Enterprise Risk Management and Internal Controls

JGSHI recognizes the increasing importance of sound risk management practices to drive business growth and sustainability. The Company acknowledges that viewing business risks and opportunities in the context of sustainable development is the way to remain responsive, relevant and successful. Aware of its volatile, uncertain, complex, and ambiguous (VUCA) business environment, the Company puts emphasis on critical, emerging, and systemic risks and drivers, including ESG risks and megatrends, to ensure that these are managed well and the interests of stakeholders are protected.

Risk Governance

The role of Enterprise Risk Management (ERM) is to oversee that a sound ERM framework is in place to effectively identify, monitor, assess and manage key business risks. The risk management framework shall guide the Board in identifying units or business lines, enterprise-level risk exposures, as well as the effectiveness of risk management strategies. The following structure represents the line of responsibility of key functions that ensure the effective management of all risks that are considered material to the Company.

The Board of Directors (BOD) assumes ultimate responsibility for the oversight of the Company’s ERM management policies and procedures. The BOD sets clear directions on the management of the most important risks and evaluates the overall effectiveness of the ERM process, both at the operating company level and the JGSHI level. The Board of Directors reviews Management reports with due diligence to enable the Company to anticipate, minimize, control and manage risks or possible threats to its operational and financial viability.

The Audit, Related Party Transactions and Risk Oversight Committee (AURROC) oversees the implementation of the ERM plan in accordance with the Board-approved policies and procedures, and it ensures the Board is fully informed on material risk exposures, mitigation actions, and residual risks.

The Chief Risk Officer (CRO) leads the Enterprise Risk Management process that will ensure a sound ERM framework is in place to effectively identify, monitor, assess and manage key business risks. The CRO spearheads the development, implementation, maintenance and continuous improvement of ERM processes and documentation, and communicates significant risk exposures, control issues, and risk management plans to the AURROC.

The Board appointed Brian M. Go as the Chief Finance and Risk Officer (CFRO) of the Company. Under the risk and controls function, the CFRO is the steward of risk management, specifically those that have financial impact and affect company value.

Brian M. Go, 49, was appointed as the CFRO of JGSHI on July 1, 2021. He is also a Board Director and Executive Committee member for Maxicare, Maxilife and Maxicare Health Services, the Managing Director of URC Equity Ventures Pte Ltd., as well as serving on the Investment Committee of JG Digital Equity Ventures (JGDEV), and a Senior Advisory Board member of Robinsons Bank Corporation. Brian started his career in New York City with Booz Allen Hamilton in 1996, in the Financial Services practice. He returned to Manila in 1998, working at DTPI (Digitel/Sun Cellular) in Corporate Planning, and as Managing Director of the Datacom business. He worked in China from 2003 to 2013, serving as Finance Director, then Chief Financial Officer of Ding Feng Real Estate (DFRE) group of companies. From 2007, he concurrently assumed the General Manager role for URC China, and was later appointed General Manager of URC Malaysia/Singapore. He was also the Vice President for URC’s International Trading Operations/Global Exports based in Singapore from 2019 to 2022. Brian graduated from Harvard University with a degree in BA Economics, Cum Laude, in 1996. He completed his Executive MBA with Kellogg-HKUST in 2007 and is a CFA charter holder.

The Risk Council supports the CRO by identifying key risk exposures in all areas, including those relating to Economic, Environmental, Social and Governance factors, and by defining risk management strategies. The Risk Council leads the development of risk mitigation plans and the monitoring of risks and of the effectiveness of response plans.

Risk Champions are functional or business unit heads responsible for setting and implementing controls to mitigate risks relevant to their respective departments or business units. They act as the ERM subject-matter experts on specific risk categories, collaborating with other risk champions to better understand risk interaction across the organization. They ensure the effective execution and continuous improvement of the ERM process in their respective areas of responsibility.

The Risk Owners are directly accountable and responsible for the identification and management of assigned risks. They work with risk champions to determine the best approaches to managing the risks. They evaluate the effectiveness of response, track and report residual risks, and recommend further risk treatment to the risk champion and the ERM Team.

