Integrated Annual Report 2021

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL
GOVERNANCE

Project Management

Project management of LNG and AET newbuilds is handled by the Project Delivery and Technology department (PD&T) of the Eaglestar Group, whereas the project management for the Offshore Business will be monitored by the PD&T of the Offshore Business unit. The primary objective of the PD&T department is to strategise, lead and control shipbuilding/conversion of vessels and newbuild/conversion of floaters respectively, to ensure safe and successful execution of projects within the agreed schedule and allocated budget limits.

Two main functions of Eaglestar’s PD&T are:
• Project engineering team, which mainly manages project tendering and contracting, including feasibility studies, design and scope of work; and
• Project management team, which handles project execution post contract signing, supervision and appraisal of builders’ performance.

PD&T constantly reviews the execution of the project against the project execution plan, which includes the planned programme, procurement schedule, factory test schedule and commissioning schedule. PD&T also maintains regular reporting to management on progress and escalates pertinent issues.

The Offshore Business’s PD&T provides support and oversight for all project phases from the bid, through Front End Engineering Design (FEED) and execution until handover to asset management. During project execution, the team will carry out regular project reviews and risk assessments and formulate risk mitigation to ensure that appropriate actions are taken in a timely manner. Independent reviews, which may include external experts if required, are performed during the project execution phase, led by MISC GIA.

Information & Communication Technology (ICT)

MISC has largely implemented Enterprise ICT systems and corporate applications to automate its core business functions and work processes.
These systems run on ICT platforms and MISC network infrastructure that connects all businesses in the Group. With the recent implementation of Cloud services, ICT has continued to expand its digital footprint in pursuit of operational and service excellence.

• ICT Service Continuity
  In view of the COVID-19 pandemic in 2020-2021, ICT has exercised the ICT Service Continuity process to facilitate the Work-From-Home transition for all staff, including sub-contractors. This is to provide continued access to, and availability of, critical applications and services. Service desk and infrastructure are implemented to support Work-From-Home with the agreed Service Level Agreement.

• ICT Project Management
  The Project Management Office continues to provide management oversight on all ICT projects to ensure project delivery is done within budget, time and resources. A project management methodology is put in place to cover the end-to-end project lifecycle from project charter to project closure via an online project management platform.

• ICT Asset Management
  The asset management framework provides the policy, procedures and guidelines based on MISC CoBE, MISC Cybersecurity Control Standards and other relevant standards. The primary objective is to outline the acceptable use of ICT assets by MISC staff in order to protect against theft of information and assets and damage of assets, and to promote the appropriate use of the ICT assets. Continuous monitoring of software and hardware is performed to protect against breaches of copyright legislation and unauthorised or inappropriate use of ICT assets.

• Technology Lifecycle Management
  To reduce the total cost of ownership as part of cost saving, close monitoring of the technology lifecycle is performed from deployment and operation to expiration. Review and testing are done at each stage of the lifecycle to reduce operational downtime and minimise business disruption.
  A group-wide standardisation is implemented to streamline the ICT environment to benefit from cost optimisation and technology advancement.

• ICT Governance
  The Information Technology (IT) Program Committee (ITPC) serves as the central platform for MISC Group in evaluating and monitoring ICT strategic investments. ITPC provides management oversight and business alignment on ICT strategic initiatives as well as governance oversight on ICT financial and risk management. Progress of the various ICT strategic initiatives is reported at the ITPC meetings, where assessment and monitoring of progress and performance measurement of these initiatives are conducted to ensure smooth and successful implementation.

Cybersecurity

A 5-year MISC Cybersecurity Strategic Plan has been formulated under MISC Sustainability Strategy 2025 (Governance Pillar) to provide the roadmap for the continuous maturity of cybersecurity in MISC. The strategy aims to reach a Tier-3 NIST (National Institute of Standards and Technology) maturity level and achieve ISO27001 group-wide by end of 2023. This strategy is based on the internationally recognised NIST Cybersecurity Framework (CSF) and International Maritime Organization (IMO)/Tanker Management Self-Assessment (TMSA)/Baltic and International Maritime Council (BIMCO) Cybersecurity Framework.

A formal cybersecurity team has been established, led by a qualified Chief Information Security Officer (CISO) reporting to the Group HSSE Council. The CISO office provides management oversight in line with the cybersecurity strategy. The strategy comprises:

• Cybersecurity Governance
  The cybersecurity governance framework outlines the policies and procedures, specifies the cybersecurity control standards and ensures a consistent approach to managing cybersecurity for the Group.

• Cybersecurity Risk Management
  Cybersecurity risks are managed by the team based on a group-wide methodology.
  All projects and implementations of IT facilities will be assessed and remediated prior to handing over to operation. Regular assessments are conducted to identify changes in risk profiles and ensure continuous improvements.

• Cybersecurity Culture
  Formal and structured cybersecurity campaigns and awareness programmes are conducted, combining MISC internal cybersecurity training and email phishing campaigns. Ongoing cybersecurity announcements are made to provide security alerts and updates on cybersecurity incidents, developing a security culture where everyone understands that cybersecurity is everyone’s responsibility.

The progress of all initiatives is reported regularly to MISC Group HSSE Council. The Board has been apprised of MISC Cybersecurity strategy.

Human Resource

The professionalism and competency of employees are enhanced through structured development programmes, and potential entrants or candidates are subject to a stringent recruitment process.

A Performance Management System was established with performance indicators to measure employees’ performance, and performance reviews are conducted twice annually. Action plans to address employees’ developmental requirements are prepared and implemented in a timely manner. This is to ensure that employees are able to deliver the expected performance so that the Group can meet its plans and targets.

A structured Succession Planning framework was developed and implemented to identify and develop a leadership pipeline in the Group. The Succession Planning framework takes into account the potential successor’s performance track record, leadership capability and display of the MISC cultural beliefs. The Succession Planning framework also provides development plans to be mapped appropriately for each potential successor in order for them to be ready to assume critical positions as the opportunity arises.
A special talent review session led by the Management Development Committee is conducted bi-annually to assess and gauge the identified talent pool’s suitability as well as their readiness level for the proposed critical position.
