MISC Integrated Annual Report 2020

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

PRA is a stringent tool adopted by the Group in identifying a project’s risks prior to embarking on a new capital-intensive project. PRA enables the business to identify and implement appropriate controls to mitigate the risk of projects. In addition, the PRA advocates and ensures a consistent approach to project prioritisation during the overall planning and budget cycle throughout the Group, whilst promoting investment discipline. Ultimately, the objective of PRA is to ensure that project returns are commensurate with the level of risk taken. PRA is conducted and deliberated at the RMC, for each project that is being considered for bid submission.

Procurement

MISC’s Procurement Manual provides the overall procurement principles, scope, functions, governance, operational procurement processes, procedures and exceptions to be adopted in relation to procurement activities within MISC. Tender Committees and Quotation Committees are established to ensure procurement activities are conducted in an effective, transparent and fair manner, whereas the Vendor Performance Review Committee is established to review, deliberate and endorse overall vendor performance matters including application for suspension, blacklisting, uplifting and reinstatement.

Project Management

Project management of LNG and AET newbuilds is handled by the Project Management Department (PMD) of the Eaglestar Group, whereas the project management for the Offshore Business will be monitored by the Project Delivery Team (PDT). The primary objective of the PMD and PDT units is to strategise, lead and control shipbuilding/conversion of vessels and conversion of floaters respectively, to ensure safe and successful execution of projects within the agreed schedule and allocated budget limits.
Two main functions of Eaglestar’s PMD are:
• Project Engineering team, which mainly manages project tendering and contracting, including feasibility studies, design and scope of work; and
• Project Management team, which handles project execution post contract signing, supervision and appraisal of builders’ performance.

PMD constantly reviews the execution of the project against the project execution plan, which includes the planned programme, procurement schedule, factory test schedule and commissioning schedule. PMD also maintains regular reporting to management on progress and escalates pertinent issues.

The Offshore Business’s PDT provides support and oversight for all project phases from bid, through Front End Engineering Design (FEED) and execution until handover to asset management. During project execution, the team will carry out regular project reviews and risk assessment and formulate risk mitigation to ensure that appropriate actions are taken in a timely manner. Independent reviews, which may include external experts if required, are performed during the project execution phase, led by MISC GIA.

Information & Communication Technology (ICT)

MISC has largely implemented Enterprise ICT systems and corporate applications to automate its core business functions and work processes. These systems run on ICT platforms and MISC network infrastructure that connects all businesses in the Group. With the recent implementation of cloud services, ICT has continued to expand its digital footprint in pursuit of operational and service excellence.

• ICT Service Continuity
In view of the COVID-19 pandemic, in March 2020, ICT exercised the ICT Service Continuity process to facilitate the Work-From-Home (WFH) transition for all employees including the sub-contractors. This is to provide continued access and availability to critical applications and services. Service desk and infrastructure are implemented to support WFH with agreed Service Level Agreement.
• ICT Project Management
The Project Management Office continues to provide management oversight on all ICT projects to ensure project delivery is done within budget, time and resources. A project management methodology is put in place to cover the end-to-end project lifecycle from project charter to project closure via an online project management platform.
• ICT Asset Management
The asset management framework provides the policy, procedures and guidelines based on ISO 20000. The primary objective is to outline the acceptable use of ICT assets by MISC employees in order to protect against theft of information and assets and damage of assets, and to promote the appropriate use of the ICT assets. Continuous monitoring of software and hardware is performed to protect from breach of copyright legislation and unauthorised or inappropriate use of ICT assets.
• Technology Lifecycle Management
To reduce total cost of ownership as part of cost saving, close monitoring of the technology lifecycle is performed from deployment and operation to expiration. Review and testing are done at each stage of the lifecycle to reduce operational downtime and minimise business disruption. A group-wide standardisation is implemented to streamline the ICT environment to benefit from cost optimisation and technology advancement.
• ICT Governance
At the governance level, the ICT Steering Committee (ITSC) provides strategic direction and guidance on ICT initiatives. Progress of ICT initiatives is monitored and reported at the ITSC meetings to ensure smooth implementation of ICT initiatives.

Cybersecurity

A five-year MISC Cybersecurity Strategic plan has been formulated under MISC Sustainability Strategy 2025 (Governance Pillar) to provide the roadmap for continuous maturity of cybersecurity in MISC. The strategy aims to reach a Tier-3 NIST (National Institute of Standards and Technology) maturity level and achieve ISO 27001 group-wide by end 2023.
This strategy is based on the internationally recognised NIST Cybersecurity Framework and the International Maritime Organization (IMO)/Tanker Management Self-Assessment (TMSA)/Baltic and International Maritime Council (BIMCO) Cybersecurity Framework. A formal cybersecurity team was set up, led by a qualified Chief Information Security Officer (CISO) reporting to the Group HSSE Council. The CISO’s office provides management oversight in line with the cybersecurity strategy.

The strategy comprises:
• Cybersecurity Governance
The cybersecurity governance framework outlines the policies and procedures, specifies the cybersecurity control standards and ensures a consistent approach to risk management for the Group.
• Cybersecurity Operation
A cybersecurity remediation plan is put in place resulting from the cybersecurity technical assessment. This is to address the cybersecurity gaps by implementing the relevant controls to safeguard the ICT infrastructure and continued protection of information against internal and external cyber threats.
• Cybersecurity Culture
Formal and structured cybersecurity campaigns and awareness programmes are conducted, combining MISC internal cybersecurity training and email phishing campaigns. On-going cybersecurity announcements are made to provide security alerts and updates of cybersecurity incidents, developing a security culture where everyone understands that cybersecurity is everyone’s responsibility.

The progress of all initiatives is reported regularly to the MISC Group HSSE Council. The Board has been apprised of the MISC Cybersecurity strategy. Amongst the achievements in 2020 is that MISC has been audited by the certification body and is currently fully certified in line with IMO 2021 cybersecurity compliance for ships.