Integrated Annual Report 2023

MISC BERHAD, Integrated Annual Report 2023, Governance Section (www.miscgroup.com)

Statement on Risk Management & Internal Control

In sustaining the achievement of business objectives, it is important to manage risks across the Group on an integrated basis, with a balanced view of the risks taken against the rewards of business performance.

PETRONAS Resiliency Model

The Group adopts the PETRONAS Resiliency Model, which provides an integrated view for managing risks effectively, and is also guided by international best practice on risk management as set out in ISO 31000. The model focuses on three (3) areas of business resilience:

Enterprise Risk Management (ERM)
To reduce the likelihood and impact of the identified risks that may affect the achievement of business objectives.

Crisis Management (CM)
To prepare the Group to respond to and manage crises in the risk areas, to protect people, environment, assets and reputation.

Business Continuity Management (BCM)
To build the capability of the Group to recover and continue the operations of critical business functions in the event of disruptions.

Enterprise Risk Management

The Group has implemented risk management best practices in the form of an ERM framework, which ensures business risks are prudently identified, evaluated, treated and managed to achieve MISC Group’s business objectives.

ERM Framework

The framework comprises six elements:

Governance
• Risk policy
• Risk organisation structure
• Roles & responsibilities

Context Setting
• External context
• Internal context
• Risk appetite
• Risk criteria

Risk Assessment
• Risk identification
• Risk analysis
• Risk evaluation

Risk Treatment
• Risk treatment strategy
• Risk treatment plan

Monitoring & Review
• Risk reporting & monitoring
• Risk information system

Continual Improvement
• Risk assurance
• System monitoring & review
• Capability building

The business/service units and subsidiaries are required to perform an annual review of their risk profiles, with an emphasis on linking these risks to MISC Group’s business objectives. The risk management process in MISC Group requires management to identify business risks at the strategic, tactical and operational levels, while also considering ESG risks. These risks are assessed in terms of likelihood and magnitude of impact, and the adequacy of the mechanisms in place to manage them is identified and evaluated. This process involves assessments at business/service units and subsidiaries before the results are examined at Group level for a more holistic and strategic view.

The Group maintains a risk register, which comprises a list of Primary Risks critical to the Group, inclusive of their corresponding risk mitigations and assigned Key Risk Indicators (KRIs), derived from the businesses. The KRIs are reviewed and identified for each Primary Risk so that the movement of the respective risks can be monitored quarterly. This enables management to act in a timely manner and take the necessary measures to manage risks, ensuring that the Group’s initiatives are implemented effectively and business objectives are met.

For the purpose of risk reporting, the status of the mitigation action plans identified to manage these risks, and breaches of the KRI thresholds, are monitored, updated and reported to the RMC, the BSRC and subsequently to the Board on a quarterly basis.

In essence, the risk management processes are as follows:

Risk Profiling
• Identify risks and existing controls via risk assessment.
• Establish risk rating based on the matrix and record it in the Risk Registers.
• Select the appropriate risk treatment option, which includes identifying new risk mitigation plans.
• Develop KRI thresholds for each risk registered.

Risk Monitoring
• Monitor the risk level identified under the Primary Risks.
• Track the progress of mitigation action plans and their implementation.
• Monitor the performance of Primary Risks using KRIs; any change or movement in the KRIs triggers an early warning.

Risk Reporting
• Mitigation action plans to eliminate/minimise risk exposures are deliberated at the RMC and BSRC.
• KRIs that breach set thresholds are reviewed by CP before presentation to the RMC for discussion on a quarterly basis. Significant breaches are raised to the BSRC for discussion and deliberation.

Corporate Planning (CP)
• Review and provide advisory on risk events breaching the thresholds set.
• Report risk events breaching thresholds for Primary Risks and other pertinent risks critical to the Group.
• Review and report the status of the proposed mitigation action plans.

RMC
• Review and deliberate risk events breaching thresholds as well as the proposed mitigations, including providing direction in mitigating identified key risks.
• Shortlist key and significant risk events breaching thresholds.

BSRC
• Discuss and deliberate key and significant risk events breaching thresholds as well as the proposed mitigations.
• Provide guidance to management to ensure the Group’s risks are being managed appropriately.
