Risk Management Policy & Procedure Document


Sunway Berhad
Risk management policy and procedure document

Contents                                                        Page No.

Policy statement
1  Introduction                                                 1–7
   1.1  Objective
   1.2  Benefits
   1.3  Restriction
   1.4  Definition of risk
   1.5  Definition of Enterprise Risk Management
   1.6  Factors demanding the management of risk
   1.7  Listing requirements for risk management
   1.8  Critical success factors for risk management
   1.9  Risk management context and accountabilities
2  Risk management strategy and policy of Sunway Group          8–9
   2.1  Risk strategy
   2.2  Risk management policy
   2.3  Applicability
3  Risk structure                                               10–15
   3.1  General concepts
   3.2  Risk organisation structure
   3.3  Responsibility for risk management
4  Risk assessment process                                      16–24
   4.1  Overview
   4.2  Preparation
   4.3  Gross risk analysis (Workshop – Session A)
   4.4  Control assessment (Pre-Work for Workshop – Session B)
   4.5  Conduct workshop – Session B
5  Risk communication                                           25–26
   5.1  General concepts
   5.2  Nature and timing of reporting
6  Risk action plan and monitoring                              27–32
   6.1  Formulating risk treatment plans
   6.2  Key monitoring functions
   6.3  Documentation
7  Integration of ERM                                           33–34
   7.1  ERM and Corporate Governance
   7.2  ERM and Strategic Planning
   7.3  ERM and Balanced Scorecard (“BSC”)
8  Conclusion                                                   35

Confidential Sunway Berhad. All rights reserved. May not be reproduced without permission.

Appendices

Appendix A: Guidance on risk treatment options
Appendix B: Risk categories
Appendix C: Risk parameters
Appendix D: Template for risk workshop preparation
Appendix E: Risk register

Abbreviations

AC - Audit Committee
Sunway or the Company - Sunway Berhad
Board Committee - Sunway’s Board of Directors Committee
BOD - Sunway’s Board of Directors
BSC - Balanced Scorecard
CEO - Chief Executive Officer
CRO - Chief Risk Officer
ERM - Enterprise risk management
RMC - Risk Management Committee
HOD - Heads of Division/ Department
MD - Managing Director
PLC - Public Listed Company
RC - Risk Coordinator
RMP&P/ document - Risk Management Policy and Procedures document
SIC - Statement on Internal Control
the Group - Sunway and its subsidiaries and significant associates

Key Terms

Establishing a common language for risk is important in promoting the practice of consistent and effective risk management across the diverse activities of Sunway Group. The terms used in this manual are listed below, together with practical descriptions of their meaning.

ERM framework
A structured and disciplined approach aligning strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the risks an organisation faces as it seeks to create value – in essence, every employee is part of the Group risk management framework.

Gross risk
The level of impact and likelihood of a risk before any control or risk mitigation is applied.

Key risks
Those risks that have been assessed as being most critical to the achievement of the Group’s business objectives.

Likelihood of occurrence
The probability that a particular risk will occur. Probabilities range from rare to almost certain and are evaluated against a defined time period.

Management
Consists of management personnel in Sunway, its subsidiaries and associates.

Objectives
A description, in measurable terms, of what must be accomplished in order to reach the Group’s goals.

Net (residual) risk
The remaining level of risk after risk treatment or controls have been applied.

Risk
Risk is the effect of uncertainty on objectives.
NOTE 1 An effect is a deviation from the expected — positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events and consequences, or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.
(Source: ISO 31000: 2009 – Risk Management Principles and Guidelines)

Key Terms (cont’d)

Risk impact/ consequences
An evaluation of the significance of a particular risk to the organisation. The magnitude of impact is determined with respect to the organisation’s appetite and capacity for risk, and its organisational objectives.

Risk appetite
Risk appetite is defined as the level of risk Sunway is prepared to accept to achieve its objectives, measured in terms of variability of return (i.e. risk) in order to achieve a desired level of result (i.e. return), as set out in the risk parameters.

Risk management
Risk management is a continuous, proactive and systematic process to recognise, manage and communicate risk from an organisation-wide perspective. It is about making strategic decisions that lead to achievement of the organisation’s overall corporate objectives.

Risk management policy
The document outlining the vision, objectives, principles and guidelines for risk and assurance in the Group.

Risk management representative
Individual(s) within the Group, consisting of the Risk Coordinator and Risk Assistant, who are responsible for coordinating risk management activities within their operating divisions, subsidiaries and associates.

Risk owner
The individual with overall responsibility for managing an identified risk.

Risk parameter
Used to estimate the consequences of a risk should it occur; based on Sunway’s “risk appetite”.

Stakeholder
Any individual or group, internal or external, with an interest in the Group, including:
- Shareholders
- Customers
- Bankers
- Directors
- Business/ Joint Venture partners
- Suppliers
- Employees
- Government agencies/ regulators
- Community

Policy statement

Sunway is committed to integrating risk management practices into all business processes and operations to drive consistent, effective and accountable action and management practices.

Sunway recognises that risk is dynamic and is inherent in all external and internal operating environments, and is committed to managing risks effectively. Just as risk is inherent in our operations, risk management is also inherent in all decision-making and management processes.

Effective risk management provides the means for achieving competitive advantage and is pivotal to safeguarding assets, enabling the on-going growth and success of our business. To meet this commitment, risk management is to be every employee’s business. All employees are responsible and accountable for managing risk within their area of responsibility.

It is important that Sunway has a robust Risk Management Framework in which critical risks are proactively identified, communicated and managed across the organisation. Sunway’s fundamental, underlying risk management principles are consistent with the ISO 31000 risk standard and the COSO framework for Enterprise Risk Management. Management is committed to ‘best practice’ risk management practices across the business, both in Malaysia and internationally.

Risk management is a priority and will be implemented through consultation with the Board, President, Directors, Executives and all employees.

Risk Management Committee
Date:

1. Introduction

This risk management policy and procedure document (“document”) is designed to:
- establish the context for an embedded Enterprise Risk Management (“ERM”) framework within Sunway Berhad (“Sunway” or “the Company”), its subsidiaries and significant associates (“Sunway Group” or “the Group”);
- formalise the ERM functions across Sunway Group;
- sensitise staff more strongly to risk identification, measurement, control, ongoing monitoring, responsibilities and accountabilities;
- coordinate and standardise the understanding and application of ERM within Sunway Group; and
- ensure compliance by Sunway’s Board with its organisational obligations and duties of care in accordance with the Malaysian Code on Corporate Governance (“MCCG”) and the Listing Requirements (“LR”) of Bursa Malaysia Securities Berhad.

This document is a corporate policy applicable to Sunway Group. It defines the standard conditions and minimum requirements for ERM by the Company, all its subsidiaries and significant associates.

1.1 Objective

The objectives of the Group’s risk management policy and procedure document are to:
- outline the Group’s risk context, which comprises the Group’s philosophies, strategies and policies, and operating system, so as to better manage the business risks faced by the Group;
- provide guiding ERM principles to Heads of Division to govern the actions of their operating personnel pertaining to risks; and
- provide assurance to the Board that a sound risk management and internal control system is in place and in accordance with the regulatory bodies’ requirements.

This document shall be reviewed periodically to ensure that it remains consistent with the business and market environment that Sunway Group faces.

To realise the Group’s ERM objectives, we will:
- ensure that an appropriate ERM framework is in place and that it is aligned to Sunway’s business strategy;
- support the framework and strategy with an appropriate organisational structure and ensure that associated responsibilities are clearly defined and communicated at all levels;
- ensure the risk management process is applied systematically across the Group to identify, assess, treat and manage risks that threaten resources or the achievement of objectives;
- ensure that risk information is communicated through a clear and robust reporting structure; and

- integrate ongoing ERM activities within the business of the Group.

1.2 Benefits

The benefits to be derived from an effective ERM framework include the following:
- a platform to enable Sunway Group to anticipate and respond to risks effectively;
- encourages comprehensive and reliable sources of information on the status of risks and controls;
- minimisation of the likelihood of unexpected damage to the Group’s financial performance, reputation and stakeholder confidence;
- the opportunity to align corporate strategy with risk strategy;
- a tool which allows management of risks affecting both tangible and non-tangible assets;
- an opportunity to eliminate cost through more targeted and effective controls that are aligned to key objectives and risks;
- provides the basis for more effective strategic planning;
- contributes to improved organisational efficiency and effectiveness;
- enables optimum use of resources;
- provides Management with a concise summary of the major risks affecting the Group and a mechanism to ensure that appropriate resources are directed towards areas of high risk; and
- provides a framework for ensuring that unavoidable risks are adequately managed.

1.3 Restriction

This RMP&P is not for general circulation, nor is it to be reproduced, either in part or in full, or used for any other purpose without Management’s prior written consent. Management does not assume any responsibility or liability arising from any losses, however occasioned, by any other party because of circulation, publication, reproduction or use of this document.

1.4 Definition of risk

Risk may be viewed as “the effect of uncertainty on objectives”; it thus includes the threat of certain events, actions or loss of opportunity that, if it occurs or crystallises, will adversely affect any or a combination of the following:
- value to Sunway’s shareholders and other stakeholders;
- ability to achieve objectives;
- ability to implement business strategies;

- manner in which operations are conducted; and
- Sunway’s reputation.

As may be appreciated from this concept, and due to the diversity of business objectives, strategies and operations, an entity faces a multitude of risks. These may be categorised in general into strategic risks, operational risks and project risks, which are dealt with in Section 1.9. Because the future as such is uncertain, any business activity is associated with risks and rewards, and its very objectives are to identify and reap rewards and opportunities, as well as to manage and control the resulting risks.

