Corporate Governance <strong>EDC</strong>’s risk management system is embedded in its strategic planning and budgeting processes, as part of its strategy execution process. Risk management activities are being done annually at the operational and strategic levels of the organization. With this, risk assessments are conducted to identify the top priority risks at the different levels of the organization (i.e. operational and strategic levels). Correspondingly, mitigating measures are formulated and implemented to manage the top risks. Also, the Board established the Enterprise Risk Management (ERM) Manual, which aims to establish a common risk language that will enable a dynamic and consistent application of risk management initiatives, aligned with ISO 31000:2009 (Risk Management – Principles and Guidelines). It was revised on April 23, 2015. Based on <strong>EDC</strong>’s ERM Manual, the RMC approves the risk appetite to guide the establishment of the risk tolerances based on physical injuries, environmental damage, reputation and financial impact. Once risks are identified, risk management strategies and plans are formulated, implemented, monitored and reviewed. • Key risks. The Company’s risk management activities are performed in three different levels with corresponding risk owners as shown in Figure 4 below of <strong>EDC</strong>’s Enterprise Risk Management Manual: Management level Level of ERM Ownership BOD Senior Management 1. Strategic Risks Risk Management Committee/Management Committee Line Management 2. Operational Risks Strategic Business Units/ Centers of Excellence Project 3. Project Risks Project Teams a. Strategic Risks. The ERM Manual defined strategic risks as those risks, whether internal or external, that significantly affect the accomplishment of the corporate short-term and long-term objectives. These are possible sources of loss due to adverse business decisions, improper implementation of plans, or lack of responsiveness to industry changes. <strong>EDC</strong>’s strategic risk management is integrated into the overall business strategy and planning processes, so that the risk management programs support the development and execution of the business strategy. It is a CEO and Boardlevel priority, wherein the objectives are to distill insights and provide clarity on the top 5 to 10 most important risks shaping <strong>EDC</strong>’s performance; to support risk-informed decisions at the RMC-level; to ensure a risk dialogue among the Management Committee, so that strategic risks can be prioritized according to their impact and likelihood of occurrence; and to enable proper risk oversight by the Board. b. Operational Risks. As provided in the ERM Manual, operational risks are those risks due to changes and circumstances in the internal and external environments that may affect <strong>EDC</strong>’s way of doing business. These are the possible sources of loss due to inadequate or failed internal processes, people or system, or from external events such as natural calamities. To prevent the risk of business interruption, <strong>EDC</strong>’s asset management are continuously being implemented, evaluated and strengthened. Business Continuity and Crisis Management Plans are also being developed to improve resilience. Lastly, business interruption insurance can be obtained to cover the potential revenue loss during an operational risk event. By doing these, the top management, through the Management Committee, are connected with the rest of the organization on operational risk matters to ensure that critical risk information will surface in a timely manner. c. Project Risks. The ERM Manual defines project risks as an uncertain event that, if it occurs, has a positive or negative effect on the project’s progress, result or outcome. Project risk management is a continuous part of <strong>EDC</strong>’s governance, and are embedded throughout the life cycle of every project as it is in the daily operation of the business. Generally, project risks are managed by building risk management into the project life cycle, ensuring that a process is in place to identify, prepare for and mitigate risks; developing project contingency plans; actively promoting risk-based mindset within the Project Team; anticipating and mitigating post-project risks which may impact business as usual. In <strong>2016</strong>, the RMC has conducted a review of the effectiveness of the Company’s risk management systems. 102-30 125
Board of Directors Oscar M. Lopez Federico R. Lopez Richard B. Tantoco Joaquin E. Quintos IV 126 I Energy Development Corporation Performance Report <strong>2016</strong>