Enterprise Risk Management and Internals Controls
The Company recognizes the increasing importance of sound risk management practices to drive business growth and sustainability. The Company implemented systems and processes to facilitate proper risk identification, monitoring and control, which are key to effective corporate governance. Timely and accurate management and financial reporting systems, internal controls, and audits are also employed to protect and maximize stakeholders’ value.
The Board oversees Management’s adoption and implementation of a sound risk management framework for identifying, monitoring and managing key risk areas. The Board reviews the risk management framework annually to ensure its continued relevance and effectiveness.
Enterprise Risk Management (“ERM”)
The role of ERM is to ensure that a sound ERM framework is in place to effectively identify, monitor, assess and manage key business risks. The risk management framework shall guide the Board in identifying units/business lines and enterprise-level risk exposures, as well as the effectiveness of risk management strategies.
The following structure represents the line of responsibility of key functions that ensure the effective management of all risks that are considered material to the Company.
The Board of Directors (BOD) assumes ultimate responsibility for the oversight of the Company’s ERM policies and procedures. The BOD sets clear directions on the management of the most important risks and evaluates the overall effectiveness of the ERM process, both at the operating company level and the JGSHI level. The Board of Directors reviews Management reports with due diligence to enable the Company to anticipate, minimize, control and manage risks or possible threats to its operational and financial viability.
The Audit, Related Party Transactions and Risk Oversight Committee (AURROC) oversees the implementation of the ERM plan in accordance with the Board approved policies and procedures and it ensures the Board is fully informed on material risk exposures, mitigation actions, and residual risks.
The Chief Finance and Risk Officer (“CFRO”) leads the Enterprise Risk Management process that will ensure a sound ERM framework is in place to effectively identify, monitor, assess and manage key business risks. The CRO spearheads the development, implementation, maintenance and continuous improvement of ERM processes and documentations, and communicates significant risk exposures, control issues, and risk management plans to the AURROC. Under the risk and controls function, the CFRO is the steward of risk management, specifically those that have financial impact and affect company value.
Brian M. Go, 49, was appointed as the CFRO of JGSHI on July 1, 2021. He is also a Board Director and Executive Committee member for Maxicare, Maxilife and Maxicare Health Services, the Managing Director of URC Equity Ventures Pte Ltd., as well as serving on the Investment Committee of JG Digital Equity Ventures (“JGDEV”), and a Senior Advisory Board member of Robinsons Bank Corporation. Brian started his career in New York City with Booz Allen Hamilton in 1996, in the Financial Services practice. He returned to Manila in 1998, working at DTPI (Digitel/Sun Cellular) in Corporate Planning, and as Managing Director of the Datacom business. He worked in China from 2003 to 2013, serving as Finance Director, then Chief Financial Officer of Ding Feng Real Estate (DFRE) group of companies. From 2007, he concurrently assumed the General Manager role for URC China, and was later appointed General Manager of URC Malaysia/Singapore. He was also the Vice President for URC’s International Trading Operations/Global Exports based in Singapore from 2019 to 2022. Brian graduated from Harvard University with a degree in BA Economics, Cum Laude, in 1996. He completed his Executive MBA with Kellogg-HKUST in 2007 and is a CFA charter holder.
Risk Champions are functional or business unit heads responsible for setting and implementing controls to mitigate risks relevant to their respective departments or business units. They act as the ERM subject-matter experts on specific risk categories and collaborate with other risk champions to better understand risk interaction across the organization. They ensure the effective execution and continuous improvement of the ERM process in their respective areas of responsibility.
The Risk Owners are directly accountable and responsible for the identification and management of assigned risks. They work with risk champions to determine the best approaches to managing the risks. They evaluate the effectiveness of response, track and report residual risks, and recommend further risk treatment to the risk champion and the ERM Team.
Internal Audit provides independent assessments to the AURROC, Management and outside parties on the adequacy and effectiveness of governance, risk management, and control processes for the Company.
Risk Management Process
The Company acknowledges that viewing business risks and opportunities that includes the context of sustainable development challenges is the way to remain responsive, risk intelligent, relevant and successful. In 2021, JGSHI identified key risk owners and risks in each operating company and the Corporate Center Unit and provided them with the needed tools to conduct more comprehensive risk identification process, assessment, and prioritization. The Company engaged Business for Sustainability Development (BSD) to help facilitate this process and enhance the Company’s ERM system to better capture Sustainability risks, formulate mitigation and response, and improve risk disclosures.
The risk management process employs a bottoms-up approach. The top risks for each functional unit were rolled up to the enterprise level of each operating company and further elevated to the JGSHI level. The Group’s top risks and mitigation plans are regularly reported to the AURROC.
Every year, the Company discloses the top risks in its Annual Report.
