Yinson Integrated Annual Report 2025

GOVERNANCE | STATEMENT ON RISK MANAGEMENT & INTERNAL CONTROL

The risk governance structure ensures effective risk identification and escalation mechanisms, equipping the Board with comprehensive and timely assurance of the key risks and controls. It clearly delineates roles and responsibilities across each line of defence. It also ensures the seamless implementation of the updated ERM Policy Statement and Framework.

ENTERPRISE RISK MANAGEMENT

Enterprise Risk Management process

The Group ERM Policy Statement and Framework is meticulously aligned with the globally recognised ISO 31000:2018 Risk Management Guidelines, ensuring a structured and integrated approach to managing risks across the Group. This alignment underscores the Group’s commitment to achieving its strategic objectives while safeguarding its assets, reputation, and stakeholder value. The key elements of aligning with ISO 31000 include:

• Three Lines of Defence Model: The framework adopts this model to delineate clear responsibilities across operational, oversight, and assurance roles, ensuring comprehensive risk governance.
• Risk Integration into Strategic Planning: The framework embeds risk considerations into decision-making processes, reflecting ISO 31000’s emphasis on integrating risk management into all organisational activities.
• Continuous Monitoring and Improvement: In line with ISO 31000’s iterative process, the framework emphasises ongoing risk monitoring, review, and adaptation to address the dynamic risk landscape.

Development of controls

The ERM framework prioritises robust control mechanisms to address identified risks effectively. The development of controls follows a methodical approach:

1. Identification of key controls: Controls are identified based on their ability to comprehensively address root causes and mitigate risks. These controls are categorised into:
   • Preventive Controls: Designed to preclude the occurrence of risks (e.g., cybersecurity awareness training, environmental screenings).
   • Detective Controls: Focused on identifying risks post-occurrence (e.g., compliance audits, Key Risk Indicators).
   • Corrective Controls: Aim to reduce the impact of materialised risks (e.g., insurance programmes, disaster recovery plans).
2. Assessment of control effectiveness: Controls are evaluated for their design, implementation, and impact on mitigating risks, classified as:
   • Effective: Fully address risk vulnerabilities and function consistently.
   • Moderately Effective: Address aspects of risk but require enhancement.
   • Ineffective: Provide minimal mitigation and necessitate significant improvement.
3. Implementation and testing: Controls are integrated into operational processes and subjected to regular testing to ensure functionality and reliability.
4. Review and adaptation: Regular assessments and updates of controls ensure alignment with evolving risks and organisational objectives.

Risk treatment process

Yinson’s risk treatment process is integral to its ERM framework, which is aligned with globally recognised standards to ensure a systematic and effective approach to managing residual risks. The methodology is designed to evaluate and address risks in a manner that aligns with the Group’s defined risk appetite and strategic objectives.

Key risk treatment strategies

1. Avoidance
Certain risks are mitigated by discontinuing or refraining from activities that give rise to the identified risk. This approach is applied selectively to ensure that risk avoidance does not inadvertently lead to missed opportunities or increased risks.

2. Acceptance
When risks are retained, a thorough cost-benefit analysis encompassing financial and non-financial factors supports the decision. This strategy is employed when the residual risks are within acceptable thresholds, and the potential rewards justify retention.

3. Modification
Risks are mitigated by reducing their likelihood (pre-event measures), actual impact (post-event measures), or both. Examples include implementing enhanced controls, adopting new technologies, or improving processes to strengthen resilience.

4. Sharing
Transferring risks to third parties through mechanisms such as subcontracting, joint ventures, partnerships, outsourcing, or insurance allows for the effective distribution of risk exposure. Such measures are often accompanied by associated costs, such as insurance premiums or contractual agreements.

Governance of residual risks

Risks beyond the Group’s defined risk appetite are assessed and managed through a structured governance process. Where avoidance or transfer options are impractical, residual risks are evaluated based on risk-return trade-offs and strategic objectives. Continuous monitoring, modification through action plans, and reporting to relevant oversight bodies ensure that such risks are managed within an acceptable framework.
