ENTERPRISE RISK MANAGEMENT FRAMEWORK · Establishing a common language for risk is important in...

Date post: 03-Aug-2020
Page 1: ENTERPRISE RISK MANAGEMENT FRAMEWORK · Establishing a common language for risk is important in promoting the practice of a consistent and effective risk management across the IOIPG.

ENTERPRISE RISK MANAGEMENT FRAMEWORK

[Enterprise Risk Management Framework V.01]

In order to deliver value to our stakeholders which include our consumers, employees, communities and shareholders, IOI Properties Group Berhad must understand and manage the risks faced across our entire organization. Risks are inherent in our business activities and can relate to strategic threats, financial impacts, operational issues, compliance with laws, and reporting obligations. This document provides an overview of our enterprise-wide approach to risk management (the IOI Properties Group Berhad “Enterprise Risk Management Framework”) and illustrates examples of how this approach is implemented within the organization.

Version (01) .1. 2018

TABLE OF CONTENTS

OVERALL ENTERPRISE RISK MANAGEMENT FRAMEWORK OF IOI PROPERTIES GROUP BERHAD (“IOIPG”)

Abbreviations ........ 4
Key Terms ........ 5

1.0 INTRODUCTION
1.1 Overview ........ 6
1.2 Purpose ........ 7
1.3 Objective ........ 7-8
1.4 Benefit ........ 9
1.5 Restriction ........ 9

2.0 ORGANIZATION
2.1 Background ........ 10-11
2.2 Governance Structure ........ 11
2.3 Risk: Corporate vs Governance ........ 12
2.4 Governance of Risk: Three Lines of Defense ........ 13-15
2.5 Risk Culture ........ 15-16
2.6 Roles and Responsibilities ........ 16
2.6.1 Board of Directors ........ 16
2.6.2 Risk Management Committee ........ 17
2.6.3 Chief Executive Officer (CEO) / Senior Management ........ 18
2.6.4 Risk Management Department ........ 18
2.6.5 Business Units / Projects ........ 19
2.6.6 Risk Champion / Representative ........ 19
2.6.7 Project Managers ........ 19
2.6.8 Risk Quality Assurance Coordinator ........ 20
2.6.9 Group Internal Audit ........ 20

3.0 RISK AWARENESS, LEARNING AND CULTURE ........ 21

4.0 DEFINITION OF RISK & RISK MANAGEMENT
4.1 Definition of Risk ........ 21-22
4.2 Definition of Risk Management ........ 22
4.3 Definition of ERM ........ 22-23

5.0 ENTERPRISE RISK MANAGEMENT FRAMEWORK ........ 23
5.1 Overall Internal Control ........ 24
5.2 General Elements ........ 24-27

6.0 STRATEGY
6.1 Risk Management Strategy ........ 28-29
6.2 Risk Appetite ........ 29-30
6.3 Risk Response ........ 30

7.0 GUIDELINES AND PRINCIPLES ........ 31
7.1 Risk Management Principles ........ 32
7.2 Risk Management Guidelines ........ 32

8.0 RISK MANAGEMENT PROCESS ........ 33
8.1 Communication and Consultation ........ 34
8.2 Establish the Context ........ 34-35
8.3 Risk Assessment ........ 36-39
8.4 Risk Mitigation Strategies ........ 39-42
8.5 Monitoring and Review ........ 42-44
8.6 Risk Management Tool – Risk Register ........ 44-50

9.0 RISK MANAGEMENT REPORTING ........ 51-52
10.0 RISK TRAINING & DEVELOPMENT ........ 52-53
11.0 APPROVING AUTHORITY ........ 53
12.0 DATE OF IMPLEMENTATION ........ 53
13.0 REFERENCE ........ 53
14.0 COMPLIANCE ........ 53
15.0 EXCEPTIONS ........ 53

APPENDICES
Appendix 1 – RACI Matrix ........ 54
Appendix 2 – Risk Register Template ........ 55
Appendix 3 – Risk Review Report ........ 56

Abbreviations

IOIPG Group : IOIPG & Its Subsidiaries
IOIPG : IOI Properties Group Berhad
Board : Board of Directors
RMC : Risk Management Committee
CEO : Chief Executive Officer
Senior Management : Senior Management of IOIPG
PD : Property Development
PI : Property Investment
ERM : Enterprise Risk Management
RMD : Risk Management Department
BU : Business and support units or projects in IOIPG
ISO : International Organization for Standardization
ISO 31000 : International Standard for Risk Management – Principles and guidelines
Standards Malaysia (MS) : Department of Standards Malaysia (JSM) under MOSTI
MS ISO 31000 : Malaysian Standard for Risk Management – Principles and guidelines
MOSTI : Ministry of Science, Technology and Innovation
Framework : Enterprise Risk Management (ERM) Framework
CG : Corporate Governance
RG : Risk Governance
HR : Human Resources
IA : Internal Audit
GM : General Manager
Risk Champions : Risk representative from each respective BU
HOD : Head of Department

Key Terms

Establishing a common language for risk is important in promoting the practice of consistent and effective risk management across the IOIPG. The terms used in this document are listed below, together with their intended meaning:

Enterprise Risk Management (“ERM”) framework
A structured and disciplined approach aligning strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the risks an organisation faces as it seeks to create value. In essence, every employee is an integral part of the IOIPG’s enterprise risk management framework.

Gross risk
The level of impact and likelihood of a risk before any control or risk mitigation is applied.

Key risks
The risks that have been assessed and evaluated as the most critical, resulting in significant impact on the achievement of the IOIPG’s business objectives.

Likelihood of occurrence
The probability of a particular risk occurring. Probabilities can range from “low” to “very high” and are evaluated against a defined time period.

Senior Management / Management
Consists of the Senior Management / Management personnel of IOIPG.

Objectives
Measurable targets set in order to reach the IOIPG’s goals.

Residual risk
The risk(s) remaining after controls have been put in place.

Risk(s)
Anything that has the potential to prevent IOIPG from achieving its overall goals and objectives.

Risk impact / consequences
An evaluation of the significance of a particular risk to IOIPG. The magnitude of impact is determined in relation to the organisation’s appetite for risk and its organisational objectives.

Risk appetite
The level of risk IOIPG is prepared to accept to achieve its objectives, measurable in terms of the variance of return (i.e. risk) accepted in order to achieve a desired level of result (i.e. return), as set out in the risk parameters.

Risk management
A continuous, proactive and systematic process to recognise, manage and communicate risk from an organisation-wide perspective. It is about making strategic decisions that lead to the achievement of the IOIPG’s overall corporate objectives.

Risk owner
The individual with overall responsibility for managing an identified risk.

Risk parameter
Used to estimate the impact of a risk should it occur; based on the IOIPG’s “risk appetite”.

Stakeholders
Any individual or group, internal or external, with an interest in IOIPG’s businesses.

1.0 INTRODUCTION

1.1 Overview

The Enterprise Risk Management (ERM) Framework has been established and developed to provide a comprehensive and proactive approach to managing risk for IOI Properties Group Berhad (IOIPG), as risks influence every aspect of our business. Understanding the risks faced by IOIPG and managing them appropriately will enhance IOIPG’s ability to make better decisions, which will subsequently improve the group’s overall performance. The framework also ensures that risk objectives are properly defined and proper controls are in place. In addition, general awareness of managing risks is crucial for IOIPG.

The importance of effective risk management is due to several factors:

➢ Significant losses experienced in the property development industry;
➢ New regulatory requirements and international best practices;
➢ Regular changes in the business environment, including the political atmosphere;
➢ Growing need to optimize economic capital and measure performance;
➢ Protection and enhancement of stakeholders’ and shareholders’ value.

To respond appropriately to the above factors and, at the same time, to promote and inculcate balanced risk-taking in the business, IOIPG has recognized the need to create risk awareness among staff and stakeholders. This in turn will assist IOIPG in establishing an adequate enterprise risk management framework.

The scope of the enterprise risk management framework covers all activities, processes, functions, projects, products, services, assets and systems currently in place at IOIPG. The process owner for all risk management initiatives is the Head of the Risk Management Department, while the intended users include all stakeholders of IOIPG. In addition, the framework complies with the best practices of the international standard ISO 31000 (Risk Management – Principles and guidelines) and the Malaysian standard MS ISO 31000.

1.2 Purpose

Risks influence every aspect of IOIPG’s business and operations. Understanding the risks that IOIPG faces and managing them appropriately will enhance the group’s ability to make better decisions, meet objectives and subsequently improve the performance of the group.

This enterprise risk management framework is designed to:

• Establish the context for an embedded enterprise risk management framework within the IOIPG;
• Formalize the risk management functions across IOIPG;
• Direct personnel more strongly towards risk identification, measurement, control, ongoing monitoring, responsibilities and accountability;
• Coordinate and streamline the understanding and application of risk management within IOIPG; and
• Illustrate compliance by the Board of Directors with its duty of care and diligence, in line with good corporate governance practices.

