MISC Integrated Annual Report 2020

• ERM

The Group has implemented risk management best practices in the form of an ERM framework, which ensures all business risks are prudently identified, evaluated, treated and managed accordingly to achieve MISC’s strategic objectives. The risk management process in MISC requires management to identify business risks at the strategic, operational and tactical levels, to assess these risks in terms of likelihood and magnitude of impact, and to identify and evaluate the adequacy of the mechanisms in place to manage these risks.

Key risks covering financials, asset performance, major health, safety, security and environment (HSSE) incidents, project management and human resources are monitored closely at the Company’s quarterly RMC and BARC meetings. This process involves assessments at business and service unit/subsidiary levels before being examined at the Group level, taking into account the strategic perspective.

In sustaining the achievement of business objectives, it is important to manage risks across the Group on an integrated basis, with a balanced view of the risks taken against the rewards of business performance. The business units, service units and key subsidiaries are required to perform an annual review of their risk profiles, with an emphasis on linking risks to MISC’s business objectives. In addition, Key Risk Indicators (KRIs) were reviewed and identified to monitor the movement of risks throughout the year, enabling management to act and take the necessary measures in managing risks to ensure that strategic initiatives are implemented effectively and business objectives are met.

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

RISK POLICY

MISC’s Risk Policy guides the overall best practice of identifying, evaluating, managing, reporting and monitoring the ever-changing risks faced by the Group, and the specific measures to mitigate these risks. The emphasis is to effectively reduce the impact of risks, respond to immediate risk events and recover from prolonged business disruption to ensure continuity and sustainability of key business activities as well as delivery of business objectives.

MISC is committed to becoming a risk-resilient organisation. MISC shall continuously strive to implement:
• Risk management best practices to protect and create value within the set boundaries; and
• Risk-based decision making by providing a balanced and holistic view of exposure to achieve business objectives.

Managing risk is everyone’s responsibility.

RISK MANAGEMENT FRAMEWORK

The Company’s risk management framework is used to identify, evaluate and manage the principal risks of the Group as described in pages 84 to 89. Appropriate internal control systems are also implemented to manage these risks, details of which are set out in the following pages.

Risks across the Group are being managed on an integrated basis within stipulated and approved Limits of Authority (LOA). Evaluations of those risks are incorporated into the decision-making process. The Board adopts the PETRONAS Resiliency Model, which provides an integrated view for managing risks and is also guided by international best practice as per ISO 31000.

CM defines the structure and processes for managing emergencies, including crises, at both domestic and international operations.

BCM ensures a structured recovery of business operations and business continuity in the event of a crisis or prolonged business disruption.

The ERM process is an integral part of managing the business and provides a guide to systematically identify, assess, treat, monitor and review risks. It aims to improve the ability to reduce the likelihood and impact of identified risks that may affect the achievement of business objectives.
PETRONAS Resiliency Model
• Enterprise Risk Management (ERM)
• Crisis Management (CM)
• Business Continuity Management (BCM)

ERM FRAMEWORK

GOVERNANCE
• Risk policy
• Organisation structure
• Roles and responsibilities

CONTEXT SETTING
• External context
• Internal context
• Risk appetite
• Risk criteria

RISK ASSESSMENT
• Risk identification
• Risk analysis
• Risk evaluation

RISK TREATMENT
• Risk treatment strategy
• Risk treatment plan

MONITORING & REPORTING
• Risk reporting and monitoring
• Risk information system

CONTINUAL IMPROVEMENT
• System monitoring and review
• Risk assurance
• ERM capability
