Governance


*The content on this webpage is sourced from Southern Steel Berhad's Annual Report 2025


Sustainability Governance Structure and Approach

Description

The Group affirms that good governance underpins sustainable business and long-term resilience. Its governance structure, framework, policies, and commitments aspire to foster a culture of integrity, accountability, transparency, and efficiency, while upholding the rule of law and aligning with the best interest of shareholders and stakeholders.


Governance Structure

The Group has a well-established governance structure led from the top, with clear accountabilities for continual implementation of sustainability initiatives and efforts to address sustainability-related risks and opportunities (SROs) and climate-related risks and opportunities (CROs) in an integrated and strategic manner. These efforts aim to support the Group’s long-term strategy and sustainable growth, while strengthening stakeholders’ trust that the Group is working towards building strategic resilience and agility to deliver a sustainable future to the shareholders and stakeholders. An overview of the Group’s sustainability governance structure is set out below:

 

The Board of Directors has oversight on the Group’s sustainability and climate related matters. On a quarterly basis, the Board reviews and approves:

• Broad strategies, including those related to ESG considerations.

• Strategic initiatives to ensure alignment with long-term value creation and ESG principles.

• The adequacy of processes for identifying, assessing, and managing sustainability and climate related risks and opportunities.


The BARMC (Board Audit and Risk Management Committee) is the Board committee that maintains oversight on ESG internal assurance, financial control, risk management and internal processes control, and also acts as the Governing Body of the Anti-Bribery and Corruption Management System (“ABCMS”). It provides the Board with quarterly updates, including assessment of the adequacy of the Group’s sustainability governance.

The Board of Directors regularly engages third-party experts to provide briefings and specific training on sustainability and climate-related matters. This ensures that the Board members possess the necessary skills, competencies, and knowledge to effectively oversee the identification and mitigation of sustainability and climate related risks and opportunities.

The programmes and forums are listed in the Corporate Governance Overview Statement, Risk Management and Internal Control, Board Leadership and Effectiveness, Part E – Commitment in the annual report.


The Sustainability Steering Committee (SSC), chaired by the Group Managing Director (GMD) and supported by the Chief Financial Officer (CFO) as deputy, comprises senior Heads of Department from key operational areas. The GMD also assumes the role of Chief Sustainability Officer (CSO), providing strategic leadership and supporting the Board in its oversight of sustainability and climate-related governance. The CSO reports the progress and developments to the Board on a quarterly basis, in areas including the Company’s sustainability and climate related risks and opportunities, policies, ESG strategies, priorities, measures, targets and performance.

The GMD, assisted by the Sustainability, Technology and Innovation Department (STI), steers the sustainability and climate related strategies of the Group. The SSC considers sustainability risks and opportunities in its business activities across the value chain, focusing on environment, social and governance (ESG) aspects that could reasonably be expected to impact the cash flow, access to finance, or cost of capital over the short, medium, or long term. The SSC formulates and reviews the strategies, manages processes, initiatives, targets, and performances in relation to sustainability and climate related matters.


The SSC, together with STI, works closely to integrate sustainability considerations in day-to-day operations and ensure effective implementation of sustainability strategies and plans. The SSC also oversees the implementation of the Group’s sustainability initiatives and climate related strategies to ensure that key metrics targets are being monitored.

The SSC is assisted by the SWC, comprising key staff of the operating companies as nominated by the SSC. The SWC’s reporting duties include provision of information, collection of feedback from stakeholders, addressing material sustainability issues and driving initiatives approved by the SSC. The STI coordinates with and provides support to SWC on management of material metrics and targets, and consolidates sustainability report and data from SWC to SSC.


The General Manager of STI regularly reports to and seeks guidance from the CSO and SSC. The department is responsible for developing and managing the implementation of the Group’s sustainability and climate related strategies. The responsibilities of the sustainability department include, but are not limited to:

• Reviewing and reporting the progress of strategies implementation to CSO and SSC.

