Enterprise Risk Management

Under the corporation’s Code of Corporate Governance, one of the main responsibilities of the Board of Directors is to identify key risk areas and performance indicators and to monitor these factors with due diligence, so that the corporation can anticipate and prepare for possible threats to its operational and financial viability.

Furthermore, Securities and Exchange Commission (SEC) Memorandum Circular #19, series of 2016, requires companies to have a strong and effective internal control system and enterprise risk management framework to ensure integrity, transparency and proper governance in the conduct of their affairs.

It is in view of this that an enterprise-wide approach to risk management is deemed very useful and critical in providing the Board and Management with reasonable assurance that risks – which may adversely affect the corporation’s ability to achieve its business objectives, comply with regulatory requirements and maximize shareholder value – are identified, monitored and effectively mitigated.

To ensure that needed measures are in place, the corporation has established an Enterprise Risk Management (ERM) Process that will provide a focused and disciplined approach to managing these risks. The corporation shall proactively manage its perceived risks by continuously identifying, mitigating or controlling and monitoring serious risks in collaboration with key risk owners, critical support units and, if necessary, with proper external entities.



The Corporation adopts a comprehensive approach to understanding and proactively managing the risks we face in our business.

We recognize that taking business decisions which entail calculated risks, and managing those risks within approved tolerances, is fundamental to delivering long-term value to our shareholders and meeting our commitments to employees, tenants, customers, contractors, business partners and members of the communities in which we do business. We believe risk management must be integrated into the day-to-day management and operation of our business. It should guide our decision-making and form an integral part of our culture. Our risk management strategies are guided by the ISO 31000 Risk Management Standard and other applicable international standards.

With the effective management of risks being vital to the continued growth and success of the Corporation, we hereby state and commit that:

1. Risks faced by the Corporation shall be identified, monitored and managed effectively to the best of our ability at all times. The Corporation will use its risk management capabilities to maximize the long-term fundamental value of its assets, existing business portfolio, and future business opportunities.

2. Enterprise Risk Management will be embedded in the Corporation’s critical business activities, functions, and processes. The understanding of key risks and the Corporation’s appetite and tolerance for these risks will be critical considerations in the various decision-making processes involving our business units, including project planning, launch and delivery, capital and resource allocation, investment and partnering opportunities, business operations, sales and marketing, service support, and others.

3. A robust risk assessment system, methodology, and reporting structure will be used with all risk issues identified, analyzed, assessed, and monitored in a consistent manner. Risk controls will be designed and implemented to reasonably assure the achievement of the Corporation’s goals and objectives. The effectiveness of these controls and the mitigating strategies and action plans will be systematically reviewed and, where necessary, improved. The performance of our risk management activities will be regularly monitored, reviewed and reported. The risk management function will be implemented by the Opportunity and Risk Management (ORM) Department, with oversight from the Board of Directors through the Executive Committee and the Office of the Chief Operating Officer.



Enterprise Risk Management Process

Risk Identification. The purpose of risk identification is to find, recognize and describe risks that might help or prevent an organization achieving its objectives. Relevant, appropriate and up-to-date information is important in identifying risks.

Risk Analysis. The purpose of risk analysis is to comprehend the nature of risk and its characteristics including, where appropriate, the level of risk.

Risk Evaluation. The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required.

Risk Treatment. The purpose of risk treatment is to select and implement options for addressing risk. Risk treatment involves formulating and selecting risk treatment options, planning and implementing risk treatment, assessing the effectiveness of that treatment, deciding whether the remaining risk is acceptable and, if it is not acceptable, taking further treatment.