Urusharta Jamaah Sdn Bhd

Board Audit and Risk Committee (“BARC”) - Presentation of Enterprise Risk Management (“ERM”) Framework

Deloitte Risk Advisory Sdn Bhd

21 May 2021

UJSB ERM Framework Development © 2021 Deloitte Risk Advisory Sdn Bhd

Private and Confidential

Table of Contents

• Key Content of ERM Framework

• Overview of the ERM Framework

• Risk Management Philosophy

• Roles and Responsibilities

• Risk Category

• Risk Management Process

• Risk Assessment Criteria

• Risk Appetite

• Next Step


Overview of the ERM Framework

Overview

• Reference: ISO 31000:2018 Risk management - Guidelines;

• Definition of ERM;

• Objective of implementing ERM; and

• Overview of the ERM Framework

Mandate and Commitment

• Commitment from the Board of Directors (“Board”) / Board Audit and Risk Committee (“BARC”) and Management in ensuring the objective of implementing effective risk management is achieved.

Risk Governance

• Risk Management Philosophy with three (3) Lines of Defense (“3LoD”); and

• Roles and responsibilities for the Board, BARC, Management Executive Committee (“MEC”), Risk and Compliance Department (“RCD”), and Head of Department (“HoD”) / Risk Owner

Risk Management Process

• Context setting;

• Risk identification;

• Risk assessment and prioritisation;

• Risk response; and

• Risk monitoring and reporting


Overview of the ERM Framework

[Figure: Deloitte’s Overview of ERM Framework. Three layers are shown. Risk governance, owned by the Board of Directors, sets the risk ambition and vision (tone at the top). Risk infrastructure and management, owned by executive management, covers the organization and its people (empower and create trust). Risk ownership sits with the business units, policies and procedures, which run the Risk Management Cycle: identify strategic risk; assess and evaluate; integrate across the enterprise; respond to risk; design, implement and test controls; monitor, assure and escalate. The goal is a risk-intelligent, risk-conscious organization. Source: Deloitte’s Overview of ERM Framework.]

The ERM Framework is based on three (3) key components of effective risk management, which are split further into 12 core building blocks of a successful Risk Management Function:

• Risk Ambition and Vision: strategic decision-making and risk oversight, led by the Board;

• Risk Organization: design, implementation and maintenance of an effective risk program, led by the RCD with functional oversight by the Chief Executive Officer (“CEO”); and

• Risk Management Cycle: identifying, measuring, monitoring and reporting on risks, led by the business units.


Overview of the ERM Framework (Continued)

Risk Ambition and Vision

• Risk Governance Bodies: creating the structure and oversight for risk to be effectively managed.

• Risk Policies: setting the tone and level of risk management applied across UJSB.

• Risk Culture: the values and behaviours that drive risk management in UJSB.

• Risk Appetite: setting the level of risk UJSB is willing to accept, within tolerances.

Risk Organisation

• Risk Resources: the people and time applied to risk management, centrally and across Business Units.

• Risk Procedures and Templates: providing guidance and clear direction for all areas of UJSB to perform risk management.

• Risk Supporting Tools: manual and automated tools leveraged to provide a better risk management process.

• Risk Training: the support provided across the business to embed risk management.

Risk Management Cycle

• Risk Identification: the process of identifying risks and opportunities to business operations, financials and reputation.

• Risk Measurement and Response: evaluation of risk on a common scale, with implementation of an appropriate response.

• Risk Management: ongoing management and evaluation of risk mitigations, controls and other responses to risk.

• Risk Monitoring and Reporting: monitoring of key risk indicators to assess the likelihood of crystallisation, and reporting of the current risk environment.


Risk Management Philosophy

UJSB adopts the Three Lines of Defense (“3LoD”) concept, which establishes a clear demarcation of roles, responsibilities and accountabilities in managing risk, as follows:

1st Line of Defense: responsible for day-to-day risk management. Risk Owners / Heads of Department (“HoD”), and the Risk Owners / HoD of the Subsidiary Companies.

2nd Line of Defense: responsible for independent risk management oversight over the risk owners. Risk & Compliance Department (“RCD”).

3rd Line of Defense: performs risk-based audit and independent assurance over the effectiveness of risk management initiatives. Internal Audit Department (“IAD”).

Above the three lines sit the CEO / Management Executive Committee (“MEC”) and, at the top, the Board / BARC.


Roles and Responsibilities

The Risk Management Oversight Structure represents the delegation structure through which the Board assigns risk management responsibilities across UJSB. From the top down:

• Board and its Committee, i.e. the Board Audit & Risk Committee (“BARC”);

• Chief Executive Officer (“CEO”) / Management Executive Committee (“MEC”);

• Risk and Compliance Department / Risk Coordinator (at UJSB Company Level); and

• HoD / Risk Owner, and HoD / Risk Owner of the Subsidiary Companies.

The chart lists the following responsibilities, reading from the Board down to the Risk Owners:

• Agrees on key enterprise risks for focused response efforts

• Ensures that strategies for managing identified risks have been developed

• Facilitates cross-functional mitigation initiatives for key enterprise risks

• Commits to and executes specific strategies, allocates resources, and is prepared to correct course if assumptions are invalid or no longer applicable

• Oversight on management of key risks, emerging risks and strategic risk initiatives

• Confirms/adjusts risk response strategies based on the evolving risk profile

• Aggregates issues for an enterprise-wide view

• Identifies items for escalation to board/executive leadership

• Shares lessons learned and connects the dots across the organization

• Identifies, assesses and manages key BU/functional risks

• Reports on mitigation progress and escalates emerging risk issues


Roles and Responsibilities (Continued)

Board: assumes ultimate responsibility for ERM oversight, reviews and approves risk strategies, and ensures that UJSB has established adequate internal controls and infrastructure.

BARC: assists the Board in fulfilling its responsibilities for managing risks; reviews and recommends to the Board the Risk Management Policies, risk appetite and tolerance limits; and periodically reviews the Risk Report to ensure that all areas of risk have been considered and that all identified risks are being responded to appropriately.

MEC (chaired by the CEO): consultative role throughout the risk management process; facilitates enterprise-wide risk management initiatives from an operational perspective; and reviews the implementation of the risk management framework and provides feedback to facilitate its effective and consistent adoption throughout UJSB and its group of companies.

Risk & Compliance Department / Risk Coordinator (at UJSB Company Level): as second line of defense, provides assurance to Management and the BARC that risks are being managed effectively; coordinates and facilitates the updating of the Risk Profile and consolidates the Risk Profiles from the respective Risk Owners; and provides periodic (half-yearly) reporting to Management and the BARC.

HoD / Risk Owner (Properties, Equities, Operations & Finance): primarily responsible for managing risks within their respective areas, and for continuously updating the Risk Profile in accordance with the reporting requirements (half-yearly).

Subsidiary Companies (TH Heavy Engineering Berhad and UJ Property Management Sdn. Bhd.): adopt their own Risk Management Framework to manage their risks, consistent with and guided by the UJSB Framework but tailored to the specific circumstances of each company, and ensure timely reporting of risk information to the RCD and subsequently to the MEC on a bi-monthly basis.


Risk Category

Risk categories enable identification of risk root causes, impacts and interdependencies, and facilitate a common way of thinking about, discussing and managing risk.

Strategic: potential risk(s) that could disrupt the assumptions at the core of the organization’s business strategy, including risks to strategic positioning, strategic execution and strategic choices and consequences, impeding the organization’s ability to achieve its strategic objectives.

Financial: the risk arising from ineffective management and control of the organization’s finances and from external factors such as availability of credit, foreign exchange rates, interest rate movements and other market exposures, e.g. economic conditions and market risk/uncertainty impacting investment/rental income.

Operational: the risk of potential breakdowns or deficiencies in process effectiveness or efficiency resulting from control and/or process design weaknesses, which may cause material exposure.

Compliance and Regulatory: the risk arising from unexpected changes in, and non-compliance with, relevant laws, rules, policies, procedures or standards.

Reputational: the risk of a tarnished reputation or loss of marketplace caused by a breach of risk management requirements, an operational breakdown, a legal/regulatory breach, an unsuccessful product launch or another reputation-impacting event (e.g. service delivery failure).

Corruption: the risk arising from dishonest or fraudulent conduct such as giving or accepting bribes or inappropriate gifts, laundering money, abuse of cash, favouritism in awarding contracts, facilitation payments and collusion.


Risk Management Process

The risk management process involves the following five activities:

1. Context Setting: understand UJSB's strategy, value drivers and potential risks in the context of the industry, value chain and stakeholder expectations.

2. Risk Identification: define potential risks and uncertainties that could positively or negatively affect UJSB’s goals, and evaluate their impacts and UJSB's vulnerability to those impacts.

3. Risk Assessment and Prioritisation: determine the critical risks facing UJSB at the enterprise level.

4. Risk Response: develop and implement a plan to respond to a risk and understand its root causes.

5. Risk Monitoring and Reporting: track priority risks and engage in routine discussions with leadership on the status and impact of risk treatment plans.


Risk Assessment Criteria

Scales are defined for risk ratings in terms of impact and likelihood. These scales comprise rating levels and definitions that foster consistent interpretation and application.

Impact

Impact (or consequence) refers to the extent to which a risk event might affect the Company. Each score is defined against four dimensions: Financial (RM), Reputational, Compliance & Regulatory, and Business Objectives/Strategies. The financial dimension uses three measures: annual performance, i.e. change in Net Asset Value (“NAV”)*; rental loss, i.e. uncollectible rental**; and operating loss***.

Score 5 - Extreme

• Financial: NAV decline of more than 30%; rental loss of more than 50%; operating loss of more than RM16.00 million

• Reputational: sustained serious loss of image/reputation over the longer term (weeks), with extensive negative international publicity/media coverage

• Compliance & Regulatory: significant prosecution and fines, litigation including class actions, incarceration of leadership; any termination (resulting from a breach of contractual obligation) resulting in potential monetary losses

• Business Objectives/Strategies: all business objectives/strategies are not met

Score 4 - Major

• Financial: NAV decline of more than 20% and up to 30%; rental loss of more than 25% and up to 50%; operating loss of more than RM8 million and up to RM16 million

• Reputational: diminution in image/reputation with extensive negative national publicity/media coverage, sustained over several days

• Compliance & Regulatory: enforcement via prosecution, major fines; major non-compliance with contractual obligations

• Business Objectives/Strategies: some critical business objectives/strategies are not met

Score 3 - Moderate

• Financial: NAV decline of more than 10% and up to 20%; rental loss of more than 10% and up to 25%; operating loss of more than RM3 million and up to RM8 million

• Reputational: image/reputation affected, with negative national publicity/media coverage

• Compliance & Regulatory: enforcement via issuance of a prohibition notice/stop order and/or a moderate fine; moderate non-compliance with contractual obligations

• Business Objectives/Strategies: important (but not critical) business objectives/strategies are not met

Score 2 - Minor

• Financial: NAV decline of up to 10%; rental loss of 2% to 10%; operating loss of RM0.65 million to RM3 million

• Reputational: negative local publicity/media coverage

• Compliance & Regulatory: enforcement via improvement notice, no fines; minor non-compliance with contractual obligations

• Business Objectives/Strategies: non-critical business objectives/strategies are not met

Score 1 - Insignificant

• Financial: positive annual performance (NAV change > 0%); rental loss below 2%; operating loss below RM0.65 million

• Reputational: no publicity/media coverage

• Compliance & Regulatory: no enforcement, no fines, no non-compliance

• Business Objectives/Strategies: no impact on business objectives/strategies

* Based on the prior year, i.e. FY2020 end close of the fund

** Based on the prior year, i.e. FY2020 impairment loss on Trade Debtors

*** Based on the prior year, i.e. FY2020 direct operating costs and overhead expenses


Risk Assessment Criteria (Continued)

Likelihood

Likelihood represents the possibility that a given event will occur.

Score 5 - Almost Certain: the risk is almost certain to occur; expected to occur four (4) times or more in a year.

Score 4 - Likely: high likelihood of occurrence; expected to occur two (2) to three (3) times in a year.

Score 3 - Possible: the risk may happen but is not certain or probable; expected to occur once a year or once every two (2) years.

Score 2 - Unlikely: conceivable, but low potential of occurrence; expected to occur once in three (3) to four (4) years.

Score 1 - Rare: the risk may only occur in very exceptional circumstances; expected to occur once in five (5) years or more.


Risk Assessment Criteria (Continued)

Risk Map

A Risk Map, often called a Heat Map, is a two-dimensional representation of impact plotted against likelihood. Each cell shows the rating and, in brackets, the risk score (impact score × likelihood score).

Likelihood \ Impact   Insignificant [1]   Minor [2]       Moderate [3]   Major [4]        Extreme [5]

Almost Certain [5]    Medium [5]          High [10]       High [15]      Very High [20]   Very High [25]

Likely [4]            Low [4]             Medium [8]      High [12]      High [16]        Very High [20]

Possible [3]          Low [3]             Medium [6]      Medium [9]     High [12]        High [15]

Unlikely [2]          Very Low [2]        Low [4]         Medium [6]     Medium [8]       High [10]

Rare [1]              Very Low [1]        Very Low [2]    Low [3]        Low [4]          Medium [5]

Rating and required action:

Very High: the risk has now become imminent and requires immediate action.

High: urgent action is required to reduce the risk.

Medium: action is required to further reduce the risk.

Low: monitor the risk and put in place action if cost effective to do so.

Very Low: monitor the risk.


Risk Appetite

Risk Appetite (or risk tolerance) can be defined as the quantum of risk an organization is willing to take in pursuit of its strategy.

The risk appetite cycle is as follows:

1. Set the strategic plan and objectives, as well as the risk strategy and risk capacity;

2. Articulate and cascade the risk appetite statement and limits;

3. Monitor and report the Risk Profile versus the risk appetite; and

4. Control and correct the Risk Profile should it deviate from the risk appetite, and reassess the risk appetite and, as the case may be, the strategy in the light of changes in the business, competitive or control environments.


Risk Appetite (Continued)

Risk appetite is generally expressed through both quantitative and qualitative means and should consider extreme conditions, events and outcomes.

To establish the enterprise risk appetite statements, UJSB should gather the following inputs:

• Applicable risk categories;

• Organizational risk capacity, i.e. how much risk the Company can theoretically take on, and risk appetite, i.e. how much risk the Company wants to take on; and

• Stakeholder interviews.

Risk capacity and appetite/tolerance limits by risk category:

Financial

• Objective/Risk Capacity: 30% drop in annual performance, i.e. Net Asset Value (“NAV”); 50% rental loss, i.e. uncollectible rental; RM16.00 million operating losses

• Risk Appetite/Tolerance Limit: 15% drop in annual performance (NAV); 25% rental loss; RM5.50 million operating losses

Operational

• Objective/Risk Capacity: 24 hours of interruption

• Risk Appetite/Tolerance Limit: 12 hours of interruption

Reputational

• Objective/Risk Capacity: extensive negative international publicity/media coverage (sustained serious loss of image/reputation in a week)

• Risk Appetite/Tolerance Limit: negative national publicity/media coverage (image/reputation affected)

Corruption

• Objective/Risk Capacity: zero corruption risk events

• Risk Appetite/Tolerance Limit: zero corruption risk events
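The criteria on the preceding pages (financial impact thresholds, likelihood bands, the heat map and the appetite limits) are enough to score a risk register mechanically. The following Python is an added worked example written for this page; it is not part of the Deloitte deck and not UJSB's tooling. The threshold values are the ones stated above. Two points the deck leaves open are filled by labelled assumptions: a risk affecting several financial measures takes the highest of their scores, and a return period that falls in a gap between two likelihood bands (for example once every 2.5 years) takes the higher, more likely score. The function names (`nav_impact`, `risk_rating`, `appetite_status`, `assess` and so on) and the sample register are constructed for illustration.

```python
# Worked example of the scoring criteria on pages 11 to 15: financial impact,
# likelihood, heat-map rating and appetite limits. Constructed for this page,
# not UJSB's or Deloitte's tooling; thresholds are the page's own, the sample
# register at the bottom is made-up data.
from typing import Dict, List, Optional, Tuple


def _loss_score(value: float, bounds: Tuple[float, float, float, float]) -> int:
    """Page-11 pattern: below bounds[0] scores 1, at most bounds[1..3] scores
    2..4, above bounds[3] scores 5."""
    if value < bounds[0]:
        return 1
    for score, upper in zip((2, 3, 4), bounds[1:]):
        if value <= upper:
            return score
    return 5


def nav_impact(nav_change_pct: float) -> int:
    """Annual performance as NAV change in % (negative = decline); NAV > 0% is 1."""
    return _loss_score(-nav_change_pct, (0, 10, 20, 30))


def rental_loss_impact(pct: float) -> int:
    return _loss_score(pct, (2, 10, 25, 50))  # uncollectible rental, %


def operating_loss_impact(rm_million: float) -> int:
    return _loss_score(rm_million, (0.65, 3, 8, 16))  # operating loss, RM million


def financial_impact(nav_change_pct: Optional[float] = None,
                     rental_loss_pct: Optional[float] = None,
                     operating_loss_rm_m: Optional[float] = None) -> int:
    """Assumption (not on the page): a risk takes the highest score of the
    measures it affects; a measure it does not affect contributes 1."""
    measures = [(nav_change_pct, nav_impact), (rental_loss_pct, rental_loss_impact),
                (operating_loss_rm_m, operating_loss_impact)]
    return max([1] + [f(v) for v, f in measures if v is not None])


def likelihood_score(return_period_years: float) -> int:
    """Page-12 bands by return period. The bands leave gaps (e.g. once every
    2.5 years); assumption: a gap takes the higher, more likely score."""
    if return_period_years <= 0.25:
        return 5  # four or more times a year
    if return_period_years < 1:
        return 4  # two to three times a year
    if return_period_years < 3:
        return 3  # once a year or once every two years
    if return_period_years < 5:
        return 2  # once in three to four years
    return 1      # once in five years or more


# Page-13 heat map: cells with the same impact x likelihood product carry the
# same rating, so the rating can be read off the score alone.
RATING_BANDS: List[Tuple[int, str, str]] = [
    (2, "Very Low", "Monitor the risk"),
    (4, "Low", "Monitor the risk and put in place action if cost effective to do so"),
    (9, "Medium", "Action is required to further reduce the risk"),
    (16, "High", "Urgent action is required to reduce the risk"),
    (25, "Very High", "The risk has now become imminent and requires immediate action"),
]


def risk_rating(impact: int, likelihood: int) -> Tuple[int, str, str]:
    """(score, rating, action) for impact and likelihood scores in 1..5."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be scores 1..5")
    score = impact * likelihood
    return next((score, r, a) for upper, r, a in RATING_BANDS if score <= upper)


# Page-15 quantitative limits as (appetite/tolerance limit, capacity).
APPETITE: Dict[str, Tuple[float, float]] = {
    "nav_decline_pct": (15.0, 30.0),
    "rental_loss_pct": (25.0, 50.0),
    "operating_loss_rm_m": (5.5, 16.0),
    "interruption_hours": (12.0, 24.0),
}


def appetite_status(metric: str, value: float) -> str:
    """'within appetite', 'outside appetite' (limit exceeded) or 'beyond capacity'."""
    limit, capacity = APPETITE[metric]
    if value > capacity:
        return "beyond capacity"
    if value > limit:
        return "outside appetite"
    return "within appetite"


def assess(register: List[dict]) -> List[dict]:
    """Score each register entry and flag observed metrics that breach appetite."""
    out = []
    for e in register:
        impact = financial_impact(e.get("nav_change_pct"), e.get("rental_loss_pct"),
                                  e.get("operating_loss_rm_m"))
        score, rating, action = risk_rating(impact, likelihood_score(e["return_period_years"]))
        breaches = {m: appetite_status(m, v) for m, v in e.get("observed", {}).items()
                    if appetite_status(m, v) != "within appetite"}
        out.append({"risk": e["risk"], "score": score, "rating": rating,
                    "action": action, "breaches": breaches})
    return out


# Constructed sample register (made-up figures, not UJSB data).
SAMPLE_REGISTER = [
    {"risk": "Anchor tenant default", "rental_loss_pct": 30.0, "operating_loss_rm_m": 4.0,
     "return_period_years": 1.5, "observed": {"rental_loss_pct": 28.0}},
    {"risk": "Equity market downturn", "nav_change_pct": -12.0, "return_period_years": 2.0,
     "observed": {"nav_decline_pct": 12.0}},
    {"risk": "Property system outage", "operating_loss_rm_m": 0.2, "return_period_years": 0.2,
     "observed": {"interruption_hours": 30.0}},
]
```

Running `assess(SAMPLE_REGISTER)` rates the tenant default High (impact 4 from the 30% rental loss, likelihood 3, score 12) and flags the observed 28% rental loss as outside the 25% appetite; the market downturn is Medium (3 × 3 = 9) and within appetite; the outage is Medium (1 × 5 = 5) but its 30-hour interruption is beyond the 24-hour capacity. That last case is the one worth noticing: a low heat-map score does not mean a risk is inside appetite, which is why the appetite check runs on observed metrics independently of the impact × likelihood score.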


Overview of the ERM Roll-Out in UJSB

The proposed implementation roadmap for UJSB’s ERM roll-out is set out as follows, with milestones at the end of Quarter 2, 2021, the end of Quarter 3, 2021, Quarter 4, 2021 and 2022:

Terms of Reference (“ToR”): update the relevant ToR, i.e. that of the MEC.

Risk Assessment: perform a risk assessment exercise based on the established ERM Framework; subsequently, carry out the necessary periodic reporting.

Risk Resource: hire new talent to support the RCD if the current structure lacks the capacity to carry out the roles and responsibilities.

Risk Training: conduct risk management training on the implementation of the ERM Framework and to raise risk awareness.

Policies and Procedures (“P&P”): update other operational P&P, if any, as a result of the implementation of the Framework (by 2022).

In the event that UJSB’s operations grow bigger and more complex:

Risk Resource: a separate Risk Management Committee at Management level should be set up.

Risk Tool: a Risk Management Tool should be considered to support the risk management activities undertaken by the Company.


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities

(collectively, the “Deloitte organisation”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally

separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and

related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see

www.deloitte.com/about to learn more.

Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax & legal and related services. Our global

network of member firms and related entities in more than 150 countries and territories (collectively, the “Deloitte organisation”) serves four out of

five Fortune Global 500® companies. Learn how Deloitte’s approximately 312,000 people make an impact that matters at www.deloitte.com.

Deloitte Asia Pacific Limited is a company limited by guarantee and a member firm of DTTL. Members of Deloitte Asia Pacific Limited and their

related entities, each of which are separate and independent legal entities, provide services from more than 100 cities across the region, including

Auckland, Bangkok, Beijing, Hanoi, Ho Chi Minh City, Hong Kong, Jakarta, Kuala Lumpur, Manila, Melbourne, Osaka, Shanghai, Singapore, Sydney,

Taipei, Tokyo and Yangon.

About Deloitte Malaysia

In Malaysia, services are provided by Deloitte Risk Advisory Sdn Bhd and its affiliates.

© 2021 Deloitte Risk Advisory Sdn Bhd