• Following up the development of carbon related policies such as CBAM, carbon tax and National Decarbonisation Roadmap.

• Embedding sustainability into existing operational practices.

• Leading corporate sustainability reporting and identifying areas for operational improvement.

• Delivering ESG (non-financial) data reporting and performance management.

 

 

Risk Management

Description

The Group recognises that effective risk management is essential in the steel industry, given its exposure to global market volatility and ESG concerns. Risk management helps in calculating uncertainties and predicting their impact, thus enabling the Group to make strategic decisions. Risk management also gives the Group the opportunity to proactively manage the unexpected by mitigating or minimising the impacts of risks rather than reacting to them. The effectiveness of risk management is crucial for the Group’s resilience, financial stability, and long-term sustainability.

 

Risk Management Structure

The Board is responsible for overseeing and maintaining sound risk and opportunity management within the Group to ensure smooth business operations. The BARMC, a subcommittee of the Board, is entrusted with maintaining a sound risk management system, reviewing, and presenting the company's risk management and audit report. Meanwhile, the GMD, as the chairman of the SSC, is responsible for reporting the progress of activities related to the Group's ESG, sustainability- and climate-related risks and opportunities to the Board on a quarterly basis.

The BARMC comprises directors from the Board, with its chairman being an Independent Non-Executive Director. The CFO, Head of Internal Audit, GMD, and senior management may attend committee meetings by invitation to provide information and clarification on agenda items.

 

Risk Management Framework and Process

The Group is certified to several risk-based ISO Management Systems such as ISO 9001, ISO 14001, ISO 45001, and ISO 37001. One of the key requirements in these management systems is managing risks. The audits by certification bodies benefit the Group, whereby they assist in ensuring that the management systems have been properly implemented and maintained, as well as identifying opportunities for improvements and potential risks that may have been missed out.

The Group adopts ISO 31000 Risk Management as its risk management framework to improve the identification of opportunities and threats, and to effectively allocate and use resources for risk treatment. The management is accountable for the effective internal control and implementation of risk management within the Group whilst the Internal Audit Department (“IAD”) and Sustainability department facilitate the maintenance of the risk management framework on an ongoing basis. The IAD applies appropriate auditing standards in assessing the integrity and effectiveness of internal controls, and compliance with the established policies and procedures.

The Group’s risk management is a continuous process designed to proactively identify, assess, and respond to risks and opportunities. As illustrated below, this process enables timely management of factors that may affect the achievement of our operational objectives and strategic goals, including long-term sustainability goals.

 

 

Risk Rating Matrix

The Group integrates sustainability-related risks and opportunities and climate-related risks and opportunities into its risk management framework. A customised risk rating matrix has been established to assess and determine risk levels based on the likelihood of occurrence and the potential financial impact. The revenue of the preceding financial year is used as the basis for assessing financial impact.

 

 

Risk and Opportunity Register

The Risk and Opportunity registers of the Group are as below:

 

 

Approach to Non-Compliance

The Group recognises that non-compliance can expose it to legal, financial, and reputational risks. To address this, the Group adopts a proactive approach as outlined in Section 3.3: Ethics and Integrity, specifically under the Anti-Bribery and Corruption (ABC) Policy and the Whistleblowing Policy. These policies are designed to help identify and mitigate risks before they escalate.

The Whistleblowing Policy encourages individuals to raise genuine concerns regarding improper or wrongful conduct involving the Group through designated whistleblowing channels. Whistleblowers are protected from adverse employment actions and, where feasible and permitted by law, their identities will be kept confidential.

The procedures for investigating non-compliance are summarised in the flow chart displayed on the right. The number of non-compliance incidents is reported in Section 3.3: Ethics and Integrity, under the Whistleblowing Policy.

The Group has an established process requiring all employees to self-declare their compliance with the Company’s Code of Conduct and the Anti-Bribery and Corruption Policy. The Human Resources department reviews the declarations and identifies any instances of non-compliance for further action.

