Risk Awareness

Page 1: Risk Awareness

EWRM Awareness

TNB EWRM

Page 2: Risk Awareness

Outline of Presentation

- Introduction
- GWRA Process
- Issues discussed at GRMC
- Q&A

Page 3: Risk Awareness

Introduction

Page 4: Risk Awareness

Regulatory Requirement

The Malaysian Code on Corporate Governance (principles and best practices) and the Revamped Listing Requirements of Bursa Malaysia (Statement on Internal Control) require the company to:

- identify principal risks and ensure the implementation of an appropriate risk management system;
- review the adequacy and integrity of internal control systems and management information systems;
- establish, and ensure the independence of, the internal audit function.

Page 5: Risk Awareness

TNB EWRM Framework (diagram)

- Risk policy and guidelines
- Risk identification (Guidance on Group Wide Risk Assessment)
- Risk measurement
- Risk profiling (‘Portfolio of key risks’)
- Risk control: Management Response (Guidance on Risk Treatment Options: Terminate, Reduce, Accept, Pass on) and Mitigation Plan
- Reporting of information: TNB Risk Information System (TRIS), the monitoring system

Page 6: Risk Awareness

Principal Guidelines

- Enterprise Wide Risk Management Policy 2nd Edition
- Enterprise Wide Risk Management Circular No. 1/2008

Page 7: Risk Awareness

TNB’S EWRM Policy Summary

- support the framework and strategy with an appropriate organisational structure by ensuring responsibilities are clearly defined and communicated at all levels
- ensure that risk information is communicated through a clear and robust reporting structure
- integrate ongoing risk management activities within the business
- identify and assess risks to our business objectives and understand how such risks influence our performance

Page 8: Risk Awareness

Roles & Responsibilities - TNB Board of Directors

Responsible for all elements of risk management and internal control as set out under the Malaysian Code of Corporate Governance.

The Board of Directors shall:
- satisfy itself that significant risks faced are being managed appropriately;
- ensure that an appropriate organisation and reporting structure is in place; and
- adequately discuss and provide challenge on issues of risk and opportunity, their treatment, and the overall risk appetite and risk portfolio of the Group.

The Board of Directors may delegate the above responsibility to any of the Board Committees as deemed appropriate.

Page 9: Risk Awareness

Roles & Responsibilities - TNB Board Audit Committee

Responsible for assisting the Board of Directors to establish appropriate policies on risk oversight and management.

The Board Audit Committee shall assist the Board of Directors to:
- identify principal risks and ensure the implementation of appropriate systems to manage these risks;
- oversee the establishment and implementation of the risk management system;
- approve the risk management policies and practices on behalf of the Board; and
- review periodic reports on risk management to be informed on risk management matters and present periodic summarised information on the Group-wide risk assessment process.

Page 10: Risk Awareness

Roles & Responsibilities - TNB Board Audit Committee (Con’t..)

The Committee may, as and when necessary, invite other Board members and management personnel to attend the meetings.

The Board Audit Committee shall:
- independently review the adequacy and effectiveness of risk management at the TNB Group;
- review the adequacy and integrity of the system of internal control put in place; and
- receive summary reports from the External Auditors and Group Internal Audit.

Page 11: Risk Awareness

Roles & Responsibilities - TNB Group Risk Management Committee

Responsible for the continuous development of risk management in the Group;

The responsibility is carried out through developing risk management strategy and policy for the Board’s agreement;

The GRMC will form part of the activities of TNB's Group Executive Committee.

Page 12: Risk Awareness

Roles & Responsibilities - TNB Group Risk Management Working Committee

The Group Risk Management Working Committee (GRMWC) is responsible for assisting the Group Risk Management Committee.

Under the authority delegated from the Group Risk Management Committee, the GRMWC's roles and responsibilities are:
- Responsible for the continuous development of risk management in TNB Group;
- Reviews and reports to the Group Risk Management Committee on a half yearly basis;
- Reviews and approves all guidelines on risk management;
- Mandated to decide on the status and matters arising with regard to the operating divisions' risks; and
- Identifies key issues at the operating level that need to be escalated for the Group Risk Management Committee's attention / decision.

Page 13: Risk Awareness

Roles & Responsibilities - TNB Group Chief Risk Officer

- Responsible for the leadership, direction and coordination of the Group-wide application of risk management within the Group.
- Ensures that the principles and requirements of managing risk are consistently adopted throughout the Group.
- Responsible for establishing the EWRM framework.
- Produces an annual Group-wide risk assessment report for the GRMC and BAC through the GRMWC.

Page 14: Risk Awareness

Roles & Responsibilities - Chief Internal Auditor

- Provide assurance to the TNB Board Audit Committee on the adequacy and effectiveness of the internal control systems.
- Offer independent challenge to the divisions to ensure the principles and requirements of managing risks are consistently adopted.
- Act as the third line of defence, providing independent assurance to the Board.
- Provide periodic Internal Audit activity reports and follow-up reviews.

Page 15: Risk Awareness

Roles & Responsibilities - TNB Group EWRM Department

- Responsible for the ongoing development and co-ordination of the EWRM system as well as the consolidation and reporting of all EWRM information;
- Responsible for the co-ordination, negotiation and purchase of all TNB Group insurance covers and self-insurance arrangements;
- The principal reporting responsibility of the EWRM Department is to submit bi-annual risk assessment reports on key risks as identified by the Group-wide risk assessment process.

Page 16: Risk Awareness

Roles & Responsibilities - TNB’s Operating Division

- Responsible for the identification, measurement, control, monitoring and reporting of risk;
- Responsible for implementing the requirements of this policy.

Specifically, the responsibilities are to:
- enhance its own organisation structure to include an appropriate risk management structure to sustain the EWRM framework;
- identify and assess risks to business objectives through the Group-wide risk assessment process;
- ensure that appropriate controls are in place to manage identified risks;

Page 17: Risk Awareness

Roles & Responsibilities - TNB’s Operating Division (Con’t..)

Specifically, the responsibilities are to:
- ensure that continuous review and monitoring of identified risks are carried out periodically;
- incorporate the risk assessments and mitigation plans into the annual business/operating plan;
- provide ongoing assurance on the status of key risks and actions taken to manage them;
- ensure that full consideration and commentary on risks are provided to support business strategy and the planning cycle;
- appoint divisional Risk Managers and departmental Risk Coordinators;
- communicate risk management policy and strategy together with defined responsibilities to all management and staff.

Page 18: Risk Awareness

Roles & Responsibilities - Other Support Functions

Other Corporate Support Functions provide assistance and expert advice to the Operating Divisions;

The principal reporting responsibility of the Corporate Support Functions is their submission of risk assessment reports in conformance to the EWRM reporting requirement.

Page 19: Risk Awareness

Roles & Responsibilities - Risk Managers & Risk Coordinators

Each operating division, subsidiary and corporate support function is also responsible for the appointment of a Risk Manager and a Risk Coordinator, who will be responsible for:

Risk Reporting and Monitoring
- Coordinating the bi-annual risk reporting and monitoring processes at the operating division;
- Identifying and assessing risks to business objectives;
- Identifying and reporting on the critical risks and their current status as well as actions taken to manage them;
- Monitoring and reporting the implementation of approved mitigation plans for key operating risks; and
- Ensuring that appropriate controls are in place to manage identified risks.

Page 20: Risk Awareness

Roles & Responsibilities - Risk Managers & Risk Coordinators

Risk Advisory
- Representing the department at the TNB EWRM forum and TNB Group risk management committee meetings (if required);
- Keeping abreast of new developments in EWRM; and
- Acting as a focal point for all EWRM support and advice within their respective departments.

Page 21: Risk Awareness

Roles & Responsibilities - Risk Managers & Risk Coordinators

Risk Communication
- Communicating the enterprise wide risk management strategies, policies and processes to all management and staff within the operating division; and
- Engaging in dialogue and discussion with management and staff within the operating division.

Page 22: Risk Awareness

Roles & Responsibilities - TNB Management

The Management has a front line responsibility for identifying and evaluating risks within their area of responsibility and for implementing agreed actions to manage risk.

Primarily, all managers must ensure that their area of responsibility does not expose the TNB Group to unnecessary risk.

Page 23: Risk Awareness

Roles & Responsibilities - TNB Employees

All employees have a general duty of care and are responsible for this policy.

All TNB employees are to be conscious of the risks related to their actions and decisions.

Through appropriate preventative action, all reasonable care should be taken to prevent loss and to maximise opportunity.

Page 24: Risk Awareness

Group Wide Risk Assessment Process

Page 25: Risk Awareness

Group Wide Risk Assessment Process (GWRA)

Continual & consistent identification and assessment of key risks is critical to realise business objectives

Changing business conditions and the decisions made in the course of running the business will continuously alter the status of the key risks identified and introduce new key risks over time. It is important to have frequent and explicit discussions about risk in order to maintain continual awareness of which risks are significant.

The Group-Wide Risk Assessment Process requires that Group operating divisions, subsidiaries and corporate functions undertake the annual identification and assessment, and periodic update of all risks to the Group and operating division/subsidiary business objectives in conformance to the reporting requirements.

Page 26: Risk Awareness

Revised Group-Wide Risk Assessment Process (process diagram)

Pre Risk Assessment
- Business Overview: Define Entity Level Business Model; Prepare Business Process Analysis

Risk Assessment
- Risk Identification: Identify Risk; Determine Causes; Determine Impact
- Controls Identification: Identify Controls (Existing / Proposed); Determine Control Effectiveness (Weak / Some Weaknesses / Satisfactory)
- Risk Rating: Determine Risk Parameters; Determine Gross Likelihood & Impact; Determine Residual Likelihood & Impact; Determine Residual & Gross Risk Rating (Low / Moderate / Significant / High); Generate Risk Profile
- Risk Treatment: Determine Risk Treatment

Post Risk Assessment
- Risk Reporting & Monitoring: Develop Mitigation Plan; Prepare Risk Assessment Report; Monitor Risk Profile; Review Risk Profile

Scales shown: Likelihood (Rare / Unlikely / Moderate / Likely / Almost Certain); Impact (Insignificant / Minor / Moderate / Major / Catastrophic)

Page 27: Risk Awareness

Revised Group-Wide Risk Assessment Process

Page 28: Risk Awareness

Define Entity Level Business Model (ELBM)

Entity Level Business Model (diagram):
- Strategic Management Processes: Corporate Governance; Business Planning & Strategy Development
- Core Business Processes: Domestic (TNB; IPP; Oil & Gas); Overseas (Generation; Oil & Gas); Alstom Repair & Maintenance
- Resource Management Processes: Regulatory and Legal; Human Resources; Safety & Environmental Management; Information Systems; Financial Management; Procurement
- Markets Business Processes: Business Development; Marketing; Alliances / Suppliers; Core Products/Services; Customers
- External Business Drivers and Stakeholders: Legislation; Political Environment; Technology; Environmental Factors; Customers; Economic Trends; Stakeholders; Suppliers; Regulators

Page 29: Risk Awareness

Prepare Business Process Analysis - Template

Page 30: Risk Awareness

Business Process Analysis – Template (cont’d)

Page 31: Risk Awareness

Business Process Analysis – Template (cont’d)

Page 32: Risk Awareness
Page 33: Risk Awareness
Page 34: Risk Awareness

Revised Group-Wide Risk Assessment Process

Page 35: Risk Awareness

Risk Categories

Strategic: High-level risks that may hinder the company from achieving its strategic objectives. Management may also escalate risks that are beyond their control to the strategic level for the attention of the Board.

Operating Divisions: Risks that may prevent the divisions from achieving their business objectives/goals. Normally these risks are within the control of the respective operating divisions.

Page 36: Risk Awareness

Broad Risk Areas

Broad risk areas (diagram): Compliance; Information; Financial; Human Resource; Operational; Integrity; Governance.

Page 37: Risk Awareness

Broad Risk Categories

No. / Broad Risk: Sub Broad Risk
1. Governance: Authority, Leadership, Performance, Corporate Direction & Strategy, Incentives, Limits, Internal audit, Board of Directors
2. Human Resources: HR management, Competencies, Recruitment, Recognition, Retention, Compensation, Performance measurement, Leadership development, Succession planning, Employee benefits
3. Finance: Funding, Financial instruments, Accounting information, Foreign exchange/ currency, Cash flow, Investment evaluation, Financial reporting, Tax, Pension fund, Treasury, Payroll, Cash management, Insurance, Debtor/ creditor management, Interest rates, Budgeting and planning, Securities
4. Technology: External IT, Dependence on IT, Reliability, Management information systems, Access/availability, IT security, Relevance

Page 38: Risk Awareness

Broad Risk Categories (cont’)

No. / Broad Risk: Sub Broad Risk
5. Integrity: Management fraud, Employee fraud, Illegal acts, Unauthorised use
6. Compliance: Copyright and trademarks/ Contractual liability, Taxation, Consumer protection, Health and safety, Environment, Pension fund, Regulatory, Legal, Data protection
7. Reputation: Brand, Reputation, Intellectual property, Stakeholder perception
8. Environment: Seasonality, Globalisation, Competition, E-commerce, Share price, Economic, Political, Catastrophic loss, Social, Strategic uncertainty

Page 39: Risk Awareness

Broad Risk Categories (cont’)

No. / Broad Risk: Sub Broad Risk
9. Operational: Quality, Customer service, Cycle time, Pricing, Obsolescence, Shrinkage, Efficiency, Capacity planning, Sourcing, Product development, Product failure, Business interruption, Performance management, HR competencies, Motivation, Training, Repair & maintenance, Project management, Security systems, Marketing, Security procedures, Contingency planning, Channel, Supplier selection & mgmt, Supply chain mgmt, Key suppliers, Speed to market, Capital projects, Physical plant, Buildings, Logistics, Mergers & acquisitions, Joint ventures & alliance
10. Mgmt Information: Completeness/ assurance, Market intelligence, Mgmt information reporting, Integrity of information
11. Preparedness: Morale, Workplace environment, Confidentiality, Communication flow, Communication infrastructure, Change acceptance, Change readiness, Challenge, Ethics, Empowerment

Page 40: Risk Awareness

Identify risks and determine causes

Example : Loss of key personnel

Causes may include:
- Uncompetitive remuneration
- Poaching by competitors
- Poor training and development
- Perceived end of career opportunities

Page 41: Risk Awareness

Determine impact

Example : Loss of key personnel

Impact:
- Business interruption
- Increased cost of recruitment and training
- Loss of morale
- Damage to reputation

Page 42: Risk Awareness

Revised Group-Wide Risk Assessment Process

Page 43: Risk Awareness

Identify controls

Example : Loss of key personnel

Existing controls:
- Awareness of market remuneration levels
- Regular remuneration reviews
- Well-developed training programme

Proposed controls:
- To further enhance existing succession planning
- To establish career development programme

Page 44: Risk Awareness

Determine Control Effectiveness

Satisfactory: Controls are strong and operating properly, providing a reasonable level of assurance that objectives are being achieved.

Some weakness: Some control weaknesses/ inefficiencies have been identified. Although these are not considered to present serious risk exposure, improvements are required to provide reasonable assurance that objectives will be achieved.

Weak: Controls do not meet an acceptable standard, as many weaknesses/ inefficiencies exist. Controls do not provide reasonable assurance that objectives will be achieved.

Page 45: Risk Awareness

Revised Group-Wide Risk Assessment Process

Page 46: Risk Awareness

Determine Likelihood

Risk Likelihood: Description
- Rare: Event may occur only in exceptional circumstances, e.g. approximately below 5% chance of occurring in the next 12 months
- Unlikely: The event could occur at some time, e.g. approximately below 25% but above 5% chance of occurring in the next 12 months
- Moderate: The event might occur at some time, e.g. approximately below 50% but above 25% chance of occurring in the next 12 months
- Likely: The event will probably occur in most circumstances, e.g. approximately below 95% but above 50% chance of occurring in the next 12 months
- Almost Certain: The event is expected to occur in most circumstances, e.g. approximately above 95% chance of occurring in the next 12 months

Page 47: Risk Awareness
Page 48: Risk Awareness
Page 49: Risk Awareness

Determine Gross and Residual Risk Ratings

Risk rating matrix (L = Low, M = Moderate, S = Significant, H = High). Rows: Likelihood of Occurrence; columns: Magnitude of Impact.

                 Insignificant   Minor   Moderate   Major   Catastrophic
Almost certain        S            H        H         H          H
Likely                S            S        H         H          H
Moderate              M            M        S         S          H
Unlikely              L            L        M         S          S
Rare                  L            L        L         M          S
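Added example (not TNB's or the presentation's code): a Python helper that encodes the page 46 likelihood bands and the page 49 rating matrix, rates gross and residual risk for a constructed register, and flags key risks as the High/Significant residuals that page 52 says treatment should focus on. The handling of values exactly on a probability boundary, the two consistency checks in assess(), and all sample values are assumptions.

```python
# Added example (not TNB's or the presentation's code). Likelihood bands and
# their 12-month probability thresholds: page 46; 5x5 rating matrix: page 49;
# key-risk focus on High/Significant: page 52. Everything else is constructed.
from dataclasses import dataclass

IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# Rows: likelihood band; columns: impact in IMPACT order.
# L = Low, M = Moderate, S = Significant, H = High (slide legend).
MATRIX = {
    "Almost Certain": "SHHHH",
    "Likely": "SSHHH",
    "Moderate": "MMSSH",
    "Unlikely": "LLMSS",
    "Rare": "LLLMS",
}
RATING_NAME = {"L": "Low", "M": "Moderate", "S": "Significant", "H": "High"}
RATING_ORDER = ["Low", "Moderate", "Significant", "High"]
KEY_RISK_RATINGS = {"Significant", "High"}


def likelihood_band(p12: float) -> str:
    """Map an estimated 12-month probability to the slide's likelihood band.
    The slide gives the 5/25/50/95 % thresholds but not which band a value
    exactly on a boundary belongs to; here it goes to the higher band."""
    if not 0.0 <= p12 <= 1.0:
        raise ValueError(f"probability out of range: {p12}")
    if p12 < 0.05:
        return "Rare"
    if p12 < 0.25:
        return "Unlikely"
    if p12 < 0.50:
        return "Moderate"
    if p12 < 0.95:
        return "Likely"
    return "Almost Certain"


def rate(likelihood: str, impact: str) -> str:
    """Look up the rating for a likelihood band and an impact magnitude."""
    return RATING_NAME[MATRIX[likelihood][IMPACT.index(impact)]]


@dataclass
class RiskEntry:
    """One register line: gross (before controls) and residual (after controls)."""
    name: str
    gross_p: float
    gross_impact: str
    residual_p: float
    residual_impact: str
    control_effectiveness: str  # "Satisfactory", "Some weakness" or "Weak" (page 44)


def assess(entry: RiskEntry) -> dict:
    """Rate gross and residual risk and run two consistency checks.
    Both checks are assumptions added here: residual risk is the exposure after
    controls, so it should not exceed gross, and a drop from gross to residual
    should not rest on controls rated Weak (page 44: no reasonable assurance)."""
    gross = rate(likelihood_band(entry.gross_p), entry.gross_impact)
    residual = rate(likelihood_band(entry.residual_p), entry.residual_impact)
    g, r = RATING_ORDER.index(gross), RATING_ORDER.index(residual)
    issues = []
    if r > g:
        issues.append("residual rating exceeds gross rating")
    if r < g and entry.control_effectiveness == "Weak":
        issues.append("residual reduction relies on controls rated Weak")
    return {
        "name": entry.name,
        "gross": gross,
        "residual": residual,
        "key_risk": residual in KEY_RISK_RATINGS,  # candidate for treatment focus
        "issues": issues,
    }


# Constructed sample register: the risk names come from the deck's examples
# (pages 40-43 and 50); the probabilities, impacts and control ratings are invented.
SAMPLE_REGISTER = [
    RiskEntry("Loss of key personnel", 0.60, "Major", 0.20, "Moderate", "Satisfactory"),
    RiskEntry("Increase in theft of electricity", 0.97, "Major", 0.70, "Major", "Some weakness"),
    RiskEntry("Ineffective manpower planning", 0.55, "Major", 0.10, "Minor", "Weak"),
]


def assess_register(register: list) -> list:
    """Assess every entry and order the results by residual severity, worst first."""
    results = [assess(e) for e in register]
    results.sort(key=lambda res: RATING_ORDER.index(res["residual"]), reverse=True)
    return results
```

Calling assess_register(SAMPLE_REGISTER) rates "Loss of key personnel" High gross and Moderate residual, keeps "Increase in theft of electricity" as a key risk at High residual, and flags the manpower-planning entry because its drop to Low rests on controls rated Weak.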

Page 50: Risk Awareness

Generate Risk Profile

Illustrative residual risk profile (diagram): each key risk is plotted by Likelihood (Rare to Almost certain) against Magnitude of Impact (Insignificant to Catastrophic), with the Low, Moderate, Significant and High rating bands shown. Risks plotted: Credit risk; Shortage of skilled planners; Lack of performance-based culture; Failure of business ventures; Market risks (FX, interest rates and fuel cost); Dependence on gas-fired plants; Ability to cost-effectively finance and re-finance; Unsatisfied customers; Increase in theft of electricity; Loss of assets; Safety, health & environment; Changes in regulatory requirements; Competition from IPPs; Loss of key personnel; Ineffective manpower planning.

Page 51: Risk Awareness

Revised Group-Wide Risk Assessment Process

Page 52: Risk Awareness

TNB Risk Treatment Strategy

- To focus on key risks viewed as critical to the business, rated as high and/or significant
- The residual risk ratings are to be continuously monitored
- Key risks can be categorised as:
  i. Strategic risks
  ii. Operating risks

Page 53: Risk Awareness

Determine Risk Treatment Decision

Risk Treatment Options (diagram showing management action against risk appetite and the risk profile): Terminate; Reduce; Accept; Pass-on.

Page 54: Risk Awareness

Risk treatment option – “Terminate”

- Eliminating the business area or significantly altering it.
- Option selected typically for risks that could have catastrophic or major impact on the business and when the costs of pursuing other choices significantly outweigh the potential benefits.
- Example: if an investment is found to be consistently non-performing and it is determined that the resources consumed to improve performance far outweigh the return on investment, the decision may be to divest or dispose of the investment.

Page 55: Risk Awareness

Risk treatment option – “Reduce”

Management can choose to reduce the risks by taking specific actions aimed at:
- Reducing the likelihood that a risk will occur in the first place; and
- Reducing the impact that a risk might have on the business should it actually occur.

Page 56: Risk Awareness

Examples of risk reduction techniques

Management can choose to reduce the likelihood by actions including:
- Physical measures – improving building security can reduce the risk of losing assets
- Policies – employee training (formal or OJT) and reasonable health and safety procedures can reduce workplace accidents
- Diversification – product, market, or supplier diversification, etc. For example, entering other markets or selling other energy related products could reduce exposure to a decline in one market or product; using alternative suppliers
- Controls – compliance with policies and procedures; proactively calculate and monitor KPIs

Page 57: Risk Awareness

Examples of risk reduction techniques (cont’d.)

Management can choose to reduce the impact by actions including:
- Contingency planning – business continuity planning for events that may affect TNB’s ability to provide core services
- Maintaining resilience:
  - having access to back-up production resources
  - having liquid assets or the ability to borrow and raise new capital
  - developing and maintaining spare capacity
  - having good relations with the government, suppliers, customers and employees

Page 58: Risk Awareness

Other examples of risk reduction techniques

Risk reduction techniques (diagram): Clarify accountabilities; Update performance contracts; Business plan review; Education and training programme; Establish minimum controls; Seek expert advice; Project evaluation; Improve processes; Establish performance reporting requirements; Determine policy.

Page 59: Risk Awareness

Risk treatment option – “Accept”

Management may decide that the level of residual risk is acceptable after considering factors such as:
- Adequacy of current controls;
- The quality and quantity of information about the controls;
- The likelihood and consequences of the risk occurring; and
- The cost of additional controls.

This option means management chooses not to act and to consciously accept a certain risk. For example, a risk ranked as “low” may be accepted because the level of the risk is acceptable in relation to TNB’s risk appetite.

Page 60: Risk Awareness

Risk treatment option – “Pass-On”

- Transferring an entire business process to another party, as is the case with sub-contracting and outsourcing arrangements
- Sharing the business process with another party, as is the case with partnership and joint venture arrangements
- Retaining the process and transferring the legal or financial risks, as is the case with insurance arrangements and the use of certain treasury products

Page 61: Risk Awareness

Develop Risk Mitigation Plan

Task: Focus
- Owners: Identify the personnel to undertake the mitigation plans
- Mitigation plan: Determine the plan to undertake to manage the risk based on the risk treatment decision
- Mitigation cost: Ascertain the estimated cost for the risk treatment
- Commencement & Completion date: Develop the timeline and identify the commencement and completion dates of mitigation plans
- Mitigation status: Determine the status of the action plans, i.e. implemented, work in progress (with percentage of completion) or not implemented

Page 62: Risk Awareness

Revised Group-Wide Risk Assessment Process

Page 63: Risk Awareness

Risk Monitoring & Review

Risk monitoring and review involves the following:
- a re-examination of all risks identified to ensure that the current assessments remain valid; and
- reviewing the progress of risk treatment actions and the relevant fallback plans, if required.

Risk monitoring and review should form part of the normal management reviews. The risk register is updated after every review and assessment.

Page 64: Risk Awareness
Page 65: Risk Awareness
Page 66: Risk Awareness

Q & A

Page 67: Risk Awareness

Thank You

Powering The Nation’s Progress www.tnb.com.my