2.5. Risk monitoring The Board should ensure continual risk monitoring by management: The board receives assurance from the Risk Committee that it and management continually monitor risks facing the company. 2.6. Risk assurance The Board should receive assurance regarding the effectiveness of the risk management process: The board receives assurance from the Internal Audit Department and management, via the Audit Committee and from the Risk Committee, as to the adequacy of the risk management process. 2.7. Risk disclosure The Board should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders: The board ensures that the companys Integrated Annual Report, as well as its public announcements where necessary, appropriately discloses risk- related information of importance to stakeholders. The below implication applies to principles covered in elements 3.3 to 3.7:
Management continuously develops and enhances its risk and control procedures, aiming to improve risk identification, assessment and monitoring. The directors consider business risks when setting strategies, approving budgets and monitoring progress against budgets. Risks are managed at three distinct levels Risk Management Committees, the Risk Group and line management. The Group Risk Management Committee (GRMC) which meets four times a year and which is chaired by the Chief Financial Officer has been in existence for eight years. Current membership comprises the Group Executive Committee members, the Chief Risk Officer and the Managing Directors of each of the local markets. The two main functions of the GRMC are: To filter and approve the list of strategically high and critical risks and to present these risks to the Group Board yearly; and To oversee and monitor the various projects and structures designed to manage specific identified risks for example Business Continuity Management. The GRMC also acts as the Risk Management Committee (RMC) for Vodacom South Africa. The risk management committees in each country of operation are chaired by the respective Managing Director and the remaining members are the Executive Committee of 8
the local operation. The mandate of each committee is identical to that of the GRMC. Risks are identified and managed at five levels within the Group: project, process, operational, tactical and strategic levels. Risks are periodically reviewed and updated. For strategic risks, a filtering and reporting process ensures that the relevant items are reported to the Risk Management Committees and are then reviewed by the relevant boards.
3. Governance of Information Technology 3.1. The Board should be responsible for information technology (IT) governance The written charter of the board records its responsibility for IT governance, and it discharges this duty by monitoring reports on IT governance related matters provided by the Audit and Risk Committees. 3.2. IT should be aligned with the performance and sustainability objectives of the Company As an ICT company, technology is core to the business of Vodacom. 3.3. The Board should delegate to management the responsibility for the implementation of an IT governance framework A Board approved technology governance framework is in place as well as a Technology Governance Charter. The Board has delegated to management the responsibility for the implementation of technology governance. The CEO is the individual responsible for the management of technology governance.
3.4. The Board should monitor and evaluate significant IT investments and expertise Vodacom has a capital expenditure review board which reviews and considers capital expenditure investment, which includes investment in technology. A summary of investments considered by the capital expenditure board is reviewed by the ARC Committee as an when investments in technology are required. 3.5. IT should form an integral part of the Companys risk management This is embedded in Vodacoms risk management programme and risks are reviewed on a quarterly basis at the Risk Management Committee meetings. 3.6. The Board should ensure that information assets are managed effectively 9
Technology assets are managed through the sponsorships of the office of the Chief Technology Officer who has the responsibility to manage technology assets effectively.
3.7. A Risk Committee and Audit Committee should assist the Board in carrying out its IT responsibilities Both the Risk and Audit Committees assist the board in carrying out its IT governance responsibilities, as required by their written charters.
4. GOVERNANCE WITH LAWS, RULES, CODES AND STANDARDS 4.1. The Board should ensure that the company complies with applicable laws and considers adherence to non-binding rules, codes and standards Compliance with laws, standards and codes forms part of Vodacoms key business principles: The board has determined that compliance with laws is the minimum standard of conduct, is made aware of applicable laws and regulations and voluntary codes by the company secretary, and monitors compliance/adherence through the Audit Committee which receives reports from the internal audit department following its annual legal compliance audit. 4.2. The Board and each individual director should have a working understanding of the effect of the applicable laws, rules, codes and standards on the Company and its business Vodacom has a dedicated legal and regulatory division who assists the board in its understanding of applicable laws, rules and codes as these affect the business of Vodacom. 4.3. Compliance risk should form an integral part of the Companys risk management process Compliance risk is a key area of focus of the companys risk management programme, and business unit heads actively consider regulatory compliance when compiling and annually reviewing the risk registers for their business units. 4.4. The Board should delegate to management the implementation of an effective compliance framework and processes A Chief Officer: Legal and Regulatory has been appointed and he and his team assist with the management and implementation of an effective compliance framework. This includes the following: 10
Engaging with the various communications administrations and regulatory authorities; Advising and assisting the organisation with the management of applications for new licences and overseeing compliance with licence conditions and obligations; Commenting on communications legislations and other laws relevant to the industry; Monitoring, developing and providing awareness training on policies and procedures to ensure compliance with laws, regulations, codes and various standards applicable to the Groups operating companies; and The legal compliance programme includes anti-corruption, money laundering and terrorist financing (anti-CMT) compliance.