 

Major ESG Catastrophic Events

ESG catastrophic events refer to severe incidents that significantly impact a company’s performance, reputation, and stakeholder trust due to failures in ESG areas. Such events can adversely affect a business’s financial condition, operational results, access to capital markets, and borrowing costs.

The Group has identified a list of risks that may potentially lead to major ESG catastrophic events, based on its Risk and Opportunity Registers and historical data. These risks include:

• Spreading of infectious diseases (e.g., pandemics or endemics)

• Impact of climate change (e.g., flood)

• Cyber-attacks (e.g., ransomware)

To address these risks, the Group has established control measures aimed at mitigating their potential impact and ensuring business resilience.

 

Ethics and Integrity

Description

The Group firmly believes that ethics and integrity are the cornerstones of a trustworthy and reputable business. These values are essential not only for building trust but also for ensuring long-term success, boosting employee morale and productivity, strengthening customer relationships, attracting investors and strategic partners, and maintaining compliance with laws and regulations.

We are committed to conducting our business with integrity, accountability, and transparency. These principles form the foundation of our corporate culture and our way of doing business.


Business Model and Value Chain

The Group acknowledges that ethical business conduct and integrity are essential across the entire value chain, from raw material sourcing and production to sales, distribution, and supporting functions. Upholding these principles is critical to maintaining stakeholder trust and long-term sustainability.

The Group is committed to principled leadership and responsible governance. The Board of Directors of the Group is fully committed to upholding the Code of Ethics for Company Directors. In alignment with this, the management team and all employees of the Group adhere to the Group’s Code of Conduct and Ethics, demonstrating a shared commitment to ethical business practices and integrity in all aspects of our operations.

BARMC is the governing body for the Group’s Anti-Bribery and Corruption Management System, overseeing policy approval and implementation. The ABCMS Compliance Function Officer is responsible for ensuring the system’s effectiveness and alignment with its objectives.

The Group is certified under the ISO 37001 Anti-Bribery Management System, and clear expectations have been established for all stakeholders to act in a manner that is lawful, ethical, and honest, in alignment with the Group’s anti-bribery and corruption policy. This certification also reflects the Group’s strong commitment to integrity and reinforces our stance on promoting transparency and accountability in all business dealings.


Strategy and Decision Making

The Group has established a structured framework built on policies, codes of conduct, procedures and promotional activities to effectively prevent, detect and respond to bribery and corruption risks. This framework supports the Group’s commitment to ethical business practices and compliance with ISO 37001 standards.

1. Policies

Anti-Bribery and Corruption Policy
The Group is committed to conducting its business ethically in compliance with applicable anti-bribery and corruption laws in every country where we operate. We do not condone any form of bribery and corruption. Stakeholders are encouraged to report any bribery and corruption related concern or suspicion to the Head of Internal Audit or Head of Human Resources as outlined in the policy.

Whistleblowing Policy
The Group promotes and supports a culture where people including employees, contractors, joint ventures, parties working with the Group, external stakeholders and members of the public feel comfortable to raise genuine and legitimate concerns regarding inappropriate conduct and behaviour.

Employees and staff are strongly encouraged to speak up if they become aware of any improper or wrongful act involving the Group. To facilitate this, the Group has published a Whistleblowing Policy along with Whistleblower Form to enable whistleblowers to report concerns. Anonymous reporting is accepted; however, complaints that are found to be frivolous, vexatious, or an abuse of the process will be disregarded.

The Group is also committed to protecting the confidentiality of people, including whistleblowers who make genuine and legitimate disclosures from adverse employment actions to the extent permitted by law. To support this commitment, the Group has established a Whistleblowing Communications Plan and Investigation Procedures, which outline the methods for communicating the Whistleblowing Policy to employees and the investigation procedures in response to reported non-compliance.

