In common with all business concerns, the Group strives to achieve its objectives amidst uncertainties and has adopted as reference the risk management principles and guidelines under the International Standard ISO 31000 to manage the effect of such uncertainties on the achievement of its objectives. The risk management process, developed according to the standard, is an integral part of management, tailored to and embedded in the business practices. The process comprises the following activities and phases.
- Communication and consultation
Communication and consultation with stakeholders or risk owners, being those in charge of legal entities, functional units or business processes, are established, developed and exercised at all stages of the risk management process, to address issues arising from risks, causes, consequences and measures required to treat the risks.
- Establishing the context
Desirable objectives are articulated, external as well as internal parameters are defined, and risk criteria are set in order to facilitate the conduct of the risk management process.
- Risk assessment
It is the overall process of risk identification, risk analysis and risk evaluation.
- Risk identification: through the network of communication and consultation established with stakeholders or risk owners, sources of risk, areas of impacts, events or changes in circumstances, causes and consequences are identified. Risks so identified are reported and recognized in the risk register to facilitate risk analysis and evaluation of their impact on the achievement of objectives.
- Risk analysis: an understanding of the risks identified is obtained in order to consider the causes and sources of risk, their consequences, whether favorable or unfavorable, their likelihood, the confidence in determining the level of risk, and sensitivity to preconditions.
- Risk evaluation: a decision is made, based on the outcome of risk analysis, about whether a particular risk needs treatment and the corresponding priority for treatment implementation.
- Risk treatment
Where a decision is made that a particular risk needs treatment, management is required to develop options to modify the risk by providing mitigation or appropriate controls in order to reduce the residual risk to a tolerable level.
- Controls address the key causes and impacts of the risk.
- Controls are designed and implemented consistent with the achievement of the corporate objectives and performance targets.
- Management reviews controls at least annually to ensure they are effective and efficient in both design and operation.
- Risk management performance is regularly monitored.
- Risks and risk management performance are appropriately communicated to stakeholders or risk owners, including those in charge of governance and those responsible for the management of legal entities, functional units or business processes.
The Board, with the assistance of the Audit Committee and Risk Management Committee, evaluates the effectiveness of the systems for identifying and managing risks that are material to the achievement of corporate objectives.