Omnicane - Risk Management Framework 2020 V02-1586253883829

Published by tomjoy002, 2020-04-13 01:34:37


Enterprise Risk Management Framework
Approved by: CRO
Version: 02
07th April 2020

Omnicane Enterprise Risk Management Framework

CONTENTS
1. INTRODUCTION
2. GOALS OF THE FRAMEWORK
3. PRINCIPLES UNDERPINNING THE FRAMEWORK
4. RISK APPETITE
5. ENTERPRISE RISK MANAGEMENT FRAMEWORK
6. RISK HIERARCHY
7. RISK GOVERNANCE AND ACCOUNTABILITIES
8. ENTERPRISE RISK MANAGEMENT APPROACH
   8.1 GENERAL
   8.2 COMMUNICATE AND CONSULT
   8.3 ESTABLISHING THE CONTEXT
   8.4 RISK IDENTIFICATION
   8.5 RISK ANALYSIS
   8.6 RISK EVALUATION
   8.7 RISK TREATMENT
9. RISK REGISTER
10. MAINTENANCE OF RISK REGISTERS
11. BUSINESS UNIT OPERATIONAL RISK MANAGEMENT
12. RISK MONITORING AND REVIEWING
13. RISK STATUS REPORTING
14. DOCUMENTATION AND RECORD KEEPING
15. CONTINUAL IMPROVEMENT OF FRAMEWORK
ANNEXURES
   Annexure A – Board’s strategic objectives
   Annexure B – Business Unit Risks Mapped to Board Risks
   Annexure C – Template for Risk Identification
   Annexure D – Risk Analysis Template
   Annexure E – Risk Evaluation Template
   Annexure F – Risk Treatment Schedule Plan Template
   Annexure G – The Risk Register Template
   Annexure H – GRCconnect Snapshots
   Annexure I – The Risk Reporting Template

1. INTRODUCTION

The management of risk is an integral component of effective Corporate Governance. In order to embed the good practice principles, Omnicane is implementing a risk management program which is based on ISO 31000/2009. The risk management program seeks to align business opportunities and the taking of risks to the ever-present challenges to Omnicane in achieving its mission and core objectives. It encompasses the whole spectrum of risk, ranging from the high-level Group-wide strategic business risks to individual business unit/divisional/section operational risks.

Omnicane’s vision for risk management is to enhance its performance culture by ensuring that all decision makers are fully informed of risks, and that risks are effectively managed in the achievement of our objectives.

2. GOALS OF THE FRAMEWORK

This framework has been developed to:
• allow Omnicane to proactively manage its risks in a systematic and structured way and to continually refine its processes to reduce the group’s risk profile, thereby maintaining a safer environment for all its stakeholders;
• ensure appropriate strategies are in place to mitigate risks and maximise opportunities;
• embed the risk management process and ensure it is an integral part of the group’s planning process at a strategic and operational level;
• help create a risk awareness culture at the strategic, operational and individual project levels;
• give credibility to the process and engage management’s attention to the treatment, monitoring, reporting and review of identified risks, as well as considering new and emerging risks on a continuous basis;
• recognise the need for, and align, the holistic group-wide “top-down” strategic assessment with the “bottom-up” operational and strategic risk assessment.

3. PRINCIPLES UNDERPINNING THE FRAMEWORK

Adherence to good corporate governance practices is important to Omnicane. To this end, the Board is committed to complying with the Code of Corporate Governance of Mauritius 2016 with regard to risk management:

“The Board is responsible for the governance of risk and should ensure that the organisation develop and execute a comprehensive and robust system of risk management. It is responsible for determining the nature and extent of the principal risks it is willing to take in line with the business model and in achieving its strategic objectives—that is, assessing its risk appetite and tolerance.”
Code of Corporate Governance of Mauritius 2016

“The Board should oversee and ensure management’s continual monitoring of risk, and management should consider and implement appropriate risk responses that involve the following: taking risk (when the risk is present, is within the risk tolerance and otherwise represents a missed opportunity); addressing risk when it is too high and when application of internal controls can mitigate it; transferring risk when the risk is too high but can be transferred to a third party; or terminating when the risk is too high and cannot be mitigated or transferred to a third party.”
Code of Corporate Governance of Mauritius 2016

4. RISK APPETITE

A clearly defined risk appetite provides the directors, management and employees with a framework which facilitates the identification and management of both risks and opportunities.

OMNICANE’S RISK APPETITE STATEMENT

Omnicane’s risk management approach includes integrating a risk culture within all aspects of its business. Omnicane is in several businesses and aims at adopting a risk management strategy with a top-down approach covering all Group entities.

Omnicane recognises that risk tolerance (the maximum risk that can be taken in theory) is different from risk appetite (how much risk can be accepted in practice) and, through the definition of its eight strategic objectives (Annexure A), the group’s overall risk tolerance is shown in the graph below:

[Graph: Omnicane’s Overall Risk Tolerance. Vertical axis: risk tolerance, 0 to 10. Horizontal axis: Board Objectives, namely Strategic Partnership; Sustainable Growth; Enhance value of Land Bank; Diversify Geographical Base; Achieve Financial Objectives; Rebalance Gearing; Strengthening of business in territories where Omnicane operates; Vertical integration of cane industry.]
Graph showing Omnicane’s overall risk tolerance

Omnicane will periodically (at least annually) review its risk tolerances in light of changing circumstances in its wider environment, its organizational capacity to bear risk and the potential rewards associated with taking on an additional level of risk. It will manage its risks recognizing both threats and opportunities, seizing opportunities for innovation and business improvement whilst managing threats to its business and stakeholders.

In deciding upon an appropriate risk tolerance against the core business objectives for Omnicane, a range of alternatives were considered, from low risk tolerance to high risk tolerance, as presented in Table 1 below.

Assessment: Description
High Risk Tolerance: Omnicane accepts threats and opportunities that have a high risk even after existing controls are in place. This is because these risks are concentrated around areas of the business that have high returns, or because the risk is outside our control and offers opportunities for innovation without threatening the core of the business.
Medium Risk Tolerance: Omnicane is willing to accept some risks in certain circumstances, but this is weighed against the cost effectiveness of improving the risk versus the risk presented and the relative contribution of the area of the business to stakeholders.
Low Risk Tolerance: Omnicane is not willing to accept risks in most circumstances.
Zero Risk Tolerance: Omnicane is not willing to accept risks under any circumstances.
Table 1: Risk Tolerance for Omnicane

Figure 1 shows the tolerance of Omnicane with regards to the eight board objectives identified.

[Figure 1: Risk Tolerance Dashboard]

Table 2 describes the coloured regions depicted in the heat maps above.

Colour: Significance
Green - Comfort Zone/Acceptable: The organization is comfortable with the risks taken when in this region. The risk is acceptable.
Yellow/Amber - Warning Zone/Tolerable: The organization is taking risks which are slightly outside its risk tolerance level. Omnicane needs to start taking actions to bring back its risk exposure within the green region. The risk is tolerable but may need a treatment plan.
Red - No-go Zone/Intolerable: The organization is adventuring far beyond its risk tolerance. Omnicane needs to take immediate actions to get back in the yellow region. The risk is intolerable.
Table 2: Description of Heat Maps

In recognition that risk may arise at multiple levels (from taking strategic decisions to implementing supporting actions) and take many forms, Omnicane has formulated a number of more detailed guiding risk categories (see Table 3) to guide its people in their actions and support different levels of reporting.

Risk Category: Descriptions
Financial: The financial risks include liquidity risks and risk associated with interest rates, foreign exchange rates, taxation, capital structure and profitability risk.
Operational: Operational risks include all processes and sub-processes from the time the raw materials are produced/received, through the production process, up to the point of receipt by the customer.
Political & Regulatory: Political and regulatory risks include those surrounding political decisions, events or conditions and environmental laws, health & safety requirements and compliance with the code of corporate governance.
Natural Environment: Natural environment risks include all actual or potential threats of adverse effects on the environment by effluents, emissions, wastes, resource depletion, etc. arising out of Omnicane’s activities.
People: People risks include all risks associated with recruitment & retirement, on-going talent management & succession planning, relations with trade unions & regulatory bodies and employee disciplinary issues.

Business Environment & Market: Risks that are outside the control of Omnicane Group relating to macro-economic evolution, politics, foreign investments, climatic conditions etc.
Partners & Suppliers: Partners and suppliers risks encompass all risks associated with sourcing of products, supplier vetting and evaluation, loss/gain of key suppliers and relationship/partnership with other companies.
Table 3: Description of Risk Categories

5. ENTERPRISE RISK MANAGEMENT FRAMEWORK

An overview of the Framework is provided in Figure 2. The diagram illustrates the key elements necessary for managing risk and the integration of these elements at all levels. The elements are risk hierarchy, risk governance and accountabilities, and risk system.

[Figure 2: An Overview of the Enterprise Risk Management Framework. The diagram has three columns, reproduced as text below.]

Risk Hierarchy
Board: Approve and maintain Risk Management Policy. Set and review the Risk Appetite on a periodic basis. Maintain oversight of the Risk Management Framework.
Chief Sustainability Officer/Chief Risk Officer: Report to the Board on risks and controls. Discuss with the Board the status of mitigating actions and performance against risk appetite.
Department Heads (Risk Owners): Attend periodic meetings to discuss risk management reports. Approve appropriate action to bring organisational risks within tolerance level. Maintain oversight of their respective risk/control owners.
Action & Control Owners: Identify and assess new risks and update GRCconnect. Reassess the existing risks and send for approval. Update GRCconnect on controls performed at the pre-defined frequencies. Remediate control failures.

Risk Governance & Accountabilities
Risk Committee:
• Review risk reports and monitor effectiveness of risk management
• Approval of Internal Audit Plan
• Provide guidance to Internal Audit Function focusing on key areas for review
Group Internal Audit:
• Carry out internal audits on a risk basis
• Provide assurance re adequacy of controls across specific risk areas (including risk management)

GRCconnect
GRCconnect Tool:
• Risk Registers
• Dashboard Reports
• E-mail Alerts
• Action Tracking for Risk Assessment
• Exception reports
• Specialist Industry knowledge

6. RISK HIERARCHY

In the Framework, two levels of risk are considered: risks identified at Board level and risks identified at business unit level. The risk hierarchy defines accountability for identifying, treating, monitoring, communicating and managing risks throughout Omnicane. The Board is responsible for management of the board risks and the department heads/risk owners are responsible for managing risks identified at business unit level. The risks identified at business unit level were mapped to the relevant board risks as shown in Annexure B. Accountability for the board risks is assigned to the Chief Sustainability Officer.

7. RISK GOVERNANCE AND ACCOUNTABILITIES

Risk governance includes mechanisms that ensure accountability and authority for the management of risk, implementation, maintenance and continuous improvement of the risk management framework, and providing risk management assurance. The roles and responsibilities for each of the groups outlined in the framework diagram above are detailed below (Table 4).

Structure: Responsibilities

The Board: The Board is responsible to determine the level and balance of risk to allow the best strategy for sustainable growth with dynamic data intelligence and feedback. The Board should approve the risk management framework and monitor its effectiveness against risk appetite levels. It should review material risk incidents and note or approve management’s actions, as appropriate. Key elements of the Board’s oversight of risk management would include:
• Assume ownership of Board level risks and oversee organisational risks.
• Make risk management a standing meeting agenda item.
• Include risk management experience/expertise in the competencies of at least one director. Where the composition of the Board does not allow for this, an expert external adviser should be sought.
• Approve the Risk Management Policy, set Omnicane’s risk appetite, and approve the risk management plan and risk register at least annually.
• Review risk management reports and note/approve actions as appropriate.
• Require external review of the effectiveness of the risk management framework on a periodic basis.

The Risk Committee: The Risk Committee is responsible for monitoring the risk management system to ensure and provide assurance as to its effectiveness. It should review and agree the processes for managing risk. The Committee should have risk management as a standing agenda item at its meetings and should exchange information with the Board, Group Internal Audit and the Chief Executive Officer regarding the effectiveness of the risk management framework. This role includes:
• Review risk reports and monitor the effectiveness of risk management.
• Approve the Risk Based Internal Audit Plan.
• Provide guidance to the Group Internal Audit function focusing on key areas that are outside Risk Appetite levels.

Chief Sustainability Officer/Chief Risk Officer: The Chief Sustainability Officer/Chief Risk Officer should:
• Act as the risk champion for Omnicane.
• Report to the Board and to the Risk Committee at least quarterly on performance against risk appetite and on Key Risks and Controls.
• Oversee the departmental heads in relation to their risks and controls responsibilities.
• Ensure that there are appropriate resources (internal/external) in place to support the Risk Management Framework.
• Ensure that there is an appropriate cost & benefit review carried out on proposed action plans.

Group Internal Audit: Group Internal Audit should:
• Provide objective assurance to the Board on the effectiveness of the organisation’s risk management process.
• Provide assurance that risks identified are being managed appropriately and that the system of internal control is operating effectively.
• Review and provide assurance on the risk assessment tracking process.
• Not oversee the Risk Management Process.

Departmental Heads (HODs): HODs/Risk Owners are responsible for operational risks and should identify, measure and take ownership of the risks in line with the Board’s strategy.
• Assume primary ownership for organisation risks and actions in the Risk Register.
• Contribute to the development of Risk Management Policy.
• Monitor effectiveness of risk management.
• Promote ongoing enhancement of risk management processes.
• Comply with controls stated in the Risk Register and report any control gaps/weaknesses.
• Participate in the identification, measurement, prioritisation, and management of risks and controls.
• Report systematically and promptly to the MD any perceived new risks or failures of existing control measures and deviations from risk appetite levels.

Action & Control Owners: Action and Control Owners should:
• Update and maintain GRCconnect.
• Identify new risks and update incident logs.
• Understand their accountability and responsibility for performing the controls.
• Seek approval for risks and controls modifications.
• Update management with appropriate system inputs regarding status of risks and controls as required.

Employees: Employees should:
• Comply with controls as stated in the Risk Register and Risk Management Business Plan and report any control gaps/weaknesses.
• Identify risks and report risk incidents.
• Provide input into the identification and management of risks as required.
• Understand their accountability for individual risks.
• Take responsibility for carrying out control activities, reporting on control gaps/weaknesses.
• Update management regarding status of risks and controls as required.
Table 4: Structure and Responsibilities

8. ENTERPRISE RISK MANAGEMENT APPROACH

8.1 GENERAL

Omnicane has adopted “ISO 31000/2009 Risk Management Principles and Guidelines”, published by the International Organization for Standardization, to manage its risks. Fig. 3 below, extracted from ISO 31000/2009, illustrates the relationships between the risk management principles, framework and processes.

[Figure 3: ISO 31000 Risk Management Process. Labels recoverable from the diagram: Design, Structure, Implementation.]

The Omnicane ERM approach is aligned to the ISO 31000 requirements. Under this approach there are four key stages to the risk management process, namely:
1. Communicate and consult – with internal and external stakeholders
2. Establish the context – the boundaries
3. Risk assessment – including identification, analysis and evaluation
4. Monitoring and review – risk reviews

8.2 COMMUNICATE AND CONSULT

Internal Stakeholders
The Internal Stakeholders at Omnicane include: the Board of Directors and their Sub-committees; the Leadership team comprising the Chief Executive Officer (CEO) and the Executive Management; Managers; risk owners; and the employees.

External Stakeholders
The External Stakeholders for Omnicane include: the Shareholder (Omnicane) and their relevant committees; the Government of Mauritius; Connected Parties; suppliers and contractors; the financial institutions; and the general public in Mauritius.

8.3 ESTABLISHING THE CONTEXT

Establishing the context of risk management at Omnicane is the foundation of good risk management and vital to successful implementation of the risk process. The Senior Management Team established the context (both internal and external) based on their experience and knowledge of the Sector and its environment. Relevant documents were reviewed and consultations were held with the relevant stakeholders. The context of risk management at Omnicane is “enterprise wide” and considered risk across all its departments, functions and activities. In establishing the context, the Board objectives were identified and the corresponding risk tolerances were defined on a scale of 1 to 25, as shown by the speed dials above.

8.4 RISK IDENTIFICATION

1. The fundamental objective of a risk identification exercise is to ensure that a comprehensive inventory of risk is collated for an identified process.
2. Risks were identified in line with the Board Objectives. A comprehensive list of threats and opportunities was discussed with the relevant stakeholders, based on those events that might enhance, prevent, degrade, accelerate or delay the achievement of the Board objectives.
3. We undertook a systematic and comprehensive identification of the risks, including those not directly under Omnicane’s control. The key questions when identifying the risks are:
   • What is the major business process objective?
   • What can happen (event) that will undermine (i.e. prevent, degrade, or delay) the achievement of the objective?
   • What, if it happens (event), will accelerate or enhance the achievement of the objectives?
   • Where can it happen? (determine the location)
   • When can it happen? (determine the time/s it can occur)
   • Why and how can it happen (causes)? (determine the causes of why and how it may or may not occur)
   • What is the impact (consequence)?
   • Who is responsible (risk owner)?
4. For example, consider the objective of minimising production costs in order to achieve financial objectives. There are uncertainties/risks associated with production cost which, when described in terms of causes/risk drivers, can be sub-optimal suppliers or lax controls over purchases and, when described in terms of impact/consequence, can be high production costs in the case of sub-optimal suppliers and unbudgeted cost/cash outflows in the case of lax controls over purchases. The owner of the risk shall be the production/plant manager, that is, the person who has been given the authority to manage the risk and is ultimately accountable for the risk. The answer to when it can occur can be arrived at by either looking at past ownership history, if any, or that of similar owners, if any, or it may be purely perception and subjective.
5. The risk identification template provided in Annexure C was used to compile the database and record all information regarding the identified risks.
6. The risk identification process is done through workshop sessions with the departmental/entity heads and the relevant stakeholders. The workshops were structured to consider each risk category for each business activity. As the attendees understood all aspects of the business, this ensured a variety of viewpoints which drew out all areas of risk.
7. The identified risks and related information were agreed upon between the department heads and the employees.
8. A copy of all final records/documents related to the risk identification process shall be maintained by the departmental head, also known as the risk owner. The risk owners are now responsible towards the Chief Sustainability Officer for the risks listed in their respective risk registers.
9. A set of risks were also identified at Board level, namely the ‘Board Risks’.

8.5 RISK ANALYSIS

1. Risk is analyzed by determining the impacts and their likelihood. The impact and likelihood should be determined on an inherent basis, i.e. without the existing controls, and on a residual basis, after the existing controls and their effectiveness have been considered.
2. The risk analysis template provided in Annexure D was used to compile the database and record all information regarding the risk analysis.

3. Risk analysis would involve developing an understanding of the risk identified, by considering the source, the cause and the impact (inherent), and then identifying and assessing the current controls, if any, in place to manage the risk.
4. The concept of control owner was also introduced to Omnicane, whereby accountability for maintaining/monitoring the effectiveness of the identified controls was attributed.
5. The effectiveness of the current controls can be subsequently assessed through several different processes including:
   • Control self-assessment
   • Internal Audit reviewing the effectiveness of the controls
   • External audit reviewing the effectiveness of the controls
6. Risk likelihood was evaluated initially based on existing controls (residual risk) as in Table 5 below.

Descriptor: Description (Level; 5 is highest)
Rare: May occur in exceptional circumstances. No past event history. (1)
Unlikely: Could occur in some circumstances or at some point in the next 3-5 years. Some past history exists. (2)
Possible: Might occur at some point in the next 1-2 years. Past warning signs exist. (3)
Likely: Will probably occur in most circumstances in the next 7-12 months. Recurring past event history exists. (4)
Almost certain: Expected to occur in most circumstances in the next 0-6 months. There has been frequent past event history. (5)
Table 5: Risk Likelihood Table

7. Risk impact was then evaluated, also based on existing controls (residual risks), as in Table 6 below. In cases where the risk has varying impact on several assessment criteria (for e.g. financial and customer), the worst score was chosen.

Descriptor (Score): Financial Impact over a period of 3 years / People Impact / Operational Impact / Reputational Impact

Insignificant (1)
   Financial Impact: Little financial impact
   People Impact: Lack of discipline; Absenteeism
   Operational Impact: 1 hour downtime
   Reputational Impact: Minor incidents

Minor (2)
   Financial Impact: 5% drop in earnings; Marginal overrun on budget; 10% drop in earnings
   People Impact: Minor injuries causing minor spillage; Poor talent acquisition & retention; Minor drop in productivity; Increasing risk of strike; Recurring minor injuries
   Operational Impact: 1 day downtime; Spillage cleared in one day
   Reputational Impact: Negative publicity on media; Complaints from stakeholders

Moderate (3)
   Financial Impact: Increase in gearing; Late payment to suppliers; 15% drop in earnings; Inability to repay debts; Impairment of major investment
   People Impact: Strike < 2 weeks; Lack of personal development/training; Poor succession planning; Poor industrial relations; Conflict of interest; Moderate drop in productivity
   Operational Impact: 1 week downtime
   Reputational Impact: Selling non-conforming products

Major (4)
   Financial Impact: 20% drop in earnings
   People Impact: Major injuries; Strike < 1 month; 1-2 Fatalities
   Operational Impact: 1 month downtime
   Reputational Impact: Loss of international accreditations

Extreme (5)
   Financial Impact: Bankruptcy; 50% drop in earnings
   People Impact: Prolonged & recurrent strike > 1 month; Fatalities > 5
   Operational Impact: > 3 months downtime
   Reputational Impact: Breach of environmental regulations
Table 6: Risk Impact Table

8. Each risk was therefore rated in terms of likelihood and impact, and a total score is obtained (product of likelihood and impact ratings). The scores are considered as follows:

Colour: Significance
Green: Low Risk - represents a total score of 1-5
Yellow: Medium Risk - represents a total score of 6-10
Red: High Risk - represents a total score of 12-25

9. The information gathered through risk analysis was used to inform the risk evaluation and guide the risk treatment to be chosen.

8.6 RISK EVALUATION

1. Based on the results/outcomes from the process of risk analysis, the process of risk evaluation was carried out, whereby we compare the residual rating to the risk tolerance to determine whether the risk is tolerable or acceptable.
2. The risk evaluation template provided in Annexure E was used.
3. Based on the impact and likelihood concluded for an identified risk, the risk was mapped to the relevant Board objective, based on which the applicable risk tolerances are determined.
4. Therefore, using the risk evaluation methodology, a high risk (as described in section 8.5) could well be within Omnicane’s tolerance set by objective.
5. For treatment, the risks which are assessed as “Intolerable Risk” shall be given the top-most priority. All cases of “Intolerable Risk” will require an immediate treatment plan to bring the assessment levels to “Tolerable Risk” or “Acceptable Risk”. Because the risk appetite is set against the Board objectives, there may be some risks which are scored high but which are still considered to be tolerable or indeed acceptable.
6. Risks assessed as “Tolerable Risk” may need a treatment plan to bring the assessment levels to “Acceptable Risk”, and might require treatment plans which would largely be initiatives for improvement.
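To make the scoring of section 8.5 and the evaluation of section 8.6 concrete, the following is an added worked example in Python; it is not part of the framework document and is not GRCconnect code. It uses the Table 5 and Table 6 scales and the colour bands above, but the amber-band rule (a residual score above an objective's tolerance by at most 5 points counts as Tolerable), the tolerances and the sample risks are constructed assumptions.

```python
"""Risk scoring and evaluation following sections 8.5 and 8.6 of the framework.

Added illustration, not code from the Omnicane document or from GRCconnect. Assumption
not stated on the page: a residual score at or below the objective's tolerance is
Acceptable, above it by at most TOLERABLE_MARGIN is Tolerable, further out Intolerable.
"""
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}
IMPACT_CRITERIA = ("financial", "people", "operational", "reputational")  # Table 6 columns
TOLERABLE_MARGIN = 5  # assumption: width of the amber band above an objective's tolerance


@dataclass
class Assessment:
    """Likelihood level from Table 5 and an impact score per Table 6 criterion, all 1-5."""
    likelihood: int
    impacts: dict

    def impact(self) -> int:
        # Section 8.5 point 7: with varying impact across criteria, the worst score is used.
        if not self.impacts or set(self.impacts) - set(IMPACT_CRITERIA):
            raise ValueError(f"unknown or missing impact criteria: {sorted(self.impacts)}")
        if any(v not in IMPACT for v in self.impacts.values()):
            raise ValueError("impact scores must be on the 1-5 scale")
        return max(self.impacts.values())

    def score(self) -> int:
        # Section 8.5 point 8: the total score is the product of likelihood and impact.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError("likelihood must be on the 1-5 scale")
        return self.likelihood * self.impact()


def colour(score: int) -> str:
    """Section 8.5 point 8 bands; a product of two 1-5 ratings never lands on 11."""
    if 1 <= score <= 5:
        return "Green"
    if 6 <= score <= 10:
        return "Yellow"
    if 12 <= score <= 25:
        return "Red"
    raise ValueError(f"{score} is not the product of two 1-5 ratings")


def evaluate(residual_score: int, tolerance: int) -> str:
    """Section 8.6: compare the residual rating with the board objective's tolerance (1-25)."""
    if not 1 <= tolerance <= 25:
        raise ValueError(f"tolerance {tolerance} is outside the 1-25 scale")
    if residual_score <= tolerance:
        return "Acceptable"
    if residual_score - tolerance <= TOLERABLE_MARGIN:
        return "Tolerable"
    return "Intolerable"


@dataclass
class Risk:
    name: str
    board_objective: str  # Annexure A objective the risk is mapped to (section 8.6 point 3)
    inherent: Assessment  # rated without existing controls (section 8.5 point 1)
    residual: Assessment  # rated after existing controls and their effectiveness


def assess(risk: Risk, tolerances: dict) -> dict:
    """Rate a risk on both bases and evaluate the residual score against its objective."""
    inherent, residual = risk.inherent.score(), risk.residual.score()
    verdict = evaluate(residual, tolerances[risk.board_objective])
    # Section 8.6 points 5-6: Intolerable needs an immediate plan, Tolerable may need one.
    plan = {"Intolerable": "immediate", "Tolerable": "may be needed", "Acceptable": "not required"}
    return {"risk": risk.name, "inherent_score": inherent, "inherent_colour": colour(inherent),
            "residual_score": residual, "residual_colour": colour(residual),
            "evaluation": verdict, "treatment_plan": plan[verdict]}


# Constructed tolerances for two of the board objectives named in section 4 / Annexure A.
TOLERANCES = {"Achieve Financial Objectives": 8,
              "Strengthening of business in territories where Omnicane operates": 16}

# Constructed sample risks, built from the examples given in sections 8.4 and 8.7.
SAMPLE_RISKS = [
    Risk("Sub-optimal suppliers drive up production cost", "Achieve Financial Objectives",
         Assessment(4, {"financial": 4, "operational": 3}),
         Assessment(2, {"financial": 3, "operational": 2})),
    Risk("Loss, leakage or damage to IT assets (including data)",
         "Strengthening of business in territories where Omnicane operates",
         Assessment(4, {"financial": 3, "operational": 3, "reputational": 4}),
         Assessment(3, {"financial": 2, "operational": 3, "reputational": 4})),
    Risk("Lax controls over purchases cause unbudgeted cash outflows",
         "Achieve Financial Objectives", Assessment(5, {"financial": 5}),
         Assessment(4, {"financial": 5})),
]


def assess_all(risks=SAMPLE_RISKS, tolerances=TOLERANCES) -> list:
    """Assess every sample risk; the second one is Red yet Acceptable (section 8.6 point 4)."""
    return [assess(r, tolerances) for r in risks]
```

The second sample risk scores 12 (Red) on the residual basis but sits within its objective's tolerance of 16, which is the situation point 4 above describes; the third scores 20 against a tolerance of 8 and so requires an immediate treatment plan.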

8.7 RISK TREATMENT

1. Risk treatment involved examining possible treatment options to determine the most appropriate action for managing the risk. Treatment actions are required where the current controls are not managing the risk within defined acceptable levels. Treatment plans could involve providing controls, improving/modifying existing controls and implementing additional controls.
2. Possible risk treatment options include:
   • Terminate (avoid) the risk by removing the risk source or stopping the activity giving rise to the risk, which may involve a change in the business process or objectives. For example, the risk of undertaking an activity which may lead to non-compliance with the relevant laws should be avoided completely, considering the adverse Compliance and Governance impact it will have;
   • Treat the risk by changing the impact or the likelihood, which may involve actions aimed at reducing the impact or the cause of the risk. Treating risk can be proactive, such as preventing the risk from arising, or detective, where systems are put in place in order to see if the causes are changing. There might also be corrective treatment actions, where the impact of a risk is minimised through responding to the risk as it arises. For example, the risk of loss, leakage or damage to IT assets (including data) through internal/external sources can be treated in a number of ways, such as developing and implementing IT security policies and procedures, creating security awareness among the users, vulnerability assessments, regular audits, etc., thereby bringing down the likelihood of the risk event materializing;
   • Transfer the risk with/to another party or parties, which may involve transfer of ownership and liability to a third party. For example, the risk of loss of a company asset can be transferred through insurance;
   • Tolerate (retain or accept) the risk, i.e. where the cost of risk treatment outweighs the benefits that can be expected from the treatment. For example, the transmission and distribution assets at the Group level are self-insured and to that extent the risk of loss of these assets due to natural calamities is being accepted; and
   • Take the risk in order to pursue an opportunity. For example, the selection of new software/application is an opportunity risk, where the intention is to achieve better results by installing the new software/application, but it is possible that the new software/application will fail to deliver all of the functionality that was intended and the opportunity benefits will not be delivered. In fact, failure of the functionality of the new software/application may substantially undermine the operations of the organization.
3. When determining the preferred treatment option based on the current residual risk, consideration should be given to the cost of the treatment as compared to the likely risk reduction that will result, i.e. the cost benefit analysis. Comprehensive documentation shall be maintained for the cost benefit analysis undertaken. The decision shall take into account the Risk Appetite levels approved by the Board.

4. The cost of any treatment plan/actions should be incorporated into the relevant budget planning process; the person responsible for delivery of the treatment plan/actions should be clearly identified, with the expectation communicated to them; realistic due dates for implementation should be set; and performance measures should be determined.
5. The risk treatment schedule plan template provided in Annexure F should be compiled for the relevant risks, with all information regarding the treatment plan recorded.

9. RISK REGISTER

1. A Risk Register (RR) shall be developed and maintained for each Department/business unit to capture comprehensively all risks related to that Department/business unit. It shall be owned and maintained by the relevant Department/business unit. The Risk Register template is provided in Annexure G.
2. All the business unit/department risks have been merged into a comprehensive list in the “Masterfile” Excel workbook.
3. The ‘Board Risk Register’ comprises the risks identified by the Board during their risk identification session.

10. MAINTENANCE OF RISK REGISTERS

1. Until Omnicane adopts an automated tool for risk management, the RR shall be maintained and updated on a spreadsheet in the format provided in the Omnicane ERM Framework document.
2. The RR must be a living document which is updated as frequently as risks and controls change.
3. The following steps have been designed to ensure the RR remains a living document and the decision-making process is enhanced throughout the Omnicane Group:
• Define Review Plan and Schedules
Each risk owner is tasked to plan, schedule, and perform risk reviews. This helps ensure a consistent approach to risk management across OMNICANE. A risk review plan will contain the following details:
1) The risk owner.
2) The schedule of risk reviews, which may be as and when required or recurring.
3) Trigger updates from control owners and other inter-related risk owners.
• Identifying New Threats and Opportunities
At a risk review date, if new risks or opportunities are identified, the same risk assessment methodology as described in section 8 above will be applied. Any new risk/opportunity identified should be reported to the Chief Sustainability Officer and validated by the latter before being added to the relevant register. The risk owner can also document findings or issues, attach evidence, and route the data for review and approval. Assessment scores are combined to flow up into an overall risk score. Issues identified during the assessment become part of the risk action and mitigation process.
• Control self-assessments
A series of control assessments should be designed to monitor the effectiveness of specified controls. The series should clearly define how often individual inspections occur and who performs them. An example of a control assessment is shown below:
[Example control assessment not reproduced in this extraction.]
Following the re-evaluation of the effectiveness of controls per risk, the risk ratings and controls should be updated accordingly. If control assessments are not performed by the due date, or control failures have been reported by management or external testing, the residual score of the risk will flip back to its inherent level, as illustrated by the table below:
[Illustrative table not reproduced in this extraction.]
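The scoring bands of section 8.5, the tolerance comparison of section 8.6 and the "flip back to inherent" rule for overdue or failed control self-assessments above can be put together in a small register evaluator. The following is an added illustration, not Omnicane's own tooling or the GRCconnect implementation: the numeric tolerance thresholds per Board objective (the framework only says tolerances are set by objective), the sample risks, their ratings and their assessment due dates are all constructed assumptions, and the report date is taken as the framework's own date, 7 April 2020.

```python
"""Worked example of the risk scoring and evaluation rules (sections 8.5,
8.6 and 10). Illustrative code only; tolerances and sample data are assumed."""
from dataclasses import dataclass
from datetime import date

RATING_RANGE = range(1, 6)  # likelihood and impact are each rated 1-5
REPORT_DATE = date(2020, 4, 7)  # date of the framework document, used as "today"


def total_score(likelihood: int, impact: int) -> int:
    """Section 8.5: total score is the product of the two ratings."""
    if likelihood not in RATING_RANGE or impact not in RATING_RANGE:
        raise ValueError("likelihood and impact must each be rated 1-5")
    return likelihood * impact


def colour(score: int) -> str:
    """Section 8.5 bands: 1-5 Green, 6-10 Yellow, 12-25 Red.
    No product of two 1-5 ratings equals 11, so the bands cover every score."""
    if score <= 5:
        return "Green"
    if score <= 10:
        return "Yellow"
    return "Red"


@dataclass(frozen=True)
class Tolerance:
    """Assumed numeric form of a Board objective's tolerance (section 8.6):
    residual up to `acceptable` is Acceptable, up to `tolerable` is Tolerable,
    anything higher is Intolerable."""
    acceptable: int
    tolerable: int


def evaluate(residual: int, tolerance: Tolerance) -> str:
    """Section 8.6: compare the residual score with the objective's tolerance."""
    if residual <= tolerance.acceptable:
        return "Acceptable Risk"
    if residual <= tolerance.tolerable:
        return "Tolerable Risk"
    return "Intolerable Risk"


@dataclass
class Risk:
    ref: str
    description: str
    objective: str
    inherent_likelihood: int
    inherent_impact: int
    residual_likelihood: int
    residual_impact: int
    control_assessment_due: date
    control_failure_reported: bool = False


def residual_score(risk: Risk, today: date) -> int:
    """Section 10 rule: an overdue control assessment or a reported control
    failure flips the residual score back to the inherent level."""
    if risk.control_failure_reported or today > risk.control_assessment_due:
        return total_score(risk.inherent_likelihood, risk.inherent_impact)
    return total_score(risk.residual_likelihood, risk.residual_impact)


def evaluate_register(risks, tolerances, today):
    """Score and evaluate every register entry; one dict per risk."""
    rows = []
    for risk in risks:
        score = residual_score(risk, today)
        rows.append({"ref": risk.ref, "residual": score, "colour": colour(score),
                     "evaluation": evaluate(score, tolerances[risk.objective])})
    return rows


_PRIORITY = {"Intolerable Risk": 0, "Tolerable Risk": 1, "Acceptable Risk": 2}


def treatment_order(rows):
    """Section 8.6 item 5: Intolerable risks first, then by residual score."""
    return sorted(rows, key=lambda r: (_PRIORITY[r["evaluation"]], -r["residual"]))


# Constructed sample data (not taken from the framework document).
TOLERANCES = {
    "Sustainable growth": Tolerance(acceptable=5, tolerable=10),
    "Achieve financial objectives": Tolerance(acceptable=8, tolerable=15),
}
SAMPLE_REGISTER = [
    # Scores Red (12) yet sits within its objective's tolerance: section 8.6 item 4.
    Risk("R1", "Budget overrun on new application rollout",
         "Achieve financial objectives", 4, 5, 3, 4, date(2020, 6, 30)),
    # Control assessment was due 31 March and is overdue: residual flips to inherent.
    Risk("R2", "Leakage of IT assets (including data)",
         "Sustainable growth", 4, 4, 2, 3, date(2020, 3, 31)),
    # Assessment not yet due, but a control failure has been reported.
    Risk("R3", "Environmental permit breach",
         "Sustainable growth", 3, 3, 1, 3, date(2020, 9, 30), control_failure_reported=True),
    # Controls in good standing: stays at its residual level.
    Risk("R4", "Minor supplier delay", "Sustainable growth", 2, 2, 1, 2, date(2020, 12, 31)),
]


def sample_report():
    """Evaluate the constructed register as at REPORT_DATE, in treatment order."""
    return treatment_order(evaluate_register(SAMPLE_REGISTER, TOLERANCES, REPORT_DATE))


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```

R1 shows why section 8.6 warns that a "high" (red) score is not automatically intolerable: the colour band is fixed, the tolerance is per objective. R2 and R3 show the two triggers for the flip back, an overdue self-assessment and a reported control failure; because the flip uses the inherent ratings, an overdue assessment can move a risk from Tolerable straight to Intolerable and to the top of the treatment list.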

11. BUSINESS UNIT OPERATIONAL RISK MANAGEMENT

As Omnicane gains risk maturity, risks could be managed at business unit level with a focus on operational risks. Under ERM, risks are captured, grouped and measured at Group level and technical, business-specific details are skipped. Under business unit ORM, the top 5 risks by residual score for each business unit will need to be reported to the CRO. (For scoring the risks under the ORM, the same impact rating criteria as in Table 6 shall be used.)

12. RISK MONITORING AND REVIEWING

Omnicane realises that risk has a dynamic context resulting from constantly changing external and internal environments. After a risk assessment is completed, Omnicane will continue to monitor and review not only risks but also the effectiveness and adequacy of existing controls, risk treatment plans and the process for managing their implementation. The monitoring and reviewing process will be automated on GRCconnect (Annexure H). This will encompass all aspects of the risk management process for the purposes of:
• Ensuring that controls are effective and efficient in both design and operation.
• Obtaining further information to improve risk assessment.
• Analysing and learning lessons from risk events, including near-misses, changes, trends, successes and failures.
• Detecting changes in the external and internal context, including changes to risk criteria and to the risks themselves, which may require revision of risk treatments and priorities. For example, if there are changes to internal or external objectives or regulations, the risk owner will update the corresponding information in the risk registers and use it to reanalyse all affected risks.
• Identifying emerging risks.

13. RISK STATUS REPORTING

1. Risk reporting at Omnicane shall be broken into two distinct levels: one at Board level and one at Business Unit level.
2. On a quarterly basis, a Risk Status Report will be provided to the Risk Committee and shall be in line with the requirements of the Omnicane ERM Framework document.
3. All the Board risks identified have been categorized into:
i. Business management risks
ii. Board approval risks
iii. Emerging risks
This categorization will assist the CRO in conveying the appropriate level of information to the Board.

Business unit risks identified during the risk identification phase feed into the top risks identified by the Board. A risk status report template and dashboard are provided in Annexure I.
4. As a minimum, the Group Risk Report shall summarize the status of all “Intolerable” (“red”) and selected “Tolerable” (“yellow”) rated risks. Such summaries shall include a report on the status of controls/actions, i.e. the treatment plan, wherein “RED” indicates that it has fallen so far behind that it is unlikely to be remedied, “YELLOW” indicates that the programme has slipped but with some effort can be completed on schedule, and “GREEN” indicates that all actions are expected to complete on time.
5. Further, individual risk summary reports shall also be provided for the risks rated as “Intolerable”, which shall include details of: risk name; risk owner; risk description; causes/risk drivers; impact; residual and targeted risk rating; current controls and their reasonableness; the risk treatment plan comprising action, owner and due date; and finally the progress report.

14. DOCUMENTATION AND RECORD KEEPING

Important risk management processes, procedures and activities will be documented, as this is important for the following reasons:
1. It gives integrity to the process and is part of good corporate governance;
2. It provides an audit trail and evidence of a structured approach to risk identification and analysis;
3. It provides a record of decisions made which can be used and reviewed in the future; and
4. It provides a record of the risk profile/register/universe for Omnicane to continuously monitor and to provide evidence of appropriate activity for the purpose of internal and external audit.

15. CONTINUAL IMPROVEMENT OF FRAMEWORK

The effectiveness of the risk management framework implemented will be periodically reviewed to ensure continuous improvement of risk management in the Group.
The purpose of the framework is to embed a risk-aware and performance culture within the Group. This can be evaluated in light of breaches and near misses, the effectiveness of communication, and an assessment of what lessons have been learned and what remedial actions have been taken. The framework is only effective if the context remains relevant to the Group, that is, if the Group objectives and the internal and external context for risk management are current and accurate. The impact assessment criteria used in the risk framework also need to be periodically reviewed to ensure they remain relevant to the size and complexity of the Group.

Omnicane Ltd

ANNEXURES

Annexure A – Board’s strategic objectives

Strategic Board Objective | Description
Strengthening of business in territories where Omnicane operates | To promote the brand of the Group through excellent service to its customers and to contribute to the welfare of the community as a whole.
Vertical integration of cane industry | To expand its business operations into different steps on the same production path, so that the Group becomes its own supplier of sugar canes and its by-products as well as the transportation.
Enhance value of land bank | Conversion of its agricultural land bank into higher value projects.
Diversify geographical base | Diversify country risks by developing new markets.
Strategic partnerships | Selecting key partners that will enhance the reputation of Omnicane.
Sustainable growth | Growth without causing environmental problems.
Rebalance the gearing | To achieve the gearing level as formulated in the 5 year strategic plan.
Achieve financial objectives | To meet budgets for the financial year.

Annexure B – Business Unit Risks Mapped to Board Risks

Columns: Board Objectives | Category | Board Risks | BU Risks | Residual Scoring | Risk Tolerance | Resultant Risk Evaluation | Risk Strategy (4 T’s) | Risk Treatment Plan

Annexure C – Template for Risk Identification

Company: | Department: | Risk Champion: | Date:
Columns: SN | Major Business Area | Board Objectives | Process Objectives | Risk Ref. No. | Risk Description | Risk owner | Cause or causes (how can it happen?) | Consequences (what it may lead to or result in) | Inherent

Annexure D – Risk Analysis Template

Company: | Department: | Risk Champion: | Date:
Columns: SN | Risk Ref. No. | Risk Description | Risk Owner | Consequences (what it may lead to or result in) | Inherent Likelihood Score | Inherent Impact Score | Total Inherent Score | Existing Controls | Residual Likelihood Score | Residual Impact Score | Total Residual Score
(Data from Annex B)

Annexure E – Risk Evaluation Template

Company: | Department: | Risk Champion: | Date:
Columns: SN | Board Objectives | Risk Ref. No. | Risk Description | Risk Owner | Residual Score | Risk Tolerance | Resultant Risk Evaluation | RTP required Yes/No? | RTP ref. No. | Risk assessment priority
(Data from Annexes B & C)

Annexure F – Risk Treatment Schedule Plan Template

Function/process/activity: | Complete by: | Date of review: | Reviewed by:
Columns: Risk (in priority order from Risk Register) | Risk level | Target risk level | Possible treatment options | Preferred options | Results of cost-benefit analysis: accept or reject | Person responsible for implementation of the option | Date: Timetable for implementation | Date: How the risk and treatment will be monitored
(Data from Annexes B, C & D)

Annexure G – The Risk Register Template

Company: | Department: | Risk Champion: | Date:
Columns: SI No. | Risk Description | Risk Name | Risk category | Risk Ref. No. | Risk Owner | Current Risk | Impact | Likelihood | Risk Appetite | Risk assessment priority | RTP required Yes/No? | RTP ref. No.
(Data from Annexes B, C & D)

Annexure H – GRCconnect Snapshots

[Screenshot: Bow tie for risk]
[Screenshot: Landing Page]
[Screenshot: Sampled dashboard]
[Screenshot: Risk Library]

Annexure I – The Risk Reporting Template

Refer to report submitted to CRO.
