Internal Control System and Risk Management Framework
STRENGTHENING THE INTERNAL CONTROL SYSTEM AND ENTERPRISE RISK MANAGEMENT FRAMEWORK
Principle 12
To ensure the integrity, transparency and proper governance in the conduct of its affairs, the
company should have a strong and effective internal control system and enterprise risk
management framework.
Recommendation 12.1
The Company should have an adequate and effective internal control system and an enterprise
risk management framework in the conduct of its business, taking into account its size, risk
profile and complexity of operations.
Explanation
An adequate and effective internal control system and an enterprise risk management framework
help sustain safe and sound operations as well as implement management policies to attain
corporate goals. An effective internal control system embodies management oversight and
control culture; risk recognition and assessment; control activities; information and
communication; monitoring activities and correcting deficiencies. Moreover, an effective
enterprise risk management framework typically includes such activities as the identification,
sourcing, measurement, evaluation, mitigation and monitoring of risk.
Recommendation 12.2
The Company should have in place an independent internal audit function that provides an
independent and objective assurance, and consulting services designed to add value and improve
the company's operations.
Explanation
A separate internal audit function is essential to monitor and guide the implementation of
company policies. It helps the company accomplish its objectives by bringing a systematic,
disciplined approach to evaluating and improving the effectiveness of the company's
governance, risk management and control functions. The following are the functions of the
internal audit, among others:
o Provides an independent risk-based assurance service to the
Board, Audit Committee and Management, focusing on reviewing
the effectiveness of the governance and control processes in
(1) promoting the right values and ethics, (2) ensuring effective
performance management and accounting in the organization,
(3) communicating risk and control information, and
(4) coordinating the activities and information among the Board,
external and internal auditors, and Management;
o Performs regular and special audit as contained in the annual
audit plan and/or based on the company’s risk assessment;
o Performs consulting and advisory services related to
governance and control as appropriate for the organization;
o Performs compliance audit of relevant laws, rules and
regulations, contractual obligations and other commitments,
which could have a significant impact on the organization;
o Reviews, audits and assesses the efficiency and effectiveness
of the internal control system of all areas of the company;
o Evaluates operations or programs to ascertain whether
results are consistent with established objectives and goals,
and whether the operations or programs are being carried out
as planned;
o Evaluates specific operations at the request of the Board or
Management, as appropriate; and
o Monitors and evaluates governance processes.
A company's internal audit activity may be a fully resourced activity housed within the
organization or may be outsourced to qualified independent third party service providers.
Recommendation 12.3
Subject to a company’s size, risk profile and complexity of operations, it should have a qualified
Chief Audit Executive (CAE) appointed by the Board. The CAE shall oversee and be
responsible for the internal audit activities of the organization, including that portion that is
outsourced to a third party service provider. In case of a fully outsourced internal audit activity, a
qualified independent executive or senior management personnel should be assigned the
responsibility for managing the fully outsourced internal audit activity.
Explanation
The CAE, in order to achieve the necessary independence to fulfill his/her
responsibilities, directly reports functionally to the Audit Committee and administratively
to the CEO. The following are the responsibilities of the CAE, among others:
o Periodically reviews the internal audit charter and presents it to senior
management and the Board Audit Committee for approval;
o Establishes a risk-based internal audit plan, including policies and
procedures, to determine the priorities of the internal audit activity,
consistent with the organization's goals;
o Communicates the internal audit activity’s plans, resource requirements
and impact of resource limitations, as well as significant interim changes,
to senior management and the Audit Committee for review and approval;
o Spearheads the performance of the internal audit activity to ensure it
adds value to the organization;
o Reports periodically to the Audit Committee on the internal audit
activity's performance relative to its plan; and
o Presents findings and recommendations to the Audit Committee and gives
advice to senior management and the Board on how to improve internal
Recommendation 12.4
Subject to its size, risk profile and complexity of operations, the company should have a separate
risk management function to identify, assess and monitor key risk exposures.
Explanation
The risk management function involves the following activities, among others:
o Defining a risk management strategy;
o Identifying and analyzing key risk exposures relating to economic,
environmental, social and governance (EESG) factors and the
achievement of the organization's strategic objectives;
o Evaluating and categorizing each identified risk using the company’s
predefined risk categories and parameters;
o Establishing a risk register with clearly defined, prioritized and residual
risks;
o Developing a risk mitigation plan for the most important risks to the
company, as defined by the risk management strategy;
o Communicating and reporting significant risk exposures including
business risks (i.e., strategic, compliance, operational, financial and
reputational risks), control issues and risk mitigation plan to the Board
Risk Oversight Committee; and
o Monitoring and evaluating the effectiveness of the
organization's risk management processes.
Recommendation 12.5
In managing the company's Risk Management System, the company should have a Chief Risk
Officer (CRO), who is the ultimate champion of Enterprise Risk Management (ERM) and has
adequate authority, stature, resources and support to fulfill his/her responsibilities, subject to a
company’s size, risk profile and complexity of operations.
Explanation
The CRO has the following functions, among others:
o Supervises the entire ERM process and spearheads the development,
implementation, maintenance and continuous improvement of ERM
processes and documentation;
o Communicates the top risks and the status of implementation of risk
management strategies and action plans to the Board Risk Oversight
Committee;
o Collaborates with the CEO in updating and making
recommendations to the Board Risk Oversight Committee;
o Suggests ERM policies and related guidance, as may be needed; and
o Provides insights on whether:
    o Risk management processes are performing as intended;
    o Risk measures reported are continuously reviewed by risk
    owners for effectiveness; and
    o Established risk policies and procedures are
    being complied with.
There should be clear communication between the Board Risk Oversight Committee and the
CRO.