1.3 Objective

The primary objective of the ERM framework is to support the overall achievement of IOI Properties Group Berhad’s strategic objectives and to safeguard the group’s resources, people, finance, property and reputation through:

• Provision of a structured and more consistent approach to identifying, rating, mitigating, managing and monitoring risks;
• Assistance to decision makers in making sound management decisions within tolerable strategic and business risk limits, including identifying and leveraging opportunities;
• Challenged and informed strategic decisions via the Risk Profile;
• An environment where staff understand and assume responsibility for managing the risks for which they are accountable, and are aware of the controls in place to mitigate those risks;
• Provision of relevant and timely information across clear reporting structures; and
• Independent assurance and audit activities to provide feedback to management that quality processes and proper controls are in place and are effective.

Other relevant objectives of this framework are to:

• Outline the IOIPG’s risk context, which comprises its philosophies, strategies, policies and operating system, so as to better manage the business, project or any other risk exposures faced by the group;
• Provide guiding risk management principles to the respective HODs to assist them in governing the actions of their personnel in managing risks; and
• Provide assurance to the Board that a sound risk management and internal control system is in place and in conformance with global risk management standards (ISO 31000).

To realize the objectives of the enterprise risk management framework, IOIPG shall:

• Ensure that an appropriate enterprise risk management framework is in place and aligned to the IOIPG’s overall business strategy;
• Support the framework and its strategy within an appropriate organizational structure, and ensure that associated responsibilities are clearly defined and communicated at all levels;
• Ensure the risk management process is applied systematically across IOIPG to identify, analyze, assess, evaluate, treat and manage risks that threaten the achievement of the group’s objectives;
• Ensure that risk information is communicated through a clear and robust reporting structure; and
• Integrate ongoing risk management activities within the business and throughout all of IOIPG’s projects.

1.4 Benefits

The positive outcomes to be derived from an effective enterprise risk management framework are as follows:

• To act as a platform enabling IOIPG to anticipate and respond to risks effectively;
• To encourage comprehensive and reliable sources of information on the status of risks and the control measures;
• To minimise the likelihood of unforeseen damage to IOIPG’s financial performance, reputation and stakeholders’ confidence;
• To create the opportunity to align corporate strategy with risk strategy;
• To act as a tool that enables the management of risks affecting both tangible and intangible assets;
• To provide opportunities to eliminate or reduce costs through more targeted and effective control measures, which are aligned to key objectives and risks;
• To provide the basis for more effective strategic planning;
• To contribute to the improvement of overall organizational efficiency and effectiveness;
• To enable optimum use of resources; and
• To provide a framework for ensuring that unavoidable risks are adequately mitigated.

1.5 Restriction

This ERM framework is for internal use in IOIPG. It is not for general circulation or publication, nor is it to be reproduced, in whole or in part, or used for any other purpose without Management’s prior written consent. Management does not assume any responsibility or liability for any losses, however occasioned, incurred by any other party arising from the circulation, publication, reproduction or use of this document.

2.0 ORGANIZATION

2.1 Background

IOI Properties Group Berhad (“IOIPG”) is one of Malaysia’s leading public-listed property developers. It built a solid reputation as the esteemed property arm of IOI Group prior to its successful listing on the Main Market of Bursa Malaysia Securities Berhad on 15 January 2014.

IOIPG is renowned as one of the largest property companies in the country, with a proven track record spanning more than three decades in the property development industry. Its principal activities include property development, property investment, leisure and hospitality. It has successfully developed sustainable townships in the sought-after regions of the Klang Valley and Johor in Malaysia, while embarking on property developments in Singapore and the People’s Republic of China. IOIPG currently has a total of 10,000 acres of landbank in Malaysia and abroad.

IOIPG established its presence in the Singapore property market in 2007. It has ventured into five property developments in the country, comprising high-end residential developments and integrated mixed developments. Among them are the luxury condominium developments of Seascape and Cape Royale in Sentosa Cove and the award-winning South Beach project.

In 2010, IOIPG ventured into property development in China. It has embarked on two mixed property developments, namely IOI Park Bo Bay and IOI Palm City in Xiamen, Fujian Province of the People’s Republic of China.

On the leisure and hospitality front, IOIPG owns and manages prestigious hotels, shopping malls, golf courses and office blocks in Malaysia.

As a strong testament to its quality excellence, it is consistently ranked among the top developers in Asia and has been bestowed numerous accolades by leading publications and organizations such as FIABCI, BCI Asia, The Edge Malaysia, the Asia Pacific Property Awards, and the Building and Construction Authority (“BCA”) in Singapore.

The IOI Properties Group Berhad provides a diverse range of services to 110,000 residents in one of Victoria’s most densely populated municipalities. IOI Properties Group Berhad is required to plan for and manage growth and change, and to deliver on its objectives within the context of significant population, climate and urban change as well as increased legislative and regulatory compliance obligations and financial accountability.

2.2 Governance Structure

IOIPG has defined the following governance structure for overall risk management:

Diagram 1: IOIPG’s Governance Structure

2.3 Corporate Governance vs Risk Governance

IOIPG maintains strong leadership through sound governance and ethical business conduct. It believes in achieving responsible commercial success while balancing the interests of its stakeholders, and fervently upholds sustainability practices in the business as well as the regulatory laws imposed in the countries where it operates.

The safety and soundness of corporate governance rely on the effectiveness of risk oversight and control functions. Over time, risk management approaches and practices in the industry have evolved substantially, with increased attention to advancements in risk management processes and practices, as well as to the segregation of functions as independent parties in internal control environments.

Risk governance focuses on applying the principles of sound corporate governance to the assessment and management of risks, to ensure that risk-taking activities are aligned with IOIPG’s capacity to absorb acceptable losses and with its long-term viability.

It is concerned in particular with the roles of the board, senior management and risk management control functions, as well as the processes by which risk information is collected, analyzed and communicated to provide a sound basis for management decisions. It is also concerned with the effects of incentives and organizational culture on risk-taking behaviors and perceptions of risk in IOIPG.

With its various kinds of property development businesses, projects and activities, the availability of comprehensive processes and integrated systems to support an enterprise-wide or consolidated view of risks is particularly critical. Also important is the capacity of IOIPG to respond swiftly to changes in the operating environment and developments in its business strategies.

2.4 Governance of Risk: Three Lines of Defense Model

Risk management has a key role in the corporate governance structure in ensuring the effective management of risk.

The board provides direction to senior management by determining and setting the organization’s risk appetite. It also seeks to identify the principal risks facing the group. Thereafter, the board assures itself on an ongoing basis that senior management is responding appropriately to the risks identified.

The board delegates primary ownership of and responsibility for operating risk management and control to the CEO and senior management. It is management’s responsibility to provide leadership and direction to the rest of the employees in respect of risk management, and to control the organization’s overall risk-taking activities in relation to the agreed level of risk appetite.

To ensure the effectiveness of an organization’s enterprise risk management framework, the board and senior management need to rely on adequate line functions, including monitoring and assurance functions within the organization. Corporate best practice in risk management acknowledges the ‘Three Lines of Defense’ model as a way of defining the relationship between these functions, and as a guideline to where responsibilities and accountabilities should sit:

1. The first line of defense – functions that own and manage risk.
2. The second line of defense – functions that oversee or specialize in risk management and compliance.
3. The third line of defense – functions that provide independent assurance, above all internal audit.

The “Three Lines of Defense” model provides a simple and effective way to enhance communication on risk management and control by clarifying essential roles and duties:

Diagram 2: The Three Lines of Defense Model

➢ 1st Line of Defense – Heads of Business Units

Each Business Unit is responsible for the ownership and management of its respective risks. It is also responsible for implementing corrective actions to address process deficiencies. Each business unit naturally serves as the 1st line, as controls are designed into business processes under its guidance. There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdowns, inadequate processes and unexpected events.

In some areas, specialist compliance roles have also been established to assist in promoting and monitoring compliance, e.g. Finance and Business Technology.

➢ 2nd Line of Defense – Risk Management & Compliance

The risk management and compliance functions ensure that the framework is fully embedded and operational, and monitor the 1st line controls to ensure that risks are being effectively managed. The risk management function facilitates and monitors the implementation of effective risk management practices by management, and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organization. Each of these functions has some degree of independence from the first line of defense.

➢ 3rd Line of Defense – Internal Audit

Internal audit (IA) provides independent assurance on the effectiveness of governance, risk management and internal controls, including the manner in which the 1st and 2nd lines achieve risk management and control objectives. IA provides IOIPG and senior management with comprehensive assurance based on the highest level of independence and objectivity.

2.5 Risk Culture

The Chief Executive Officer (CEO) has the ultimate responsibility and accountability for ensuring that risk is managed across the business units within IOIPG, and is supported by the Chief Operating Officers (COO) of both Property Investment and Property Development as well as of the Corporate Entities.

The Chief Executive Officer (CEO) and the Senior Management Leadership Team provide governance leadership, agree the strategic direction and risk appetite, and promote the culture and ‘tone from the top’ in order to ensure the best outcome for the group, staff and stakeholders. They will actively consider risks during strategic and tactical decision-making processes, as will all levels of management, and they will determine annually the level of residual risk/appetite they are willing to accept. IOIPG will take a risk-based approach to managing internal and external project, operational and strategic risks: i.e. risks will be managed and monitored according to their severity and financial risk, to identify the quantum of each risk involved and its impact.

The Risk Management Committee (“RMC”) will conduct two (2) full half-yearly reviews of their business unit risks (facilitated by the Risk Management & Quality Assurance Team), with monthly monitoring of High and Very High risks and quarterly monitoring of Medium and Low risks. Management will also conduct out-of-cycle reviews of operational and financial risks, project or strategic risks in cases where material changes occur, controls break down or new risks emerge, i.e. organizational change, major process or system change, failure of controls, a major incident, a compliance breach, a serious complaint or a significant near miss.

2.6 Roles and Responsibilities

The Responsible, Accountable, Consulted, Informed (RACI) table (see Appendix 1) illustrates accountability across the varied risk roles at IOI Properties Group Berhad. Risk management within the IOI Properties Group Berhad is an integral element of good business practice. The Strategic and Operations Risk Assessment Processes are integrated with the Strategic Planning and Business Planning processes.

It is therefore everyone’s responsibility within IOIPG to manage risk: the accountability for managing any specific risk sits with the person most appropriate to manage that risk. This is reflected in position descriptions (with varying degrees of responsibility at the various levels) and in the performance management process.

Notwithstanding the “whole of organisation” approach to risk management responsibility, the Risk Management Framework has specific elements which require a defined alignment of roles and responsibilities. The responsibilities for each of the roles identified at each level are as follows:

2.6.1 Board of Directors (“Board”) of IOI Properties Group Berhad (“IOIPG”)

• Overall responsibility to establish policies and the framework for risk management;
• Approve the Risk Management Policy and note the Enterprise Risk Management (“ERM”) Framework;
• Be satisfied that strategic risks are identified, managed and controlled appropriately; and
• Appoint the Risk Management Committee.

2.6.2 Risk Management Committee (“RMC”)

• Discuss, deliberate and make recommendations on issues relating to risk management strategies, risk tolerance, policies and processes prior to submission to the Board for decision;
• Review the adequacy of risk policies and the framework, and the extent to which these are operating effectively;
• Review risk management reports on risk exposure, portfolios and risk management activities;
• Endorse risk strategies, policies and processes for eventual approval by the Board;
• Review the Enterprise Risk Management Framework and policy on procedures for endorsement by the Board;
• Approve the Enterprise Risk Management Framework as an internal guidance and control process for managing risk;
• Encourage the promotion of risk management awareness throughout IOIPG;
• Approve operational decisions to improve risk management;
• Ensure the Enterprise Risk Management Framework is being implemented throughout IOIPG;
• Oversee the Risk Management Framework and review the mechanisms in place to comply with the framework;
• Monitor the systems and processes via the group’s risk profile, and consider the risk profile when developing and implementing the Internal Audit and Compliance Program;
• Consider the adequacy of actions taken to ensure that risks have been dealt with in a timely manner to mitigate exposures to the group;
• Identify and refer specific projects or investigations deemed necessary to assess risk management through the Chief Executive Officer, the internal auditor and the Group;
• Oversee any subsequent investigation, including the investigation of any suspected cases of near misses; and
• Review the Project Portfolio and associated risks.

2.6.3 Chief Executive Officer (CEO) / Senior Management team

• The CEO, supported by the Chief Operating Officers of Divisions (COO), is accountable for ensuring appropriate risk management within the group;
• Endorse the Risk Management Policy for approval by the Board of Directors of IOI Properties Group Berhad (IOIPG), approve the Enterprise Risk Management Framework, and monitor implementation;
• Provide executive leadership in the management of strategic, operational and project risk and generally champion risk management within the group;
• Ensure that their respective divisional risk profile, as entered by each department, is reviewed, updated and approved quarterly (monthly for high risks);
• Report expeditiously to the Risk Management Committee (“RMC”) incidents or material risk mitigation failures and the actions taken.

2.6.4 Risk Management Department / Manager

• Lead in enforcing the Risk Management Framework;
• Develop, promote and implement risk management awareness;
• Play a facilitator/consultation role and provide training on risk management;
• Report to senior management on risk management information;
• Implement processes to monitor risks across IOIPG;
• Review industry developments and identify emerging risks;
• Review, analyse and assess risks across IOIPG;
• Review and forward specific incidents to Group Internal Audit for information, where applicable;
• Provide assurance in the development, implementation and review of the Risk Management Policy, Enterprise Risk Management Framework, and general risk management practice within the group;
• Quality assure enterprise risk management reporting according to the ISO 31000 Standards to the Risk Management Committee, Senior Management & Quality Assurance;
• Ensure the organisation has the appropriate culture, capability, processes and systems to deliver on this policy and the Enterprise Risk Management Framework; and
• Provide sound recommendations for IOIPG Group on risk related matters and strategies to mitigate an incident from occurring.


2.6.5 Business Units (BU’s) or Project Units – Risk Owner

• Accept the risk owner concept to own and manage their risks;
• Take all necessary steps to comply with the Enterprise Risk Management Framework;
• Support risk correspondents in promoting / championing risk awareness and reporting of risk management;
• Be conversant with the risk correspondence profiles of their own units/projects/departments and, if required, share such knowledge with internal management and/or the relevant external bodies;
• Verify and validate risk reporting by risk champion/coordinator personnel;
• Validate risk ratings, preventive controls and mitigating measures;
• Escalate risk issues to the Risk Management Department / Manager and related departments;
• Take ownership of risk management for their business or project units; and
• Instil, apply and promote risk management awareness among staff.

2.6.6 Risk Champion / Coordinator Officer

• Submit prompt reporting of risk reviews by the specified deadline;
• Highlight risk issues to business/project owners and the Risk Management Department (RMD);
• Instil, apply and promote risk management awareness among staff; and
• Periodically review risk ratings and control/mitigation actions.

2.6.7 Project managers

• Ensure that this framework is applied to the projects under their purview; and
• Where the project is considered to materially influence the achievement of IOIPG Corporate Objectives, ensure that the project risk assessment is facilitated by the Risk and Compliance Representative.


2.6.8 Risk Quality Assurance coordinator

• Lead the development, implementation and review of the Risk Management Policy, Enterprise Risk Management Framework, and supporting processes and systems;
• Develop, maintain and quality assure enterprise risk registers and monitor implementation of controls and agreed mitigation actions in accordance with ISO 31000;
• Prepare various risk management reports to the Senior Management Team, Risk Management Committee, Risk Management Department and divisional leadership teams in accordance with this framework and the Risk Management Policy;
• Provide risk management training, advice and support, and conduct risk assessments as agreed with Senior Management;
• Liaise with the Internal Auditor and provide secretariat support to the Risk Management Committee; and
• Measure enterprise risk management maturity and report on the implementation of actions to achieve target maturity.

2.6.9 Group Internal Audit

• Consider strategic and operational risks in the development and implementation of the Group’s Internal Audit and Compliance Plan and recommend improvements;
• Periodically audit IOIPG’s risk management practices and provide recommendations on improvement to management and the Risk Management Committee;
• Ensure the adequacy of risk management policies;
• Examine and evaluate the appropriateness and effectiveness of the risk management process;
• Evaluate the reliability (including integrity, accuracy and comprehensiveness) and timeliness of risk management information;
• Evaluate the continuity and reliability of the risk management systems; and
• Evaluate the independence and overall effectiveness of the risk management function.


3.0 AWARENESS, LEARNING AND CULTURE

IOI Properties Group Berhad (IOIPG) will build a strong risk culture, which is a combined set of individual and corporate values, attitudes, competencies and behaviour that will determine our commitment style towards risk management.

Risk management requires overall participation in both reporting and managing risks. Substantial communication and awareness are essential to build a common understanding of risk management and to gain widespread staff buy-in. The success of a risk management program will depend almost entirely on how it is perceived and embraced by the staff and managers who execute it.

Premised on the above, the Risk Management Department (RMD) is to work closely with the Human Resource Department (HR) – Training & Development to develop a structured risk awareness and learning program in which the learning modules are customized to suit staff at various levels.

4.0 DEFINITION OF RISK, RISK MANAGEMENT & ERM

The purpose of this Enterprise Risk Management Framework is to provide a comprehensive and proactive approach towards managing risk in IOI Properties Group Berhad (IOIPG). Risk influences every aspect of our business, hence the need to understand its description and definition.

