Yinson Annual Report 2022

STATEMENT ON RISK MANAGEMENT & INTERNAL CONTROL

ENTERPRISE RISK MANAGEMENT

Enterprise Risk Management Process

[Figure: Enterprise Risk Management Process diagram. Labels: Establishing Context; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment; Recording & Reporting; Communication & Consultation; Monitoring & Review.]

The Group ERM Policy Statement & Framework and other relevant risk guidelines are generally aligned with the Principles and Guidelines of ISO 31000:2018. Together they provide a consistent and streamlined approach to implementing ERM across the Group. Our structured risk profiling process, set out below, follows the ISO 31000 standard:

Establishing context
Establishing the context defines the scope of the risk management process and sets the criteria used to assess and evaluate risks. The key matters discussed when setting the context include the risk appetite and the risk criteria (e.g. reputation, financials).

Risk identification
The objective of the risk identification process is to identify, recognise and describe the risks associated with a business function. Various methods can be applied to identify risks during the risk workshop phase, including strategic planning workshops, management meetings, interviews and desk research.

Risk analysis
The purpose of risk analysis is to prioritise each risk by evaluating the likelihood of it occurring and the potential impact on the business objective should it arise.

Risk evaluation
The risk evaluation process identifies the existing key controls and assesses their level of effectiveness, which defines the residual rating of each risk after the existing controls have been developed and implemented.

Risk treatment
The risk treatment process involves identifying the range of options for treating risks, assessing those options, and prioritising the implementation of treatment plans.

Recording & reporting
Key Risk Indicators (KRIs), maintained in the Risk Registers, are the tools used to monitor and review risks. KRIs are reviewed or populated for the key risks that have a material impact on the Group as a whole.

Enterprise Risk Management Matrix

As part of the enhancement of Yinson's ERM Policy Statement & Framework, each identified risk is mapped on a risk matrix that specifies its likelihood and impact. The likelihood rating depicts the probability of the risk occurring, while the impact rating specifies the extent of the impact should it occur. Both likelihood and impact can be expressed qualitatively (i.e. guided by definitions and past events) and quantitatively (i.e. guided by defined numbers or KRIs).

202 YINSON HOLDINGS BERHAD GOVERNANCE