5. GOVERNING STAKEHOLDER RELATIONS 5.1. The Board should appreciate that stakeholders perceptions affect a companys reputation Vodacoms brand and its reputation as a company is of paramount importance to the Board. The Social and Ethics Committee, a committee of the Board, focuses on efforts in relation to: Maintaining good relations with consumers Maintaining good relations with employees Protecting the environment and promotion of health and safety in the workplace. Preventing and combating bribery and corruption 5.2. The Board should delegate to management to proactively deal with stakeholder relationships The board has tasked management with the responsibility of engaging with the companys key stakeholders, being customers, shareholders and employees, as well as suppliers, regulators and community organisations, of devising suitable forums and communication channels for such interaction and of responding appropriately following such engagements, in the interests of the Group. 5.3. The Board should strive to achieve the appropriate balance between its various stakeholder groupings, in the best interests of the company The board aims to ensure that the interests of the companys different stakeholders are suitably considered and appropriately balanced, with a view to ensuring the companys relevance and sustainability. 11
5.4. Companies should ensure the equitable treatment of shareholders This is also a JSE requirement and every effort is made to treat all shareholders equitably. Related party transactions with the controlling shareholder, Vodafone, are handled at Board level where the Vodafone representatives on the Board are precluded from voting and the Board is mindful of the JSE Listings Requirements concerning related party transactions 5.5. Transparent and effective communication with stakeholders is essential for building and maintaining their trust and confidence The board and management work to ensure that communication with the Groups stakeholders is frequent, substantive, transparent and credible, recognising that such communication leads to trust and mutual respect and helps to ensure the sustainability of the Group.
5.6. Dispute Resolution The Board should ensure that disputes are resolved as effectively, efficiently and expeditiously as possible: The board encourages management to resolve disputes with customers, suppliers, employees and regulators in an effective and reasonable manner and in appropriate forums including alternative dispute resolution mechanisms, having due regard for contractual and legislative obligations and the best interests of the company.
6. IMPLEMENTAION STRATEGIES AND ACTION PLANNING Regarding the implementation practices of corporate governance, senior management was considered to be responsible for corporate governance structures and processes, with the majority of respondents either agreeing or strongly agreeing with this statement. One respondent was of the opinion that it is not the job of management to provide oversight of the implementation of governance measures, but rather to implement these measures after which it remains the responsibility of the board to ensure that this has been done properly. In general, the majority of respondents noted that the cost of ensuring application of corporate governance measures has been budgeted for. Fourteen percent of respondents either disagree or strongly disagree that these costs have been budgeted for. Continued formal learning on corporate governance at board level appears to take place within a company, with an average of 58 percent of respondents agreeing and 16 percent 12
strongly agreeing that this is the case in the company. It is interesting to note that 53 percent of respondents strongly agree and a further 35 percent agree with this statement, indicating high levels of learning on corporate governance taking place in the company. High numbers of respondents either agreed or strongly agreed that the value of good corporate governance is understood and integrated at all levels in the organisation.
7. SUMMARY, CONCLUSION AND RECOMMENDATIONS 7.1. Summary Overall, there has been a marginal decrease in the perceived net value of King III in comparison with King II. 85 % of respondents agreed that the value added to the organisation by King III has outweighed the effort and resources that application required in comparison with King II. The format of King III is perceived to be marginally more user friendly and accessible which the respondents felt it provided practical examples and contributed to the organisations understanding of the value of governance 7.2. Conclusion The King Codes of Governance principles are clearly implemented by the companys board and has found them to have added value to both the organisation and to the economy of South Africa as a whole. The primary driver for Vodacom to apply King III is to demonstrate commitment to corporate governance to external stakeholders, followed by motivations to enhance the effectiveness and confidence in the performance of the organisation. 7.3. Recommendations It is suggested that King III is both user-friendly and accessible, but could benefit from practical examples and supporting resources. It is recommended that more detailed guidelines, examples and training should be specific to the areas of integrated reporting and IT governance. Also corporate governance should be integrated into companys management programme curriculum across the board, from the detailed application of governance principles through to the foundation of ethics and values that underpin such principles. Finally, the focus of the board should be making sure that where the principles are not applied they should be able to explain why, supporting its decision with companies Act.