SM Prime Holdings, Inc. recognizes that risk is inherent in all of its business activities, whether revenue-generating or support functions. These risks are therefore managed under the Company’s enterprise risk management function. The function serves as the primary facilitator and manages the identification and prioritization of risks, the assessment of risk interrelationships, the analysis of risks for the development of mitigation strategies and action plans, and the monitoring of risks and continuous improvement of enterprise-wide risk management.
Oversight of enterprise-wide risk management activities is exercised by the Risk Oversight Committee of the Board of Directors, which receives updates on the status of risk management activities and related plans of action to address risks. Plans of action to address risks include investing in technology, recommending the provision of continuous training, and the establishment of policies.
Ownership and awareness of risks are important to a risk-conscious workforce. The Business Units recognize their responsibility for managing operational risks incidental to the nature of their various operations, and manage these by designing and implementing measures and controls commensurate with those risks.
The risks the Company deems significant or key to survival and success include safety & security, climate, operational process, economic, financial, information security & technology, social, regulatory compliance, and property damage & business disruption risks. These risks are managed at the enterprise-wide level following a cyclical approach; risk management is thus not a one-and-done activity. All key risks are required to undergo the enterprise risk management process.
In managing information technology and related risks, IT governance is an important aspect, and thus an effective reporting line and structure is established and consistently maintained. The Company constantly engages in activities that ensure the protection of the confidentiality, integrity, and availability of all physical and electronic information assets. Threats to assets are assessed regularly through risk assessments. Further, system vulnerability assessments are regularly conducted to proactively detect and address threats and vulnerabilities. In managing cyber security, the Company has adopted globally accepted standards in order to employ a similar approach to cyber security strategies within the organization.
The Company’s risk management, governance and internal control systems and processes are subject to independent evaluation by the Internal Audit Department and External Audit.