
The FPH Enterprise Risk Management (ERM) process follows the ISO 31000:2018 Standard. An ERM review across the FPH businesses is conducted annually. The process involves defining the scope, context, and criteria for the cycle's activities; carrying out a risk assessment; designing activities to mitigate risks; monitoring and reviewing; recording the review's output and reporting it to relevant bodies; and communicating and consulting with all parties involved. The process is iterative and runs as a feedback loop, taking into account changes in context, objectives, and internal and external factors that may affect value creation. All outputs are captured and documented in a risk register. The annual cycle ends with oversight through regular monitoring and review at various levels.
The Board of Directors, through the Board Risk Oversight Committee (BROC), has oversight over the ERM process. The BROC reviews all major risks and opportunities and works with the FPH businesses on their corresponding management strategies and action plans. Dedicated meetings of the BROC take place four to six times throughout the year for these risk management discussions.
The Chief Risk Officer (CRO) and Senior Management review the critical strategic risks and opportunities prior to the BROC review. The CRO and ERM Team serve as the process champion to ensure a fully functioning ERM system is in place.
The ERM team provides the framework and supports the risk management systems, initiatives, and programs in place at each of our businesses. Within each subsidiary's risk management system, major risks are identified and assigned to the appropriate risk owners.
At the subsidiary level, the risk owners evaluate, monitor, manage, and report their assigned risks, including the mitigation and application of appropriate risk management solutions. Project risks and opportunities are reviewed by project teams with support from the subsidiary's risk management champions, the FPH Risk Management Team, or both, as the case may be.
Cybersecurity risks are a joint responsibility of ERM/Tech Risk and IT, and their management is lodged with both the CRO and the Chief Digital Officer (CDO). Cybersecurity risks and their management are included in the annual risk management review cycle. More details on the management of cybersecurity risks, as well as related policies and programs, are given on pages 153-154 of the Intellectual Capital section.
ESG-related risks and climate-related risks are part of each of our subsidiaries' risk registers. In the annual review of risks, the subsidiary risk teams review the risk register to determine the relevant top risks the businesses face. It is through this process that ESG-related and climate-related risks may surface and, if assessed to be material to the business, are further discussed with senior management.
Risk management and risk awareness are embedded in employee knowledge through ERM 101 lectures. These are part of the onboarding of all new employees and are given as a refresher to everyone involved in the risk review process every ERM cycle. The ERM team also gives the ERM 101 lectures and other briefings to the subsidiaries for their own new employees, as requested.

The FPH ERM process is conducted annually across the relevant FPH subsidiaries. It is guided by the following steps:

ERM Governance and Process Framework

