Enterprise Risk Management


Section 2.2.1.3.2. of the Company’s Manual on Corporate Governance, adopted on May 10, 2017, contains the Company’s policy on Enterprise Risk Management. The Board of Directors of the Company shall oversee that a sound enterprise risk management ("ERM") framework is in place to effectively identify, monitor, assess and manage key business risks, which will guide the Board in identifying units/business lines and enterprise-level risk exposures, as well as the effectiveness of risk management strategies.

Risk management policies are established to identify and analyze the risks faced by the Company, to set appropriate risk limits and controls, and to monitor risks and adherence to limits. Risk management policies, processes, and practices are continuously reviewed to reflect changes in the Company’s activities and market conditions. The Company, through its training and management standards and procedures, aims to develop a disciplined and constructive control environment in which all employees understand their roles and obligations.

Risk management functions are performed at the management committee level of each operating subsidiary of the Company. Managers and those responsible for risk reporting are tasked to ensure compliance with all operational and financial controls within their areas of responsibility and to implement internal controls as part of the total system to achieve the goals of the Company. Managers conduct regular evaluation of existing policies, systems and procedures to ensure that these remain relevant and effective to the current operating environment. Management also gives prompt and cooperative consideration to the recommended improvement measures made by independent internal or external audit groups.

In 2017, the Company’s Board of Directors reorganized the Audit Committee to become the Audit and Risk Oversight Committee, with the additional function of being responsible for the oversight of the Company's enterprise risk management (ERM) system to ensure its functionality and effectiveness. In addition, the Audit and Risk Oversight Committee is assisted in its oversight role by the Group Internal Audit, which oversees the internal audit functions of the Company’s subsidiaries. The respective Internal Audit Groups of the Company’s subsidiaries undertake both regular and ad hoc reviews of the risk management controls and procedures of these subsidiaries, the results of which are reported to the Audit and Risk Oversight Committee.

The ERM functions of the Board of Directors are exercised by the Audit and Risk Oversight Committee, whose charter was adopted on August 10, 2017, and whose functions include the identification, assessment and monitoring of key risk exposures, corresponding to its size, risk profile and complexity of operations. These are as follows:

  1. Defining a risk management strategy;
  2. Identifying and analyzing key risk exposures relating to economic, environmental, social and governance factors and the achievement of the organization's strategic objectives;
  3. Evaluating and categorizing each identified risk using the Corporation's predefined risk categories and parameters;
  4. Establishing a risk register with clearly defined, prioritized and residual risks;
  5. Developing a risk mitigation plan for the most important risks to the Corporation, as defined by the risk management strategy;
  6. Communicating and reporting significant risk exposures including business risks (i.e., strategic, compliance, operational, financial and reputational risks), control issues and risk mitigation plan to the Board Risk Oversight Committee; and
  7. Monitoring and evaluating the effectiveness of the organization's risk management processes.

The Audit and Risk Oversight Committee Charter provides that the development of a formal ERM plan should contain the following elements:

  1. common language or register of risks;
  2. well-defined risk management goals, objectives and oversight;
  3. uniform processes of assessing risks and developing strategies to manage prioritized risks;
  4. designing and implementing risk management strategies; and
  5. continuing assessments to improve risk strategies, processes and measures.

The Audit and Risk Oversight Committee is also tasked to:

  1. oversee the implementation of the ERM plan, conduct regular discussions on the Corporation’s prioritized and residual risk exposures based on regular risk management reports, and assess how the concerned units or offices are addressing and managing these risks; and
  2. evaluate the risk management plan to ensure its continued relevance, comprehensiveness and effectiveness, revisit defined risk management strategies, look for emerging or changing material exposures, and stay abreast of significant developments that seriously impact the likelihood of harm or loss.