The Company believes that excellence in the management of risk is an essential part of its competitive strategy. In line with corporate strategy, the Board is tasked with approving the risk management and control policy, and periodic monitoring of the internal control and reporting systems. On the basis of the general guidelines mandated by the Board, the Management Committee (ManCom) establishes necessary corporate policies that specify the guidelines approved by the Board. In this context, and to perform its duties appropriately, the ManCom relies on the essential duties carried out by the Steering Committee (SC) – Business Risk Management (BRM) whose main responsibility includes spearheading the performance of company-wide annual risk assessment, definition of long-term objectives, and development of strategic and business plans. The Business Development (BD) unit, under the Finance function, of the Company facilitates such risk assessment.
The Board acknowledges its responsibility for the Company’s system of internal control and for reviewing its adequacy and effectiveness. The system is designed to manage the risk of failure to achieve business objectives and can only provide reasonable but not absolute assurance against material misstatement or loss.
The risks associated with the Company’s activities are reviewed regularly by the Board, which assesses the Company’s risk appetite/tolerance, and considers major risks and evaluates their impact on the Company. Policies and procedures, which are reviewed and monitored by the Head of Internal Audit, are in place to deal with any matters, which may be considered by the Board to present significant exposure.
The key features of the Company’s risk management process, which serve as measure of its effectiveness, include the following:
- Each significant risk is documented, showing an overview of the risk, how the risk is managed, and any improvement actions or corrective initiatives. Risks are categorized based on the impact to EBITDA.
- The risk profiles ensure that internal audit reviews of the adequacy, application and effectiveness of risk management and internal controls are targeted on the key risks
- Risk management is cascaded from corporate to business operating unit level. Risk assessment meetings are held at least annually, and the standard agenda include discussion of risk and control issues, and review and updating of risk profiles.
- Risk and control self-evaluation exercises are undertaken by each business operating unit level at least twice a year, and updated risk profiles are prepared.