Internal Audit provides independent assessments to the AURROC, Management and outside parties on the adequacy and effectiveness of governance, risk management, and control processes for the Company.

Risk Management Process

As a group, we employ a bottom-up approach involving each functional unit of our operating companies — Airline, Food Manufacturing, Real Estate, Bank, and Petrochemicals — to identify, assess, prioritize, and build risk responses. The top risks identified at the functional unit’s level are rolled up to the enterprise level of our operating companies, and then to the JG Group enterprise.

Risk Identification, Assessment, and Prioritization

Risk champions and owners conduct risk identification using different tools such as risk factor analysis, megatrends analysis, and systems dynamics analysis. This enables them to determine the factors that could prevent delivery of their unit’s business objectives. Identified risks are grouped into categories as follows:

Strategic Risk

Concerns events that could affect the outcome of strategic decisions, such as mergers and acquisitions, key investments, resource allocations, and new business ventures.

  • Capital allocation
  • Business performance
  • Investor sentiment

Reputational Risk

Refers to anything that could impact the company’s brand value, public perception, and stakeholder relationships.

  • Corporate image and third-party ratings
  • Misinformation
  • Unmet customer and community needs

Governance Risk

Pertains to risks related to implementation of and adherence to policies and procedures and ethical practices within the organization.

  • Compliance with company policies

Emerging Risk

Refers to new or developing risks that the company has little to no experience in, such as climate change, biodiversity loss, and pandemics.

  • Geopolitical tensions
  • Climate change risk

Operational Risk

Relates to factors that could potentially disrupt routine business activities or impair property, infrastructure, and security.

  • Geohazards
  • Supply chain disruptions
  • Safety and product quality
  • Equipment and process management
  • Gas emissions and solid waste management

IT and Digitalization Risk

Refers to the risk of business disruption which may be caused by hardware or software failure, cyberattacks, unauthorized access to company information, and the like, or lost opportunities associated with lack of innovation or investments in technology.

  • Cybersecurity

People Risk

Refers to factors and events that could compromise the wellbeing, productivity, and performance of our employees.

  • Talent recruitment and retention
  • Occupational health and safety

Financial Risk

Refers to matters that could affect the financial position or performance of the company such as credit, liquidity, and foreign currency risks.

  • Increases in interest rates
  • Higher commodity costs
  • Foreign exchange volatility

Legal and Compliance Risk

Includes risks related to compliance with rules and regulations, adaptation to changing political landscapes and new government pronouncements, as well as exposures that could arise from contractual obligations, anti-competition and monopolization concerns, and legal disputes against the company.

  • Potential legal disputes
  • Variability in law interpretation
  • Changing regulatory environment

For each risk category, we developed a risk assessment scale that defines what is considered insignificant, minor, moderate, major, or extreme impact to our business. Likewise, we set the likelihood parameters defining whether the chance of occurrence is rare, unlikely, probable, likely, or almost certain. Each operating company developed its own risk assessment scale depending on its context and risk appetite. In doing so, we made our risk rating process easier and more objective.

In assessing risks, we rated the severity of impacts of the risks based on their nature, regardless of our organization’s circumstances and capability to manage them. Those rated high and very high in severity were considered in the prioritization process.

Risks are prioritized based on our organization’s risk profile, vulnerability, and contribution to aggravating certain risks. The latter is particularly relevant to ESG risks, such as climate change impact, to which we also contribute. Furthermore, we consider the urgency of the risks, which is a factor of velocity, or how quickly we will feel the impact of the risks when they materialize, and mitigation timeframe, or the length of time that we need to manage these risks.

Risk Response, Monitoring, and Evaluation

We ensured that appropriate risk responses are in place for each priority risk, both at the level of the risk champions and risk owners and at the enterprise level of our operating companies. Risk responses have also been put in place at the JGSHI level, specifically those that are common to most of our businesses.

Risk champions are tasked to continually monitor and evaluate the effectiveness of the risk responses. Material residual risks are assessed properly for improvement of risk response and identification of recovery measures.