4.1 Definition of Risk

Risk is the probability of an internal or external situation (an incident) having the potential to impact upon IOI Properties Group Berhad, preventing it from successfully achieving its objectives, delivering its services or capitalizing on its opportunities. Risks are an everyday occurrence that could potentially impact IOIPG’s ability to meet its obligations to stakeholders and the community. IOI Properties Group Berhad recognizes that while some risks cannot be fully eliminated, they can be identified, controlled and managed to an acceptable level. Based on ISO 31000, risk is defined as the effect of uncertainty on objectives.


Risk may be viewed as the threat of some event, action or loss of opportunity that, if it occurs or crystallizes, will adversely affect any one or a combination of the following:

• Value to IOIPG’s shareholders and other stakeholders.
• Ability to achieve objectives.
• Ability to implement business strategies.
• Manner in which operations are conducted.
• IOIPG’s reputation.

As may be appreciated from the concept, and due to the diversity of the business objectives, strategies and operations, a multitude of risks would be faced by IOIPG. These may be categorized in general into strategic risks, operational risks and project risks.

Since the future as such is uncertain, any business or project activity is individually associated with risks and rewards, and its objectives are to identify and reap rewards and opportunities, as well as to manage and control the resulting risks.

4.2 Definition of Risk Management

Risk management is defined as “the coordinated activities to direct and control an organization with regard to risk”, based on the ISO 31000 international standard definition. Risk management is a continuous, proactive and systematic process to recognize, manage and communicate risk from an-

Risk management is a central part of any organization’s strategic management. It is the process whereby organizations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.

4.3 Definition of Enterprise Risk Management (ERM)

ERM is a structured and disciplined approach, aligning strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the risks that IOIPG faces as it creates value.


ERM is truly a holistic, integrated, future-focused and process-oriented approach that helps IOIPG to manage all key business risks and opportunities with the intent of maximizing shareholder value as a whole.

ERM shall be a core management competency that incorporates a well-structured, systematic process to identify business risks and lessen their impact on IOIPG.

This involves the following core elements:

• The identification of each business risk;
• The measurement of the identified business or project risk;
• The control, or the way that risk is managed, in line with the needs of IOIPG’s policies and strategies; and
• Constant monitoring and communicating of risks associated with any activity, function or process in a way that will enable IOIPG to minimize opportunities.

5.0 THE EFFECTIVENESS OF RISK MANAGEMENT FRAMEWORK

IOI Properties Group Berhad’s Enterprise Risk Management Framework (“Framework”) is aligned to the ISO 31000 Standard and shall be applied to all activities across IOI Properties Group Berhad. All risks need to be understood, considered and addressed by everyone, including executive staff and senior management, employees, partners and related stakeholders. IOIPG is committed to promoting an organizational culture in which risk management is embedded in all activities and business processes, to ensure the long term sustainability and growth of the company.

Diagram 3: Effectiveness of Enterprise Risk Management Framework


5.1 Framework as an overall internal control

IOI Properties Group Berhad undertakes proactive enterprise risk management because:

5.1.1 It is good practice to understand the strategic and operational risks and opportunities facing IOI Properties Group Berhad in order to make informed decisions and meet organizational and strategic goals;

5.1.2 IOI Properties Group Berhad provides critical services and infrastructure to its customers and stakeholders, and IOI Properties Group Berhad has service agreements and contractual obligations to non-government business entities and organizations;

5.1.3 It implements the best practices of risk management in the market, in line with the related International Standard.

The Framework is designed to provide the architecture for a common platform for all risk management activities undertaken by IOI Properties Group Berhad, from individual functional, process or project-based assessments to whole-of-organization assessments, with the aim of enabling comparative analysis and prioritization of those assessments either individually or cumulatively.

5.2 General Elements in Framework

The effectiveness of risk management will depend on its integration into the governance of the organization, including decision-making. This requires support from stakeholders, particularly senior management.

Framework development encompasses integrating, designing, implementing, evaluating and improving risk management across IOIPG (Diagram 4 illustrates the component elements of a framework).

The organization should evaluate its existing risk management practices and processes, evaluate any gaps and address those gaps within the framework.


The components of the framework and the way in which they work together should be customized to the needs of IOIPG.

Diagram 4: Elements in Framework

The brief description of elements in framework is as follows:

5.2.1 Leadership and commitment

The Board and senior management should ensure that risk management is integrated in all organizational activities and should demonstrate leadership and their commitment by:

i. customizing and implementing all components of the framework;
ii. issuing a statement or policy that establishes a risk management approach, plan or course of action;
iii. ensuring that the necessary and sufficient resources are allocated to manage risks; and
iv. assigning authority, responsibility and accountability at appropriate levels within the organization.

Senior management is accountable for managing risk, while the Board is accountable for overseeing risk management as a whole.


5.2.2 Integration

Integrating risk management relies on an understanding of organizational structures and context. Structures differ depending on the organization’s purpose, goals and complexity. Risk is managed in every part of the organization’s structure, and everyone in an organization has responsibility for managing risk.

Integrating risk management into the organization is a dynamic and iterative process and should be customized to the organization’s needs and culture. Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations.

5.2.3 Design

The Board and senior management should demonstrate and articulate their continual commitment to risk management through a policy, a statement or other forms that clearly convey the organization’s objectives and commitment towards good risk management.

They should ensure that the empowerment, responsibilities and accountability for relevant roles with respect to risk management are assigned and communicated at all levels of the organization, and should also ensure the allocation of appropriate resources for risk management.

The organization should establish a unified approach to communication and consultation in order to support the framework and facilitate the effective application of risk management. Communication should involve sharing information with targeted audiences. Consultation should also involve participants providing feedback with the expectation that it will contribute to and shape decisions or other activities. These methods and content should reflect the expectations of the stakeholders, where relevant. They should also be timely and ensure that relevant information is collected, collated, synthesized and shared, as appropriate, and that feedback is provided and improvements are made.


5.2.4 Implementation

A good implementation of the framework requires the engagement and awareness of stakeholders. This enables organizations to explicitly address uncertainty in decision-making, while also ensuring that any new or subsequent uncertainty can be taken into account as it arises.

Implementation of this framework will ensure that the risk management process is a part of all activities throughout the organization, including decision-making, and that changes in external and internal contexts will be adequately captured.

5.2.5 Evaluation

Framework performance should be periodically measured, reviewed and evaluated against its purpose, implementation plans, indicators and expected behaviour, to ensure that the effectiveness of risk management is in order and in place.

In order to evaluate the effectiveness of the risk management framework, the organization should determine whether it remains suitable to support achieving the objectives of the organization.

5.2.6 Improvement

The organization should continually monitor and adapt the risk management framework to address external and internal changes. In accomplishing this, the organization can enhance its value.

It should also continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated.

As relevant gaps or improvement opportunities are identified, the organization should develop plans and tasks, and assign them to those accountable for implementation. Upon implementation, these improvements should contribute to the enhancement of risk management.


6.0 STRATEGY

6.1 Risk Management Strategy

Risk management strategy is an integral component of the overall strategy, which determines core capabilities, departments, business units, projects, competitive advantages, the formation of the value-added chain, and thus IOIPG’s value drivers. The risk management strategy will align risk management resources and actions with the business strategy necessary to maximize organizational effectiveness. Linking the business strategies to the risk management approach can also provide a context for setting risk appetite and risk measures so that they are linked to the overall strategic plan for IOIPG.

As an essential component of the risk management system, the following risk strategy forms the strategic drive of the Risk Management Framework and sets the internal control method that guides all personnel of IOIPG in dealing with risks in a rational, target-oriented manner:

6.1.1 IOIPG’s Risk Management Framework statement shall be adopted by all business units & projects, and risk management decisions shall be made at the operating level where knowledge and expertise reside. Responsibility for risk management will be undertaken by business units & projects with appropriate guidance from the Risk Management Committee (RMC) / Group Risk Management Department (RMD).

6.1.2 The Board strongly supports risk management with formal reporting. Risk management is periodically on the Board’s agenda, and Senior Management are aware of and well-versed in risk-associated matters within IOIPG’s business.

6.1.3 Risk management is linked to business and operational planning and is generally incorporated into new undertakings or projects.

6.1.4 The risk management process is meant to promote a proactive risk management approach, create the necessary risk awareness and cultivate a risk and control culture within IOIPG.

As a business strategy indicates the direction of the business, a risk strategy provides guidance for the risk activities within IOIPG. It can set the tone for aggressive or conservative risk management activities, dictate how measuring and monitoring activities are carried out, and provide the strategic view needed by the Board and Senior Management. It is the risk strategy that provides the backbone for embedding risk management within the culture of IOIPG’s business.

