Enterprise Risk Management
The Board shall oversee that a sound Enterprise Risk Management (ERM) framework is in place to effectively identify, monitor, assess and manage key business risks. The risk management framework shall guide the Board in identifying units/business lines and enterprise-level risk exposures, as well as the effectiveness of risk management strategies.
Risk management policy is part and parcel of the Corporation's business strategy. The Board is responsible for defining the Corporation's level of risk tolerance and providing oversight over its risk management policies and procedures.
Subject to its size, risk profile and complexity of operations, the Corporation shall have a separate enterprise risk management function to identify, assess and monitor key risk exposures.
The risk management function involves the following activities, among others:
- Defining a risk management strategy;
- Identifying and analyzing key risk exposures relating to economic, environmental, social and governance (EESG) factors and the achievement of the organization's strategic objectives;
- Evaluating and categorizing each identified risk using the Corporation's predefined risk categories and parameters;
- Establishing a risk register with clearly defined, prioritized and residual risks;
- Developing a risk mitigation plan for the most important risks to the Corporation, as defined by the risk management strategy;
- Communicating and reporting significant risk exposures including business risks (i.e., strategic, compliance, operational, financial and reputational risks), control issues and risk mitigation plan to the Board Risk Oversight Committee; and
- Monitoring and evaluating the effectiveness of the organization's risk management processes.