ESR Group AR2022 eBook EN

Risk Management

RISK MANAGEMENT PROCESS

The Group adopts a four-step iterative risk management process aimed at identifying, assessing, managing, monitoring & reporting different types of risk.

[Figure: ERM Process. The ERM Process is a standard, iterative, and continuous 4-step process.]
1. IDENTIFY & PRIORITISE: How do we identify and prioritise risks?
2. ASSESS: What are the key causes & consequences of the risks?
3. MANAGE: What are the internal controls or mitigation measures in place to manage the risks?
4. MONITOR & REPORT: How do we monitor the risks and who do we report them to?

• Risk Identification

The Company adopts an integrated top-down and bottom-up risk review process to enable comprehensive identification and prioritisation of key risks throughout the Group. Key stakeholders within the organisation will come together to discuss the top-tier risks and examine any other risk issues and emerging risks that they consider important. This ensures a risk approach that is aligned with the Group’s business objectives and strategies, and which is also integrated with operational processes for effectiveness and accountability.

The risk identification process includes the establishment of risk context, identification of risk factors, analysis and evaluation of risk levels and their related likelihood and impact on the business performance of the Group. The Group’s risk profile, including key risks, is reviewed and refreshed annually, or more frequently when the business environment warrants. The information is maintained and documented in a risk register, with risks sub-categorised into strategic, financial, operational, compliance and technology. Within the category of operational risk, the Group also considers climate-related risks which are relevant to our business.

A 5-by-5 risk matrix is used as the primary tool to facilitate the prioritisation of risks based on likelihood and impact.
Risks are valued on the matrix based on the likelihood of occurrence and magnitude of impact should the risks materialise. The magnitude of impact includes consideration of financial, regulatory, reputational, operational and environmental effects. Parameters representing ESR’s risk appetite and tolerance are also established to guide the evaluation of risks on the matrix. This risk identification exercise monitors any risk changes and trends as well as the effectiveness of the related control mechanisms and/or control activities within the overall risk profile.

The Group Risk Management department works closely with the risk owners to identify key risks, assess their likelihood and impact on the Group’s business, and establish corresponding mitigating controls to manage these risks. The Group has also developed internal key risk indicators that serve as an early-warning system to highlight risks that have escalated beyond the agreed tolerance levels. In addition, Management has established required follow-up actions to be taken when risk thresholds are breached. The key risks and key risk indicators are reviewed by Management and the Audit Committee before they are drawn to the attention of the Board.
