Enterprise Risk Management

Introduction

Below is an overview of ARTHALAND CORPORATION’s (the “Company”) Risk Management Framework.

The framework provides the foundations and organizational strategies for designing, implementing, monitoring, reviewing and continually improving risk management throughout the Company.

The Company envisions being the preferred property company for sustainable developments, ensuring that the future will be better for its customers. Whilst this vision creates opportunities, it also means facing risks and uncertainties. The Company must manage the associated risks and opportunities in the delivery of its vision and mission. Risk management, therefore, needs to be established with the structures and processes in place to ensure that risks and opportunities are identified, assessed, and addressed in a systematic manner. This will allow the Company not only to manage its current needs, but also to be prepared to meet future challenges.

Risk Management Framework

A. PURPOSE

The purpose of the Risk Management Framework is to adopt a strategic approach to risk management and to provide the basis for the development and maintenance of coordinated activities in responding to identified risks.

The framework outlines the plans, accountabilities, processes, and activities needed to manage risks by increasing risk awareness and allowing for the early warning of potential problems, primarily through governance and reporting.

Having clear, coherent, and comprehensive risk strategies and disciplines is extremely important, as effective risk management is fundamental to the Company’s ability to sustainably meet its strategic objectives.

B. SCOPE

The framework applies to all business units of the Company. Each business unit is responsible for its own risk management activities and for providing reports on the status of risks to the Head of the Risk Management Department of the Company, who, in turn, is responsible for the consolidated reporting to the Risk Committee.

C. RATIONALE AND ADVANTAGES

Risk management is not about eliminating risk, but about making informed decisions on how to anticipate uncertain events. It is about determining what risks to avoid, how to reduce risk exposure, how to lessen the potential consequences, and even how to consciously accept some risks. As such, the following benefits accrue to the Company:

  1. Improved governance and enhanced assurance
  2. Improved stakeholders’ confidence and trust
  3. Protected company reputation
  4. Compliance with relevant legal and regulatory requirements
  5. Better planning and effective decision-making
  6. Better allocation and use of resources
  7. Enhanced ability to safeguard assets
  8. Increased likelihood that the Company’s objectives will be achieved
  9. Reduced likelihood that the Company will be affected by damaging events

D. STRATEGIES AND APPROACHES

The Risk Management Framework utilizes a cyclical process designed to ensure continuous improvement. It defines the agreed arrangements needed to ensure the effective management of risk across the organization. These are not one-off, stand-alone activities; they are collaborative and consultative. It is vital that members of the Company at all levels are involved, and that the risk management concept is embedded in, and made part of, the Company’s culture and values.

D.1. Core Purpose / Context

The scope, objective and parameters of the activities shall be established and documented to define who is the risk owner. A risk owner is accountable and has the authority to effectively manage the risk. The risk shall be based on the activities under evaluation and may involve consideration and evaluation of risk context.

D.2. Risk Identification

The second step in the risk management process is risk identification, which varies depending on the context and the level at which risks are being assessed. This is not a one-off exercise; it is a continuous process needed to identify new risks that had not previously surfaced but which might affect the Company’s ability to achieve its objectives. Risk identification also includes determining the existing controls that are in place to keep the inherent risk from happening.

The goal of the process is to come up with a comprehensive list of risks based on events that may delay or accelerate, prevent, or enhance the realization of the strategic and operational objectives. It should include all significant risks, whether or not the source of the risk is under the control of the Company.

General Risk Categories

  1. Political
  2. Economics
  3. Regulatory Compliance and Legal
  4. Financial
  5. Operational
  6. Reputations
  7. Management Strategy
  8. Assets
  9. New Projects/Partnerships
  10. Customers
  11. Environmental

D.3. Risk Analysis

Risk analysis is usually performed simultaneously with risk evaluation.

This activity involves understanding the risks comprehensively, which shall be the basis for coming up with relevant decisions or options in addressing the identified risks. The causes and sources of risk are considered together with the likelihood and impact of an event occurring.

Likelihood, Impact, and Inherent Risk

The Risk Analysis and Impact Measures shall be used to determine the likelihood and impact scores.

The “likelihood” is an estimate of how likely the risk is to occur. The “impact” or severity is an estimate of the effects of the risk if it happens. Multiplying the likelihood score by the impact score yields the inherent risk rating.

A risk register shall be created where all identified risks shall be recorded, maintained, and monitored. The risk register also contains the risk action plan for each identified risk and shall be updated by the Risk Owner or their designated nominee.

D.4. Risk Evaluation

Risk evaluation determines which of the identified risks require treatment and in what order of priority they should be addressed. Legal and regulatory requirements shall be considered in coming up with the decision, as shall the available resources and the Company’s risk appetite, especially in terms of potential financial and reputational impact.

Risk evaluation shall also consider the degree of control over each risk and the cost impact, benefits and opportunities presented by the risk.

D.5. Risk Response / Treatment (T.R.E.A.T)

Not all risks can be managed all the time. Thus, after analyzing and prioritizing the identified risks, cost-effective actions need to be taken to manage the identified risks that pose the most significant threat.

Options for treating risks are not exclusive and may include the following approaches:

  1. Take/Accept – retain the risk by informed decision and develop a contingency plan if appropriate to minimize the impacts should they arise. A decision is made to accept the risk. Management and/or the risk owner makes an informed decision to accept that existing actions sufficiently reduce the likelihood and impact of a risk and there is no added value in doing more.
  2. Reduce – implement controls and other treatments to minimize the likelihood of an event occurring (e.g., preventive action) and/or reduce the potential impact should the risk occur. Further actions shall be recorded in the risk register and regularly monitored. Once these have been completed, the appropriate resultant action shall be recorded as an existing action and the risk level shall be re-assessed.
  3. Exploit – whilst taking action to mitigate risks, a decision is made to exploit a resulting opportunity.
  4. Avoid – to not start or continue with the activity that gives rise to the risk. A decision is made not to take the risk. Where the risks outweigh the possible benefits, avoid risk by doing things differently, e.g., revise strategy, revisit objectives or stop the activity.
  5. Transfer – or share the risk through contracts, partnership, risk financing, insurance, etc. Although responsibility can be transferred, in most cases accountability remains with management/risk owner, so this still needs to be monitored.

D.6. Communication / Consultation

Risk management is an ongoing and continuous undertaking, and the risks need to be reviewed regularly to ensure prompt and appropriate actions are taken to manage their likelihood and impact. Thus, communication and consultation with internal and external stakeholders should take place at all stages of the risk management process, and plans to communicate risks, causes, impact, and treatments shall be developed.

Effective communication and consultation are essential to ensure that those responsible for managing the risk, and those with a vested interest, understand the basis on which decisions are made and why particular treatment and action options are selected or the reasons to accept the risks.

Status of risks and updates on management actions shall be periodically reported to the Board of Directors through the Risk Committee. Ideally, active risks shall be standing items in the Risk Committee agenda. Also, the committee shall receive a more detailed report on all risks rated above its tolerance threshold.

D.7. Monitoring and Controlling

As the Company continues its operations, changing circumstances may result in risks increasing or decreasing in significance. Thus, it is essential to monitor and control the management of risks. These can be best monitored through the Risk Appetite set by the Company.

It is ultimately the responsibility of the Risk Owner and the Company’s Risk Management Team to do the following:

  • Detect any changes in the internal and external risk factors
  • Identify emerging risks
  • Assess the performance of the treatment options
  • Assess if a risk has changed and requires escalation or is no longer valid and can be archived.

Internal or external auditors may conduct a verification review of whether the above are consistently and effectively being carried out.

E. ROLES AND RESPONSIBILITIES

It is the responsibility of all employees of the Company to have a level of understanding of the risk management approach and to regard risk management as an integral part of their responsibilities.

All Employees

  1. Report risk management concerns to their immediate line managers and manage the day-to-day risks and opportunities effectively.
  2. Attend training and awareness sessions and fully participate in risk workshops and planning.
  3. Espouse and support the risk management culture of the Company.
  4. Perform duties in a manner that is within the acceptable level of risk to their safety and health, and that of other employees and the Company.

Risk Management Committee

Monitor and review the appropriateness and effectiveness of the Risk Management Framework and improvement strategies.

President and Vice Chairman

The “Overall Risk Executive” is ultimately responsible for enterprise risk management priorities, including strategies, risk tolerance and policies.

Risk Management Department

  1. Own, promote and drive the effective implementation of the Risk Management Framework for all functions across the Company.
  2. Provide support and guidance to risk owners on the appropriate and effective management of risks at business unit level.
  3. Provide assurance that enterprise-wide risks are being effectively assessed and managed.
  4. Collate risk information and prepare reports as necessary.
  5. Drive consistent embedding of a risk management culture and ensure that risks are considered in decision-making.
  6. Ensure resources are appropriately allocated throughout the business units to manage the risks in line with the Company’s risk appetite and tolerance.

Business Unit Heads

  1. Promote and drive the effective implementation of the Risk Management Framework for all areas under their control.
  2. Incorporate risk management into their units’ activities and meetings and ensure that risks are identified, recorded, and managed by openly discussing the following:
    1. New or emerging risks
    2. Review of existing risks
    3. Control adequacy
    4. Outstanding issues and actions

Internal Audit

Undertake independent reviews of the adequacy and effectiveness of the Risk Management Framework and related risk management processes.

F. GOVERNANCE AND INFORMATION FLOW

The Company’s approach to managing its risks operates on several different levels, as illustrated in the table below. This table represents the governance and information flow that shall happen within the Company; it is not an organizational chart in terms of reporting lines. All these structures and forums shall enable the management of risk to take place.


G. RISK STATUS AND MITIGATION UPDATE

The Risk Owner shall close the identified risks when remedial actions are completed and/or risk decisions are arrived at. The Risk Management Committee shall be formally notified when closing High and Very High risks maintained in the Risk Register. The notification shall form part of the regular risk reports to the Committee at each meeting.

H. TRAINING AND AWARENESS

The Risk Management Department shall provide regular training courses in the risk management processes and their application to the Company. This is to ensure that adequate risk management competency levels are achieved and maintained throughout the Company. The training may be in a facilitation mode or via intranet access. Additional ad-hoc training shall also be provided as required or on request.