ESR AR 2019 EN
Risk Management

The Group strongly believes that risk management is central to the sustained growth of the organisation. A proactive and robust risk management programme aligned to strategy aims not only to protect but also to create value for ESR’s shareholders and investors. The Group acknowledges that risk management should not only be about reducing and minimising risks. It is also about seeking out and capitalising on opportunities through risk-informed and considered decision-making. Therefore, it is important that ESR continuously adopts a robust risk management framework that optimises the risk-reward relationship while ensuring risks are taken in a prudent, justified manner, well supported by facts and available information.

Risk Governance

The Board acknowledges that it has overall responsibility for the governance of risks and maintenance of a sound system of risk management and internal controls. With the support of the Audit Committee (AC), the Board oversees the design, implementation and monitoring of risk management within the Group. The Audit Committee comprises five Non-executive Directors (of whom three are Independent Non-executive Directors) and meets at least twice annually.

In establishing an organisation-wide risk governance structure, ESR adopts the ‘four lines of defence’ model. This governance model aims to drive risk accountability and ownership at all levels of the organisation, while maintaining the right level of commitment and segregation across stakeholder groups.
[Figure: Four Lines of Defence. 4th line: Board Oversight (Board). 3rd line: Independent Assurance (Internal/External Audit). 2nd line: Management and Assurance (ERM function, Compliance). 1st line: Business Governance/Policy Management (Operational Governance, Financial Governance, Policy Management). Also labelled: people, process, systems.]

1st Line of Defence: Business Governance/Policy Management

Business, process and risk owners constitute the first line of defence. Risk management is embedded in day-to-day routines and governed by procedures that can manage risks to an acceptable level for the achievement of the business objectives.

2nd Line of Defence: Management and Assurance

This line of defence comprises the risk management and governance related functions within the Group. The main role of these functions is to ensure that risk management and governance related frameworks are well defined and consistently applied across the organisation.

3rd Line of Defence: Independent Assurance

Functions in this line of defence primarily provide independent assurance over the effectiveness of risk management and internal controls.

4th Line of Defence: Board Oversight

The last line of defence against risks is the Board of Directors. The Board, supported by the AC, has overall responsibility for risk management, governance and assurance within the Group to safeguard the interests of the Company and its shareholders as a whole.