Enterprise Risk Management - Policies & Program

The Risk Management Policy is used to communicate the MPTC's commitment to managing enterprise-wide risks and establish clear responsibilities and accountabilities to ensure that all levels of the management such as the board, management, and staff are aware of and responsible for managing risks.

Its scope applies to all Business Units associated with the MPTC Group including directors, management, staff, and contractors of MPTC, its subsidiaries, and affiliates across all significant activities and processes. MPTC is committed to the formal, systematic, structured, and proactive management of risks across the organization.

MPTC recognizes that while risks are inherent in all its activities, managing risk is a good business practice that creates value and is integral to sound corporate governance and, in some instances, a mandatory legal requirement. Effective risk management can lead to better decision-making and planning as well as better identification of opportunities and threats.

ENTERPRISE RISK MANAGEMENT METHODOLOGIES

ERM consists of six (6) key elements in line with ISO 31000:2018; Communication and Consultation, Recording and Reporting; and Monitoring and Review. These are applied in the MPTC Group:

At the Group Level
At Business Unit Level
At Project/Process Owner/ Department Level

ENTERPRISE RISK MANAGEMENT PROCESS

The Risk management process is a structured approach that involves several key steps to effectively manage risks within an organization. It involves several key steps: Communication and Consultation, Scope, Context and Criteria, Risk Assessment, Risk Treatment, Recording and Reporting, and Monitoring and Review

ENTERPRISE RISK MANAGEMENT PROCESS

Enterprise Risk Management adopts an inclusive approach with regard to communication and consultation approach with all the relevant stakeholders (interested parties). This communication and consultation aim to:

Collate and bring the different areas of expertise together for each step of the risk management process.
Ensure that varying views are appropriately accounted for and considered when defining risk criteria and when evaluating risk. Provide enough information to facilitate risk oversight and decision-making.
Build a sense of inclusiveness and ownership among those affected by the risk.

Enterprise Risk Management Process

Establishing the Scope, Context and Criteria

MPTC ERM defines the scope and criteria for consistent risk management across business units. Climate change risk assessment, as part of the broader Environmental, Social, and Governance (ESG) risk framework, is recognized as an essential component of the risk context, as it can significantly influence the realization of the Company's objectives. The approach to climate change risk assessment considers both external and internal factors, as well as the Risk Appetite that may vary based on the context and objectives.

Risk Assessment

Is the iterative process of risk identification, analysis and evaluation. The objective is to provide enough information at appropriate levels and intervals for risk-informed management decisions. High quality risk assessment, including climate change risk assessment, enables greater acceptance of risk-taking opportunities while ensuring rigorous diligence, treatment, monitoring and control.

Risk Identification - risk is the effect of uncertainties on objectives, which could either be positive or negative. Risk identification considers future events, their causes and potential impact, including climate change risks. Each identified risk is to be recorded on the Risk Register, describing the risk in terms of category, causes/sources, likelihood, impact, rating, tolerance, and mitigating measures to be taken/implemented.
Risk Analysis - is the process of calculating likelihood of an event and impact if it were to occur. The product of the two is the risk rating. Thus the impact of each identified risk event needs to be determined. Some sources may have more than one impact; some impact may be applied to more than one source.
Risk Evaluation - based on the analysis of individual risks, including those influenced by climate-change related sources and ESG related sources, together with the defined risk appetite/tolerance of the organization, an evaluation is made to determine which risks require acceptance or priority response.

Risk Treatment

Once the quantum of risk is assessed, the necessary response to the risks, including risks with climate-change related sources, can be determined. These risks responses can be applied solely or in combination.

Recording and Reporting

Documenting the risk management process and communicating it to stakeholders. All risk is assigned and managed by the concerned Risk Owner, the unit who is ultimately accountable for ensuring the appropriate management and treatment of risk. Ownership is assigned based on the principle of who is "best suited" to take accountability for managing the risk, noting the many people may need to be involved. The risk register is the template/form/means to be used in recording any identified risks, including risks with climate change sources, as well as the ESG related sources.

Monitoring and Review

On-going and regular monitoring is vital to ensure that evolving and emerging risk areas, including risks with climate change related sources, are actively and effectively managed. This approach is tantamount to reducing the surprises that required timely actions are to be taken to reduce them to an acceptable level.

MPTC ought to implement a quarterly risk monitoring and review or as the needs arise such that there might be new, evolving and emerging risks, including risks with climate change-related sources and ESG-related sources, may emerge during the course operations. This perioding assessment allows the organization to stay responsive to the changing risk landscape and align its risk management efforts with the evolving context, including climate- change-related factors.