Gifts and Entertainment Policy
The Group adopts a strict “No Gift Policy”, under which all employees are prohibited from giving or receiving gifts and entertainment, except as expressly permitted by the policy. In September 2025, the policy was updated to clearly define thresholds for festive gifts, permitted entertainment, and customer function gifts. It also outlines the required approval levels based on employee categories. This policy is designed to regulate the giving and receiving of gifts and prevent any form of undue influence.

Effective from 1st January 2021, all employees are required to submit a half-yearly declaration regarding the giving and/or receipt of gifts and entertainment.

Self-Declaration Policy
The Group has implemented a Self-Declaration Policy applicable to management and high-risk departments, including but not limited to Procurement, Sales and Marketing and Finance. Under this policy, individuals in these departments are required to annually confirm their compliance with the Group’s Code of Conduct and Ethics, as well as the Anti-Bribery and Corruption Policy. They must also disclose any actual or potential conflicts of interest involving companies or businesses that have dealings with any of the Group’s operating entities. These annual declarations help ensure that the information remains current, accurate, and transparent.

Donation Policy
The Group’s Donation Policy was updated in September 2025 to ensure that all corporate donations are made in a transparent, accountable, and ethical manner. The policy governs contributions to charities, non-profit organizations, and causes that serve the greater good. To uphold neutrality and ethical standards, the Group maintains a strict prohibition on all forms of political contributions.

Refer to FY2025 Annual Report page 113 for Community Engagement details on donation.

2. Codes

Code of Ethics for Company Directors
The Group’s Code of Ethics sets clear standards and guidelines for directors, promoting accountability, transparency, and ESG-driven sustainability. All Board members must formally acknowledge and comply with these standards.

Group Code of Conduct and Ethics
Applies to all employees, promoting integrity, accountability, and lawful conduct.

3. Procedures

Conflict of Interest
The Group aims to avoid any potential conflicts of interest during the tendering and recruitment processes. Members of the tender committee are required to self-declare any potential conflicts of interest with participating tenderers. Similarly, during recruitment interviews, candidates must disclose if they have any family members or relatives currently employed by the Group.

Refer to FY2025 Annual Report page 134 for Statement of Declaration by the Board members.

Due Diligence
The Group is committed to conducting due diligence prior to engaging with potential vendors, contractors, and employees. This process is essential to uphold our standards of integrity and to mitigate bribery and corruption risks.

As part of our vendor and contractor screening, the Group refers to the Malaysian Anti-Corruption Commission (MACC) Offender Database to verify whether any directors of potential vendors or contractors have a history of bribery or corruption. For potential employees, the Group engages third-party service providers to perform comprehensive background checks before issuing employment offers.


ABCMS Risk Mitigation and Control Measures
The Group has implemented a range of procedures designed to reduce major or significant bribery and corruption risks to minor or trivial levels. These controls help prevent misconduct such as bribery, false claims, fraud, and abuse of power. Examples of key procedures and policies include:

• Tender Procedure – Ensures transparency and fairness in procurement.
• Recruitment Procedure – Promotes integrity and prevents nepotism or bias.

4. Promotional and Awareness Activities

Annual ABCMS Awareness Program
In FY2025, the operating companies within the Group conducted various programs to promote a culture of integrity and reinforce the understanding of anti-bribery and corruption principles.

SSB – Anti-bribery and corruption video making competition
Encouraged creative engagement and raised awareness among employees.

SPC and SSM – Anti-bribery and corruption talk by MACC
Featured insights and guidance from MACC, enhancing understanding of legal and ethical expectations.

SPIM/SSP – Banner design competition
Fostered a culture of creativity and raised awareness in the workplace.



Communication of ABC Policy to Business Associates and Intermediaries
The Group actively communicates its Anti-Bribery and Corruption Policy to business associates and intermediaries, including contractors, via email. In addition, suppliers and contractors are provided with the Suppliers’ Code of Conduct and Ethics, reinforcing our expectations for ethical behaviour and compliance.

To ensure understanding and commitment, the Group actively engages with business associates and intermediaries to obtain their formal acknowledgement of key policies. The previously established target was successfully achieved and concluded in FY2024, with a cumulative response rate exceeding 90% across the Group.