Given the dynamic nature of risks, the entire risk management process is iterated as separate and independent processes at the functional units of our operating companies and as a group-wide process.

Internal Controls

To further advocate the Company’s commitment to the pursuit of good governance and to achieving compliance with applicable laws and Company policies and procedures, the Company strengthens the Enterprise Governance, Risk Management and Compliance (GRC) Culture and maintains a strong system of internal controls focused on accountability and oversight of operations. With the leadership of the Company’s CFRO, internal control is embedded in the operations of the Company and in each Business Unit (BU) and Corporate Center Unit (CCU). To accomplish the established goals and objectives, the BUs and CCUs implement robust and efficient process controls to ensure:

  • Compliance with policies, procedures, laws and regulations
  • Economic and efficient use of resources
  • Check and balance and proper segregation of duties
  • Identification and remediation of control weaknesses
  • Reliability and integrity of information
  • Proper safeguarding of company resources and protection of company assets through early detection and prevention of fraud

Accountability and Audit

The Board ensures that its shareholders are provided with a balanced and comprehensible assessment of the Company’s performance, position and prospects on a quarterly basis. Interim and other reports that could adversely affect its business are also made available on the Company website, including its submissions and disclosures to the SEC and PSE.

The Board also appoints a Chief Audit Executive (“CAE”) upon the recommendation of the Audit Committee (now AURROC).

Rya Aissa S. Agustin, 42, is the Chief Audit Executive of JGSHI, appointed on July 1, 2021. Prior to her current role, she served as Director for Corporate Internal Audit. She has extensive experience in internal audit, compliance, risk management and finance in local and international sectors. Before joining JGSHI in 2020, she was the Compliance and Monitoring Head for National Grid Corporation of the Philippines. She started her audit practice in the Global Internal Audit group of Procter & Gamble handling several roles as Global Subject Matter Expert across various audit areas. She is a Certified Internal Auditor (“CIA”) and a Fellow, Life Management Institute, with Distinction (“FLMI”) which are globally recognized certifications for audit and financial services professionals. She graduated with a degree in BS Economics (Magna Cum Laude) from the University of the Philippines.

Internal Audit

The Internal Audit Group is focused on adhering to their purpose, mission and vision to be the trusted advisors of the Board and Management and be world-class internal audit professionals who deliver independent, objective, quality and agile audit services at benchmark value, enabled by innovative audit systems and technologies.

The activities of the Internal Audit Group are governed by an Internal Audit Charter which is approved and reviewed periodically by the AURROC. Under the charter, the Internal Audit adopts a risk-based audit approach and performs agile risk assessment to consider new and emerging risks. The Internal Audit Group provides independent and objective assurance, consulting and investigative services to assess and enhance the overall control environment encompassing the through Governance, Risk Management and Compliance (GRC) scale and synergies, with applicable laws and regulations.

To create competitive advantage through GRC scale and synergies, the Internal Audit continues to work closely with the internal audit teams of the different business units through benchmarking and sharing of knowledge, best practices and tools.

The Internal Audit Group provides continuing training and professional development programs to remain relevant and to keep up with the evolving business needs of the conglomerate.

Other Matters

External Auditor and their fees

| Name of Auditor | Audit and Audit-Related Fees | Yr. 2022 |
| --- | --- | --- |
| SyCip, Gorres, Velayo & Co. | Fees for services that are normally provided by the external auditor in connection with statutory and regulatory filings or engagements | P 4,780,000 |
| Total | | P 4,780,000 |

Company Website

The Company updates the public with operating and financial results through the timely disclosures filed with SEC and PSE. The company website is maintained to ensure investor-friendliness and the convenient access to information for all the shareholders and various stakeholders. The Company website contains comprehensive information about the Company’s business portfolios, disclosures and reports, corporate governance reports, manual and policies, press releases and an archive thereof, vision, mission, core values, investor relations program, sustainability and corporate social responsibility activities, among others. The Company ensures that all information included in the Company website is accurate, relevant and up-to-date.
