Enterprise Risk Management
JG Summit recognizes that robust risk management is instrumental to building resilience and ensuring sustainable growth in an increasingly complex and volatile business environment. Following the principles of the COSO ERM framework, we promote integrated risk governance to foster a strong risk-aware culture and adopt a proactive, forward-looking approach to risk management. We have also integrated sustainability and climate-related risks and opportunities into the Company’s ERM framework, aligning our risk strategies with long-term ESG considerations to ensure a holistic approach in addressing key business risks.
In 2025, JG Summit convened its annual risk conference, bringing together risk heads and functional leaders from across the Group to tackle pressing and emerging risks. In the same forum, the participants deepened their understanding of risk leadership in building a resilient organization with insights shared by Mr. Anton Periquet, JG Summit and URC Independent Director, and Ms. Rizalina Mantaring, URC Independent Director and Head of Board Risk Oversight Committee. Market trends and evolving policies on climate transition were also presented to enable risk leaders to assess how these developments affect our various industries.

Independent Directors, Ms. Rizalina Mantaring and Mr. Anton Periquet, share insights on risk leadership, reform, and organizational resilience during the Group’s Annual Risk Conference

Risk Leaders participate in a megatrends workshop to evaluate emerging risks and drive future-ready strategies.
Risk Governance
Effective risk governance is fundamental to the Company’s ERM framework, ensuring a structured approach to identifying and managing key business risks. The governance structure provides clear lines of responsibility and accountability, guiding the Board and Management in overseeing risk exposures at both the business unit and enterprise levels. This includes the governance of sustainability-related and climate-related risks, reinforcing the Company’s commitment to integrating these important risks into its overall risk management approach.

- The Board of Directors (BOD) provides oversight to JGSHI’s risk management practices and sets guidelines for managing critical risks.
- The Audit, RPT, and Risk Oversight Committee (AURROC) supports the BOD by monitoring the implementation of and assessing the effectiveness of the ERM framework.
- The Chief Executive Officer (CEO) holds ultimate accountability for the overall risk management approach of the Company, ensuring that risk considerations are embedded in strategic decision-making and operations.
- The Chief Risk Officer (CRO) leads the development and implementation of the ERM framework and processes and is responsible for reporting risk exposures and mitigation efforts to Senior Management and AURROC.
- The Risk Council, composed of JGSHI functional heads, supports the CRO in identifying and addressing significant risk exposures and in overseeing the Company’s risk management strategies. Additionally, SBU CROs participate in Risk Council meetings to provide insights into the key risks affecting their respective business units and to support efforts to achieve a well-aligned, cohesive risk management approach across the Group.
- Risk Owners are accountable for the identification and management of risks in their assigned areas of responsibility and for communicating risk status and progress to the relevant stakeholders.
- Risk Custodians support Risk Owners in monitoring, analyzing, and reporting on risk status, trends, and the progress of mitigation initiatives.
- The ERM Team supports the CRO in the development, continuous improvement, and effective implementation of the ERM framework and methodologies across the organization.
- The Internal Control Team ensures that robust control mechanisms are in place to mitigate risks effectively, conducts periodic evaluations on the adequacy and effectiveness of controls, and communicates significant control weaknesses or breaches to Management and AURROC.
- The Internal Audit Team provides independent assurance to Management and AURROC on the adequacy and effectiveness of the Company's risk management and internal control processes.
Risk Management Process
At the parent level, the Company provides guidance on the ERM framework to promote alignment in the risk management approach across the Group. It also fosters group-wide sharing of best practices and ERM learning initiatives. Each SBU establishes its own risk governance structure and processes to address the unique risks of its operations, according to its business environment, risk profile, and strategic and operational goals.
Risk Identification, Assessment, and Prioritization
Risks are identified using different tools such as risk factor analysis, megatrends analysis, and systems dynamics analysis. Identified risks are categorized, and their potential impact is evaluated based on the risk assessment scale we developed for various impact areas. Likewise, we set the likelihood parameters to define the probability of each risk. Each operating company develops its own risk assessment scale according to its context and risk appetite.
Highly rated risks are subjected to further evaluation for prioritization, considering the organization’s overall risk profile, level of vulnerability, and contribution to amplifying certain risks. We also consider the urgency of the risks, which depends on the velocity, or how quickly we will feel the impact of the risks when they materialize, and the mitigation timeframe, or the length of time needed to manage these risks.
Strategic Risk
Concerns events that could affect the outcome of strategic decisions, such as mergers and acquisitions, key investments, resource allocations, and new business ventures.
Reputational Risk
Refers to anything that could impact the Company’s brand value, public perception and stakeholder relationships.
Governance Risk
Risks related to implementation of and adherence to policies and procedures and ethical practices within the organization.
Emerging Risk
Refers to new or developing risks that the Company has little to no experience in.
Climate Risk
Potential physical risks that may arise from climatic events or business risks arising from regulatory efforts or changing stakeholder expectations associated with the shift towards a carbon-neutral economy.
Operational Risk
Relates to factors that could disrupt routine business activities or impair property, infrastructure, and security.
IT and Digitalization Risk
Risk of business disruption caused by hardware or software failure, cyberattacks, unauthorized access to company information, and the like, or lost opportunities associated with lack of innovation or investments in technology.
People Risk
Refers to factors and events that could compromise the wellbeing, productivity, and performance of our employees.
Financial Risk
Refers to matters that could affect the financial position or performance of the Company such as credit, liquidity and foreign currency risks.
Legal and Compliance Risk
Refers to risks arising from non-compliance with applicable laws, rules, and regulations, including new or amended government issuances, as well as exposures related to contractual obligations, anti-competition and anti-monopolization concerns, and potential legal disputes involving the Company.
Risk Response, Monitoring, and Reporting
For each priority risk, we develop appropriate risk responses that align with the Company's risk appetite and overall risk management strategy. At the enterprise level, we implement responses for risks that are common across the Group, fostering a cohesive and integrated approach to risk management.
Risk Owners are tasked to continually monitor and evaluate the effectiveness of the risk responses. Material residual risks are regularly assessed to improve risk responses and identify recovery measures. Given the dynamic nature of risks, risk management is an iterative process at the functional units of our operating companies and at the Group level. The risk management framework is presented to the AURROC for review on a regular basis, and the key risks are updated and reported annually.
Building on our overarching ERM framework, the following outlines the risk management process adopted and applied to sustainability- and climate-related matters:
| Sustainability and Climate Risk and Opportunity Management Framework | |
|---|---|
| Identification | Determine Relevant Sustainability and Climate Risks and Opportunities: Consider the following references in ‘identifying’: |
| Assessment | |
| Prioritization | |
| Response and Monitoring | |
| Reporting | External sustainability and climate risk disclosures follow the Group’s ERM reporting processes and undergo review by AURROC and GNRSC. |
Risk Appetite
JG Summit’s risk appetite framework articulates the level and types of risk the Group is willing to accept in pursuit of its strategic objectives. In defining risk appetite statements across major risk categories, we are guided by the following core principles:
- On capital and financial management: long-term shareholder value creation and financial resilience
- On strategy and portfolio management: disciplined approach to business decisions and consistency with strategic priorities
- On people, leadership, and culture: ethical leadership and long-term organizational stability
- On digital transformation: robust cybersecurity, regulatory compliance, and effective internal controls
- On reputation and stakeholder management: ethical business conduct, social responsibility, and upholding stakeholder trust
These principles guide us as we pursue prudent risk-taking in areas that support growth and innovation, while maintaining a conservative stance in areas that could materially impair financial stability, compliance, or corporate reputation.
Top Risks
At least once a year, members of the Risk Council convene to deliberate on developments in JG Summit’s business environment, emerging risks, and shifts in the overall risk profile. This structured dialogue enables a forward-looking assessment of material exposures and ensures calibration of risk ratings relative to our risk appetite. The outcome of this process serves as the basis for JG Summit’s top risks for the year.
| Risk | Category | Rank 2025 | Rank 2024 | Change |
|---|---|---|---|---|
| Cybersecurity | IT and Digitalization | 1 | 1 | - |
| Interest rate / Forex risk | Financial | 2 | 3 | ▲ 1 |
| Material cost and availability | Operational | 3 | 8 | ▲ 5 |
| Product safety and quality | Operational | 4 | 7 | ▲ 3 |
| New business risk | Strategic | 5 | - | New |
| Funding / Liquidity risk | Financial | 6 | - | New |
| Business continuity risk | Operational | 7 | - | New |
| IT vendor / third-party risk | IT and Digitalization | 8 | - | New |
| Geopolitical tensions | Emerging | 9 | 10 | ▲ 1 |
| Regulatory changes | Legal and Compliance | 10 | 4 | ▼ 6 |
Despite ongoing improvements to our risk mitigation and control environment, cybersecurity remains the most critical and evolving risk, amplified by the Group’s accelerating digitalization and growing exposure to sophisticated and rapidly advancing threats. Interest rate and foreign exchange risk also remain prominent amid growing market uncertainty. We also consider material cost and availability to be one of the most impactful risks to the Group as a consequence of increasing volatility in global trade and geopolitical tensions that intensified cost pressure and input constraints.
1. Cybersecurity
Loss of confidentiality, integrity, or availability of information, data, or information systems resulting from a cyber attack or data breach.
Implications
- Loss of credibility and erosion of brand value
- Loss of critical information
- Operational disruptions
- Sanctions and fines
Risk Drivers
- Increasing cyber threats in frequency and sophistication
- Vulnerabilities of vendors and third-party service providers
- Lack of employee awareness and human error
- Inadequate incident response plans
Mitigation
- Robust vulnerability management, assessment, and testing
- Enhanced identity and access management
- Use of data encryption solutions
- Regular back-up of critical data and disaster recovery testing
- Due diligence on outsourced partners
- Regular information security compliance audits
- Continuous monitoring and threat scanning
- Employee awareness programs
2. Interest Rate / Forex risk
Volatility in the group’s financial performance due to unpredictability of interest rates and/or forex rates.
Implications
- Forex losses on foreign-denominated debts and transactions
- Increased debt service cost
- Reduced margins on imported raw materials
Risk Drivers
- Central bank monetary policy changes
- Excessive debt burden, unfavorable mix of interest rate structures and maturities
- Forex fluctuation, depreciation of local currency
- Market volatility due to geopolitical events
Mitigation
- Borrowing in local currency to avoid forex risk on debt
- Investments in less risky fixed-income instruments
- Preparation of sensitivity analysis and regular reporting of exposure and potential impact to bottom line
- Constant monitoring of macro factor movements
- Regular monitoring of investment portfolio and communication with Investment Committee
3. Material Cost and Availability
Volatility in material costs and disruptions in the availability of critical inputs adversely affecting operational efficiency, project delivery, profitability, and business continuity.
Implications
- Operational disruptions and reduced efficiency
- Higher working capital requirement and margin crunch
- Project delays and inability to meet customer demands
- Exposure to quality risks and reputational risks
Risk Drivers
- Geopolitical tensions, natural disasters, or transportation issues affecting global commodity prices and supply
- Inflationary pressures, currency fluctuations
- Long lead times for specialized materials
- Dependence on single source or geographically concentrated suppliers
Mitigation
- Supplier diversification and expansion of supplier network
- Supplier performance management and contract life cycle management
- Material price hedging and forward contracting
- Production/construction efficiency improvement
- Use of alternative energy source and energy-efficient design to counter high energy costs
Risk Categories
Beyond the top risks, we recognize the broader risk landscape that could affect different aspects of our business. The following outlines our approach to managing risks under each risk category.
Strategic Risk
Our strategic risk covers areas of capital allocation, business performance, and competition. This relates to how our long-term portfolio investment decisions may yield lower-than-expected returns. Additionally, unfavorable industry trends, market volatilities, and geopolitical uncertainties can affect enterprise value and market capitalization. These factors may also create an unfavorable perception of our value creation efforts and limit our growth prospects.
To manage these risks, we conduct in-depth sector analysis aligned with customer trends, integrate risk management into our strategic planning process, regularly review capital allocation decisions, and assess their impact on our risk-return profile. We also ensure that we effectively communicate our business performance and sustainability initiatives to key stakeholders.
Reputational Risk
Our reputational risk pertains to how public sentiment, alongside third-party ratings and views, affects our corporate image and brands. Misinformation about JG Summit and its subsidiaries, as well as unfavorable public opinion, could impact the Company’s social license to operate. Furthermore, unresolved customer complaints—especially when amplified through digital platforms—can shape wider customer perceptions of our product and service quality. Issues related to product safety, customer privacy, and advertising, if left unaddressed, may lead to declining customer satisfaction, sales, and market share.
We actively monitor mainstream and social media, track our market positioning, and manage external reputation risks. We follow established protocols for obtaining a social license to operate, recognizing that strong public and community engagement is essential to our long-term success. Failing to properly address stakeholder concerns could lead to opposition that negatively affects our operations.
Governance Risk
Our governance risk relates to compliance with company policies, ethical business practices, and adequate top management oversight. Unintended or intentional breaches of policies and ethical standards may lead to operational inefficiencies, significant financial losses, loss of stakeholder trust, and reputational damage. Weak governance structures could also compromise our ability to equitably distribute economic value to the right stakeholders.
To mitigate these risks, we continuously strengthen our internal processes and controls through capability-building initiatives, self-assessment tools, and effective risk management methodologies. We reinforce good corporate governance by conducting regular training on the Code of Business Conduct and Ethics, and fostering a culture of transparency and accountability across all levels of the organization. Additionally, we have strict anti-bribery and anti-corruption policies in place that prohibit corrupt practices, and a whistleblowing mechanism that allows stakeholders to report any suspected corruption or ethical misconduct.