6.2 Risk Appetite

Risk appetite is the amount of risk exposure, or potential adverse impact from an event, that IOI Properties Group Berhad is willing to accept in pursuit of its objectives. Once the risk appetite threshold has been breached, risk management controls and actions are required to bring the exposure level back within the accepted range by considering:

1. Emerging risks;
2. Risks that might be outside the group’s control (e.g. political change and climate);
3. Where best to allocate scarce resources; and
4. Where the IOI Properties Group might want to take on additional risk to pursue a strategic objective or an expectation of above average returns.

Risk appetite should be set for each individual strategic risk and tolerance levels agreed, using relevant performance indicators which are monitored through the monthly enterprise reports. For operational risks, the group’s risk appetite will inform the annual risk process, controls and assurance activities, and is generally defined as follows:

RISK RATING | MINIMUM MITIGATION ACTION | DESCRIPTION
--- | --- | ---
Very High Risk | Reject & Avoid or Mitigate | Immediate action required in consultation with Management to either avoid the risk entirely or to reduce the risk to a low, medium or high rating.
High Risk | Accept & Mitigate | These risks need to be mitigated with actions as required, and managers need to be assigned these risks.
Medium | Accept | Managed by specific monitoring or response procedures.
Low | Accept | Managed by routine procedures.

Table 1: Risk Appetite


To reduce and minimise the risk exposure and impact on IOI Properties Group Berhad on materialisation of risks, the limit for the Board’s approval on “Investment” is to be capped at 10% of the Company’s market capitalization, while the capital expenditure limit is to be reduced to RM100 million.

6.3 Risk Response

In consideration of our risk appetite, one or more of the following actions may be pursued:

6.3.1 Risk Tolerance

This is usually taken when the risk is equal to the cost of doing business and nothing can be done at a reasonable cost to mitigate it.

6.3.2 Risk Treatment

Take action to control risks in the event they occur. It is important that the control put in place is proportionate to the risk. In general, the purpose of the control is to contain the risk rather than to remove it.

6.3.3 Risk Termination

When it is feasible and cheaper to do so rather than bearing the risk, we may decide to remove the risk altogether.

6.3.4 Risk Transfer

Consider a risk transfer strategy for operational risk losses that go beyond IOIPG’s risk appetite. Risk transfer can be made possible via insurance or outsourcing (of certain processes).


7.0 PRINCIPLES AND GUIDELINES

The framework provides an overview of the group’s enterprise-wide approach to risk management and illustrates how this approach is implemented within IOIPG.

It also provides a common methodology to identify and manage potential events that may affect the group’s accountability for risk management and its governance.

The framework that IOIPG Group adopts is in line with global best practices and globally accepted risk management standards such as the ISO 31000 standard, as depicted in the following diagram:

Diagram 5: Risk Management – Principles and Guidelines


7.1 Risk Management Principles

All levels of IOIPG Group shall commit to incorporating the following principles from the International ISO 31000 standard. Risk management will:

• Create and protect value;
• Be an integral part of Council’s organizational processes;
• Be part of the decision-making process;
• Explicitly address uncertainty by providing a framework in which risk can be assessed;
• Be systematic, structured and timely;
• Be based on the best available information;
• Be tailored to the group’s internal and external environments;
• Take into account the group’s human and cultural factors;
• Be a transparent and inclusive process;
• Be dynamic, iterative and responsive to changes; and
• Continually improve.

7.2 Risk Management Guidelines

IOI Properties Group Berhad has finite resources, time and budget to manage all aspects of its activities. It is therefore vital that IOIPG apportion adequate resources to the most critical areas, or those that will have the greatest impact on the organisation. IOI Properties Group Berhad will therefore take a risk-based approach to managing operational risks as follows:

• The Inherent Risk - the risk that an activity would pose if no controls or other mitigating factors were in place. Determining the Likelihood and Impact of the risk occurring allows IOIPG Group to understand which risks are of greater concern and must therefore be mitigated accordingly.
• The Residual Risk - the risk that remains after the effectiveness of controls is taken into account (the risk after controls) - can then be determined by assessing the effectiveness of the controls in place to mitigate the Likelihood and Impact of the risk occurring.

All risks will be captured in an organisational Risk Register (Excel spreadsheet) and reported regularly through the various Management and Committee structures.


8.0 RISK MANAGEMENT PROCESS

The risk management process is the “how to” element of the Framework and is defined in the ISO Standard as “the systematic application of management policies, procedures and practices to the task of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.”

1. COMMUNICATION & CONSULTATION
• Assist to establish context, tools & templates
• Pool areas of expertise together
• Secure endorsement & approvals
• Develop internal & external communication plans

2. ESTABLISHING THE CONTEXT
• Understand the internal environment
• Understand the external environment
• Establish the context of the risk management process
• Define risk criteria

3. RISK ASSESSMENT
Identifying Risks.
• Identify sources of risks, areas of impact, events and their causes and potential consequences.
• Generate a comprehensive list of risks identified.
Analyze Risks.
• Evaluate the existing control environment.
• Develop understanding of risks.
• Consider the causes and consequences of risks, including impact & probability.
Evaluate Risks.
• Determine treatment & priority for treatment implementation.

4. RISK TREATMENT
• Select one (1) or more options for modifying risks & implement the option: 1. Avoid Risk 2. Accept Risk 3. Remove Risk 4. Change Likelihood & Consequence 5. Share / Transfer Risk

5. MONITOR & EVALUATE
• Performance measures & metrics
• Continuous improvement
• Analysis of lessons learnt
• Review internal & external environment & emerging risks

Diagram 6: IOIPG Risk Management Framework Process


8.1 Communication and Consultation

Communication and consultation with internal and external stakeholders are important elements at each step of the risk management process. Effective communication is essential to ensure that those responsible for implementing risk management and those with a vested interest understand the basis on which risk management decisions are made and why particular actions are required.

Key direction is set through the adoption of the IOI Properties Group Berhad Corporate Plan, which is reviewed annually to ensure it continually reflects important priorities. IOIPG Group is dependent on the framework being used at the strategic and departmental business unit level to improve the organisation’s performance in the achievement of the group’s strategies and actions as detailed in the Plan.

8.2 Establish the context

Establishing the strategic and operational context in which the risk management process will take place defines the parameters within which risks must be managed, the criteria against which risk will be evaluated and the structure of the analysis.

8.2.1 External context

In addition to considering the external environment, this also includes the relationship or interface between IOIPG and its external environment. This may include:

• Business, social, regulatory, cultural, competitive, financial and political environment.
• International, National, State, Industry and Community impact, trends and practice.
• The group’s external opportunities and threats.
• Health and Safety.
• Media.
• Legal and Regulatory obligations.
• Strategic relations with external stakeholders and key 3rd party service providers.


Establishing the external context is important to ensure that our business counterparts and external partners and their objectives are considered when developing risk management criteria, and that externally generated threats and opportunities are also properly taken into account.

8.2.2 Internal context

An understanding of IOIPG as an organisation is important prior to undertaking the risk management process, regardless of the level. Areas to consider include:

• Goals and objectives and the strategies that are in place to achieve them;
• Culture;
• Strategic Plan, budget and drivers;
• Internal stakeholders;
• Occupational Health and Safety;
• Governance and structure;
• Capabilities in terms of resources such as people and systems;
• Processes; and
• IOIPG internal strengths, weaknesses, opportunities and threats (SWOT).

8.2.3 Risk management context

The level of detail that will be entered into during the risk management process must be considered prior to commencement and should be commensurate with the extent and nature of the inherent level of risk. The extent and scope of the risk management process will depend on the goals and objectives of the group’s activity that is being addressed, as well as the budget that has been allocated to that activity.

In each instance, consideration must also be given to the roles and responsibilities for driving and undertaking the risk management process. The next phase involves three (3) interconnected stages - Risk Identification, Risk Analysis and Risk Mitigation.


8.3 Risk Assessment

8.3.1 Risk Identification / Classification

The 1st phase is the Risk Identification phase. Its purpose is to identify all risks: the “what, when, why and how” of incidents that might impact on the achievement of the group’s objectives. Comprehensive identification using a well-structured, systematic process is critical, as a risk that is not identified will be excluded from further analysis; identification should therefore include all risks, whether or not they are under the control of IOI Properties Group Berhad.

An incident arises from the failure of people, processes or systems, or from external factors (e.g. fire, flood, assault or damage). In other words, something has gone wrong: a control failed to operate as expected, was not performed, or perhaps there was no control in place. Incidents can have multiple and varied impacts:

• Financial (e.g. losses, costs, fines, penalties);

• Non-financial (e.g. customer impact, damage to reputation/assets, regulatory impact, business interruption).

In this stage, each business unit is to anticipate all potential risks and their impact on its operations and record these in its risk register. The register is NOT a statement of current ongoing “problems” together with corrective measures to overcome them.

Capturing, understanding the root causes and investigating incidents are critical as

these provide us with important and timely information on the operation and

effectiveness of our controls, threats to our business operation and the extent and

nature of our risks.

