Enterprise Risk Management
The Company recognizes the increasing importance of sound risk management practices to drive business growth and sustainability. The Company implemented systems and processes to facilitate proper risk identification, monitoring and control, which are key to effective corporate governance. Timely and accurate management and financial reporting systems, internal controls, and audits are also employed to protect and maximize stakeholders’ value.
The Board oversees Management’s adoption and implementation of a sound risk management framework for identifying, monitoring and managing key risk areas. The Board of Directors reviews Management reports with due diligence to enable the company to anticipate, minimize, control and manage risks or possible threats to its operational and financial viability.
Enterprise Risk Management
Through a sound Enterprise Risk Management (ERM) framework, the Company effectively identifies, monitors, assesses and manages key business risks. The framework guides the Board in identifying units/business lines and enterprise level risk exposures, as well as the effectiveness of risk management strategies.
The ERM framework revolves around the following eight interrelated risk management approaches:
- Internal Environmental Scanning - it involves the review of the overall prevailing risk profile of the Business Unit (BU) to determine how risks are viewed and addressed by the management. This is presented during the strategic planning, annual budgeting and mid-year performance reviews of the BU.
- Objective Setting - the Company’s Board mandates Management to set the overall annual targets through strategic planning activities, in order to ensure that management has a process in place to set objectives that are aligned with the Company’s goals.
- Event Identification – it identifies both internal and external events affecting the Group’s set targets, distinguishing between risks and opportunities.
- Risk Assessment - the identified risks are analyzed relative to the probability and severity of potential loss that serves as basis for determining how the risks will be managed. The risks are further assessed as to which risks are controllable and uncontrollable, risks that require management’s action or monitoring, and risks that may materially weaken the Company’s earnings and capital.
- Risk Response - the Company’s Board, through the oversight role of the Internal Control Group ensures action plan is executed to mitigate risks, either to avoid, self-insure, reduce, transfer or share risk.
- Control Activities - policies and procedures are established and approved by the Company’s Board and implemented to ensure that the risk responses are effectively carried out enterprise-wide.
- Information and Communication - relevant risk management information is identified, captured and communicated in form and substance that enable all personnel to perform their risk management roles.
- Monitoring - the Internal Control Group of the respective Company and BUs as well as Corporate Internal Audit constantly monitor the management of risks through audit reviews, compliance checks, revalidation of risk strategies and performance reviews.
Risk Assessment Tool
To help the Company in the Risk Assessment Process, the Risk Assessment Tool, which is a database driven web application, was developed for departments and units to facilitate the assessment, monitoring and management of risks.
The Risk Assessment Tool documents the following activities:
Risk Identification – is the critical step of the risk management process. The objective of risk identification is the early identification of events that may have negative impact on the Company’s ability to achieve its goals and objectives.
- Risk Indicator – is a potential event or action that may prevent the continuity of operation or business
- Risk Driver – is an event or action that triggers the risk to materiapze
- Value Creation Opportunities – is the positive benefit of addressing or managing the risk
- Identification of Existing Control Measures – activities, actions or measures already in place to control, prevent or manage the risk.
Risk Rating/Score – is the quantification of the likelihood and impact to the Company if the risk materializes. The rating has two (2) components:
- Probability – the likelihood of occurrence of risk
- Severity – the magnitude of the consequence of risk
- Risk Management Strategy – is the structured and coherent approach to managing the identified risk.
- Risk Mitigation Action Plan – is the overall approach to reduce the risk impact severity and/or probability of occurrence.
Results of the Risk Assessment Process is summarized in a Dashboard that highlights the risks that require urgent actions and mitigation plan. The dashboard helps Management to monitor, manage and decide a risk strategy and needed action plan.
With the leadership of the Company’s Chief Financial Officer (CFO), internal control is embedded in the operations of the company and in each Corporate Center Unit (CCU), thus increasingtheir accountability and ownership in the execution of the CCU’s internal control framework. To accomplish the established goals and objectives, CCU’s implement robust and efficient process controls to ensure:
- Compliance with policies, procedures, laws and regulations
- Economic and efficient use of resources
- Check and balance and proper segregation of duties
- Identification and remediation control weaknesses
- Reliability and integrity of information
- Proper safeguarding of company resources and protection of company assets through early detection and prevention of fraud.