Emerging Risk
We recognize that geopolitical tensions continue to pose significant and evolving risks that may materially affect our business environment and strategic outlook. Heightened global uncertainty, including instability in the Middle East, the ongoing Russia-Ukraine conflict, persistent US-China trade frictions, and territorial disputes in the West Philippine Sea, has contributed to volatility in energy markets, supply chains, foreign exchange rates, and investor sentiment.
These dynamics may lead to disruptions in trade flows, rising fuel and commodity prices, regulatory shifts, and constraints in the movement of goods and capital, potentially affecting operational stability, cost structures, and growth prospects across the Group’s portfolio. Given the interconnected nature of global markets, localized conflicts may have broader second-order impacts on financing conditions, inflation, and cross-border transactions.
To manage these exposures, we actively monitor geopolitical developments and incorporate structured geopolitical risk assessments into strategic planning, capital allocation decisions, and market evaluations. We also strengthen business continuity and supply chain resilience measures at the SBU level, ensuring scenario planning, contingency protocols, and proactive risk mitigation strategies are in place to enhance the Group’s preparedness amid an increasingly uncertain global landscape.
Climate Risk
JG Summit recognizes the significance of climate-related risks. A company’s inability to mitigate or address the impact of extreme weather events could result in damage to facilities, obsolescence or loss of assets, disruptions in its supply chain and operations, and the endangerment of people and the ecosystem. Enhancing infrastructure resilience against extreme weather events and adapting to changing conditions could require significant financial and capital investments. Regulatory changes related to climate change, such as carbon pricing, emissions caps, and extended producer responsibility, may also affect the company’s operations and financial results due to escalating compliance costs.
To address these risks, we have encouraged the SBUs to conduct vulnerability assessments of critical facilities and implement risk management measures across operations and supply chains. Furthermore, we enabled the SBUs to assess and prioritize climate-related regulatory and market risks, and conduct scenario analyses to anticipate potential impacts. We are monitoring evolving carbon policies and sustainability regulations to ensure that the Group will be prepared to navigate compliance challenges while exploring opportunities for efficiencies and savings.
For a more comprehensive discussion of our approach to managing climate risks, please refer to Sustainability and Climate Risk Management in our 2025 Sustainability Report.
Operational Risk
Material costs and availability present significant operational, financial, and strategic implications, as fluctuating commodity prices, rising input costs, and material shortages can significantly impact production efficiency, profitability, and overall business continuity. Supply chain disruptions, whether driven by geopolitical factors, economic conditions, or logistical constraints, may further amplify these risks by limiting access to critical raw materials. To address these potential vulnerabilities, we diversify our sourcing strategies and maintain strong supplier accreditation processes to ensure a stable and sustainable supply of quality inputs.
Product and service quality remain equally critical to operational integrity. Any lapse may result in customer dissatisfaction, regulatory sanctions, reputational damage, and financial loss. Operational reliability and efficiency are closely linked, as equipment failures, system disruptions, or process inefficiencies can compromise product integrity and service delivery. To mitigate these risks, we enforce stringent quality controls, adhere to safety regulations, and invest in preventive maintenance and continuous process improvements to enhance operational resilience.
Business continuity risk is also a key focus area, particularly in light of increasing operational interdependencies and exposure to external disruptions. Natural hazards, infrastructure constraints, and other unforeseen events may affect physical assets, personnel, and service delivery. We regularly assess site and operational vulnerabilities, maintain and test business continuity and disaster recovery plans, and ensure appropriate insurance coverage to mitigate potential financial impacts and support timely recovery from disruptions.
Beyond immediate operational considerations, we also recognize the long-term implications of resource consumption and environmental impact. In addition to reducing greenhouse gas emissions, we are taking steps to address potential material scarcity by reducing reliance on nonrenewable resources and adopting sustainable sourcing practices. We actively manage risks related to air emissions, pollutants, and solid waste through improved combustion efficiency, the use of lower-emission fuels, structured waste management programs, recycling initiatives, and product design enhancements aimed at minimizing waste. Regular monitoring and maintenance further help prevent leakages and mitigate potential impacts on human health, the environment, and surrounding communities.
