Enterprise Risk Management, Accountability, and Audit

The Company recognizes the increasing importance of sound risk management practices to drive business growth and sustainability. The Company implemented systems and processes to facilitate proper risk identification, monitoring and control, which are key to effective corporate governance. Timely and accurate management and financial reporting systems, internal controls, and audits are also employed to protect and maximize stakeholders’ value.

The Board oversees Management’s adoption and implementation of a sound risk management framework for identifying, monitoring and managing key risk areas. The BOD reviews Management reports with due diligence to enable the Company to anticipate, minimize, control, and manage risks or possible threats to its operational and financial viability.

Enterprise Risk Management

Through a sound Enterprise Risk Management (ERM) framework, the Company effectively identifies, monitors, assesses, and manages key business risks. The framework guides the Board in identifying units/business lines and enterprise level risk exposures, as well as the effectiveness of risk management strategies.

The ERM framework revolves around the following eight interrelated risk management approaches:

  1. Internal Environmental Scanning - it involves the review of the overall prevailing risk profile of the Business Unit (BU) to determine how risks are viewed and addressed by the management. This is presented during the strategic planning, annual budgeting and mid-year performance reviews of the BU.
  2. Objective Setting - the Company’s BOD mandates Management to set the overall annual targets through strategic planning activities, in order to ensure that management has a process in place to set objectives that are aligned with the Company’s goals.
  3. Event Identification - it identifies both internal and external events affecting the Group’s set targets, distinguishing between risks and opportunities.
  4. Risk Assessment - the identified risks are analyzed relative to the probability and severity of potential loss that serves as basis for determining how the risks will be managed. The risks are further assessed as to which risks are controllable and uncontrollable, risks that require management’s action or monitoring, and risks that may materially weaken the Company’s earnings and capital.
  5. Risk Response - the Company’s BOD, through the oversight role of the Internal Control Group, ensures the action plan is executed to mitigate risks, either to avoid, self-insure, reduce, transfer or share risk.
  6. Control Activities - policies and procedures are established and approved by the Company’s BOD and implemented to ensure that the risk responses are effectively carried out enterprise-wide.
  7. Information and Communication - relevant risk management information is identified, captured and communicated in the form and substance that enables all personnel to perform their risk management roles.
  8. Monitoring - the Internal Control Group of the Company and RLC Internal Audit constantly monitor the management of risks through audit reviews, compliance checks, revalidation of risk strategies, and performance reviews.

Risk Assessment Tool

To help Business Units in the Risk Assessment Process, the Risk Assessment Tool, a database-driven web application, was developed for departments and units to facilitate the assessment, monitoring and management of risks.

The Risk Assessment Tool documents the following activities:

  1. Risk Identification – is the critical step of the risk management process. The objective of risk identification is the early identification of events that may have a negative impact on the Company’s ability to achieve its goals and objectives.
    1. Risk Indicator – is a potential event or action that may prevent the continuity of operation or business
    2. Risk Driver – is an event or action that triggers the risk to materialize
    3. Value Creation Opportunities – is the positive benefit of addressing or managing the risk
  2. Identification of Existing Control Measures – activities, actions or measures already in place to control, prevent or manage the risk.
  3. Risk Rating/Score – is the quantification of the likelihood and impact to the Company if the risk materializes. The rating has two (2) components:
    1. Probability – the likelihood of occurrence of risk
    2. Severity – the magnitude of the consequence of risk
  4. Risk Management Strategy – is the structured and coherent approach to managing the identified risk.
  5. Risk Mitigation Action Plan – is the overall approach to reduce the risk impact severity and/or probability of occurrence.

Results of the Risk Assessment Process are summarized in a Dashboard that highlights the risks that require urgent actions and a mitigation plan. The Dashboard helps Management to monitor, manage and decide on a risk strategy and the needed action plan.

