ENTERPRISE RISK MANAGEMENT
FRAMEWORK
[Enterprise Risk Management Framework V.01]
In order to deliver value to our stakeholders which include our consumers, employees, communities and shareholders, IOI Properties Group Berhad must understand and manage the risks faced across our entire organization. Risks are inherent in our business activities and can relate to strategic threats, financial impacts, operational issues, compliance with laws, and reporting obligations. This document provides an overview of our enterprise-wide approach to risk management (the IOI Properties Group Berhad “Enterprise Risk Management Framework”) and illustrates examples of how this approach is implemented within the organization.
Version (01) .1. 2018
TABLE OF CONTENTS
OVERALL ENTERPRISE RISK MANAGEMENT FRAMEWORK OF IOI PROPERTIES GROUP BERHAD (“IOIPG”)
The 2nd phase is Risk Analysis and Assessment. The analysis should involve developing an understanding of the risk, the likelihood of the risk occurring and the full range of potential impacts/consequences. Identification of likelihood and impact is a qualitative exercise based on perception and history. The initial analysis provides the Inherent Likelihood, the Inherent Impact and the Inherent Risk Rating.
At this stage, the analysis assumes that all controls have failed or that no effective controls were in place. Whilst this is unlikely, it allows IOI Properties Group Berhad to understand which risks have the greatest potential to disrupt business operations and cause significant impact, and which therefore require strong and effective controls with appropriate and ongoing oversight.
Table 2: Risk Categories & Classification
8.3.3 Risk Evaluation
Risk evaluation is the process of identifying and measuring risk. The risk evaluation process includes identifying the risk, determining its probability and impact, preparing an action plan to control the inherent risk, defining the risk rating to be mitigated at the residual risk stage, and monitoring the risk.
All of these risk management processes are supported by a single risk management tool, the risk register.
8.4 Risk Mitigation Strategies
Risk mitigation involves identifying the most appropriate responses for reducing the inherent risk level to a level acceptable within the IOI Properties Group Berhad risk tolerance. Both controls and mitigations are designed to mitigate the risk by reducing the likelihood of negative risks occurring and/or reducing the impact of risks should they occur.
There are a number of mitigation options available, and more than one will be applied to any risk. Typical mitigation options include the establishment and operation of controls designed to mitigate, discourage, identify and/or limit the impact and likelihood of a risk occurring. Most risks will have multiple different controls in place: some intended to prevent a risk occurrence, some to detect an occurrence, whilst others are designed to respond to an occurrence. Controls will not always be performed by the risk owner. For example, Business Units will have a key reliance on Technology to manage the controls that ensure systems are available and operating as required.
8.4.1 Controls
a) Directive Controls are those designed to establish desired outcomes.
Examples:
• Setting Council policies, Business Unit policy/procedures
• Setting capital expenditure limits
• Laws and regulations
• Training seminars
• Job descriptions
• Meetings
b) Preventive Controls are designed to discourage errors or irregularities from
occurring. They are proactive controls that help to ensure departmental
objectives are being met. Examples include:
• Training on applicable policies, Department policy/procedures;
• Review Occupational safety & health of office premises
• Segregation of duties (authorisation, record keeping & custody of the
related assets should not be performed by the one same individual)
• Physical control over assets
• Locking office door to discourage theft
• Using passwords to restrict computer access
• Shredding documents with confidential information.
c) Detective Controls are designed to find errors or irregularities after they have
occurred. Examples:
• Cash counts; bank reconciliation;
• Review of payroll reports;
• Compare transactions on reports to source documents;
• Monitor actual expenditures against budget;
• Review logs for evidence of mischief;
• Exception reports which list incorrect or invalid entries or transactions
• Reviews and comparisons
• Physical counts of inventories
d) Corrective Controls are intended to limit the extent of any damage caused
by an incident e.g. by recovering the organisation to normal working status as
rapidly and efficiently as possible. Examples:
• Submit corrective journal entries after discovering an error
• Complete changes to IT access lists if individual’s role changes
• System upgrades
• Additional training
• Changes to procedures.
e) Transfer the risk. Risk transfer shares the risk with a third party in order to reduce the likely impact should the risk materialise:
• Risk transfer may be achieved by taking out insurance to facilitate financial recovery should a risk be realised.
• Compensating a third party to take on the risk because that party is better able to manage the risk effectively.
• Risk may be wholly transferred, or partly transferred (i.e. shared).
• It is important to remember that it is almost impossible to transfer risk completely. In almost all risk sharing arrangements, a degree of the original risk remains, and there is inevitably financial or other consideration for the sharing of the risk. In addition, a new risk is inherited: that of being dependent on a third party to manage the original risk.
f) Eliminate the risk. Some risks may only return to acceptable levels if the activity is terminated. In such situations, the risks are deemed irrelevant and no longer applicable in the current scenario.
g) Accept the risk. A risk may be accepted because:
• the probability or consequences of the risk are low or minor,
• the cost of treating the risk outweighs any potential benefit,
• the risk falls within the group’s established risk appetite and/or tolerance levels, or IOIPG has limited or no control over the risk, e.g. natural disasters, international financial market impacts, terrorism and pandemic illnesses. To manage such risks, IOIPG should have a business continuity plan (BCP) in place to provide effective prevention and recovery.
When determining the most appropriate mitigation, IOIPG should consider:
• How will the mitigation modify the level of risk?
• How do costs balance out against benefits?
• How compatible is the mitigation with the overall business objectives?
• Does it comply with legislation?
• Does it introduce new or secondary risks?
In certain scenarios, more than one response may be necessary to address an identified risk. In those cases a combination of responses (controls / mitigations) should be taken into consideration.
8.5 Monitor and review
The risk assessment process provides a snapshot of the group’s risks, controls and action plans at a given point in time, via the “Risk Register” (Appendix 3). The residual risk impacts and likelihoods and the control effectiveness ratings can be reflected on a one-page Heat Map with supporting opinion and insight on risks, controls and actions: the “Risk Profile”.
Because the external and internal environment in which we operate is fluid, the influences on our objectives continue to ebb and flow. In addition, assumptions have been made in relation to both the quality of response strategies already in place and the implementation and quality of proposed responses. As a result, the risk management process is iterative and should be the subject of a structured monitoring and review process.
8.5.1 Ongoing review of risks
Risk responses and the effectiveness of control measures to manage risk need to be monitored on an ongoing basis to ensure that changing circumstances, such as the political environment and the IOIPG strategic objectives and risk appetite, do not alter the risk evaluation profiles and adequacy assessments. New risks or deficiencies in existing mitigation strategies may be identified via a number of sources:
• Changes in the strategic objectives;
• Regular review of the identified risks and mitigation strategies;
• The annual Internal Audit exercise;
• Ongoing monitoring by various Committees, Audit Committees & RMC;
• New legislation;
• New accounting standards, guidelines or information from any regulator
• Complaints
• Regulatory / Compliance breaches
• Incidents
• External Audit (if any)
• Project & internal policy changes
Internal audit will pay particular attention to those controls, mitigation activities or other responses identified through the risk assessment as having significant priority. In addition, the Risk Assessment Process, including the Framework, will be monitored, evaluated and reviewed by the Internal Auditor.
Risks are to be monitored and reviewed by the responsible manager/officer on an ongoing basis and reported to committees at least quarterly. The effectiveness of risk responses will be continuously monitored by the responsible manager/officer and reviewed six monthly (Half Yearly).
8.5.2 Alignment to the strategic plan
For risk assessments associated with the whole of IOI Properties Group Berhad or individual departments, the review process will be built into the business planning process. Output from the Strategic Risk Assessment and Business Unit Risk Assessments are to be used as input to the Business Planning Process. That input will include risk response plans. Internal Audit will use the information from the Business Planning Risk Assessments, in particular the risk response plans, to assist with development of the Internal Audit plan.
Existing Risks / Existing Response Plans:
• Identify existing risk response plans in place.
• Establish objectives of the risk response plan, i.e. which risk is being mitigated and to what level/extent.
• Evaluate if the existing risk response plans meet their objectives.
• Assess if the response plans are sufficient and relevant, i.e. if any addition or removal of risk response plans is required.
New Risks / New Response Plans:
• Evaluate if the Business Unit is prepared to accept the type of risk and, if so, how much risk it is prepared to tolerate.
• Assess if the existing response plans can be leveraged to mitigate/control the new risks identified.
• Identify a range of risk response options & evaluate the options.
• Design a plan to implement the preferred options, including the relevant KPIs and measures of success.
• Implement the selected risk response plans.
Diagram 7: Risk Response Plans
To ensure that the identified strategic risks, and the measures in place to manage them, remain aligned to the group’s strategic objectives, any change to the overall Strategic Plan will trigger a review of the risk assessment exercise and the Risk Management Process.
8.5.3 Project related risks
In relation to project-based risk assessments, the risk mitigation plan provides the project manager with a tool to continuously monitor project improvement through the implementation of the plan.
Issues and delivered risks identified through the course of the project must be assessed and included in the project risk register, having gone through the full risk assessment process outlined above. This will ensure the continuing relevance of the risk assessment.
8.6 Risk Management Tool – Risk Register
Risk registers provide a mechanism for documenting, managing, monitoring, reviewing, updating and reporting risk information. Risk Register design, use and related processes are developed and maintained by the Risk representatives appointed by the respective Heads of Business Units. IOI Properties Group Berhad has adopted a risk register template, tailored to the classification of risks being managed, which contains crucial information on all identified risks of each Business Unit, including risk owners and accountability. This template is in line with the ISO 31000 guidelines and complies with global standards. The critical information included in the risk register template includes:
1. Risk Name & No.
2. Risk Category
3. Risk Rating
4. Risk Owner
5. Risk Impact
6. Risk Likelihood / Probability of Occurrence
7. Existing Control Activities
8. Corrective Action & Mitigation Strategies
9. Areas of Improvement: Consequences / Opportunities arising from the risk
A sample of the Risk Register Template is enclosed as Appendix 3.
The business units will conduct their own reviews of their risk registers and provide updates on the risk information from time to time via risk review reports, for analysis and verification by the Risk Management Department for the purpose of the Half Yearly Financial risk review sessions with the Risk Management Committee (“RMC”).
A sample Risk Review Report is enclosed as Appendix 4.
8.6.1 Inherent likelihood & probability
The Inherent Likelihood of a risk occurring is defined as the probability and frequency of its occurrence. The table below is a commonly used format with four (4) levels of Likelihood, from Low (an event that occurs only in exceptional circumstances) through Medium and High to Very High (occurring frequently within a year). Each criterion is assigned a range between 0.1 and 4.0 that defines the level of likelihood of occurrence of each respective risk (see Table 3 - Risk Probability Matrix).
Table 3: Risk Probability Matrix
Probability   Definition    Rating
Low           <= 5%         0.1 to 1.0
Medium        6% to 20%     1.1 to 2.0
High          21% to 50%    2.1 to 3.0
Very High     > 50%         3.1 to 4.0
8.6.2 Inherent impact
This is defined as the potential impact or consequence of a risk occurring and is generally expressed as a financial loss, a non-financial loss (e.g. damage to reputation, client impact, regulatory impact) or occasionally a gain (see Table 4 - Risk Impact Matrix). Accurately determining and assigning the possible multiple impacts can be achieved by utilising the Impact range table, which has four (4) levels:
Impact Levels:
• Low (Range 0.1 to 1.0)
• Medium (Range 1.1 to 2.0)
• High (Range 2.1 to 3.0)
• Very High (Range 3.1 to 4.0)
Table 4: Risk Impact Matrix
Impact      Definition                                               Rating
Low         will not derail objective / immaterial loss              0.1 to 1.0
Medium      impede full achievement of objective / sustainable loss  1.1 to 2.0
High        will derail objective / material loss                    2.1 to 3.0
Very High   serious damage / critical loss                           3.1 to 4.0
A risk may fit into a single category or fall across multiple types, and similarly the level of impact may fit into more than one column. It is up to management (with assistance from risk representatives) to determine the type with the highest consequence for inclusion in the risk register. This consequence matrix document should be reviewed at least every two (2) years with business subject matter experts as part of the Framework review, to ensure that categories and descriptions are relevant and reflective of the IOI Properties Group Berhad internal and external environments.
8.6.3 Inherent risk rating
For each of the risks listed from the Risk Identification process, the likelihood of the risk occurring and its impacts can be plotted using the criteria matrices by multiplying the numbers associated with each criterion of Likelihood of occurrence and Impact, and illustrated in a heatmap (see Diagram 3):
e.g. the Likelihood of a single risk is assessed as ‘Very High’ (4) and its Impact as ‘Very High’ (4): 4 x 4 = 16.
The resulting level of risk is shown as the intersection of the two dimensions on the Risk Level Matrix (see below and Appendix 3). This provides an Inherent Risk Rating of 16 = Very High, and immediate remedial action should be taken to reduce this risk.
The risk rating displayed on a heatmap is described by four (4) shaded areas reflecting the level of risk: Low, Medium, High and Very High.
8.6.4 Current control environment
To understand the extent to which the likelihood and impact of a risk occurring is being mitigated, the full set of controls currently in place must be documented and assessed for effectiveness of design and operation. The assessment should only assess controls that are currently in operation, not those that are planned.
Diagram 8: Risk Heat Map
Where controls are operated by a third party (e.g. Technology), discussions with the control owner should take place to ensure there is an appropriate assessment of the control that takes into consideration the views of the control owner and the risk owner.
8.6.5 Residual risk
When the controls have been assessed and rated, the “Residual Risk” (the amount of risk left over after inherent risks have been reduced by controls) rating can be determined. For each of the risks listed from the Risk Identification process, the Residual Likelihood of occurrence and potential impacts can be plotted by multiplying the numbers associated with each criterion of Likelihood and Impact. For example, the risk of a Cost Overrun occurring in the Project Management process, taking into consideration the effectiveness of controls in place (considered ‘Good’), could now be reassessed as follows:
The Likelihood is Low (= 1) x Impact assessed as now being Medium (= 3).
The resulting residual risk (1 x 3 = 3) is shown as the intersection of the two dimensions on the matrix (see below). This gives a Residual Risk level of 3 = Low. It is likely that no further actions would be required to further mitigate this risk.
Diagram 9: Residual Risk Rating
Alternatively, if the controls in place to mitigate a Cost Overrun occurring in the Project Management process are determined to be ‘Poor’, the inherent risk could be reassessed as follows:
The Likelihood is Possible (= 3) x Impact assessed as still being Major (= 4).
The resulting residual risk (3 x 4 = 12) would be High. In these circumstances, the Residual risk would be outside of appetite and would require actions to address the control gaps or weaknesses to further mitigate the likelihood or impact of the risk occurring.
8.6.7 Residual Risk Rating
This step prioritises the Residual risks to be addressed. The IOIPG Board of Directors and Risk Management Committee (“RMC”) will set a threshold (Risk Appetite) every two years whereby risks above the threshold are unacceptable and must be addressed, and risks below the threshold are treated differently (i.e. recorded, or recorded & monitored). IOIPG has also set criteria for responses to the range of Residual Risk Level ratings.
Using the example above, the Residual risk of a Cost Overrun is assessed as being High. Naturally, this is unacceptable, so actions are required to develop or enhance controls to mitigate the likelihood and impact of a Cost Overrun occurring.
• Residual Risks assessed as ‘Very High’ are likely to impact on strategic objectives, are unacceptable and must be immediately and actively mitigated, managed and monitored by the risk owner.
• Residual Risks identified as ‘High’ are likely to impact Division or possibly strategic objectives, and therefore the IOIPG Board of Directors and Risk Management Committee (“RMC”) are likely to view these risks as unacceptable. The risk owner must actively mitigate, manage and report, with ongoing monitoring by the Risk Management Department (RMD).
• Residual Risks identified as ‘Medium’ should be assessed on a case by case basis to understand the nature of the risk and whether the strengthening of controls is required; otherwise they can be tolerated if it is determined that impacts won’t adversely affect organisational objectives. Medium risks can be managed with controls but must be monitored to ensure the risk exposure is effectively managed and doesn’t worsen.
• Residual Risks identified as ‘Low’ are within operational and organisational tolerances and can be accepted. Low risks must still be recorded.
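As an added illustration of sections 8.6.1 to 8.6.7 (not part of the original framework document), the following Python helper encodes Table 3, the likelihood x impact product and the residual-band responses, and re-runs the page's Cost Overrun example. The cut-offs between score bands (4, 8, 12, 16) are an assumption made here, since the page gives only the three worked values (3 = Low, 12 = High, 16 = Very High).

```python
from dataclasses import dataclass

# Table 3 (Risk Probability Matrix): probability of occurrence in percent,
# with the band name and the 0.1 to 4.0 rating range for that band.
PROBABILITY_BANDS = (
    (5.0, "Low", (0.1, 1.0)),
    (20.0, "Medium", (1.1, 2.0)),
    (50.0, "High", (2.1, 3.0)),
    (100.0, "Very High", (3.1, 4.0)),
)

# ASSUMED cut-offs for the likelihood x impact product. The page shows
# 3 = Low, 12 = High and 16 = Very High but does not state the boundaries.
SCORE_BANDS = ((4.0, "Low"), (8.0, "Medium"), (12.0, "High"), (16.0, "Very High"))

# Required response per residual band, paraphrased from section 8.6.7.
RESPONSE = {
    "Very High": "unacceptable; risk owner mitigates immediately and actively",
    "High": "unacceptable; risk owner mitigates, Risk Management Department monitors",
    "Medium": "assess case by case; tolerate with monitoring if objectives unaffected",
    "Low": "within tolerance; accept but record",
}


def likelihood_band(probability_pct):
    """Map an estimated probability of occurrence (percent) to its Table 3 band."""
    if not 0.0 <= probability_pct <= 100.0:
        raise ValueError("probability must be between 0 and 100 percent")
    for upper, name, _ in PROBABILITY_BANDS:
        if probability_pct <= upper:
            return name


def score_band(score):
    """Bucket a likelihood x impact product into Low / Medium / High / Very High."""
    return next(name for upper, name in SCORE_BANDS if score <= upper)


@dataclass
class RiskEntry:
    """One risk register row; ratings use the 0.1 to 4.0 scales of Tables 3 and 4."""
    name: str
    inherent_likelihood: float
    inherent_impact: float
    residual_likelihood: float
    residual_impact: float

    def __post_init__(self):
        for value in (self.inherent_likelihood, self.inherent_impact,
                      self.residual_likelihood, self.residual_impact):
            if not 0.1 <= value <= 4.0:
                raise ValueError(f"{self.name}: rating {value} outside 0.1 to 4.0")
        # Controls can only reduce risk, so residual must not exceed inherent.
        if self.residual_score() > self.inherent_score():
            raise ValueError(f"{self.name}: residual score exceeds inherent score")

    def inherent_score(self):
        return round(self.inherent_likelihood * self.inherent_impact, 2)

    def residual_score(self):
        return round(self.residual_likelihood * self.residual_impact, 2)

    def residual_band(self):
        return score_band(self.residual_score())

    def required_response(self):
        return RESPONSE[self.residual_band()]


def prioritise(register):
    """Return the rows outside appetite (High / Very High), worst first."""
    flagged = [r for r in register if r.residual_band() in ("High", "Very High")]
    return sorted(flagged, key=lambda r: r.residual_score(), reverse=True)


if __name__ == "__main__":
    # Constructed register: the page's Cost Overrun example under 'Good'
    # controls (1 x 3) and under 'Poor' controls (3 x 4).
    register = [RiskEntry("Cost Overrun (good controls)", 4, 4, 1, 3),
                RiskEntry("Cost Overrun (poor controls)", 4, 4, 3, 4)]
    for row in register:
        print(row.name, row.residual_score(), row.residual_band(), row.required_response())
    print("outside appetite:", [r.name for r in prioritise(register)])
```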
8.6.8 Action plans
Where control weaknesses are identified and the decision is taken that further mitigation is required (i.e. the residual exposure is not accepted), an action plan must be established.
All actions must be:
• Owned: who is responsible for ensuring the action is addressed.
• Specific: the exact activities that will be undertaken.
• Timely: must be completed within appropriate time frames, commensurate with the significance of the gap/weakness.
• Achievable: the action/activities must be realistic to ensure appropriate mitigation.
• Measurable: it must be possible to quantify the action or have a means of assessing progress.
• Justified: can demonstrate a further reduction in the Residual Likelihood and/or Impact.
• Governed: tracked, managed and reported.
9.0 RISK REPORTING
Reporting associated with the Risk Management Framework is structured to satisfy two criteria:
1) Information relating to the IOI Properties Group Berhad existing risk profile & Risk registers; and
2) Information relating to the IOI Properties Group Berhad implementation, performance and status of the Framework (Compliance).
The table below indicates the reporting responsibilities and frequency:
Report Name | Submission By | Report Recipient | Frequency
Strategic Risk Assessment | Chief Operating Officer (COO) | Senior Management / Risk Management Committee (“RMC”) / Group Risk Management Department | Annually
Business Unit Risk Register Status Report | All Business Unit General Managers / Asst. General Managers / Managers | Risk Management Committee (“RMC”) / Group Risk Management Department | Quarterly / Half Yearly
Department Risk Assessment(s) | Business Unit Managers / Risk Team | Group Risk Management Department | Quarterly / Monthly reviews for High / Very High risks
Risk Mitigation Actions on Track | Responsible risk control & action owners (facilitated by Risk & Assurance Team) | Group Risk Management Department | Quarterly
Table 5: Reporting Accountabilities & Frequencies
Diagram 10: Reporting Structure
10.0 RISK TRAINING & DEVELOPMENT
To ensure the successful implementation of risk management throughout the organisation, it is planned that appropriate training in risk management will be provided to High Level Management and the managers of each respective Business Unit. Training co-ordinated between the Training Department & Group Risk Management Department should encompass the risk management process, application of risk management tools, assistance with identification and analysis of the group’s risk exposures, risk profiling and reporting.
In addition, the group’s Risk Management Team will coordinate with the Training and Development Department to work towards ensuring:
• Induction training will include Risk Management awareness and the Employee Code of Conduct.
• Employees receive regular Risk Management awareness and update training (at minimum, a half-day refresher course once every year for those staff directly involved in Risk Reporting and Monitoring).
[Content of Diagram 10 (Reporting Structure): internal reporting flows upward through the Operational Team, Management Team and Senior Leadership Team to the Board, alongside external reporting. The reporting content shown on the diagram, from the top tier down:]
• The Group’s risk profile; actions to address key risks; effectiveness and progress of actions taken; state of risk management framework; major incidents and issues.
• Results/Key Performance Indicators; commentary on major events in period; major incidents and issues; areas of focus where risks are changing adversely; new risk exposure; progress on actions to address key risks.
• Commentary on major events in the reporting period; major incidents and issues; areas of focus where risks are changing adversely; progress on actions to address key risks.
• External reporting: better disclosure of risks and risk management practices to stakeholders.
• Any updates and changes to the Risk Management Policy, Framework related policies, procedures, Codes of Conduct, ethics etc. are circulated to all employees via the Intranet or email where deemed necessary.
11.0 APPROVING AUTHORITY
The Board of Directors (“Board”) and Risk Management Committee (“RMC”) shall be responsible for the approval or ratification of the Enterprise Risk Management (“ERM”) Framework.
12.0 DATE OF IMPLEMENTATION
The Enterprise Risk Management (“ERM”) Framework is effective immediately upon approval by the Board of Directors (“Board”) on 7th September 2018.
13.0 REFERENCE
The Framework is to be read in conjunction with all other relevant policies and internal procedural documents issued by IOIPG, international standards bodies (“ISO”) and the Department of Standards Malaysia (“MS ISO”):
a) International Standard ISO 31000: Risk Management – Principles and Guidelines
b) Malaysian Standard MS ISO 31000: Risk Management – Principles and Guidelines
14.0 COMPLIANCE
The Framework is applicable to all departments, units and projects in which IOIPG is engaged or involved.
15.0 EXCEPTIONS
Any exception from this Framework shall require the approval of the Board of Directors of IOIPG (“Board”) and the Risk Management Committee (“RMC”), unless it is deemed operational in nature.
Appendix 1 – Risk Management RACI Matrix
The RACI matrix indicates the level of participation in each step of the process. The RACI acronym is derived from the four (4) key responsibilities in the risk management process, which are:
R - Responsible: Complete the work to achieve the task
A - Accountable: Ultimately answerable for accurate completion of the task, or the approval / final approving authority
C - Consulted: Those whose opinions are sought to complete the task (SME)
I - Informed: Notified of the result of the task
Appendix 2 – Risk Register Template
Review Of Key Principal Risk & Control Activities
Risk Register Note: PLEASE DO NOT ALTER LAYOUT OF REPORT
Template fields (drop-down selections and “N/A” defaults omitted):
• Principal Risk (RISK:) – Description / Root Cause of Risk
• Risk No.
• Risk Rating
• Risk Category
• Impact
• Likelihood
• Risk Owner
• Risk Status
• Brief Overview of Controls, Corrective Action & Strategies
• Corrective Action & Mitigation Strategy
• Control Type (Preventive / Detective / Directive / Corrective)
• Consequences / Opportunities (if any) arising from the Risk
Appendix 3 – Risk Review Report
Note: PLEASE DO NOT ALTER LAYOUT OF REPORT
Risk Review Period: *Compulsory (selection: 1st Half FY 2018, 2nd Half FY 2018, 1st Half FY 2019, 2nd Half FY 2019, 1st Half FY 2020, 2nd Half FY 2020, N/A)
Business Entity: *Compulsory
Scope Of Review:
Signed Off By: Head Of Division / Department / Business Unit    Date:
Acknowledged By: Risk Management Dept    Date:
EXECUTIVE SUMMARY
Acknowledgement
We are directly responsible for the design, establishment, and maintenance of internal control systems to manage risks related to our Unit / Department.
Scope of the review
We have for the mentioned period identified and reviewed all principal risks; corresponding controls (in processes and procedures) and control activities (monitoring, measures, analyses & communication); and have responded appropriately to the same for the following units/depts/functions: -