ESR AR 2021 (EN)

RISK MANAGEMENT PROCESS

The Group adopts a four-step iterative risk management process aimed at identifying, assessing, managing, monitoring & reporting different types of risk.

[Figure: ERM Process, an iterative and continuous 4-step process: Identify, Assess, Manage, Monitor & Report]

• Risk Identification

The Company adopts an integrated top-down and bottom-up risk review process to enable comprehensive identification and prioritisation of key risks throughout the Group. Key stakeholders within the organisation will come together to discuss the top-tier risks and examine any other risk issues and emerging risks that they consider important. The risk identification process includes the establishment of risk context, identification of risk factors, analysis and evaluation of risk levels and their related impacts on the business performance of the Group.

The Group’s risk profile, including key risks, is reviewed and refreshed annually, or more frequently when the business environment warrants. The information is maintained and documented in a risk register, with risks sub-categorised into strategic, financial, operational, compliance and technology.

A 5-by-5 risk matrix is used as the primary tool to facilitate the prioritisation of risks based on likelihood and impact. Risks are valued on the matrix based on the likelihood of occurrence and magnitude of impact should the risks materialise. The magnitude of impact includes consideration of financial, regulatory, reputational and operational effects. Parameters representing ESR’s risk appetite and tolerance are also established to guide the evaluation of risks on the matrix. This risk identification exercise monitors any risk changes and trends as well as the effectiveness of the related control mechanisms and/or control activities within the overall risk profile.
Group Risk Management department works closely with the risk owners to identify key risks, assess their likelihood and impact on the Group’s business, and establish corresponding mitigating controls to manage these risks. The key risks are reviewed by management and Audit Committee before they are drawn to the attention of the Board.

• Risk Assessment and Management

In-depth risk assessments are performed for key risks faced by the Group with the consideration of the potential drivers, likelihood of the risks occurring and consequences, as well as mitigating controls in place to manage them. These risk assessments are conducted with the risk owners from country and Group levels during facilitated risk prioritisation and training workshops during the year. Action plans are then identified to further manage risks as necessary. Risk assessments are also reviewed periodically to ensure continued relevance to the Group. The process and its outcomes are documented to facilitate communication and provide information for decision-making.

The Group has put in place various policies and procedures to mitigate key risks to an acceptable residual level based on the Board and management’s risk appetite and tolerance. These policies and procedures aim to drive consistency in work processes and facilitate the understanding and effective implementation of controls within operations. All policies and procedures are reviewed on a periodic basis to ensure they remain relevant. Key updates and revisions to policies and procedures are approved by appropriate parties and communicated to all relevant parties.

ESR CAYMAN LIMITED ANNUAL REPORT 2021 61