Internal Controls

With the leadership of the Company’s Chief Financial Officer (CFO), internal control is embedded in the operations of the company and in each BU, thus increasing their accountability and ownership in the execution of the BU’s internal control framework. To accomplish the established goals and objectives, BUs implement robust and efficient process controls to ensure:

  1. Compliance with policies, procedures, laws and regulations,
  2. Economic and efficient use of resources,
  3. Check and balance and proper segregation of duties,
  4. Identification and remediation of control weaknesses,
  5. Reliability and integrity of information, and
  6. Proper safeguarding of company resources and protection of company assets through early detection and prevention of fraud.

Adequate and Timely Information

To enable the Directors to properly fulfill their duties and responsibilities, Management provides the Directors with complete, adequate, and timely information about the matters to be taken up in their meetings. Information may include the background or explanation of matters brought before the Board, disclosures, budgets, forecasts, and internal financial documents. If the information provided by Management is not sufficient, further inquiries may be made by a Director to enable him to properly perform his duties and responsibilities. The Directors have independent access to Management and to the Corporate Secretary.

The Directors, either individually or as a Board, and in the performance of their duties and responsibilities, may seek access to independent professional advice within the guidelines set by the Board.

Accountability and Audit

The Board ensures that its Shareholders are provided with a balanced and comprehensible assessment of the Company’s performance, position and prospects on a quarterly basis. Interim and other reports that could adversely affect its business are also made available on the Company website, including its submissions and disclosures to the SEC and to the Philippine Stock Exchange (PSE). Management formulates the rules and procedures on financial reporting and internal control for presentation to the Audit Committee in accordance with the following guidelines:

  1. The extent of its responsibility in the preparation of the financial statements of the Company, with the corresponding delineation of the responsibilities that pertain to the External Auditor, should be clearly defined;
  2. An effective system of internal control that will ensure the integrity of the financial reports and protection of the assets of the Company for the benefit of all Shareholders and other Stakeholders;
  3. On the basis of the approved Internal Audit Plan, Internal Audit examinations should cover, at the minimum, the evaluation of the adequacy and effectiveness of controls that cover the Company’s governance, operations and information systems, including the reliability and integrity of financial and operational information, effectiveness and efficiency of operations, protection of assets, and compliance with contracts, laws, rules, and regulations;
  4. The Company consistently complies with the financial reporting requirements of the SEC;
  5. The External Auditor shall be rotated or changed every five (5) years or earlier, or the signing partner of the External Auditing firm assigned to the Company should be changed with the same frequency. The Corporate Internal Audit Head should submit to the Audit Committee and Management an annual report on the Corporate Internal Audit Department’s activities, responsibilities, and performance relative to the Internal Audit Plan as approved by the Audit and Risk Committee. The annual report should include significant risk exposures, control issues, and such other matters as may be needed or requested by the Board and Management. The Corporate Internal Audit Head should certify that he conducts his activities in accordance with the International Standards on the Professional Practice of Internal Auditing. If he does not, the Corporate Internal Audit Head shall disclose to the Board and Management the reasons why he has not fully complied with the said documents; and
  6. The Board, after consultations with the Audit Committee, shall recommend to the Shareholders an External Auditor duly accredited by the SEC who shall undertake an independent audit of the Company, and shall provide an objective assurance on the manner by which the financial statements shall be prepared and presented to the Shareholders.

Internal Audit

The Corporate Internal Audit is focused on delivering its mandate of determining whether the governance, risk management and control processes, as designed and represented by Management, are adequate and functioning in a manner that provides a reasonable level of confidence that:

  1. Employees’ actions are compliant with policies, standards, procedures, and applicable laws and regulations;
  2. Quality and continuous improvement are fostered in the control processes;
  3. Programs, plans, and objectives are achieved;
  4. Resources are acquired economically, used efficiently, and protected adequately;
  5. Significant financial, managerial, and operating information is accurate, reliable, and timely;
  6. Significant key risks are appropriately identified and managed; and
  7. Significant legislative or regulatory issues impacting the Company are recognized and properly addressed.

Opportunities for improving management control, profitability, and the Company’s reputation may be identified during audits.