Yinson Integrated Annual Report 2026

GOVERNANCE | STATEMENT ON RISK MANAGEMENT & INTERNAL CONTROL

ENTERPRISE RISK MANAGEMENT

Enterprise Risk Management process

The Group ERM Policy Statement and Framework is aligned with ISO 31000:2018 Risk Management Guidelines, ensuring a structured and integrated approach to managing risks across the Group. This alignment underscores the Group's commitment to achieving its strategic objectives while safeguarding its assets, reputation and stakeholder value. Key elements of alignment with ISO 31000 include:

• Three Lines Model: The framework adopts this model to delineate clear responsibilities across operational, oversight and assurance roles, ensuring comprehensive risk governance. Risk ownership resides within the businesses, GRC provides oversight and coordination, and IA provides independent assurance.

• Risk Integration into Strategic Planning: The framework embeds risk considerations into decision-making processes, reflecting ISO 31000's emphasis on integrating risk management into all organisational activities.

• Continuous Monitoring and Improvement: In line with ISO 31000's iterative process, the framework emphasises ongoing risk monitoring and review, and adaptation to emerging risks, to address the dynamic risk landscape.

This approach facilitates effective identification, assessment, evaluation, treatment, monitoring and reporting of existing and emerging risks. The overview and interrelation of the Enterprise Risk Management (“ERM”) framework components is depicted below:

[Figure: ERM framework components. Labels recovered from the diagram: Establishing Context; Risk Identification; Risk Analysis; Risk Evaluation; Risk Treatment; Risk Control Self-Assessment; Communication & Consultation; Monitoring and Review; Recording and Reporting.]

Development of controls

The ERM framework prioritises robust control mechanisms to address identified risks effectively. The development of controls follows a methodical approach:

1. Identification of key controls: Controls are identified based on their ability to address root causes and mitigate risks comprehensively. These controls are categorised into:

• Preventive Controls: Designed to stop a risk event from occurring (e.g., cybersecurity awareness training, environmental screenings).

• Detective Controls: Focused on identifying risk events after they have occurred (e.g., compliance audits, key risk indicators).

• Corrective Controls: Aim to reduce the impact of materialised risks (e.g., insurance programmes, disaster recovery plans).
