Early in 2009, the AngloGold Ashanti board decided to adopt a more systematic approach to risk management at a group level, moving the discipline from an approach centred on compliance to one focused on supporting business strategy. The change was made in anticipation of two important codes under development at that time - the King Committee on Governance ‘Code of Governance Principles for South Africa 2009’ (King III) and the ISO 31000 risk management standard.
As a first step, a change in approach to risk management was enabled by a restructuring of the risk management function that positioned it within the business strategy team. The team dedicated to this task designed a new risk management process, taking into account three major objectives:
The roll-out of the new process began in 2009 and will be extended to all of the company’s operations during 2010.
Core to our approach is a ‘live’ risk register or database that includes a risk tracking and reporting system accessible to all operations globally, as well as projects, exploration and regional and corporate functions. To support consistent application of a risk process across the company, the team created a common risk ‘language’ that is now in use. Risk assessment and evaluation processes are included in the system to ensure the validity of the risk information; ultimately equipping senior management to take key risks into account in the decision-making process.
Through the system, risk data has become accessible to all layers of the company and there is already good evidence that risk information is being adopted into business strategy.
“I see the beginnings of a truly risk-aware culture within the company,” says Mark Robins – Vice President: Risk Management. “We are starting to move away from managing risk in silos and are now managing risks continuously, using online tracking tools. Risk is starting to inform all our decisions in a more documented and formal manner”.
As an example, group internal audit will make use of the information to conduct risk-based audits of management controls in 2010, moving away from the compliance approach that was in place until this year. Accountability for managing risk areas has been strengthened by the appointment of ‘risk owners’ in charge of each of the company’s risk areas at regional, divisional and operational level.
Reports have been designed and created to properly inform each type of user including the board, which is accountable through its audit and corporate governance committee for risk management at group level.
Business sustainability risks are tracked by the environment and community function amongst other discipline specialists. Although risk ownership and the accountability to manage risk remains with line management, functional experts review data to ensure the validity of the process and the accuracy of the risks presented.
The process will take three years to become fully embedded and effective. The goal for 2010 is to improve the quality of risk information and begin the process of managing risk responses and treatment. During 2011, the priority will lie with ensuring that key threats are properly mitigated and opportunities can be harnessed. Opportunities, or ‘up-side’ risks, are identified, assessed and managed in the same way and using the same process as threats (‘down-side’ risks), in order to ensure that those opportunities that potentially offer us significant advantage as a mining company are realised where possible.