Adequate and Timely Information
To enable the Directors to properly fulfill their duties and responsibilities, Management provides the Directors with complete, adequate, and timely information about the matters to be taken up in their meetings. Information may include the background or explanation on matters brought before the Board, disclosures, budgets, forecasts, and internal financial documents. If the information provided by Management is not sufficient, further inquiries may be made by a Director to enable him to properly perform his duties and responsibilities. The Directors have independent access to Management and to the Corporate Secretary.
The Directors, either individually or as a Board, and in the performance of their duties and responsibilities, may seek access to independent professional advice within the guidelines set by the Board.
Accountability and Audit
The Board ensures that its Shareholders are provided with a balanced and comprehensible assessment of the Company’s performance, position and prospects on a quarterly basis, including interim and other reports that could adversely affect its business, through its website and its submissions and disclosures to the SEC and the Philippine Stock Exchange (PSE). Management formulates the rules and procedures on financial reporting and internal control for presentation to the Audit Committee in accordance with the following guidelines:
- The extent of its responsibility in the preparation of the financial statements of the Company, with the corresponding delineation of the responsibilities that pertain to the External Auditor, is clearly defined;
- An effective system of internal control that ensures the integrity of the financial reports and protection of the assets of the Company for the benefit of all Shareholders and other Stakeholders;
- On the basis of the approved Internal Audit Plan, Internal Audit examinations include, at the minimum, the evaluation of the adequacy and effectiveness of controls that cover the Company’s governance, operations and information systems, including the reliability and integrity of financial and operational information, effectiveness and efficiency of operations, protection of assets, and compliance with contracts, laws, rules, and regulations;
- The Company consistently complies with the financial reporting requirements of the SEC;
- The External Auditor is rotated or changed every five (5) years or earlier, or the signing partner of the External Auditing firm assigned to the Company is changed with the same frequency;
- The Corporate IA Head submits to the Audit Committee and Management an annual report on the Internal Audit department’s activities, responsibilities, and performance relative to the Internal Audit Plan as approved by the Audit Committee. The annual report includes significant risk exposures, control issues, and such other matters as may be needed or requested by the Board and Management. The Internal Audit Head certifies that he conducts his activities in accordance with the International Standards on the Professional Practice of Internal Auditing. If he does not, the Internal Audit Head shall disclose to the Board and Management the reasons why he has not fully complied with the said documents; and
- The Board, after consultations with the Audit Committee, recommends to the Shareholders an External Auditor duly accredited by the SEC who shall undertake an independent audit of the Company, and shall provide an objective assurance on the manner by which the financial statements shall be prepared and presented to the Shareholders.
The Corporate Internal Audit is focused on delivering its mandate of determining whether the governance, risk management and control processes, as designed and represented by management, are adequate and functioning in a manner that provides a reasonable level of confidence that:
- Employees’ actions are compliant with policies, standards, procedures, and applicable laws and regulations;
- Quality and continuous improvement are fostered in the control processes;
- Programs, plans, and objectives are achieved;
- Resources are acquired economically, used efficiently, and protected adequately;
- Significant financial, managerial, and operating information is accurate, reliable, and timely;
- Significant key risks are appropriately identified and managed;
- Significant legislative or regulatory issues impacting the Company are recognized and properly addressed.
Opportunities for improving management control, profitability and the Company’s reputation may be identified during audits.
The Board of Directors (BOD) oversees Management’s adoption and implementation of a sound risk management framework for identifying, monitoring and managing key risk areas. The BOD reviews Management reports with due diligence to enable the Company to anticipate, minimize, control and manage risks or possible threats to its operational and financial viability.
Enterprise Risk Management (ERM)
The Enterprise Risk Management (ERM) ensures that a sound ERM framework is in place to effectively identify, monitor, assess and manage key business risks. The risk management framework guides the Board in identifying units/business lines and enterprise-level risk exposures, as well as the effectiveness of risk management strategies.
The ERM framework revolves around the following eight interrelated risk management approaches:
- Internal Environmental Scanning. This involves the review of the overall prevailing risk profile of the Business Unit (BU) to determine how risks are viewed and addressed by the management. This is presented during the strategic planning, annual budgeting and mid-year performance reviews of the BU.
- Objective Setting. The Company’s BOD mandates Management to set the overall annual targets through strategic planning activities, in order to ensure that management has a process in place to set objectives that are aligned with the Company’s goals.
- Event Identification. Internal and external events affecting the Group’s set targets are identified, distinguishing between risks and opportunities.
- Risk Assessment. Identified risks are analyzed relative to the probability and severity of potential loss, which serves as the basis for determining how the risks will be managed. The risks are further assessed as to which risks are controllable and uncontrollable, risks that require management’s action or monitoring, and risks that may materially weaken the Company’s earnings and capital.
- Risk Response. The Company’s BOD, through the oversight role of the Internal Control Group, ensures that an action plan is executed to mitigate risks, either to avoid, self-insure, reduce, transfer or share risk.
- Control Activities. Policies and procedures are established and approved by the Company’s BOD and implemented to ensure that the risk responses are effectively carried out enterprise-wide.
- Information and Communication. Relevant risk management information is identified, captured and communicated in a form and substance that enable all personnel to perform their risk management roles.
- Monitoring. The Internal Control Group of the respective Company and BU and Corporate Internal Audit constantly monitor the management of risks through audit reviews, compliance checks, revalidation of risk strategies and performance reviews.
With the leadership of the Company’s Chief Financial Officer (CFO), internal control is embedded in the operations of the Company and each BU, thus increasing their accountability and ownership in the execution of the BU’s internal control framework. To accomplish the established goals and objectives, BUs implement robust and efficient process controls to ensure:
- Compliance with policies, procedures, laws and regulations;
- Economic and efficient use of resources;
- Check and balance and proper segregation of duties;
- Identification and remediation of control weaknesses;
- Reliability and integrity of information;
- Proper safeguarding of company resources and protection of company assets through early detection and prevention of fraud.
Risk Assessment Tool
To help Business Units in the Risk Assessment Process, the Risk Assessment Tool, a database-driven web application, was developed for departments and units to help in the assessment, monitoring and management of risks.
The Risk Assessment Tool documents the following activities:
- Risk Identification – is the critical step of the risk management process for the early identification of events that may have a negative impact on the Company’s ability to achieve its goals and objectives.
- Risk Indicator – is a potential event or action that may prevent the continuity of operation or business.
- Risk Driver – is an event or action that triggers the risk to materialize.
- Value Creation Opportunities – is the positive benefit of addressing or managing the risk.
- Identification of Existing Control Measures – this refers to activities, actions or measures already in place to control, prevent or manage the risk.
- Risk Rating/Score – is the quantification of the likelihood and impact to the Company if the risk materializes. The rating has two (2) components:
  - Probability – refers to the likelihood of occurrence of risk.
  - Severity – refers to the magnitude of the consequence of risk.
- Risk Management Strategy – is the structured and coherent approach to managing the identified risk.
- Risk Mitigation Action Plan – is the overall approach to reduce the risk impact severity and/or probability of occurrence.
Results of the Risk Assessment Process are summarized in a Dashboard that highlights the risks that require urgent actions and mitigation plan. The dashboard helps Management to monitor, manage and decide on the risk strategy and needed action plan.