ANSA McAL Limited ERM Framework and Policy


ANSA McAL LIMITED

Enterprise Risk Management Policy & Framework

DOCUMENT CHANGE RECORD

Date Approved: August 11, 2022
Approved by: Board of Directors

Date          | Author | Version | Change Reference
              |        | 1.0     | N/A
January 2022  |        | 2.0     | Various
TABLE OF CONTENTS

INTRODUCTION 4
PURPOSE 4
SCOPE 5
DEFINITIONS 5
GOVERNANCE 7
HIERARCHY OF RISK MANAGEMENT DOCUMENTS 8
OBJECTIVES OF ENTERPRISE RISK MANAGEMENT 8
RISK STRATEGY 9
RISK APPETITE 9
RISK ASSESSMENT CRITERIA 11
RISK CULTURE AND GOVERNANCE 12
PEOPLE CAPABILITY 13
ROLES AND RESPONSIBILITIES 14
BOARD OF DIRECTORS 16
GROUP RISK & SUSTAINABILITY COMMITTEE 16
GROUP CHIEF EXECUTIVE OFFICER 17
HEAD OF GROUP INTERNAL AUDIT AND RISK
AUDIT & RISK COMMITTEE 18
EXECUTIVE AND MANAGEMENT 18
SENIOR STAFF AND CONTRACTORS 18
GROUP INTERNAL AUDIT 19
RELATIONSHIP WITH OTHER PROCESSES 20
KEY PROCESS STEPS 21
RISK EXPOSURES 27
RISK REPORTING 30
TRACKING AND DOCUMENTING LOSSES AND NEAR MISSES 32
RISK ESCALATION 34
REVIEW AND APPROVAL 34
REFERENCES 35
APPENDICES 36

INTRODUCTION

The role of this Enterprise Risk Management (ERM) framework and policy document is to provide the Board of Directors, management and staff of ANSA McAL Limited (the Group), clear and consistent guidance on the integration of enterprise risk management into decision-making throughout the Group.

An innovative and resilient company requires a focused approach to managing risk to achieve strategic objectives and comply with regulatory requirements. Effective risk management, based on sound judgement and relevant data, enhances our capacity to identify, manage and derive maximum benefit from new challenges and opportunities. This framework provides information on how to identify, analyse, prioritise, evaluate and treat risks. In addition, it identifies other key activities needed for an effective risk management approach. The risk management process contained in this framework aligns with both the International Standard on Risk Management ISO 31000:2018 (ISO 31000) and the Committee of Sponsoring Organisations of the Treadway Commission (COSO) framework¹.

PURPOSE

The purpose of this document is to establish the ERM framework and policy to be adhered to by the Group in its efforts to optimize the value of its business activities. This framework will assist the integration of risk management into all aspects of the business. It does not identify all enterprise risks but rather focuses on the key risks across the business that can be readily monitored and reported on a regular basis. It provides a formal process to assist the Group in:

• encouraging understanding of the implications of risk exposures, opportunities and their risk management by managers and their employees, in their day-to-day work and in strategic and corporate planning activities

• developing and implementing procedures to ensure that risks are identified, assessed against accepted criteria and that appropriate measures are implemented consistently, and

• defining and documenting processes and responsibilities.

This framework outlines risk strategy (risk appetite and method for assessing risks), risk infrastructure (governance and operational structures, tools, roles and responsibilities relating to risk management), risk analysis (risk identification, assessment, risk response and risk monitoring) and risk culture (attitudes and behaviours towards risks) that will be required to ensure that the requirements of the ERM policy are achieved.

As with any management process, the risk management function will not make decisions for the business; instead, it assists business lines with their decision-making. It is impossible to predict all negative consequences, so risk management cannot guarantee insulation from all risk and is not a fail-safe. This underscores the importance of risk surveillance, monitoring and evaluation to continuously refresh the identification, capture and assessment of risks.

¹ The COSO Framework was developed by the Committee of Sponsoring Organisations of the Treadway Commission and is used to establish risk management and internal controls that are integrated into business processes.

SCOPE

This framework applies to all areas of the Group’s business, including all controlled entities, and to all employees, third party contractors, or any person who works in any other capacity for the Group.

DEFINITIONS

RISK is the effect of uncertainty on objectives. It is the possibility of an event or activity preventing the Group from achieving our objectives. It can be positive, negative or both, and can address, create or result in opportunities and threats. Ultimately, the Group seeks to manage risks such that we identify threats and reduce the negative impact of these risks upon achievement of our objectives and increase positive exposure to ensure that potential opportunities are maximized.

ENTERPRISE RISK MANAGEMENT (ERM) is the systematic application of management policies, procedures and practices to establish the context, identify, analyse, evaluate, treat, monitor and communicate risk. ERM is the process, effected by the Parent Board of Directors, management, and other staff, applied strategically across the enterprise, designed to identify potential events that may affect the Group, and manage risk to be within our risk appetite, to provide reasonable assurance regarding the achievement of our objectives.

RISK MANAGEMENT includes the activities and actions taken to ensure that the Group is aware of our risks and can make coordinated and informed decisions in managing those risks whilst identifying potential opportunities.

RISK EVENT is one occurrence, several occurrences or even a non-occurrence (when something doesn’t happen that should have happened). Events always have causes and consequences. Events without consequences are referred to as near misses or incidents.

RISK IMPACT is the outcome of the event which can either positively or negatively impact objectives.

RISK LIKELIHOOD is the chance of an event happening.

RISK OWNER is a person who has been given the authority to manage a particular risk and is accountable for doing so.

RISK SOURCE has the intrinsic potential to give rise to risk for the Group. It is where a risk originates.

RISK TREATMENT is a risk modification process. It involves selecting and implementing one or more treatment options. Once a treatment has been implemented, it becomes a control, or it modifies existing controls.

RISK CONTROL is a process, effected by the Parent Board of Directors, management and/or other staff, designed to provide reasonable assurance regarding the achievement of objectives. It is any measure or action that modifies or regulates risk. Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or regulates risk. Risk treatments become controls or modify existing controls once they are implemented.

STAKEHOLDER is a person that can affect, be affected by or perceives themselves to be affected by a decision or activity.


RISK STRATEGY is the way in which the Group undertakes risk management, including, but not limited to, decisions made around the Group’s risk appetite positions on risks faced by the Group.

RISK CULTURE is the system of values and behaviours present in an organization that shapes risk decisions of management and employees.

RISK INFRASTRUCTURE is the governance structure that is required to oversee the ERM process across the Group, as well as the operational structure that is required to embed ERM in the strategic planning process and in daily operations. Risk management roles and responsibilities, and the technologies meant to support the ERM process, are also clearly defined.

RISK ANALYSIS is the method used in identifying, assessing, managing, reporting, and monitoring risks that could positively or negatively influence the Group’s business objectives.

RISK APPETITE is the degree of risk, on a broad-based level, that the Group is willing to accept in the pursuit of its goals. In other words, it is the amount of risk exposure, or potential adverse impact from an event that the Group is willing to accept/retain.


GOVERNANCE

Oversight of the Group’s risk management activities is provided by the Parent Board of Directors, through its Audit & Risk Committee, and the Group Risk & Sustainability Committee (GRSC). The diagram below illustrates how the framework ought to interact with other key risk management documents:

[Figure: relationship between the Strategic Plan, Risk Management Strategy, Risk Management Policy & Framework and Risk Registers]

Elements of the Company’s ERM system include the following documents:

Strategic Plan – This document details the Group’s mission, vision, strategic direction and objectives.

Risk Management Strategy – This includes the risk appetite statement, which articulates the Group’s appetite for risk and the associated tolerance levels.

Risk Management Policy & Framework – Formally outlines the institutional and individual responsibilities and requirements. It recognizes the legislative and regulatory requirements. The policy affirms the Group’s strategic commitment to building a risk management culture in which risks and opportunities are identified and managed effectively.

Risk Registers – Principal repository for recording and tracking risks, including recommendations/agreed actions from auditors, regulators, insurers and relevant agencies.


HIERARCHY OF RISK MANAGEMENT DOCUMENTS

The policy governs risk management activities and defines roles, responsibilities, and accountability for managing risk. It establishes the basis for stakeholder communication and risk monitoring. The framework describes the processes and tools that operationalise the Risk Management policy.

The risk management process includes five steps: (1) establish the context, (2) identify risks, (3) analyse risks, (4) evaluate risks and (5) treat risks.

The risk assessment criteria include impact and likelihood ratings, which are used to quantify risks and rate control effectiveness.

The risk appetite statement details the risk the Group is willing to take to achieve strategic goals.

Risk register(s) capture identified risks, controls and risk ratings. Register(s) are used to monitor and report on the Group’s risk profile.

Risk policies ensure identified risks are managed in a consistent manner and in line with standard industry practice.

OBJECTIVES OF ENTERPRISE RISK MANAGEMENT

Risk management is the responsibility of everyone at the Group. It must be administered in alignment with the strategic direction and operational objectives. ERM is an integrated approach to assessing and addressing all risks that threaten the achievement of strategic objectives. The purpose of ERM is to understand, prioritize, and develop action plans to maximize benefits and mitigate the top risks. It therefore cannot be approached from a siloed perspective but instead has to be integrated across all business and support processes.

The objectives of this ERM framework are to:

• Improve accountability and governance.

• Encourage transparency.

• Improve financial management.

• Improve organisational resilience.

• Provide a systematic approach to the early identification and management of risks.

• Provide consistent risk assessment criteria.

• Make available accurate and concise risk information that informs decision making including business direction.

• Adopt risk treatment strategies that are cost effective and efficient in reducing risk to an acceptable level.

• Monitor and review risk levels to ensure that risk exposure remains within an acceptable level.

• Discourage unacceptable and unethical behaviours such as fraud, harassment and money laundering.

[Figure (hierarchy of risk management documents): Risk Management Policy & Framework; Risk Management Criteria; Risk Management Appetite; Risk Management Process; Risk Register; Key Risk Policies (Blue Book Policies)]

RISK STRATEGY

The Group’s risk management strategy is based on the following four principles:

• Conscious risk-taking – Stakeholder protection and sustainable operations are central to the Group’s value proposition. The Group thus operates within a clearly defined risk policy and risk control framework.

• Clear accountability – The Group’s operations are supported by clearly defined authority limitations. Individuals are accountable for the risks they authorise / accept on the Group’s behalf; and their decisions are taken within the context of overall business objectives.

• Transparency – Risk transparency, knowledge sharing and responsiveness to change are integral to the risk control process. It creates a culture of trust and reduces ad hoc responses to unexpected and complex events.

• Protection – Safeguard the Group’s assets and those of its customers (human, property and reputation) so that value is grown.

RISK APPETITE

The Group’s risk appetite is the shared view of the Board, its Committees and the Senior Executive, and refers to the amount and level of risk taking that the Group is prepared to accept or avoid in order to achieve its strategic objectives. In pursuing its vision, purpose and strategic goals, the Group will accept a level of risk proportionate to the expected benefits to be gained and the impact or likelihood of damage.

The Risk Appetite Statement influences and guides decision-making, clarifies strategic intent and helps to ensure choices align with the capacities and capabilities of the Company.

As a general rule, the Group’s risk appetite requires the implementation of action plans that seek to reduce residual risks² that have been rated above moderate (i.e. Very High or High) to at least moderate or low.

A summary of the Risk Appetite Statement is shown in Table 1.

² Residual risk refers to the amount of risk exposure that is left after taking into consideration existing control measures, the experience of staff, the number of previous occurrences of the risks and similar factors.

Risk Appetite Range: High
  Risk Drivers: Strategic Growth; Market Expansion
  Risk Approach: An entrepreneurial acceptance in pursuance of opportunities, which sets the tone for risk taking

Risk Appetite Range: Moderate
  Risk Drivers: Financial Sustainability; Human Capital; Portfolio Management
  Risk Approach: A balanced and informed approach to risk taking

Risk Appetite Range: Low
  Risk Drivers: Business Continuity and Infrastructure; Cyber Security
  Risk Approach: Accepts as little risk as possible and takes a conservative approach to risk taking

Risk Appetite Range: Minimal
  Risk Drivers: Culture, Purpose and Values; Environmental, Social and Governance; Safety and Health; Ethics & Legislative requirement and Compliance; Regulatory
  Risk Approach: Unacceptable to take risks, with a no compromise approach to risk taking

Table 1 - AMCL Risk Appetite Matrix

RISK ASSESSMENT CRITERIA

The Group’s Risk Impact and Likelihood Scale

The Group’s Residual Risk Score


RISK CULTURE AND GOVERNANCE

Core to a risk intelligent enterprise is the element of risk culture. The Group believes in fostering a positive risk culture, one that approaches risks holistically and embodies risk management practices in its symbols, management systems and behavioural norms. Risk culture is representative of the mindset, awareness, attitudes and behaviours of the Group’s employees toward risk. It also influences the way risk is managed and is therefore an indicator of the effectiveness of the risk management policies and practices. It is important that it sets a standard for making the right risk related decisions and exhibits appropriate risk management behaviours, one that escalates risk and doesn’t reward reckless corner-cutting. Positive risk management behaviour is rewarded and recognized publicly through the Group’s performance management and innovation processes.

Key characteristics of a Risk Intelligent Culture:

• Same purpose, values and ethics, meaning people’s individual interests, values and ethics are aligned with the Group’s risk strategy, appetite, tolerance and approach.

• Consistent application of risk management, which is considered in all activities, from strategic planning to day-to-day operations, in every area of the Group.

• The Group embeds a learning organisation and continuous process improvement approach.

• Open, transparent, relevant and honest communications where people are comfortable speaking frankly about risk using a common risk vocabulary that promotes shared understanding.

• There are risk champions and risk coordinators that understand the value of effective risk management and promote and articulate the benefits it brings to the Group.

• There is individual and collective responsibility for the identification and management of risk. The Parent Board of Directors must set the tone at the top but senior management and other identified individuals are responsible for driving the risk culture through initiatives and processes. Feedback loops should be active and become a funnel for further risk identification, ideation of detective / preventative controls and collation of lessons learnt.

• There is a balanced and unbiased view of both attributes of risk, threat and opportunity.

• Precise articulation of desirable and undesirable behaviour that is reflected in employee performance management systems.


PEOPLE CAPABILITY

Building the capability of the Group’s employees is critical as we ensure a consistent approach to managing risk across the business. Effective risk management requires the Group to be able to capably manage its own risks via a formal risk management program. The nature and scale of this capability must be considered in the context of the current resource and capability profile and be commensurate with the characteristics and complexity of our risk profile. The Group will therefore equip employees to effectively manage risk, which will include:

• Clearly defined risk responsibilities and accountabilities

• Risk competency acquired through learning and development, mentoring and experience

• Access to relevant communications and information

• Peer support and collaboration mechanisms

• Risk management as part of the staff induction program

• Ongoing risk management training

• Recognition and reward

• Risk management being integrated into performance agreements


ROLES AND RESPONSIBILITIES

The Group’s ability to conduct effective risk management is dependent upon having an appropriate risk governance structure and well-defined roles and responsibilities. It is important for everyone to be aware of his or her individual and collective risk management responsibilities. In order for risks to be effectively managed, it is essential to have people behaving in a way that is consistent with the organization’s approved approach. This indicates that risk management is not merely about having a well-defined process but also about effecting the behavioural change necessary for risk management to be embedded in all organizational activities.

Set out below is the proposed risk management governance structure at a Group level.

Risk Management Governance & Operational Structure at Group Level

[Figure: Parent Board of Directors (provide oversight and review); GCEO; Chief Legal and External Affairs Officer; Head - Enterprise Risk Management (ERM); Parent Audit & Risk Committee (provides risk management assurance); Group Risk & Sustainability Committee; Group Risk Manager (coordinates with risk owners, risk coordinators and other key stakeholders at each subsidiary/sector). Responsibilities shown: responsible for managing the ERM Program for the Group; drives the culture of risk; reviews risk status, endorses risk strategy, policy]

Risk Management Governance & Operational Structure at Sector Level

[Figure: Board of Directors / Sector Advisory Council (provide oversight and review at a Sector/Subsidiary level); Sector Head/MD; Sector Executive Management; Staff and Contractors; Sector Audit & Risk Committee (provides risk management assurance); Sector Risk & Sustainability Committee; Sector CRO / Risk & Compliance Manager / Risk Coordinator; Group Risk Manager (coordinates with risk owners, risk coordinators and other key stakeholders at each subsidiary/sector). Responsibilities shown: comply with risk procedures and identify risks; drives the culture of risk; reviews risk status, endorses risk strategy, policy; support risk culture, manage and identify risks; responsible for managing the ERM Program at a Sector / Subsidiary level]

This structure illustrates that risk management is not the sole responsibility of one individual but rather occurs and is supported at all organizational levels. It is important to note that the risk management structure must be supported by the assurance function of the Audit & Risk Committee.

BOARD OF DIRECTORS

The Parent Board of Directors (Parent Board) provides governance and oversight and establishes major policy guidelines for the enterprise risks assumed by the Group. The Parent Board of Directors is ultimately responsible for overseeing enterprise risk management and for ensuring that the necessary policies, procedures and systems are in place to manage the risks associated with these activities. It is the Parent Board of Directors’ responsibility to clearly communicate its goals and objectives concerning enterprise risk management activities to company personnel. The Parent Board is also responsible for approving overall risk limits.

GROUP RISK & SUSTAINABILITY COMMITTEE

The Group Risk & Sustainability Committee (GRSC) is established and authorized by the Board to oversee enterprise activities in order to ensure compliance with company policies, risk appetite and objectives. The GRSC is comprised of members of senior management and is headed by the Group Chief Executive Officer (GCEO). Specifically, the GRSC is responsible for:

• Overseeing strategies and issues impacting the Group’s overall risk profile

• Advising the Parent Board of Directors concerning risk policy matters

• Delegating risk management authorities to appropriate company personnel

• Reviewing the effectiveness of the specific hedging strategies implemented

• Oversight of compliance with this policy

• Reviewing appropriate enterprise risk control reports on a regular basis

• Reviewing analysis of risks and assumptions associated with proposed new business ventures

• Recommending changes to risk policies and limits for board approval

• Approving performance measurement benchmarks for personnel and reviewing performance against those benchmarks

• Reviewing all policy and limit violations and taking corrective action as applicable

• Approving the applicable procedures manuals across the Group and for individual subsidiaries that set forth processes and procedures governed by this policy

• Other risk related matters that require the Committee’s attention

The GRSC also has responsibility for the Group’s sustainability strategy and initiatives as outlined in its Charter.

The GRSC will comprise the following persons:

• Group Chief Shared Services Officer (GCSSO)

• Group Chief Financial Officer (GCFO)

• Group Chief Legal and External Affairs Officer (GCLEA)

• Group Chief Strategy Officer (GCSO)

• Group Chief Information Officer (GCIO)

• Group Chief Human Resource Officer (GCHRO)

• Head, Group Internal Audit and Enterprise Risk Management (Head, GIA/ERM)

The GRSC will meet bimonthly at a minimum, to review past, current and proposed risk management strategies. The meetings provide the primary forum for the discussion of risk assessments (very high and high rated risks) and ongoing business. Outside of regularly scheduled meetings, members may be called upon to respond to important opportunities or issues. Approval of any issues or submitted strategies requires affirmation by at least 75% of the GRSC members, including the Chief Risk Officer (CRO) or equivalent.

GROUP CHIEF EXECUTIVE OFFICER

The Group Chief Executive Officer (GCEO) is directly responsible for the Group’s business performance, review of the risk universe and supports the operation of appropriate business processes and controls. This function ensures compliance with this policy and will provide appropriate support and assistance to the risk management committee and the Chief Risk Officer in the conduct of their responsibilities.

HEAD OF GROUP INTERNAL AUDIT & RISK (GIA)

The Head of GIA shall provide oversight to the Group’s enterprise risk management activities. The responsibilities of this function include:

• Monitoring compliance with the Group’s risk management policies, procedures and limits and reporting any exceptions to the GRSC

• Understanding the Group’s enterprise risk management strategies

• Implementing, performing and documenting stress tests of the Group’s risk positions

• Assessing the effectiveness of the Group’s internal controls and procedures; ensuring existing controls and procedures are appropriate and efficient, and determining the need for, and facilitating the development of, any additional controls and procedures

• Assessing the effectiveness of the Group’s risk reporting and determining additional reporting requirements

• Assessing the appropriateness of the Group’s disclosures regarding enterprise risk management activities

• Distributing to the GRSC all applicable internal and external audit reports, reviews and findings

• Oversight of the development and implementation of risk management systems and models and the approval thereof

• Reporting results of risk assessments to Sector Executive Management

• Recommending the appropriate risk response for any identified risk

The Head of GIA will, when applicable, instruct the various functional groups to bring themselves into compliance with the Group’s limits and controls.


AUDIT & RISK COMMITTEE

The Audit & Risk Committee reports directly to the Parent Board and is responsible for ensuring there is a current and comprehensive risk management system in place including associated procedures for effective identification and management of strategic and operational risks. This role is also required to:

• Assess the impact of the Risk Framework on its control environment.

• Monitor implementation of risk management or mitigation plans.

• Satisfy itself that risk assessments undertaken have applied the appropriate resources to the analysis and research supporting the assessments.

• Determine whether a sound and effective approach has been followed in establishing business continuity planning arrangements, including whether business continuity and disaster recovery plans have been periodically updated and tested.

MANAGEMENT

Management are the risk owners, and they collaborate directly with the Head of GIA. They have accountability and authority to manage risks and any associated risk treatments. They also:

• Model good risk management behaviours.

• Contribute to the development of the Group’s enterprise risk profile.

• Review subsidiary company business unit risk profiles.

• Review and assess the current and planned approach to managing significant and critical risk areas.

• Ensure the risk management framework is implemented in individual subsidiary companies.

• Support officials who engage with risk in an appropriate and informed manner, regardless of the outcome.

• Contribute to the development of the Group’s risk profile and understand the effect of emerging risks on the Group’s ability to achieve its objectives.

STAFF AND CONTRACTORS

Staff and Contractors execute the business mandate. They are active participants in the risk identification, assessment and control process and are responsible for escalating any risk related matters to management. They also have the responsibility to:

• Monitor specific risks.

• Understand the risks they are charged with and be sufficiently empowered to influence their management.

• Understand and interpret the Group’s risk appetite and tolerance as it applies to their risks.

• Record and document these risks in appropriate risk registers.

• Challenge the effectiveness of controls.

• Communicate and report on risk at regular intervals.

• Contribute to the development of the Group’s risk profile and understand the effect of emerging risks on the Group’s ability to achieve its objectives.

GROUP INTERNAL AUDIT

The Group Internal Audit function is a key part of the monitoring function of the risk management governance structure. Internal Audit will independently test the internal controls over risk areas across the Group with an impact score of 4 or 5, to assist in ensuring that the mitigating controls are in fact effective. Accordingly, the Audit Plan of the Internal Audit function should be guided by the risk registers of the Group.

Internal Audit is required to develop its risk-based audit plan using the results of the risk assessment³ that is based on the requirements of this ERM policy and framework. Internal Audit also has the responsibility to:

• Perform periodic independent checks to ensure that the ERM process is working as intended, and make recommendations for improvements.

• Supply all final internal audit reports to the Head of GIA, so that the Head of GIA is able to analyse risk trends and the effectiveness of internal controls over key risk areas.

• Be available for consultation by the Risk Owners and the Head of GIA in discussions surrounding the development of risk response plans/controls that are expected to mitigate, transfer, accept or avoid major risks.

³ Internal Audit reserves the right to examine the process that led to the generation of the risk assessment, and to ask appropriate questions as it sees fit, before it uses the results of the risk assessment to drive its audit plan. Internal Audit may also elect to use other risk assessment techniques alongside the one embedded in the ERM process. It is however expected that Group Internal Audit will find the process used by the Group to be acceptable.


RELATIONSHIP WITH OTHER PROCESSES

Risk management is not a stand-alone discipline. In order to maximise risk management benefits and opportunities, it needs to be integrated with related existing business processes. Some of the key business processes with which risk alignment is necessary are:

• Internal Audit – Group Internal Audit reviews the effectiveness of controls. Alignment between the Internal Audit function and the controls within the Risk Management process is critical.

• Business Planning (including budget) – Identifying risk during the business planning process allows the Group to set realistic delivery timelines for strategies/ activities or to choose to remove a strategy/ activity if the associated risks are too high or unmanageable. The impact of changing risk levels over the year can then be mapped to the relevant objective, enabling the Group to conduct more timely feedback with key stakeholders.

• Performance Management - All risk responsibilities, whether a general responsibility to use the risk management process or specific responsibilities such as risk ownership or implementation of risk treatments should be included within the relevant individuals’ performance plans.


KEY PROCESS STEPS

Risk management is a continual process that involves the following key steps:

• Communicate and consult

• Establish the context

• Identify risks

• Analyse risks

• Evaluate risks

• Treat risks

• Monitor, surveil and review.

Following this approach ensures that risk management is both comprehensive and consistent. This process should be conducted across the entire organisation on a continuous basis, or as the rating of the risks identified warrants (e.g. Very High and High rated risks). It occurs in conjunction with the corporate and business planning process and involves the review and update of risk profiles for the enterprise as a whole, as well as a review for each individual division. This illustrates a “top-down” and a “bottom-up” approach to risk management. Risk management should be occurring at all times and in relation to all business activities. Therefore, everyone has a responsibility to continually apply this process when making business decisions and when conducting day-to-day management.

To assist you in completing the risk management process, each process step is described in further detail.

Step 1 – Communicate and Consult

Communication and consultation with internal and external stakeholders is important throughout the risk management process to ensure the organisation has a comprehensive picture of the risks it faces.

External communication and consultation is targeted at:

• Informing external stakeholders of the organisation’s risk management approach.

• Informing external stakeholders of the effectiveness of that approach.

• Requesting feedback where appropriate.

Risk management is a key governance and management function to which external stakeholders, including Government and industry, are paying increased attention. Satisfying these stakeholders that appropriate risk management practices are in use will influence their perception of the organisation.

Internal communication and consultation is aimed at:

• Informing internal stakeholders of the risk management process.

• Seeking feedback on the process.

• Informing internal stakeholders of the key risks and of their responsibilities for managing them.

Step 2 – Establish the Context

This involves:

A. THE EXTERNAL CONTEXT

Building an understanding of our external stakeholders and of the extent to which the external environment will affect the Group’s ability to achieve corporate objectives, including:

• The business, social, regulatory, cultural, competitive, financial and political environments in which the Group operates

• Key drivers and trends

• Strengths, weaknesses, opportunities and threats (SWOT)

• Stakeholder interests and perceptions

B. THE INTERNAL CONTEXT

This is aimed at understanding organisational elements and the way they interact, such as:

• Culture, internal stakeholders, structure, capabilities (in terms of resources such as people, systems, processes and capital), goals and objectives, and the strategies in place to achieve these

• Information flows and decision-making processes

• Reports, surveys, questionnaires, business plans, audits and records, and expert judgements

C. THE RISK MANAGEMENT CONTEXT

The goals, objectives, strategies, scope and parameters for the risk management process itself must also be considered.

Note: The “Establish the Context” part of the risk management process only needs to be repeated when there are significant changes to either our external environment or our business operations.

Step 3 – Identify Risks

Risk identification is a key step in the risk management process, ensuring that a comprehensive list of relevant risks is compiled.

Risks can be identified using various tools and techniques including:

Part of risk identification also involves identifying risks that may arise “over the horizon”. Examples of possible considerations include:

• Worldwide events.

• Rising public expectations of public sector entities.

• Changing public attitudes towards Government.

Identifying the major elements of a risk provides a better understanding of it and assists when considering current controls and identifying further treatment actions. It also reduces duplication of risks and minimises confusion about what a risk means.


Step 4 – Analyse Risks

Once a risk is identified, it is important to describe it adequately. The components of a comprehensive risk description are:

• Event, e.g. high staff turnover;

• Cause, e.g. staff job dissatisfaction; and

• Impact, e.g. inability to achieve strategic objectives.

Risk analysis involves:

• Identifying controls currently in place (or that can be deployed) to manage the risk by either reducing the consequence or likelihood of the risk;

• Assessing the effectiveness of current controls;

• Identifying the likelihood of the risk occurring; and

• Identifying the potential consequence or impact that would result if the risk was to occur.

When evaluating the effectiveness of current controls, the factors to consider include consistency of application, understanding of control content and documentation of controls where appropriate. Controls are aimed at bringing the risk within an acceptable level. The evaluation of current controls can occur through several different processes including:

• Control self-assessment;

• Internal Audit reviewing the effectiveness of controls; and

• External Audit reviewing the effectiveness of controls.

The consequence and likelihood ratings, as identified after consideration of current controls, are combined to determine the overall risk level.

Step 5 – Evaluate Risks

Risk evaluation involves considering the overall risk level. This allows determination of whether further risk treatment actions are required to bring the risk within an acceptable level.

The output of the risk evaluation phase is a prioritised list of risks. There may be times when the action required differs from that identified above; where this is the case, the GCEO must approve the deviation.

Step 6 – Treat Risks

Risk treatment involves examining possible treatment options to determine the most appropriate action for managing a risk. Treatment actions are required where the current controls are not managing the risk within defined tolerance levels. Treatment options could involve improving existing controls or implementing additional controls.

Possible risk treatment options include:

• Avoid the risk – change the business process or objective so as to avoid the risk;

• Change the likelihood – undertake actions aimed at reducing the cause of the risk;

• Change the consequence – undertake actions aimed at reducing the impact of the risk;

• Share/transfer the risk – transfer ownership and liability to a third party;

• Accept the risk – accept the impact of the risk;

• Enhance the risk – increase the likelihood that the opportunity is realised; and

• Exploit the risk – increase the return from monetising the opportunity.

When determining the preferred treatment option, consideration should be given to the cost of the treatment as compared to the likely risk reduction that will result (cost benefit analysis).

On selecting the preferred treatment option, the following should occur:

• The cost of any actions should be incorporated into the relevant budget planning process;

• A responsible person should be identified for delivery of the action, with this expectation being communicated to them;

• A realistic due date should be set; and

• Performance measures should be determined.

Step 7 – Monitor & Review

Risk information requires regular monitoring and review to ensure it remains current. The environment in which the Group operates is constantly changing, and so therefore are our risks. If risk information is inaccurate, poor decisions will be made that could otherwise have been avoided. Risk Owners and Risk Treatment Owners therefore have key responsibilities for reviewing and updating the risks and controls assigned to them, so that the information on their particular risks stays current. In addition, the risk registers will be reviewed periodically, and participation in those reviews may be broader than Risk Owners and Risk Treatment Owners alone.

It is also important, for effectiveness, that the risk management framework itself be monitored and reviewed. This framework drives the extent to which risks will be adequately managed throughout the Group. Monitoring implementation of the Risk Management Strategy is one available monitoring mechanism.

In addition, the risk management framework itself will be reviewed no less frequently than annually, with the results reported to the Audit & Risk Committee and the Parent Board. As risk management practice is constantly developing, this review will keep the Group informed of current developments and facilitate continuous improvement of its risk management.

RISK EXPOSURES

Below are some key risk categories which comprise the Group’s Risk Profile.

COMPLIANCE RISKS – Risks or opportunities that relate to laws and regulations. Any risk that involves a violation of public legal guidelines should be classified as a compliance risk. Data management, environmental impact and corrupt practices are all examples of potential compliance risks. Risks linked to non-compliance and legal issues can bring about immense losses for the Group.

CREDIT RISKS– This is risk due to uncertainty in a counterparty's (also called an obligor's or debtor’s) ability to meet its obligations. In assessing credit risk from a single counterparty, the Group must consider the issues of default probability, credit exposure and recovery rate.

CURRENCY RISKS - This is a form of risk that arises from the change in price of one currency against another. Assets or business operations across national borders, can make the company vulnerable to currency risk if their positions are not hedged.

CYBERSECURITY RISKS – The exposure of the Group’s information systems and communications to loss arising from a cyber-attack, intellectual property theft or data breach. It relates to any event that can affect the technical infrastructure, use of technology or social media presence of the Group.


EMERGING RISKS – The Group’s risk profile can change rapidly due to crises or events, or it can change more gradually over time. Some emerging risk issues that require monitoring in the current environment include:

• Climate Risks

• Digital Currencies

• Pandemic Risks

• Disruptive innovations and technology (Autonomous vehicles, Artificial intelligence)

• Environmental, social and corporate governance (ESG) reporting mandates

FINANCIAL RISKS – This encompasses risks or opportunities to the Group in relation to monetary resources and cash flow. Funds, investments and fraud are all risks within this category. Financial risks are essential in enterprise risk management, as they heavily affect every aspect of a company.

HAZARD & SAFETY RISKS – These are potential threats that may compromise the health and wellbeing of employees in the workplace. Accidental injuries, non-communicable diseases amongst staff, geopolitical tension, epidemics, pandemics and natural disasters are all safety risks to be assessed. The Group must identify hazard risks in order to put in place control measures and treatment plans.

INSURANCE RISKS – The financial impact of events that may occur in the customer’s environment and require settlement by the Group. It may limit the ability to spread the risk of these events across other insurance underwriters in the market. It is the risk of a change in value driven by controllable and uncontrollable factors that lead to an inaccurate assessment of risks.

LEGISLATIVE AND REGULATORY RISKS - This is the potential that regulations or legislation by the government could significantly alter the business prospects of one or more of the Group’s operations.

LIQUIDITY RISKS – The risk that arises from the difficulty of selling an asset when it needs to be sold quickly. The Group might lose liquidity if its credit rating falls, if it experiences sudden unexpected cash outflows, or if some other event causes counterparties to avoid trading with or lending to the Group. The Group is also exposed to liquidity risk if the markets on which it depends are themselves subject to a loss of liquidity.

MARKET RISKS – The risk to the Group’s financial condition resulting from adverse movements in the level or volatility of market prices of interest rate instruments, foreign exchange and equities. Market risk is usually measured as the potential gain or loss in a position or portfolio associated with a price movement of a given probability over a specified time horizon; in short, it is the risk that the value of an investment will decrease due to moves in market factors.

28

OPERATIONAL & STRATEGIC RISKS – Strategic threats are risks caused by external circumstances, such as shifts in consumer demand or technological change. Operational risks (people, process, systems) relate to day-to-day internal workings that may fail, such as data breaches and human error in performance. Both internal and external risks should be recognised and analysed.

PEOPLE AND KNOWLEDGE RISKS– This encompasses risks to the value of the Group’s knowledge, skills or any proprietary information. It also includes risks to the hiring, performance management and succession of employees.

REPUTATION RISKS – Events that damage the Group’s brand, goodwill or the confidence that stakeholders such as investors, customers, regulators, partners and employees have in the enterprise.

SHARED RISKS– These are risks extending beyond a single entity which require shared oversight and management. Accountability and responsibility for the management of shared risks must include any risks that extend across entities and may involve other sectors, community, industry or other jurisdictions.

SUSTAINABILITY & ESG RISKS – The impact that the preservation or deterioration of environmental, social or governance factors has on business objectives, whether as a result of external factors or of the business failing to recognise and address these risks.

UNDERWRITING RISKS – Uncontrollable triggers that may not have been predicted, resulting in an inaccurate assessment of risks when writing an insurance policy.

29

RISK REPORTING

Risk management reporting is a key element of the ‘Monitor and Review’ phase of the risk management process and needs to occur at each step of the process. This risk management reporting process supports a formalised, structured, and comprehensive approach by the Group to the monitoring and review of its risks, thereby enhancing its risk management process. This is illustrated in Table 4.

Group Responsibilities

Parent Board of Directors

• Review reports

• Communicate risk information issues back to the organisation

• Discuss new and emerging risks as identified by management

Parent Audit & Risk Committee

• Review reports

• Communicate risk information issues back to the organisation

• Communicate key risk issues to the Board

• Discuss new and emerging risks as identified by management

GCEO

• Review reports

• Closely monitor extreme risks

• Identify new and emerging risks

• Provide executive support to the Head of GIA, for example by requiring timely provision of risk information from the subsidiary sectors to the Head of GIA

Group Risk & Sustainability Management Committee (GRSC)

• Review reports

• Communicate key risk issues to the GCEO

• Identify new and emerging risks

C-Suite / Sector Executives

• Review reports

• Communicate key risk issues to the GRSC/GCEO

• Identify new and emerging risks

Risk Owners

• Monitor and review the risks they own

• Prepare reports for the risks they own

• Provide the Head of GIA or Group Risk Manager with information on the risks they own

• Identify new and emerging risks

Group Chief Financial Officer

• Review reports prepared by the Head of GIA or Group Risk Manager

• Provide executive support to the Head of GIA or Group Risk Manager, for example by requiring timely provision of risk information from the organisation to the Head of GIA or Group Risk Manager

• Identify new and emerging risks

CRO or Group Risk Manager

• Prepare reports

• Gather risk information from the relevant organisational people, for example Risk Owners

• Identify new and emerging risks

Sector Management and Staff

• Provide risk information to the Head of GIA/Group Risk Manager and/or Sector Head/MD

• Monitor and review risks within their areas

• Identify new and emerging risks

Table 4 – Extended Risk Management Reporting Responsibilities

TRACKING AND DOCUMENTING LOSSES AND NEAR MISSES

Loss Event Database (Appendix I)

For the Group’s management to be proactive and maintain control of emerging problems, management must be aware of what problems are developing and must systematically examine trends and symptoms. Only then can emerging risks be anticipated and mitigated. A loss event database should therefore be maintained, capturing both actual operational losses and near misses, i.e. incidents that could have resulted in injury, financial loss, litigation or property damage but did not. Both internal and external events must be captured in this database. To maximise the value gained from it, leadership must establish a reporting culture which reinforces that every opportunity to identify and control risks or prevent harmful incidents must be acted on. Risks should always be communicated, never ignored.

All near misses should be investigated to identify the root cause and the weaknesses in the system that resulted in the circumstances that led to the near miss. The reports generated or lessons learnt must be used to improve risk management systems as they represent an opportunity for training, feedback on performance and a commitment to continuous improvement. Managers and Supervisors are encouraged to foster open communication through the exercise of non-punitive coaching.

Key Risk Indicators

Key Risk Indicators (KRIs) are metrics that give early warning of potential risks that could negatively or positively affect the Group’s business objectives. They quantify and track the internal and external environment, giving clues to how well the Group’s internal and external controls are functioning, and in this way they communicate the changing landscape of the Group’s risk exposure. Once the data is captured, risk teams must brainstorm and document the likely risk events, and the likelihood and impact that could ensue if non-conformances are not addressed. Data quality is paramount. Typical sources of information include reports and data from operations, documentation of performance issues leading to personnel errors, and event reports drawn from external operating experience. This supports trend analysis, enabling early identification of adverse trends and correction of aggregated minor problems that could otherwise snowball into a risk source that triggers a significant failure within the Group’s business systems. Corrective actions that address identified weaknesses should be specified and implemented through the corrective action programme.

Specific KRIs should be developed for each business unit. As circumstances change, all current metrics must be thoroughly reviewed; the frequency will depend on internal and external changes, strategic goals and other factors, but this should be done at least annually.

Examples of issues that can be converted into numerical KRIs include statistics on people, processes and systems.

People

• Staff Turnover

• Overtime

• Client Claims and Complaints

• Absenteeism

• Staff Satisfaction

Process

• Outstanding confirmations

• Budget Overruns

• Corrections

• Suspense accounts

• Unusual transfers

• Mandate deviations

• Limit excesses

• Change orders

• Backlogs


• Text omissions

• Money laundering cases

• Litigation

• Audit issues outstanding

Systems

• Phishing scams

• Inappropriate data sharing

• Access control failures

• Manual override

• Insufficient data capture

• Attempted breaches

33

RISK ESCALATION

Everyone has the ability to identify risks at any time. When these risks are identified outside of the formal risk review process, escalation of the risk to the appropriate recipient needs to occur.

Risk escalation is an important tool for ensuring that risks are known and understood by the people with the authority to manage them appropriately. If a situation poses an extreme risk and requires the allocation of substantial risk treatment resources, it would not be appropriate for it to be managed at the Company level. The Board has overall accountability for managing risks and therefore, where a risk poses such a high threat, the Board should be informed of it immediately.

The table set out below indicates the appropriate escalation process. The Head of GIA will act as the conduit between the person who has identified the risk and the relevant escalation recipient. Therefore, if you identify a risk which requires escalation, report it directly to the Head of GIA, who will assess and review the risk information provided and escalate the risk in line with the requirements set out in Table 5.

REVIEW AND APPROVAL

Review and Monitoring is needed to ensure that the Risk Framework is sustained in accordance with the latest risk management standards and best practice. It requires ongoing monitoring and review to ensure:

• The policy and register are reflective of the Group’s internal and external environment.

• The risk management objectives have been achieved or are progressing satisfactorily.

• Reports provide the information necessary for decision making and continuous improvement.

• Risk management contributes to the Group’s purpose.

• Risk treatments are still effective in managing the risk.

The Risk Management Framework and report templates will be reviewed by the Head of GIA and approved at least annually, by 30 December.

Risk Level | Escalation Recipient | Timing
Very High | Board and Audit & Risk Committee | Within 24 hours
High | GCEO | Within 48 hours
Medium | C-Suite & Head of GIA | Within 72 hours
Low | Relevant Department Manager | As soon as reasonably practical

Table 5 – Escalation Communication Policy
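The KRI section above describes feeding loss-event and indicator data into trend analysis, and Table 5 fixes who must hear about a risk and how quickly once it has been rated. The Python below is an added illustration, not part of the ANSA McAL policy or of any tool it names, of how those pieces fit together with the Appendix II register columns: it scores a register row as impact × likelihood on the two 1 to 5 scales, compares the resulting level with the target residual level to decide whether treatment is required, looks up the escalation recipient and deadline from Table 5, and flags a KRI as an adverse trend only when it breaches its threshold for consecutive periods rather than on a single spike. The score bands that map a score to Low/Medium/High/Very High, the sample register rows, the KRI readings and their thresholds are all assumptions made here; the policy defers the real bands to a "Risk Scales" tab that is not reproduced on this page.

```python
from dataclasses import dataclass
from datetime import timedelta

# Table 5 on this page: risk level -> (escalation recipient, deadline).
# Low has no fixed deadline ("as soon as reasonably practical"), hence None.
ESCALATION = {
    "Very High": ("Board and Audit & Risk Committee", timedelta(hours=24)),
    "High": ("GCEO", timedelta(hours=48)),
    "Medium": ("C-Suite & Head of GIA", timedelta(hours=72)),
    "Low": ("Relevant Department Manager", None),
}
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2, "Very High": 3}


def risk_level(score: int) -> str:
    """Map a residual score (1..25) to a level.

    ASSUMED bands: the page defers the real ones to a 'Risk Scales' tab that is
    not reproduced here, so these thresholds are illustrative only.
    """
    if score >= 20:
        return "Very High"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class RegisterRow:
    """Subset of the Appendix II risk register columns."""
    risk_description: str
    risk_category: str
    impact: int                  # Low (1) .. Significant (5)
    likelihood: int              # Very unlikely (1) .. Very likely (5)
    control_effectiveness: str   # Appendix IV category
    target_residual_level: str   # per the risk appetite
    risk_owner: str


def residual_score(row: RegisterRow) -> int:
    """Current residual risk score = impact x likelihood. The template only
    says '<Formula>'; the product of the two 1..5 scales is assumed here."""
    for name, value in (("impact", row.impact), ("likelihood", row.likelihood)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return row.impact * row.likelihood


def assess(row: RegisterRow) -> dict:
    """Score a register row, decide whether treatment is needed (residual level
    above the target level) and look up who must be told and how fast (Table 5)."""
    score = residual_score(row)
    level = risk_level(score)
    recipient, deadline = ESCALATION[level]
    return {
        "risk": row.risk_description,
        "score": score,
        "level": level,
        "treatment_required": LEVEL_RANK[level] > LEVEL_RANK[row.target_residual_level],
        "escalate_to": recipient,
        "within_hours": None if deadline is None else int(deadline.total_seconds() // 3600),
        "risk_owner": row.risk_owner,
    }


def adverse_trend(readings, threshold: int, consecutive: int = 2) -> bool:
    """KRI check: True when the most recent `consecutive` readings all exceed the
    threshold, i.e. a sustained breach rather than a one-off spike."""
    if len(readings) < consecutive:
        return False
    return all(r > threshold for r in readings[-consecutive:])


# Constructed sample register rows (not from the page).
SAMPLE_REGISTER = [
    RegisterRow("Credential compromise of finance mailboxes via phishing",
                "Cyber Security Risk", impact=4, likelihood=4,
                control_effectiveness="Partially Effective",
                target_residual_level="Medium", risk_owner="Group CIO"),
    RegisterRow("Failure of a sole-source packaging supplier",
                "Procurement Risk", impact=3, likelihood=2,
                control_effectiveness="Substantially Effective",
                target_residual_level="Medium", risk_owner="Group Procurement Head"),
]

# Constructed monthly Systems KRI readings (Jan..Apr) with assumed thresholds.
SAMPLE_KRIS = {
    "access_control_failures": ([3, 4, 9, 11], 8),
    "phishing_reports": ([12, 5, 7, 6], 10),
}


def run_register() -> list:
    """Assess every sample register row."""
    return [assess(row) for row in SAMPLE_REGISTER]


def run_kris() -> dict:
    """Flag each sample KRI series as an adverse trend or not."""
    return {name: adverse_trend(series, threshold)
            for name, (series, threshold) in SAMPLE_KRIS.items()}


if __name__ == "__main__":
    for result in run_register():
        print(result)
    print(run_kris())
```

Running the script prints one assessment per register row followed by the KRI flags. The consecutive-period rule in adverse_trend is the practical point: a single month of high phishing reports, for instance right after an awareness campaign, is not by itself evidence that a control has failed, whereas access-control failures that stay above threshold for two months in a row suggest a control that is no longer operating and should prompt a review of the related register row's likelihood and control-effectiveness entries.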

REFERENCES

For further information on risk management, the following documents provide a comprehensive and practical overview:

• ISO 31000:2018 – Risk management – Guidelines

• COSO – Enterprise Risk Management: Integrating with Strategy and Performance (2017)

APPENDICES

Appendix I – Loss Event Template

Loss Event Database

Date | Department | Description of Event | Impact Actual / Potential | Control Issues | Reported to | Remedial Action Taken

Sample row: 21.02.22 (remaining columns blank in the template)

Appendix II – Risk Register Template

Columns of the register, left to right:

• Sector

• Company

• Process/Department

• Process Objectives

• Risk Description

• Risk Category

• Risk Sub-Category

• Impact Score (Low (1) to Significant (5)) – refer to the Risk Scales tab for scoring criteria

• Likelihood of the risk materialising (Very Unlikely (1) to Very Likely (5)) – refer to the Risk Scales tab for scoring criteria

• Current Residual Risk Score <Formula>

• Current Residual Risk <Formula>

• Target Residual Risk Level – refer to the Risk Appetite tab for further details

• Mitigant Description

• Control(s) Description to Mitigate Against Identified Risk

• Assessment of Control Effectiveness – refer to the Control Effectiveness tab for category descriptions

• Issue / Control Gap / Control Weakness if Control is not Effective

• Planned Risk Response to Improve Control Effectiveness / Achieve Target Residual Risk

• Implementation Date for Planned Risk Response

• Budget to Implement Risk Response (if applicable)

• Risk Owner

Appendix III – Risk Categories / Sub-Categories

Risk Category Risk Sub-Category

Business Continuity Risk

• Business Resumption and Contingency Planning Risk

• Communication Risk

• Third Party Risk

• Prospective Disaster Risk Management

• Data Recoverability Risk

External Risk

• External Theft and Fraud Risk

• Reputational Risk

• Patent/Intellectual Property Risk

• Third Party Risk

People and Culture Risk

• Adequacy Risk

• Culture Risk

• Employment Practice Risk

• Internal Theft and Fraud Risk

• Key Person Risk

• Workplace Safety Risk

• Behavioural Risk

• Risk Culture

Process and Operational Risk

• Customer Service & Interaction Risk

• Data Input Risk

• Financial Controls Risk

• Financial Reporting Risk

• Information Management Risk

• Legal and Regulatory Risk

• Process and Product Management Risk

• Project Management Risk

• Operational Risk

Information Technology Risk

• Communication Equipment Risk

• IT Hardware Risk

• IT Security Risk

• IT Software Risk

• IT System Implementation Risk

• Change Management Execution Risk

• Cyber Security Risk

Financial Risk

• Credit Risk

• Market Risk

• Investment Risk

• Liquidity Risk

• Financial Reporting and Controls Risk

• Interest Rate Risk

• Foreign Exchange (FX) Risk

• Revenue Management Risk

• Political Risk/Government Override or Intervention

Procurement Risk

• Sole Source Risk

• Large Customer Risk

• Commercial Contract Risk

• Legal and Regulatory Risk

• Process and Product Management Risk

• Culture Risk

• Internal Theft and Fraud Risk

• Financial Reporting Risk

• Operational Risk

Health, Safety & Environmental Risk

• Risk and Safety Culture

• Workplace Safety Risk

• Legal and Regulatory Risk

• Business Impact Analysis

• Adequacy Risk

• HSE Process and Operations Risk

Compliance Risk

• AML/CFT Risk

• Legal and Regulatory Risk

• Customer Risk

• Product Risk/Quality Risk

• Delivery Risk

• Country Risk

• Operational Risk

Project Management Risk

• Cost Risk

• Schedule Risk

• Performance Risk

Pandemic Risk/Covid-19

• Adequacy Risk (People)

• Adequacy Risk (Stationery/Technology/Personal Items)

• Adequacy Risk (PPE)

• Business Resumption and Contingency Planning Risk

• Customer Service & Interaction Risk

• Financial Controls Risk

• Financial Reporting Risk

• Key Person Risk

• Credit Risk

• Business Impact Analysis

• Project Risk

• Large Customer Risk

• Political Risk/Government Override or Intervention

• Revenue Management Risk

• Internal Theft and Fraud Risk

• Sole Source Risk

• Third Party Risk

• IT Security Risk

• Cyber Security Risk

Environmental, Social and Governance (ESG)

• Sustainability Risk


Appendix IV – Control Effectiveness Scale

Control Effectiveness Category – Description

Fully Effective – Nothing more to be done except review and monitor the existing controls. Controls are well designed for the risk and address the root causes. Management believes they are always effective and reliable.

Substantially Effective – Most controls are designed correctly and are in place and effective. Some more work is needed to improve operating effectiveness, or management has doubts about the operational effectiveness and reliability.

Partially Effective – While the design of controls may be largely correct in that they treat most of the root causes of the risk, they are not currently very effective; or some of the controls do not seem correctly designed in that they do not treat root causes, while those that are correctly designed are operating effectively.

Largely Ineffective – Significant control gaps. Either controls do not treat root causes or they do not operate at all effectively.

None or Totally Ineffective – Virtually no credible control. Management has no confidence that any degree of control is being achieved, due to poor control design or very limited operational effectiveness.


Appendix V – Three Line Model

FIRST LINE: The business line leaders, i.e. managers and principal officers, have “ownership” of risk: they acknowledge and manage the risk they incur in conducting their activities. The first line is responsible for identifying, measuring and reporting risk on an enterprise-wide basis.

SECOND LINE: The risk management function is responsible for coordinating and supporting the first line of defense in executing its risk management responsibilities, independently from the first line. The second line provides “independent challenge” to the first line by reviewing its risk assessments and risk responses. The compliance function, where one exists, is also part of the second line of defense.

THIRD LINE: The internal audit function is responsible for conducting risk-based and general audits and reviews to provide assurance to the Board that the overall governance framework is effective and that policies and processes are in place and consistently applied (Basel). The external auditors and regulators are often considered part of the third line (or, in some quarters, a “fourth line”), as they too are independent of the first and second lines.

FOURTH LINE: The external auditors and regulators, who are independent of the first and second lines and are expected to provide assurance as to the level of compliance of the first two lines with risk and control procedures.
