Urusharta Jamaah Sdn Bhd
Board Audit and Risk Committee (“BARC”) - Presentation of Enterprise Risk Management (“ERM”) Framework
Deloitte Risk Advisory Sdn Bhd
21 May 2021
UJSB ERM Framework Development © 2021 Deloitte Risk Advisory Sdn Bhd
Private and Confidential
Table of Contents
Key Content of ERM Framework 3
Overview of the ERM Framework 4
Risk Management Philosophy 6
Roles and Responsibilities 7
Risk Category 9
Risk Management Process 10
Risk Assessment Criteria 11
Risk Appetite 14
Next Step 16
Overview of the ERM Framework
Overview
• Reference: ISO31000:2018 Risk Management - Principles and Guidelines;
• Definition of ERM;
• Objective of implementing ERM; and
• Overview of the ERM Framework.
Mandate and Commitment
• Commitment from the Board of Directors (“Board”) / Board Audit and Risk Committee (“BARC”) and Management to ensuring that the objective of implementing effective risk management is achieved.
Risk Governance
• Risk Management Philosophy with Three Lines of Defense (“3LoD”); and
• Roles and responsibilities for the Board, BARC, Management Executive Committee (“MEC”), Risk and Compliance Department (“RCD”) and Head of Department (“HoD”) / Risk Owner.
Risk Management Process
• Context setting;
• Risk identification;
• Risk assessment and prioritisation;
• Risk response; and
• Risk monitoring and reporting.
Overview of the ERM Framework
[Figure: Deloitte’s Overview of ERM Framework. A risk-intelligent, risk-conscious organization is shown in three layers: Risk Ambition & Vision (tone at the top; risk governance by the Board of Directors), Risk Organization (risk infrastructure and management by executive management; people: empower & create trust) and the Risk Management Cycle (risk ownership by business units, policies & procedures). The cycle comprises: identify strategic risk; assess & evaluate; integrate across enterprise; respond to risk; design, implement & test controls; monitor, assure & escalate. Source: Deloitte’s Overview of ERM Framework]
The ERM Framework is based on three (3) key components of effective risk management, which are split further into 12 core building blocks of a successful Risk Management Function:
• Risk Ambition and Vision: strategic decision-making and risk oversight, led by the Board;
• Risk Organization: design, implementation and maintenance of an effective risk program, led by the RCD with functional oversight by the Chief Executive Officer (“CEO”); and
• Risk Management Cycle: identifying, measuring, monitoring and reporting on risks, led by the business units.
Overview of the ERM Framework (Continued)
Risk Ambition and Vision
• Risk Governance Bodies: Creating the structure and oversight for risk to be effectively managed.
• Risk Policies: Setting the tone and level of risk management applied across UJSB.
• Risk Culture: The values and behaviours that drive risk management in UJSB.
• Risk Appetite: Setting the level of risk UJSB is willing to accept, within tolerances.
Risk Organisation
• Risk Resources: The people and time that are applied to risk management, centrally and across Business Units.
• Risk Procedures and Templates: Providing guidance and clear direction for all areas of UJSB to perform risk management.
• Risk Supporting Tools: Manual and automated tools leveraged to provide a better risk management process.
• Risk Training: The support provided across the business to embed risk management.
Risk Management Cycle
• Risk Identification: Process of identifying risks and opportunities to business operations, financials and reputation.
• Risk Measurement and Response: Evaluation of risk on a common scale, with implementation of an appropriate response.
• Risk Management: Ongoing management and evaluation of risk mitigations, controls and other responses to risk.
• Risk Monitoring and Reporting: Monitoring of key risk indicators to assess the likelihood of crystallisation, and reporting of the current risk environment.
Risk Management Philosophy
UJSB adopts the Three Lines of Defense (“3LoD”) concept, which propagates a clear demarcation of roles, responsibilities and accountabilities in managing risk, as follows:
• 1st Line of Defense: Risk Owners / Heads of Department (“HoD”) and Risk Owners / HoD of the Subsidiary Companies. Responsible for day-to-day risk management.
• 2nd Line of Defense: Risk & Compliance Department (“RCD”). Responsible for independent risk management oversight over the risk owners.
• 3rd Line of Defense: Internal Audit Department (“IAD”). Performs risk-based audit and independent assurance over the effectiveness of risk management initiatives.
Above the three lines sit the CEO / Management Executive Committee (“MEC”) and, ultimately, the Board / BARC.
Roles and Responsibilities
The Risk Management Oversight Structure represents the delegation structure in which the Board assigns risk management responsibilities across UJSB. The structure runs from the Board and its Committee, i.e. the Board Audit & Risk Committee (“BARC”), to the Chief Executive Officer (“CEO”) / Management Executive Committee (“MEC”), the Risk and Compliance Department / Risk Coordinator (at UJSB Company level), the HoD / Risk Owner and the HoD / Risk Owner of the Subsidiary Companies. The responsibilities shown in the structure are:
• Agrees on key enterprise risks for focused response efforts
• Ensures that strategies for managing identified risks have been developed
• Facilitates cross-functional mitigation initiatives for key enterprise risks
• Commits to and executes specific strategies, allocates resources, and is prepared to correct course if assumptions are invalid or no longer applicable
• Oversight on management of key risks, emerging risks and strategic risk initiatives
• Confirms/adjusts risk response strategies based on the evolving risk profile
• Aggregates issues for an enterprise-wide view
• Identifies items for escalation to board/executive leadership
• Shares lessons learned and connects dots across the organization
• Identifies, assesses and manages key BU/functional risks
• Reports on mitigation progress and escalates emerging risk issues
Roles and Responsibilities (Continued)
Roles and Key Responsibilities
• Board: Assumes ultimate responsibility for ERM oversight, reviews and approves risk strategies, and ensures that UJSB has established adequate internal controls and infrastructure.
• BARC: Assists the Board in fulfilling its responsibilities in managing risks; reviews and recommends to the Board the Risk Management Policies, risk appetite and tolerance limits; and periodically reviews the Risk Report to ensure that all areas of risk have been considered and that all identified risks are being responded to appropriately.
• MEC (chaired by the CEO): Consultative role throughout the risk management process; facilitates enterprise-wide risk management initiatives from an operational perspective; and reviews the implementation of the risk management framework and provides feedback to facilitate its effective and consistent adoption throughout UJSB and its group of companies.
• Risk & Compliance Department / Risk Coordinator (at UJSB Company level): Provides assurance to Management / BARC, as the second line of defense, that risks are being effectively managed; coordinates and facilitates the updating of the Risk Profile and consolidates the Risk Profiles from the respective Risk Owners; and provides periodic (half-yearly) reporting to Management and BARC.
• HoD / Risk Owner (Properties, Equities, Operations & Finance): Primarily responsible for managing risks within their respective areas and for continuously updating the Risk Profile in accordance with the reporting requirements, i.e. half-yearly.
• Subsidiary Companies, i.e. TH Heavy Engineering Berhad and UJ Property Management Sdn. Bhd.: Adopt their respective Risk Management Frameworks to manage their risks, consistent with and guided by the UJSB Framework while tailored to the specific circumstances of each company, and ensure timely reporting of risk information to RCD and subsequently to the MEC on a bi-monthly basis.
Risk Category
Risk categories enable identification of risk root causes, impacts and interdependencies, and facilitate a common way of thinking about, discussing and managing risk.
Risk Category and Definition
• Strategic: Potential risk(s) that could disrupt the assumptions at the core of an organization’s business strategy, including risks to strategic positioning, strategic execution and strategic choices and consequences, impeding the organization’s ability to achieve its strategic objectives.
• Financial: The risk arising from ineffective management and control of the finances of the organization and the effects of external factors such as availability of credit, foreign exchange rates, interest rate movements and other market exposures, e.g. economic conditions and market risk/uncertainty impacting investment/rental income.
• Operational: Risk of potential breakdowns/deficiencies in process effectiveness or efficiency resulting from control and/or process design weaknesses which may cause material exposure.
• Compliance and Regulatory: The risk arising from unexpected changes in, and non-compliance with, relevant laws, rules, policies and procedures or standards.
• Reputational: Risk of a potentially tarnished reputation or loss of marketplace caused by a breach of risk management requirements, operational breakdown, legal/regulatory breach, unsuccessful product launch or other reputation-impacting event (e.g. service delivery failure).
• Corruption: The risk arising from dishonest or fraudulent conduct such as giving or accepting bribes or inappropriate gifts, laundering money, abuse of cash, favouritism in awarding contracts, facilitation payments and collusion.
Risk Management Process
The risk management process involves the following activities:
1. Context Setting: Understand UJSB's strategy, value drivers and potential risk in the context of the industry, value chain and stakeholder expectations.
2. Risk Identification: Define potential risks and uncertainties that could positively or negatively affect UJSB’s goals, and evaluate their impacts and UJSB’s vulnerability to those impacts.
3. Risk Assessment and Prioritisation: Determine the critical risks faced by UJSB at the enterprise level.
4. Risk Response: Develop and implement a plan to respond to a risk and understand its root causes.
5. Risk Monitoring and Reporting: Track priority risks and engage in routine discussions with leadership on the status and impact of risk treatment plans.
Risk Assessment Criteria
Scales are defined for risk ratings in terms of the impact and likelihood. These scales comprise rating levels and definitions that foster
consistent interpretation and application.
Impact
Impact (or consequence) refers to the extent to which a risk event might affect the Company. Each score is defined against four criteria: Financial (RM), Reputational, Compliance & Regulatory, and Business Objective/Strategies.
5 - Extreme
• Financial (RM): Annual performance* > -30%; rental loss (uncollectible rental)** > 50%; operating loss*** > RM16.00 million
• Reputational: Sustained serious loss in image/reputation over a longer term (weeks) with extensive negative international publicity/media coverage
• Compliance & Regulatory: Significant prosecution and fines, litigation including class actions, incarceration of leadership; any termination (as a result of a breach of contractual obligation) resulting in potential monetary losses
• Business Objective/Strategies: All business objectives/strategies are not met
4 - Major
• Financial (RM): -20% < annual performance* ≤ -30%; 25% < rental loss (uncollectible rental)** ≤ 50%; RM8 million < operating loss*** ≤ RM16 million
• Reputational: Diminution in image/reputation with extensive negative national publicity/media coverage, sustained over several days
• Compliance & Regulatory: Enforcement via prosecution, major fines; major non-compliance of contractual obligation
• Business Objective/Strategies: Some critical business objectives/strategies are not met
3 - Moderate
• Financial (RM): -10% < annual performance* ≤ -20%; 10% < rental loss (uncollectible rental)** ≤ 25%; RM3 million < operating loss*** ≤ RM8 million
• Reputational: Image/reputation will be affected, with negative national publicity/media
• Compliance & Regulatory: Enforcement via issuance of a prohibition notice/stop order and/or issuance of a moderate fine; moderate non-compliance of contractual obligation
• Business Objective/Strategies: Important (but not critical) business objectives/strategies are not met
2 - Minor
• Financial (RM): Annual performance* ≤ -10%; 2% ≤ rental loss (uncollectible rental)** ≤ 10%; RM0.65 million ≤ operating loss*** ≤ RM3 million
• Reputational: Negative local publicity/media coverage
• Compliance & Regulatory: Enforcement via improvement notice, no fines; minor non-compliance of contractual obligation
• Business Objective/Strategies: Uncritical business objectives/strategies are not met
1 - Insignificant
• Financial (RM): Annual performance*, i.e. NAV, > 0%; rental loss (uncollectible rental)** < 2%; operating loss*** < RM0.65 million
• Reputational: No publicity/media coverage
• Compliance & Regulatory: No enforcement, no fines, no non-compliance
• Business Objective/Strategies: No impact to business objectives/strategies
* Based on prior year, i.e. FY2020 end close of the fund
** Based on prior year, i.e. FY2020 impairment loss on Trade Debtors
*** Based on prior year, i.e. FY2020 direct operating costs and overhead expenses
Risk Assessment Criteria (Continued)
Likelihood
Likelihood represents the possibility that a given event will occur.
• 5 - Almost Certain: The risk is almost certain to occur. Frequency: the risk is expected to occur four (4) times or more in a year.
• 4 - Likely: High likelihood of occurrence. Frequency: the risk is expected to occur two (2) to three (3) times in a year.
• 3 - Possible: The risk may happen but is not certain or probable. Frequency: the risk is expected to occur once a year or once every two (2) years.
• 2 - Unlikely: Conceivable, but low potential of occurrence. Frequency: the risk is expected to occur once in three (3) to four (4) years.
• 1 - Rare: The risk may only occur in very exceptional circumstances. Frequency: the risk is expected to occur once in five (5) years or more.
Risk Assessment Criteria (Continued)
Risk Map
A Risk Map, often called a Heat Map, is a two-dimensional representation of impact plotted against likelihood. Each cell below gives the rating band and, in brackets, the score (likelihood score × impact score):
Likelihood \ Impact | Insignificant [1] | Minor [2] | Moderate [3] | Major [4] | Extreme [5]
Almost Certain [5] | Medium [5] | High [10] | High [15] | Very High [20] | Very High [25]
Likely [4] | Low [4] | Medium [8] | High [12] | High [16] | Very High [20]
Possible [3] | Low [3] | Medium [6] | Medium [9] | High [12] | High [15]
Unlikely [2] | Very Low [2] | Low [4] | Medium [6] | Medium [8] | High [10]
Rare [1] | Very Low [1] | Very Low [2] | Low [3] | Low [4] | Medium [5]
Risk Map rating and Description/Action
• Very High: The risk has now become imminent and requires immediate action
• High: Urgent action is required to reduce the risk
• Medium: Action is required to further reduce the risk
• Low: Monitor the risk and put in place action if cost effective to do so
• Very Low: Monitor the risk
Risk Appetite
Risk Appetite (or risk tolerance) can be defined as the quantum of risk an organization is willing to take in pursuit of its strategy.
The risk appetite cycle is as follows:
1. Set the strategic plan and objectives as well as the risk strategy and risk capacity;
2. Articulate and cascade the risk appetite statement and limits;
3. Monitor and report the Risk Profile versus the risk appetite; and
4. Control and correct the Risk Profile should it deviate from the risk appetite, and reassess the risk appetite and, as the case may be, the strategy in the light of changes in the business, competitive or control environments.
Risk Appetite (Continued)
Risk appetite is generally expressed through both quantitative and qualitative means and should consider extreme conditions, events and outcomes.
UJSB should gather the following inputs to establish the enterprise risk appetite statements:
• Applicable risk categories;
• Organizational risk capacity (how much risk the Company can theoretically take on) and appetite (how much risk the Company wants to take on); and
• Stakeholder interviews.
Risk category | Objective/Risk Capacity | Risk Appetite/Tolerance Limit
Financial | 30% drop in annual performance, i.e. Net Asset Value (“NAV”) | 15% drop in annual performance, i.e. NAV
Financial | 50% rental loss, i.e. uncollectible rental | 25% rental loss, i.e. uncollectible rental
Financial | RM16.00 million operating losses | RM5.50 million operating losses
Operational | 24 hours of interruption | 12 hours of interruption
Reputational | Extensive negative international publicity/media coverage (sustained serious loss in image/reputation in a week) | Negative national publicity/media coverage (image/reputation will be affected)
Corruption | Zero corruption risk event | Zero corruption risk event
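Rating a risk register entry against the criteria above (the Financial impact scale, the Likelihood frequency scale, the Risk Map bands and the Financial row of the Risk Appetite table), as an added Python example that is not UJSB's or Deloitte's own tooling. The thresholds are the ones printed on these pages; the function names, the handling of boundary cases noted in the comments and the sample inputs in the usage note are assumptions.

```python
"""Scorer for the impact, likelihood and risk-map criteria in the tables
above.  Added illustration, not UJSB's or Deloitte's own tooling: thresholds
are copied from the page; function names and sample inputs are constructed."""

def nav_impact(drop_pct):
    """Annual performance (NAV) column; the table writes thresholds as negative
    performance, taken here as the size of the drop in percent.  Exactly 0%
    is treated as no drop (assumption at the boundary)."""
    if drop_pct <= 0:
        return 1
    return 2 if drop_pct <= 10 else 3 if drop_pct <= 20 else 4 if drop_pct <= 30 else 5

def rental_loss_impact(pct):
    """Rental loss (uncollectible rental) column."""
    if pct < 2:
        return 1
    return 2 if pct <= 10 else 3 if pct <= 25 else 4 if pct <= 50 else 5

def operating_loss_impact(rm_m):
    """Operating loss column, RM in millions."""
    if rm_m < 0.65:
        return 1
    return 2 if rm_m <= 3 else 3 if rm_m <= 8 else 4 if rm_m <= 16 else 5

def likelihood_score(per_year):
    """Frequency column (expected events per year).  Gaps between the stated
    frequencies (e.g. once in 4.5 years) fall to the lower score, an assumption."""
    return 5 if per_year >= 4 else 4 if per_year >= 2 else 3 if per_year >= 0.5 \
        else 2 if per_year >= 0.25 else 1

def risk_band(impact, likelihood):
    """Heat-map band for impact x likelihood.  The cut-offs reproduce every
    cell of the Risk Map (e.g. 5 -> Medium, 10 -> High, 20 -> Very High)."""
    s = impact * likelihood
    return ("Very Low" if s <= 2 else "Low" if s <= 4 else "Medium" if s <= 9
            else "High" if s <= 16 else "Very High")

ACTIONS = {"Very High": "imminent; immediate action required",
           "High": "urgent action required to reduce the risk",
           "Medium": "action required to further reduce the risk",
           "Low": "monitor; act if cost effective to do so",
           "Very Low": "monitor the risk"}
# Financial tolerance limit and risk capacity from the Risk Appetite table:
# (NAV drop %, rental loss %, operating loss RM million)
TOLERANCE = (15, 25, 5.50)
CAPACITY = (30, 50, 16.00)

def assess(nav_drop_pct, rental_loss_pct, op_loss_rm_m, per_year):
    """Rate one register entry: the worst financial criterion sets the impact;
    the heat-map band, required action and risk-appetite status follow."""
    exposure = (nav_drop_pct, rental_loss_pct, op_loss_rm_m)
    impact = max(nav_impact(nav_drop_pct), rental_loss_impact(rental_loss_pct),
                 operating_loss_impact(op_loss_rm_m))
    likelihood = likelihood_score(per_year)
    band = risk_band(impact, likelihood)
    if any(x > cap for x, cap in zip(exposure, CAPACITY)):
        appetite = "exceeds risk capacity"
    elif any(x > lim for x, lim in zip(exposure, TOLERANCE)):
        appetite = "exceeds tolerance limit"
    else:
        appetite = "within appetite"
    return impact, likelihood, band, ACTIONS[band], appetite
```

For a constructed entry with a 12% NAV drop, 18% uncollectible rental, RM4.0 million operating loss and one expected occurrence a year, `assess(12, 18, 4.0, 1.0)` returns impact 3, likelihood 3, Medium and "within appetite"; `assess(22, 30, 9.0, 1/3)` is also Medium but exceeds the tolerance limit.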
Overview of the ERM Roll-Out in UJSB
The proposed implementation roadmap for UJSB’s ERM roll-out is set out as follows, with milestones at the end of Quarter 2, 2021, the end of Quarter 3, 2021, Quarter 4, 2021 and by 2022:
• Terms of Reference (“ToR”): Update the relevant ToR, i.e. MEC.
• Risk Assessment: Perform a risk assessment exercise based on the established ERM Framework; subsequently, carry out the necessary periodic reporting.
• Risk Resource: Hire new talent to support RCD if the current structure lacks the capacity to carry out the roles and responsibilities.
• Risk Training: Conduct risk management training on the implementation of the ERM Framework and to raise risk awareness.
• Policies and Procedures (“P&P”): Update other operational P&P, if any, as a result of the implementation of the Framework.
In the event that UJSB’s operations grow bigger and more complex:
• Risk Resource: A separate Risk Management Committee at Management level should be set up.
• Risk Tool: A Risk Management Tool should be considered to support the risk management activities undertaken by the Company.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities
(collectively, the “Deloitte organisation”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally
separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and
related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see
www.deloitte.com/about to learn more.
Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax & legal and related services. Our global
network of member firms and related entities in more than 150 countries and territories (collectively, the “Deloitte organisation”) serves four out of
five Fortune Global 500® companies. Learn how Deloitte’s approximately 312,000 people make an impact that matters at www.deloitte.com.
Deloitte Asia Pacific Limited is a company limited by guarantee and a member firm of DTTL. Members of Deloitte Asia Pacific Limited and their
related entities, each of which are separate and independent legal entities, provide services from more than 100 cities across the region, including
Auckland, Bangkok, Beijing, Hanoi, Ho Chi Minh City, Hong Kong, Jakarta, Kuala Lumpur, Manila, Melbourne, Osaka, Shanghai, Singapore, Sydney,
Taipei, Tokyo and Yangon.
About Deloitte Malaysia
In Malaysia, services are provided by Deloitte Risk Advisory Sdn Bhd and its affiliates.
© 2021 Deloitte Risk Advisory Sdn Bhd