
Enterprise Risk Management Framework V.01

In order to deliver value to our stakeholders, which include our consumers, employees, communities and shareholders, IOI Properties Group Berhad must understand and manage the risks faced across our entire organization.

Risks are inherent in our business activities and can relate to strategic threats, financial impacts, operational issues, compliance with laws, and reporting obligations.

This document provides an overview of our enterprise-wide approach to risk management (the IOI Properties Group Berhad “Enterprise Risk Management Framework”) and illustrates examples of how this approach is implemented within the organization.

ENTERPRISE RISK MANAGEMENT FRAMEWORK
Version (01) .1. 2018
TABLE OF CONTENTS
OVERALL ENTERPRISE RISK MANAGEMENT FRAMEWORK OF IOI PROPERTIES GROUP BERHAD (“IOIPG”)
Abbreviations ........ 4
Key Terms ........ 5
1.0 INTRODUCTION
1.1 Overview ........ 6
1.2 Purpose ........ 7
1.3 Objective ........ 7-8
1.4 Benefit ........ 9
1.5 Restriction ........ 9
2.0 ORGANIZATION
2.1 Background ........ 10-11
2.2 Governance Structure ........ 11
2.3 Risk: Corporate vs Governance ........ 12
2.4 Governance of Risk: Three Lines of Defense ........ 13-15
2.5 Risk Culture ........ 15-16
2.6 Roles and Responsibilities ........ 16
2.6.1 Board of Directors ........ 16
2.6.2 Risk Management Committee ........ 17
2.6.3 Chief Executive Officer (CEO) / Senior Management ........ 18
2.6.4 Risk Management Department ........ 18
2.6.5 Business Units / Projects ........ 19
2.6.6 Risk Champion / Representative ........ 19
2.6.7 Project Managers ........ 19
2.6.8 Risk Quality Assurance Coordinator ........ 20
2.6.9 Group Internal Audit ........ 20
3.0 RISK AWARENESS, LEARNING AND CULTURE ........ 21
4.0 DEFINITION OF RISK & RISK MANAGEMENT
4.1 Definition of Risk ........ 21-22
4.2 Definition of Risk Management ........ 22
4.3 Definition of ERM ........ 22-23
5.0 ENTERPRISE RISK MANAGEMENT FRAMEWORK ........ 23
5.1 Overall Internal Control ........ 24
5.2 General Elements ........ 24-27
6.0 STRATEGY
6.1 Risk Management Strategy ........ 28-29
6.2 Risk Appetite ........ 29-30
6.3 Risk Response ........ 30
7.0 GUIDELINES AND PRINCIPLES ........ 31
7.1 Risk Management Principles ........ 32
7.2 Risk Management Guidelines ........ 32
8.0 RISK MANAGEMENT PROCESS ........ 33
8.1 Communication and Consultation ........ 34
8.2 Establish the Context ........ 34-35
8.3 Risk Assessment ........ 36-39
8.4 Risk Mitigation Strategies ........ 39-42
8.5 Monitoring and Review ........ 42-44
8.6 Risk Management Tool – Risk Register ........ 44-50
9.0 RISK MANAGEMENT REPORTING ........ 51-52
10.0 RISK TRAINING & DEVELOPMENT ........ 52-53
11.0 APPROVING AUTHORITY ........ 53
12.0 DATE OF IMPLEMENTATION ........ 53
13.0 REFERENCE ........ 53
14.0 COMPLIANCE ........ 53
15.0 EXCEPTIONS ........ 53

APPENDICES

Appendix 1 – RACI Matrix ........ 54
Appendix 2 – Risk Register Template ........ 55
Appendix 3 – Risk Review Report ........ 56
Abbreviations

IOIPG Group : IOIPG & Its Subsidiaries
IOIPG : IOI Properties Group Berhad
Board : Board of Directors
RMC : Risk Management Committee
CEO : Chief Executive Officer
Senior Management : Senior Management of IOIPG
PD : Property Development
PI : Property Investment
ERM : Enterprise Risk Management
RMD : Risk Management Department
BU : Business and support units or projects in IOIPG
ISO : International Organization for Standardization
ISO 31000 : International Standard for Risk Management – principles and guidelines
Standards Malaysia (MS) : Department of Standards Malaysia (JSM) under MOSTI
MS ISO 31000 : Malaysian Standard for Risk Management – principles and guidelines
MOSTI : Ministry of Science, Technology and Innovation
Framework : Enterprise Risk Management (ERM) Framework
CG : Corporate Governance
RG : Risk Governance
HR : Human Resources
IA : Internal Audit
GM : General Manager
Risk Champions : Risk representatives from each respective BU
HOD : Head of Department
Key terms
Establishing a common language for risk is important in promoting the practice of consistent and effective risk management across IOIPG. The terms used in this document are listed below, together with their intended meaning:

Enterprise Risk Management (“ERM”) framework
A structured and disciplined approach aligning strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the risks an organisation faces as it seeks to create value – in essence, every employee is an integral part of IOIPG’s enterprise risk management framework.
Gross risk
The level of impact and likelihood of a risk before any control or risk mitigation is applied.
Key risks
The risks that have been assessed and evaluated as being the most critical, resulting in significant impact on the achievement of IOIPG’s business objectives.
Likelihood of occurrence
The probability of a particular risk occurring. Probabilities can range from “low” to “very high” and are evaluated against a defined time period.
Senior Management / Management
Consists of Senior Management / Management personnel of IOIPG.
Objectives
Description of measurable targets in order to reach IOIPG’s goals.
Residual risk
The remaining risk(s) after controls have been put in place.
Risk(s)
Risk is anything that has the potential to prevent IOIPG from achieving its overall goals and objectives.
Risk impact / consequences
An evaluation of the significance of a particular risk to IOIPG. The magnitude of impact is determined in relation to the organisation’s appetite for risk and its organisational objectives.
Risk appetite
Risk appetite is defined as the level of risk IOIPG is prepared to accept to achieve its objectives, measurable in terms of the variance of return (i.e. risk) in order to achieve a desired level of result (i.e. return) as set out in the risk parameters.
Risk management
Risk management is a continuous, proactive and systematic process to recognise, manage and communicate risk from an organisation-wide perspective. It is all about making strategic decisions that lead to the achievement of IOIPG’s overall corporate objectives.
Risk owner
The individual with overall responsibility for managing an identified risk.
Risk parameter
Used to estimate the impact of a risk should it occur, and is based on IOIPG’s “risk appetite”.
Stakeholders
Any individual or group, internal or external, with an interest in IOIPG’s businesses.
1.0 INTRODUCTION

1.1 Overview
The Enterprise Risk Management (ERM) Framework is established and developed to provide a comprehensive and proactive approach towards managing risk for IOI Properties Group Berhad (IOIPG), as risk influences every aspect of our business.

Understanding the risks faced by IOIPG and managing them appropriately will enhance IOIPG’s ability to make better decisions. This will subsequently improve the group’s overall performance. It also ensures that risk objectives are properly defined and proper controls are in place. In addition, general awareness of managing risks is crucial for IOIPG.

The importance of effective risk management is due to several factors:

➢ Significant losses experienced in the property development industry;
➢ New regulatory requirements and international best practices;
➢ Regular changes in the business environment, including the political atmosphere;
➢ Growing need to optimize economic capital and measure performance;
➢ Protection and enhancement of stakeholders’ and shareholders’ value.

To respond appropriately to the above factors and at the same time to promote and inculcate balanced risk-taking in the business, IOIPG has recognized the need to create risk awareness among staff and stakeholders. This in turn will assist IOIPG in establishing an adequate enterprise risk management framework.

The scope of the enterprise risk management framework covers all activities, processes, functions, projects, products, services, assets and systems currently in place at IOIPG.

The process owner for all risk management initiatives is the Head of Risk Management Department, while the intended users include all stakeholders of IOIPG. In addition, the framework is in compliance with the best practices of the International Standard ISO 31000 (Risk Management – Principles and guidelines) and the Malaysian Standard MS ISO 31000.
1.2 Purpose
Risk influences every aspect of IOIPG’s business and operations. Understanding the risks that IOIPG faces and managing them appropriately will enhance the group’s ability to make better decisions, meet objectives and subsequently improve the performance of the group.

This enterprise risk management framework is designed to:

• Establish the context for an embedded enterprise risk management framework within IOIPG;
• Formalize the risk management functions across IOIPG;
• Brief personnel more thoroughly on risk identification, measurement, control, ongoing monitoring, responsibilities and accountability;
• Coordinate and streamline the understanding and application of risk management within IOIPG; and
• Illustrate compliance by the Board of Directors with its duty of care and diligence, in line with good corporate governance practices.

1.3 Objective
The primary objective of the ERM framework is to support the overall achievement of IOI Properties Group Berhad’s strategic objectives and safeguard the group’s resources, people, finance, property and reputation through:

• Provision of a structured and more consistent approach to identifying, rating, mitigating, managing and monitoring risks;
• Assistance to decision makers in making good management decisions within tolerable strategic and business risk limits, including identifying and leveraging opportunities;
• Challenged and informed strategic decisions via the Risk Profile;
• An environment where staff understand and assume responsibility for managing the risks for which they are accountable, and are aware of the controls in place to mitigate those risks;
• Provision of relevant and timely information across clear reporting structures; and
• Independent assurance and audit activities that provide feedback to management that quality processes and proper controls are in place and are effective.
Other relevant objectives of this framework are to:

• Outline IOIPG’s risk context, which comprises its philosophies, strategies, policies and operating system, so as to better manage the business, project or any other risk exposures faced by the group;
• Provide guiding risk management principles to the respective HODs to assist them in governing the actions of their personnel pertaining to managing risks; and
• Provide assurance to the Board that a sound risk management and internal control system is in place and in conformance with global risk management standards (ISO 31000).

To realize the objectives of the enterprise risk management framework, IOIPG shall:

• Ensure that an appropriate enterprise risk management framework is in place and aligned to IOIPG’s overall business strategy;
• Support the framework and its strategy within an appropriate organizational structure and ensure that associated responsibilities are clearly defined and communicated at all levels;
• Ensure the risk management process is applied systematically across IOIPG to identify, analyze, assess, evaluate, treat and manage risks that threaten the achievement of the group’s objectives;
• Ensure that risk information is communicated through a clear and robust reporting structure; and
• Integrate ongoing risk management activities within the business and throughout all of IOIPG’s projects.
1.4 Benefits
The positive outcomes to be derived from an effective enterprise risk management framework are as follows:
• To act as a platform enabling IOIPG to anticipate and respond to risks effectively;
• To encourage comprehensive and reliable sources of information on the status of risks and the control measures;
• To minimise the likelihood of unforeseen damage to IOIPG’s financial performance, reputation and stakeholders’ confidence;
• To create the opportunity to align corporate strategy with risk strategy;
• To act as a tool which will enable the management of risks affecting both tangible and intangible assets;
• To provide opportunities to eliminate or reduce costs through more targeted and effective control measures aligned to key objectives and risks;
• To provide the basis for more effective strategic planning;
• To contribute to the improvement of overall organizational efficiency and effectiveness;
• To enable optimum use of resources; and
• To provide a framework for ensuring that unavoidable risks are adequately mitigated.

1.5 Restriction
This ERM framework is for internal use in IOIPG and is not for general circulation or publication, nor is it to be reproduced, either in whole or in part, or used for any other purpose without Management’s prior written consent. Management does not assume any responsibility or liability arising from any losses however occasioned by any other party arising from the circulation, publication, reproduction or use of this document.
2.0 ORGANIZATION

2.1 Background
IOI Properties Group Berhad (“IOIPG”) is one of Malaysia’s leading public-listed property developers. It had built a solid reputation as the esteemed property arm of IOI Group prior to its successful listing on the Main Market of Bursa Malaysia Securities Berhad on 15 January 2014.

IOIPG is renowned as one of the largest property companies in the country, with a proven track record spanning more than three decades in the property development industry. Its principal activities include property development, property investment, leisure and hospitality. It has successfully developed sustainable townships in the sought-after regions of Klang Valley and Johor in Malaysia while embarking on property developments in Singapore and the People’s Republic of China. IOIPG currently has a total of 10,000 acres of landbank in Malaysia and abroad.

IOIPG established its presence in the Singapore property market in 2007. It has ventured into five property developments in the country, comprising high-end residential developments and integrated mixed developments. Among them are the luxury condominium developments of Seascape and Cape Royale in Sentosa Cove and the award-winning South Beach project.

In 2010, IOIPG ventured into property development in China. It has embarked on two mixed property developments, namely IOI Park Bo Bay and IOI Palm City in Xiamen, Fujian Province of the People’s Republic of China.

On the leisure and hospitality front, IOIPG owns and manages prestigious hotels, shopping malls, golf courses and office blocks in Malaysia.

As a strong testament to its quality excellence, it is consistently ranked among the top developers in Asia and has been bestowed numerous accolades by leading publications and organizations such as FIABCI, BCI Asia, The Edge Malaysia, Asia Pacific Property Awards, and the Building and Construction Authority (“BCA”) in Singapore.
The IOI Properties Group Berhad provides a diverse range of services to 110,000 residents
in one of Victoria’s most densely populated municipalities. IOI Properties Group Berhad is
required to plan for and manage growth and change, deliver on its objectives within the
context of significant population, climate and urban change as well as increased legislative
and regulatory compliance obligations and financial accountability.

2.2 Governance Structure

IOIPG has defined the following governance structure for overall risk management:

Diagram 1: IOIPG’s Governance Structure
2.3 Corporate Governance vs Risk Governance
IOIPG maintains strong leadership through sound governance and ethical business conduct. It believes in achieving responsible commercial success while balancing the interests of its stakeholders, and fervently upholds sustainability practices in the business as well as the regulatory laws imposed in the countries where it operates.

The safety and soundness of corporate governance rely on the effectiveness of risk oversight and control functions. Over time, risk management approaches and practices in the industry have evolved substantially, with increased attention to advancements in risk management processes and practices, as well as to the segregation of functions as independent parties in internal control environments.

Risk governance focuses on applying the principles of sound corporate governance to the assessment and management of risks, to ensure that risk-taking activities are aligned with IOIPG’s capacity to absorb acceptable losses and its long-term viability.

It is concerned in particular with the roles of the board, senior management and risk management control functions, as well as the processes by which risk information is collected, analyzed and communicated to provide a sound basis for management decisions. It is also concerned with the effects of incentives and organizational culture on risk-taking behaviors and perceptions of risk in IOIPG.

With various kinds of property development businesses, projects and activities, the availability of comprehensive processes and integrated systems to support an enterprise-wide or consolidated view of risks is particularly critical. Also important is the capacity of IOIPG to respond swiftly to changes in the operating environment and developments in business strategies.
2.4 Governance of Risk: Three Lines of Defense Model
Risk management has a key role in the corporate governance structure in ensuring the effective management of risk.

The board provides direction to senior management by determining and setting the organization’s risk appetite. It also seeks to identify the principal risks facing the group. Thereafter, the board assures itself on an ongoing basis that senior management is responding appropriately to the risks identified.

The board delegates primary ownership of and responsibility for operating risk management and control to the CEO and senior management. It is management’s responsibility to provide leadership and direction to the rest of the employees in respect of risk management, and to control the organization’s overall risk-taking activities in relation to the agreed level of risk appetite.

To ensure the effectiveness of an organization’s enterprise risk management framework, the board and senior management need to rely on adequate line functions, including monitoring and assurance functions within the organization. Corporate best practice in risk management acknowledges the ‘Three Lines of Defense’ model as a way of defining the relationship between these functions, and it acts as a guideline to responsibilities and accountabilities:

1. The first line of defense – functions that own and manage risk.
2. The second line of defense – functions that oversee or specialize in risk management and compliance.
3. The third line of defense – functions that provide independent assurance, above all internal audit.
The “Three Lines of Defense” model provides a simple and effective way to enhance communication on risk management and control by clarifying essential roles and duties:

Diagram 2: The Three Lines of Defense Model

➢ 1st Line of Defense – Heads of Business Units

Each Business Unit is responsible for the ownership and management of its respective risks. It is also responsible for implementing corrective actions to address process deficiencies. Each business unit naturally serves as the 1st line, as controls are designed into business processes under its guidance. There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdowns, inadequate processes and unexpected events.

In some areas, specialist compliance roles have also been established to assist in promoting and monitoring compliance, e.g. Finance and Business Technology.
➢ 2nd Line of Defense – Risk Management & Compliance

The risk management and compliance functions ensure that the framework is fully embedded and operational, and monitor the 1st line controls to ensure that risks are being effectively managed. The risk management function facilitates and monitors the implementation of effective risk management practices by management, and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organization. Each of these functions has some degree of independence from the first line of defense.

➢ 3rd Line of Defense – Internal Audit

Internal audit (IA) provides independent assurance on the effectiveness of governance, risk management and internal controls, including the manner in which the 1st and 2nd lines achieve risk management and control objectives. IA provides IOIPG and senior management with comprehensive assurance based on the highest level of independence and objectivity.
2.5 Risk Culture

The Chief Executive Officer (CEO) has the ultimate responsibility and accountability for ensuring that risk is managed across the business units within IOIPG, and is supported by the Chief Operating Officers (COO) of both Property Investment and Property Development as well as the Corporate Entities.

The Chief Executive Officer (CEO) and the Senior Management Leadership Team provide governance leadership, agree the strategic direction and risk appetite, and promote the culture and ‘tone from the top’ in order to ensure the best outcome for the group, staff and stakeholders. They will actively consider risks during strategic and tactical decision-making processes, as will all levels of management, and they will determine annually the level of residual risk/appetite they are willing to accept. IOIPG will take a risk-based approach to managing internal and external project, operational and strategic risks: i.e. risks will be managed and monitored according to severity and financial risk, to identify the quantum of each respective risk involved and its impact.
The Risk Management Committee (“RMC”) will conduct two (2) full half-yearly reviews of business unit risks (facilitated by the Risk Management & Quality Assurance Team), with monthly monitoring of High and Very High risks and quarterly monitoring of Medium and Low risks. Management will also conduct out-of-cycle reviews of operational, financial, project or strategic risks where material changes occur, controls break down or new risks emerge, i.e. organizational change, major process or system change, failure of controls, a major incident, a compliance breach, a serious complaint or a significant near miss.
2.6 Roles and Responsibilities

The Responsible, Accountable, Consulted, Informed (RACI) table (see Appendix 1) illustrates accountability across the varied risk roles at IOI Properties Group Berhad. Risk management within IOI Properties Group Berhad is an integral element of good business practice. The Strategic and Operations Risk Assessment Processes are integrated with the Strategic Planning and Business Planning processes.

It is therefore everyone’s responsibility within IOIPG to manage risk; the accountability for managing any specific risk sits with the person most appropriate to manage that risk. This is reflected in position descriptions (with varying degrees of responsibility at the various levels) and in the performance management process.

Notwithstanding the “whole of organisation” approach to risk management responsibility, the Risk Management Framework has specific elements which require defined alignment of roles and responsibilities. The responsibilities for each of the roles identified at each level are as follows:

2.6.1 Board of Directors (“Board”) of IOI Properties Group Berhad (“IOIPG”)

• Overall responsibility to establish policies and the framework for risk management;
• Approve the Risk Management Policy and note the Enterprise Risk Management (“ERM”) Framework;
• Be satisfied that strategic risks are identified, managed and controlled appropriately; and
• Appoint the Risk Management Committee.
2.6.2 Risk Management Committee (“RMC”)

• Discuss, deliberate and recommend on issues relating to risk management strategies, risk tolerance, policies and processes prior to submission to the Board for decision;
• Review the adequacy of risk policies and framework and the extent to which these are operating effectively;
• Review risk management reports on risk exposure, portfolios and risk management activities;
• Endorse risk strategies, policies and processes for eventual approval by the Board;
• Review the Enterprise Risk Management Framework and policy on procedures for endorsement by the Board;
• Approve the Enterprise Risk Management Framework as an internal guidance and control process for managing risk;
• Encourage promotion of risk management awareness throughout IOIPG;
• Approve operational decisions in improving risk management;
• Ensure the Enterprise Risk Management Framework is being implemented throughout IOIPG;
• Oversee the Risk Management Framework and review the mechanisms in place to comply with the framework;
• Monitor the systems and processes via the group’s risk profile and consider the risk profile when developing and implementing the Internal Audit and Compliance Program;
• Consider the adequacy of actions taken to ensure that the risks have been dealt with in a timely manner to mitigate exposures to the group;
• Identify and refer specific projects or investigations deemed necessary to assess risk management through the Chief Executive Officer, the internal auditor and the Group;
• Oversee any subsequent investigation, including the investigation of any suspected cases of near misses; and
• Review the Project Portfolio and associated risks.
2.6.3 Chief Executive Officer (CEO) / Senior Management Team
• The CEO, supported by the Chief Operating Officers of Divisions (COO), is accountable for ensuring appropriate risk management within the group;
• Endorse the Risk Management Policy for approval by the Board of Directors of IOI Properties Group Berhad (IOIPG), approve the Enterprise Risk Management Framework, and monitor implementation;
• Provide executive leadership in the management of strategic, operational and project risk and generally champion risk management within the group;
• Ensure that their respective divisional risk profile, as entered by each department, is reviewed, updated and approved quarterly (monthly for high risks); and
• Report expeditiously to the Risk Management Committee (“RMC”) incidents or material risk mitigation failures and the actions taken.

2.6.4 Risk Management Department / Manager

• Lead in enforcing the Risk Management Framework;
• Develop, promote and implement risk management awareness;
• Play a facilitator/consultation role and provide training on risk management;
• Report to senior management on risk management information;
• Implement processes to monitor risks across IOIPG;
• Review industry developments and identify emerging risks;
• Review, analyse and assess risks across IOIPG;
• Review and forward specific incidents to Group Internal Audit for information, where applicable;
• Provide assurance in the development, implementation and review of the Risk Management Policy, Enterprise Risk Management Framework, and general risk management practice within the group;
• Quality assure enterprise risk management reporting to the Risk Management Committee, Senior Management & Quality Assurance according to the ISO 31000 Standard;
• Ensure the organisation has the appropriate culture, capability, processes and systems to deliver on this policy and the Enterprise Risk Management Framework; and
• Provide sound recommendations for IOIPG Group on risk-related matters and strategies to mitigate an incident from occurring.
2.6.5 Business Units (BUs) or Project Units – Risk Owner

• Accept the risk owner concept and own and manage their risks;
• Take all necessary steps to comply with the Enterprise Risk Management Framework;
• Support the risk correspondents in promoting / championing risk awareness and the reporting of risk management;
• Be conversant with the risk profiles of their own units/projects/departments and, if required, share such knowledge with internal management and/or the relevant external bodies;
• Verify and validate risk reporting by risk champion/coordinator personnel;
• Validate risk ratings, preventive controls and mitigating measures;
• Escalate risk issues to the Risk Management Department / Manager and related departments;
• Take ownership of risk management for their business or project units; and
• Instil, apply and promote risk management awareness among staff.

2.6.6 Risk Champion / Coordinator Officer

• Submit prompt reporting of risk reviews by the specified deadline;
• Highlight risk issues to business/project owners and the Risk Management Department (RMD);
• Instil, apply and promote risk management awareness among staff; and
• Periodically review risk ratings and control/mitigation actions.

2.6.7 Project Managers

• Ensure that this framework is applied to the projects under their purview; and
• Where the project is considered to materially influence the achievement of IOIPG’s Corporate Objectives, ensure that the project risk assessment is facilitated by the Risk and Compliance Representative.
2.6.8 Risk Quality Assurance Coordinator

• Lead the development, implementation and review of the Risk Management Policy, Enterprise Risk Management Framework, and supporting processes and systems;
• Develop, maintain and quality assure enterprise risk registers and monitor implementation of controls and agreed mitigation actions in accordance with ISO 31000;
• Prepare various risk management reports for the Senior Management Team, Risk Management Committee, Risk Management Department and divisional leadership teams in accordance with this framework and the Risk Management Policy;
• Provide risk management training, advice and support, and conduct risk assessments as agreed with Senior Management;
• Liaise with the Internal Auditor and provide secretariat support to the Risk Management Committee; and
• Measure enterprise risk management maturity and report on the implementation of actions to achieve target maturity.

2.6.9 Group Internal Audit

• Consider strategic and operational risks in the development and implementation of the Group’s Internal Audit and Compliance Plan and recommend improvements;
• Periodically audit IOIPG’s risk management practices and provide recommendations on improvement to management and the Risk Management Committee;
• Ensure the adequacy of risk management policies;
• Examine and evaluate the appropriateness and effectiveness of the risk management process;
• Evaluate the reliability (including integrity, accuracy and comprehensiveness) and timeliness of risk management information;
• Evaluate the continuity and reliability of the risk management systems; and
• Evaluate the independence and overall effectiveness of the risk management function.
3.0 AWARENESS, LEARNING AND CULTURE

IOI Properties Group Berhad (IOIPG) will build a strong risk culture, which is the
combined set of individual and corporate values, attitudes, competencies and behaviour that
determines our commitment and style towards risk management.

Risk management requires overall participation for both reporting and managing risks.
Substantial communication and awareness are essential to build a common understanding
of risk management and to gain widespread staff buy-in. The success of a risk management
program will depend almost entirely on how it is perceived and embraced by staff and
managers who shall execute it.

Premised on the above, the Risk Management Department (RMD) is to work closely with the
Human Resource Department (HR) – Training & Development to develop a structured risk
awareness and learning program in which the learning modules are customized to suit
staff at various levels.

4.0 DEFINITION OF RISK, RISK MANAGEMENT & ERM

The purpose of this Enterprise Risk Management Framework is to provide a comprehensive
and proactive approach towards managing risk in IOI Properties Group Berhad (IOIPG).
Risk influences every aspect of our business; hence the need to understand its
description and definition.

4.1 Definition of Risk

Risk is the probability of an internal or external situation (an incident) having the potential
to impact upon IOI Properties Group Berhad; preventing it from successfully achieving its
objectives, delivering its services or capitalizing on its opportunities. Risks are an everyday
occurrence that could potentially impact on IOIPG’s ability to meet its obligations to
stakeholders and the community. IOI Properties Group Berhad recognizes that while some
risks cannot be fully eliminated they can be identified, controlled and managed to an
acceptable level. Based on ISO 31000, risk is defined as an effect of uncertainty on
objectives.

Risk may be viewed as the threat of an event, action or loss of opportunity that, if it
occurs or crystallizes, will adversely affect any one or a combination of the following:

• Value to IOIPG’s shareholders and other stakeholders.
• Ability to achieve objectives.
• Ability to implement business strategies.
• Manner in which operations are conducted.
• IOIPG’s reputation.

As may be appreciated from the concept and due to the diversity of the business objectives,
strategies and operations, a multitude of risks would be faced by IOIPG. These may be
categorized in general into strategic risks, operational risks and project risks.

Since the future as such is uncertain, any business or project activity is individually
associated with risks and rewards, and its objectives are to identify and reap rewards and
opportunities, as well as to manage and control the resulting risks.

4.2 Definition of Risk Management

Risk management is defined as “the coordinated activities to direct and control an
organization with regard to risk”, as defined in the ISO 31000 international standard.

Risk management is a continuous, proactive and systematic process to recognize, manage
and communicate risk from an-

Risk management is a central part of any organization’s strategic management. It is the
process whereby organizations methodically address the risks attaching to their activities
with the goal of achieving sustained benefit within each activity and across the portfolio of
all activities.

4.3 Definition of Enterprise Risk Management (ERM)

ERM is a structured and disciplined approach, aligning strategy, processes, people,
technology and knowledge with the purpose of evaluating and managing the risks that
IOIPG faces as it creates value.

ERM is truly a holistic, integrated, future-focused, and process-oriented approach that helps
IOIPG to manage all key business risks and opportunities with the intent of maximizing
shareholder value as a whole.

ERM shall be a core management competency that incorporates a well-structured,
systematic process to identify business risks and lessen their impact on IOIPG.

This involves the following core elements:

• The identification of each business risk;
• The measurement of the identified business or project risk;
• The control, or the way the risk is managed, in line with the needs of IOIPG’s policies
and strategies; and
• Constant monitoring and communication of the risks associated with any activity, function
or process in a way that will enable IOIPG to minimize the risks and capitalize on the
opportunities.

5.0 THE EFFECTIVENESS OF RISK MANAGEMENT FRAMEWORK

IOI Properties Group Berhad’s Enterprise Risk Management Framework (“Framework”) is
aligned with the ISO 31000 standard and shall be applied to all activities across IOI
Properties Group Berhad. All risks need to be understood, considered and addressed by
everyone, including executive staff and senior management, employees, partners and
related stakeholders. IOIPG is committed to promoting an organizational culture where risk
management is embedded in all activities and business processes, to ensure the long-term
sustainability and growth of the company.

Diagram 3: Effectiveness of Enterprise Risk Management Framework

5.1 Framework as an overall internal control

IOI Properties Group Berhad undertakes proactive enterprise risk management because:

5.1.1 It is good practice to understand the strategic and operational risks and
opportunities facing IOI Properties Group Berhad in order to make informed
decisions and meet organizational and strategic goals;

5.1.2 IOI Properties Group Berhad provides critical services and infrastructure to the
customers and stakeholders; and IOI Properties Group Berhad has service
agreements and contractual obligations to non-government business entities and
organizations;

5.1.3 To implement the best practices of risk management in the market, in line
with the related international standard.

The Framework is designed to provide the architecture for a common platform for all risk
management activities undertaken by IOI Properties Group Berhad, from individual
functional, process or project-based assessments to whole-of-organization assessments,
with the aim of enabling comparative analysis and prioritization of those assessments either
individually or cumulatively.

5.2 General Elements in Framework

The effectiveness of risk management will depend on its integration into governance of the
organization, including decision-making. This requires support from stakeholders,
particularly the senior management.

Framework development encompasses integrating, designing, implementing, evaluating
and improving risk management across IOIPG. (Diagram 4 illustrates the element
components of a framework.)

The organization should evaluate its existing risk management practices and processes,
evaluate any gaps and address those gaps within the framework.

The components of the framework and the way in which they work together should be customized
to the needs of IOIPG.

Diagram 4: Elements in Framework

The brief description of elements in framework is as follows:

5.2.1 Leadership and commitment

The Board and senior management should ensure that risk management is integrated
in all organizational activities and should demonstrate leadership and their
commitment by:
i. customizing and implementing all components of the framework;
ii. issuing a statement or policy that establishes a risk management approach,
plan or course of action;
iii. ensuring that the necessary and sufficient resources are allocated to manage
risks; and
iv. assigning authority, responsibility and accountability at appropriate levels within
the organization.

Senior management is accountable for managing risk, while the Board is accountable
for overseeing risk management as a whole.

5.2.2 Integration

Integrating risk management relies on an understanding of organizational structures
and context. Structures differ depending on the organization’s purpose, goals and
complexity. Risk is managed in every part of the organization’s structure. Everyone in
an organization has responsibility for managing risk.

Integrating risk management into the organization is a dynamic and iterative process and
should be customized to the organization’s needs and culture. Risk management should
be a part of, and not separate from, the organizational purpose, governance, leadership
and commitment, strategy, objectives and operations.

5.2.3 Design

The Board and senior management should demonstrate and articulate their continual
commitment to risk management through a policy, a statement or other forms that
clearly convey an organization’s objectives and commitment towards good risk
management.

They should ensure that the empowerment, responsibilities and accountability for
relevant roles with respect to risk management are assigned and communicated at all
levels of the organization, and should also ensure the allocation of appropriate resources
for risk management.

The organization should establish a unified approach to communication and
consultation in order to support the framework and facilitate the effective application of
risk management. Communication should involve sharing information with targeted
audiences. Consultation should also involve participants providing feedback with the
expectation that it will contribute to and shape decisions or other activities. These
methods and content should reflect the expectations of the stakeholders, where
relevant. They should also be timely and ensure that relevant information is collected,
collated, synthesized and shared, as appropriate, and that feedback is provided and
improvements are made.

5.2.4 Implementation

A good implementation of the framework requires the engagement and awareness of
stakeholders. This enables organizations to explicitly address uncertainty in decision-
making, while also ensuring that any new or subsequent uncertainty can be taken into
account as it arises.

Implementation of this framework will ensure that the risk management process is a
part of all activities throughout the organization, including decision-making, and that
changes in external and internal contexts will be adequately captured.

5.2.5 Evaluation

Framework performance should be periodically measured, reviewed and evaluated against its
purpose, implementation plans, indicators and expected behaviour, to ensure that the
effectiveness of risk management is in order and in place.

In order to evaluate the effectiveness of the risk management framework, the
organization should determine whether it remains suitable to support achieving the
objectives of the organization.

5.2.6 Improvement

The organization should continually monitor and adapt the risk management framework
to address external and internal changes. In accomplishing this, the organization can
enhance its value.

It also should continually improve the suitability, adequacy and effectiveness of the risk
management framework and the way risk management process is integrated.

As relevant gaps or improvement opportunities are identified, the organization should
develop plans and tasks, and assign them to those accountable for implementation.
Upon implementation, these improvements should contribute to the enhancement of
risk management.

6.0 STRATEGY

6.1 Risk Management Strategy

Risk management strategy is an integral component of the overall strategy, which
determines core capabilities, departments, business units, projects, competitive advantages,
the formation of the value-added chain, and thus IOIPG’s value drivers. The risk
management strategy will align risk management resources and actions with the business
strategy necessary to maximize organizational effectiveness. Linking the business
strategies to the risk management approach can also provide a context for setting risk appetite
and risk measures so that they are linked to the overall strategic plan for IOIPG.

As an essential element of the risk management system, the following risk strategy forms
the strategic drive of the Risk Management Framework and sets the internal control method
that guides all personnel of IOIPG in dealing with risks in a rational, target-oriented manner:

6.1.1 IOIPG’s Risk Management Framework statement shall be adopted by all
business units & projects, and risk management decisions shall be made at the
operating level where knowledge and expertise reside. Responsibility for risk
management will be undertaken by business units & projects with appropriate
guidance from the Risk Management Committee (RMC) / Group Risk Management
Department (RMD).
6.1.2 The Board strongly supports risk management with formal reporting. Risk
management is periodically on the Board’s agenda, and Senior Management are
aware of and well-versed in risk-associated matters within IOIPG’s business.
6.1.3 Risk management is linked to business and operational planning and is generally
incorporated into new undertakings or projects.
6.1.4 The risk management process is meant to promote a proactive risk management
approach and create the necessary risk awareness and cultivate a risk and
control culture within IOIPG.

As a business strategy indicates the direction of the business, a risk strategy provides
guidance for the risk activities within IOIPG. It can set the tone for aggressive or
conservative risk management activities, dictate how measuring and monitoring activities
are to be carried out and provide the strategic view needed by the Board and
Senior Management. It is the risk strategy that provides the backbone for embedding risk
management within the culture of IOIPG’s business.

6.2 Risk Appetite

Risk appetite is the amount of risk exposure, or potential adverse impact from an event,
that IOI Properties Group Berhad is willing to accept in pursuit of its objectives. Once
the risk appetite threshold has been breached, risk management controls and actions are
required to bring the exposure level back within the accepted range by considering:

1. Emerging risks;
2. Risks that might be outside the group’s control (e.g. political change and climate);
3. Where best to allocate scarce resources; and
4. Where the IOI Properties Group might want to take on additional risk to pursue a
strategic objective or an expectation of above-average returns.

Risk appetite should be set for each individual strategic risk and tolerance levels agreed,
using relevant performance indicators which are monitored through the monthly enterprise
reports. For operational risks, the group’s risk appetite will inform the annual risk process,
controls and assurance activities and is generally defined as follows:

RISK RATING | MINIMUM MITIGATION ACTION | DESCRIPTION
Very High Risk | Reject & Avoid or Mitigate | Immediate action required in consultation with Management to either avoid the risk entirely or to reduce the risk to a low, medium or high rating.
High Risk | Accept & Mitigate | These risks need to be mitigated with actions as required and managers need to be assigned these risks.
Medium | Accept | Managed by specific monitoring or response procedures.
Low | Accept | Managed by routine procedures.

Table 1: Risk Appetite

To minimise the risk exposure and impact on IOI Properties Group Berhad on the
materialisation of risks, the limit for the Board’s approval on “Investment” is to be capped at
10% of the Company’s market capitalization, while the capital expenditure limit is to be
reduced to RM100 million.

6.3 Risk Response

In consideration of our risk appetite, one or more of the following actions may be pursued:

6.3.1 Risk Tolerance

This is usually taken when the risk is equal to the cost of doing business. Nothing
can be done at a reasonable cost to mitigate it.

6.3.2 Risk Treatment

To take action to control a risk in the event that it occurs. It is important that the control
put in place is proportionate to the risk. In general, the purpose of the control is
to contain the risk rather than to remove it.

6.3.3 Risk Termination

When it is feasible and cheaper to do so rather than bearing the risk, we may decide
to remove the risk altogether.

6.3.4 Risk Transfer

To consider a risk transfer strategy for operational risk losses that go beyond
IOIPG’s risk appetite. Risk transfer can be made possible via insurance or
outsourcing (of certain processes).

7.0 PRINCIPLES AND GUIDELINES

The framework provides an overview of the group’s enterprise-wide approach to risk
management and illustrates how this approach is implemented within IOIPG.

It also provides a common methodology to identify and manage potential events that may
affect the group’s accountability for risk management and its governance.

The framework that IOIPG Group adopts is in line with global best practices and globally
accepted risk management standards such as the ISO 31000 standards, as depicted in the
following diagram:

Diagram 5: Risk Management – Principles and Guidelines

7.1 Risk Management Principles
All levels of IOIPG Group shall commit to incorporating the following principles from the
international ISO 31000 standard. Risk management will:
• Create and protect value;
• Be an integral part of Council’s organizational processes;
• Be part of the decision-making process;
• Explicitly address uncertainty by providing a framework in which risk can be assessed;
• Be systematic, structured and timely;
• Be based on the best available information;
• Be tailored to the group’s internal and external environments;
• Take into account group’s human and cultural factors;
• Be a transparent and inclusive process;
• Be dynamic, iterative and responsive to changes; and
• Continually improve.

7.2 Risk Management Guidelines

IOI Properties Group Berhad has finite resources, time and budget to manage all aspects
of its activities. It is therefore vital that IOIPG apportions adequate resources to the most
critical areas, or those that will have the greatest impact on the organisation. IOI Properties
Group Berhad will therefore take a risk-based approach to managing operational risks as follows:

• The Inherent Risk - the risk that an activity would pose if no controls or other
mitigating factors were in place. Determining the Likelihood and Impact of the risk
occurring allows IOIPG Group to understand which risks are of greater concern and
must therefore be mitigated accordingly.
• The Residual Risk - the risk that remains after the effectiveness of controls is
taken into account (the risk after controls) - can then be determined by assessing the
effectiveness of the controls in place to mitigate the Likelihood and Impact of the risk
occurring.

All risks will be captured in an organisational Risk Register (Excel spreadsheet) and
reported regularly through the various Management and Committee structures.

8.0 RISK MANAGEMENT PROCESS

The risk management process is the “how to” element of the Framework and is defined in
the ISO Standard as “the systematic application of management policies, procedures and
practices to the task of communicating, establishing the context, identifying, analysing,
evaluating, treating, monitoring and reviewing risk.”

[Diagram 6 reproduced as text: the five stages of the process and the activities shown against each stage]

1. Communication & Consultation / 5. Monitor & Evaluate (supporting activities shown alongside the process)
• Review internal & external environment & emerging risks
• Develop internal & external communication plans
• Assist to establish context, tools & templates
• Secure endorsement & approvals
• Pool areas of expertise together
• Performance measures & metrics
• Continuous improvement
• Analysis of lessons learnt

2. ESTABLISHING THE CONTEXT
• Understand the internal environment
• Understand the external environment
• Establish the context of the risk management process
• Define risk criteria

3. RISK ASSESSMENT
Identifying Risks:
• Identify sources of risks, areas of impact, events and their causes and their potential consequences.
• Generate a comprehensive list of risks identified.
Analyze Risks:
• Evaluate the existing control environment.
• Develop an understanding of the risks.
• Consider the causes and consequences of risks, including impact & probability.
Evaluate Risks:
• Determine treatment & priority for treatment implementation.

4. RISK TREATMENT
• Selecting 1 (one) or more options for modifying risks & implementing the option:
1. Avoid Risk
2. Accept Risk
3. Remove Risk
4. Change likelihood & Consequence
5. Share / Transfer Risk

Diagram 6: IOIPG Risk Management Framework Process

8.1 Communication and Consultation
Communication and consultation with internal and external stakeholders are important
elements at each step of the risk management process. Effective communication is
essential to ensure that those responsible for implementing risk management and those
with a vested interest understand the basis on which risk management decisions are made
and why particular actions are required.

Key direction is set through the adoption of the IOI Properties Group Berhad Corporate
Plan, which is reviewed annually to ensure it continually reflects important priorities. IOIPG
Group is dependent on the framework to be used at the strategic and departmental
business unit level to improve performance by the organisation in the achievement of the
group’s strategies and actions as detailed in the Plan.

8.2 Establish the context

Establishing the strategic and operational context in which the risk management process
will take place defines the parameters within which risks must be managed, the criteria
against which risk will be evaluated and the structure of the analysis.

8.2.1 External context

In addition to considering the external environment, this also includes the relationship
or interface between IOIPG and its external environment. This may include:

• Business, social, regulatory, cultural, competitive, financial and political
environment.
• International, national, state, industry and community impact, trends and practice.
• The group’s external opportunities and threats.
• Health and Safety.
• Media.
• Legal and regulatory obligations.
• Strategic relations with external stakeholders and key 3rd party service providers.

Establishing the external context is important to ensure that our business counterparts
and external partners and their objectives are considered when developing risk
management criteria and that externally generated threats and opportunities are also
properly taken into account.

8.2.2 Internal context

An understanding of IOIPG as an organisation is important prior to understanding the
risk management process, regardless of the level. Areas to consider include:

• Goals and objectives and the strategies that are in place to achieve them;
• Culture;
• Strategic Plan, budget and drivers;
• Internal stakeholders;
• Occupational Health and Safety;
• Governance and structure;
• Capabilities in terms of resources such as people and systems;
• Processes; and
• IOIPG internal strengths, weaknesses, opportunities and threats (SWOT).

8.2.3 Risk management context

The level of detail that will be entered into during the risk management process must
be considered prior to commencement and should be commensurate with the extent
and nature of the inherent level of risk. The extent and scope of the risk management
process will depend on the goals and objectives of the group’s activity that is being
addressed, as well as the budget that has been allocated to that activity.

In each instance, consideration must also be given to the roles and responsibilities for
driving and undertaking the risk management process. The next phase involves three
(3) interconnected stages - Risk Identification, Risk Analysis and Risk Mitigation.

8.3 Risk Assessment
8.3.1 Risk Identification / Classification
The 1st phase is the Risk Identification phase. The purpose is to identify all risks: the
“what, when, why and how” of incidents that might impact on the achievement of the group’s
objectives. Comprehensive identification using a well-structured, systematic process is
critical, as a risk not identified will be excluded from further analysis, so identification
should include all risks, whether or not they are under the control of IOI Properties
Group Berhad.

An incident relates to the failure of people, processes, systems or from external factors
(e.g. fire, flood, assault or damage). In other words, something has gone wrong i.e. a
control failed to operate as expected, was not performed, or perhaps there was no
control in place. Incidents can have multiple and varied impacts:
• Financial (e.g. Losses, Costs, Fines, Penalties)
• Non-Financial (e.g. Customer, damage to Reputation/Assets, Regulatory,
Business interruption).

In this stage, all business units are to have foresight of all potential risks and their
impact on the operations of the business units and register these foresights in their
respective risk registers, and NOT a current ongoing “problem statement” with
corrective measures to overcome those statements.

Capturing, understanding the root causes and investigating incidents are critical as
these provide us with important and timely information on the operation and
effectiveness of our controls, threats to our business operation and the extent and
nature of our risks.

A comprehensive risk identification process is delivered through consideration of the
potential influence of each of the elements of the internal and external operating
environment on the group’s objectives. A systematic process includes working through
each goal, objective or planned implementation action, identifying the things that may
inhibit, detract from or prevent the achievement of the goal or enhance the opportunity
to meet the objective.

Documentation of identified risks and their categories occurs through the development of
a description of the risk and entry into the group’s Risk Register (Microsoft Excel
spreadsheet). The risk description should contain the category of risk, a statement of the
risk, and those factors which could cause or contribute to the occurrence of the
risk event.

IOI Properties Group Berhad utilises a range of tools and approaches to determine
potential risks, including:
• Team based brainstorming with experienced and knowledgeable staff
representatives;
• Structured techniques (such as SWOT analysis, process mapping, flow charting,
systems analysis or operational modelling);
• Annual strategic planning, budget and risk identification workshops,
• Examination and analysis of historical reports and incidents;
• Regular compliance reviews (internally and externally);
• Internal review by the Risk Management Committee (“RMC”); and
• Reviews by external service providers.

The organisational strategic risks are developed annually in conjunction with the
Executive Management Team, using the group’s strategic objectives and plan as a
starting point. The organisational operating risks are identified in conjunction with
Heads of Business Units on a monthly basis as a minimum, which runs parallel with the
group’s annual business planning cycle. The output from both the Strategic and Business
Unit Risk Assessments is then to be used as input to the Business Planning Process.

RISK CATEGORIES
Operational: Supply Chain; Production; Hazard; HR; Integrity; Counter party; Security; Health & Safety
Market: Investors; Demand & Supply; Pricing; Consumer Behaviour; Commodity
Reputation: Compliance; Customer Service; Product Liability; Public Enquiry & Damage
Financial: Credit; Liquidity; FX Rates; Interest Rate; Compliance; Investment; Global Economy; Taxation
Technology: Systems; CyberSecurity; Outdated Hardware; Connectivity
Political: Government Stability; Socioeconomic conditions; Internal Conflict; External Conflict
Strategic: Change in Technology; Regulatory; Political; Global Economy; Competition; Corporate Governance

Table 2: Risk Categories & Classification

8.3.2 Risk Analysis & Assessment

The 2nd phase is Risk Analysis and Assessment. The analysis should involve
developing an understanding of the risk, the likelihood of the risk occurring and the full
range of potential impacts/consequences. Identification of likelihood and impact is a
qualitative exercise based on perception and history. The initial analysis provides the
Inherent Likelihood, the Inherent Impact and the Inherent Risk Rating.

At this stage, the analysis assumes that all controls have failed or that there were no
effective controls in place. Whilst this is unlikely, it allows IOI Properties Group
Berhad to understand which risks have the greatest potential for disrupting the
business operation and the most significant impact, and therefore require strong and effective
controls with appropriate and ongoing oversight.

8.3.3 Risk Evaluation
Risk evaluation is the process of identifying and measuring risk. The risk evaluation
process includes identifying the risk, determining its probability and impact, preparing an action plan
to control the inherent risk, defining the risk rating to be mitigated at the residual risk stage and
monitoring them.

All of these risk management processes are catered for by a risk management
tool called the risk register.

8.4 Risk Mitigation Strategies

Risk mitigation involves identifying the most appropriate responses for reducing the inherent
risk level to a status acceptable within IOI Properties Group Berhad’s risk tolerance. Both
controls and mitigations are designed to mitigate the risk by reducing the likelihood of
negative risks occurring and/or reducing the impact of risks should they occur.

There are a number of mitigation options available and more than one will be applied to any
risk. Typical mitigation options include the establishment and operation of controls designed
to mitigate, discourage, identify and/or limit the impact and likelihood of a risk from
occurring. Most risks will have multiple different controls in place, some intended to prevent
a risk occurrence, some will detect an occurrence whilst others are designed to respond to
an occurrence. Controls will not always be performed by the risk owner. For example,
Business Units will have a key reliance on Technology to manage controls to ensure
systems are available and operating as required.

8.4.1 Controls

a) Directive Controls are those designed to establish desired outcomes.

Examples:
• Setting Council policies, Business Unit policy/procedures
• Setting capital expenditure limits
• Laws and regulations
• Training seminars
• Job descriptions
• Meetings

b) Preventive Controls are designed to discourage errors or irregularities from
occurring. They are proactive controls that help to ensure departmental
objectives are being met. Examples include:

• Training on applicable policies, Department policy/procedures;
• Review of occupational safety & health of office premises;
• Segregation of duties (authorisation, record keeping & custody of the
related assets should not be performed by the same individual);
• Physical control over assets;
• Locking office doors to discourage theft;
• Using passwords to restrict computer access;
• Shredding documents with confidential information.

c) Detective Controls are designed to find errors or irregularities after they have
occurred. Examples:

• Cash counts; bank reconciliation;
• Review of payroll reports;
• Compare transactions on reports to source documents;
• Monitor actual expenditures against budget;
• Review logs for evidence of mischief;
• Exception reports which list incorrect or invalid entries or transactions;
• Reviews and comparisons;
• Physical counts of inventories.

d) Corrective Controls are intended to limit the extent of any damage caused
by an incident e.g. by recovering the organisation to normal working status as
rapidly and efficiently as possible. Examples:

• Submit corrective journal entries after discovering an error;
• Complete changes to IT access lists if an individual’s role changes;
• System upgrades;
• Additional training;
• Changes to procedures.

40 | P a g e
e) Transfer the risk. Risk transfer shares the risk with a third party in order to
reduce the likely impact should the risk materialise:

• Risk transfer may be achieved by taking out insurance to facilitate financial
recovery against the realisation of a risk.
• A third party may be compensated to take the risk because that party is more
able to manage the risk effectively.
• Risk may be wholly transferred, or partly transferred (i.e. shared).
• It is important to remember that it is almost impossible to transfer risk
completely. In almost all risk sharing arrangements, a degree of the original
risk remains and there is inevitably financial or other consideration for the
sharing of the risk. In addition, a new risk is inherited: that of being
dependent on a third party to manage the original risk.

f) Eliminate the risk. Some risks may only return to acceptable levels if the
activity is terminated. In such situations, the risks are deemed irrelevant and
not applicable in the current scenarios.

g) Accept the risk. A risk may be accepted because:

• the probability or consequences of the risk are low or minor,
• the cost of treating the risk outweighs any potential benefit,
• the risk falls within the group’s established risk appetite and/or tolerance
levels, or
• IOIPG has limited/no control over the risk, e.g. natural disasters,
international financial market impacts, terrorism and pandemic illnesses.
To manage such risks, IOIPG should have a business continuity plan (BCP)
in place to provide effective prevention and recovery.

When determining the most appropriate mitigation, IOIPG should consider:

• How will the mitigation modify the level of risk?
• How do costs balance out against benefits?
• How compatible is the mitigation with the overall business objectives?
• Does it comply with legislation?
• Does it introduce new or secondary risks?

In certain scenarios, more than one response may be necessary to address an
identified risk. In those cases a combination of responses (controls / mitigations)
should be taken into consideration.

8.5 Monitor and review

The risk assessment process provides a snapshot of the group’s risks, controls and action
plans at a given point in time, via the “Risk Register” (Appendix 3). The residual risk
impact and likelihood and the control effectiveness ratings can be reflected on a one-page
Heat Map with supporting opinion and insight on risks, controls and actions, the “Risk
Profile”.

Because the external and internal environment in which we operate is fluid, the
influences on our objectives continue to ebb and flow. In addition, assumptions have been
made in relation to both the quality of response strategies which are already in place and
the implementation and quality of proposed responses. As a result, the risk management
process is iterative and should be the subject of a structured monitoring and review process.

8.5.1 Ongoing review of risks

Risk responses and the effectiveness of control measures to manage risk need to be
monitored on an ongoing basis to ensure that changing circumstances, such as the political
environment and the IOIPG strategic objectives and risk appetite, do not alter the risk
evaluation profiles and adequacy assessments. New risks or deficiencies in existing
mitigation strategies may be identified via a number of sources:

• Changes in the strategic objectives
• Regular review of the identified risks and mitigation strategies
• The annual Internal Audit exercise
• Ongoing monitoring by various Committees, Audit Committees & RMC
• New legislation
• New accounting standards, guidelines or information from any regulator
• Complaints
• Regulatory / Compliance breaches
• Incidents
• External Audit (if any)
• Project & internal policy changes

Internal Audit will pay particular attention to those controls, mitigation activities or
other responses identified through the risk assessment as having significant priority. In
addition, the Risk Assessment Process, including the Framework, will be monitored,
evaluated and reviewed by the Internal Auditor.

Risks are to be monitored and reviewed by the responsible manager/officer on an
ongoing basis and reported to committees at least quarterly. The effectiveness of risk
responses will be continuously monitored by the responsible manager/officer and
reviewed six monthly (Half Yearly).

Existing Risks (Existing Response Plans):

• Identify existing risk response plans in place.
• Establish objectives of the risk response plan, i.e. which risk is being mitigated and to
what level/extent.
• Evaluate if the existing risk response plans meet their objectives. Assess if the response
plans are sufficient and relevant, i.e. if any addition or removal of risk response plans is
required.

New Risks (New Response Plans):

• Evaluate if the Business Unit is prepared to accept the type of risk and, if so, how much
risk it is prepared to tolerate.
• Assess if the existing response plans can be leveraged to mitigate/control the new risks
identified. Identify a range of risk response options and evaluate the options.
• Design a plan to implement the preferred options, including the relevant KPIs and
measures of success. Implement the selected risk response plans.

Diagram 7: Risk Response Plans

8.5.2 Alignment to the strategic plan

For risk assessments associated with the whole of IOI Properties Group Berhad or
individual departments, the review process will be built into the business planning
process. Output from the Strategic Risk Assessment and Business Unit Risk
Assessments are to be used as input to the Business Planning Process. That input will
include risk response plans. Internal Audit will use the information from the Business
Planning Risk Assessments, in particular the risk response plans, to assist with
development of the Internal Audit plan.

To ensure that the identified strategic risks, and measures in place to manage them,
remain aligned to the group’s strategic objectives, any change to the overall Strategic
Plan will trigger a review of the risk assessment exercise and the Risk Management
Process.

8.5.3 Project related risks

In relation to project-based risk assessments, the risk mitigation plan provides the
project manager with a tool to continuously monitor project improvement through the
implementation of the plan.

Issues and delivered risks identified through the course of the project must be assessed
and included in the project risk register, having gone through the full risk assessment
process outlined above. This will ensure the continuing relevance of the risk
assessment.

8.6 Risk Management Tool – Risk Register

Risk registers provide a mechanism for documenting, managing, monitoring, reviewing,
updating and reporting risk information. Risk Register design, use and related processes
are developed and maintained by the Risk representatives appointed by the respective
Heads of Business Units. IOI Properties Group Berhad has adopted a risk register
template, tailored to the classification of risks being managed and containing
crucial information on all identified risks of each Business Unit, including the risk owners
and accountability. This template is in line with the ISO 31000 guidelines and in compliance
with the global standards. The critical information included in the risk register template
includes:

1. Risk Name & No.
2. Risk Category
3. Risk Rating
4. Risk Owner
5. Risk Impact
6. Risk Likelihood / Probability of Occurrence
7. Existing Control Activities
8. Corrective Action & Mitigation Strategies
9. Areas of Improvement: Consequences / Opportunities arising from the risk

A sample of the Risk Register Template is enclosed as Appendix 3.

The business units will conduct their own review of their risk registers and provide updates
on the risk information from time to time via risk review reports for analysis and verification
by the Risk Management Department for the purpose of Half Yearly Financial risk review
sessions with the Risk Management Committee (“RMC”).

A sample of Risk Review report is enclosed as Appendix 4.

8.6.1 Inherent likelihood & Probability

The Inherent Likelihood of a risk occurring is defined as the probability and frequency
of its occurrence. The table below is a commonly used format with four (4) levels of
Likelihood, from Low (an event that occurs only in exceptional circumstances), through
Medium and High, to Very High (occurring frequently within a year). Each criterion is
assigned a range between 0.1 and 4.0 that defines the level of likelihood of
occurrence of each respective risk. (See Table 4 - Probability Matrix.)

Probability   Definition   Rating

Low           <= 5%        0.1 to 1.0
Medium        6% to 20%    1.1 to 2.0
High          21% to 50%   2.1 to 3.0
Very High     > 50%        3.1 to 4.0

Table 3: Risk Probability Matrix

8.6.2 Inherent impact


This is defined as the potential impact or consequence of a risk occurring and is
generally expressed as being a financial loss, non-financial loss (e.g. damage to
reputation, client impact, regulatory impact) or occasionally a gain. (See Table 5 - Risk
Impact Matrix) Accurately determining and assigning the possible multiple impacts can
be achieved by utilising the Impact range table, which is assigned four (4) levels:

Impact Levels:
• Low (Range 0.1 to 1.0)
• Medium (Range 1.1 to 2.0)
• High (Range 2.1 to 3.0)
• Very High (Range 3.1 to 4.0)

Impact      Definition                                                   Rating

Low         will not derail objective / immaterial loss                  0.1 to 1.0
Medium      impede full achievement of objective / sustainable loss      1.1 to 2.0
High        will derail objective / material loss                        2.1 to 3.0
Very High   serious damage / critical loss                               3.1 to 4.0

Table 4: Risk Impact Matrix

A risk may fit into a single category or fall across multiple types and similarly the level
of impact may fit into more than one column. It is up to management (with assistance
from risk representatives) to determine the type with the highest consequence for
inclusion into the risk register. This consequence matrix document should be reviewed
at least every two (2) years with business subject matter experts as part of the
Framework review to ensure that categories and descriptions are relevant and
reflective of IOI Properties Group Berhad internal and external environments.

8.6.3 Inherent risk rating

For each of the risks listed from the Risk Identification process, the likelihood of the risk
occurring and its impact can be plotted using the criteria matrices by multiplying the
numbers associated with the Likelihood of occurrence and Impact criteria, and
illustrated in a heat map (see Diagram 3):

e.g. the Likelihood of a single risk is considered ‘Very High’ (4), multiplied by an Impact
assessed as ‘Very High’ (4) = 16.

The resulting level of risk will be shown as the intersection of the two dimensions on
the Risk Level Matrix (see below and Appendix 3). This gives an Inherent Risk
Rating of 16 = Very High, and immediate remedial action should be taken to reduce
this risk.

Diagram 8: Risk Heat Map

The risk rating displayed on the heat map falls in one of four (4) shaded areas reflecting the
level of risk:

• Low
• Medium
• High
• Very High

8.6.4 Current control environment


To understand the extent to which the likelihood and impact of a risk occurring is being
mitigated, the full set of controls currently in place must be documented and assessed
for effectiveness of design and operation. The assessment should only assess controls
that are currently in operation, not those that are planned.

Where controls are operated by a third party (e.g. Technology), discussions with the
control owner should take place to ensure there is an appropriate assessment of the
control that takes into consideration the views of the control owner and the risk owner.

8.6.5 Residual risk

When the controls have been assessed and rated, the “Residual Risk” (the amount of
risk left over after inherent risks have been reduced by controls) rating can be
determined. For each of the risks listed from the Risk Identification process, the
Residual Likelihood of occurrence and potential impacts can be plotted by multiplying
the numbers associated to each criteria of Likelihood and Impact. For example, the risk
of a Cost Overrun occurring in the Project Management process, taking into
consideration the effectiveness of controls in place (considered ‘Good’), could now be
reassessed as follows:

The Likelihood is Low (= 1) X Impact assessed as now being Medium (= 3).

The resulting residual risk (1 x 3 = 3) will be shown as the intersection of the two
dimensions on the matrix (see below). This provides the Residual Risk level of 3 =
Low. It is likely that no further actions would be required to further mitigate this risk.

Diagram 9: Residual Risk Rating

Alternatively, if controls in place to mitigate a Cost Overrun occurring in the Project
Management process are determined to be ‘Poor’, the inherent risk could be
reassessed as follows:

The Likelihood is Possible (= 3) X Impact assessed as still being Major (= 4).

The resulting residual risk (3 x 4 = 12) would be High. In these circumstances, the
Residual risk would be outside of appetite and would require actions to address the
controls gaps or weaknesses to further mitigate the likelihood or impact of the risk
occurring.

8.6.7 Residual Risk Rating

This step prioritises the Residual risks to be addressed. The IOIPG Board of Directors
and Risk Management Committee (“RMC”) will set a threshold (Risk Appetite) every
two years whereby risks above the threshold are unacceptable and must be addressed
and risks below the threshold are treated differently (i.e. recorded/recorded &
monitored). IOIPG has also set criteria for responses to the range of Residual Risk
Level ratings.

Using the example above, the Residual risk of a Cost Overrun is assessed as being
High.

Naturally, this is unacceptable, so actions are required to develop or enhance controls
to mitigate the likelihood and impact of a Cost Overrun occurring.

• Residual Risks assessed as ‘Very High’ are likely to impact on strategic
objectives, are unacceptable and must be immediately and actively mitigated,
managed and monitored by the risk owner.

• Residual Risks identified as ‘High’ are likely to impact Division or possibly
strategic objectives, and therefore the IOIPG Board of Directors and Risk
Management Committee (“RMC”) are likely to view these risks as unacceptable.
The risk owner must actively mitigate, manage and report, with ongoing
monitoring by the Risk Management Department (RMD).

• Residual Risks identified as ‘Medium’ should be assessed on a case by case
basis to understand the nature of the risk and whether the strengthening of
controls is required; otherwise they can be tolerated if it is determined that impacts
won’t adversely affect organisational objectives. Medium risks can be managed
with controls but must be monitored to ensure the risk exposure is effectively
managed and doesn’t worsen.

• Residual Risks identified as ‘Low’ are within operational and organisational
tolerances and can be accepted. Low risks must still be recorded.
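The likelihood x impact scoring of sections 8.6.1 to 8.6.7, worked as an added Python example (not the framework's own tooling): it applies Tables 3 and 4, multiplies the ratings, classifies the product and flags residual scores above an appetite threshold. The heat-map band boundaries and the 8.0 appetite threshold are assumptions, since the page only states the points 16 = Very High, 12 = High and 3 = Low and leaves the threshold to the Board/RMC.

```python
"""Likelihood x impact risk scoring as described in section 8.6 of the framework.

Added example, not the IOIPG document's own tooling. Tables 3 and 4 are from the
page; RISK_LEVEL_BANDS and APPETITE_THRESHOLD are ASSUMED (the page only states
that 16 = Very High, 12 = High, 3 = Low, and that the Board/RMC sets the threshold).
"""
from dataclasses import dataclass

# Table 3: upper probability bound (%) -> likelihood level.
PROBABILITY_MATRIX = [(5.0, "Low"), (20.0, "Medium"), (50.0, "High"), (100.0, "Very High")]
# Rating ranges shared by Table 3 (likelihood) and Table 4 (impact).
RATING_RANGES = {"Low": (0.1, 1.0), "Medium": (1.1, 2.0), "High": (2.1, 3.0), "Very High": (3.1, 4.0)}
# ASSUMED heat-map bands for the product (maximum 4 x 4 = 16); consistent with 3, 12 and 16.
RISK_LEVEL_BANDS = [(4.0, "Low"), (8.0, "Medium"), (12.0, "High"), (16.0, "Very High")]
# Section 8.6.7: response required for each residual level.
RESPONSES = {
    "Very High": "unacceptable; risk owner immediately mitigates, manages and monitors",
    "High": "unacceptable; risk owner mitigates and reports, RMD monitors",
    "Medium": "case by case; tolerate or strengthen controls, keep monitoring",
    "Low": "within tolerance; accept but record in the register",
}
APPETITE_THRESHOLD = 8.0  # ASSUMED residual score above which a risk is out of appetite


def likelihood_level(probability_pct: float) -> str:
    """Map a probability of occurrence (%) to its Table 3 likelihood level."""
    if not 0.0 <= probability_pct <= 100.0:
        raise ValueError("probability must be between 0 and 100 percent")
    return next(level for upper, level in PROBABILITY_MATRIX if probability_pct <= upper)


def rating_in_range(rating: float, level: str) -> bool:
    """Register consistency check: a numeric rating must sit inside its level's range."""
    low, high = RATING_RANGES[level]
    return low <= rating <= high


def risk_score(likelihood: float, impact: float) -> float:
    """Sections 8.6.3 and 8.6.5: score = likelihood rating x impact rating."""
    for value in (likelihood, impact):
        if not 0.1 <= value <= 4.0:
            raise ValueError("ratings must lie between 0.1 and 4.0")
    return round(likelihood * impact, 2)


def risk_level(score: float) -> str:
    """Place a score on the (assumed) heat-map bands."""
    for upper, level in RISK_LEVEL_BANDS:
        if score <= upper:
            return level
    raise ValueError("score exceeds the 16.0 maximum")


@dataclass
class RiskEntry:
    name: str
    inherent: tuple  # (likelihood rating, impact rating) before controls
    residual: tuple  # (likelihood rating, impact rating) after controls are applied


def review_register(entries, appetite=APPETITE_THRESHOLD):
    """Score each risk and flag residual exposure above the appetite threshold."""
    rows = []
    for entry in entries:
        residual = risk_score(*entry.residual)
        level = risk_level(residual)
        rows.append({"risk": entry.name, "inherent": risk_score(*entry.inherent),
                     "residual": residual, "level": level,
                     "out_of_appetite": residual > appetite, "response": RESPONSES[level]})
    return rows


# Constructed register from the page's Cost Overrun example: inherent 4 x 4 = 16,
# residual 1 x 3 = 3 with 'Good' controls and 3 x 4 = 12 with 'Poor' controls.
SAMPLE_REGISTER = [
    RiskEntry("Cost Overrun (good controls)", inherent=(4.0, 4.0), residual=(1.0, 3.0)),
    RiskEntry("Cost Overrun (poor controls)", inherent=(4.0, 4.0), residual=(3.0, 4.0)),
]
```

Running review_register(SAMPLE_REGISTER) reproduces the page's two outcomes: the well-controlled entry lands at 3 = Low and is accepted, the poorly controlled one at 12 = High and is flagged out of appetite.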

8.6.8 Action plans

Where control weaknesses are identified and the decision is taken that further
mitigation is required (i.e. the residual exposure is not accepted), an action plan must
be established.

All actions must be:

• Owned: who is responsible for ensuring the action is addressed.
• Specific: the exact activities that will be undertaken.
• Timely: must be completed within appropriate time frames, commensurate with
the significance of the gap/weakness.
• Achievable: the action/activities must be realistic to ensure appropriate
mitigation.
• Measurable: it must be possible to quantify the action or have a means of
assessing progress.
• Justified: can demonstrate a further reduction in the Residual Likelihood and/or
Impact.
• Governed: tracked, managed and reported.

9.0 RISK REPORTING

Reporting associated with the Risk Management Framework is structured to satisfy two criteria:

1) Information relating to the IOI Properties Group Berhad existing risk profile & Risk
registers and;
2) Information relating to the IOI Properties Group Berhad implementation, performance
and status of the Framework. (Compliance)

The table below indicates the reporting responsibilities and frequency:

Report Name: Strategic Risk Assessment
  Submission By: Chief Operating Officer (COO)
  Report Recipient: Senior Management / Risk Management Committee (“RMC”) / Group Risk Management Department
  Frequency: Annually

Report Name: Business Unit Risk Register Status Report
  Submission By: All Business Unit General Managers / Asst. General Managers / Managers
  Report Recipient: Risk Management Committee (“RMC”) / Group Risk Management Department
  Frequency: Quarterly / Half Yearly

Report Name: Department Risk Assessment(s)
  Submission By: Business Unit Managers / Risk Team
  Report Recipient: Group Risk Management Department
  Frequency: Quarterly / Monthly reviews for High / Very High risks

Report Name: Risk Mitigation Actions on Track
  Submission By: Responsible risk control & action owners (facilitated by Risk & Assurance Team)
  Report Recipient: Group Risk Management Department
  Frequency: Quarterly

Table 5: Reporting Accountabilities & Frequencies

INTERNAL REPORTING

Board / Senior Leadership Team
• The Group’s risk profile
• Actions to address key risks
• Effectiveness and progress of actions taken
• State of risk management framework
• Major incidents and issues

Management Team
• Results/Key Performance Indicators
• Commentary on major events in period
• Major incidents and issues
• Areas of focus where risks are changing adversely
• New risk exposure
• Progress on actions to address key risks

Operational Team
• Commentary on major events in the reporting period
• Major incidents and issues
• Areas of focus where risks are changing adversely
• Progress on actions to address key risks

EXTERNAL REPORTING
• Better disclosure of risks and risk management practices to stakeholders

Diagram 10: Reporting Structure

10.0 RISK TRAINING & DEVELOPMENT

To ensure the successful implementation of risk management throughout the organisation, it is
planned that appropriate training in risk management will be provided to High Level Management
and the managers of each Business Unit. Training co-ordinated between the Training
Department & Group Risk Management Department should encompass the risk management
process, application of risk management tools, assistance with identification and analysis of the
group’s risk exposures, risk profiling and reporting.

In addition, the group’s Risk Management Team will coordinate with the Training and
Development Department to work towards ensuring:

• Induction training will include Risk Management awareness and the Employee Code of
Conduct.
• Employees receive regular Risk Management awareness and update training (at
minimum, a half-day refresher course once every year for those staff directly involved in
Risk Reporting and Monitoring).
• Any updates and changes to the Risk Management Policy, Framework related policies,
procedures, Codes of Conduct, ethics etc. are circulated to all employees via the Intranet
or email where deemed necessary.

11.0 APPROVING AUTHORITY

The Board of Directors (“Board”) and Risk Management Committee (“RMC”) shall be responsible
for the approval or ratification of the Enterprise Risk Management (“ERM”) Framework.

12.0 DATE OF IMPLEMENTATION

Enterprise Risk Management (“ERM”) Framework is effective immediately upon approval by the
Board of Directors (“Board”) on 7th September 2018.

13.0 REFERENCE

The Framework is to be read in conjunction with all the other relevant policies and internal
procedural documents issued by IOIPG, International Standard bodies (“ISO”) and the Department of
Standards Malaysia (“MS ISO”):

a) International Standard ISO 31000: Risk Management – Principles and Guidelines
b) Malaysian Standard MS ISO 31000: Risk Management – Principles and Guidelines

14.0 COMPLIANCE

The Framework applies to all departments/units/projects in which IOIPG is engaged or involved.

15.0 EXCEPTIONS

Any exception from this Framework shall require the approval of the Board of Directors of IOIPG
(“Board”) and the Risk Management Committee (“RMC”) unless it is deemed operational in
nature.

Appendix 1 – Risk Management RACI Matrix

The RACI matrix indicates the level of participation in each step of the process. The RACI
acronym is derived from the four (4) key responsibilities in the risk management process, which are
Responsible, Accountable, Consulted and Informed.

Responsible (R) – Accountable (A) – Consulted (C) – Informed (I)

Activity | Staff | Head BU’s | Manager | Risk Champion | Risk Mgt Dept | Risk Owner | Control Owner | CEO | RMC | Audit
Risk Culture I I C C C R R A A
Risk Appetite Setting I C C C C R R A A
Risk Framework I I I C R C C A A
Communication I I I C R C C I I
Training / Awareness I I R R R R R A A
Hazard Identification R R R R R R R R R
Risk Assessment / Evaluation I C C R R C C A I
Out of Cycle Risk Assessment C C R R C R C A I
Risk Mitigation Strategies / Action Plans I C C R C C A A I
Monitoring I R A C C A A A I I
Reporting I C R R R A A I I I
Assurance I I C R R C C A A R
Attestation I R C R C A A I I
Crisis Management I R R R R R R A I
Emergency Management / BCP I R R R R R R A I
Post Incident Review C C C R R C C I I

R - Responsible: Complete the work to achieve the task

A - Accountable: Ultimately answerable for accurate completion of the task or approval / final
approving authority

C - Consulted: Those whose opinions are sought to complete the task (SME)

I - Informed: Notified of the result of the task

Appendix 2 – Risk Register Template

Review Of Key Principal Risk & Control Activities

Risk Register Note: PLEASE DO NOT ALTER LAYOUT OF REPORT

Template fields:

• Principal Risk
• Description / Root Cause of Risk
• Brief Overview of Controls, Corrective Action & Strategies
• RISK:
• Risk No. (Select)
• Risk Rating (N/A)
• Corrective Action & Mitigation Strategy
• Risk Status (Select)
• Risk Category (Select)
• Impact (Select)
• Likelihood (Select)
• Consequences / Opportunities (if any) arising from the Risk
• Control Type (Preventive / Detective / Directive / Corrective)
• Risk Owner:

Appendix 3 – Risk Review Report

Note: PLEASE DO NOT ALTER LAYOUT OF REPORT

EXECUTIVE SUMMARY

Risk Review Period (*Compulsory): Select one of N/A, 1st Half FY 2018, 2nd Half FY 2018,
1st Half FY 2019, 2nd Half FY 2019, 1st Half FY 2020, 2nd Half FY 2020

Business Entity (*Compulsory): Select

Scope Of Review: Select (N/A)

Acknowledgement
We are directly responsible for the design, establishment, and maintenance of internal
control systems to manage risks related to our Unit / Department.

Scope of the review
We have for the mentioned period identified and reviewed all principal risks; corresponding
controls (in processes and procedures) and control activities (monitoring, measure, analyses &
communication); and have responded appropriately to the same for the following units/depts/
functions: -

Signed Off By: Head Of Division / Department / Business Unit    Date:

Acknowledged By: Risk Management Dept    Date:
