Compliance Governance

On aggregate the Framework focuses on two integrated themes to manage an array of potential, perceived or actual risk exposure areas. The first theme pivots on professional business conduct and ensuring integrity in how we operate. The second theme ensures the Group complies with all identified and applicable obligations imposed by laws, regulations, and adopted rules, codes, and standards the Group subscribe to, being applicable in the jurisdiction where the Group has a presence.

The Integrity theme pivots on engineered solution to support the business culture, from a conduct point of view. The Group Code of Conduct is the pivot of enabling internal and external stakeholders to gauge behaviour and integrity. Refer to the Ethics, Conduct and Integrity Management Approach.

The Compliance theme pivots, as reference on Compliance risk management. To this end, it entails the process to engineer, operationalise and maintain compliance solutions to ensure compliance.

Impact

If not well managed, non-compliance can have far-reaching effects, and can theoretically manifest in a regulatory, financial, reputation and other related risks. The imposition of findings, and subsequent penalties, sanctions and/ or fines, due to non-compliance to imposed obligations, as well as to international declaration, convention, and/or treaties, can also substantially affect the perception of investors. In addition, albeit the potential negative financial impact, actions required by a Regulator can also influence operational efficiency and progress.

Commitment

Gold Fields is committed to operate within the ambit of the law and portray good corporate citizenship in how we conduct business, and more importantly with integrity.

Management Actions

Reference has been made to the process whereby compliance solutions are engineered, operationalised, and maintained.

A published Management Guideline in relation to the Compliance Governance Framework contextualises the Framework, as well as the required engagement by all role-players to actively manage any actual or potential risk of non-compliance exposure.

An interactive Group Compliance Governance Portal enables execution and oversight, which systemically record, analyse, and report on the level of compliance in the Group, across an array of governance and compliance criterion, in line with the adopted risk-based approach.

An annual Group Compliance Management Plan is project managed by the in-country legal teams per operating jurisdiction.

• Scanning the regulatory environment to identify current and upcoming regulatory changes. This is to ensure a frequent review of the recorded control environments re changes, to confirm control design and operating effectiveness. As an example, in 2023, as part of screening of the external landscape, 375 changes have been identified as applicable, assessed and controls were implemented or maintained.
• Identifying and consistently reviewing all statutes, and adopted rules, codes and standards in the operating jurisdictions and assessing the exposure to non-compliance and subsequent regulatory risks.
• Ensuring controls are aligned to imposed obligations, and maintaining of the recorded control environments, where control mapping focused on the mitigation of inherent risk exposure.

Data Protection and Privacy Gateway on the Portal enables the assessment of any actual, potential, or perceived privacy risk exposure, as it relates to Group defined projects and initiative, especially in the event of cross-border transfer of data. For context, the Gateway acts as a single source of truth for referencing mapped data flows in the organisation, as well as the drafted control frameworks to mitigate any actual or potential non-compliance exposure.

A cross-jurisdictional Framework, Policy Statement and Guideline Register for the Group and all Regions in the Group, therefore facilitating the alignment between these policy levels, and thus ensuring Group policy principles and application prevail. This register is published and maintained on the Group Compliance Governance Portal. In addition, the Register acts as the single source of truth for all internal governance documents, which apart from easy and reliable access by employees, enables document owners to adequately review and maintain documents. The solution is widely applied as a robust control mechanism and is a prominent value attribute in ISO Certification.

Maintaining a Group ISO database, via an ISO Gateway on the Portal, to ensure all non-conformances are timely remediated, and enabling external ISO Certifiers to have a birds-eye view of the Group’s ISO landscape.

An interactive Third-Party Due Diligence Gateway enables the Procurement teams across countries to ensure any potential risk of procuring products and services from a vendor is diligently accessed, and if same cannot be mitigated, not to enter a business relationship with the vendor.

Meta data analysis is conducted for each phase of the plan to determine trends, gaps and enhance the interpretation and application value of the guidance offer to the business. Data analytic tools enable management and other internal stakeholders to unpack identified trends and enhance the interpretation and application value.

Measurement, Evaluation, Assurance and Assessment

Enhancement and development of the Framework is a key focus of the Legal & Compliance team. The Framework is therefore continuously reviewed and improved.

Structured reviews of the Framework, as well as the Annual Group Compliance Management Plan are conducted by Internal Audit. This is to ensure the appropriateness and design/ operating effectiveness.

The integrated extent of the Framework resulted in no sanctions being imposed because of non-compliance to any international declaration, convention, and/or treaty, nor have cases been brought against the Group using international dispute mechanisms or national dispute mechanisms supervised by government authorities. Due to changes in the regulatory and operational landscape, the imposition of in-country penalties, sanctions and/or fines cannot always be avoided. Gold Fields is no exception, and during 2023, 27 regulatory findings (2022: 50) were reported, and 14 penalties, sanctions and/or fines (2022: 18) totalling US$73,300 (2022: US$21,900) imposed.

All findings and fines are reported per country, irrespective its materiality. For 2023, no regulatory findings, penalties, sanctions and/or fines were deemed material, based on the monetary value as % of budgeted revenue, as well as their impact internally and on stakeholders.

Reporting and Disclosure

Reporting forms an integral part of the contextualisation and disclosure focus of the Framework. To this end, a monthly Compliance Update are submitted to all Executive Vice Presidents across the Group. The intent is to keep them and their in-county management committees up to date re the state of compliance. On a quarterly basis, an aggregate Compliance Governance overview is reported to the Group Audit Committee, and other defined Board sub-committees.