FRAMEWORK V.01
Version 01.1, 2018
TABLE OF CONTENTS
OVERALL ENTERPRISE RISK MANAGEMENT FRAMEWORK OF IOI PROPERTIES GROUP BERHAD (“IOIPG”)
Abbreviations (p. 4)
Key Terms (p. 5)
1.0 INTRODUCTION
1.1 Overview (p. 6)
1.2 Purpose (p. 7)
1.3 Objective (pp. 7-8)
1.4 Benefit (p. 9)
1.5 Restriction (p. 9)
2.0 ORGANIZATION
2.1 Background (pp. 10-11)
2.2 Governance Structure (p. 11)
2.3 Risk: Corporate vs Governance (p. 12)
2.4 Governance of Risk: Three Lines of Defense (pp. 13-15)
2.5 Risk Culture (pp. 15-16)
2.6 Roles and Responsibilities (p. 16)
2.6.1 Board of Directors (p. 16)
2.6.2 Risk Management Committee (p. 17)
2.6.3 Chief Executive Officer (CEO) / Senior Management (p. 18)
2.6.4 Risk Management Department (p. 18)
2.6.5 Business Units / Projects (p. 19)
2.6.6 Risk Champion / Representative (p. 19)
2.6.7 Project Managers (p. 19)
2.6.8 Risk Quality Assurance Coordinator (p. 20)
2.6.9 Group Internal Audit (p. 20)
3.0 RISK AWARENESS, LEARNING AND CULTURE (p. 21)
5.0 ENTERPRISE RISK MANAGEMENT FRAMEWORK (p. 23)
5.1 Overall Internal Control (p. 24)
5.2 General Elements (pp. 24-27)
6.0 STRATEGY
6.1 Risk Management Strategy (pp. 28-29)
6.2 Risk Appetite (pp. 29-30)
6.3 Risk Response (p. 30)
7.0 GUIDELINES AND PRINCIPLES (p. 31)
7.1 Risk Management Principles (p. 32)
7.2 Risk Management Guidelines (p. 32)
8.0 RISK MANAGEMENT PROCESS (p. 33)
8.1 Communication and Consultation (p. 34)
8.2 Establish the Context (pp. 34-35)
8.3 Risk Assessment (pp. 36-39)
8.4 Risk Mitigation Strategies (pp. 39-42)
8.5 Monitoring and Review (pp. 42-44)
8.6 Risk Management Tool – Risk Register (pp. 44-50)
9.0 RISK MANAGEMENT REPORTING (pp. 51-52)
10.0 RISK TRAINING & DEVELOPMENT (pp. 52-53)
11.0 APPROVING AUTHORITY (p. 53)
12.0 DATE OF IMPLEMENTATION (p. 53)
13.0 REFERENCE (p. 53)
14.0 COMPLIANCE (p. 53)
15.0 EXCEPTIONS (p. 53)
APPENDICES
Abbreviations
Key terms
Establishing a common language for risk is important in promoting consistent and effective risk management across IOIPG. The terms used in this document are listed below, together with their intended meaning:
1.0 INTRODUCTION
1.1 Overview
The Enterprise Risk Management (ERM) Framework has been established and developed to provide a comprehensive and proactive approach to managing risk for IOI Properties Group Berhad (IOIPG), since risk influences every aspect of our business. Understanding the risks faced by IOIPG and managing them appropriately will enhance IOIPG's ability to make better decisions, which will in turn improve the group's overall performance. The framework also ensures that risk objectives are properly defined and that proper controls are in place. In addition, general awareness of managing risk across IOIPG is crucial.
To respond appropriately to the above factors and, at the same time, to promote and inculcate balanced risk-taking in the business, IOIPG has recognized the need to create risk awareness among staff and stakeholders. This in turn will assist IOIPG in establishing an adequate enterprise risk management framework.
The scope of the enterprise risk management framework covers all activities, processes, functions, projects, products, services, assets and systems currently in place at IOIPG. The process owner for all risk management initiatives is the Head of the Risk Management Department, while the intended users include all stakeholders of IOIPG. In addition, the framework complies with the best practices of the International Standard ISO 31000 (Risk Management – Principles and Guidelines) and the Malaysian Standard MS ISO 31000.
1.2 Purpose
Risk influences every aspect of IOIPG's business and operations. Understanding the risks that IOIPG faces and managing them appropriately will enhance the group's ability to make better decisions, meet its objectives and subsequently improve the group's performance.
1.3 Objective
The primary objective of the ERM framework is to support the overall achievement of IOI Properties Group Berhad's strategic objectives and to safeguard the group's resources, people, finances, property and reputation through:
Other relevant objectives of this framework are to:
• Outline IOIPG's risk context, which comprises its philosophies, strategies and policies, and its operating system, so as to better manage the business, project or other risk exposures faced by the group;
• Provide guiding risk management principles to the respective HODs to assist them in governing the actions of their personnel in managing risks; and
• Provide assurance to the Board that a sound risk management and internal control system is in place and in conformance with global risk management standards (ISO 31000).
To realize the objectives of the enterprise risk management framework, IOIPG shall:
1.4 Benefits
The positive outcomes to be derived from an effective enterprise risk management framework are as follows:
• To act as a platform enabling IOIPG to anticipate and respond to risks effectively;
• To encourage comprehensive and reliable sources of information on the status of risks and the control measures;
• To minimise the likelihood of unforeseen damage to IOIPG's financial performance, reputation and stakeholders' confidence;
• To create the opportunity to align corporate strategy with risk strategy;
• To act as a tool enabling the management of risks affecting both tangible and non-tangible assets;
• To provide opportunities to eliminate or reduce costs through more targeted and effective control measures that are aligned to key objectives and risks;
• To provide the basis for more effective strategic planning;
• To contribute to the improvement of overall organizational efficiency and effectiveness;
• To enable optimum use of resources; and
• To provide a framework for ensuring that unavoidable risks are adequately mitigated.
1.5 Restriction
This ERM framework is for internal use in IOIPG and not for general circulation or
publication nor is it to be reproduced, either in whole or part, or used for any other purposes
without Management’s prior written consent. Management does not assume any
responsibility or liability arising from any losses however occasioned by any other party
arising from the circulation, publication, reproduction or use of this document.
2.0 ORGANIZATION
2.1 Background
IOI Properties Group Berhad ("IOIPG") is one of Malaysia's leading public-listed property developers. It had built a solid reputation as the esteemed property arm of IOI Group prior to its successful listing on the Main Market of Bursa Malaysia Securities Berhad on 15 January 2014.
IOIPG is renowned as one of the largest property companies in the country, with a proven track record spanning more than three decades in the property development industry. Its principal activities include property development, property investment, and leisure and hospitality. It has successfully developed sustainable townships in the sought-after regions of the Klang Valley and Johor in Malaysia, while embarking on property developments in Singapore and the People's Republic of China. IOIPG currently has a total of 10,000 acres of landbank in Malaysia and abroad.
IOIPG established its presence in the Singapore property market in 2007. It has ventured into five property developments in the country, comprising high-end residential developments and integrated mixed developments. Among them are the luxury condominium developments of Seascape and Cape Royale in Sentosa Cove and the award-winning South Beach project.
In 2010, IOIPG ventured into property development in China. It has embarked on two mixed property developments, namely IOI Park Bo Bay and IOI Palm City in Xiamen, Fujian Province, People's Republic of China.
On the leisure and hospitality front, IOIPG owns and manages prestigious hotels, shopping
malls, golf courses and office blocks in Malaysia.
A strong testament to its quality excellence, it is consistently ranked among the top
developers in Asia and bestowed numerous accolades by leading publications and
organizations such as FIABCI, BCI Asia, The Edge Malaysia, Asia Pacific Property Awards,
and the Building and Construction Authority (“BCA”) in Singapore.
The IOI Properties Group Berhad provides a diverse range of services to 110,000 residents
in one of Victoria’s most densely populated municipalities. IOI Properties Group Berhad is
required to plan for and manage growth and change, deliver on its objectives within the
context of significant population, climate and urban change as well as increased legislative
and regulatory compliance obligations and financial accountability.
2.3 Corporate Governance vs Risk Governance
IOIPG maintains strong leadership through sound governance and ethical business conduct. It believes in achieving responsible commercial success while balancing the interests of its stakeholders, and it upholds sustainability practices in the business as well as the regulatory laws imposed in the countries where it operates.
The safety and soundness of corporate governance rely on the effectiveness of the risk oversight and control functions. Over time, risk management approaches and practices in the industry have evolved substantially, with increased attention to advancements in risk management processes and practices, as well as to the segregation of functions as independent parties within the internal control environment.
Risk governance focuses on applying the principles of sound corporate governance to the assessment and management of risks, to ensure that risk-taking activities are aligned with IOIPG's capacity to absorb acceptable losses and with its long-term viability.
It is concerned in particular with the roles of the Board, senior management and the risk management control functions, as well as with the processes by which risk information is collected, analyzed and communicated to provide a sound basis for management decisions. It is also concerned with the effects of incentives and organizational culture on risk-taking behaviour and on perceptions of risk within IOIPG.
With its various kinds of property development businesses, projects and activities, the availability of comprehensive processes and integrated systems to support an enterprise-wide, consolidated view of risks is particularly critical. Also important is IOIPG's capacity to respond swiftly to changes in the operating environment and to developments in business strategy.
2.4 Governance of Risk: Three Lines of Defense Model
Risk management has a key role in the corporate governance structure in ensuring the effective management of risk.
The Board provides direction to senior management by determining and setting the organization's risk appetite. It also seeks to identify the principal risks facing the group. Thereafter, the Board assures itself on an ongoing basis that senior management is responding appropriately to the risks identified.
The Board delegates primary ownership of and responsibility for operating risk management and control to the CEO and senior management. It is management's responsibility to provide leadership and direction to the rest of the employees in respect of risk management, and to control the organization's overall risk-taking activities in relation to the agreed level of risk appetite.
1. The first line of defense – functions that own and manage risk.
2. The second line of defense – functions that oversee or specialize in risk management and compliance.
3. The third line of defense – functions that provide independent assurance, above all internal audit.
The "Three Lines of Defense" model provides a simple and effective way to enhance communication on risk management and control by clarifying essential roles and duties:
In some areas, specialist compliance roles have also been established to assist in promoting and monitoring compliance, e.g. in Finance and Business Technology.
➢ 2nd Line of Defense – Risk Management & Compliance.
The risk management and compliance functions ensure that the framework is fully embedded and operational, and monitor the 1st line controls to ensure that risks are being effectively managed. The risk management function facilitates and monitors the implementation of effective risk management practices by management, and assists risk owners in defining the target risk exposure and in reporting adequate risk-related information throughout the organization. Each of these functions has some degree of independence from the first line of defense.
The Chief Executive Officer (CEO) and the Senior Management Leadership Team provide governance leadership, agree the strategic direction and risk appetite, and promote the culture and 'tone from the top' in order to ensure the best outcome for the group, its staff and stakeholders. They, like all levels of management, will actively consider risks during strategic and tactical decision-making, and they will determine annually the level of residual risk/appetite they are willing to accept. IOIPG will take a risk-based approach to managing internal and external project, operational and strategic risks: i.e. risks will be managed and monitored according to their severity and financial exposure, so as to identify the quantum of each risk involved and its impact.
The Risk Management Committee ("RMC") will conduct two full half-yearly reviews of business unit risks (facilitated by the Risk Management & Quality Assurance Team), with monthly monitoring of High and Very High risks and quarterly monitoring of Medium and Low risks. Management will also conduct out-of-cycle reviews of operational, financial, project or strategic risks where material changes occur, controls break down or new risks emerge, i.e. organizational change, a major process or system change, failure of controls, a major incident, a compliance breach, a serious complaint or a significant near miss.
It is therefore everyone's responsibility within IOIPG to manage risk: the accountability for managing any specific risk sits with the person best placed to manage that risk. This is reflected in position descriptions (with varying degrees of responsibility at the various levels) and in the performance management process.
2.6.2 Risk Management Committees (“RMC”)
2.6.3 Chief Executive Officer (CEO) / Senior Management team
• The CEO, supported by the Chief Operating Officers of the Divisions (COOs), is accountable for ensuring appropriate risk management within the group;
• Endorse the Risk Management Policy for approval by the Board of Directors of IOI Properties Group Berhad (IOIPG), approve the Enterprise Risk Management Framework, and monitor its implementation;
• Provide executive leadership in the management of strategic, operational and project risk, and generally champion risk management within the group;
• Ensure that their respective divisional risk profiles, as entered by each department, are reviewed, updated and approved quarterly (monthly for high risks);
• Report expeditiously to the Risk Management Committee ("RMC") any incidents or material risk mitigation failures and the actions taken.
2.6.5 Business Units (BU’s) or Project Units – Risk Owner
• Accept the risk owner concept and own and manage their risks;
• Take all necessary steps to comply with the Enterprise Risk Management Framework;
• Support the risk correspondents (risk champions/representatives) in promoting and championing risk awareness and the reporting of risk management;
• Be conversant with the risk profiles of their own units/projects/departments and, if required, share such knowledge with both internal management and the relevant external bodies;
• Verify and validate the risk reporting prepared by risk champion/coordinator personnel;
• Validate risk ratings, preventive controls and mitigating measures;
• Escalate risk issues to the Risk Management Department/Manager and related departments;
• Take ownership of risk management for their business or project units;
• Instil, apply and promote risk management awareness among staff;
• Ensure that this framework is applied to the projects under their purview; and
• Where a project is considered to materially influence the achievement of IOIPG's Corporate Objectives, ensure that the project risk assessment is facilitated by the Risk and Compliance Representative.
2.6.8 Risk Quality Assurance coordinator
3.0 AWARENESS, LEARNING AND CULTURE
IOI Properties Group Berhad (IOIPG) will build a strong risk culture, which is the combined set of individual and corporate values, attitudes, competencies and behaviours that determines our commitment to and style of risk management.
Risk management requires everyone's participation, both in reporting and in managing risks. Substantial communication and awareness are essential to build a common understanding of risk management and to gain widespread staff buy-in. The success of a risk management program will depend almost entirely on how it is perceived and embraced by the staff and managers who have to execute it.
Premised on the above, the Risk Management Department (RMD) is to work closely with the Human Resource Department (HR) – Training & Development to develop a structured risk awareness and learning program in which the learning modules are customized to suit staff at the various levels.
Risk may be viewed as the threat of some event, action or loss of opportunity that, if it occurs or crystallizes, will adversely affect any one or a combination of the following:
As may be appreciated from this concept, and given the diversity of its business objectives, strategies and operations, IOIPG faces a multitude of risks. These may be categorized in general into strategic risks, operational risks and project risks.
Since the future is uncertain, every business or project activity carries its own risks and rewards, and the objective is to identify and reap the rewards and opportunities while managing and controlling the resulting risks.
ERM is truly a holistic, integrated, future-focused, and process-oriented approach that helps
IOIPG to manage all key business risks and opportunities with the intent of maximizing
shareholder value as a whole.
5.1 Framework as an overall internal control
IOI Properties Group Berhad undertakes proactive enterprise risk management because:
5.1.1 It is good practice to understand the strategic and operational risks and opportunities facing IOI Properties Group Berhad in order to make informed decisions and meet organizational and strategic goals;
5.1.2 IOI Properties Group Berhad provides critical services and infrastructure to its customers and stakeholders, and has service agreements and contractual obligations to non-government business entities and organizations; and
5.1.3 It seeks to implement the best practices of risk management in the market, in line with the related International Standard.
The Framework is designed to provide the architecture for a common platform for all risk management activities undertaken by IOI Properties Group Berhad, from individual functional, process or project-based assessments to whole-of-organization assessments, with the aim of enabling comparative analysis and prioritization of those assessments either individually or cumulatively.
The effectiveness of risk management will depend on its integration into the governance of the organization, including decision-making. This requires support from stakeholders, particularly senior management.
The organization should evaluate its existing risk management practices and processes, identify any gaps and address those gaps within the framework.
The components of the framework and the way in which they work together should be customized to the needs of IOIPG.
The Board and senior management should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and their commitment by:
i. customizing and implementing all components of the framework;
ii. issuing a statement or policy that establishes a risk management approach, plan or course of action;
iii. ensuring that the necessary and sufficient resources are allocated to manage risks; and
iv. assigning authority, responsibility and accountability at appropriate levels within the organization.
Senior management is accountable for managing risk, while the Board is accountable for overseeing risk management as a whole.
5.2.2 Integration
Integrating risk management into the organization is a dynamic and iterative process and should be customized to the organization's needs and culture. Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations.
5.2.3 Design
The Board and senior management should demonstrate and articulate their continual commitment to risk management through a policy, a statement or other forms that clearly convey the organization's objectives and commitment towards good risk management.
They should ensure that the empowerment, responsibilities and accountability for the relevant roles with respect to risk management are assigned and communicated at all levels of the organization, and should also ensure the allocation of appropriate resources for risk management.
5.2.4 Implementation
Implementation of this framework will ensure that the risk management process is a
part of all activities throughout the organization, including decision-making, and that
changes in external and internal contexts will be adequately captured.
5.2.5 Evaluation
The performance of the framework should be periodically measured, reviewed and evaluated against its purpose, implementation plans, indicators and expected behaviour, to ensure that risk management remains effective and in place.
5.2.6 Improvement
The organization should continually monitor and adapt the risk management framework
to address external and internal changes. In accomplishing this, the organization can
enhance its value.
It also should continually improve the suitability, adequacy and effectiveness of the risk
management framework and the way risk management process is integrated.
6.0 STRATEGY
As an essential facet of the risk management system, the following risk strategy forms the strategic drive of the Risk Management Framework and sets the internal control method that guides all personnel of IOIPG in dealing with risks in a rational, target-oriented manner:
Just as a business strategy indicates the direction of the business, a risk strategy provides guidance for the risk activities within IOIPG. It can set the tone for aggressive or conservative risk management activities, dictate how measuring and monitoring activities are carried out, and provide the strategic view needed by the Board and Senior Management. It is the risk strategy that provides the backbone for embedding risk management within the culture of IOIPG's business.
1. Emerging risks;
2. Risks that might be outside the group's control (e.g. political change and climate);
3. Where best to allocate scarce resources; and
4. Where IOI Properties Group might want to take on additional risk to pursue a strategic objective or in expectation of above-average returns.
Risk appetite should be set for each individual strategic risk and tolerance levels agreed, using relevant performance indicators which are monitored through the monthly enterprise reports. For operational risks, the group's risk appetite will inform the annual risk process, controls and assurance activities and is generally defined as follows:
To reduce and minimise the risk exposure and the impact on IOI Properties Group Berhad should risks materialise, the limit for the Board's approval of "Investment" is to be capped at 10% of the Company's market capitalization, while the capital expenditure limit is to be reduced to RM100 million.
In consideration of our risk appetite, one or more of the following actions may be pursued:
7.0 PRINCIPLES AND GUIDELINES
It also provides a common methodology to identify and manage potential events that may
affect the group’s accountability for risk management and its governance.
The framework that IOIPG Group adopts is in line with global best practices and globally
accepted risk management standards such as the ISO 31000 standards, as depicted in the
following diagram:
7.1 Risk Management Principles
All levels of IOIPG Group shall commit to incorporating the following principles from the ISO 31000 International Standard. Risk management will:
• Create and protect value;
• Be an integral part of the group's organizational processes;
• Be part of the decision-making process;
• Explicitly address uncertainty by providing a framework in which risk can be assessed;
• Be systematic, structured and timely;
• Be based on the best available information;
• Be tailored to the group's internal and external environments;
• Take into account the group's human and cultural factors;
• Be a transparent and inclusive process;
• Be dynamic, iterative and responsive to changes; and
• Continually improve.
• The Inherent Risk - the risk that an activity would pose if no controls or other mitigating factors were in place. Determining the Likelihood and Impact of the risk occurring allows IOIPG Group to understand which risks are of greater concern and must therefore be mitigated accordingly.
• The Residual Risk - the risk that remains after the effectiveness of controls is taken into account (the risk after controls). It is determined by assessing the effectiveness of the controls in place to mitigate the Likelihood and Impact of the risk occurring.
All risks will be captured in an organisational Risk Register (Excel spreadsheet) and reported regularly through the various Management and Committee structures.
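The following is an added worked example of the inherent/residual rating and the monthly/quarterly review cadence described above; it is illustration code written for this page, not the framework's own register or any IOIPG tooling. The framework names Likelihood, Impact, inherent and residual risk, the four rating bands (Very High, High, Medium, Low) and the cadence (High and Very High monthly, Medium and Low quarterly), but it does not publish a scoring scale, so the 1-5 scales, the band cut-offs, the control-effectiveness factors and the sample register rows below are all assumptions.

```python
"""Inherent vs residual risk rating for a risk register (added example).

Not code from the IOIPG framework. The 1-5 scales, band cut-offs and
control-effectiveness factors are ASSUMPTIONS; only the band names and the
monthly/quarterly cadence come from the framework text.
"""
from dataclasses import dataclass, field

# ASSUMED ordinal scales (not published by the framework).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# ASSUMED fraction of the inherent score that survives the controls in place.
CONTROL_EFFECTIVENESS = {"none": 1.0, "weak": 0.75, "adequate": 0.5, "strong": 0.25}
# Cadence stated in section 2.4: High / Very High monthly, Medium / Low quarterly.
REVIEW_CADENCE = {"Very High": "monthly", "High": "monthly",
                  "Medium": "quarterly", "Low": "quarterly"}


def band(score: float) -> str:
    """Map a likelihood x impact score (1..25) to a rating band. ASSUMED cut-offs."""
    if score >= 20:
        return "Very High"
    if score >= 12:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class RiskEntry:
    """One register row: category, statement and contributing factors (the fields
    the framework asks for) plus the inputs needed to rate it."""
    ref: str
    category: str
    statement: str
    causes: list
    likelihood: str
    impact: str
    control_effectiveness: str = "none"     # "none" == no controls, i.e. inherent view
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        # Inherent risk: rate the event as if no controls existed.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> float:
        # Residual risk: what remains once control effectiveness is taken into account.
        return self.inherent_score() * CONTROL_EFFECTIVENESS[self.control_effectiveness]

    def inherent_rating(self) -> str:
        return band(self.inherent_score())

    def residual_rating(self) -> str:
        return band(self.residual_score())

    def review_cadence(self) -> str:
        return REVIEW_CADENCE[self.residual_rating()]


def validate(entry: RiskEntry) -> list:
    """Checks a risk owner would make before approving a row (section 2.6.5:
    validate risk ratings, preventive controls and mitigating measures)."""
    problems = []
    if entry.likelihood not in LIKELIHOOD or entry.impact not in IMPACT:
        problems.append(f"{entry.ref}: likelihood/impact outside the agreed scale")
    if entry.control_effectiveness not in CONTROL_EFFECTIVENESS:
        problems.append(f"{entry.ref}: unknown control effectiveness")
    elif entry.control_effectiveness != "none" and not entry.controls:
        # A residual reduction is being claimed without naming the control behind it.
        problems.append(f"{entry.ref}: control effectiveness claimed but no control listed")
    if not entry.causes:
        problems.append(f"{entry.ref}: no contributing factors recorded")
    return problems


def review_packs(entries) -> dict:
    """Split the register into the monthly pack (High / Very High residual) and the
    quarterly pack (Medium / Low residual), each ordered by residual score."""
    packs = {"monthly": [], "quarterly": []}
    for e in sorted(entries, key=lambda e: e.residual_score(), reverse=True):
        packs[e.review_cadence()].append(e.ref)
    return packs


# Constructed sample rows for illustration only (not IOIPG data).
SAMPLE_REGISTER = [
    RiskEntry("T-01", "Technology", "Ransomware on a shared file server",
              ["unpatched hosts", "flat network"], "likely", "severe",
              "adequate", ["offline backups", "EDR on endpoints"]),
    RiskEntry("F-02", "Financial", "FX loss on overseas project receipts",
              ["unhedged exposure"], "possible", "major", "weak", ["partial hedging"]),
    RiskEntry("O-03", "Operational", "Site accident during an active construction phase",
              ["night works"], "almost certain", "moderate"),
    RiskEntry("R-04", "Reputation", "Negative press from a delayed handover",
              ["contractor default"], "unlikely", "minor", "strong"),
]

if __name__ == "__main__":
    for e in SAMPLE_REGISTER:
        print(f"{e.ref} inherent {e.inherent_score():>2} ({e.inherent_rating()}) "
              f"residual {e.residual_score():.2f} ({e.residual_rating()}) -> {e.review_cadence()}")
    print(review_packs(SAMPLE_REGISTER))
    for e in SAMPLE_REGISTER:
        for problem in validate(e):
            print("VALIDATION:", problem)
```

Two points the numbers make that the prose alone does not: a risk can be Very High inherently and Medium residually, so the inherent column drives where strong controls are needed while the residual column drives the monitoring cadence; and a row that claims control effectiveness without listing a control (R-04 above) should fail validation rather than quietly drop out of the monthly pack.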
8.0 RISK MANAGEMENT PROCESS
The risk management process is the “how to” element of the Framework and is defined in
the ISO Standard as “the systematic application of management policies, procedures and
practices to the task of communicating, establishing the context, identifying, analysing,
evaluating, treating, monitoring and reviewing risk.”
[Diagram: risk management process (only partially recoverable from the page)]
1. Communication & Consultation
   • Pool areas of expertise together
4. Risk Treatment
   • Selecting one or more options for modifying risks and implementing the option:
     1. Avoid risk
     2. Accept risk
     3. Remove risk
     4. Change likelihood & consequence
     5. Share / transfer risk
8.1 Communication and Consultation
Communication and consultation with internal and external stakeholders are important
elements at each step of the risk management process. Effective communication is
essential to ensure that those responsible for implementing risk management and those
with a vested interest understand the basis on which risk management decisions are made
and why particular actions are required.
Key direction is set through the adoption of the IOI Properties Group Berhad Corporate
Plan, which is reviewed annually to ensure it continually reflects important priorities. IOIPG
Group is dependent on the framework to be used at the strategic and departmental
business unit level to improve performance by the organisation in the achievement of the
group’s strategies and actions as detailed in the Plan.
Establishing the external context is important to ensure that our business counterparts
and external partners and their objectives are considered when developing risk
management criteria and that externally generated threats and opportunities are also
properly taken into account.
• Goals and objectives and the strategies that are in place to achieve them;
• Culture;
• Strategic Plan, budget and drivers;
• Internal stakeholders;
• Occupational Health and Safety;
• Governance and structure;
• Capabilities in terms of resources such as people and systems;
• Processes; and
• IOIPG internal strengths, weaknesses, opportunities and threats (SWOT).
In each instance, consideration must also be given to the roles and responsibilities for
driving and undertaking the risk management process. The next phase involves three
(3) interconnected stages - Risk Identification, Risk Analysis and Risk Mitigation.
8.3 Risk Assessment
8.3.1 Risk Identification / Classification
The 1st phase is the Risk Identification phase. Its purpose is to identify all risks: the "what, when, why and how" of incidents that might impact the achievement of the group's objectives. Comprehensive identification using a well-structured, systematic process is critical, as a risk not identified will be excluded from further analysis, so identification should include all risks, whether or not they are under the control of IOI Properties Group Berhad.
An incident relates to the failure of people, processes or systems, or arises from external factors (e.g. fire, flood, assault or damage). In other words, something has gone wrong: a control failed to operate as expected, was not performed, or perhaps there was no control in place. Incidents can have multiple and varied impacts:
• Financial (e.g. losses, costs, fines, penalties)
• Non-Financial (e.g. customer, damage to reputation/assets, regulatory, business interruption).
In this stage, all business units are to anticipate all potential risks and their impact on the operations of the business unit and record these in their respective risk registers. The register is for anticipated risks, NOT for a current, ongoing "problem statement" with corrective measures to overcome it.
Capturing incidents, understanding their root causes and investigating them are critical, as these provide us with important and timely information on the operation and effectiveness of our controls, the threats to our business operations, and the extent and nature of our risks.
Documentation of identified risks and their categories occurs through the development of a description of the risk and its entry into the group's Risk Register (Microsoft Excel spreadsheet). The risk description should contain the category of risk, a statement of the risk, and those factors which could cause or contribute to the occurrence of the risk event.
IOI Properties Group Berhad utilises a range of tools and approaches to determine potential risks, including:
• Team-based brainstorming with experienced and knowledgeable staff representatives;
• Structured techniques (such as SWOT analysis, process mapping, flow charting, systems analysis or operational modelling);
• Annual strategic planning, budget and risk identification workshops;
• Examination and analysis of historical reports and incidents;
• Regular compliance reviews (internal and external);
• Internal review by the Risk Management Committee ("RMC"); and
• Reviews by external service providers.
The organisational strategic risks are developed annually in conjunction with the Executive Management Team, using the group's strategic objectives and plan as a starting point. The organisational operating risks are identified in conjunction with the Heads of Business Units on at least a monthly basis, running in parallel with the group's annual business planning cycle. The output from both the Strategic and Business Unit Risk Assessments is then used as input to the Business Planning Process.
RISK CATEGORIES
Operational | Market | Reputation | Financial | Technology | Political | Strategic
• Supply Chain | Investors | Compliance | Credit | Systems | Government Stability | Change in Technology
• Production | Demand & Supply | Customer Service | Liquidity | CyberSecurity | Socioeconomic conditions | Regulatory
• Hazard | Pricing | Product Liability | FX Rates | Outdated Hardware | Internal Conflict | Political
• HR | Consumer Behaviour | Public Enquiry & Damage | Interest Rate | Connectivity | External Conflict | Global Economy
• Integrity | Commodity | Compliance | Competition
• Counter party | Investment | Corporate Governance
• Security | Global Economy
• Health & Safety | Taxation
At this stage, the analysis assumes that all controls have failed or that there were no
effective controls in place. Whilst this is unlikely, it allows IOI Properties Group
Berhad to understand which risks have the greatest potential to disrupt the business
operation and cause significant impact, and which therefore require strong and
effective controls with appropriate and ongoing oversight.
8.3.3 Risk Evaluation
Risk evaluation is the process of identifying and measuring risk. The risk evaluation
process includes identifying the risk, determining its probability and impact, preparing
an action plan to control the inherent risk, defining the risk rating to be achieved at
the residual risk stage, and monitoring the risk.
All of these risk management steps are supported by one risk management tool, the
risk register.
Risk mitigation involves identifying the most appropriate responses for reducing the inherent
risk level to a status acceptable within IOI Properties Group Berhad’s risk tolerance. Both
controls and mitigations are designed to mitigate the risk by reducing the likelihood of
negative risks occurring and/or reducing the impact of risks should they occur.
There are a number of mitigation options available and more than one will be applied to any
risk. Typical mitigation options include the establishment and operation of controls designed
to mitigate, discourage, identify and/or limit the impact and likelihood of a risk from
occurring. Most risks will have multiple different controls in place, some intended to prevent
a risk occurrence, some will detect an occurrence whilst others are designed to respond to
an occurrence. Controls will not always be performed by the risk owner. For example,
Business Units will have a key reliance on Technology to manage controls to ensure
systems are available and operating as required.
8.4.1 Controls
b) Preventive Controls are designed to discourage errors or irregularities from
occurring. They are proactive controls that help to ensure departmental
objectives are being met. Examples include:
c) Detective Controls are designed to find errors or irregularities after they have
occurred. Examples:
d) Corrective Controls are intended to limit the extent of any damage caused
by an incident e.g. by recovering the organisation to normal working status as
rapidly and efficiently as possible. Examples:
e) Transferring the risk is intended to enable sharing of the risk with a third party in
order to reduce the likely impact should the risk materialise:
f) Eliminate the risk. Some risks may only return to acceptable levels if the
activity is terminated. In such situations, the risks are deemed irrelevant and
not applicable in the current scenarios.
In certain scenarios, more than one response may be necessary to address an
identified risk. In those cases a combination of responses (controls / mitigations)
should be taken into consideration.
The risk assessment process provides a snapshot of the group’s risks, controls and action
plans at a given point in time – via the “Risk Register” (Appendix 3). The residual risk
impact and likelihood and control effectiveness ratings can be reflected on a one-page
Heat Map with supporting opinion and insight on risks, controls and actions – the “Risk
Profile”.
Because the external and internal environment in which we operate is fluid, the
influences on our objectives continue to ebb and flow. In addition, assumptions have been
made in relation to both the quality of response strategies already in place and the
implementation and quality of proposed responses. As a result, the risk management
process is iterative and should be subject to a structured monitoring and review process.
Risk responses and the effectiveness of control measures to manage risk need to be
monitored on an ongoing basis to ensure that changing circumstances, such as the political
environment and the IOIPG strategic objectives and risk appetite, do not alter the risk
evaluation profiles and adequacy assessments. New risks or deficiencies in existing
mitigation strategies may be identified via a number of sources:
Internal audit will provide particular attention to those controls, mitigation activities or
other responses identified through the risk assessment as having significant priority. In
addition, the Risk Assessment Process, including the Framework, will be monitored,
evaluated and reviewed by the Internal Auditor.
• Identify existing risk response plans in place.
• Establish objectives of the risk response plan, i.e. which risk is being mitigated and to
what level/extent.
• Evaluate if the existing risk response plans meet their objectives. Assess if the response
plans are sufficient and relevant, i.e. if any additional or removal of risk response plans is
required.
• Evaluate if the Business Unit is prepared to accept the type of risk and, if so, how much
risk it is prepared to tolerate.
• Assess if the existing response plans can be leveraged to mitigate/control the new risks
identified. Identify a range of risk response options & evaluate the options.
• Design a plan to implement the preferred options, including the relevant KPIs and
measures of success. Implement the selected risk response plans.
For risk assessments associated with the whole of IOI Properties Group Berhad or
individual departments, the review process will be built into the business planning
process. Output from the Strategic Risk Assessment and Business Unit Risk
Assessments are to be used as input to the Business Planning Process. That input will
include risk response plans. Internal Audit will use the information from the Business
Planning Risk Assessments, in particular the risk response plans, to assist with
development of the Internal Audit plan.
To ensure that the identified strategic risks, and measures in place to manage them,
remain aligned to the group’s strategic objectives, any change to the overall Strategic
Plan will trigger a review of the risk assessment exercise and the Risk Management
Process.
In relation to project-based risk assessments, the risk mitigation plan provides the
project manager with a tool to continuously monitor project improvement through the
implementation of the plan.
Issues and delivered risks identified through the course of the project must be assessed
and included in the project risk register, having gone through the full risk assessment
process outlined above. This will ensure the continuing relevance of the risk
assessment.
A sample of the Risk Register Template is enclosed as Appendix 3.
The business units will conduct their own review of their risk registers and provide updates
on the risk information from time to time via risk review reports for analysis and verification
by the Risk Management Department for the purpose of Half Yearly Financial risk review
sessions with the Risk Management Committee (“RMC”).
Impact Levels:
• Low (Range 0.1 to 1.0)
• Medium (Range 1.1 to 2.0)
• High (Range 2.1 to 3.0)
• Very High (Range 3.1 to 4.0)
A risk may fit into a single category or fall across multiple types and similarly the level
of impact may fit into more than one column. It is up to management (with assistance
from risk representatives) to determine the type with the highest consequence for
inclusion into the risk register. This consequence matrix document should be reviewed
at least every two (2) years with business subject matter experts as part of the
Framework review to ensure that categories and descriptions are relevant and
reflective of IOI Properties Group Berhad internal and external environments.
e.g. the Likelihood of a single risk is assessed as ‘Very High’ (4) and its Impact is
assessed as ‘Very High’ (4), giving 4 x 4 = 16.
The resulting level of risk will be shown as the intersection of the two dimensions on
the Risk Level Matrix (see below and Appendix 3). This provides the Inherent Risk
Rating of 16 = Very High, and immediate remedial action should be taken to reduce
this risk.
The risk rating displayed on a heatmap is shown in four (4) shaded areas reflecting the
level of risk(s), ranging from Low to High.
Where controls are operated by a third party (e.g. Technology), discussions with the
control owner should take place to ensure there is an appropriate assessment of the
control that takes into consideration the views of the control owner and the risk owner.
When the controls have been assessed and rated, the “Residual Risk” (the amount of
risk left over after inherent risks have been reduced by controls) rating can be
determined. For each of the risks listed from the Risk Identification process, the
Residual Likelihood of occurrence and potential impacts can be plotted by multiplying
the numbers associated with each criterion of Likelihood and Impact. For example, the risk
of a Cost Overrun occurring in the Project Management process, taking into
consideration the effectiveness of controls in place (considered ‘Good’), could now be
reassessed as follows:
The resulting residual risk (1 x 3 = 3) will be shown as the intersection of the two
dimensions on the matrix (see below). This provides the Residual Risk level of 3 =
Low. It is likely that no further actions would be required to further mitigate this risk.
Alternatively, if controls in place to mitigate a Cost Overrun occurring in the Project
Management process are determined to be ‘Poor’, the inherent risk could be
reassessed as follows:
The resulting residual risk (3 x 4 = 12) would be High. In these circumstances, the
Residual risk would be outside of appetite and would require actions to address the
control gaps or weaknesses to further mitigate the likelihood or impact of the risk
occurring.
This step prioritises the Residual risks to be addressed. The IOIPG Board Of Directors
and Risk Management Committee (“RMC”) will set a threshold (Risk Appetite) every
two years whereby risks above the threshold are unacceptable and must be addressed
and risks below the threshold are treated differently (i.e. recorded/recorded &
monitored). IOIPG has also set criteria for responses to the range of Residual Risk
Level ratings.
Using the example above – the Residual risk of a Cost Overrun is assessed as being
High.
• Residual Risks identified as ‘Medium’ should be assessed on a case by case
basis to understand the nature of the risk and whether the strengthening of
controls is required, otherwise this can be tolerated if it is determined that impacts
won’t adversely affect organisational objectives. Medium risks can be managed
with controls but must be monitored to ensure the risk exposure is effectively
managed and doesn’t worsen.
Where control weaknesses are identified and the decision is taken that further
mitigation is required (i.e. the residual exposure is not accepted), an action plan must
be established.
9.0 RISK REPORTING
Reporting associated with the Risk Management Framework is structured to satisfy two criteria:
1) Information relating to the IOI Properties Group Berhad existing risk profile and Risk
registers; and
2) Information relating to the IOI Properties Group Berhad implementation, performance
and status of the Framework (Compliance).
INTERNAL REPORTING
Board
• The Group’s risk profile
• Actions to address key risks
• Effectiveness and progress of actions taken
• State of risk management framework
Senior Leadership Team
• Major incidents and issues
In addition, the group’s Risk Management Team will coordinate with the Training and
Development Department to work towards ensuring:
• Induction training will include Risk Management awareness and Employee Code of
Conduct.
• Employees receive regular Risk Management awareness and update training (at
minimum, a half-day refresher course once every year for those staff directly involved in
Risk Reporting and Monitoring).
• Any updates and changes to the Risk Management Policy, Framework related policies,
procedures; Codes of Conduct, ethics etc. are circulated to all employees via the Intranet
or email where deemed necessary.
The Board of Directors (“Board”) and Risk Management Committee (“RMC”) shall be responsible
for the approval or ratification of the Enterprise Risk Management (“ERM”) Framework.
The Enterprise Risk Management (“ERM”) Framework is effective immediately upon approval by the
Board of Directors (“Board”) on 7th September 2018.
13.0 REFERENCE
The Framework is to be read in conjunction with all the other relevant policies and internal
procedural documents issued by IOIPG, International Standard bodies (“ISO”) and the Department of
Standards Malaysia (“MS ISO”):
14.0 COMPLIANCE
15.0 EXCEPTIONS
Any exception from this Framework shall require the approval of Board of Directors of IOIPG
(“Board”) and Risk Management Committee (“RMC”) unless they are deemed as operational in
nature.
Appendix 1 – Risk Management RACI Matrix
The RACI matrix indicates the level of participation in each step of the process. The RACI
acronym is derived from the four (4) key responsibilities in the risk management process, which are
Responsible, Accountable, Consulted and Informed.
A - Accountable: Ultimately answerable for accurate completion of the task or approval / final
approving authority
C - Consulted: Those whose opinions are sought to complete the task (SME)
Appendix 2 – Risk Register Template
Fields of the Risk Register Template:
• Risk No.
• Risk Category
• Risk Rating
• Impact
• Likelihood
• Consequences / Opportunities (if any) arising from the Risk
• Control Type (Preventive, Detective, Directive, Corrective)
• Corrective Action & Mitigation Strategy
• Risk Status
• Risk Owner
Appendix 3 – Risk Review Report
Note: PLEASE DO NOT ALTER LAYOUT OF REPORT
EXECUTIVE SUMMARY
Risk Review Period (*Compulsory): 1st Half FY 2018 / 2nd Half FY 2018 / 1st Half FY 2019 /
2nd Half FY 2019 / 1st Half FY 2020 / 2nd Half FY 2020
Business Entity (*Compulsory):
Scope of Review:
Acknowledgement: We are directly responsible for the design, establishment, and maintenance of
internal control systems to manage risks related to our Unit / Department.
Scope of the review: We have for the mentioned period identified and reviewed all principal risks;
corresponding controls (in processes and procedures) and control activities (monitoring, measure,
analyses & communication); and have responded appropriately to the same for the following
units/depts/functions: