MISC Annual Report 2019

In addition, the following summarises the key risk management activities undertaken during the year under review:

• Embedding risk management into the annual business plan

In sustaining the achievement of business objectives, it is important to manage risks across the Group on an integrated basis, with a balanced view of the risks taken against the rewards of business performance. The business units, service units and key subsidiaries are required to perform an annual review of their risk profiles, with the emphasis on linking risks to MISC’s business objectives. In addition, KRIs were reviewed and identified to monitor the movement of risks throughout the year, thus enabling Management to act and take the necessary measures in managing risks, to ensure that strategic initiatives are implemented effectively and business objectives are met. For the purpose of risk reporting, a breach of a risk event is reported to the RMC and BARC on a quarterly basis, complete with action plans to mitigate the relevant risks.

• Project Evaluation

The Group continues to use a risk-based pricing framework to ensure that the returns of any capital investment or project adequately cover the risks assumed for undertaking such an investment or project. Amongst the risk elements considered in the Project Risk Assessment (PRA) are counterparty credit risk, project tenure, the assumed level of debt taken to fund the project and the residual value risk of the asset at the end of the contract period. PRA is a stringent tool adopted by the Group to identify a project’s risks prior to embarking on a new capital-intensive project. PRA enables the business to identify and implement appropriate controls to mitigate project risks. In addition, the PRA advocates and ensures a consistent approach to project prioritisation during the overall planning and budget cycle throughout the Group, whilst promoting investment discipline.
Ultimately, the objective of PRA is to ensure that project returns are commensurate with the level of risk taken. During the year under review, 14 PRAs were conducted and deliberated at the RMC.

• Crisis Management

Crisis Management is an integrated process that aims to prepare an organisation to respond to and manage crises in the risk areas, to protect people, the environment, assets and reputation. A three-tiered response system demarcates the roles and responsibilities between emergency site management, business unit/subsidiary management, corporate and internal/external response agencies and/or authorities. During the year under review, drill exercises were conducted once every three months for vessel emergencies. Drill exercises carried out via simulation of test scenarios validate the effectiveness of response plans, as well as promote continuous improvement as identified in the Group Crisis Management Plan (GCMP). Drill exercise programmes are also being carried out at the respective business units and subsidiaries.

• Business Continuity Management

Business Continuity Management (BCM) aims to build the capability of the MISC Group to recover and continue the operations of critical business functions in the event of disruption. Business Continuity Planning (BCP) was established through the BCM process to enhance the MISC Group’s preparedness to recover and restore businesses’ critical functions within a reasonable period of time, towards sustaining the Group’s activities and minimising disruptions to stakeholders. Simulation exercises of test scenarios validate the effectiveness of recovery strategies, as well as maintain a high level of competence and readiness as identified in the BCP. While BCP simulations are carried out once every three years, Business Impact Analysis and recovery plan reviews are carried out on a yearly basis.
The Group has gone a step further in enhancing our GCMP and BCP by developing an incident response plan for cybersecurity that provides structure and guidance for investigating and responding to cybersecurity incidents in a systematic manner. The plan is intended to prevent or minimise disruption of critical information systems and loss or theft of sensitive or critical information, and to enable quick and efficient remediation and recovery following cybersecurity events.

Key Risk Areas

• A Corruption Risk Assessment was conducted through a Corruption Risk Management (CRM) Workshop held in October 2019 to ensure that a comprehensive Anti-Bribery and Corruption (ABC) risk assessment is completed, with adequate mitigation measures in place and captured in MISC’s ERM system. This is to further ensure MISC’s readiness for the new provision in the MACC Act (Amendment 2018) under Section 17A: Corporate Liability, which will take effect from 1 June 2020. A similar CRM Workshop, with the same outcome, is planned to be conducted for the other subsidiaries in 2020.

• MISC’s management has endorsed the establishment of a dedicated Cybersecurity team led by a Head of Cybersecurity, who will be responsible for all cybersecurity programmes for the MISC Group onshore and offshore. The Cybersecurity team, together with the Information and Communications Technology (ICT) department, is tasked with implementing comprehensive programmes covering user awareness, cybersecurity processes and technologies, which are targeted to be completed by 2021. The status of cybersecurity programmes is presented periodically as a permanent item on the MISC HSSE Council and BARC agendas respectively. A total of 16 action items were completed in 2019. The Cybersecurity transition team, made up of members from Group HSSE and the ICT department, has operationalised the Incident Response Plan in line with the Crisis Management Plan and put in place a Detect and Response surveillance operation for active cybersecurity threats.
In summary, MISC’s cybersecurity preparedness improved reasonably in 2019 as compared to 2018. All findings and areas of improvement identified above are incorporated into the Group’s on-going improvement process and updated at appropriate review opportunities, primarily during the Group’s Annual Planning Forum, the yearly risk register review and BARC meetings.

Statement on Risk Management & Internal Control

All relevant risks that may impact the Group are evaluated as part of the risk management process. Key risks covering financials, asset performance, major Health, Safety, Security and Environmental (HSSE) incidents, project management and human resources were monitored closely at the Company’s quarterly RMC and BARC meetings. These key risks were selected based on risks that are prevalent and common across the Group, and risks that may have a significant and material impact on the Group. The RMC holds quarterly meetings to review the key risks and at the same time ensure that mitigation plans are in place to manage such risks. The adequacy and effectiveness of the controls and the robustness of the mitigation actions are also addressed. These are then further deliberated at the BARC on a quarterly basis. Several reviews and periodic tests were conducted during the year under review, as follows:

• GIA provides an independent audit on the adequacy of MISC’s risk management system and governance. The recommendations arising from the review are adopted and corrective action plans are taken for continuous improvement.

• MISC conducted 15 self-assurances through PETRONAS’ MyAssurance system. The purpose of these self-assurances is to ensure that MISC and its subsidiaries comply with the requirements established in PETRONAS’ frameworks, guidelines and guiding principles.
In addition to the yearly self-assurance process, PETRONAS also conducted an Integrated Assurance on three areas within MISC, namely the Health, Safety & Environment (HSE) Management System, Procurement and Risk Management.