Despite the completion of this target, the Group continues to communicate these policies to all newly onboarded business associates and intermediaries to maintain consistent awareness and compliance.

Training
The Group continues to enhance employees’ understanding of ABCMS and related policies through structured training programs. All existing employees will undergo refresher training once every three years via the e-training and evaluation portal. The current training cycle commenced in FY2025 and will conclude in FY2027.

The contents of the refresher training include:
• Overview of Anti-Bribery Management System
• Anti-Bribery and Corruption Policy Statement
• Anti-Bribery and Corruption Policy
• Whistleblowing Policy
• Gifts and Entertainment Policy
• Applicable Laws of Malaysia
• Certification on ISO 37001
• Definition of bribery, forms of bribery, causes, and negative effects of bribery and corruption

All newly recruited employees undergo an onboarding program that includes ABCMS awareness, while face-to-face classroom refresher training is organised specifically for foreign workers to ensure effective understanding.

Compliance Monitoring and Audits
The Group adopts a proactive approach to identify, maintain, and review ABCMS risks on a quarterly basis to ensure adherence and identify areas for improvement. As part of the ABCMS risk assessment process, each respective risk owner is responsible for establishing a mitigation plan to address identified risks, with particular focus on high or significant risks.

Financial Effect

The Group assesses the financial implications of anti-bribery and corruption matters in relation to sustainability-related risks and opportunities. The Group is exposed to certain SRO factors that may lead to reputational damage and potential financial penalties. This includes inadequate governance measures to prevent bribery and corruption within the Group and among the business associates.

Nevertheless, as the Group has implemented a structured framework to adequately prevent, detect and respond to bribery and corruption risks within the Group, the current and anticipated financial impacts are expected to be low.


Resilience of the Group's Strategy and Business Model

The Group considers its current approach and the measures implemented to be adequate for consistently meeting regulatory requirements and upholding strong governance practices. These measures support ethical business conduct and integrity across the entire value chain, contributing to long-term resilience of the Group’s strategy and operation.


Metrics and Targets

ISO 37001 Anti-Bribery Management System 

100% of the operating companies in the Group are certified to the ISO 37001 Anti-Bribery Management System.


ABCMS Risk Assessment 

In FY2025, all operating companies within the Group successfully conducted ABCMS risk assessments, demonstrating our commitment to continuous improvement and effective risk management in combating bribery and corruption.


Gift and Entertainment Declaration 

The Group’s declaration rate is presented in the table below. Employees on extended hospitalisation leave during the declaration period were excluded from the reporting.



Whistleblowing Disclosure 

In FY2025, the Group received two whistleblowing disclosures through its reporting channels. Both cases were investigated thoroughly, and appropriate disciplinary actions were taken accordingly.



Training 

Data Privacy and Security

Description

The Group recognises the critical role of personal data in business operations and treats stakeholder concerns regarding the collection, use, and storage of personal data with utmost importance. In light of increasing digitalisation, the importance of data privacy and cybersecurity cannot be trivialised. Cyber threats, whether internal or external, pose significant risks to operational continuity, financial stability, and stakeholder trust.


Business Model and Value Chain

The Group recognises that data privacy and security are critical across its entire business model and value chain, including operations and interactions with business associates, such as suppliers and customers. Data privacy and security are embedded into the Group’s core operations through a structured governance framework. Oversight is provided by BARMC, with integration into corporate policies and the Group’s risk management framework. This includes the use of secure technologies and infrastructure, ongoing employee training and awareness programs, and established protocols for incident response and recovery.

Across the value chain, the Group ensures secure handling of personal data, including customer and supplier information. Controls are in place to manage data transfers and sharing, in compliance with applicable data protection regulations. The Group remains vigilant in safeguarding its data and digital infrastructure to maintain operational resilience, mitigate sustainability-related risks, and uphold stakeholder trust. These efforts support long-term value creation and reinforce the resilience of the Group’s business model.