A comprehensive risk identification process is delivered by considering the potential influence of each element of the internal and external operating environment on the group’s objectives. A systematic process works through each goal, objective or planned implementation action, identifying the things that may inhibit, detract from or prevent the achievement of the goal, or enhance the opportunity to meet the objective.


Identified risks and their categories are documented by developing a description of the risk and entering it into the group’s Risk Register (Microsoft Excel spreadsheet). The risk description should contain the category of risk, a statement of the risk, and those factors which could cause or contribute to the occurrence of the risk event.

IOI Properties Group Berhad utilises a range of tools and approaches to determine potential risks, including:

• Team-based brainstorming with experienced and knowledgeable staff representatives;

• Structured techniques (such as SWOT analysis, process mapping, flow charting, systems analysis or operational modelling);

• Annual strategic planning, budget and risk identification workshops;

• Examination and analysis of historical reports and incidents;

• Regular compliance reviews (internal and external);

• Internal review by the Risk Management Committee (“RMC”); and

• Reviews by external service providers.

The organisational strategic risks are developed annually in conjunction with the Executive Management Team, using the group’s strategic objectives and plan as a starting point. The organisational operating risks are identified in conjunction with Heads of Business Units at least monthly, which runs parallel to the group’s annual business planning cycle. Output from both the Strategic and Business Unit Risk Assessments is then used as input to the Business Planning Process.


RISK CATEGORIES

Operational: Supply Chain; Production; Hazard; HR; Integrity; Security; Health & Safety.

Market: Investors; Demand & Supply; Pricing; Consumer Behaviour.

Reputation: Compliance; Customer Service; Product Liability; Public Enquiry & Damage.

Financial: Credit; Liquidity; FX Rates; Interest Rate; Counter party; Taxation.

Technology: Systems; CyberSecurity; Outdated Hardware; Connectivity.

Political: Government Stability; Socioeconomic conditions; Internal Conflict; External Conflict.

Strategic: Change in Technology; Regulatory; Political; Global Economy; Competition; Corporate Governance.

Further sub-categories that appear in the table but whose column could not be recovered from the extracted layout: Commodity; Compliance; Investment; Global Economy.

Table 2: Risk Categories & Classification

8.3.2 Risk Analysis & Assessment

The 2nd phase is Risk Analysis and Assessment. The analysis should involve developing an understanding of the risk, the likelihood of the risk occurring and the full range of potential impacts/consequences. Identification of likelihood and impact is a qualitative exercise based on perception and history. The initial analysis provides the Inherent Likelihood, the Inherent Impact and the Inherent Risk Rating.

At this stage, the analysis assumes that all controls have failed or that there were no effective controls in place. Whilst this is unlikely, it allows IOI Properties Group Berhad to understand which risks have the greatest potential for disrupting the business operation and the most significant impact, and which therefore require strong and effective controls with appropriate and ongoing oversight.


8.3.3 Risk Evaluation

Risk evaluation is the process of identifying and measuring risk. The risk evaluation process includes identifying the risk, determining its probability and impact, establishing an action plan to control the inherent risk, defining the risk rating to be mitigated at the residual risk stage, and monitoring these risks.

All of these risk management processes are supported by a single risk management tool, the risk register.

8.4 Risk Mitigation Strategies

Risk mitigation involves identifying the most appropriate responses for reducing the inherent risk level to a level acceptable within IOI Properties Group Berhad’s risk tolerance. Both controls and mitigations are designed to mitigate the risk by reducing the likelihood of negative risks occurring and/or reducing the impact of risks should they occur.

There are a number of mitigation options available, and more than one will be applied to any risk. Typical mitigation options include the establishment and operation of controls designed to mitigate, discourage, identify and/or limit the impact and likelihood of a risk occurring. Most risks will have multiple different controls in place: some intended to prevent a risk occurrence, some to detect an occurrence, and others designed to respond to an occurrence. Controls will not always be performed by the risk owner. For example, Business Units will rely heavily on Technology to manage the controls that ensure systems are available and operating as required.

8.4.1 Controls

a) Directive Controls are those designed to establish desired outcomes.

Examples:

• Setting Council policies, Business Unit policy/procedures

• Setting capital expenditure limits

• Laws and regulations

• Training seminars

• Job descriptions

• Meetings


b) Preventive Controls are designed to discourage errors or irregularities from occurring. They are proactive controls that help to ensure departmental objectives are being met. Examples include:

• Training on applicable policies and Department policies/procedures;

• Review of occupational safety & health of office premises;

• Segregation of duties (authorisation, record keeping and custody of the related assets should not be performed by the same individual);

• Physical control over assets;

• Locking office doors to discourage theft;

• Using passwords to restrict computer access;

• Shredding documents containing confidential information.

c) Detective Controls are designed to find errors or irregularities after they have

occurred. Examples:

• Cash counts; bank reconciliation;

• Review of payroll reports;

• Compare transactions on reports to source documents;

• Monitor actual expenditures against budget;

• Review logs for evidence of mischief;

• Exception reports which list incorrect or invalid entries or transactions

• Reviews and comparisons

• Physical counts of inventories

d) Corrective Controls are intended to limit the extent of any damage caused

by an incident e.g. by recovering the organisation to normal working status as

rapidly and efficiently as possible. Examples:

• Submit corrective journal entries after discovering an error

• Complete changes to IT access lists if individual’s role changes

• System upgrades

• Additional training

• Changes to procedures.


e) Transferring the risk is intended to share the risk with a third party in order to reduce the likely impact should the risk materialise:

• Risk transfer may be achieved by taking out insurance to facilitate financial recovery against the realisation of a risk.

• Compensating a third party to take the risk because the other party is better able to manage the risk effectively.

• Risk may be wholly transferred, or partly transferred (i.e. shared).

• It is important to remember that it is almost impossible to transfer risk completely. In almost all risk sharing arrangements, a degree of the original risk remains, and there is inevitably a financial or other consideration for the sharing of the risk. In addition, a new risk is inherited: that of being dependent on a third party to manage the original risk.

f) Eliminate the risk. Some risks may only return to acceptable levels if the

activity is terminated. In such situations, the risks are deemed irrelevant and

not applicable in the current scenarios.

g) Accept the risk. A risk may be accepted because:

• the probability or consequences of the risk are low or minor;

• the cost of treating the risk outweighs any potential benefit;

• the risk falls within the group’s established risk appetite and/or tolerance levels; or

• IOIPG has limited or no control over the risk, e.g. natural disasters, international financial market impacts, terrorism and pandemic illnesses. To manage such risks, IOIPG should have a business continuity plan (BCP) in place to provide effective prevention and recovery.

When determining the most appropriate mitigation, IOIPG should consider:

• How will the mitigation modify the level of risk?

• How do costs balance out against benefits?

• How compatible is the mitigation with the overall business objectives?

• Does it comply with legislation?

• Does it introduce new or secondary risks?


In certain scenarios, more than one response may be necessary to address an

identified risk. In those cases a combination of responses (controls / mitigations)

should be taken into consideration.

8.5 Monitor and review

The risk assessment process provides a snapshot of the group’s risks, controls and action plans at a given point in time, via the “Risk Register” (Appendix 3). The residual risk impact and likelihood and the control effectiveness ratings can be reflected on a one-page Heat Map with supporting opinion and insight on risks, controls and actions: the “Risk Profile”.

Because the external and internal environment in which we operate is fluid, the influences on our objectives continue to ebb and flow. In addition, assumptions have been made in relation to both the quality of response strategies which are already in place and the implementation and quality of proposed responses. As a result, the risk management process is iterative and should be the subject of a structured monitoring and review process.

8.5.1 Ongoing review of risks

Risk response and the effectiveness of control measures to manage risk need to be monitored on an ongoing basis to ensure that changing circumstances, such as the political environment and the IOIPG strategic objectives and risk appetite, do not alter the risk evaluation profiles and adequacy assessments. New risks or deficiencies in existing mitigation strategies may be identified via a number of sources:

• Changes in the strategic objectives;

• Regular review of the identified risks and mitigation strategies;

• The annual Internal Audit exercise;

• Ongoing monitoring by various Committees, Audit Committees & RMC;

• New legislation;

• New accounting standards, guidelines or information from any regulator

• Complaints

• Regulatory / Compliance breaches

• Incidents

• External Audit (if any)

• Project & internal policy changes


Internal audit will provide particular attention to those controls, mitigation activities or

other responses identified through the risk assessment as having significant priority. In

addition, the Risk Assessment Process, including the Framework, will be monitored,

evaluated and reviewed by the Internal Auditor.

Risks are to be monitored and reviewed by the responsible manager/officer on an

ongoing basis and reported to committees at least quarterly. The effectiveness of risk

responses will be continuously monitored by the responsible manager/officer and

reviewed six monthly (Half Yearly).

