Enterprise Risk Management, Accountability, and Audit
The Company recognizes the increasing importance of sound risk management practices to drive business growth and sustainability. The Company implemented systems and processes to facilitate proper risk identification, monitoring and control, which are key to effective corporate governance. Timely and accurate management and financial reporting systems, internal controls, and audits are also employed to protect and maximize stakeholders’ value.
The Board oversees Management’s adoption and implementation of a sound risk management framework for identifying, monitoring and managing key risk areas. The BOD reviews Management reports with due diligence to enable the company to anticipate, minimize, control and manage risks or possible threats to its operational and financial viability.
Enterprise Risk Management
Through a sound Enterprise Risk Management (ERM) framework, the Company effectively identifies, monitors, assesses and manages key business risks. The framework guides the Board in identifying units/business lines and enterprise level risk exposures, as well as the effectiveness of risk management strategies.
The ERM framework revolves around the following eight interrelated risk management approaches:
- Internal Environmental Scanning - it involves the review of the overall prevailing risk profile of the Business Unit (BU) to determine how risks are viewed and addressed by the management. This is presented during the strategic planning, annual budgeting and mid-year performance reviews of the BU.
- Objective Setting - the Company’s BOD mandates Management to set the overall annual targets through strategic planning activities, in order to ensure that management has a process in place to set objectives that are aligned with the Company’s goals.
- Event Identification - it identifies both internal and external events affecting the Group’s set targets, distinguishing between risks and opportunities.
- Risk Assessment - the identified risks are analyzed relative to the probability and severity of potential loss, which serves as the basis for determining how the risks will be managed. The risks are further assessed as to which are controllable and uncontrollable, which require management’s action or monitoring, and which may materially weaken the Company’s earnings and capital.
- Risk Response - the Company’s BOD, through the oversight role of the Internal Control Group, ensures that the action plan is executed to mitigate risks, whether to avoid, self-insure, reduce, transfer or share risk.
- Control Activities - policies and procedures are established and approved by the Company’s BOD and implemented to ensure that the risk responses are effectively carried out enterprise-wide.
- Information and Communication - relevant risk management information is identified, captured and communicated in a form and substance that enable all personnel to perform their risk management roles.
- Monitoring - the Internal Control Group of the respective Company and BUs and Corporate Internal Audit constantly monitor the management of risks through audit reviews, compliance checks, revalidation of risk strategies and performance reviews.
Risk Assessment Tool
To help Business Units in the Risk Assessment Process, the Risk Assessment Tool, a database-driven web application, was developed for departments and units to facilitate the assessment, monitoring and management of risks.
The Risk Assessment Tool documents the following activities:
- Risk Identification – is the critical step of the risk management process. The objective of risk identification is the early identification of events that may have a negative impact on the Company's ability to achieve its goals and objectives.
- Risk Indicator – is a potential event or action that may prevent the continuity of operation or business.
- Risk Driver – is an event or action that triggers the risk to materialize.
- Value Creation Opportunities – is the positive benefit of addressing or managing the risk.
- Identification of Existing Control Measures – activities, actions or measures already in place to control, prevent or manage the risk.
- Risk Rating/Score – is the quantification of the likelihood and impact to the Company if the risk materializes. The rating has two (2) components:
  - Probability – the likelihood of occurrence of risk
  - Severity – the magnitude of the consequence of risk
- Risk Management Strategy – is the structured and coherent approach to managing the identified risk.
- Risk Mitigation Action Plan – is the overall approach to reduce the risk impact severity and/or probability of occurrence.
Results of the Risk Assessment Process are summarized in a Dashboard that highlights the risks that require urgent actions and a mitigation plan. The dashboard helps Management to monitor, manage and decide on a risk strategy and the needed action plan.
Internal Controls
Under the leadership of the Company’s Chief Financial Officer (CFO), internal control is embedded in the operations of the Company and in each BU, thus increasing their accountability and ownership in the execution of the BU’s internal control framework. To accomplish the established goals and objectives, BUs implement robust and efficient process controls to ensure:
- Compliance with policies, procedures, laws and regulations
- Economic and efficient use of resources
- Check and balance and proper segregation of duties
- Identification and remediation of control weaknesses
- Reliability and integrity of information
- Proper safeguarding of company resources and protection of company assets through early detection and prevention of fraud.
Adequate and Timely Information
To enable the Directors to properly fulfill their duties and responsibilities, Management provides the Directors with complete, adequate, and timely information about the matters to be taken up in their meetings. Information may include the background or explanation on matters brought before the Board, disclosures, budgets, forecasts, and internal financial documents. If the information provided by Management is not sufficient, further inquiries may be made by a Director to enable him to properly perform his duties and responsibilities. The Directors have independent access to Management and to the Corporate Secretary.
The Directors, either individually or as a Board, and in the performance of their duties and responsibilities, may seek access to independent professional advice within the guidelines set by the Board.
Accountability and Audit
The Board ensures that its Shareholders are provided with a balanced and comprehensible assessment of the Company’s performance, position and prospects on a quarterly basis. Interim and other reports that could adversely affect its business are also made available on the Company website, including its submissions and disclosures to the SEC and Philippine Stock Exchange (PSE). Management formulates the rules and procedures on financial reporting and internal control for presentation to the Audit Committee in accordance with the following guidelines:
- The extent of its responsibility in the preparation of the financial statements of the Company, with the corresponding delineation of the responsibilities that pertain to the External Auditor, should be clearly defined;
- An effective system of internal control that will ensure the integrity of the financial reports and protection of the assets of the Company for the benefit of all Shareholders and other Stakeholders;
- On the basis of the approved Internal Audit Plan, Internal Audit examinations should cover, at the minimum, the evaluation of the adequacy and effectiveness of controls that cover the Company’s governance, operations and information systems, including the reliability and integrity of financial and operation information, effectiveness and efficiency of operations, protection of assets, and compliance with contracts, laws, rules, and regulations;
- The Company consistently complies with the financial reporting requirements of the SEC;
- The External Auditor shall be rotated or changed every five (5) years or earlier, or the signing partner of the External Auditing firm assigned to the Company should be changed with the same frequency. The Corporate IA Head should submit to the Audit Committee and Management an annual report on the Internal Audit department’s activities, responsibilities, and performance relative to the Internal Audit Plan as approved by the Audit and Risk Committee. The annual report should include significant risk exposures, control issues, and such other matters as may be needed or requested by the Board and Management. The Internal Audit Head should certify that he conducts his activities in accordance with the International Standards on the Professional Practice of Internal Auditing. If he does not, the Internal Audit Head shall disclose to the Board and Management the reasons why he has not fully complied with the said documents; and
- The Board, after consultations with the Audit Committee, shall recommend to the Shareholders an External Auditor duly accredited by the SEC who shall undertake an independent audit of the Company, and shall provide an objective assurance on the manner by which the financial statements shall be prepared and presented to the Shareholders.
Internal Audit
The Corporate Internal Audit is focused on delivering its mandate of determining whether the governance, risk management and control processes, as designed and represented by management, are adequate and functioning in a manner that provides a reasonable level of confidence that:
- Employees’ actions are compliant with policies, standards, procedures, and applicable laws and regulations;
- Quality and continuous improvement are fostered in the control processes;
- Programs, plans, and objectives are achieved;
- Resources are acquired economically, used efficiently, and protected adequately;
- Significant financial, managerial, and operating information is accurate, reliable, and timely;
- Significant key risks are appropriately identified and managed; and
- Significant legislative or regulatory issues impacting the Company are recognized and properly addressed.
Opportunities for improving management control, profitability and the Company’s reputation may be identified during audits.