SM Prime views Enterprise Risk Management (ERM) as integral to achieving its strategic objectives and sustaining long-term value. It recognizes that risk is inherent in its operations and that value creation requires a disciplined balance between risk and reward. Through the systematic identification, assessment, and management of risks, the Company strengthens its ability to navigate complexity, respond effectively to change, and capitalize on emerging opportunities.
Enterprise Risk Management Framework

The Company is guided by an Enterprise Risk Management Framework aligned with ISO 31000:2018 and COSO ERM Framework (2017). This framework establishes a consistent approach to managing risks in order to create, protect, and preserve value across the organization, while fostering a culture in which risk management is regarded as both a shared responsibility and a value-adding activity.
Risk Governance
SM Prime’s risk governance structure embeds risk management across all levels of the organization. This structure is operationalized through the Three Lines of Defense model.

Governance
Board Risk Oversight Committee
The Board of Directors, through the Board Risk Oversight Committee (BROC), provides the leadership and direction needed to maintain an effective and integrated risk management system. The BROC establishes the “tone at the top” and exercises active oversight of the enterprise risk management process, including matters related to risk strategy, policies, and governance.
First Line
Business Units (Process Owners)
The first line is composed of Business Unit (BU) process owners who own and manage risks inherent in their daily operations. The BU Heads are ultimately accountable for ensuring that risks are properly identified, assessed, and managed at their level through appropriate controls and treatment plans.
Second Line
Enterprise Risk Management Department
The ERM Department, led by the Chief Risk Officer, champions the Company’s risk management initiatives by developing frameworks and policies, delivering risk advisories, conducting training and capacity building sessions, facilitating risk communication, and monitoring and reporting key enterprise risks.
Business Risk Champions (BRCs)
Business Risk Champions collaborate closely with the ERM Department to support the implementation of risk management programs and initiatives. BRCs are empowered and trained to help their respective units identify, assess, and treat risks. They act as the liaison between the ERM Department and BUs, ensuring that risk-related information flows smoothly and that risk responses are aligned with the overall risk strategy.
Third Line
Internal Audit Department (IAD)
The third line of defense is the Internal Audit function. It provides independent and objective assurance on the adequacy and effectiveness of the risk management activities carried out by both the first and second lines. This ensures that the overall control environment remains sound and aligned with established guidelines and best practices.
Risk Culture
A risk-aware culture is grounded in strong leadership commitment. Leaders set the tone from the top by modeling responsible risk-taking and ensuring risk practices remain aligned with the Company’s core values. Training and awareness initiatives play an equally important role in building a risk-conscious mindset across SM Prime. Risk management concepts are reinforced through regular training sessions, awareness campaigns, and targeted communications that deepen understanding and promote active participation. The Company’s risk appetite further strengthens this culture by defining acceptable boundaries that enable employees to make informed decisions supporting both performance and accountability.
Risk Management Process

At the core of the framework is a consistent risk management process aligned with ISO 31000:2018 guidelines. The process begins with establishing the scope, criteria, and context that will guide the assessment. Within this defined framework, risks are systematically identified, analyzed, and evaluated based on their likelihood and potential impact. Risks are then prioritized in line with the Company’s risk appetite. Corresponding treatment strategies, whether to accept, mitigate, transfer, or avoid the risks, are applied to ensure that residual risk exposures remain within acceptable levels. Ongoing monitoring and review help assess the effectiveness of these strategies, track shifts in the risk profile, and confirm whether responses are implemented as intended.
Throughout the process, clear documentation and structured reporting support transparency and risk-informed decision-making at all levels. Open communication and continuous consultation with stakeholders ensure that risk information is shared, validated, and integrated into plans and actions, thereby strengthening the overall effectiveness of enterprise risk management across SM Prime. As an output of this process, the Company identifies and prioritizes its key enterprise risks. Further details on these risks and the corresponding risk management initiatives are provided here.