8.5.2 Alignment to the strategic plan

For risk assessments associated with the whole of IOI Properties Group Berhad or

individual departments, the review process will be built into the business planning

process. Output from the Strategic Risk Assessment and Business Unit Risk

Assessments are to be used as input to the Business Planning Process. That input will

include risk response plans. Internal Audit will use the information from the Business

Planning Risk Assessments, in particular the risk response plans, to assist with

development of the Internal Audit plan.

Existing Risks / Existing Response Plans:

• Identify existing risk response plans in place.

• Establish objectives of the risk response plan, i.e. which risk is being mitigated and to what level/extent.

• Evaluate if the existing risk response plans meet their objectives.

• Assess if the response plans are sufficient and relevant, i.e. if any addition or removal of risk response plans is required.

New Risks / New Response Plans:

• Evaluate if the Business Unit is prepared to accept the type of risk and, if so, how much risk it is prepared to tolerate.

• Assess if the existing response plans can be leveraged to mitigate/control the new risks identified.

• Identify a range of risk response options and evaluate the options.

• Design a plan to implement the preferred options, including the relevant KPIs and measures of success.

• Implement the selected risk response plans.

Diagram 7: Risk Response Plans


To ensure that the identified strategic risks, and measures in place to manage them,

remain aligned to the group’s strategic objectives, any change to the overall Strategic

Plan will trigger a review of the risk assessment exercise and the Risk Management

Process.

8.5.3 Project related risks

In relation to project-based risk assessments, the risk mitigation plan provides the

project manager with a tool to continuously monitor project improvement through the

implementation of the plan.

Issues and delivered risks identified through the course of the project must be assessed

and included in the project risk register, having gone through the full risk assessment

process outlined above. This will ensure the continuing relevance of the risk

assessment.

8.6 Risk Management Tool – Risk Register

Risk registers provide a mechanism for documenting, managing, monitoring, reviewing, updating and reporting risk information. Risk Register design, use and related processes are developed and maintained by the Risk representatives appointed by the respective Heads of Business Units. IOI Properties Group Berhad has adopted a risk register template, tailored to the classification of risks being managed, which contains crucial information on all identified risks of each Business Unit, including its risk owners and accountability. This template is in line with the ISO 31000 guidelines and in compliance with global standards. The critical information included in the risk register template includes:

1. Risk Name & No.

2. Risk Category

3. Risk Rating

4. Risk Owner

5. Risk Impact

6. Risk Likelihood / Probability of Occurrence

7. Existing Control Activities

8. Corrective Action & Mitigation Strategies

9. Areas of Improvement: Consequences / Opportunities arising from the risk


A sample of the Risk Register Template is enclosed as Appendix 3.

The business units will conduct their own reviews of their risk registers and provide updates on the risk information from time to time via risk review reports, for analysis and verification by the Risk Management Department for the purpose of the Half Yearly Financial risk review sessions with the Risk Management Committee (“RMC”).

A sample of the Risk Review report is enclosed as Appendix 4.

8.6.1 Inherent likelihood & Probability

The Inherent Likelihood of a risk occurring is defined as the probability and frequency of its occurrence. The table below is a commonly used format with four (4) levels of Likelihood, from Low (an event that occurs only in exceptional circumstances), through Medium and High, to Very High (occurring frequently within a year). Each criterion is assigned a range between 0.1 and 4.0 that defines the level of likelihood of occurrence of each respective risk. (See Table 4 - Probability Matrix.)

Probability   Definition    Rating
Low           <= 5%         0.1 to 1.0
Medium        6% to 20%     1.1 to 2.0
High          21% to 50%    2.1 to 3.0
Very High     > 50%         3.1 to 4.0

Table 3: Risk Probability Matrix

8.6.2 Inherent impact

This is defined as the potential impact or consequence of a risk occurring and is generally expressed as a financial loss, a non-financial loss (e.g. damage to reputation, client impact, regulatory impact) or occasionally a gain. (See Table 5 - Risk Impact Matrix.) Accurately determining and assigning the possible multiple impacts can be achieved by utilising the Impact range table, which is assigned four (4) levels:

Impact Levels:

• Low (Range 0.1 to 1.0)

• Medium (Range 1.1 to 2.0)

• High (Range 2.1 to 3.0)

• Very High (Range 3.1 to 4.0)

Impact      Definition                                                Rating
Low         will not derail objective / immaterial loss               0.1 to 1.0
Medium      impede full achievement of objective / sustainable loss   1.1 to 2.0
High        will derail objective / material loss                     2.1 to 3.0
Very High   serious damage / critical loss                            3.1 to 4.0

Table 4: Risk Impact Matrix

A risk may fit into a single category or fall across multiple types, and similarly the level of impact may fit into more than one column. It is up to management (with assistance from risk representatives) to determine the type with the highest consequence for inclusion in the risk register. This consequence matrix document should be reviewed at least every two (2) years with business subject matter experts as part of the Framework review, to ensure that categories and descriptions are relevant and reflective of IOI Properties Group Berhad’s internal and external environments.

8.6.3 Inherent risk rating

For each of the risks listed from the Risk Identification process, the likelihood of the risk occurring and its impacts can be plotted using the criteria matrices by multiplying the numbers associated with each criterion of Likelihood of occurrence and Impact, and illustrated in a heatmap (see Diagram 3):

e.g. the Likelihood of a single risk assessed as ‘Very High’ (4) x the Impact assessed as ‘Very High’ (4) = 16.


The resulting level of risk will be shown as the intersection of the two dimensions on the Risk Level Matrix (see below and Appendix 3). This provides an Inherent Risk Rating of 16 = Very High, and immediate remedial action should be taken to reduce this risk.

The risk rating displayed on the heatmap is described in four (4) shaded areas reflecting the level of risk: Low, Medium, High and Very High.

8.6.4 Current control environment

To understand the extent to which the likelihood and impact of a risk occurring is being

mitigated, the full set of controls currently in place must be documented and assessed

for effectiveness of design and operation. The assessment should only assess controls

that are currently in operation, not those that are planned.

Diagram 8: Risk Heat Map


Where controls are operated by a third party (e.g. Technology), discussions with the

control owner should take place to ensure there is an appropriate assessment of the

control that takes into consideration the views of the control owner and the risk owner.

8.6.5 Residual risk

When the controls have been assessed and rated, the “Residual Risk” (the amount of risk left over after inherent risks have been reduced by controls) rating can be determined. For each of the risks listed from the Risk Identification process, the Residual Likelihood of occurrence and potential impacts can be plotted by multiplying the numbers associated with each criterion of Likelihood and Impact. For example, the risk of a Cost Overrun occurring in the Project Management process, taking into consideration the effectiveness of controls in place (considered ‘Good’), could now be reassessed as follows:

The Likelihood is Low (= 1) x Impact assessed as now being Medium (= 3).

The resulting residual risk (1 x 3 = 3) will be shown as the intersection of the two dimensions on the matrix (see below). This provides a Residual Risk level of 3 = Low. It is likely that no further actions would be required to further mitigate this risk.

Diagram 9: Residual Risk Rating


Alternatively, if controls in place to mitigate a Cost Overrun occurring in the Project

Management process are determined to be ‘Poor’, the inherent risk could be

reassessed as follows:

The Likelihood is Possible (= 3) x Impact assessed as still being Major (= 4).

The resulting residual risk (3 x 4 = 12) would be High. In these circumstances, the

Residual risk would be outside of appetite and would require actions to address the

controls gaps or weaknesses to further mitigate the likelihood or impact of the risk

occurring.

8.6.7 Residual Risk Rating

This step prioritises the Residual risks to be addressed. The IOIPG Board Of Directors

and Risk Management Committee (“RMC”) will set a threshold (Risk Appetite) every

two years whereby risks above the threshold are unacceptable and must be addressed

and risks below the threshold are treated differently (i.e. recorded/recorded &

monitored). IOIPG has also set criteria for responses to the range of Residual Risk

Level ratings.

Using the example above – the Residual risk of a Cost Overrun is assessed as being

High.

Naturally, this is unacceptable, so actions are required to develop or enhance controls to mitigate the likelihood and impact of a Cost Overrun occurring.

• Residual Risks assessed as ‘Very High’, are likely to impact on strategic

objectives and are unacceptable and must be immediately and actively mitigated,

managed and monitored by the risk owner.

• Residual Risks identified as ‘High’ are likely to impact Division or possibly

strategic objectives and therefore the IOIPG Board Of Directors and Risk

Management Committee (“RMC”) are likely to view these risks as unacceptable.

The risk owner must actively mitigate, manage and report with ongoing

monitoring by the RMD – Risk Mgt Dept.


• Residual Risks identified as ‘Medium’ should be assessed on a case by case

basis to understand the nature of the risk and whether the strengthening of

controls is required, otherwise this can be tolerated if it is determined that impacts

won’t adversely affect organisational objectives. Medium risks can be managed

with controls but must be monitored to ensure the risk exposure is effectively

managed and doesn’t worsen.