IT and Digitalization Risk
Cybersecurity risk remains the most relevant IT and digitalization risk for the Group. The consequences of this risk include loss of information, disruptions to business operations, increased costs for added security or disaster recovery, and potential loss of credibility and damage to brand and company image. This risk could also lead to significant regulatory violations. Data breaches could compromise the Company’s sensitive or confidential information and even jeopardize individuals’ privacy and protection in the event of personal data leaks. We are actively mitigating this risk by strengthening our security posture with pragmatic, holistic solutions to proactively identify, protect, detect, respond, and recover, as well as to improve our system and data access controls. Critical data is regularly backed up, and its integrity is verified through periodic disaster recovery testing to ensure recoverability in the event of a cyber incident or system disruption. Actual cybersecurity incidents and their impacts are investigated, resolved, and reported to the business unit management and the Data Privacy Officer in case of data security breaches.
In addition to cybersecurity, JG Summit faces risks arising from its increasing reliance on third-party providers of IT products and services. Dependencies on external vendors for critical systems, cloud infrastructure, and specialized digital solutions expose the Group to potential service disruptions, data security incidents, compliance gaps, and operational delays originating outside our direct control. Broader digital ecosystem partnerships may further expand our exposure through interconnected platforms and shared data environments. To manage these risks, we implement structured vendor due diligence, contractual safeguards, performance monitoring, and cybersecurity assessments to strengthen oversight and resilience across our extended technology landscape.
The accelerated adoption of artificial intelligence also introduces governance and security risks. Uncoordinated or undocumented use of AI solutions may expose the Group to data privacy breaches, intellectual property risks, regulatory noncompliance, and inconsistent application of ethical standards. In response, we established an AI and Data Governance Council to provide structured oversight, and we are formalizing data and AI policies to guide responsible use. We are strengthening governance over AI tools through centralized standards, inventory management, and security validation processes to promote safe reapplication, transparency, and alignment with enterprise risk management principles.
People Risk
On people risk, talent development and retention remain crucial in the face of intense competition for key talents, especially for those within the information technology and digital space. High attrition could result in business disruptions, compromised service quality, and increased cost of talent acquisition and training. We continually upgrade our talent acquisition strategies, conduct wage and benefits benchmarking, and leverage data insights and advanced analytics to develop HR programs that support employees’ professional growth and development to address these risks.
The Company values a diverse workforce, recognizing that different perspectives drive innovation and enhance our ability to serve a broad range of stakeholders. A culture of inclusivity strengthens our talent pipeline and helps unlock opportunities in untapped markets. We also foster a safe, open environment where employees can communicate their concerns to management. Maintaining constructive labor relations is essential to reaching mutually beneficial agreements and minimizing the risk of disputes that could escalate into unrest and operational disruptions.
We continue to highlight the importance of health and safety, not just in the workplace but everywhere else. We strive to ensure that employees are healthy and safe because we understand the consequences to life and property if this is not addressed properly. Noncompliance with health and safety standards and regulations could also result in penalties from regulators, suspension of operations, attrition, and damage to the Company's reputation.
Financial Risk
Our key financial risks are primarily related to changes in market variables and liquidity. In recent years, we have experienced fluctuations in interest rates, commodity prices, and foreign exchange rates, which have significantly impacted our Group’s financials. This includes margin compression due to higher input costs, higher cost of debt, and lower returns from financial investments.
We maintain a well-diversified mix of foreign-denominated financial assets and local-currency borrowings, utilizing risk-appropriate instruments to hedge against foreign exchange volatility. Furthermore, we conduct rigorous, periodic cash requirement analysis to optimize our debt portfolio and proactively manage financial obligations. Additionally, we continue to strengthen our onshore and offshore banking relationships to enhance our financial flexibility, allowing us to effectively manage liquidity needs.
Legal and Compliance Risk
Regulatory changes pose a significant risk to the Company, as failure to comply with evolving laws and industry standards could lead to legal penalties, fines, and reputational damage. Noncompliance with regulations, including those related to tax laws, product safety, environmental protection, data privacy, and corporate governance, may lead to financial liabilities, operational disruptions, and erosion of stakeholder trust.
Given the Group’s operations across various industries and jurisdictions, it is critical to establish strong controls that minimize noncompliance risks and ensure adherence to diverse regulatory requirements. To mitigate these risks, we closely monitor legislative developments, including key policies related to the transition to low-carbon operations and climate resilience. We are also committed to strict adherence to data privacy laws, recognizing the potential legal and reputational consequences of noncompliance. To ensure compliance, we conduct extensive employee training on data protection, regularly review contracts and policies, and assess corporate activities for regulatory alignment.
Our in-house legal experts work proactively with business units to assess regulatory impacts, implement necessary legal safeguards, and ensure adherence to compliance requirements. When needed, we engage third-party consultants to strengthen our legal position and provide specialized expertise. Additionally, we actively engage with regulators, industry bodies, and other stakeholders to stay ahead of regulatory developments and advocate for fair and balanced policies.