1.5 Definition of Enterprise Risk Management

ERM is a structured and disciplined approach aligning strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the risks the Group faces as it creates value.

“Enterprise-wide” means the removal of traditional functional, divisional, departmental or cultural barriers. A truly holistic, integrated, future-focused and process-oriented approach helps the Group manage all key business risks and opportunities with the intent of maximising shareholder value for the Group as a whole.

ERM shall be a core management competency that incorporates a well-structured, systematic process to identify business risks and lessen their impact on the Group. This involves the following core elements:
- the identification of each business risk;
- the measurement of the identified business risk;
- the control, or the way the risk is managed, in line with the needs of the Sunway Group’s policies and strategies; and
- constant monitoring and communication of risks associated with any activity, function or process in a way that will enable the Sunway Group to minimise losses and maximise opportunities.

The risk management framework, as shown in Diagram A below, provides a holistic view of how risks and strategies are linked to a performance management system such as the Balanced Scorecard (“BSC”) in order to achieve the Group’s business objectives. It also assists in identifying the changes and efforts required to embed an effective risk management process. Further information on the integration of ERM is given in Section 7 of this document.

Diagram A: An integrated ERM framework with BSC.

The risk management framework provides the basis for challenging the maturity of risk management in organisations and assists with identifying practical and relevant steps to move along the maturity continuum, depending upon the desire for change within the organisation.

In this context, the ERM framework that Sunway could adopt would consist of five elements, in line with globally accepted risk standards such as the ISO 31000 Risk Management Principles, as depicted in Diagram B below:

Diagram B: Five key elements of ERM Framework

1.6 Factors demanding the management of risk

The global pace of change, resource constraints, demands from stakeholders for growing openness, transparency and accountability, and continued pressures for organisational change all have an impact on the Sunway Group. These factors demand that Sunway Group have a more systematic risk management structure.

Broadly, the benefits of managing risk include the following:
- early exploitation of business opportunities;
- increased likelihood of achieving business objectives;
- recognition of the upside of risk;
- increased market capitalisation;
- more effective use of management time, and avoidance of “fire-fighting”;
- lower cost of capital;
- fewer unexpected threats to the business;
- more effective management of change; and
- clearer strategy setting.

By consciously and regularly looking for “what else might happen” scenarios, and by discovering possible unintended consequences in advance of choosing a particular course of action, our decision-making will be based upon more relevant and complete information, and we will significantly decrease the chances of being “blindsided” by some unforeseen scenario or potential crisis. We will also have better contingency plans prepared should one of the risk scenarios materialise.

1.7 Listing requirements for risk management

Chapter 15 of the Listing Requirements (“LR”) of Bursa Malaysia sets out the key corporate governance requirements for PLCs.

In effect, the Malaysian Code on Corporate Governance (“MCCG”) was given its practical efficacy through the key provisions in the LR on corporate governance disclosure requirements in the annual reports of PLCs.

The main requirement is for the BOD to maintain a sound system of internal control within the PLC group, where the monitoring of risks and controls is embedded into the fabric of the Group through the implementation of an ERM system which balances risks and controls.

This ERM system is supplemented by objective assurance on the adequacy and integrity of the internal control system, provided by an independent internal audit function.

1.8 Critical success factors for risk management

The successful management of risk within the Group will depend upon:
- risk management being an integral part of strategic, project and operational planning and activities throughout all levels of the Group;
- risk management being openly accepted and supported by the Group’s leadership as providing good business value, with this acceptance reinforced through avenues such as managers’ and staff performance requirements and as part of their performance assessment criteria; and
- risk management being easy to incorporate into our daily activity and being seen as helpful to us in achieving our vision and strategic goals.

1.9 Risk management context and accountabilities

The context within which we manage our risks, and the key focus of accountability for this, is as follows:

1.9.1 Strategic risk

Strategic risks are primarily risks caused by events that are external to the Group but have a significant impact on its strategic decisions or activities.

The causes of these risks include such areas as national and global economies, government policies and regulations, inflation, geopolitical changes, interest rates and climatic change. Often, they cannot be predicted or monitored through a systematic operational procedure. The lack of advance warning and the frequent immediate response required to manage strategic risks mean they are often best identified and monitored by senior management as part of their strategic planning and review mechanisms.

Accountability for managing strategic risks therefore rests with the Board and the President. The benefit of effectively managing strategic risks is that we can better forecast and quickly adapt to the changing demands that are placed upon the Group. It also means that we are less likely to be surprised by some external event that calls for significant change.

1.9.2 Operational risk

Operational risks are inherent in the ongoing activities within the different business units or subsidiaries of the Group. These are the risks associated with such areas related to the day-to-day operational performance of staff, the risks caused by the company structure and the manner