Risk Identification, Assessment, and Prioritization
Risk champions and owners conduct risk identification using different tools such as risk factor analysis, megatrends analysis, and systems dynamics analysis. This enables them to determine the factors that could prevent delivery of their unit’s business objectives. Identified risks are grouped into categories as follows:
a. Strategic risk concerns events that could affect the outcome of strategic decisions, such as mergers and acquisitions, key investments, resource allocations, and new business ventures.
b. Reputational risk refers to anything that could impact the company’s brand value, public perception, and stakeholder relationships.
c. Governance risk pertains to risks related to implementation of and adherence to policies and procedures and ethical practices within the organization.
d. Emerging risk refers to new or developing risks that the company has little to no experience in, such as climate change, biodiversity loss, and pandemics.
e. Operational risk relates to factors that could potentially disrupt routine business activities or impair property, infrastructure, and security.
f. IT and Digitalization risk refers to the risk of business disruption which may be caused by hardware or software failure, cyberattacks, unauthorized access to company information, and the like, or lost opportunities associated with lack of innovation or investments in technology.
g. People risk refers to factors and events that could compromise the wellbeing, productivity, and performance of our workers.
h. Financial risk refers to matters that could affect the financial position or performance of the company such as credit, liquidity, and foreign currency risks.
i. Legal and Compliance risk includes risks related to compliance to rules and regulations, adaption to changing political landscapes and new government pronouncements, as well as exposures that could arise from contractual obligations, anti-competition and monopolization concerns, and legal disputes against the company.
For each risk category, an impact assessment scale is developed that defines what is considered insignificant, minor, moderate, major, or extreme impact to the business. Likewise, likelihood parameters are set defining whether the chance of occurrence is rare, unlikely, probable, likely, or almost certain. The risk assessment scale is developed in the operating unit’s business context and risk appetite.
In assessing risks, the severity of impacts of the risks is rated based on their nature, regardless of the organization’s circumstances and capability to manage them. Those rated high and very high in severity are considered in the prioritization process.
Risks are prioritized based on our organization’s risk profile, vulnerability, and contribution to aggravating certain risks. The latter is particularly relevant to ESG risks, like climate change impacts which the Company also contributes to. Furthermore, the Company also considers the urgency of the risks which is a factor of velocity or how quickly the impact of the risks is felt when they materialize, and the mitigation timeframe or the length of time needed to manage these risks.
Risk Response, Monitoring, and Evaluation
The Company ensures that appropriate risk responses are in place for each priority risk, both at the level of the risk champions and risk owners and at the enterprise level of the operating companies. Risk responses have also been put in place at the JGSHI level, specifically those that are common across the Group.
Given the dynamic nature of risks, the entire risk management process is iterated as separate and independent process at the functional units of the operating companies and as a group-wide process.
IT Risk Governance
JGSHI recognizes that Cybersecurity controls are an essential component of any organization's overall security posture. The Company follows well known Cybersecurity frameworks such as National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO). The Company adheres to the following principles and best practices on security controls:
- A layered approach to security controls is used to protect the organization's assets. This includes physical security measures, such as access controls and surveillance cameras, as well as technical controls, such as firewalls, intrusion detection systems, and endpoint protection software. The layered approach creates a more robust and effective security system.
- Regular testing and monitoring of security controls is conducted to ensure their effectiveness. This involves conducting penetration testing, vulnerability scanning, and other types of security assessments to identify weaknesses in the security system. Regular monitoring of security logs and alerts also helps detect potential security incidents before they become serious threats. This process allows the Company to identify and address weaknesses in the security system, thereby reducing the risk of a successful cyberattack or data breach.
Effective management and reporting of identified security risks require a proactive and collaborative approach across the organization. JG Summit Information Security Office (JGS ISO) regularly reviews and updates risk management practices to adapt to the evolving threat landscape and changes within the organization.
To effectively manage and report identified cyber security risks, JGS ISO adheres to the following best practices:
- Prioritize identified security risks based on their potential impact and likelihood of occurrence and focuses on addressing high-priority risks first to mitigate the most significant threats to the conglomerate.
- Develop and implement risk mitigation strategies for each identified risk. Determine appropriate controls, safeguards, and countermeasures to reduce the likelihood and impact of the risks. Align these strategies with industry best practices, regulatory requirements, and to the organization's risk appetite.
- Information Security Incident Response Plan that outlines the steps to be taken in the event of a security incident related to the identified risks. Define roles and responsibilities, communication channels, and escalation procedures. Regularly test and update the plan to ensure its effectiveness.
- A continuous monitoring program to detect and respond to security incidents and changes in risk levels. Monitor security controls, conduct vulnerability assessments, and analyze security logs and alerts. Proactively identify and address emerging risks and vulnerabilities.
- Establishment of a robust reporting mechanism to communicate identified security risks to relevant stakeholders. Prepare clear and concise risk reports that provide an overview of the risks, their potential impact, and the status of risk mitigation efforts.
- Define clear and relevant metrics and KPIs to measure the effectiveness of your risk management efforts. Track and report on these metrics regularly to assess the progress in mitigating identified risks. This helps in demonstrating the organization's commitment to security and provides insights for continuous improvement.
- Conduct periodic risk reviews to reassess identified risks, evaluate the effectiveness of risk mitigation strategies, and identify emerging risks. Incorporate feedback from security incidents, audits, and assessments into the risk management process. Use the findings to refine risk mitigation strategies and enhance security controls.
- Educate employees about the identified security risks, their potential impact, and their role in mitigating those risks. Provide regular training sessions and awareness programs to promote a culture of security within the organization. Encourage employees to report security incidents or potential risks promptly.