• Residual Risks identified as ‘Low’ are within operational and organisational

tolerances and can be accepted. Low risks must still be recorded.

8.6.8 Action plans

Where control weaknesses are identified and the decision is taken that further

mitigation is required (i.e. the residual exposure is not accepted), an action plan must

be established.

All actions must be:

• Owned: who is responsible for ensuring the action is addressed.

• Specific: the exact activities that will be undertaken.

• Timely: must be completed within appropriate time frames, commensurate with

the significance of the gap/weakness.

• Achievable: the action/activities must be realistic to ensure appropriate

mitigation.

• Measurable: it must be possible to quantify the action or have a means of

assessing progress.

• Justified: can demonstrate a further reduction in the Residual Likelihood and/or

Impact.

• Governed: tracked, managed and reported.


9.0 RISK REPORTING

Reporting associated with the Risk Management Framework is structured to satisfy two criteria:

1) Information relating to the IOI Properties Group Berhad existing risk profile & Risk registers; and

2) Information relating to the IOI Properties Group Berhad implementation, performance and status of the Framework (Compliance).

The table below indicates the reporting responsibilities and frequency:

Report Name: Strategic Risk Assessment
Submission By: Chief Operating Officer (COO)
Report Recipient: Senior Management / Risk Management Committee (“RMC”) / Group Risk Management Department
Frequency: Annually

Report Name: Business Unit Risk Register Status Report
Submission By: All Business Unit General Managers / Asst. General Managers / Managers
Report Recipient: Risk Management Committee (“RMC”) / Group Risk Management Department
Frequency: Quarterly / Half Yearly

Report Name: Department Risk Assessment(s)
Submission By: Business Unit Managers / Risk Team
Report Recipient: Group Risk Management Department
Frequency: Quarterly / Monthly reviews for High / Very High risks

Report Name: Risk Mitigation Actions on Track
Submission By: Responsible risk control & action owners (facilitated by Risk & Assurance Team)
Report Recipient: Group Risk Management Department
Frequency: Quarterly

Table 5: Reporting Accountabilities & Frequencies


Diagram 10: Reporting Structure

Reporting levels (internal reporting): Board; Senior Leadership Team; Management Team; Operational Team.

Internal reporting content:

• The Group’s risk profile; actions to address key risks; effectiveness and progress of actions taken; state of the risk management framework; major incidents and issues.

• Results/Key Performance Indicators; commentary on major events in the period; major incidents and issues; areas of focus where risks are changing adversely; new risk exposure; progress on actions to address key risks.

• Commentary on major events in the reporting period; major incidents and issues; areas of focus where risks are changing adversely; progress on actions to address key risks.

External reporting:

• Better disclosure of risks and risk management practices to stakeholders.

10.0 RISK TRAINING & DEVELOPMENT

To ensure the successful implementation of risk management throughout the organisation, it is planned that appropriate training in risk management will be provided to High Level Management and the managers of each respective Business Unit. Training co-ordinated between the Training Department and the Group Risk Management Department should encompass the risk management process, application of risk management tools, assistance with identification and analysis of the group’s risk exposures, risk profiling and reporting.

In addition, the group’s Risk Management Team will coordinate with the Training and Development Department to work towards ensuring:

• Induction training will include Risk Management awareness and the Employee Code of Conduct.

• Employees receive regular Risk Management awareness and update training (at minimum, a half-day refresher course once every year for those staff directly involved in Risk Reporting and Monitoring).


• Any updates and changes to the Risk Management Policy, Framework related policies,

procedures; Codes of Conduct, ethics etc. are circulated to all employees via the Intranet

or email where deemed necessary.

11.0 APPROVING AUTHORITY

The Board of Directors (“Board”) and Risk Management Committee (“RMC”) shall be responsible

for the approval or ratification of the Enterprise Risk Management (“ERM”) Framework.

12.0 DATE OF IMPLEMENTATION

The Enterprise Risk Management ("ERM") Framework is effective immediately upon approval by the Board of Directors ("Board") on 7th September 2018.

13.0 REFERENCE

The Framework is to be read in conjunction with all other relevant policies and internal procedural documents issued by IOIPG, and with the following standards published by the International Organization for Standardization ("ISO") and the Department of Standards Malaysia ("MS ISO"):

a) International Standard ISO 31000: Risk Management – Principles and Guidelines

b) Malaysian Standard MS ISO 31000: Risk Management – Principles and Guidelines

14.0 COMPLIANCE

The Framework applies to all departments, units and projects in which IOIPG is engaged or involved.

15.0 EXCEPTIONS

Any exception from this Framework shall require the approval of the Board of Directors of IOIPG ("Board") and the Risk Management Committee ("RMC"), unless the exception is deemed operational in nature.


Appendix 1 – Risk Management RACI Matrix

The RACI matrix indicates the level of participation of each role in each step of the process. The RACI acronym is derived from the four (4) key responsibilities in the risk management process: Responsible, Accountable, Consulted and Informed.

Responsible (R) – Accountable (A) – Consulted (C) – Informed (I)

Activity                                  | Staff | Head BU's | Manager | Risk Champion | Risk Mgt Dept | Risk Owner | Control Owner | CEO | RMC | Audit
------------------------------------------|-------|-----------|---------|---------------|---------------|------------|---------------|-----|-----|------
Risk Culture                              | I     | I         | C       | C             | C             | R          | R             | A   | A   |
Risk Appetite Setting                     | I     | C         | C       | C             | C             | R          | R             | A   | A   |
Risk Framework                            | I     | I         | I       | C             | R             | C          | C             | A   | A   |
Communication                             | I     | I         | I       | C             | R             | C          | C             | I   | I   |
Training / Awareness                      | I     | I         | R       | R             | R             | R          | R             | A   | A   |
Hazard Identification                     | R     | R         | R       | R             | R             | R          | R             | R   | R   |
Risk Assessment / Evaluation              | I     | C         | C       | R             | R             | C          | C             | A   | I   |
Out of Cycle Risk Assessment              | C     | C         | R       | R             | C             | R          | C             | A   | I   |
Risk Mitigation Strategies / Action Plans | I     | C         | C       | R             | C             | C          | A             | A   | I   |
Monitoring                                | I     | R         | A       | C             | C             | A          | A             | A   | I   | I
Reporting                                 | I     | C         | R       | R             | R             | A          | A             | I   | I   | I
Assurance                                 | I     | I         | C       | R             | R             | C          | C             | A   | A   | R
Attestation                               | I     | R         | C       | R             | C             | A          | A             | I   | I   |
Crisis Management                         | I     | R         | R       | R             | R             | R          | R             | A   | I   |
Emergency Management / BCP                | I     | R         | R       | R             | R             | R          | R             | A   | I   |
Post Incident Review                      | C     | C         | C       | R             | R             | C          | C             | I   | I   |

R - Responsible: Completes the work to achieve the task

A - Accountable: Ultimately answerable for accurate completion of the task, or the approving / final approving authority

C - Consulted: Those whose opinions are sought to complete the task (subject matter experts)

I - Informed: Notified of the result of the task

A blank cell means the role has no defined part in that activity.


Appendix 2 – Risk Register Template

Review of Key Principal Risks & Control Activities

Risk Register Note: PLEASE DO NOT ALTER LAYOUT OF REPORT

Each risk entry in the register records the following fields:

• Risk No.

• Principal Risk

• Description / Root Cause of Risk

• Risk Category

• Impact

• Likelihood

• Risk Rating

• Risk Status

• Consequences / Opportunities (if any) arising from the Risk

• Brief Overview of Controls, Corrective Action & Strategies

• Corrective Action & Mitigation Strategy

• Control Type: Preventive / Detective / Directive / Corrective

• Risk Owner

The template provides drop-down selections ("Select", with "N/A" as a default) for five of the fields, such as Risk Category, Impact, Likelihood, Risk Rating and Risk Status; Control Type is chosen from the four options listed above.


Appendix 3 – Risk Review Report

Note: PLEASE DO NOT ALTER LAYOUT OF REPORT

Risk Review Period (*Compulsory): selected from 1st Half FY 2018, 2nd Half FY 2018, 1st Half FY 2019, 2nd Half FY 2019, 1st Half FY 2020, 2nd Half FY 2020, or N/A

Business Entity (*Compulsory):

Scope of Review:

Signed Off By: Head of Division / Department / Business Unit        Date:

Acknowledged By: Risk Management Dept        Date:

EXECUTIVE SUMMARY

Acknowledgement

We are directly responsible for the design, establishment, and maintenance of internal control systems to manage risks related to our Unit / Department.

Scope of the review

We have for the mentioned period identified and reviewed all principal risks; corresponding controls (in processes and procedures) and control activities (monitoring, measures, analyses & communication); and have responded appropriately to the same for the following units/depts/functions: -

(Select)


Recommended