ESR AR 2019 EN

Risk Management Process

The Group adopts a four-step iterative risk management process aimed at identifying, assessing, managing and monitoring different types of risk.

• Identifying Risks

The risk identification process involves key stakeholders within the organisation, taking into account views from top Management, Department Heads as well as country representatives. The Group’s risk profile, including key risks and risk assessments performed, is refreshed annually, or more frequently if the business environment warrants. ESR’s risk universe is reviewed, refreshed and documented, including risks sub-categorised into strategic, financial, operational, compliance and technology.

In order to focus risk management efforts on key risks to the Group, a five-by-five risk consequence matrix is used as the primary tool to facilitate the prioritisation of risks. Risks are valued on the matrix based on likelihood of occurrence and magnitude of impact should the risks materialise. Parameters representing ESR’s risk appetite and tolerance are also established to guide the valuation of risks on the matrix.

This risk identification exercise is conducted to ensure the Group’s risk profile remains relevant to the business context and responds to changes in its business and external environment. The key risks of the Group will be identified and reviewed by top Management before they are drawn to the attention of the Board.

• Assessing and Managing Risks

In-depth risk assessments are performed for key risks faced by the Group. The risk assessments consider the potential drivers, likelihood of the risks occurring and consequences should they occur, as well as mitigating controls in place to manage them. Risk assessments are reviewed periodically to ensure continued relevance to the Group.

The Group has put in place various policies and procedures to mitigate key risks to an acceptable level based on the Board and Management’s risk appetite and tolerance. These policies and procedures aim to drive consistency in work processes and application of controls within operations. All policies and procedures are reviewed on a periodic basis to ensure they remain up-to-date. Key updates and revisions to policies and procedures must be approved by appropriate parties and communicated to all relevant parties.

• Monitoring and Reporting Risks

To ensure that risk management remains focused and effective, the Group has set in place mechanisms to monitor and report risks on a regular basis. Appointed risk owners are responsible for the continuous monitoring of their respective risks as delegated by top Management. Significant exceptions noted are highlighted to appropriate parties in a timely manner. On at least a half-yearly basis, key updates on risks and controls are presented to the Board, AC and Management for discussions and review.

[Figure: ERM Process, an iterative and continuous 4-step process: Identify, Assess, Manage, Monitor & Report]

55 ESR Annual Report 2019 RISK MANAGEMENT
