ENTERPRISE RISK MANAGEMENT POLICY

Transcription

1 ENTERPRISE RISK MANAGEMENT Approved by the Audit Committee on 14 February 2003 and adopted by resolution of the Board on 28 March 2003 Revisions approved by the Audit and Risk Committee on 14 February 2008 and adopted by resolution of the Board on 6 March 2008 Revisions approved by the Risk Management Committee on 21 November 2014 and adopted by resolution of the Board on 04 December 2014

2 Contents Page A. Introduction 1 B. Statement of Policy 1 C. Objective 1 D. Enterprise Risk Management (ERM) Framework 2 E. ERM Process 3 F. ERM Governance Structure 4 Attachment 1: ISO 31000:2009 Risk Management Principles and Guidelines

3 VERSION NO. 3 REVISION NO. 2 PAGE NO. 1 of 7 A. Introduction Apart from the diversity of operations within the Ayala Group of Companies (herein referred to as the Group, its accountability to its stakeholders is further heightened with the incessant changes in the social, economic and political environment in the Philippines. To address the threats stemming from this situation, while also harnessing business opportunities as they arise, Ayala Corporation (herein referred to as the Company ), established an Enterprise Risk Management (ERM) Process that will provide a focused and disciplined approach in (1) identifying and analyzing risks on entering new investments; (2) managing the financial and operational stability of the Company; and, (3) recognizing risks inherent in the companies in its portfolio. The Company believes that risk management is an essential function for adopting strategic decisions, and having the proper approaches in place will pave the way for sustainable and resilient business operations for all its stakeholders B. Statement of Policy In general, risk affects the achievement of a Company s goals and objectives. With proper risk management in place, effects of negative risks may be alleviated, while positive risks may be capitalized, providing greater chances of enhancing the Company s value for all its stakeholders. Given the benefits provided by risk management, the Company strongly commits to the implementation of risk management within its organization. It shall utilize its risk management capabilities to maximize the value from its assets, business portfolio and other strategic business opportunities. The Group shall also embed it into their critical business activities, functions and processes to encourage enterprise and innovation. With a solid platform and strong commitment to risk management, the Company believes that they will be able to establish sustainable competitive advantage, optimize risk management cost, and pursue strategic growth opportunities with greater speed, skill and confidence. C. Objectives The ERM Policy provides the necessary foundation and organizational arrangements for managing risks across the Company. This document: Outlines the formal policies and procedures that will govern an integrated and enterprise-wide risk management process within the Company; States the key elements of the ERM framework that will assist in the effective implementation of the risk management process; Sets out a consistent approach for managing risks across the Company, aligned with relevant standards and industry s best practices; Presents the risk governance structure who will be responsible for the implementation of this policy; and,

4 VERSION NO. 3 REVISION NO. 2 PAGE NO. 2 of 7 Establishes the roles and responsibilities of each party at Ayala Corporation with regard to risk management. D. Enterprise Risk Management (ERM) Framework The approach to risk management is contained within and applied through Ayala Corporation s ERM Framework that is based on ISO 31000:2009 Risk Management Principles and Guidelines (refer to Attachment 1). This framework will assist in the effective application of the risk management process and shall ensure that relevant information for decision-making is timely and adequately reported. The components of the framework are as follows: Mandate and commitment Design of framework for managing risks Continual improvement of the framework Implementing risk management Monitoring and review of the framework Figure 1. Ayala Corporation s Enterprise Risk Management Framework Adapted from ISO 31000:2009 Risk Management Principles and Guidelines The continuing success and effectiveness of risk management largely depends on the strong and sustained commitment to it by the Company s management, supported by strategic and rigorous planning to achieve involvement at all levels of the organization and a risk-aware culture. As the ultimate champion in risk management, the Chief Risk Officer (CRO), with the assistance of the (GRMU), has the main responsibility in the implementation of risk management within the Company. In order to ensure that the program in place is effective and facilitates the achievement of the Company s goals and objectives, the GRMU must continuously monitor and periodically review the risk management framework. Based on the results of framework monitoring and review, recommendations for improvement may be provided by all personnel in the organization. All recommendations must then be consolidated by the GRMU for review by the CRO and approval by the BOD.

5 VERSION NO. 3 REVISION NO. 2 PAGE NO. 3 of 7 E. ERM Process Similar to the framework, Ayala Corporation s ERM Process also follows ISO 31000:2009. To be effective, this process shall be an integral part of management and embedded in Ayala s culture and practices. The activities comprising Ayala Corporation s ERM Process are as shown below: Establishing the context Communication and consultation Risk assessment Risk identification Risk analysis Risk evaluation Risk treatment Monitoring and review Figure 2. Ayala Corporation s Enterprise Risk Management Process Adapted from ISO 31000:2009 Risk Management Principles and Guidelines At all stages of the ERM process, an open communication and interactive consultation between top management and different business units shall take place, as this is a key to easier understanding between stakeholders and those accountable for implementing the risk management process. The Board of Directors (BOD), management committees, CRO, GRMU and different risk owners should have a collaborative effort in discussing the Company s risk management goals and objectives, defining the external and internal parameters to be considered and setting the scope for the remaining process. The GRMU, with the approval of the CRO and BOD, shall establish the Company s strategies, design and required infrastructure to ensure that the risk management capabilities of the Company are adequate. The GRMU shall then ascertain that periodic business risk assessment sessions are part of the annual strategic and business planning activities of the Company to guarantee that all significant risks are identified and evaluated appropriately. The results of risk identification, risk analysis and risk evaluation shall be reviewed periodically by the GRMU, communicated to the CRO, and reported to the BOD.

6 VERSION NO. 3 REVISION NO. 2 PAGE NO. 4 of 7 Once risk assessment has been completed, risk owners shall recommend the appropriate plan of action for addressing risks in their respective functional areas. Prior to implementation, all risk treatment plans must be duly reviewed by the GRMU. Monitoring and review of the risk management process should be conducted at regular intervals by the GRMU. It should encompass all aspects of the risk management process, and the results of which should be recorded and reported to the Risk Management Committee (RMC). In summary, the following are the key deliverables for the ERM process: Activity Key Deliverable Person Responsible Risk management goals and o Prepared by GRMU objectives o Reviewed by CRO o Approved by BOD Establishing the Context Risk management policy Risk management governance structure Risk Assessment Risk Universe o Prepared by risk Risk Treatment Risk Monitoring and Review Risk Dictionary Risk Portfolio Risk Analysis Report Risk Treatment Plan Updates to Ayala Risk Portfolio Periodic Risk Management Report Annual Risk Management Report owners o Reviewed by GRMU CRO F. ERM Governance Structure To ensure an effective and efficient management of risks within Ayala Corporation, the Company implements a risk governance structure such that an integrated and independent view of risk exposures can be obtained. Board Oversight Risk Governance Audit Policy & Management Board of Directors Risk Management Committee (RMC) Risk Appetite/Tolerance Risk Management Processes Management Committees *Committees created by Management * Internal Audit Chief Risk Officer (CRO) (GRMU)

7 VERSION NO. 3 REVISION NO. 2 PAGE NO. 5 of 7 Embedded Risk Management ERM Policy Corporate Strategy ERM Program Risk Owners Transactional Risk Management Corporate Resources Monitoring & Reporting Corporate Governance Finance Figure 3. Ayala Corporation s Enterprise Risk Management Governance Structure Reporting Structure Board of Directors Risk Management Committee Line Management Parent Chief Risk Officer Affiliate/Subsidiary Chief Risk Officer Parent Group Risk Management Unit Officer Affiliate/Subsidiary Risk Management Unit The following is the framework of responsibilities for risk management, in consistency with the Company s risk governance structure. a. Board of Directors Approves the Company s risk appetite and risk exposure allocation; Approves the Company s enterprise risk management policy and any revisions thereto; Approves the policies, strategies and systems implemented for the ongoing identification, control and mitigation of risk exposures; and, Reviews report from the Risk Management Committee with regard to the overall effectiveness of the risk management process. b. Risk Management Committee

8 VERSION NO. 3 REVISION NO. 2 PAGE NO. 6 of 7 Reviews and recommends to the Management the Company s levels of risk appetite and risk exposure allocation; Reviews and assesses the adequacy and sufficiency of the Company s policies and processes for risk identification, assessment and mitigation; Reviews the objectivity, effectiveness and efficiency of the Company s risk management function; and, Establishes a sound risk-aware culture throughout the enterprise. c. Management Committees Provide strategic leadership for the Company s risk management; Provide oversight of the strategic and operational risks for the Company, including reviewing the Company s risk universe and the progress of treatment plans that are being managed by different business units; Regularly identifies risk priorities and aligns business objectives with risk strategies and policies; and, Arbitrates and resolves conflicts arising from different risk mitigation strategies among business units. d. Internal Audit Provides objective and reasonable assurance that the internal control framework is operating effectively; Reports directly to the RMC any risk management issue due to identified internal control deficiencies and provide recommendations for improvement; Reviews the alignment of internal control framework with the identified risk exposures; and, Assists in the enhancement of the understanding of risk and controls among line staff. e. Chief Risk Officer The CRO is the advocate of enterprise-wide risk management at Ayala Corporation and oversees the entire risk management function. He: Works with the management committees, as well as operational units, to integrate risk management within the Company; Ensures that the Company s overall risk exposures are consistent with its risk appetite and are properly covered by risk policies; Strengthens systems and measurement tools needed to provide robust foundation for risk management; Identifies developing or emerging risks, concentrations and other situations that need to be studied through stress testing or other techniques; Ensures that all initiatives related to risk management are monitored and reported to the appropriate members of the organization; Monitors the top risks of the Company and reports status of the implementation of risk management strategies and action plans; and,

9 VERSION NO. 3 REVISION NO. 2 PAGE NO. 7 of 7 Ensures that the GRMU receives appropriate organizational support to implement enterprise risk management on a day-to-day basis. f. The GRMU has the overall accountability and ownership for the continuity and success of the enterprise risk management function. The GRMU Head, together with its members, shall: Continuously work with the CRO in developing, implementing, reviewing and improving the Company s ERM framework and associated policies and procedures; Formulate an annual risk management plan and coordinate overall enterprise risk management activities within the Company; Assist the Management in determining, evaluating and measuring the Company s risk exposures, risk appetite and risk tolerance; Ensures that developing or emerging risks and interrelationship of new and existing risks are regularly reviewed, updated and reported to the CRO; and, Facilitates continuing education of Company personnel in order to enhance the capacity and capability of all departments to effectively and efficiently manage risk. g. Risk Owners Are ultimately responsible for risks in their functional areas of responsibility; Collect and analyze risk data to provide risk information to the Board, RMC and other departments of the Company; Approve and coordinate risk management efforts and specific strategies in their functional areas; Recommend risk tolerance levels or risk limits with corresponding measurement methods for approval by the Board; Evaluate measurement methodologies used in quantifying risks in their functional areas; and, Evaluate the effectiveness of the infrastructure (e.g., people, systems, support) in place for managing specific risks in their respective functional areas. While the Company has formal risk governance structure, all staff still bear the responsibility to contribute to the continued improvement and enhancement of the Company s risk management capabilities. They shall take all reasonable and practical steps to perform their responsibilities in relation to risk management. Furthermore, they shall report to Management any incidents that may result in unacceptable levels of risk or non-compliance with established procedures for measuring and reporting risk.