Strategy and Decision Making

BARMC holds oversight responsibility for data privacy and security across the Group. Data governance is integrated into corporate policies and the Group’s sustainability risks and opportunities management framework. A Data Protection Officer (DPO) has been appointed to respond to and investigate complaints related to breaches of customer privacy or data loss. These concerns can be submitted through the Group’s website, ensuring accessibility of the reporting mechanism.

Personal data is managed in strict accordance with the Southern Steel Group Privacy Notice and is guided by Malaysia’s Personal Data Protection Act (PDPA) and other applicable regulations, reflecting the Group’s commitment to responsible data governance. The Group has implemented a comprehensive cybersecurity strategy, guided by best practices, and benchmarked against the ISO/IEC 27001:2022 Standard and its 2024 amendment. This strategy is designed to defend against cybercrime and protect critical systems and sensitive information from digital threats. Through continuous vigilance and proactive measures, the Group aims to uphold the integrity, confidentiality, and availability of its digital assets.


To support this strategy, the Group continues to implement key initiatives that enhance the protection of company data, information, and records, including:
• A robust policy framework
• Ongoing employee training and awareness programs
• Deployment of secure technologies and infrastructure
• Established protocols for incident response and recovery


Financial Effect

The Group assesses the financial implications of data privacy and security within the context of its sustainability-related risks and opportunities. The Group recognises that failure to safeguard company data, information and records could lead to increased operational costs, reputational damage, and potential financial penalties. These risks may arise from data breaches, loss of customer trust or regulatory non-compliance.

However, given the Group’s established policy framework and strategic initiatives to ensure data privacy and security—including governance oversight, secure infrastructure, employee training, and incident response protocols—the current and anticipated financial impacts are assessed to be low.

This proactive approach supports operational resilience and helps mitigate financial risks associated with data privacy and cybersecurity threats.


Resilience of the Group's Strategy and Business Model

The Group considers its current approach and controls to be adequate in meeting regulatory requirements and safeguarding data and digital infrastructure across its entire value chain. These measures contribute to operational resilience by reducing exposure to data-related risks, including cyber threats, privacy breaches, and regulatory non-compliance. By embedding data privacy and security into its governance, technology, and risk management frameworks, the Group enhances its ability to maintain business continuity, protect stakeholder interests, and support long-term value creation.


Metrics and Targets

The Group has established a dedicated reporting channel on its website for stakeholders to raise concerns or complaints related to breaches of customer privacy.

Management Systems

Description

The Group believes that ISO management systems are crucial for sustainable development because they provide a structured framework for improving governance, environmental and social performance, enhancing efficiency, and aligning with global sustainability goals. The management systems foster a culture of continuous improvement and integrate sustainability into core business strategies to achieve long-term economic viability while minimising negative impacts on the planet and society.


Our Approach

The Group implements various ISO management systems with clearly defined objectives to enhance operational excellence, ensure compliance, and support continuous improvement.



Our Initiatives

The status of ISO management systems implementation across the Group is as follows:



The Group undergoes annual internal and external audits for certified management systems, conducted by both internal auditors and accredited external auditors. These audits ensure effective implementation and support continuous improvement. For adopted (non-certified) management systems, internal audits are conducted to verify implementation and drive ongoing improvement efforts.

In terms of training and awareness, a structured onboarding program is in place for newly recruited staff and contractors, which includes Management Systems Awareness Training and briefings to ensure they are well-informed before commencing work. For existing employees, periodic refresher training is conducted to reinforce long-term knowledge retention and sustain a strong culture of continuous improvement and compliance.

In support of the Environmental Management System, the Group consistently sends its Environmental Competent Persons to external training and seminars to stay updated on the latest environmental developments.


Our Performance

Our dedication to environmental stewardship paid off, as most companies within the Group maintained zero environmental fines and penalties for FY2025. However, one company incurred a single fine due to non-compliance with labelling of scheduled waste.